diff --git a/api/src/CalDAV.php b/api/src/CalDAV.php
index 6200faad6a..45385d5db2 100644
--- a/api/src/CalDAV.php
+++ b/api/src/CalDAV.php
@@ -1165,6 +1165,7 @@ class CalDAV extends HTTP_WebDAV_Server
 'data' => self::mkprop(self::CALDAV, 'data', '')
 ]),
 'other' => [],
+ 'root' => ['name' => null],
 );
 // sync-collection report via GET parameter sync-token
diff --git a/timesheet/inc/class.timesheet_bo.inc.php b/timesheet/inc/class.timesheet_bo.inc.php
index 7f89035cc1..631c1fcc73 100644
--- a/timesheet/inc/class.timesheet_bo.inc.php
+++ b/timesheet/inc/class.timesheet_bo.inc.php
@@ -454,15 +454,16 @@ class timesheet_bo extends Api\Storage
 {
 $extra_cols[] = $total_sql.' AS ts_total';
 }
- if (!isset($filter['ts_owner']) || !count((array)$filter['ts_owner']))
- {
- $filter['ts_owner'] = array_keys($this->grants);
- }
 // $filter['ts_owner'] === false --> no ACL checks
- elseif ($filter['ts_owner'] === false)
+ if (isset($filter['ts_owner']) && $filter['ts_owner'] === false)
 {
 $filter['ts_owner'] = '';
 }
+ // empty --> all the user has access too
+ elseif (empty($filter['ts_owner']))
+ {
+ $filter['ts_owner'] = array_keys($this->grants);
+ }
 else
 {
 if(!is_array($filter['ts_owner']))
diff --git a/timesheet/src/ApiHandler.php b/timesheet/src/ApiHandler.php
index 6e0a97c1a3..ef536103f1 100644
--- a/timesheet/src/ApiHandler.php
+++ b/timesheet/src/ApiHandler.php
@@ -349,7 +349,7 @@ class ApiHandler extends Api\CalDAV\Handler
 // in case of JSON/REST API pass filters to report
 if (Api\CalDAV::isJSON() && !empty($options['filters']) && is_array($options['filters']))
 {
- $filters += $this->filter2col_filter($options['filters']); // using += to not allow overwriting existing filters
+ $filters = $this->filter2col_filter($options['filters']) + $filters; // + to allow overwriting default owner filter (BO ensures ACL!)
 }
 elseif (!empty($options['filters']))
 {
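Review bot: `empty($filter['ts_owner'])` in the new `elseif` is also true for `0`, `'0'` and `''`, which the old `count((array)…)` test sent to the `else` branch, so those values now expand to every owner in `$this->grants`. The result stays within the user's grants, but the ApiHandler hunk of this commit now lets request filters reach this code, so the intended set of "empty" values is better spelled out, e.g. `elseif (!isset($filter['ts_owner']) || $filter['ts_owner'] === '' || $filter['ts_owner'] === [])`. The new comment also has a typo ("access too" should read "access to"). The `else` branch that handles explicitly requested owners continues outside the hunk, so how it restricts them to the grants cannot be confirmed from here.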
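Review bot: With the request-derived array on the left of `+`, any key returned by `filter2col_filter()` replaces the default in `$filters`, and the timesheet_bo hunk of this commit shows that `$filter['ts_owner'] === false` means "no ACL checks". Whether `filter2col_filter()` can ever hand back a boolean `false` for `ts_owner` from request data is not visible here, so the "BO ensures ACL!" comment holds only if that is ruled out. A guard straight after the merge would make it explicit: `if (($filters['ts_owner'] ?? null) === false) unset($filters['ts_owner']);`. The comment names only the owner filter as overridable, while this form lets a request override every default in `$filters`. The enclosing method starts and ends outside the hunk, so those other defaults cannot be checked from here.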