From 3c30997bf522bb997b82a2e6b116c8b2e178d3d9 Mon Sep 17 00:00:00 2001
From: Francis Lachapelle
Date: Thu, 16 Nov 2017 11:41:36 -0500
Subject: [PATCH] Don't expose Web calendars to other users

Fixes #4331
---
 NEWS | 1 +
 SoObjects/Appointments/SOGoAppointmentFolders.m | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index dd7b9244e..19338d6c3 100644
--- a/NEWS
+++ b/NEWS
@@ -19,6 +19,7 @@ Bug fixes
 - [core] increased column size of settings/defaults for MySQL (#4260)
 - [core] fixed yearly recurrence calculator with until date
 - [core] generalized HTML sanitization to avoid encoding issues when replying/forwarding mails
+ - [core] don't expose web calendars to other users (#4331)
 - [web] fixed display of error when the mail editor is in a popup
 - [web] attachments are not displayed on IOS (#4150)
 - [web] fixed parsing of pasted email addresses from Spreadsheet (#4258)
diff --git a/SoObjects/Appointments/SOGoAppointmentFolders.m b/SoObjects/Appointments/SOGoAppointmentFolders.m
index 913cc4632..006af6332 100644
--- a/SoObjects/Appointments/SOGoAppointmentFolders.m
+++ b/SoObjects/Appointments/SOGoAppointmentFolders.m
@@ -650,7 +650,8 @@ static SoSecurityManager *sm = nil;
 for (count = 0; count < max; count++)
 {
 folder = [folders objectAtIndex: count];
- if ([folder folderPropertyValueInCategory: @"WebCalendars"])
+ if ([folder folderPropertyValueInCategory: @"WebCalendars"
+ forUser: [SOGoUser userWithLogin: owner]])
 {
 name = [folder nameInContainer];
 if (isWebRequest)
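Review bot: The result of `[SOGoUser userWithLogin: owner]` in the new `if` condition of the SOGoAppointmentFolders.m hunk is passed straight to `forUser:` without a nil check, and it is re-evaluated on every pass of the `for` loop although `owner` does not change inside the visible lines. The hunk does not show how `folderPropertyValueInCategory:forUser:` treats a nil user; if it falls back to the requesting user, the cross-user exposure this commit closes could return for an unknown or empty owner login, so that case should be confirmed and handled explicitly. I would resolve the user once before the loop with `SOGoUser *ownerUser = [SOGoUser userWithLogin: owner];`, skip the web-calendar branch when `ownerUser` is nil, and pass `forUser: ownerUser` in the condition. A short comment above the test would record why the lookup is scoped this way, for example `/* WebCalendars settings are per-user: check the folder owner's, not the requesting user's (#4331) */`. The enclosing method starts and ends outside the hunk, so the declaration and the origin of `owner` are not visible here.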