From 4e04d895cd7766dfe6a287e08e333943aba0f8ce Mon Sep 17 00:00:00 2001
From: Francis Lachapelle <flachapelle@inverse.ca>
Date: Thu, 16 Nov 2017 11:41:36 -0500
Subject: [PATCH] Don't expose Web calendars to other users

Fixes #4331
---
 NEWS                                            | 1 +
 SoObjects/Appointments/SOGoAppointmentFolders.m | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index 8608f5579..9772e076f 100644
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,7 @@ Bug fixes
  - [core] correctly handle "Last day of the month" recurrence rule
  - [core] fixed yearly recurrence calculator with until date
  - [core] generalized HTML sanitization to avoid encoding issues when replying/forwarding mails
+ - [core] don't expose web calendars to other users (#4331)
  - [eas] avoid sync requests for shared folders every second (#4275)
 
 2.3.22 (2017-07-20)
diff --git a/SoObjects/Appointments/SOGoAppointmentFolders.m b/SoObjects/Appointments/SOGoAppointmentFolders.m
index 405105a9a..e20bd05ff 100644
--- a/SoObjects/Appointments/SOGoAppointmentFolders.m
+++ b/SoObjects/Appointments/SOGoAppointmentFolders.m
@@ -659,7 +659,8 @@ static SoSecurityManager *sm = nil;
       for (count = 0; count < max; count++)
         {
           folder = [folders objectAtIndex: count];
-          if ([folder folderPropertyValueInCategory: @"WebCalendars"])
+          if ([folder folderPropertyValueInCategory: @"WebCalendars"
+                                            forUser: [SOGoUser userWithLogin: owner]])
             {
               name = [folder nameInContainer];
               if (isWebRequest)