From ab5fd9fef1a4f64a0941f29b12da8e5f6ca54107 Mon Sep 17 00:00:00 2001
From: Ludovic Marcotte <lmarcotte@inverse.ca>
Date: Tue, 9 Aug 2016 16:17:17 -0400
Subject: [PATCH] (fix) check if the SENT-BY has access to organizer's calendar
 before modifying attendees' calendar (fixes #3759)

---
 .../Appointments/SOGoAppointmentObject.m      | 22 ++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/SoObjects/Appointments/SOGoAppointmentObject.m b/SoObjects/Appointments/SOGoAppointmentObject.m
index b7bd50b56..e4b243f55 100644
--- a/SoObjects/Appointments/SOGoAppointmentObject.m
+++ b/SoObjects/Appointments/SOGoAppointmentObject.m
@@ -138,7 +138,7 @@
 }
 
 - (SOGoAppointmentObject *) _lookupEvent: (NSString *) eventUID
-				                          forUID: (NSString *) uid
+				  forUID: (NSString *) uid
 {
   SOGoAppointmentFolder *folder;
   SOGoAppointmentObject *object;
@@ -2122,6 +2122,26 @@ inRecurrenceExceptionsForEvent: (iCalEvent *) theEvent
 
           if (userIsOrganizer)
             {
+	      // We check ACLs of the 'organizer' - in case someone forges the SENT-BY
+	      NSString *uid;
+
+	      uid = [[oldEvent organizer] uidInContext: context];
+
+	      if ([[[context activeUser] login] caseInsensitiveCompare: uid] != NSOrderedSame)
+		{
+		  SOGoAppointmentObject *organizerObject;
+
+		  organizerObject = [self _lookupEvent: [oldEvent uid] forUID: uid];
+		  roles = [[context activeUser] rolesForObject: organizerObject
+						     inContext: context];
+
+		  if (![roles containsObject: @"ComponentModifier"])
+		    {
+		      return [NSException exceptionWithHTTPStatus: 409
+							   reason: @"Not allowed to perform this action. Wrong SENT-BY being used regarding access rights on organizer's calendar."];
+		    }
+		}
+
               // A RECCURENCE-ID was removed
               if (!newEvent && oldEvent)
                 [self prepareDeleteOccurence: oldEvent];