fix(calendar): Fix issue where a calendar's subscribed user can give acl to another user

smizrahi
2024-04-03 09:18:53 +02:00
parent 0fafda55d6
commit cb55413e91


@@ -1399,6 +1399,10 @@
}
else if ([nodeName isEqualToString: @"set-roles"])
{
// Disable Acl modifications if this is not the owner
if (![[[context activeUser] login] isEqualToString: owner])
return nil;
// We support two ways of setting roles. The first one is, for example:
//
// <?xml version="1.0" encoding="UTF-8"?>
@@ -1426,8 +1430,7 @@
allRoles = [self _davGetRolesFromRequest: node];
for (i = 0; i < [allUsers count]; i++)
{
if ([[[context activeUser] login] isEqualToString: owner])
[self setRoles: allRoles
[self setRoles: allRoles
forUser: [allUsers objectAtIndex: i]];
}
result = @"";
@@ -1447,6 +1450,9 @@
//
else if ([nodeName isEqualToString: @"add-user"])
{
// Disable Acl modifications if this is not the owner
if (![[[context activeUser] login] isEqualToString: owner])
return nil;
attrs = [node attributes];
userAttr = [attrs namedItem: @"user"];
user = [userAttr nodeValue];
@@ -1455,6 +1461,9 @@
}
else if ([nodeName isEqualToString: @"add-users"])
{
// Disable Acl modifications if this is not the owner
if (![[[context activeUser] login] isEqualToString: owner])
return nil;
attrs = [node attributes];
userAttr = [attrs namedItem: @"users"];
allUsers = [[userAttr nodeValue] componentsSeparatedByString: @","];
@@ -1475,6 +1484,9 @@
//
else if ([nodeName isEqualToString: @"remove-user"])
{
// Disable Acl modifications if this is not the owner
if (![[[context activeUser] login] isEqualToString: owner])
return nil;
attrs = [node attributes];
userAttr = [attrs namedItem: @"user"];
user = [userAttr nodeValue];
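Review bot: The owner check is pasted separately into four branches (set-roles, add-user, add-users, remove-user), so any other ACL-changing action this method handles outside the visible hunks stays unguarded unless it gets its own copy; the dispatch chain starts and ends outside these hunks, so that cannot be confirmed from here. Computing the predicate once before the `nodeName` chain, `BOOL isOwner = [[[context activeUser] login] isEqualToString: owner];`, and testing `if (!isOwner) return nil;` for every mutating action keeps the rule in one place and makes a missed branch easier to spot. The comparison appears to fail closed when the active user or `owner` is nil, which is the right default, but it presumably also refuses an administrator or delegate whose login is not literally the owner's, so it is worth confirming that this is intended. The refusal is also silent: a log line recording the login, the folder and the rejected action would make such attempts visible to operators, and the caller should turn the nil result into an explicit 403 if it does not already.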