From e2a4737fdb3d2a6feded38ffc4127e164531b38f Mon Sep 17 00:00:00 2001
From: Bjoern Schiessle
Date: Wed, 26 Apr 2023 21:45:23 +0200
Subject: [PATCH] forbid changing the displayname or color of the calendar/deck when the user doesn't has the "manage" permissions
Signed-off-by: Bjoern Schiessle
---
 lib/DAV/Calendar.php | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/lib/DAV/Calendar.php b/lib/DAV/Calendar.php
index 3457e6c10..e34b77771 100644
--- a/lib/DAV/Calendar.php
+++ b/lib/DAV/Calendar.php
@@ -188,12 +188,18 @@ class Calendar extends ExternalCalendar {
 foreach ($properties as $key => $value) {
 switch ($key) {
 case '{DAV:}displayname':
+ if (!$this->backend->checkBoardPermission($this->board->getId(), Acl::PERMISSION_MANAGE)) {
+ throw new Forbidden('no permission to change the displayname');
+ }
 if (mb_strpos($value, 'Deck: ') === 0) {
 $value = mb_substr($value, strlen('Deck: '));
 }
 $this->board->setTitle($value);
 break;
 case '{http://apple.com/ns/ical/}calendar-color':
+ if (!$this->backend->checkBoardPermission($this->board->getId(), Acl::PERMISSION_MANAGE)) {
+ throw new Forbidden('no permission to change the calendar color');
+ }
 $color = substr($value, 1, 6);
 if (!preg_match('/[a-f0-9]{6}/i', $color)) {
 throw new InvalidDataException('No valid color provided');
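Review bot: The manage-permission guard is copied into the `{DAV:}displayname` case and the `calendar-color` case separately, so any writable property added to this switch later is unprotected unless its author remembers to paste the check again. Evaluating it once before the `foreach`, e.g. `$canManage = $this->backend->checkBoardPermission($this->board->getId(), Acl::PERMISSION_MANAGE);`, and having each mutating case start with `if (!$canManage) { throw new Forbidden('no permission to change the displayname'); }` keeps the decision in one place and saves the second backend lookup when both properties are sent. The diffstat shows six insertions and no new `use` lines, so `Acl` and `Forbidden` must already be imported in `Calendar.php`; if either is not, these branches would fail with a class-not-found error instead of the intended 403, which is worth confirming. The enclosing method starts and ends outside the hunk, so whether the board is persisted only after the whole loop has passed these checks cannot be verified from here.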