mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-11 10:03:05 -05:00
[PR #24764] fix: check destination calendar write access on event update #98865
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/24764
Author: @Classic298
Created: 5/15/2026
Status: 🔄 Open
Base:
dev← Head:fix/calendar-event-update-destination-authz📝 Commits (1)
b43da8dfix: check destination calendar write access on event update📊 Changes
1 file changed (+6 additions, -0 deletions)
View changed files
📝
backend/open_webui/routers/calendar.py(+6 -0)📄 Description
update_event only verified write access on the event's source calendar. CalendarEventUpdateForm accepts a new calendar_id which the model layer applies unconditionally, so a user with write access to their own calendar could move (inject) an event into any other user's calendar. Mirror the destination check create_event already performs.
Contributor License Agreement
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.