From ab16a40e3924b9ad2f9332a6b722601e022e306c Mon Sep 17 00:00:00 2001
From: Hypolite Petovan <hypolite@mrpetovan.com>
Date: Wed, 21 Feb 2024 22:31:04 -0500
Subject: [PATCH] Prevent overwriting cid on event edit

- This allowed to share an event as any other user after zeroing the cid field of an existing event
---
 src/Module/Calendar/Event/API.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/Module/Calendar/Event/API.php b/src/Module/Calendar/Event/API.php
index 9deb14a647..2539bf3592 100644
--- a/src/Module/Calendar/Event/API.php
+++ b/src/Module/Calendar/Event/API.php
@@ -142,7 +142,8 @@ class API extends BaseModule
 	{
 		$eventId = !empty($request['event_id']) ? intval($request['event_id']) : 0;
 		$uid     = (int)$this->session->getLocalUserId();
-		$cid     = !empty($request['cid']) ? intval($request['cid']) : 0;
+		// No overwriting event.cid on edit
+		$cid     = !empty($request['cid']) && !$eventId ? intval($request['cid']) : 0;
 
 		$strStartDateTime  = Strings::escapeHtml($request['start_text'] ?? '');
 		$strFinishDateTime = Strings::escapeHtml($request['finish_text'] ?? '');