do not allow editing events that do not belong to us

Zotlabs/Module/Channel_calendar.php

@@ -147,6 +147,11 @@ class Channel_calendar extends \Zotlabs\Web\Controller {
 				}
 				return;
 			}
+
+			if($x[0]['event_xchan'] !== $channel['xchan_hash']) {
+				notice( t('Not allowed.') . EOL);
+				return;
+			}
 	
 			$acl->set($x[0]);
 	

view/tpl/cdav_calendar.tpl

@@ -322,7 +322,11 @@ $(document).ready(function() {
 		$('#id_categories').tagsinput('add', '{{$categories}}'),
 		$('#id_description').val(resource.description);
 		$('#id_location').val(resource.location);
-		$('#event_submit').html('{{$update}}');
+
+		if(resource.event_xchan !== '{{$channel_hash}}')
+			$('#event_submit').hide();
+		else
+			$('#event_submit').html('{{$update}}');
 	}
 });