fix(calendar): scope CalDAV event lookup by calendar

* fix: CalDAV sync hijacks another user's event sharing a VEVENT uid * Seed schema-valid dtstart/dtend in caldav uid-scope test fixture
2026-06-04 04:01:21 +01:00
parent e340674c12
commit 49c14af5c7
2 changed files with 96 additions and 3 deletions
--- a/src/caldav_sync.py
+++ b/src/caldav_sync.py
@@ -105,6 +105,25 @@ def _to_utc_naive(dt):
    return datetime(dt.year, dt.month, dt.day), True


+def _find_existing_event(db, pending, uid_val, calendar_id):
+    """Find the event to update for THIS calendar.
+
+    CalendarEvent.uid is the global primary key, so an unscoped lookup by uid
+    returns whatever row holds that VEVENT uid — including another owner's.
+    The old code then reassigned that row's calendar_id, moving (stealing)
+    another user's event into the syncing calendar whenever the two share a
+    uid (shared/subscribed/public calendars, or two accounts on one server).
+    Scope the lookup to the calendar being synced; a genuine cross-user uid
+    collision then fails the PK insert inside the per-calendar try/except
+    instead of hijacking the row. (import_ics was already fixed this way.)
+    """
+    from core.database import CalendarEvent
+    return pending.get(uid_val) or db.query(CalendarEvent).filter(
+        CalendarEvent.uid == uid_val,
+        CalendarEvent.calendar_id == calendar_id,
+    ).first()
+
+
 def _sync_blocking(owner: str, url: str, username: str, password: str) -> dict:
    """The actual sync — synchronous, intended to run in a threadpool.
    Returns counts: {calendars, events, deleted, errors}."""
@@ -235,9 +254,7 @@ def _sync_blocking(owner: str, url: str, username: str, password: str) -> dict:
                            else ""
                        )

-                        existing = pending.get(uid_val) or db.query(CalendarEvent).filter(
-                            CalendarEvent.uid == uid_val,
-                        ).first()
+                        existing = _find_existing_event(db, pending, uid_val, local_cal.id)
                        if existing:
                            existing.calendar_id = local_cal.id
                            existing.summary = summary