From de8d1874b11229065dbfe4e392340b5fdd2905d1 Mon Sep 17 00:00:00 2001
From: dartcafe
Date: Sun, 10 Feb 2019 13:01:33 +0100
Subject: [PATCH] #511 - added missing access check
---
 lib/Controller/ApiController.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/Controller/ApiController.php b/lib/Controller/ApiController.php
index d33dbadd6..f77af7fcc 100644
--- a/lib/Controller/ApiController.php
+++ b/lib/Controller/ApiController.php
@@ -178,6 +178,8 @@ private function grantAccessAs($event, $shares) {
 $grantAccessAs = 'public';
 } elseif ($event['access'] === 'registered' && \OC::$server->getUserSession()->getUser() instanceof IUser) {
 $grantAccessAs = 'registered';
+ } elseif ($event['access'] === 'hidden' && ($event['owner'] === \OC::$server->getUserSession()->getUser())) {
+ $grantAccessAs = 'hidden';
 } elseif ($this->checkUserAccess($shares)) {
 $grantAccessAs = 'userInvitation';
 } elseif ($this->checkGroupAccess($shares)) {
@@ -418,7 +420,10 @@ public function getPolls() {
 $eventsList = array();
 foreach ($events as $eventElement) {
- $eventsList[] = $this->getPoll($eventElement->id);
+ $event = $this->getPoll($eventElement->id);
+ if ($event['grantedAs'] !== 'none') {
+ $eventsList[] = $event;
+ }
 }
 return new DataResponse($eventsList, Http::STATUS_OK);
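Review bot: In the grantAccessAs hunk, the new `hidden` branch compares `$event['owner']` strictly against the return value of `getUser()`, which the `registered` branch just above treats as an object that may or may not be an `IUser`. If `owner` holds a user id string, as seems likely, `===` can never be true and the owner is never granted `hidden`; if `owner` is ever null during an anonymous session, the comparison succeeds and access is granted without a login. I would fetch the user once before the chain with `$user = \OC::$server->getUserSession()->getUser();` and write the branch as `} elseif ($event['access'] === 'hidden' && $user instanceof IUser && $event['owner'] === $user->getUID()) {`. The body of grantAccessAs starts and ends outside the hunk, so the placement of that assignment has to be checked against the lines not shown.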
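Review bot: In the getPolls hunk, the filter `$event['grantedAs'] !== 'none'` fails open: if getPoll() ever returns something without a `grantedAs` key (an error shape, for instance), the lookup yields null and the entry is still appended to the list. Testing for presence first keeps the default at deny, e.g. `if (isset($event['grantedAs']) && $event['grantedAs'] !== 'none') {`. The check is also applied only to the list built here; whether getPoll() itself refuses a poll whose grantedAs is 'none' is not visible in this patch, and if it is reachable as its own endpoint the same rule belongs there. getPolls() begins and ends outside the hunk.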