From ad45d6b8a29610bd81296ba45f3d6ed2d676ac14 Mon Sep 17 00:00:00 2001
From: Hamza
Date: Tue, 5 May 2026 11:43:17 +0200
Subject: [PATCH] fix: add proper ACLs for trashbin proxys

fix: add proper ACLs for trashbin proxys

Signed-off-by: Hamza
---
 .../CalDAV/Trashbin/DeletedCalendarObject.php | 12 ++++++++++-
 .../DeletedCalendarObjectsCollection.php | 19 +++++++++++++++--
 apps/dav/lib/CalDAV/Trashbin/TrashbinHome.php | 21 +++++++++++++++++++
 3 files changed, 49 insertions(+), 3 deletions(-)

diff --git a/apps/dav/lib/CalDAV/Trashbin/DeletedCalendarObject.php b/apps/dav/lib/CalDAV/Trashbin/DeletedCalendarObject.php
index d8c429f205616..fa9347829087b 100644
--- a/apps/dav/lib/CalDAV/Trashbin/DeletedCalendarObject.php
+++ b/apps/dav/lib/CalDAV/Trashbin/DeletedCalendarObject.php
@@ -94,7 +94,17 @@ public function getACL(): array {
 ],
 [
 'privilege' => '{DAV:}unbind', // For moving and deletion
- 'principal' => '{DAV:}owner',
+ 'principal' => $this->getOwner(),
+ 'protected' => true,
+ ],
+ [
+ 'privilege' => '{DAV:}all',
+ 'principal' => $this->getOwner() . '/calendar-proxy-write',
+ 'protected' => true,
+ ],
+ [
+ 'privilege' => '{DAV:}read',
+ 'principal' => $this->getOwner() . '/calendar-proxy-read',
 'protected' => true,
 ],
 ];
diff --git a/apps/dav/lib/CalDAV/Trashbin/DeletedCalendarObjectsCollection.php b/apps/dav/lib/CalDAV/Trashbin/DeletedCalendarObjectsCollection.php
index f75e19689f1df..b3bee8840ef7f 100644
--- a/apps/dav/lib/CalDAV/Trashbin/DeletedCalendarObjectsCollection.php
+++ b/apps/dav/lib/CalDAV/Trashbin/DeletedCalendarObjectsCollection.php
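Review bot: The `calendar-proxy-write` entry in `DeletedCalendarObject::getACL()` grants `{DAV:}all`, which is wider than the `{DAV:}unbind` the owner receives in the same hunk and wider than what `DeletedCalendarObjectsCollection::getACL()` gives the same delegate group (`{DAV:}read` plus `{DAV:}unbind`). A delegate should not end up with more privileges on a deleted object than the account it acts for, so I would grant the two privileges explicitly instead of the aggregate. The array starts above the hunk, so the owner's other entries are not visible here; if the owner is meant to hold `{DAV:}all` as well, state that in a comment. `TrashbinHome::getACL()` also uses `{DAV:}all` for the write delegate, though there the owner holds it too.

```php
// … unchanged: owner entries …
[
	'privilege' => '{DAV:}read',
	'principal' => $this->getOwner() . '/calendar-proxy-write',
	'protected' => true,
],
[
	'privilege' => '{DAV:}unbind', // For moving and deletion
	'principal' => $this->getOwner() . '/calendar-proxy-write',
	'protected' => true,
],
// … unchanged: calendar-proxy-read entry …
```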
@@ -125,9 +125,24 @@ public function getACL(): array {
 ],
 [
 'privilege' => '{DAV:}unbind',
- 'principal' => '{DAV:}owner',
+ 'principal' => $this->getOwner(),
+ 'protected' => true,
+ ],
+ [
+ 'privilege' => '{DAV:}read',
+ 'principal' => $this->getOwner() . '/calendar-proxy-write',
+ 'protected' => true,
+ ],
+ [
+ 'privilege' => '{DAV:}unbind',
+ 'principal' => $this->getOwner() . '/calendar-proxy-write',
 'protected' => true,
- ]
+ ],
+ [
+ 'privilege' => '{DAV:}read',
+ 'principal' => $this->getOwner() . '/calendar-proxy-read',
+ 'protected' => true,
+ ],
 ];
 }
 }
diff --git a/apps/dav/lib/CalDAV/Trashbin/TrashbinHome.php b/apps/dav/lib/CalDAV/Trashbin/TrashbinHome.php
index 1c76bd2295d8b..68f4b98014fb0 100644
--- a/apps/dav/lib/CalDAV/Trashbin/TrashbinHome.php
+++ b/apps/dav/lib/CalDAV/Trashbin/TrashbinHome.php
@@ -36,6 +36,27 @@ public function getOwner(): string {
 return $this->principalInfo['uri'];
 }

+ #[\Override]
+ public function getACL(): array {
+ return [
+ [
+ 'privilege' => '{DAV:}all',
+ 'principal' => $this->getOwner(),
+ 'protected' => true,
+ ],
+ [
+ 'privilege' => '{DAV:}all',
+ 'principal' => $this->getOwner() . '/calendar-proxy-write',
+ 'protected' => true,
+ ],
+ [
+ 'privilege' => '{DAV:}read',
+ 'principal' => $this->getOwner() . '/calendar-proxy-read',
+ 'protected' => true,
+ ],
+ ];
+ }
+
 public function createFile($name, $data = null) {
 throw new Forbidden('Permission denied to create files in the trashbin');
 }
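Review bot: `$this->getOwner()` is called four times in this array, and the group suffixes `'/calendar-proxy-write'` and `'/calendar-proxy-read'` are spelled out as literals here and again in the other two `getACL()` methods of this patch. A typo in one copy would quietly produce a principal that matches nobody or the wrong group, so I would read the owner once, `$owner = $this->getOwner();`, and build both group URIs from it, ideally from shared constants. The return type of `getOwner()` on this class is outside the hunk; if it is nullable, the concatenation would yield a bare `/calendar-proxy-write` principal and needs a guard. The method itself starts above the hunk.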
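Review bot: The new `TrashbinHome::getACL()` has no comment explaining the delegate model, and `{DAV:}all` reads as if the owner and write delegates may create content while `createFile()` just below still throws `Forbidden`. A short docblock would record the intent, for example `/** Owner and calendar-proxy-write delegates get full access, calendar-proxy-read delegates read-only; creation stays blocked in createFile(). */`. The diffstat lists only these three source files, so nothing in the patch asserts that a read delegate is refused `{DAV:}unbind`; a test for that would keep these ACLs from regressing. The class body continues outside the hunk.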