Mask calendar name/color for invited events (pen test F-01)

Invitees no longer see the event owner's calendar name/color, preventing minor information disclosure (CWE-200). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-16 14:04:13 +08:00 · 2026-03-16 14:04:13 +08:00 · 68a609ee50
commit 68a609ee50
parent df857a5719
1 changed files with 2 additions and 2 deletions
--- a/backend/app/routers/events.py
+++ b/backend/app/routers/events.py
@ -45,8 +45,8 @@ def _event_to_dict(
        "recurrence_rule": event.recurrence_rule,
        "is_starred": event.is_starred,
        "calendar_id": event.calendar_id,
-        "calendar_name": event.calendar.name if event.calendar else "",
-        "calendar_color": event.calendar.color if event.calendar else "",
+        "calendar_name": "Invited" if is_invited else (event.calendar.name if event.calendar else ""),
+        "calendar_color": "#6B7280" if is_invited else (event.calendar.color if event.calendar else ""),
        "is_virtual": False,
        "parent_event_id": event.parent_event_id,
        "is_recurring": event.is_recurring,