From 68a609ee502f0a4c28081d76db61c7aacabd060d Mon Sep 17 00:00:00 2001
From: Kyle Pope
Date: Mon, 16 Mar 2026 14:04:13 +0800
Subject: [PATCH] Mask calendar name/color for invited events (pen test F-01)

Invitees no longer see the event owner's calendar name/color, preventing minor information disclosure (CWE-200).

Co-Authored-By: Claude Opus 4.6
---
 backend/app/routers/events.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/backend/app/routers/events.py b/backend/app/routers/events.py
index a01b9fc..3ac5707 100644
--- a/backend/app/routers/events.py
+++ b/backend/app/routers/events.py
@@ -45,8 +45,8 @@ def _event_to_dict(
 "recurrence_rule": event.recurrence_rule,
 "is_starred": event.is_starred,
 "calendar_id": event.calendar_id,
- "calendar_name": event.calendar.name if event.calendar else "",
- "calendar_color": event.calendar.color if event.calendar else "",
+ "calendar_name": "Invited" if is_invited else (event.calendar.name if event.calendar else ""),
+ "calendar_color": "#6B7280" if is_invited else (event.calendar.color if event.calendar else ""),
 "is_virtual": False,
 "parent_event_id": event.parent_event_id,
 "is_recurring": event.is_recurring,
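Review bot: `"calendar_id": event.calendar_id` on the context line directly above the two masked fields is still returned unchanged for invited events, so an invitee keeps receiving the owner's calendar identifier even though the name and colour are now hidden. If the client does not need that value for invited events, mask it the same way, e.g. `"calendar_id": None if is_invited else event.calendar_id,` (confirm the response schema accepts null), and consider whether `is_starred` is likewise the owner's personal state rather than the invitee's. `is_invited` and the rest of `_event_to_dict` lie outside the hunk, so it is worth checking that every caller serving an invitee actually passes it, and adding a test asserting that an invited event's payload carries no owner calendar fields.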