When a member is viewing a private event - the title of the private event is shown in the "Who's Online". This can sometimes contain revealing information and should be kept private.

The problem was reported to me by one of our users, and I have confirmed this for myself.

No check is being performed.

in online.php:
$userinfo[where] = "Viewing Calendar event <a href='calendar.php?s=$session[sessionhash]&action=getinfo&eventid=$userinfo[eventid]'>".$event[$userinfo[eventid]]."</a>";

I suppose a temporary fix would be to just remove the link to the event and display "Viewing Calendar event"

I'm not too sure how you'd go about getting the permissions for a specific event.

Paul

I guess you could look at the code in calender.php which deals with retreiving events.

Just hide all private events is the easiest solution

$eventresults = $DB_site->query("SELECT eventid, subject
FROM calendar_events
WHERE eventid IN (0$eventids)");

is changed to

$eventresults = $DB_site->query("SELECT eventid, subject
FROM calendar_events
WHERE eventid IN (0$eventids) AND public=1");