During some recent changes, I've discovered that if a standard registered user was visiting this URL:
https://atlas.landscapefor.eu/calendar-edit.php?poi_ID=16298
Everything was OK. There was a check to verify if the user has enough permissions:
// no edit privileges no party
if( !$poi->canEditPOICalendar() ) {
    die_asking_for_permissions();
}
But the issue is that, if a standard registered user visits this page:
https://atlas.landscapefor.eu/calendar-edit.php?id=151
That registered user is able to edit the calendar because the page was not checking user privileges.
This is a Security issue.
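One way to close the gap is to resolve both parameters to the owning POI and apply the same permission check to it, denying by default when nothing resolves. This is an added example, not the project's code: only `canEditPOICalendar()` comes from the report, while the `Poi` stub, the lookup tables, `resolve_poi()`, `may_edit_calendar()` and the idea that `id` names a calendar entry belonging to a POI are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical stub for the project's POI class; only the method name
// canEditPOICalendar() is taken from the report.
final class Poi {
    public function __construct(
        public int $id,
        private array $editorIds,
        private int $currentUserId
    ) {}

    public function canEditPOICalendar(): bool {
        return in_array($this->currentUserId, $this->editorIds, true);
    }
}

// Constructed sample data: calendar entry 7 belongs to POI 10; user 1 may edit it.
const ENTRY_TO_POI = [7 => 10];
const POI_EDITORS  = [10 => [1]];

// Resolve the POI from either entry point; null when the request names nothing valid.
function resolve_poi(array $query, int $userId): ?Poi {
    if (isset($query['poi_ID'])) {
        $poiId = filter_var($query['poi_ID'], FILTER_VALIDATE_INT);
    } elseif (isset($query['id'])) {
        $entryId = filter_var($query['id'], FILTER_VALIDATE_INT);
        $poiId = ($entryId !== false) ? (ENTRY_TO_POI[$entryId] ?? false) : false;
    } else {
        return null;
    }
    if ($poiId === false || !array_key_exists($poiId, POI_EDITORS)) {
        return null;
    }
    return new Poi($poiId, POI_EDITORS[$poiId], $userId);
}

// Single gate for both parameters: deny unless a POI resolved and is editable.
function may_edit_calendar(array $query, int $userId): bool {
    $poi = resolve_poi($query, $userId);
    return $poi !== null && $poi->canEditPOICalendar();
}

// User 1 is an editor, user 2 is a standard registered user.
foreach ([['poi_ID' => '10'], ['id' => '7'], ['id' => '999']] as $query) {
    foreach ([1, 2] as $user) {
        printf("%-10s user %d: %s\n", http_build_query($query), $user,
            may_edit_calendar($query, $user) ? 'allowed' : 'denied');
    }
}
```

Because the check lives behind one function, a request that reaches the page through `id` cannot skip it, and an unknown or malformed identifier is denied rather than falling through.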