diff --git a/htdocs/freebusy.php b/htdocs/freebusy.php
index 284fc0bd..baecabd5 100644
--- a/htdocs/freebusy.php
+++ b/htdocs/freebusy.php
@@ -1,9 +1,80 @@
 <?php
 require_once("always.php");
+dbg_error_log( "freebusy", " User agent: %s", ((isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : "Unfortunately Mulberry and Chandler don't send a 'User-agent' header with their requests :-(")) );
+require_once("BasicAuthSession.php");
 
 $raw_headers = apache_request_headers();
 $raw_post = file_get_contents ( 'php://input');
 
+/**
+* Our path is /<script name>/<user name>/<user controlled> if it ends in
+* a trailing '/' then it is referring to a DAV 'collection' but otherwise
+* it is referring to a DAV data item.
+*
+* Permissions are controlled as follows:
+*  1. if there is no <user name> component, the request has read privileges
+*  2. if the requester is an admin, the request has read/write priviliges
+*  3. if there is a <user name> component which matches the logged on user
+*     then the request has read/write privileges
+*  4. otherwise we query the defined relationships between users and use
+*     the minimum privileges returned from that analysis.
+*/
+$request_path = $_SERVER['PATH_INFO'];
+$bad_chars_regex = '/[\\^\\[\\(\\\\]/';
+if ( preg_match( $bad_chars_regex, $request_path ) ) {
+  header("HTTP/1.1 400 Bad Request");
+  header("Content-type: text/plain");
+  echo "The calendar path contains illegal characters.";
+  dbg_error_log("freebusy", "Illegal characters /%s/ in calendar path for User: %d, Path: %s", $bad_chars_regex, $session->user_no, $request_path);
+  exit(0);
+}
+dbg_error_log("freebusy", "Legal characters /%s/ in calendar path for User: %d, Path: %s", $bad_chars_regex, $session->user_no, $request_path);
+
+$path_split = preg_split('#/+#', $request_path );
+$permissions = array();
+if ( !isset($path_split[1]) || $path_split[1] == '' ) {
+  dbg_error_log( "freebusy", "No useful path split possible" );
+  unset($path_user_no);
+  unset($path_username);
+}
+else {
+  $path_username = $path_split[1];
+  @dbg_error_log( "freebusy", "Path split into at least /// %s /// %s /// %s", $path_split[1], $path_split[2], $path_split[3] );
+  $qry = new PgQuery( "SELECT * FROM usr WHERE username = ?;", $path_username );
+  if ( $qry->Exec("caldav") && $path_user_record = $qry->Fetch() ) {
+    $path_user_no = $path_user_record->user_no;
+  }
+  if ( $session->AllowedTo("Admin") ) {
+    $permissions = array('read' => 'read', "write" => 'write' );
+    dbg_error_log( "freebusy", "Full permissions for a systems administrator" );
+  }
+  else if ( $session->user_no == $path_user_no ) {
+    $permissions = array('read' => 'read', "write" => 'write' );
+    dbg_error_log( "freebusy", "Full permissions for user accessing their own hierarchy" );
+  }
+  else if ( isset($path_user_no) ) {
+    /**
+    * We need to query the database for permissions
+    */
+    $qry = new PgQuery( "SELECT get_permissions( ?, ? ) AS perm;", $session->user_no, $path_user_no);
+    if ( $qry->Exec("caldav") && $permission_result = $qry->Fetch() ) {
+      $permission_result = "!".$permission_result->perm; // We prepend something to ensure we get a non-zero position.
+      $permissions = array();
+      if ( strpos($permission_result,"R") )       $permissions['read'] = 'read';
+      if ( strpos($permission_result,"W") )       $permissions['write'] = 'write';
+    }
+    dbg_error_log( "freebusy", "Restricted permissions for user accessing someone elses hierarchy: read=%s, write=%s", isset($permissions['read']), isset($permissions['write']) );
+  }
+}
+
+if ( !isset($permissions['read']) ) {
+  header("HTTP/1.1 403 Forbidden");
+  header("Content-type: text/plain");
+  echo "You may not access that calendar.";
+  dbg_error_log("freebusy", "Access denied for User: %d, Path: %s", $session->user_no, $request_path);
+  exit(0);
+}
+
 switch ( $_SERVER['REQUEST_METHOD'] ) {
   case 'GET':
     include_once("freebusy-GET.php");
diff --git a/inc/freebusy-GET.php b/inc/freebusy-GET.php
index a27fa6d6..1aa6387e 100644
--- a/inc/freebusy-GET.php
+++ b/inc/freebusy-GET.php
@@ -1,5 +1,17 @@
 <?php
-  echo "<h1>Unimplemented</h1><p>Unfortunately this function is planned, but not yet implemented</p";
-  echo "<p>Well, actually, perhaps 'planned' is too strong a word.  It <em>is</em> on the roadmap, and if you want to
-contribute to the planning, please add your two cents to the Sourceforge forums or tracker items</p>";
+
+require_once("iCalendar.php");
+
+  header("Content-type: text/plain");
+
+  $where .= " WHERE caldav_data.dav_name ~ ".qpg("^".$request_path)." ";
+  $qry = new PgQuery( "SELECT * FROM caldav_data INNER JOIN calendar_item USING(user_no, dav_name)". $where );
+  if ( $qry->Exec("freebusy",__LINE__,__FILE__) && $qry->rows > 0 ) {
+    echo iCalendar::iCalHeader();
+    while( $calendar_object = $qry->Fetch() ) {
+      $parsed = new iCalendar( array('icalendar' => $calendar_object->caldav_data ) );
+      echo $parsed->RenderFreeBusy();
+    }
+    echo iCalendar::iCalFooter();
+  }
 ?>
\ No newline at end of file