Why? Because calendar is very hackerish.
In fact calendar 4-6 implements a "trust-your-user-to-not-change-the-url" form of security - hence it doesn:t really matter what you do on your permissons page.
Thanks to Lars calendar is now using permissions properly. Have a look at this commit http://cvs.openacs.org/cvs/dotlrn-calendar/tcl/dotlrn-calendar-procs.tcl?view=auto&rev=1.71&root=dotlrn
And for inspiration please look at this thread https://openacs.org/forums/forum-view?forum_id=14014
This could be solved properly via a site-wide parameter (Create_Calendar_With_Broken_Security_Inheritance_p) and a toggle to switch that. Sounds good?
