Forum OpenACS Development: Re: Calendar Permissions

2: Re: Calendar Permissions (response to 1)
Posted by Iuri Sampaio on
Hi Ryan,

I realized the same thing. I felt it was missing something and asked the question, to myself, a while ago when I played a bit with the calendar pkg.

In my point of view, it is missing a permission check using the permission model that already exists in the calendar pkg, such as "cal_item_read".

I just had a quick look into the code, and thought we could either add Tcl conditionals within the files:

1) /packages/calendar/www/view/view-one-day-display,
2) /packages/calendar/www/view/view-week-display,
3) /packages/calendar/www/view/view-list-display and
4) /packages/calendar/www/view/view-month-display

Or just add a few more lines within the file views-postgresql.xql, specifically to the gigantic query dbqd.calendar.www.views.select_items,

as in the SQL query below:

<fullquery name="select_items">
  <querytext>
    select to_char(start_date, 'YYYY-MM-DD HH24:MI:SS') as ansi_start_date,
           to_char(end_date, 'YYYY-MM-DD HH24:MI:SS') as ansi_end_date,
           to_number(to_char(start_date,'HH24'),'90') as start_hour,
           to_number(to_char(start_date,'MI'),'90') as start_minutes,
           to_number(to_char(start_date,'SSSSS'),'99990') as start_seconds,
           to_number(to_char(end_date,'HH24'),'90') as end_hour,
           to_number(to_char(end_date,'MI'),'90') as end_minutes,
           to_number(to_char(end_date,'SSSSS'),'99990') as end_seconds,
           coalesce(e.name, a.name) as name,
           coalesce(e.status_summary, a.status_summary) as status_summary,
           coalesce(e.description, a.description) as description,
           e.event_id as item_id,
           cit.type as item_type,
           cals.calendar_id,
           cals.calendar_name,
           cals.package_id as cal_package_id,
           -- added: per-item read flag using the calendar package's own privilege
           -- (the item is the event, so the object checked is e.event_id)
           acs_permission__permission_p(e.event_id, :user_id, 'cal_item_read') as object_read_p,
           (select count(1) from attachments where object_id=e.event_id) as num_attachments
           $additional_select_clause
    from   acs_activities a,
           acs_events e,
           timespans s,
           time_intervals t,
           calendars cals,
           cal_items ci left join
           cal_item_types cit on cit.item_type_id = ci.item_type_id
    where  e.timespan_id = s.timespan_id
    and    s.interval_id = t.interval_id
    and    e.activity_id = a.activity_id
    and    start_date between $interval_limitation_clause
    and    ci.cal_item_id= e.event_id
    and    cals.calendar_id = ci.on_which_calendar
    and    e.event_id = ci.cal_item_id
    -- added: only return items the requesting party is allowed to read
    and    exists (
               select 1 from acs_object_party_privilege_map ppm
               where ppm.object_id = ci.cal_item_id
               and   ppm.party_id = :user_id
               and   ppm.privilege = 'read'
           )
    $additional_limitations_clause
    $calendars_clause
    $order_by_clause
  </querytext>
...

PS. Of course it lacks more coding. The example is just a suggestion/idea of how it could be done. I am sure OCT can do much better ;)

Best wishes
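The two styles proposed above, a per-row object_read_p flag versus an exists filter in the WHERE clause, behave differently from a data-exposure standpoint. The following is an added example, not code from the thread or from the OpenACS calendar package: it builds a constructed, heavily simplified stand-in for the calendar tables in an in-memory SQLite database (the real OpenACS schema, privilege hierarchy and acs_permission__permission_p function are not modelled; acs_object_party_privilege_map is reduced to a plain table of constructed grants) and runs both styles over it, so the difference between "never returned" and "returned but flagged" can be seen on concrete rows.

```python
"""Added example (not from the OpenACS thread): contrasts the exists-filter and
object_read_p-flag styles on a constructed SQLite stand-in for the calendar schema.
Table and column names follow the thread; the schema and all rows are constructed
and omit everything the permission check does not touch."""
import sqlite3

# Constructed sample data: three calendar items on one calendar, two users.
# Party 100 holds 'read' on items 1 and 2; party 200 holds 'read' on item 3 only.
SCHEMA = """
create table acs_events (event_id integer primary key, name text, description text);
create table cal_items (cal_item_id integer primary key, on_which_calendar integer);
create table acs_object_party_privilege_map (object_id integer, party_id integer, privilege text);
"""
SAMPLE_ROWS = {
    "acs_events": [(1, "Standup", "Team sync"), (2, "1:1", "Private review"), (3, "Board", "Confidential")],
    "cal_items": [(1, 10), (2, 10), (3, 10)],
    "acs_object_party_privilege_map": [(1, 100, "read"), (2, 100, "read"), (3, 200, "read")],
}

# Style 1, the exists filter from the thread: rows the party may not read never leave the database.
FILTERED_QUERY = """
select e.event_id, e.name, e.description
from acs_events e join cal_items ci on ci.cal_item_id = e.event_id
where exists (select 1 from acs_object_party_privilege_map ppm
              where ppm.object_id = ci.cal_item_id
                and ppm.party_id = :user_id
                and ppm.privilege = 'read')
order by e.event_id
"""

# Style 2, the object_read_p column from the thread: every row comes back, tagged with a flag.
# SQLite has no acs_permission__permission_p(), so the flag is a correlated exists expression.
FLAGGED_QUERY = """
select e.event_id, e.name, e.description,
       exists (select 1 from acs_object_party_privilege_map ppm
               where ppm.object_id = ci.cal_item_id
                 and ppm.party_id = :user_id
                 and ppm.privilege = 'read') as object_read_p
from acs_events e join cal_items ci on ci.cal_item_id = e.event_id
order by e.event_id
"""


def build_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"insert into {table} values ({placeholders})", rows)
    return conn


def readable_items(conn, user_id):
    """Filter style: only the event ids on which the party holds 'read'."""
    return [row[0] for row in conn.execute(FILTERED_QUERY, {"user_id": user_id})]


def flagged_items(conn, user_id):
    """Flag style: (event_id, object_read_p) for every item, readable or not."""
    return [(row[0], bool(row[3])) for row in conn.execute(FLAGGED_QUERY, {"user_id": user_id})]


def leaked_rows(conn, user_id):
    """Rows the flag style hands to the display layer although the party may not read them.
    Unless every template tests object_read_p before rendering name and description,
    these rows are an information leak; the filter style cannot produce them."""
    return [event_id for event_id, ok in flagged_items(conn, user_id) if not ok]


if __name__ == "__main__":
    db = build_db()
    for uid in (100, 200, 300):
        print(uid, "readable:", readable_items(db, uid), "handed to template but unreadable:", leaked_rows(db, uid))
```

Running it shows party 300, which holds no grants at all, still receives all three rows from the flag-style query; the name and description columns in the thread's query are exactly the fields a template would print if it forgot to test object_read_p. The filter style puts the decision in one place, the query, which is the reason the exists clause is the safer of the two suggestions.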

3: Re: Calendar Permissions (response to 2)
Posted by Ryan Gallimore on
Thanks, Iuri.

I have a patch (below); I just wasn't sure whether the lack of a permission check was intentional.

By the way, acs_permission__permission_p is slow. Use acs_object_party_privilege_map instead.

===================================================================
RCS file: /cvsroot/openacs-4/packages/calendar/www/views-postgresql.xql,v
retrieving revision 1.8
diff -u -r1.8 views-postgresql.xql
--- views-postgresql.xql    8 Sep 2008 20:13:37 -0000    1.8
+++ views-postgresql.xql    19 Feb 2012 20:04:03 -0000
@@ -37,6 +37,11 @@
    and      ci.cal_item_id= e.event_id
    and      cals.calendar_id = ci.on_which_calendar
    and      e.event_id = ci.cal_item_id
+    and      exists (select 1
+                      from acs_object_party_privilege_map ppm
+                      where ppm.object_id = ci.cal_item_id
+                        and ppm.privilege = 'read'
+                        and ppm.party_id = :user_id)
    $additional_limitations_clause
    $calendars_clause
    $order_by_clause
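Review bot: the new exists clause filters on ppm.privilege = 'read', while the reply above names cal_item_read as the calendar package's own privilege; before merging, confirm that a party granted only cal_item_read (and not read) still sees its items, and if it does not, check the package privilege here instead. The clause also introduces a :user_id bind variable that select_items did not use before, so every .tcl file that runs this query (the view/*-display files listed above) must define user_id, for example from ad_conn user_id, or the query fails with an unbound variable; the unregistered-visitor case (user_id 0) is worth testing against the map as well.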
@@ -67,7 +72,7 @@
          timespans s,
          time_intervals t,
          acs_activities a,
-        calendars cals
+        calendars cals
    where    e.timespan_id = s.timespan_id
    and      s.interval_id = t.interval_id
    and      e.activity_id = a.activity_id
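Review bot: the -/+ pair on "calendars cals" is a whitespace-only change (the two lines are identical apart from invisible characters); drop it from the patch so the diff carries only the permission change and reviewers do not have to guess what moved.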
@@ -75,6 +80,11 @@
    and      ci.cal_item_id = e.event_id
    and      cals.calendar_id = ci.on_which_calendar
    and      e.event_id = ci.cal_item_id
+    and      exists (select 1
+                      from acs_object_party_privilege_map ppm
+                      where ppm.object_id = ci.cal_item_id
+                        and ppm.privilege = 'read'
+                        and ppm.party_id = :user_id)
    $additional_limitations_clause
    $calendars_clause
    $order_by_clause
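Review bot: this hunk is a verbatim copy of the exists clause added to the first query, so the two queries now have to be kept in step by hand; consider building the clause once in the calling Tcl (the query already receives $additional_limitations_clause, which is the natural carrier for it) or at least commenting each copy so a later edit does not fix one and miss the other. The 'read' versus cal_item_read question and the requirement that the caller binds :user_id apply to this query as well.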