Forum OpenACS Development: Re: Calendar Permissions
I realized the same thing. I felt it was missing something and asked the question, to myself, a while ago when i played a bit with calendar pkg.
In my point of view, it is missing a permission check using the permission model that already exists in the calendar pkg, such as "cal_item_read".
I just looked up, quickly, into the codes, and thought we could add whether TCL conditionals within the files:
1) /packages/calendar/www/view/view-one-day-display,
2) /packages/calendar/www/view/view-week-display,
3) /packages/calendar/www/view/view-list-display and
4) /packages/calendar/www/view/view-month-display
Or just to add a few more lines, within the file views-postgresql.xql, specifically to the gigantic query: dbqd.calendar.www.views.select_items
as in the SQL query bellow:
fullquery name="select_items"
querytext
select to_char(start_date, 'YYYY-MM-DD HH24:MI:SS') as ansi_start_date,
to_char(end_date, 'YYYY-MM-DD HH24:MI:SS') as ansi_end_date,
to_number(to_char(start_date,'HH24'),'90') as start_hour,
to_number(to_char(start_date,'MI'),'90') as start_minutes,
to_number(to_char(start_date,'SSSSS'),'99990') as start_seconds,
to_number(to_char(end_date,'HH24'),'90') as end_hour,
to_number(to_char(end_date,'MI'),'90') as end_minutes,
to_number(to_char(end_date,'SSSSS'),'99990') as end_seconds,
coalesce(e.name, a.name) as name,
coalesce(e.status_summary, a.status_summary) as status_summary,
coalesce(e.description, a.description) as description,
e.event_id as item_id,
cit.type as item_type,
cals.calendar_id,
cals.calendar_name,
cals.package_id as cal_package_id,
++++ acs_permission__permission_p(object_id, :user_id, 'cal_item_read') as object_read_p
(select count(1) from attachments where object_id=e.event_id) as num_attachments
$additional_select_clause
from acs_activities a,
acs_events e,
timespans s,
time_intervals t,
calendars cals,
cal_items ci left join
cal_item_types cit on cit.item_type_id = ci.item_type_id
where e.timespan_id = s.timespan_id
and s.interval_id = t.interval_id
and e.activity_id = a.activity_id
and start_date between $interval_limitation_clause
and ci.cal_item_id= e.event_id
and cals.calendar_id = ci.on_which_calendar
and e.event_id = ci.cal_item_id
+++ and exists (
+++ select 1 from acs_object_party_privilege_map ppm
+++ where ppm.object_id = ci.cal_item_id
+++ and ppm.party_id = :user_id
+++ and ppm.privilege = 'read'
+++ )
$additional_limitations_clause
$calendars_clause
$order_by_clause
/querytext
...
ps. Of course it lacks more codding. The example is just a suggestion/idea how it could be done. I am sure OCT can do much better ;)
Best wishes
I have a patch (below), I just wasn't sure whether the lack of permission check was intentional.
By the way, acs_permission__permission_p is slow. Use acs_object_party_privilege_map instead.
===================================================================
RCS file: /cvsroot/openacs-4/packages/calendar/www/views-postgresql.xql,v
retrieving revision 1.8
diff -u -r1.8 views-postgresql.xql
--- views-postgresql.xql 8 Sep 2008 20:13:37 -0000 1.8
+++ views-postgresql.xql 19 Feb 2012 20:04:03 -0000
@@ -37,6 +37,11 @@
and ci.cal_item_id= e.event_id
and cals.calendar_id = ci.on_which_calendar
and e.event_id = ci.cal_item_id
+ and exists (select 1
+ from acs_object_party_privilege_map ppm
+ where ppm.object_id = ci.cal_item_id
+ and ppm.privilege = 'read'
+ and ppm.party_id = :user_id)
$additional_limitations_clause
$calendars_clause
$order_by_clause
@@ -67,7 +72,7 @@
timespans s,
time_intervals t,
acs_activities a,
- calendars cals
+ calendars cals
where e.timespan_id = s.timespan_id
and s.interval_id = t.interval_id
and e.activity_id = a.activity_id
@@ -75,6 +80,11 @@
and ci.cal_item_id = e.event_id
and cals.calendar_id = ci.on_which_calendar
and e.event_id = ci.cal_item_id
+ and exists (select 1
+ from acs_object_party_privilege_map ppm
+ where ppm.object_id = ci.cal_item_id
+ and ppm.privilege = 'read'
+ and ppm.party_id = :user_id)
$additional_limitations_clause
$calendars_clause
$order_by_clause
