Thanks, Iuri.
I have a patch (below), I just wasn't sure whether the lack of permission check was intentional.
By the way, acs_permission__permission_p is slow. Use acs_object_party_privilege_map instead.
===================================================================
RCS file: /cvsroot/openacs-4/packages/calendar/www/views-postgresql.xql,v
retrieving revision 1.8
diff -u -r1.8 views-postgresql.xql
--- views-postgresql.xql 8 Sep 2008 20:13:37 -0000 1.8
+++ views-postgresql.xql 19 Feb 2012 20:04:03 -0000
@@ -37,6 +37,11 @@
and ci.cal_item_id= e.event_id
and cals.calendar_id = ci.on_which_calendar
and e.event_id = ci.cal_item_id
+ and exists (select 1
+ from acs_object_party_privilege_map ppm
+ where ppm.object_id = ci.cal_item_id
+ and ppm.privilege = 'read'
+ and ppm.party_id = :user_id)
$additional_limitations_clause
$calendars_clause
$order_by_clause
@@ -67,7 +72,7 @@
timespans s,
time_intervals t,
acs_activities a,
- calendars cals
+ calendars cals
where e.timespan_id = s.timespan_id
and s.interval_id = t.interval_id
and e.activity_id = a.activity_id
@@ -75,6 +80,11 @@
and ci.cal_item_id = e.event_id
and cals.calendar_id = ci.on_which_calendar
and e.event_id = ci.cal_item_id
+ and exists (select 1
+ from acs_object_party_privilege_map ppm
+ where ppm.object_id = ci.cal_item_id
+ and ppm.privilege = 'read'
+ and ppm.party_id = :user_id)
$additional_limitations_clause
$calendars_clause
$order_by_clause
