This is OpenACS 4.6.2, from the tarball.
I have a calendar that should be visible to any registered users but only accept postings from certain users. However, I'm finding that any registered user can post to it. I checked permissions and nowhere have I given any cal_admin or write permissions on this calendar to any account other than one admin account.
I looked at cal-item-new, and it only appears to check if a user is logged in, without checking if the user actually has permission to post events to the calendar. I turned super-spammy logging on and don't see any check for permissions to create the calendar items in the log. (Although it does check for read access before displaying the calendar....)
Is this a known issue with calendar in 4.6.2 (I didn't see anything in bugtracker), a misconfiguration on my part, or a bugtracker-worthy problem?
Thanks!
