Forum OpenACS Development: Permissions problem in Calendar module

Just want to check with everyone before making a change to the calendar module. I need to know if what I propose to do will upset anyone's current use of the module.

Issue
~~~~~

If you set up a calendar for a group of users and set permissions such that only parties within that group should be able to see related calendar items, the calendar module will show the 'Description' of the entries to all users who have access to the calendar instance irrespective of the permissions.

The detail of the calendar event is protected but the description is there for all to see.

This constitutes a security leak because:

1) People tend to give entries meaningful names which means that everyone can see what the event is even without having to read the detail.

2) You are revealing that there is an event there despite that event being permission restricted.

This is a clutter-mongering pain because with a large group the calendar rapidly becomes unusable because of the number of event descriptions being displayed.

There is currently no way for a user to filter out the descriptions that they are not particularly interested in.

Solution
~~~~~~~~

The obvious solution is to assume that this is not intended behaviour and 'fix' the permissions so that descriptions are only shown to those with 'read' permission on the event.

However, in the absence of an availability checking function, was it intended that you could see when time had been blocked out by someone even when you are not allowed to see the detail?

Should we therefore show time 'blocks' instead of the description? If we do this we still have clutter.

My preference is to only show item descriptions that the viewing party has 'read' permission on, to accept as a user that you only see a subset of other parties' events (that other users actually want you to see) and then progress to create an availability checker/meetings arranger in the near future.

The meeting arranger could utilise the planned internal site messaging module along with maybe a simple workflow driven process for setting up appointments and meetings.

Please let me have any thoughts and let me know if I can 'do the deed' on the calendar permissions fix.

Also, maybe we should add a display filter function to allow a user to select which of the 'calendars' (or event types as they really are) to display. This should probably default to "all upon which I have 'read'" and allow for arbitrary de-selection of one or more.

Thanks

Regards
Richard
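
The behaviour reported in the post and the two options it weighs, as an added example that is not part of the original post and is not OpenACS code. It is a small Python model; the item, group and grant names are constructed, and `has_read` stands in for the per-item 'read' permission check.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CalItem:
    item_id: int
    start: str          # ISO timestamps kept as strings for brevity
    end: str
    description: str

# Constructed sample data (hypothetical names, not OpenACS tables).
GROUP_MEMBERS = {"hr_team": {"alice", "bob"}}
READ_GRANTS = {1: {"everyone"}, 2: {"hr_team"}}   # item_id -> parties with 'read'
ITEMS = [
    CalItem(1, "2024-01-08T09:00", "2024-01-08T10:00", "Staff meeting"),
    CalItem(2, "2024-01-08T14:00", "2024-01-08T15:00", "Redundancy planning"),
]

def has_read(user, item):
    """True if the user, or a group the user belongs to, holds 'read' on the item."""
    parties = {user, "everyone"} | {g for g, m in GROUP_MEMBERS.items() if user in m}
    return bool(parties & READ_GRANTS.get(item.item_id, set()))

def view_reported(user, items):
    """Behaviour described in the post: no per-item check, every description listed."""
    return [(i.start, i.end, i.description) for i in items]

def view_filtered(user, items):
    """Preferred fix: items the viewer cannot read are left out entirely."""
    return [(i.start, i.end, i.description) for i in items if has_read(user, i)]

def view_busy_blocks(user, items):
    """Alternative raised in the post: keep the time slot, withhold the description."""
    return [(i.start, i.end, i.description if has_read(user, i) else "Busy")
            for i in items]

if __name__ == "__main__":
    # carol can open the calendar instance but is not in hr_team.
    for view in (view_reported, view_filtered, view_busy_blocks):
        print(view.__name__, view("carol", ITEMS))
```

The filtered view hides both the description and the existence of the restricted item; the busy-block view still reveals that something occupies the slot, which is point 2 of the issue.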