Forum OpenACS Development: Calendar Permissions

Posted by Ryan Gallimore on
When creating calendar items under calendar objects, the individual item cannot be viewed unless read permission is granted.

However, an item without read permissions IS visible on the calendar display views (/packages/calendar/www/view) for month, day, week and list.

Looking at /packages/calendar/www/views-*.xql there are no permission checks.

Is this a bug or is it by design?

2: Re: Calendar Permissions (response to 1)
Posted by Iuri Sampaio on
Hi Ryan,

I realized the same thing. I felt it was missing something and asked myself the question a while ago when I played a bit with the calendar pkg.

In my point of view, it is missing a permission check using the permission model that already exists in the calendar pkg, such as "cal_item_read".

I just looked quickly into the code, and thought we could either add TCL conditionals within the files:

1) /packages/calendar/www/view/view-one-day-display,
2) /packages/calendar/www/view/view-week-display,
3) /packages/calendar/www/view/view-list-display and
4) /packages/calendar/www/view/view-month-display

Or just add a few more lines within the file views-postgresql.xql, specifically to the gigantic query: dbqd.calendar.www.views.select_items

as in the SQL query below:

fullquery name="select_items"
querytext
select to_char(start_date, 'YYYY-MM-DD HH24:MI:SS') as ansi_start_date,
to_char(end_date, 'YYYY-MM-DD HH24:MI:SS') as ansi_end_date,
to_number(to_char(start_date,'HH24'),'90') as start_hour,
to_number(to_char(start_date,'MI'),'90') as start_minutes,
to_number(to_char(start_date,'SSSSS'),'99990') as start_seconds,
to_number(to_char(end_date,'HH24'),'90') as end_hour,
to_number(to_char(end_date,'MI'),'90') as end_minutes,
to_number(to_char(end_date,'SSSSS'),'99990') as end_seconds,
coalesce(e.name, a.name) as name,
coalesce(e.status_summary, a.status_summary) as status_summary,
coalesce(e.description, a.description) as description,
e.event_id as item_id,
cit.type as item_type,
cals.calendar_id,
cals.calendar_name,
cals.package_id as cal_package_id,

++++ acs_permission__permission_p(object_id, :user_id, 'cal_item_read') as object_read_p


(select count(1) from attachments where object_id=e.event_id) as num_attachments
$additional_select_clause
from acs_activities a,
acs_events e,
timespans s,
time_intervals t,
calendars cals,
cal_items ci left join
cal_item_types cit on cit.item_type_id = ci.item_type_id
where e.timespan_id = s.timespan_id
and s.interval_id = t.interval_id
and e.activity_id = a.activity_id
and start_date between $interval_limitation_clause
and ci.cal_item_id= e.event_id
and cals.calendar_id = ci.on_which_calendar
and e.event_id = ci.cal_item_id

+++ and exists (
+++ select 1 from acs_object_party_privilege_map ppm
+++ where ppm.object_id = ci.cal_item_id
+++ and ppm.party_id = :user_id
+++ and ppm.privilege = 'read'
+++ )

$additional_limitations_clause
$calendars_clause
$order_by_clause
/querytext
...

P.S. Of course it lacks more coding. The example is just a suggestion/idea of how it could be done. I am sure OCT can do much better ;)

Best wishes
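
The two options sketched in the post above (a per-row read flag in the select list versus an exists filter in the where clause), shown side by side as an added example that is not part of the original post or of OpenACS. It uses Python's sqlite3 with a constructed, simplified schema: privilege_map stands in for acs_object_party_privilege_map, and the item names, ids and user ids are made up.

```python
import sqlite3

# Constructed, simplified stand-in for the OpenACS data model (not the real schema):
# privilege_map plays the role of acs_object_party_privilege_map.
SCHEMA = """
create table cal_items (cal_item_id integer primary key,
                        on_which_calendar integer, name text);
create table privilege_map (object_id integer, party_id integer, privilege text);
insert into cal_items values (101, 1, 'Team meeting'),
                             (102, 1, 'Board review'),
                             (103, 1, 'Payroll run');
-- user 7 may read items 101 and 102; user 8 may read only item 101
insert into privilege_map values (101, 7, 'read'), (102, 7, 'read'), (101, 8, 'read');
"""

READ_CHECK = """exists (select 1 from privilege_map ppm
                where ppm.object_id = ci.cal_item_id
                  and ppm.party_id = :user_id
                  and ppm.privilege = 'read')"""

# The situation the thread starts from: the listing has no permission check.
UNCHECKED = """select ci.cal_item_id, ci.name from cal_items ci
               where ci.on_which_calendar = :calendar_id order by ci.cal_item_id"""

# Option 1: return every row plus a flag; the template must honour object_read_p.
FLAGGED = f"""select ci.cal_item_id, ci.name, {READ_CHECK} as object_read_p
              from cal_items ci
              where ci.on_which_calendar = :calendar_id order by ci.cal_item_id"""

# Option 2: filter in the where clause; unreadable rows never leave the database.
FILTERED = f"""select ci.cal_item_id, ci.name from cal_items ci
               where ci.on_which_calendar = :calendar_id and {READ_CHECK}
               order by ci.cal_item_id"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def list_items(db, sql, user_id, calendar_id=1):
    # Bind variables only; user_id is never interpolated into the SQL text.
    params = {"user_id": user_id, "calendar_id": calendar_id}
    return db.execute(sql, params).fetchall()

if __name__ == "__main__":
    db = open_db()
    for label, sql in (("unchecked", UNCHECKED), ("flagged", FLAGGED), ("filtered", FILTERED)):
        print(label, list_items(db, sql, user_id=8))
```

With the flag, the names of unreadable items are still in the result set, so every display template has to check the flag; with the filter, a template that forgets the check has nothing to leak.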

3: Re: Calendar Permissions (response to 2)
Posted by Ryan Gallimore on
Thanks, Iuri.

I have a patch (below); I just wasn't sure whether the lack of a permission check was intentional.

By the way, acs_permission__permission_p is slow. Use acs_object_party_privilege_map instead.

===================================================================
RCS file: /cvsroot/openacs-4/packages/calendar/www/views-postgresql.xql,v
retrieving revision 1.8
diff -u -r1.8 views-postgresql.xql
--- views-postgresql.xql    8 Sep 2008 20:13:37 -0000    1.8
+++ views-postgresql.xql    19 Feb 2012 20:04:03 -0000
@@ -37,6 +37,11 @@
    and      ci.cal_item_id= e.event_id
    and      cals.calendar_id = ci.on_which_calendar
    and      e.event_id = ci.cal_item_id
+    and      exists (select 1
+                      from acs_object_party_privilege_map ppm
+                      where ppm.object_id = ci.cal_item_id
+                        and ppm.privilege = 'read'
+                        and ppm.party_id = :user_id)
    $additional_limitations_clause
    $calendars_clause
    $order_by_clause
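
Review bot: The added exists clause depends on the bind variable `:user_id`, but nothing in this hunk shows where it is set. Please confirm that every script running this query defines `user_id` before the query executes, including for visitors who are not logged in, and add a short comment above the clause saying that items are filtered on the 'read' privilege of `ci.cal_item_id` so the intent is documented next to the check.
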
@@ -67,7 +72,7 @@
          timespans s,
          time_intervals t,
          acs_activities a,
-        calendars cals
+        calendars cals
    where    e.timespan_id = s.timespan_id
    and      s.interval_id = t.interval_id
    and      e.activity_id = a.activity_id
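
Review bot: The `calendars cals` line in the from list is removed and re-added with no visible difference, so this looks like a whitespace-only change. Drop it from the patch, or send it separately, so the diff contains only the permission check.
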
@@ -75,6 +80,11 @@
    and      ci.cal_item_id = e.event_id
    and      cals.calendar_id = ci.on_which_calendar
    and      e.event_id = ci.cal_item_id
+    and      exists (select 1
+                      from acs_object_party_privilege_map ppm
+                      where ppm.object_id = ci.cal_item_id
+                        and ppm.privilege = 'read'
+                        and ppm.party_id = :user_id)
    $additional_limitations_clause
    $calendars_clause
    $order_by_clause
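
Review bot: This exists clause is a verbatim copy of the one added in the first hunk, so the two checks can drift apart if one is edited later. Consider defining the condition once and pulling it into both queries the way `$additional_limitations_clause` is, and note that the patch touches only views-postgresql.xql while the thread refers to views-*.xql, so any other query file for these views would still need the same check.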