next »

[Dennisc]

I have found a problem with viewing permissions. I have setup 3 calendars. In the footer I have put links to the other calendars ex. http://calendar.domain.com/cgi-bin/calendar.pl?calendar=del

The problem is I have users that do not have rights to view all calendars. When using the shortcut it goes directly to the calendar view.

But if you go through the interface and change calendars though the scipt it does restict the view.

Any Ideas

[DanO]

If you never want anyone to be able to view a calendar they don't have permissions for, you'd have to turn the "Require Login" setting to YES. Then whenever someone tries to view the calendar, they'll get the log-in screen instead or an error message saying they don't have permission.

Dan O.

------------------

[Dennisc]

All 3 Calendars have the required login on. If you link to anyone of them directly it will ask for a login. But after you login the first time to a calendar you have permisions for and direct link to another you do not it will show the calendar.

But if you use the Change Calendar script on the admin page it will catch it and tell you you do not have permissions.

------------------

[DanO]

** direct link to another you do not [have view permissions for] it will show the calendar.**

Not on my calendars. When I try to view a calendar I do NOT have 'View' permissions for, I get this error message:  

quote:ERROR:

You do not have permission to view this calendar <-- in RED text

I can NOT view the calendar AT ALL.

Make sure you have all account's permissions set up properly and that NONE have 'View' permissions for All users for calendar: ________ and All calendars for user: ________ set.

Dan O.

------------------

[Dennisc]

OK, I went through all with a fine tooth comb. I rechecked all calendars to make sure password required.

2. I changed all permissions for all users except the admistrator. All permissions were set for each calendar seperatly no All Calanders or all Users set. I have a calendar that a couple of users have no permissions set at all.

The problem still exists.  If you goto the browser command line and change the calender=*** the the restricted calendar while logged in as user that has no rights the calendar will display. When you click an event to view it in this scenerio it gives the following error.
"ERROR:

The template file specified does not exist."

This user is able to add an event though there is no add event or edit event button displayed only the admin button which gives the user this feature.

This user cannot view the event that was created with the same error as above.

I am nearly positive that all of the permissions are set properly that maybe this was a possible oversight in the code.

I think the only solution for me is to change all of the links to the change calender html.

Any other thoughts would be appreciated

------------------

[DanO]

** while logged in as user that has no rights, the calendar will display. **

Sorry I have no idea what your problem is. As I said, my test calendar works as it is suppose to.

What CalendarScript version are you using??

** This user is able to add an event though there is no add event or edit event button displayed only the admin button which gives the user this feature. **

That shouldn't be.

You don't have 2 browsers open at the same time, one logged in as one user and the other as a different user?? You can only be logged in as one user at a time.

** I think the only solution for me is to change all of the links to the change calender html. **

That shouldn't be necessary but if you can't figure it out...

Dan O.

------------------

[Dennisc]

Send me an email & I will give you the link
& access to see for yourself

------------------

[DanO]

That's Ok, you can try your alternate solution. I'm afraid I don't offer personalized assistance... for free.

Dan O.

------------------

[Dennisc]

OK, Thats fine, Just appears to be a security hole to me and the fix worked fine as long as a user does not know the calendar name it is secure, kind of like a Microsoft Product.

------------------

[DanO]

** Just appears to be a security hole to me  **

As I said, *I* am not experiencing such a problem with my calendar installations so I can't see there being anything inherent to the program (although you never did state which version you are using).

If you're really concerned, maybe you can contact CalendarScript's author (which is not me). Maybe he'll be willing to personally look into yours for you?

TTFN

Dan O.

------------------

[Dennisc]

Version is 3.2 running on IIS6

It's OK, I have found a suitable workaround

------------------

[DanO]

** Version is 3.2 **

Than you should upgrade to the current version 3.21 as there are some real security concerns with previous versions.

(it shouldn't affect the problem you're currently dealing with though).

JMO

Dan O.

------------------