Privileges
Hey list,

I've got a new issue and I'd like to know if there's an elegant solution for this:

I've got users who are in groups. This data is mapped onto Davical. Each group has its own calendar. All regular users (like pupils) are only allowed to *read* their group calendars. This is the easy part which I can control with basic Caldav permissions.

Now we have a separate privilege in our system which can be granted to groups and allows their members (like teachers) to *write* to their group calendars.

Is there a way to map this to Davical without the need to grant each member of these extra groups the read privilege on the group calendars individually? Any "You're allowed to write to all your group collections" permission I've overlooked?

:confused:
Matthias

_______________________________________________
DAViCal-dev mailing list
DAViCal-dev@lists.davical.org
http://lists.davical.org/listinfo/davical-dev
Re: Privileges
On Tue, 2012-02-28 at 13:05 +0100, Matthias Althaus wrote:
> Hey list,
>
> I've got a new issue and I'd like to know if there's an elegant
> solution for this:
>
> I've got users who are in groups. This data is mapped onto Davical.
> Each group has its own calendar. All regular users (like pupils) are
> only allowed to *read* their group calendars. This is the easy part
> which I can control with basic Caldav permissions.
>
> Now we have a separate privilege in our system which can be granted to
> groups and allows their members (like teachers) to *write* to their
> group calendars.
>
> Is there a way to map this to Davical without the need to grant each
> member of these extra groups the read privilege on the group calendars
> individually? Any "You're allowed to write to all your group
> collections" permission I've overlooked?

If the relationship is 'teacher' and 'students' then I would make the
calendar owned by the teacher, and grant read access to the students.

If the relationship is 'teachers' and 'students' then I would make the
calendar separately owned, and would grant 'write' to the 'teachers'
group and 'read' to the 'students' group.

If you need a layer of 'per class' on top of this then you'll have two
groups per class.

I can't see anything particularly difficult about this, but the process
of setting it up may not be ideal in the current DAViCal admin UI. It's
worth noting, maybe, that the 'class' calendars need not be owned by the
group - they would probably be better to be owned by one or more
separate principals, with the permissions granted by the calendar,
rather than by the principal.

Cheers,
Andrew.

--
------------------------------------------------------------------------
andrew (AT) morphoss (DOT) com +64(272)DEBIAN
Take an astronaut to launch.
------------------------------------------------------------------------
Re: Privileges
Hey,

> current DAViCal admin UI.
The data is synced by triggers using db_link from our database into the Davical database as all the user-group-privilege-handling is done by our system. Therefore granting specific permissions for a specific group of users is a bit nasty. We're not using your web UI at all. :/

> If you need a layer of 'per class' on top of this then you'll have two
> groups per class.
I think that's the case... an example to the rescue:

Group "Class A":
* Teacher 1
* Teacher 2
* A number of students

Group "Class B":
* Teacher 1
* Teacher 3
* A number of students

Group "Teachers":
* Teacher [1-3]

Our system can now grant the teachers (or another group like admins) the privilege to get write access to their group calendars. So "Teacher 1" would get write access to A and B whilst "Teacher 2" could only write to A.

At the moment I cannot add extra groups to Davical, because we're using a direct mapping of our user/group IDs to the Davical users/principals for easier trigger handling as the IDs are the only thing that doesn't change in our database.

So the only "clean" solution I see at the moment is, on update of the "write permission groups":

1) Get all members of the groups
2) For each member, get their groups
3) Add a write permission for each group collection for the member's principal

... and all this in a trigger accessing Davical by db_link(). My boss doesn't think that this is a good thing. ;)


btw: What'd happen if we give the teachers a general write access to *all* group collections, but they still have only read permission for a limited number? This wouldn't work out in CalDAV?

btw2: Does the "is_group" field in the grant table have a specific use? I failed to set it correctly at the beginning, but it didn't seem to do any evil. ^^

Cheers
Matthias
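The three-step expansion Matthias describes (members of the write-privilege groups, then each member's groups, then one write grant per group collection) is easier to reason about, and to test, as a pure function that computes the complete desired grant set from the group data, so that a trigger or sync job only has to apply the difference. The following is an added example, not code from this thread or from DAViCal; the group data, the principal names and the `(principal, collection) -> privilege` grant representation are constructed for illustration and do not reflect DAViCal's real `grants` table columns. It also covers the case the posted steps omit: a teacher leaving a write-privilege group must have the write grant downgraded back to read, and a member leaving a group must lose the grant entirely, otherwise stale write access accumulates over time.

```python
"""Expand group membership plus "write-privilege groups" into per-principal
calendar grants, and diff two expansions so a sync job can apply only changes.

Added illustration for the DAViCal-dev thread above; the data model is an
assumption (constructed), not DAViCal's schema.
"""
from typing import Dict, Set, Tuple

# (principal, collection) -> "read" or "write"; one collection per group,
# named after the group, as the original post describes.
Grants = Dict[Tuple[str, str], str]

# Constructed sample data mirroring the example in the thread.
GROUPS: Dict[str, Set[str]] = {
    "Class A": {"teacher1", "teacher2", "student_a1", "student_a2"},
    "Class B": {"teacher1", "teacher3", "student_b1"},
    "Teachers": {"teacher1", "teacher2", "teacher3"},
}
# Groups whose members may write to the calendars of every group they belong to.
WRITE_PRIVILEGE_GROUPS: Set[str] = {"Teachers"}


def expand_grants(groups: Dict[str, Set[str]],
                  write_privilege_groups: Set[str]) -> Grants:
    """Compute the full desired grant set from scratch (steps 1-3 of the post).

    Every member reads the calendar of every group they are in; members of a
    write-privilege group get "write" instead of "read" on those calendars.
    Recomputing from scratch keeps the result idempotent: running it twice on
    the same input yields the same grants, so it is safe to apply repeatedly.
    """
    # Step 1: collect all members of the write-privilege groups.
    writers: Set[str] = set()
    for group in write_privilege_groups:
        writers |= groups.get(group, set())

    # Steps 2 and 3: for each member of each group, one grant on that group's
    # collection, with the privilege decided by writer membership.
    grants: Grants = {}
    for group, members in groups.items():
        for member in members:
            grants[(member, group)] = "write" if member in writers else "read"
    return grants


def grant_diff(old: Grants, new: Grants) -> Tuple[Grants, Grants]:
    """Return (to_upsert, to_remove) so a sync job applies only the delta.

    to_upsert holds grants that are new or whose privilege changed (including
    a downgrade from write to read); to_remove holds grants that no longer
    exist because the member left the group.
    """
    to_upsert = {key: priv for key, priv in new.items() if old.get(key) != priv}
    to_remove = {key: priv for key, priv in old.items() if key not in new}
    return to_upsert, to_remove


def writable_collections(grants: Grants, principal: str) -> Set[str]:
    """Collections a principal may write to, for quick inspection."""
    return {coll for (p, coll), priv in grants.items()
            if p == principal and priv == "write"}


if __name__ == "__main__":
    current = expand_grants(GROUPS, WRITE_PRIVILEGE_GROUPS)
    for who in ("teacher1", "teacher2", "student_a1"):
        print(who, "writes:", sorted(writable_collections(current, who)))

    # Teacher 2 loses the write privilege: the diff downgrades and revokes.
    changed = {g: set(m) for g, m in GROUPS.items()}
    changed["Teachers"] = {"teacher1", "teacher3"}
    upsert, remove = grant_diff(current, expand_grants(changed, WRITE_PRIVILEGE_GROUPS))
    print("upsert:", upsert)
    print("remove:", remove)
```

Because `expand_grants` rebuilds the whole desired state, the trigger side only needs to apply `grant_diff` against what is currently stored; a membership change anywhere (a pupil leaving a class, a teacher losing the privilege) is then handled by the same code path as a grant being added.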