-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Access control #5
Comments
EO uses meta caps for posting permission: In the CAC ticket, I recommended augmenting EO's caps by checking for group member role and adding in EO's native caps. Visibility, I think, uses WP's native |
781f500 does the basic 'read' logic. Regarding editing: @r-a-y, I see that in 1f75c6e you asked some questions about whether mods/members/etc should be able to edit group-connected events. My inclination is to say no: we should let EO handle 'edit_event' mapping https://github.com/stephenharris/Event-Organiser/blob/9cb3399ec28561e4a96c61d1cbd97edf538a13fd/includes/event-organiser-cpt.php#L330, which is to say that only super admins and the event author should be able to edit. I think what we'll probably need is a separate cap/UI for disconnecting an event from a group, and that should be available to group admins/mods. See boonebgorges/buddypress-docs#444 for a similar feature in buddypress-docs. Does this seem right to you @r-a-y ? |
Your suggestions sound good to me. My inline comments were just reminders to switch those lines out after we've determined who should have access to what. |
The previous implementation queried for all events, and then filtered out individual events not belonging to the group using the `intercept_calendar()` filter on 'eventorganiser_fullcalendar_event'. This technique is inefficent, especially as the number of group events increases. The new technique is to detect the 'bp_group_id' param sent with the AJAX request, and then add a corresponding 'bp_group' param to the event query, using the new 'eventorganiser_fullcalendar_query' filter in EO. This mirrors the way user-specific calendar requests are filtered. See #2, #5, #8.
On a default BP install, a user has the This is because in EO, the For our needs, I think we should force the |
+1 On 04/05/15 14:17, r-a-y wrote:
|
…ibutor' role. Commit also includes unit tests. See #5.
Fixes an issue where a user with no default role (but has the bbPress default role of 'bbp_participant') has no ability to publish an event. Previously, the logic was to check if a user explicitly had either the 'contributor' or'subscriber' role. See #5.
- Only query for public events by friends. Have to separate queries for events by the user and a user's friends so the post status is not shared amongst the two. - Add 'private' status when querying for user or group events. See #5.
…caps need access to a specific event ID. The plural caps (the primitives) do not, and PHP notices should be avoided in these cases. See #5.
Users: - Do not map caps for 'edit_events' and 'delete_events' caps. These are already mapped to the 'edit_event' and 'delete_event' cap by EO's caps. - Set meta caps for 'edit_event', 'delete_event' and 'read_event'. - Add unit tests for 'delete_event' cap. - Move over user-related tests from group tests. Groups: - Do not map caps for 'edit_event'; this should be handled in the user meta cap function as denoted above. - Bail when there are no groups attached to an event. See #5.
Requires dynamically giving admins and mods the 'edit_others_events' capability. See #5.
Internally, we decided to give group admins and mods the ability to edit and delete events. See commit 37594b7. |
It should be possible to control access to an event or a calendar based on group membership/role. Here's what I wrote in the original CAC ticket:
What does EO currently do for visibility/access? Anything?
We should also control the ability to connect events to groups. This might be a hardcoded meta cap for now (eg,
groups_is_user_member()
) but at some point this might be configurable by the group admin. BuddyPress Docs, for example, lets you set a minimum group role that a user must have in order to associate Docs with the group.The text was updated successfully, but these errors were encountered: