Access control #5
Comments
EO uses meta caps for posting permission: In the CAC ticket, I recommended augmenting EO's caps by checking for group member role and adding in EO's native caps. Visibility, I think, uses WP's native |
|
781f500 does the basic 'read' logic. Regarding editing: @r-a-y, I see that in 1f75c6e you asked some questions about whether mods/members/etc should be able to edit group-connected events. My inclination is to say no: we should let EO handle 'edit_event' mapping https://github.com/stephenharris/Event-Organiser/blob/9cb3399ec28561e4a96c61d1cbd97edf538a13fd/includes/event-organiser-cpt.php#L330, which is to say that only super admins and the event author should be able to edit. I think what we'll probably need is a separate cap/UI for disconnecting an event from a group, and that should be available to group admins/mods. See boonebgorges/buddypress-docs#444 for a similar feature in buddypress-docs. Does this seem right to you @r-a-y ? |
|
Your suggestions sound good to me. My inline comments were just reminders to switch those lines out after we've determined who should have access to what. |
The previous implementation queried for all events, and then filtered out individual events not belonging to the group using the `intercept_calendar()` filter on 'eventorganiser_fullcalendar_event'. This technique is inefficent, especially as the number of group events increases. The new technique is to detect the 'bp_group_id' param sent with the AJAX request, and then add a corresponding 'bp_group' param to the event query, using the new 'eventorganiser_fullcalendar_query' filter in EO. This mirrors the way user-specific calendar requests are filtered. See #2, #5, #8.
|
On a default BP install, a user has the This is because in EO, the For our needs, I think we should force the |
|
+1 On 04/05/15 14:17, r-a-y wrote:
|
…ibutor' role. Commit also includes unit tests. See #5.
Fixes an issue where a user with no default role (but has the bbPress default role of 'bbp_participant') has no ability to publish an event. Previously, the logic was to check if a user explicitly had either the 'contributor' or'subscriber' role. See #5.
- Only query for public events by friends. Have to separate queries for events by the user and a user's friends so the post status is not shared amongst the two. - Add 'private' status when querying for user or group events. See #5.
…caps need access to a specific event ID. The plural caps (the primitives) do not, and PHP notices should be avoided in these cases. See #5.
Users: - Do not map caps for 'edit_events' and 'delete_events' caps. These are already mapped to the 'edit_event' and 'delete_event' cap by EO's caps. - Set meta caps for 'edit_event', 'delete_event' and 'read_event'. - Add unit tests for 'delete_event' cap. - Move over user-related tests from group tests. Groups: - Do not map caps for 'edit_event'; this should be handled in the user meta cap function as denoted above. - Bail when there are no groups attached to an event. See #5.
Requires dynamically giving admins and mods the 'edit_others_events' capability. See #5.
|
Internally, we decided to give group admins and mods the ability to edit and delete events. See commit 37594b7. |
It should be possible to control access to an event or a calendar based on group membership/role. Here's what I wrote in the original CAC ticket:
What does EO currently do for visibility/access? Anything?
We should also control the ability to connect events to groups. This might be a hardcoded meta cap for now (eg,
groups_is_user_member()) but at some point this might be configurable by the group admin. BuddyPress Docs, for example, lets you set a minimum group role that a user must have in order to associate Docs with the group.The text was updated successfully, but these errors were encountered: