Currently users have to be granted permission to update all events displayed on the calendar or none at all. I think fullcalendar drap and drop updates should respect all entity permissions, eg. 'edit own content'. Bypassing these permissions really limits the use of drag and drop updating in many use cases.

Proposed resolution

Added an entity_access() check to fullcalendar_update and return a custom message to be displayed in fullcalendar-status div if it fails.

Remaining tasks

Though a separate and mutually exclusive issue, the functionality proposed in #1938350: Create a hook to validate/abort/alter events updated via ajax & allow return of basic status to fullcalendar display. would enhance this solution.

User interface changes

New message shown to calendar users on entity_access() fail.

API changes


Original report by [username]




slcp’s picture

Status: Active » Needs review
955 bytes
slcp’s picture

Status: Needs review » Needs work

Just seen: #1842550: _fullcalendar_update_access() expects entity (object), receives entity id (string) as menu access callback

I should probably be using _fullcalendar_update_access() here instead. Also remembered that entity is not in core anyway...roll on D8 :-)

Will remake this patch in the next couple of days.

slcp’s picture

Kinda misunderstood the access checks already taking place, not quite sure how I was reading them. Closed this as a duplicate of #1842550: _fullcalendar_update_access() expects entity (object), receives entity id (string) as menu access callback

slcp’s picture

Status: Needs work » Closed (duplicate)