search envelope-o feed check
Home Unanswered Active Tags New Question
user comment-o

Calendar for different users? (Users can only view/edit their own events)

Asked by Sam Ellis
5 years ago.

Hello,

I'm working on an in house calendaring solution and DayPilot looks like a great option but I'm not able to find any information on how membership is best implemented. We have various users that will be scheduling their own appointments for their own work areas and we do not want the other users to be able to see their events. Additionally, we'd like to have some users who can help schedule for a few of the other employees.

I've read around the site and KB some but haven't found a good answer. Any thoughts on how this is best accomplished? We currently have a .NET MVC app in place that uses the built in authentication engine and we'd like to integrate it with that if possible. Is it just a matter of adding a foreign key to each event that is associated with the user such that users can only use CRUD functions on their own events and then setup the administrative users to have access to events with specific user foreign keys?

Thanks in advance for any input!
Sam

Answer posted by Dan Letecky [DayPilot]
5 years ago.

This has to be done on several levels:

1. You can use the authentication system you already have in place to identify the current user.

2. Let's simplify the authorization rules (ACL) to general "roles" (this is supported but the MVC membership system; I'm not sure if it goes deeper, i.e. rules applied to specific objects).

3. In the controller that handles the calendar backend, you need to check the permissions to read and write to the calendars. In the simplified model, the users can always access her own events (where event owner = logged user) and the users in the administrator role can access any event.

4. You need to do the same for the calendar views (but remember that this is not enough, you always need to do #3 because it's not safe to only disable it in the UI). Display the events only to their owners. Display all events if the user is in the administrator role. Depending on the view type, this will mean a limited SELECT when reading the events or resources (for the Scheduler).

By default, all the controls have the editing handlers disabled (e.g. EventMoveHandling = Disabled) so only enable them when the user has the permissions.

This question is more than 6 months old and has been closed. Please create a new question if you have anything to add.