We realized that yesterday someone created a set of events in a public category.
I just checked that the “Restricted event creation” proprietry was disabled so I set it enabled in order to avoid the user to create more events but he can pick another category number randomly and do it again.
“Restricted event creation” = true means that only the managers can create events. Is it right?
Is there a way to set the value to true to all the categories? We want to give the possibility only to staff members set as managers to create events.
I attache the log file
Alberto Nardella indico.log.gz (407.6 KB)
I had completely forgotten this feature (everyone can create an event).
Is it still useful these days?
(I guess it was, in the very beginning when InDiCo or CDS-agenda users had to be approved manually before they could gain acces to the system.) A system which needs wide-open event-creation permissions today would probably base its user registry on an existing LDAP or OAuth instance.
I would like to propose to remove the possibility to create events for unauthentified users completely.
Unauthenticated guests cannot create events. But any logged-in user can. I think the most logical change would be to default to restricted event creation on the root category - IIRC. we copy this setting when creating subcategories, so this would lead to a more secure default on any new installation.