Brian Moseley wrote:
we had this argument a couple months ago bro ;)
Hmm, I distinctly remember trying that 'we already had this argument' thing on you before. Didn't have much effect on you, if memory serves. :) Seems like whatever discussion y'all had before didn't settle the issue, or we wouldn't be talking about it again. Apologies though for not following it closely the last time around.
I'm simply saying that single-click easy access to a calendar (including full write privileges), without also providing users a straightforward way to lock it down, is a huge, obvious security hole. And when bad things happen to users' shared calendars, it will give us a black eye.
I understand that it adds a lot of extra complexity to the security model. It just seems like the ability to password-protect stuff (i.e., provide an obvious way to use something distinctly different from the URL) is a pretty fundamental facility to expect for anything Web-based.
M. _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Open Source Applications Foundation "Design" mailing list http://lists.osafoundation.org/mailman/listinfo/design
