Reputation: 49
I am developing an application that gives users an option to grant my application access rights to add/modify events in their calendars. I am obtaining access rights to user calendars using OAuth2, gaining access to the scopes https://www.googleapis.com/auth/calendar and https://www.googleapis.com/auth/calendar.events. Once a user connects his/her calendar I pull some events so that they can work with them in my app. All of this works fine.
The issue I have is: how do I accurately determine if a user can move the event? I started by comparing the organizer.email field with the connected Google calendar email address and this works fine; however, there are still instances where certain users have events where they are not the organizers that they can still move in the Google calendar interface but not in my app because of situations like this:
So relying on organizer.email is wrong; it provides an incorrect result.
But what is the alternative?
I cannot check my user's access rights to the calendar the event originates from because I don't have any information about the calendar the event originates from. This information is not in the event object and even if that would be possible I'm not sure if the access key my user has would allow me to modify events in that calendar even if he has access?
I tried moving the event and checking if this will work but this results in moving the event in the user calendar and not the original calendar. The SDK call doesn't seem to return any information indicating that only the event 'copy' was moved, unfortunately, which would be perfect for me. Surprisingly, if I do that via the Google calendar UI I do get the warning:
If anyone has any ideas on how I can tackle this I would appreciate the help.
Upvotes: 0
Views: 49
Reputation: 532
When determining if a user possesses the necessary permissions to modify or move an event within Google Calendar, it is not sufficient to simply compare the organizer.email field with the user's email. There are multiple scenarios where a user might have the authority to modify events they did not personally create. This can occur due to the various roles and access levels granted to the user.
Consider this approach to verify user permissions:
Use the Calendar API to fetch the user's access role for the calendar containing the event. The CalendarList: get method returns a CalendarListEntry resource, which includes the accessRole field indicating the user's permission level on the calendar.
The CalendarList: get documentation indicates that it returns the user's access role for a given calendar. This access role can then be used to verify if the user can modify an event.
The access roles are as follows:
API Method: GET https://www.googleapis.com/calendar/v3/users/me/calendarList/calendarId
Therefore, a user can modify events in a calendar if they have the owner or writer access role.
Then, check the event's guestsCanModify property. This is necessary even if a user has write access to a calendar, as individual events may have specific restrictions.
API Method: GET https://www.googleapis.com/calendar/v3/calendars/calendarId/events/eventId
Response Field: guestsCanModify (boolean)
Therefore, attendees can modify the event if guestsCanModify is set to true.
Note on the accessRole and guestsCanModify properties:
If the accessRole is owner or writer, the user can modify the event.
If the accessRole is reader or lower, the user can modify the event only if guestsCanModify is true.
Upvotes: 0
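The two checks from the answer above, combined into one decision, as an added example that is not part of the original answer or of Google's SDK. It additionally reads the Event resource's organizer.self field to single out the case from the question where only the user's copy moves; the verdict names and the sample resources are constructed, and the API's response to the actual write remains the final authority.

```python
# Added example. Field names (accessRole, guestsCanModify, organizer.self) are
# Calendar API resource fields; verdict labels and samples are constructed.
WRITE_ROLES = {"owner", "writer"}
READ_ROLES = {"reader", "freeBusyReader"}


def edit_verdict(calendar_entry, event):
    """Classify an edit of `event` as 'shared', 'copy_only' or 'denied'.

    calendar_entry: CalendarListEntry dict (CalendarList: get response)
    event:          Event dict (Events: get response)
    """
    role = calendar_entry.get("accessRole")
    # Both booleans are optional and default to False, so only a literal
    # True counts; a string such as "true" does not.
    guests_can_modify = event.get("guestsCanModify") is True
    organizer_is_this_calendar = (event.get("organizer") or {}).get("self") is True

    if role in WRITE_ROLES:
        if organizer_is_this_calendar or guests_can_modify:
            return "shared"     # the edit changes the event every attendee sees
        return "copy_only"      # case from the question: only the user's copy moves
    if role in READ_ROLES:
        # Rule as stated in the answer: below writer, guestsCanModify decides.
        return "shared" if guests_can_modify else "denied"
    return "denied"             # unknown or missing role: default deny


# Constructed sample resources (not real API output).
PRIMARY = {"id": "user@example.com", "accessRole": "owner"}
SUBSCRIBED = {"id": "team@example.com", "accessRole": "reader"}
OWN_EVENT = {"id": "evt1", "organizer": {"email": "user@example.com", "self": True}}
INVITED = {"id": "evt2", "organizer": {"email": "boss@example.com"}}
INVITED_OPEN = {"id": "evt3", "organizer": {"email": "boss@example.com"},
                "guestsCanModify": True}

if __name__ == "__main__":
    for cal, ev in [(PRIMARY, OWN_EVENT), (PRIMARY, INVITED),
                    (PRIMARY, INVITED_OPEN), (SUBSCRIBED, INVITED)]:
        print(cal["accessRole"], ev["id"], "->", edit_verdict(cal, ev))
```

An app can warn before a move when the verdict is copy_only, and should still handle an error from the write call itself.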