calendar page is not protected

[ghost]

When using this plugin with the calendar plugin, the route /calendar is unprotected allowing unregistered/guest visitors access.

[ghost]

Which is strange as looking at the code here, I don't see how this happens.

[LM1LC3N7]

Indeed the code should not allow this url. The only explaination I see is that maybe this url is declared before my plugin control which URL is allowed or not. You can check with the calendar dev team or on the forum.

[LM1LC3N7]

This is because of these kinds of errors that I have switched to a discourse forum. My needs was to have a private forum and as you can see this plugin seems not enough even if a nodebb dev helped me on their forum.

[ghost]

I'll see if I can figure it out.

[LM1LC3N7]

You can start the forum in dev mode and see if the request for calendar is serve before this plugin in invoked.

[LM1LC3N7]

Hello, can you try again with the latest version 1.3.0?

[ghost]

Yes, today. Sorry for the delay, I haven't had time recently.

[ghost]

This one is still present in the recent version, I will check the order plugins are loading as soon as I can. Might not be for a couple days though.

[LM1LC3N7]

Also can you describe what is publicly visible? I tried the calendar plugin (that is using an old nodebb code) and did not understand what was not protected.

[ghost]

Just the calendar page itself, I assumed it would redirect to the login page.

You can see at https://lavender.colloquy.ca/calendar

[ghost]

Quick update, I verified with a test event that the events are publicly visible as well.

[LM1LC3N7]

I also installed the module and tried to update my plugin to catch the calendar loading event, and did not succeed for now.