Is there anything wrong with the way I'm implementing a Calendar on my site?

Question

I am setting up a website for students of a school, which must include a schedule page which will show a calendar with events populated by feeds from various teachers' calendars. After trying out a variety of scripts and tools made for showing calendars, I finally hit upon a very shoddy, hacked-together way of doing it, and I want to know if theres any specific things wrong with my implementation.

My requirements from this calendar are posted in a previous question This is how my implementation is gonna work:

The teachers make their schedules in their own calendar programs and make those feeds available in the iCal format. A common Google account for the school subcribes to all these calendars, and so gets read only access to ALL the teacher's schedules in school. Google Calendar has a feature that lets you select some of your calendars, and then get the html code for an iframe to embed on your website, so that visitors to the site can see what events are coming up. When I experimented around with the options in the Google 'Configurator', I found that by simply including certain codes in the url called for the iframe contents, you could change which calendars were visible. These codes, or calendar ids, are clearly displayed in the settings for each calendar. Thus, my final solution is thus:

For every student, there is a record stating which courses he has taken, and hence which calendars he should be shown. With some SQL magic, I can retrieve the calendar ids from a pre-prepared database of all the calendar ids, and then generate the correct url for the iframe using php, and display it.

I hope that wasn't too convoluted to understand. Now can anyone tell me if there are any inherent security flaws or bad programming practices etc in this. Something about the whole idea of dynamically generating urls, using iframes, using a common google account etc just screams 'Mistake!'. Can someone tell me if this is an ok way to go about it, or is there some problem with it?

Answer 1

Actually, I think your solution has the potential to be very secure. Using a single google account to collect the read-only calendars into one place is just an organizational shortcut. As long as the calendars themselves are read-only, your single account contains nothing that isn't already public.

Generating URLs is perfectly reasonable, as long as you are combining strings that you've sanitized beforehand. Since your database can only get calendar IDs from your aggregation google account, you know that potentially malicious users can't cause arbitrary characters to end up in your synthesized URLs.

The biggest problem you'll probably run into is that the google embedded calendar iframe only allows up to ten calendar feeds.

The most likely security vulnerability you'll face is the security of all of the teachers' google calendars.

By default, google calendars accept "invitations" and post them as events. You might find that anyone can "invite" a teacher's calendar to prank events and those prank events will then show up on student calendars.