✨(calendar) add link to a CalDAV instance to accept events directly

Author: sylvinus

src/backend/core/api/openapi.json

@@ -691,3 +691,22 @@ def has_permission(self, request, view):
         return models.MailboxAccess.objects.filter(
             user=request.user, mailbox=view.kwargs.get("mailbox_id")
         ).exists()
+
+
+class HasWriteAccessToMailbox(IsAuthenticated):
+    """Allows access only to users with an editor-or-above role on the mailbox.
+
+    Use for state-changing endpoints whose effect is observable beyond the
+    mailbox itself (e.g. writing to the mailbox's CalDAV calendar, which a
+    VIEWER access shouldn't be able to do).
+    """
+
+    def has_permission(self, request, view):
+        if not super().has_permission(request, view):
+            return False
+
+        return models.MailboxAccess.objects.filter(
+            user=request.user,
+            mailbox=view.kwargs.get("mailbox_id"),
+            role__in=enums.MAILBOX_ROLES_CAN_EDIT,
+        ).exists()

src/backend/core/api/permissions.py

@@ -1965,6 +1965,10 @@ class Meta:
     # generators write directly to ``encrypted_settings`` instead.
     RESERVED_SETTINGS_KEYS = {
         enums.ChannelTypes.API_KEY: ["api_key_hashes"],
+        # CalDAV credentials must live in ``encrypted_settings``, never in
+        # the plaintext ``settings`` JSONField — a DB read would otherwise
+        # surface every user's CalDAV password.
+        enums.ChannelTypes.CALDAV: ["username", "password"],
     }
 
     def create(self, validated_data):