
Multiple users and security problem: msg#00001

php.phpicalendar.devel

Subject: Multiple users and security problem

I couldn't find an answer in the README or the list archives, so here goes. I'm using WebDAV to allow folks to publish calendars, but I've created a structure like this:

/var/www/calendars/public/user1 user2 etc.
/var/www/calendars/private/user1 user2 etc.

In an httpd conf file I have the directory options set so that anybody can read public calendars but only the user can publish; for private calendars, only the user can read and publish.

What I'd like to do is use phpicalendar so that each user could see his/her public calendars combined, but I haven't been able to find a way to do that. It seems I would have to have a separate config file for each to point to the user's public calendar directory.

Just playing around, I pointed to /var/www/calendars as the path to calendars. I then noticed that I could add "month.php?cal=public/user1/calendarname" to display a particular calendar, but not combined calendars.

Then I noticed that I could even do "month.php?cal=private/user1/privatecalendar" and the calendar would display, even though I was not authenticated (HTTP Basic). I assumed it would not display since trying to access it directly in a browser prompts for credentials.

Is there any way to have each user's public directory be the "root" as defined in the config.inc.php? I'm a little concerned about the private directory being readable through phpicalendar, but for now it's no big deal since I can just exclude it from the path.

Advice or suggestions are most welcome.

Thanks,
Todd
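
Added example, not part of the original message and not phpicalendar code: the HTTP Basic rules in the httpd configuration cover requests for the calendar URLs, while a PHP script that opens the same files from disk is limited only by filesystem permissions, so the script has to make the access decision itself. The sketch below shows one such check for the public/private layout described above; `resolve_calendar()`, its parameters, and the `.ics` file extension are assumptions made for illustration.

```php
<?php
// Added example; resolve_calendar() and its parameters are hypothetical,
// not phpicalendar functions. Assumes calendars are stored as <name>.ics.
function resolve_calendar(string $base, string $cal, ?string $authUser): ?string
{
    // Accept only <public|private>/<owner>/<calendar>; this also rejects "..".
    if (!preg_match('#^(public|private)/([A-Za-z0-9_-]+)/([A-Za-z0-9 _-]+)$#D', $cal, $m)) {
        return null;
    }
    [, $scope, $owner, $name] = $m;

    // The script, not the web server, has to enforce who may read private/.
    if ($scope === 'private' && $authUser !== $owner) {
        return null;
    }

    // Resolve symlinks and confirm the file really sits in the owner's directory.
    $root = realpath("$base/$scope/$owner");
    $file = realpath("$base/$scope/$owner/$name.ics");
    if ($root === false || $file === false) {
        return null;
    }
    if (strncmp($file, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Constructed demo tree mirroring the layout in the message.
$base = sys_get_temp_dir() . '/caldemo_' . getmypid();
foreach (['public/user1', 'private/user1'] as $dir) {
    mkdir("$base/$dir", 0700, true);
}
file_put_contents("$base/public/user1/work.ics", "BEGIN:VCALENDAR\nEND:VCALENDAR\n");
file_put_contents("$base/private/user1/home.ics", "BEGIN:VCALENDAR\nEND:VCALENDAR\n");

// In a real request $authUser would be the name the web server authenticated
// (for example $_SERVER['REMOTE_USER']), or null for an anonymous visitor.
$cases = [
    ['public/user1/work', null],
    ['private/user1/home', null],
    ['private/user1/home', 'user1'],
    ['private/user1/home', 'user2'],
    ['public/user1/../../private/user1/home', null],
];
foreach ($cases as [$cal, $user]) {
    $ok = resolve_calendar($base, $cal, $user) !== null;
    printf("%-40s user=%-6s %s\n", $cal, $user ?? '-', $ok ? 'allowed' : 'denied');
}
```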

