Non-admin CRUD for events + rollup security fix

[Copilot]

Adds non-admin views for managing individual Event objects (requires PPerm.edit_events), replacing the need to use the Django admin for basic event management. Also patches a path traversal vulnerability in rollup.

Event CRUD views (course/calendar.py)

• list_events — lists all course events ordered by kind/ordinal/time
• edit_event — create (event_id=-1) or update an existing event via SingleEventForm (ModelForm excluding course); redirects to list on success
• delete_event — GET shows confirmation, POST deletes and redirects to list

All views guard with PPerm.edit_events and reject cross-course access with SuspiciousOperation.

URLs (relate/urls.py)

/course/<id>/events/                   → list_events
/course/<id>/events/<event_id>/edit/   → edit_event  (-1 = new)
/course/<id>/events/<event_id>/delete/ → delete_event

Template (course/templates/course/events-list.html)

Table of events with kind, ordinal, start/end time, flags, and Edit/Delete action buttons.

Security

Updated rollup from 4.57.1 → 4.59.0 to fix an arbitrary file write via path traversal vulnerability (affected >= 4.0.0, < 4.59.0).

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Non-admin CRUD for events</issue_title>
<issue_description></issue_description>

Comments on the Issue (you are @copilot in this section)

@inducer Intro project for Paul

• Fixes Non-admin CRUD for events #322

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.