Some of the files they need to keep updated/maintained are PHP files.
I believe I'm getting closer to finding a solution, just need some help figuring this part out. I found a php.ini directive called open_basedir:
http://www.php.net/manual/en/ini.core.php#ini.open-basedir
open_basedir basically allows you to restrict what directories a PHP file can access through include(), fopen(), etc., exactly what I'm looking for. So I went into my php.ini file in the "calendar" directory, found open_basedir, and set it to restrict PHP files in the "calendar" directory from accessing files outside of that directory like so -
html/calendar/php.ini:
open_basedir = /home/user/html/calendar/
It worked great and prevented any PHP file within the "calendar" directory from using the include() function to include files outside of that directory.
But here's the problem: If one of the users with access to the "calendar" directory wanted to, they could simply turn open_basedir Off in the php.ini file, since the php.ini file with that open_basedir restriction resides in the "calendar" directory.
So my question now becomes: could open_basedir be activated in a php.ini file (or through some other means) outside of the "calendar" directory? It's kind of pointless to have the restriction set in a location that users can access anyway.
My hosting provider, BlueHost, does have the option for using a single php.ini file (as in, you can set it so that there's just a single php.ini file located in html/php.ini which all directories use) if that would be of any help.
If someone could point me in the right direction or if you have any other suggestions, feel free to post.