NotificationsYou must be signed in to change notification settings
Fork11.2k
Star39k

fix: Grab booking organizer credentials when team admins request reschedule#24645

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Jump to bottom

Merged

Udit-takkar merged 25 commits intomainfromfix-request-reschedule-by-non-organizer

Nov 25, 2025

Merged

fix: Grab booking organizer credentials when team admins request reschedule#24645

Udit-takkar merged 25 commits intomainfromfix-request-reschedule-by-non-organizer

Nov 25, 2025

Conversation

Copy link

Contributor

joeauyeung commentedOct 22, 2025•
edited by cubic-dev-aibot
Loading

What does this PR do?

When requesting reschedule for a booking, grab the booking organizer credentials to delete calendar events, instead of the user initiating the reschedule request
Fixing naming convention around request reschedule frombookingUId tobookingUid inline with other places in the codebase

Mandatory Tasks (DO NOT REMOVE)

I have self-reviewed the code (A decent size PR without self-review might be rejected).
I have updated the developer docs in /docs if this PR makes changes that would require adocumentation change. If N/A, write N/A here and check the checkbox.
I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

Create a team booking with a calendar event
Request reschedule for the booking as a team admin

Summary by cubic

Fixes reschedule requests for team bookings by using the organizer’s credentials to cancel calendar/video events and enforcing permissions. Also switches the API input to bookingUid.

Bug Fixes
- Use booking organizer credentials to delete calendar/video events on reschedule.
- Enforce team permissions with booking.update for admins/owners; block unauthorized users.
- Prevent reschedule on cancelled or rejected bookings.
Migration
- requestReschedule input renamed: bookingId -> bookingUid.

^{Written for commit78d994e. Summary will update automatically on new commits.}

joeauyeung added11 commits

October 22, 2025 13:57

Change arg name frombookingUId tobookingUid

f70cda5

Lint fix

11ec0c4

UseBookingRepository to find booking to reschedule

da47659

Move early return further up if no booking is found

ae136be

UsePermissionCheckService if request rescheduling a team booking

27c7b0a

Remove redundent check

0b0f8ef

Remove redundent eventType query

aac9bd8

UsingBookingRepository to update the booking to rescheduled

8af5203

Update type ingetUsersCredentialsIncludeServiceAccountKey to only

c998afd

require params that are required

Get booking organizer credentials

c2f810b

Type fixes

7b3061b

pull-request-sizebot added the size/L label

Oct 22, 2025

keithwillcode added core

area: core, team members only

enterprisearea: enterprise, audit log, organisation, SAML, SSO labels

Oct 22, 2025

vercelbotdeployed toPreview – dev

October 22, 2025 19:06

View deployment

devin-ai-integrationbot added a commit that referenced this pull request

Oct 22, 2025

test: Add tests for team admin request reschedule with organizer cred…

23a8efc

…entials- Add test for team admin requesting reschedule with proper permissions- Add test verifying organizer's credentials are used (not requester's)- Add test for team member without permissions (should fail)These tests cover the fix in PR#24645 which ensures that when a team adminrequests a reschedule, the booking organizer's credentials are used to deletecalendar events instead of the requester's credentials.Co-Authored-By: joe@cal.com <j.auyeung419@gmail.com>

joeauyeung mentioned this pull request

Oct 22, 2025

test: Add tests for team admin request reschedule with organizer credentials#24646

Closed

7 tasks

test: Add tests for team admin request reschedule with organizer cred…

3201583

…entials- Add test for team admin requesting reschedule with proper permissions- Add test verifying organizer's credentials are used (not requester's)- Add test for team member without permissions (should fail)These tests cover the fix in PR#24645 which ensures that when a team adminrequests a reschedule, the booking organizer's credentials are used to deletecalendar events instead of the requester's credentials.Co-Authored-By: joe@cal.com <j.auyeung419@gmail.com>

pull-request-sizebot added size/XL and removed size/L labels

Oct 23, 2025

Copy link

vercelbot commentedOct 23, 2025•
edited
Loading

The latest updates on your projects. Learn more aboutVercel for GitHub.

2 Skipped Deployments

Project	Deployment	Preview	Comments	Updated (UTC)
cal	Ignored			Nov 25, 2025 7:00am
cal-eu	Ignored			Nov 25, 2025 7:00am

vercelbothad a problem deploying toPreview – dev

October 23, 2025 17:48

Failure

Merge branch

2beca4c

joeauyeung added the ready-for-e2e label

Oct 28, 2025

Copy link

Contributor

github-actionsbot commentedOct 28, 2025•
edited
Loading

E2E results are ready!

Workflow #89964.1 latest results

vercelbothad a problem deploying toPreview – dev

October 28, 2025 17:36

Failure

joeauyeung commented

Oct 28, 2025

View reviewed changes

apps/web/components/booking/BookingListItem.tsx Outdated

		isOpenDialog={isOpenRescheduleDialog}
		setIsOpenDialog={setIsOpenRescheduleDialog}
		bookingUId={booking.uid}
		bookingUid={booking.uid}

Copy link

ContributorAuthor

joeauyeungOct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Throughout the codebase we usebookingUid so cleaning this up to be more consistent.

apps/web/components/dialog/RescheduleDialog.tsx

		onClick={()=>{
		rescheduleApi({
		bookingId,
		bookingUid,

Copy link

ContributorAuthor

joeauyeungOct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

We're actually passing thebookingUid instead of the id here so cleaning this up to be more clear.

packages/app-store/delegationCredential.ts Outdated

		* It includes in-memory DelegationCredential credentials as well.
		*/
		exportasyncfunctiongetUsersCredentialsIncludeServiceAccountKey(user:User){
		exportasyncfunctiongetUsersCredentialsIncludeServiceAccountKey(user:{id:number;email:string}){

Copy link

ContributorAuthor

joeauyeungOct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Changed the type here to only require the params that are used in the function rather than the broaderUser type

packages/features/bookings/repositories/BookingRepository.ts

Copy link

ContributorAuthor

joeauyeungOct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Moved these two prisma calls fromrequestReschedule.handler to theBookingRepository

packages/trpc/server/routers/viewer/bookings/requestReschedule.handler.ts Outdated

		constbookingToReschedule=awaitbookingRepository.findBookingForRequestReschedule({ bookingUid});

		if(!bookingToReschedule.userId){
		if(!bookingToReschedule)return;

Copy link

ContributorAuthor

joeauyeungOct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Moved this early return right after when the query is made.

Copy link

Member

hariombalharaNov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

findBookingForRequestReschedule already throws when it can't find the booking, so this is probably dead code

packages/trpc/server/routers/viewer/bookings/requestReschedule.handler.ts

Comment on lines +67 to +74

		if(!isBookingOrganizer&&bookingBelongsToTeam&&bookingToReschedule.eventType?.teamId){
		constpermissionCheckService=newPermissionCheckService();
		consthasPermission=awaitpermissionCheckService.checkPermission({
		userId:user.id,
		teamId:bookingToReschedule.eventType.teamId,
		permission:"booking.update",
		fallbackRoles:["ADMIN","OWNER"],
		});

Copy link

ContributorAuthor

joeauyeungOct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Replaced this manual check with thePermissionCheckService. Shoutout@sean-brydon

Merge branch 'main' into fix-request-reschedule-by-non-organizer

c39ee0b

vercelbothad a problem deploying toPreview – dev

October 28, 2025 20:25

Failure

Merge branch 'main' into fix-request-reschedule-by-non-organizer

f18d8df

cubic-dev-aibot reviewed

Nov 10, 2025

View reviewed changes

Copy link

Contributor

cubic-dev-aibot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

No issues found across 6 files

Merge branch 'main' into fix-request-reschedule-by-non-organizer

af438b5

vercelbotdeployed toPreview – dev

November 11, 2025 21:40

View deployment

Udit-takkar reviewed

Nov 14, 2025

View reviewed changes

packages/trpc/server/routers/viewer/bookings/requestReschedule.handler.ts

		}

		constbookingBelongsToTeam=!!bookingToReschedule.eventType?.teamId;
		constisBookingOrganizer=bookingToReschedule.userId===user.id;

Copy link

Contributor

Udit-takkarNov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

In case of multiple hosts (collective or round robin event type) thenisBookingOrganizer would be false in case the second host clicks on request reschedule