fix: managed orgs bookings by bookingUid #23183

Closed
romitg2 wants to merge 1 commit into calcom:main from romitg2:cal-6277

romitg2 (Member) commented Aug 19, 2025

What does this PR do?

Screenshot 2025-08-19 at 3 32 28 PM

Mandatory Tasks (DO NOT REMOVE)

  • I have self-reviewed the code (A decent size PR without self-review might be rejected).
  • I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. If N/A, write N/A here and check the checkbox.
  • I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

  • Are there environment variables that should be set?
  • What are the minimal test data to have?
  • What is expected (happy path) to have (input and output)?
  • Any other important info that could help to test that PR

Checklist

  • I haven't read the contributing guide
  • My code doesn't follow the style guidelines of this project
  • I haven't commented my code, particularly in hard-to-understand areas
  • I haven't checked if my changes generate no new warnings

@romitg2 romitg2 requested a review from a team August 19, 2025 10:20
@romitg2 romitg2 requested a review from a team as a code owner August 19, 2025 10:20

vercel bot commented Aug 19, 2025

@romitg2 is attempting to deploy a commit to the cal Team on Vercel.

A member of the Team first needs to authorize it.

coderabbitai bot commented Aug 19, 2025

Walkthrough

Adds bookingUid to the filter payload in InputBookingsService_2024_08_13.transformGetBookingsFilters to enable filtering bookings by UID. Introduces two e2e tests in managed-organizations-bookings.controller.e2e-spec.ts: one verifies fetching bookings by organizationId and bookingUid returns only the matching booking; another verifies a non-existent bookingUid returns an empty result. No public API signatures changed.

Assessment against linked issues

Objective Addressed Explanation
Apply bookingUid filter for managed organization bookings so organizations/:orgId/bookings?bookingUid=X returns only the matching booking (#23178, CAL-6277)

@graphite-app graphite-app bot added the community Created by Linear-GitHub Sync label Aug 19, 2025
@graphite-app graphite-app bot requested a review from a team August 19, 2025 10:20
@github-actions github-actions bot added api area: API, enterprise API, access token, OAuth bookings area: bookings, availability, timezones, double booking organizations area: organizations, orgs platform Anything related to our platform plan 🐛 bug Something isn't working labels Aug 19, 2025

graphite-app bot commented Aug 19, 2025

Graphite Automations

"Add consumer team as reviewer" took an action on this PR • (08/19/25)

1 reviewer was added to this PR based on Keith Williams's automation.

"Add community label" took an action on this PR • (08/19/25)

1 label was added to this PR based on Keith Williams's automation.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
apps/api/v2/src/modules/organizations/bookings/managed-organizations-bookings.controller.e2e-spec.ts (2)

525-556: Positive-path e2e test for bookingUid filter looks good

This verifies happy-path filtering by bookingUid for managed orgs and asserts the returned record matches the requested UID and org event type. Solid coverage.

Minor: the .then(async (response) => { … }) callback doesn’t need to be async since there are no awaits inside.


558-576: Good negative test — consider adding a cross-organization isolation check

Validates empty results for a non-existent bookingUid. To harden isolation, add a test ensuring a valid UID from a different organization does not leak through this endpoint.

Apply this diff to add the isolation test after the current block:

@@
       it("should return empty results for non-existent bookingUid", async () => {
         return request(app.getHttpServer())
           .get(`/v2/organizations/${managedOrganization.id}/bookings?bookingUid=non-existent-uid`)
           .set(CAL_API_VERSION_HEADER, VERSION_2024_08_13)
           .set(X_CAL_CLIENT_ID, oAuthClient.id)
           .set(X_CAL_SECRET_KEY, oAuthClient.secret)
           .expect(200)
           .then(async (response) => {
             const responseBody: GetBookingsOutput_2024_08_13 = response.body;
             expect(responseBody.status).toEqual(SUCCESS_STATUS);
             expect(responseBody.data).toBeDefined();
             const data: (
               | BookingOutput_2024_08_13
               | RecurringBookingOutput_2024_08_13
               | GetSeatedBookingOutput_2024_08_13
             )[] = responseBody.data;
             expect(data.length).toEqual(0);
           });
       });
+
+      it("should not return bookings from other organizations when bookingUid belongs to a different org", async () => {
+        // Fetch a booking from the manager organization
+        const managerBookingsResponse = await request(app.getHttpServer())
+          .get(`/v2/organizations/${managerOrganization.id}/bookings`)
+          .set(CAL_API_VERSION_HEADER, VERSION_2024_08_13)
+          .set(X_CAL_CLIENT_ID, oAuthClient.id)
+          .set(X_CAL_SECRET_KEY, oAuthClient.secret)
+          .expect(200);
+
+        const foreignUid = managerBookingsResponse.body.data[0].uid;
+
+        // Query managed org endpoint using a foreign org bookingUid -> should not return results
+        const response = await request(app.getHttpServer())
+          .get(`/v2/organizations/${managedOrganization.id}/bookings?bookingUid=${foreignUid}`)
+          .set(CAL_API_VERSION_HEADER, VERSION_2024_08_13)
+          .set(X_CAL_CLIENT_ID, oAuthClient.id)
+          .set(X_CAL_SECRET_KEY, oAuthClient.secret)
+          .expect(200);
+
+        const responseBody: GetBookingsOutput_2024_08_13 = response.body;
+        expect(responseBody.status).toEqual(SUCCESS_STATUS);
+        expect(responseBody.data).toBeDefined();
+        expect(responseBody.data.length).toEqual(0);
+      });
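
Review bot: In the added isolation test, `managerBookingsResponse.body.data[0].uid` is read without first asserting that the manager organization returned any bookings, so an empty fixture produces a TypeError instead of a clear assertion failure; add `expect(managerBookingsResponse.body.data.length).toBeGreaterThan(0)` before taking `foreignUid`. The test also never confirms that `foreignUid` is absent from the managed organization's own bookings. If the manager listing can include managed-org bookings, the final `toEqual(0)` would fail for a reason unrelated to isolation, so assert that precondition or use a UID known to belong only to the manager organization.
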
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 9e9f815 and 888695f.

📒 Files selected for processing (2)
  • apps/api/v2/src/ee/bookings/2024-08-13/services/input.service.ts (1 hunks)
  • apps/api/v2/src/modules/organizations/bookings/managed-organizations-bookings.controller.e2e-spec.ts (1 hunks)
🧰 Additional context used
📓 Path-based instructions (3)
**/*.ts

📄 CodeRabbit Inference Engine (.cursor/rules/review.mdc)

**/*.ts: For Prisma queries, only select data you need; never use include, always use select
Ensure the credential.key field is never returned from tRPC endpoints or APIs

Files:

  • apps/api/v2/src/modules/organizations/bookings/managed-organizations-bookings.controller.e2e-spec.ts
  • apps/api/v2/src/ee/bookings/2024-08-13/services/input.service.ts
**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/review.mdc)

Flag excessive Day.js use in performance-critical code; prefer native Date or Day.js .utc() in hot paths like loops

Files:

  • apps/api/v2/src/modules/organizations/bookings/managed-organizations-bookings.controller.e2e-spec.ts
  • apps/api/v2/src/ee/bookings/2024-08-13/services/input.service.ts
**/*.{service,repository}.ts

📄 CodeRabbit Inference Engine (.cursor/rules/review.mdc)

Avoid dot-suffixes like .service.ts or .repository.ts for new files; reserve .test.ts, .spec.ts, .types.ts for their specific purposes

Files:

  • apps/api/v2/src/ee/bookings/2024-08-13/services/input.service.ts
🧬 Code Graph Analysis (1)
apps/api/v2/src/modules/organizations/bookings/managed-organizations-bookings.controller.e2e-spec.ts (2)
packages/platform/constants/api.ts (5)
  • CAL_API_VERSION_HEADER (72-72)
  • VERSION_2024_08_13 (59-59)
  • X_CAL_CLIENT_ID (50-50)
  • X_CAL_SECRET_KEY (49-49)
  • SUCCESS_STATUS (9-9)
packages/platform/types/bookings/2024-08-13/outputs/booking.output.ts (3)
  • BookingOutput_2024_08_13 (280-306)
  • RecurringBookingOutput_2024_08_13 (308-323)
  • GetSeatedBookingOutput_2024_08_13 (325-331)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Install dependencies / Yarn install & cache
  • GitHub Check: Codacy Static Code Analysis
🔇 Additional comments (1)
apps/api/v2/src/ee/bookings/2024-08-13/services/input.service.ts (1)

692-707: Booking UID passthrough added — confirm downstream filter key

You’ve wired bookingUid: queryParams.bookingUid into transformGetBookingsFilters, but the shared listing helper (getAllUserBookings) or its underlying Kysely/Prisma query likely filters on the actual column name (uid), not bookingUid. Please verify that:

  • The getAllUserBookings function accepts a bookingUid field and maps it to where: { uid: … }, or
  • If it doesn’t, update transformGetBookingsFilters to emit uid: queryParams.bookingUid (or the correct filter key) instead of bookingUid.
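
The failure mode raised in the comment above, as an added TypeScript example that is not code from this PR or the Cal.com repository: a transform that forwards `bookingUid` to a helper that only reads `uid` drops the filter silently and returns every booking in the organization. The types, function names and sample bookings are hypothetical and constructed for illustration.

```typescript
// Added example; all names are hypothetical stand-ins, not Cal.com code.
type Booking = { uid: string; orgId: number };
type ListFilters = { orgId: number; uid?: string };
type Query = { bookingUid?: string };

// Constructed sample data: org 1 is the manager org, org 2 the managed org.
const BOOKINGS: Booking[] = [
  { uid: "bk-managed-1", orgId: 2 },
  { uid: "bk-managed-2", orgId: 2 },
  { uid: "bk-manager-1", orgId: 1 },
];

// Stand-in for a shared listing helper that only understands `uid`.
// The org scope is applied unconditionally, before any optional filter.
function listBookings(filters: ListFilters): Booking[] {
  return BOOKINGS.filter(
    (b) => b.orgId === filters.orgId && (filters.uid === undefined || b.uid === filters.uid)
  );
}

// Forwards the query key unchanged. This type-checks structurally, but the
// helper never reads `bookingUid`, so the filter is dropped without an error.
function transformPassthrough(orgId: number, query: Query): ListFilters {
  const filters = { orgId, bookingUid: query.bookingUid };
  return filters;
}

// Maps the public query key onto the key the helper actually filters on.
function transformMapped(orgId: number, query: Query): ListFilters {
  return query.bookingUid === undefined ? { orgId } : { orgId, uid: query.bookingUid };
}

// Returns only the UIDs a request for `bookingUid` would expose.
function uidsFor(transform: typeof transformMapped, orgId: number, bookingUid: string): string[] {
  return listBookings(transform(orgId, { bookingUid })).map((b) => b.uid);
}

console.log(uidsFor(transformPassthrough, 2, "bk-managed-1")); // filter ignored
console.log(uidsFor(transformMapped, 2, "bk-managed-1")); // single match
console.log(uidsFor(transformMapped, 2, "bk-manager-1")); // foreign UID, no rows
```

Because the organization scope does not depend on the optional filter, even the broken passthrough variant over-returns only within the requested organization; the mapped variant returns nothing for a UID owned by another organization.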

@romitg2 romitg2 closed this Aug 19, 2025

Development

Successfully merging this pull request may close these issues.

fix: managed orgs bookings by bookingUid