fix: Ignore userIds from filter segment if no permission #24194

Merged
anikdhabal merged 15 commits into main from issue#CAL-6491
Nov 5, 2025

Conversation

@anikdhabal
Contributor

@anikdhabal anikdhabal commented Oct 1, 2025

Fixes #24172
Fixes #24167

@anikdhabal anikdhabal requested a review from a team as a code owner October 1, 2025 07:37
@linear

linear bot commented Oct 1, 2025

@coderabbitai
Contributor

coderabbitai bot commented Oct 1, 2025

Walkthrough

The bookings GET handler now fetches user IDs and emails for which the requester is an admin/owner, filters incoming userIds to only those IDs plus the requester’s own ID, and applies that filtered list when building booking queries. The prior FORBIDDEN guard that errored on out-of-scope userIds was removed so unauthorized IDs are ignored. The admin/owner lookup was moved out of the earlier Promise.all into a dedicated fetch and Promise.all was updated; the unioned booking subqueries and subsequent dynamic filters (event types, attendees, statuses, dates) remain unchanged.


Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)
  • Out of Scope Changes Check (⚠️ Warning): The PR removes two end-to-end tests from the organization bookings controller spec that are unrelated to the linked issues' objective of filtering unauthorized userIds in viewer bookings, constituting out-of-scope changes. Resolution: Restore or justify the removal of the organization bookings tests in a separate change or include an explanation for why they are affected by the permission filter update.
  • Docstring Coverage (⚠️ Warning): Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: You can run `@coderabbitai generate docstrings` to improve docstring coverage.
✅ Passed checks (3 passed)
  • Title Check (✅ Passed): The title clearly describes the core change of ignoring userIds in a filter segment when the user lacks permission, matching the primary objective of the PR.
  • Linked Issues Check (✅ Passed): The PR implements the linked issue's primary objective by filtering out unauthorized userIds instead of throwing an error when building the bookings query, aligning with issues #24172 and CAL-6491.
  • Description Check (✅ Passed): The description references the linked issue that corresponds to the change, confirming it is related to the modifications implemented in this PR.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 3f2f066 and e365155.

📒 Files selected for processing (1)
  • apps/api/v2/src/modules/organizations/bookings/organizations-bookings.controller.e2e-spec.ts (0 hunks)
💤 Files with no reviewable changes (1)
  • apps/api/v2/src/modules/organizations/bookings/organizations-bookings.controller.e2e-spec.ts
⏰ Context from checks skipped due to timeout of 180000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Codacy Static Code Analysis

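The walkthrough above describes the permission rule the handler now applies: incoming userIds are intersected with the set the requester may query (the users they administer plus their own id) and out-of-scope ids are dropped instead of triggering FORBIDDEN. The following is an added example written for this page, not code from cal.com's get.handler.ts; the `Requester`, `AdminScope`, function names and the sample ids are assumptions, and the admin scope is constructed in memory where the real handler fetches it from the database.

```typescript
// Added example (not cal.com's code): the permission-scoping rule described in
// the PR walkthrough, with the "before" (throw FORBIDDEN) and "after" (drop
// silently) behaviours side by side. All names and sample values are assumed.

interface Requester {
  id: number;
}

// Hypothetical shape: ids of the users the requester administers (admin/owner
// of their team or org). This set must be derived server-side from the
// requester's own memberships, never from anything in the request.
type AdminScope = ReadonlySet<number>;

// "Before": any userId outside the requester's scope aborts the whole request.
export function scopeUserIdsStrict(
  requester: Requester,
  adminScope: AdminScope,
  requestedUserIds: number[]
): number[] {
  for (const id of requestedUserIds) {
    if (id !== requester.id && !adminScope.has(id)) {
      throw new Error("FORBIDDEN: userId outside requester's admin scope");
    }
  }
  return requestedUserIds;
}

// "After": keep only ids the requester may query (own id plus administered
// ids), drop everything else without failing, and de-duplicate what survives.
// Only the returned list may reach the booking query.
export function scopeUserIdsLenient(
  requester: Requester,
  adminScope: AdminScope,
  requestedUserIds: number[]
): number[] {
  const allowed = new Set<number>(adminScope);
  allowed.add(requester.id);
  const seen = new Set<number>();
  const result: number[] = [];
  for (const id of requestedUserIds) {
    if (allowed.has(id) && !seen.has(id)) {
      seen.add(id);
      result.push(id);
    }
  }
  return result;
}

// Constructed sample (not real data): requester 7 administers users 12 and 15;
// a saved filter segment still references user 99, whose membership was
// removed, and repeats user 12.
export const SAMPLE_REQUESTER: Requester = { id: 7 };
export const SAMPLE_SCOPE: AdminScope = new Set([12, 15]);
export const STALE_SEGMENT_USER_IDS = [12, 99, 7, 12];

export interface Comparison {
  strictThrew: boolean;
  lenient: number[];
}

// Runs both variants over the stale segment so the difference is observable:
// the strict variant rejects the request, the lenient one yields [12, 7].
export function compareBehaviours(): Comparison {
  let strictThrew = false;
  try {
    scopeUserIdsStrict(SAMPLE_REQUESTER, SAMPLE_SCOPE, STALE_SEGMENT_USER_IDS);
  } catch {
    strictThrew = true;
  }
  return {
    strictThrew,
    lenient: scopeUserIdsLenient(SAMPLE_REQUESTER, SAMPLE_SCOPE, STALE_SEGMENT_USER_IDS),
  };
}

console.log(JSON.stringify(compareBehaviours()));
```

Two things the page leaves to the caller: what happens when the filtered list is empty (the query must not fall back to the unfiltered input; whether it returns nothing or only the requester's own bookings is a product decision), and whether dropped ids are counted or logged, which is cheap and gives a signal if a client repeatedly submits ids outside its scope.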

@graphite-app graphite-app bot requested a review from a team October 1, 2025 07:37
@keithwillcode keithwillcode added the "core" (area: core, team members only) label Oct 1, 2025
@vercel

vercel bot commented Oct 1, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments
  • cal: deployment Ignored, preview Ignored, updated Nov 4, 2025 3:57pm (UTC)
  • cal-eu: deployment Ignored, preview Ignored, updated Nov 4, 2025 3:57pm (UTC)

@dosubot dosubot bot added the "bookings" (area: bookings, availability, timezones, double booking) and "🐛 bug" (Something isn't working) labels Oct 1, 2025
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 43cc40d and 566eff3.

📒 Files selected for processing (1)
  • packages/trpc/server/routers/viewer/bookings/get.handler.ts (1 hunks)
🧰 Additional context used
📓 Path-based instructions (3)
**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/review.mdc)

**/*.ts: For Prisma queries, only select data you need; never use include, always use select
Ensure the credential.key field is never returned from tRPC endpoints or APIs

Files:

  • packages/trpc/server/routers/viewer/bookings/get.handler.ts
**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/review.mdc)

Flag excessive Day.js use in performance-critical code; prefer native Date or Day.js .utc() in hot paths like loops

Files:

  • packages/trpc/server/routers/viewer/bookings/get.handler.ts
**/*.{ts,tsx,js,jsx}

⚙️ CodeRabbit configuration file

Flag default exports and encourage named exports. Named exports provide better tree-shaking, easier refactoring, and clearer imports. Exempt main components like pages, layouts, and components that serve as the primary export of a module.

Files:

  • packages/trpc/server/routers/viewer/bookings/get.handler.ts
🧠 Learnings (1)
📚 Learning: 2025-08-26T08:08:23.395Z
Learnt from: SinghaAnirban005
PR: calcom/cal.com#23343
File: packages/features/insights/server/trpc-router.ts:1080-1101
Timestamp: 2025-08-26T08:08:23.395Z
Learning: In packages/features/insights/server/trpc-router.ts, when filtering personal event types (userId provided, no teamId, not isAll), the query correctly uses user.id (authenticated user) instead of the input userId parameter for security reasons. This prevents users from accessing other users' personal event types by passing arbitrary user IDs.

Applied to files:

  • packages/trpc/server/routers/viewer/bookings/get.handler.ts
⏰ Context from checks skipped due to timeout of 180000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Type check / check-types
  • GitHub Check: Tests / Unit
  • GitHub Check: Linters / lint

@github-actions github-actions bot added the "consumer" and "High priority" (Created by Linear-GitHub Sync) labels Oct 1, 2025
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (2)
apps/web/playwright/booking-filters.e2e.ts (2)

123-135: Consider waiting for the API response after reload to avoid flakiness.

After page.reload(), the test immediately checks for UI elements but doesn't explicitly wait for the /api/trpc/bookings/get response like earlier in the test (lines 86-92). This could lead to flaky assertions if the UI renders before data loads.

Apply this diff to add the response wait:

     await test.step("Verify filter segment still works and UI is not stuck", async () => {
+      const bookingsGetResponseReload = page.waitForResponse((response) =>
+        /\/api\/trpc\/bookings\/get.*/.test(response.url())
+      );
       await page.reload();
       await page.waitForLoadState("domcontentloaded");
+      await bookingsGetResponseReload;
 
       await expect(dataTable).toBeVisible();
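Review bot: The predicate `/\/api\/trpc\/bookings\/get.*/.test(response.url())` matches on URL alone, so a non-2xx bookings response after the reload still satisfies `await bookingsGetResponseReload` and the test proceeds to `await expect(dataTable).toBeVisible()` on whatever the UI rendered; suggest capturing the response and asserting its status first, e.g. `const reloadResponse = await bookingsGetResponseReload;` followed by `expect(reloadResponse.ok()).toBeTruthy();`. Separately, `page.reload()` already resolves after the load event by default, so the `await page.waitForLoadState("domcontentloaded")` that follows it is redundant and could be dropped.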

132-132: Clarify the purpose of the Escape key press.

The Escape key press at line 132 appears disconnected from the surrounding assertions. If it's intended to close a dialog or dropdown that might interfere with the permission message check, consider adding a comment to explain its purpose.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between cb0f9e0 and a695701.

📒 Files selected for processing (1)
  • apps/web/playwright/booking-filters.e2e.ts (2 hunks)
🧰 Additional context used
📓 Path-based instructions (3)
**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/review.mdc)

**/*.ts: For Prisma queries, only select data you need; never use include, always use select
Ensure the credential.key field is never returned from tRPC endpoints or APIs

Files:

  • apps/web/playwright/booking-filters.e2e.ts
**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/review.mdc)

Flag excessive Day.js use in performance-critical code; prefer native Date or Day.js .utc() in hot paths like loops

Files:

  • apps/web/playwright/booking-filters.e2e.ts
**/*.{ts,tsx,js,jsx}

⚙️ CodeRabbit configuration file

Flag default exports and encourage named exports. Named exports provide better tree-shaking, easier refactoring, and clearer imports. Exempt main components like pages, layouts, and components that serve as the primary export of a module.

Files:

  • apps/web/playwright/booking-filters.e2e.ts
🧬 Code graph analysis (1)
apps/web/playwright/booking-filters.e2e.ts (1)
packages/platform/libraries/index.ts (1)
  • MembershipRole (34-34)
⏰ Context from checks skipped due to timeout of 180000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Install dependencies / Yarn install & cache
  • GitHub Check: Codacy Static Code Analysis
🔇 Additional comments (3)
apps/web/playwright/booking-filters.e2e.ts (3)

3-3: LGTM!

The import is necessary for role-based test setup and follows the project's naming conventions.


59-82: Well-structured test setup.

The test properly creates a team owner and two members with explicit roles. Using createMany for memberships is efficient and the accepted: true flag ensures the memberships are active for the test scenario.


54-136: Excellent E2E test coverage for the filter permission fix.

This test effectively validates the PR objective by ensuring that when a filter segment contains userIds that are no longer valid (due to membership removal), the UI remains functional and no permission errors are displayed. The test structure with explicit test.step calls makes the scenario clear and easy to follow.

@github-actions
Contributor

github-actions bot commented Oct 1, 2025

E2E results are ready!

@anikdhabal anikdhabal enabled auto-merge (squash) October 1, 2025 13:35
@github-actions
Contributor

This PR is being marked as stale due to inactivity.

@github-actions github-actions bot added the Stale label Oct 18, 2025
Refactor booking filters tests to improve clarity and structure. Update user creation and filter application logic.
@pull-request-size pull-request-size bot added size/M and removed size/L labels Nov 4, 2025
@pull-request-size pull-request-size bot added size/L and removed size/M labels Nov 4, 2025
Refactor user ID and email retrieval logic for clarity and efficiency.
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment


1 issue found across 3 files

Prompt for AI agents (all 1 issues)

Understand the root cause of the following 1 issues and fix them.


<file name="apps/web/playwright/booking-filters.e2e.ts">

<violation number="1" location="apps/web/playwright/booking-filters.e2e.ts:269">
Rule violated: **E2E Tests Best Practices**

Missing expect(page).toHaveURL after both the initial goto and subsequent reload violates the E2E Tests Best Practices requirement to catch unexpected redirects. Please assert the URL after each navigation so the test fails fast if a redirect occurs.</violation>
</file>


Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment


2 issues found across 2 files

Prompt for AI agents (all 2 issues)

Understand the root cause of the following 2 issues and fix them.


<file name="apps/web/playwright/booking-filters.e2e.ts">

<violation number="1" location="apps/web/playwright/booking-filters.e2e.ts:269">
Rule violated: **E2E Tests Best Practices**

After navigating with page.goto we should assert expect(page).toHaveURL(...) per the E2E Tests Best Practices so the test fails fast on unexpected redirects. Please add the missing URL assertion right after this navigation.</violation>

<violation number="2" location="apps/web/playwright/booking-filters.e2e.ts:285">
Rule violated: **E2E Tests Best Practices**

The new assertions rely on page.getByText, but the E2E Tests Best Practices require using stable data-testid (or role-based) locators to keep selectors resilient. Please switch these checks to test ids; the same adjustment is needed for the later "You do not have permissions" assertion in this block.</violation>
</file>


@anikdhabal anikdhabal merged commit 7f48c7f into main Nov 5, 2025
41 of 42 checks passed
@anikdhabal anikdhabal deleted the issue#CAL-6491 branch November 5, 2025 07:39

Labels

  • bookings (area: bookings, availability, timezones, double booking)
  • 🐛 bug (Something isn't working)
  • consumer
  • core (area: core, team members only)
  • High priority (Created by Linear-GitHub Sync)
  • ready-for-e2e
  • size/L
  • Stale

Projects

None yet

Development

Successfully merging this pull request may close these issues.

  • Ignore userIds from filter segment if no permission
  • Allow adjusting booking filters when "No permission" error is shown

3 participants