fix: Allow all team members to view hidden fields and UTM tracking data

[hariombalhara]

What does this PR do?

Fixes #23864

Based on #23878

This PR expands the permission logic for viewing hidden booking data to include all team members, not just event hosts. Previously, only the event host could view hidden booking fields and UTM tracking parameters. Now, any team member can view this data.

Changes:

• Server-side (bookings-single-view.getServerSideProps.tsx):

  • Added isTeamMember check to determine if the logged-in user is a member of the event's team
  • Created new canViewHiddenData prop that is true for both hosts and team members
  • Updated permission checks for hidden fields and internal note presets to use canViewHiddenData

• Client-side (bookings-single-view.tsx):

  • Updated UTM parameters visibility to use canViewHiddenData instead of isHost

Additional UI changes (scope unclear):

• Changed booking details grid from 3 columns to 2 columns
• Adjusted spacing and avatar sizing for round-robin events
• Removed unused variable canCancelAndReschedule

---

Link to Devin run: https://app.devin.ai/sessions/537d2cd15a8f4473b64c17853c40c9ba
Requested by: @hariombalhara

Mandatory Tasks (DO NOT REMOVE)

• I have self-reviewed the code (A decent size PR without self-review might be rejected).
• I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. If N/A, write N/A here and check the checkbox.
• I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

Test scenario:

1. Create a team with multiple members
2. Create a team event type with hidden booking fields (e.g., custom fields marked as hidden)
3. Create a booking with UTM parameters (e.g., ?utm_source=test&utm_campaign=demo)
4. Log in as a team member who is NOT the event host
5. View the booking details page

Expected behavior:

• Team member should see the hidden booking field responses
• Team member should see the UTM tracking parameters
• Team member should see internal note presets (if configured for the team)

Important notes:

• Ensure the user is a team member but NOT the event host to verify the new permission logic
• Test both eventType.team and eventType.parent.teamId scenarios

Human Review Checklist

⚠️ Please pay special attention to:

• Are the CSS/layout changes (grid columns, spacing, avatar sizes) intentional or accidental scope creep?
• Should isTeamMember be called twice (once for team.id, once for parent.teamId), or can this be optimized to a single call?
• Are there any security implications of allowing all team members to view hidden data?
• Should automated tests be added to verify team member permissions?

Checklist

• I haven't read the contributing guide
• My code doesn't follow the style guidelines of this project
• I haven't commented my code, particularly in hard-to-understand areas
• I haven't checked if my changes generate no new warnings

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR that start with 'DevinAI' or '@devin'.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ naaa760
❌ neha

---

neha seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[cubic-dev-ai]

No issues found across 2 files

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Preview	Comments	Updated (UTC)
cal	Ignored			Oct 31, 2025 4:45am
cal-eu	Ignored			Oct 31, 2025 4:45am

[cubic-dev-ai]

Reviewed changes from recent commits (found 1 issue).

1 issue found across 1 file

Prompt for AI agents (all 1 issues)

Understand the root cause of the following 1 issues and fix them.


<file name="apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx">

<violation number="1" location="apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx:180">
This change stops checking parent-team membership when an event has its own team. If a user is only a member of the parent team (previously supported), `eventType.team?.id` short-circuits the nullish coalescing, so `isTeamMember` is invoked only for that team and returns false, blocking the user from hidden data they used to see. Please restore the fallback check that also tests `eventType.parent?.teamId`.</violation>
</file>

_{React with 👍 or 👎 to teach cubic. Mention @cubic-dev-ai to give feedback, ask questions, or re-run the review.}

[github-actions]

E2E results are ready!

• Workflow #85861.2 latest results

[Udit-takkar]

LGTM.

Can you fix all the conflicts?

[hariombalhara]

@Udit-takkar fixed conflicts