fix: only host can disable cancel meeting

[hackice20]

What does this PR do?

Allow hosts to cancel even when “Disable cancelling” is on

This PR updates booking actions and cancel logic so that hosts (organizers/event owners) can still cancel bookings even when the event type has disableCancelling enabled, while guests are blocked. It wires isHost through the booking UI, adjusts isActionDisabled("cancel", ...) to permit host cancellations, updates handleCancelBooking to only enforce the “no cancellations” rule for non-hosts, and adds tests covering both host-allowed and guest-blocked scenarios.

• Fixes When the cancelation is disable for the guest in the event definition, the host is also unable to cancel the event from the reservation dashboard #24017 (GitHub issue number)

Visual Demo (For contributors especially)

Screencast.From.2026-02-18.19-09-22.mp4

Mandatory Tasks (DO NOT REMOVE)

• I have self-reviewed the code (A decent size PR without self-review might be rejected).
• I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. If N/A, write N/A here and check the checkbox.
• I confirm automated tests are in place that prove my fix is effective or that my feature works.

Checklist

• I have read the contributing guide
• My code does follow the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have checked if my changes generate no new warnings
• My PR is not too large (>500 lines or >10 files)

[cubic-dev-ai]

5 issues found across 6 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="packages/features/bookings/lib/handleCancelBooking.ts">

<violation number="1" location="packages/features/bookings/lib/handleCancelBooking.ts:216">
P2: Host check now treats any eventType host as cancellation-authorized, without verifying the host is assigned to the booking’s attendees. This can allow unassigned team hosts to cancel bookings even when disableCancelling is enabled, conflicting with the per-booking host assignment policy used elsewhere.</violation>

<violation number="2" location="packages/features/bookings/lib/handleCancelBooking.ts:225">
P2: Untrusted cancelledBy query param is now used to grant host status, allowing spoofed host cancellations to bypass disableCancelling when userId is absent.</violation>
</file>

<file name="apps/web/components/booking/actions/BookingActionsDropdown.tsx">

<violation number="1" location="apps/web/components/booking/actions/BookingActionsDropdown.tsx:202">
P2: Client-side isHost only checks booking owner; it omits assigned event type hosts (attendee-email match), so non-owner hosts will still be treated as guests and blocked from canceling.</violation>
</file>

<file name="apps/web/components/booking/actions/bookingActions.ts">

<violation number="1" location="apps/web/components/booking/actions/bookingActions.ts:277">
P2: The new cancel bypass trusts `isHost`, but `isHost` is computed only by userId equality with `booking.user.id` and does not verify attendee assignment. This can enable cancellation for non-assigned team members even when guest cancellation is disabled. Host detection should include the attendee-email/assignment check before using it to bypass cancel restrictions.</violation>
</file>

<file name="apps/web/components/booking/BookingListItem.tsx">

<violation number="1" location="apps/web/components/booking/BookingListItem.tsx:208">
P2: Host determination omits attendee-based assignment checks, which can incorrectly treat non-assigned team hosts/owners as hosts and allow cancellation despite disableCancelling.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: The new cancel bypass trusts isHost, but isHost is computed only by userId equality with booking.user.id and does not verify attendee assignment. This can enable cancellation for non-assigned team members even when guest cancellation is disabled. Host detection should include the attendee-email/assignment check before using it to bypass cancel restrictions.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At apps/web/components/booking/actions/bookingActions.ts, line 277:

<comment>The new cancel bypass trusts `isHost`, but `isHost` is computed only by userId equality with `booking.user.id` and does not verify attendee assignment. This can enable cancellation for non-assigned team members even when guest cancellation is disabled. Host detection should include the attendee-email/assignment check before using it to bypass cancel restrictions.</comment>

<file context>
@@ -270,7 +271,12 @@ export function isActionDisabled(actionId: string, context: BookingActionContext
+    }
     case "cancel":
+      // Allow hosts to cancel even when cancellation is disabled for guests
+      if (isHost && !isBookingInPast && !isCancelled && !isRejected) {
+        return false;
+      }
</file context>

[hackice20]

@sean-brydon @Udit-takkar can you guys please review my PR :)
Also I have doubts regarding these cubic bot comments let me know which ones to address
Thanking you in anticipation

[hackice20]

@romitg2 @sahitya-chandra can you please review my PR

@sean-brydon @Udit-takkar can you guys please review my PR :) Also I have doubts regarding these cubic bot comments let me know which ones to address Thanking you in anticipation

[romitg2]

@hackice20 can you please address cubic comments, Thanks

@romitg2 @sahitya-chandra can you please review my PR

@sean-brydon @Udit-takkar can you guys please review my PR :) Also I have doubts regarding these cubic bot comments let me know which ones to address Thanking you in anticipation

[hackice20]

@hackice20 can you please address cubic comments, Thanks

@romitg2 @sahitya-chandra can you please review my PR

@sean-brydon @Udit-takkar can you guys please review my PR :) Also I have doubts regarding these cubic bot comments let me know which ones to address Thanking you in anticipation

@romitg2 But I have a doubt, as you can read those comments we need to decide logic for bookings with multiple hosts. Do we want all hosts to be able to cancel ? Or only the one who accepted / created it ?

[cubic-dev-ai]

2 issues found across 4 files (changes from recent commits).

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/web/components/booking/BookingListItem.tsx">

<violation number="1" location="apps/web/components/booking/BookingListItem.tsx:81">
P2: isUserHostOfBooking now treats any event type host/owner as the booking host without verifying the user is assigned to this booking (attendee email). This diverges from server-side host checks and can enable cancel actions for non-assigned team hosts when canceling is disabled.</violation>
</file>

<file name="packages/features/bookings/lib/handleCancelBooking.ts">

<violation number="1" location="packages/features/bookings/lib/handleCancelBooking.ts:225">
P2: Removing the cancelledBy email fallback means unauthenticated host cancellations are no longer recognized as host, which can block legitimate organizer cancellations and bypass host-only cancellation reason rules.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[hackice20]

@romitg2 please let me know what you think ?

[sahitya-chandra]

please address

[hackice20]

@sahitya-chandra I have made the changes , can you please review it now ?