fix: Rescheduling seated events creates a separate booking #22371
@romitg2 is attempting to deploy a commit to the cal Team on Vercel. A member of the Team first needs to authorize it.
Graphite Automations
"Add consumer team as reviewer" took an action on this PR (07/10/25): 1 reviewer was added to this PR based on Keith Williams's automation.
"Add community label" took an action on this PR (07/10/25): 1 label was added to this PR based on Keith Williams's automation.
"Add ready-for-e2e label" took an action on this PR (07/13/25): 1 label was added to this PR based on Keith Williams's automation.
Hey @romitg2, Thanks for the PR. Could you pls check this comment here and try to fix that as well?
@kart1ka fixed
LGTM
E2E results are ready!
href: `/reschedule/${booking.uid}${ | ||
booking.seatsReferences.length ? `?seatReferenceUid=${getSeatReferenceUid()}` : "" | ||
}`, |
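Review bot: the guard on this href tests `booking.seatsReferences.length`, but the value interpolated is whatever `getSeatReferenceUid()` returns, so a booking that has seat references but no match for the current viewer would produce `?seatReferenceUid=undefined` or an empty parameter. Compute the uid once and append the query parameter only when it is a non-empty string.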
Aren't we only excluding it when a host reschedules it? But it is currently the same for an attendee also, right?
I think you're right. Also, surprisingly, an attendee currently can't even reschedule a seated booking from the bookings page; the flow seems broken.
Screen.Recording.2025-07-15.at.1.29.39.PM.mov
@anikdhabal @kart1ka fixed, review 🙏
Review skipped: draft detected.
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~7 minutes
The changes are localized to two files with moderate complexity: one involves refining a function to match seat references by email and adjusting URL construction logic, and the other modifies conditional access control logic in server-side props. Both changes are straightforward and limited in scope.
Out-of-scope changes: No out-of-scope changes found.
Actionable comments posted: 1
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (2)
- apps/web/components/booking/BookingListItem.tsx (3 hunks)
- apps/web/lib/reschedule/[uid]/getServerSideProps.ts (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
- apps/web/components/booking/BookingListItem.tsx
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: Security Check
// If the user is not a host or the owner of the event type and no seat reference uid is provided, return not found | ||
// If user is not host or owner but has a seat reference uid, then allow reschedule | ||
if (!userIsHost && !userIsOwnerOfEventType && !seatReferenceUid) { |
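Review bot: `!seatReferenceUid` as the last term of this condition is a presence test only, so any non-empty query value, including the literal string "undefined", takes a non-host, non-owner past this branch. Resolve the seat and confirm it belongs to this booking and to the requester before relying on it here, or have the comment above say where that validation happens.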
💡 Verification agent
🧩 Analysis chain
Logic change looks correct for seated event rescheduling.
The updated conditional logic properly allows non-hosts/non-owners to reschedule seated events when they provide a valid seat reference UID. This aligns with the PR objective of fixing rescheduling issues for seated events.
However, ensure that the seatReferenceUid is properly validated to prevent unauthorized access.
🏁 Script executed:
#!/bin/bash
# Description: Verify that seatReferenceUid validation exists elsewhere in the codebase
# Expected: Find validation logic that ensures seatReferenceUid belongs to the current user
# Search for seatReferenceUid validation logic
rg -A 10 -B 5 "seatReferenceUid.*validation|validate.*seatReferenceUid" --type ts
echo "---"
# Search for maybeGetBookingUidFromSeat implementation to understand how seat reference is handled
rg -A 15 "maybeGetBookingUidFromSeat" --type ts
echo "---"
# Search for any security checks around seat references
rg -A 5 -B 5 "seat.*reference.*uid|seatReferenceUid.*user|user.*seatReferenceUid" --type ts
Length of output: 11164
Confirm seatReferenceUid validation is missing and needs implementation
Our search shows no existing checks confirming that a provided seatReferenceUid actually belongs to the current user. Without this, anyone could supply a valid seatReferenceUid in the URL and reschedule another attendee’s booking.
Please add a check in getServerSideProps to ensure the maybeSeatReferenceUid (from maybeGetBookingUidFromSeat) is owned by session.user.id before allowing reschedule. For example, after fetching bookingSeat, verify its userId matches the logged-in user and return notFound otherwise.
• Location: apps/web/lib/reschedule/[uid]/getServerSideProps.ts: lines 170–200
• Add after maybeGetBookingUidFromSeat call:
// After fetching maybeSeatReferenceUid and bookingUid:
if (maybeSeatReferenceUid && bookingSeat.userId !== session.user.id) {
  return { notFound: true } as const;
}
🤖 Prompt for AI Agents
In apps/web/lib/reschedule/[uid]/getServerSideProps.ts around lines 170 to 200,
add a validation after retrieving maybeSeatReferenceUid and bookingSeat to
confirm that bookingSeat.userId matches session.user.id. If they do not match,
return { notFound: true } to prevent unauthorized rescheduling using someone
else's seatReferenceUid. This ensures only the owner of the seatReferenceUid can
proceed with rescheduling.
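The ownership check the review comment above asks for, set beside a presence-only gate, as an added example that is not code from the PR or from Cal.com. The in-memory `SEATS` store, the types and both function names are hypothetical, and binding a seat to the signed-in user by attendee email is an assumption.

```typescript
// Added example: constructed in-memory model, not Cal.com code. All names are hypothetical.
type Seat = { referenceUid: string; bookingUid: string; attendeeEmail: string };
type Session = { userId: number; email: string } | null;
type Booking = { uid: string; hostUserIds: number[]; ownerUserId: number };

// Constructed sample data: one booking with two seats.
const SEATS: Seat[] = [
  { referenceUid: "seat-aaa", bookingUid: "bk-1", attendeeEmail: "alice@example.com" },
  { referenceUid: "seat-bbb", bookingUid: "bk-1", attendeeEmail: "bob@example.com" },
];
const BOOKING: Booking = { uid: "bk-1", hostUserIds: [1], ownerUserId: 1 };

// Query strings deliver "undefined" and "" as ordinary strings; treat both as absent.
function normalizeSeatUid(raw?: string): string | undefined {
  if (raw === undefined) return undefined;
  const v = raw.trim();
  return v === "" || v === "undefined" || v === "null" ? undefined : v;
}

// Presence-only gate: any truthy query value lets a non-host, non-owner through.
function allowedByPresence(session: Session, booking: Booking, rawSeatUid?: string): boolean {
  const isHost = !!session && booking.hostUserIds.indexOf(session.userId) !== -1;
  const isOwner = !!session && booking.ownerUserId === session.userId;
  return isHost || isOwner || !!rawSeatUid;
}

// Ownership gate: the seat must exist, belong to this booking, and match the requester.
function allowedByOwnership(session: Session, booking: Booking, rawSeatUid?: string): boolean {
  if (!session) return false;
  if (booking.hostUserIds.indexOf(session.userId) !== -1) return true;
  if (booking.ownerUserId === session.userId) return true;
  const seatUid = normalizeSeatUid(rawSeatUid);
  if (!seatUid) return false;
  const seat = SEATS.filter((s) => s.referenceUid === seatUid)[0];
  return (
    !!seat &&
    seat.bookingUid === booking.uid &&
    seat.attendeeEmail.toLowerCase() === session.email.toLowerCase()
  );
}
```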
This PR is being marked as stale due to inactivity.
Neither cancelling nor rescheduling the seated booking works as expected. Pls see the videos attached:
Weird. Thanks @kart1ka for sharing videos, will fix it shortly.
@kart1ka The issue was that undefined in query param was taken literally as
Cancellation still does not work.
Pls see the video attached.
https://cap.link/1pjbwwyq26rst1m
The title of the booking also shows "Nameless" instead of the name of the attendee.
There is also an empty seatRefUid param in the url.
Pls fix these issues.
Solution:
When the host wants to reschedule, don't pass the seat uid.
After:
Screen.Recording.2025-07-10.at.2.39.40.PM.mov
Before:
Screen.Recording.2025-07-10.at.2.41.48.PM.mov
Summary by cubic
Fixed an issue where rescheduling a seated event created a separate booking by removing the seat reference from the reschedule link.