Add guest management functionality to existing bookings#3
Conversation
* feat: ability to add guests via app.cal.com/bookings
* fix: some update
* fix: minor issue
* fix: final update
* update
* update
* add requested changes
* fix type error
* small update
* final update
* fix type error
* fix location
* update calender event

Co-authored-by: Somay Chauhan <somaychauhan98@gmail.com>
bugbot run
Cursor Bugbot has reviewed your changes and found 4 potential issues.
| const isTeamAdminOrOwner = | ||
| (await isTeamAdmin(user.id, booking.eventType?.teamId ?? 0)) && | ||
| (await isTeamOwner(user.id, booking.eventType?.teamId ?? 0)); |
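Review bot: the `&&` joining `isTeamAdmin(...)` and `isTeamOwner(...)` should be `||`, and since `isTeamAdmin` already matches both ADMIN and OWNER roles the second call is redundant: `const isTeamAdminOrOwner = await isTeamAdmin(user.id, teamId);` is enough. Separately, `booking.eventType?.teamId ?? 0` substitutes team id 0 when the event type has no team, so the role lookup runs against a non-existent team instead of the non-team path being handled explicitly; resolve `teamId` once, and if it is undefined skip the team-role check rather than querying with a placeholder id.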
Authorization check uses AND instead of OR
High Severity
The isTeamAdminOrOwner variable uses && (AND) to combine isTeamAdmin and isTeamOwner, but the variable name and intent clearly require || (OR). Since isTeamAdmin already matches both ADMIN and OWNER roles, adding && isTeamOwner effectively restricts access to only OWNER role holders. Team admins who are not owners will be incorrectly denied permission to add guests.
| await eventManager.updateCalendarAttendees(evt, booking); | ||
| try { | ||
| await sendAddGuestsEmails(evt, guests); |
Wrong guest list passed to email function
Medium Severity
sendAddGuestsEmails is called with guests (the raw user input) instead of uniqueGuests (the filtered list). The email function uses this list to decide which template each attendee receives — new guests get AttendeeScheduledEmail while existing attendees get AttendeeAddGuestsEmail. If a user submits an email that already belongs to an existing attendee, that attendee will incorrectly receive a "you are scheduled" email instead of a "new guests added" notification.
| (guest) => | ||
| !booking.attendees.some((attendee) => guest === attendee.email) && | ||
| !blacklistedGuestEmails.includes(guest) | ||
| ); |
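Review bot: the `!blacklistedGuestEmails.includes(guest)` test compares a raw submitted string against lower-cased blocklist entries, so the filter is case-sensitive on one side only; normalise once before both comparisons, e.g. `const email = guest.trim().toLowerCase();` and then use `email` for both the `attendee.email` match and the blocklist `includes`, matching how handleNewBooking.ts and checkIfBookerEmailIsBlocked.ts compare. The same normalisation should feed the attendee comparison on the line above, which is also a plain `===` against `attendee.email`.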
Blacklist bypass via email case mismatch
Medium Severity
The blacklist check lowercases the blocklist entries but does not lowercase the incoming guest email before calling blacklistedGuestEmails.includes(guest). A user can bypass the blacklist by submitting a mixed-case variant like "Blocked@Example.com". The existing implementations in handleNewBooking.ts and checkIfBookerEmailIsBlocked.ts correctly lowercase both sides of the comparison.
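The filtering described in the two comments above (case-insensitive blocklist and existing-attendee checks, plus splitting submitted addresses into "new" and "already attending" so the right email template goes to each) as an added TypeScript example; this is not cal.com code, and the function and sample data below are constructed for illustration.

```typescript
// Added example (not cal.com code): normalise submitted guest emails once,
// then compare them against existing attendees and a blocklist using the
// same canonical form on both sides. Also dedupes within the submission.

type Attendee = { email: string };

// Canonical form used for every comparison: trimmed and lower-cased.
function normalizeEmail(email: string): string {
  return email.trim().toLowerCase();
}

// Returns three disjoint lists so the caller can send "you are scheduled"
// to newGuests, "guests were added" to existingGuests, and nothing to blocked.
function partitionGuests(
  submitted: string[],
  existingAttendees: Attendee[],
  blocklist: string[]
): { newGuests: string[]; existingGuests: string[]; blocked: string[] } {
  const existing = new Set(existingAttendees.map((a) => normalizeEmail(a.email)));
  const blocked = new Set(blocklist.map(normalizeEmail));
  const seen = new Set<string>();
  const result = {
    newGuests: [] as string[],
    existingGuests: [] as string[],
    blocked: [] as string[],
  };

  for (const raw of submitted) {
    const email = normalizeEmail(raw);
    if (!email || seen.has(email)) continue; // drop empty and duplicate submissions
    seen.add(email);
    if (blocked.has(email)) {
      result.blocked.push(email);
    } else if (existing.has(email)) {
      result.existingGuests.push(email);
    } else {
      result.newGuests.push(email);
    }
  }
  return result;
}

// Constructed sample input (hypothetical booking, blocklist and submission).
const sampleBooking: Attendee[] = [{ email: "Alice@Example.com" }];
const sampleBlocklist = ["blocked@example.com"];
const sampleSubmission = [
  "Blocked@Example.com", // mixed-case variant of a blocked address
  "alice@example.com",   // already an attendee (stored with different casing)
  "bob@example.com",     // genuinely new
  " BOB@example.com ",   // duplicate of the previous entry after normalisation
  "",                    // empty field from the multi-email control
];

console.log(partitionGuests(sampleSubmission, sampleBooking, sampleBlocklist));
```

Because every comparison goes through `normalizeEmail`, the mixed-case blocklist bypass and the duplicate-attendee case both collapse onto one code path, and the returned `newGuests` list is the one that should be persisted and passed to the email sender rather than the raw submission.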
| credentials: [...credentials], | ||
| }); | ||
| await eventManager.updateCalendarAttendees(evt, booking); |
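Review bot: `await eventManager.updateCalendarAttendees(evt, booking);` runs after the attendees have already been written and is not wrapped in any error handling, so a thrown calendar error leaves the booking record changed while the caller sees a failure. Move this call ahead of the database write and only persist the new attendees once it resolves, as the editLocation handler does, and catch the error so it can be reported as a calendar-sync failure rather than a generic mutation error.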
DB write before calendar update causes unrecoverable inconsistency
Medium Severity
The database is updated with new guest attendees (line 92) before the calendar update attempt (line 165), and the calendar call has no error handling. If updateCalendarAttendees throws (e.g., expired token, API failure), guests are already committed to the DB, the client receives an error, and retrying fails because uniqueGuests filters them out as duplicates. The calendar event is permanently out of sync with no recovery path. The comparable editLocation handler deliberately updates the calendar first and only persists to the DB on success.
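The ordering problem raised in the comment above (persist only after the external calendar update has succeeded, so a failure leaves nothing to clean up and a retry is safe) as an added TypeScript example; this is not cal.com code, and the `CalendarClient`, `BookingStore`, `addGuests` and `demo` names below are constructed for illustration.

```typescript
// Added example (not cal.com code): perform the external calendar update
// first and persist the new attendees only if it succeeds. On failure the
// stored booking is untouched, so the same request can simply be retried.

type Booking = { id: number; attendees: string[] };

interface CalendarClient {
  updateAttendees(bookingId: number, attendees: string[]): Promise<void>;
}

interface BookingStore {
  get(id: number): Booking;
  save(booking: Booking): void;
}

async function addGuests(
  bookingId: number,
  newGuests: string[],
  calendar: CalendarClient,
  store: BookingStore
): Promise<Booking> {
  const booking = store.get(bookingId);
  const attendees = [...booking.attendees, ...newGuests];

  try {
    // External side effect first: nothing has been written locally yet.
    await calendar.updateAttendees(bookingId, attendees);
  } catch (err) {
    // Surface a specific error; the caller can retry without any cleanup.
    throw new Error(`calendar update failed: ${(err as Error).message}`);
  }

  // Only now commit the change locally.
  const updated: Booking = { ...booking, attendees };
  store.save(updated);
  return updated;
}

// In-memory store standing in for the database (constructed for the example).
function makeStore(initial: Booking): BookingStore {
  const rows = new Map<number, Booking>([[initial.id, initial]]);
  return {
    get: (id) => {
      const row = rows.get(id);
      if (!row) throw new Error(`booking ${id} not found`);
      return { ...row, attendees: [...row.attendees] }; // defensive copy
    },
    save: (booking) => {
      rows.set(booking.id, booking);
    },
  };
}

// Fake calendar client that either succeeds or simulates an expired token.
function makeCalendar(fail: boolean): CalendarClient {
  return {
    updateAttendees: async () => {
      if (fail) throw new Error("token expired");
    },
  };
}

// Runs a failing attempt followed by a successful retry and reports what the
// store contained after each, plus the error message from the failed attempt.
async function demo(): Promise<{ failureMessage: string; afterFailure: string[]; afterSuccess: string[] }> {
  const store = makeStore({ id: 1, attendees: ["alice@example.com"] });
  let failureMessage = "";
  try {
    await addGuests(1, ["bob@example.com"], makeCalendar(true), store);
  } catch (e) {
    failureMessage = (e as Error).message;
  }
  const afterFailure = store.get(1).attendees; // still just alice
  await addGuests(1, ["bob@example.com"], makeCalendar(false), store);
  return { failureMessage, afterFailure, afterSuccess: store.get(1).attendees };
}

demo().then((result) => console.log(result));
```

With this ordering the duplicate filter applied to a retried submission still sees Bob as new, because the failed attempt never reached the store; the calendar and the booking record can only diverge if the local write itself fails, which is the case the surrounding transaction already handles.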
*Replicated from [ai-code-review-evaluation/cal.com-coderabbit#10](https://github.com/ai-code-review-evaluation/cal.com-coderabbit/pull/10)*

Note
Medium Risk
Touches booking attendee persistence, calendar sync, and outbound email flows; incorrect validation/permissions or calendar update failures could cause data or notification inconsistencies.
Overview
Adds an “Additional guests” action to booking list items that opens a new AddGuestsDialog for entering multiple attendee emails via a reusable MultiEmail UI control. Introduces a new authed viewer.bookings.addGuests TRPC mutation that appends new attendees to the booking (filtering out existing/blacklisted emails), updates the external calendar event’s attendee list, and triggers new organizer/attendee email notifications (including ICS) using sendAddGuestsEmails with new OrganizerAddGuestsEmail/AttendeeAddGuestsEmail templates and i18n strings.

Written by Cursor Bugbot for commit baa9045.