feat: managed event reassignment (calcom#24809)

* init

* --

* update dialog

* reassignment

* further changes

* add unit test

* fix

* type fix??

* fix type??

* emails

* workflows

* reason recorder

* refactor reassigned email

* fix reassigned reason

* fix type

* improve dialog

* add integration tests

* -

* remove unnecessary comments --1

* removed unnecessary comments

* fix type?

* address cubic

* address feedback

* --

* fix type?

* address cubic

* type-fix?

* fix type

* further fixes

* fix location update

* type fix

* propagate error to top

* fix mocking

* fix reported bugs

* fix

* fix success page video URL

* remove PII from logs

* persist video URL

* better audit trail

* revert email function name change

* fix test

* fix flake

* di

* fixes

* extract logic and other repo access from BookingRepository

* fixes

* (☞ﾟ∀ﾟ)☞ udit

* integration test fixes

* mroe fixes

* extract to repo

* extract to repo --2

* fix type

* cubic

* address feedback --1

* --2

* wip

* addressed feedback

* type fixes

* type fixes

* fix issues

* feedback --1

* feedback --2

* BookingAccessService DI

* fix

* break down function into small functions

* fixes --1

* fixes

* typefix

* addressing feedback

* fix merge conflict lost change

Author: alishaz-polymath

apps/api/v1/lib/validations/booking.ts

@@ -113,6 +113,12 @@ export const schemaBookingReadPublic = Booking.extend({
     )
     .optional(),
   responses: z.record(z.any()).nullable(),
+  // Override metadata to handle reassignment objects from Round Robin/Managed Events
+  // Safe to use z.any() here because:
+  // 1. API v1 POST only accepts z.record(z.string()) for metadata (user input restricted)
+  // 2. API v1 PATCH does not accept metadata changes at all
+  // 3. Complex metadata (objects) are only set by trusted internal features
+  metadata: z.record(z.any()).nullable(),
 }).pick({
   id: true,
   userId: true,

apps/api/v1/test/lib/bookings/[id]/_patch.integration-test.ts

@@ -1,7 +1,7 @@
 import type { Request, Response } from "express";
 import type { NextApiRequest, NextApiResponse } from "next";
 import { createMocks } from "node-mocks-http";
-import { describe, it, expect, beforeAll } from "vitest";
+import { describe, it, expect, beforeAll, afterAll } from "vitest";
 
 import prisma from "@calcom/prisma";
 
@@ -11,69 +11,114 @@ type CustomNextApiRequest = NextApiRequest & Request;
 type CustomNextApiResponse = NextApiResponse & Response;
 
 describe("PATCH /api/bookings", () => {
+  let member1Booking: Awaited<ReturnType<typeof prisma.booking.create>>;
+  let member0Booking: Awaited<ReturnType<typeof prisma.booking.create>>;
+  const createdBookingIds: number[] = [];
+  let testAdminUserId: number | null = null;
+
   beforeAll(async () => {
-    const acmeOrg = await prisma.team.findFirst({
-      where: {
-        slug: "acme",
-        isOrganization: true,
+    const member1 = await prisma.user.findFirstOrThrow({
+      where: { email: "member1-acme@example.com" },
+    });
+
+    const member0 = await prisma.user.findFirstOrThrow({
+      where: { email: "member0-acme@example.com" },
+    });
+
+    // Create bookings for testing
+    member1Booking = await prisma.booking.create({
+      data: {
+        uid: `test-member1-booking-${Date.now()}`,
+        title: "Member 1 Test Booking",
+        startTime: new Date(Date.now() + 86400000), // Tomorrow
+        endTime: new Date(Date.now() + 90000000), // Tomorrow + 1 hour
+        userId: member1.id,
+        status: "ACCEPTED",
+      },
+    });
+    createdBookingIds.push(member1Booking.id);
+
+    member0Booking = await prisma.booking.create({
+      data: {
+        uid: `test-member0-booking-${Date.now()}`,
+        title: "Member 0 Test Booking",
+        startTime: new Date(Date.now() + 172800000), // Day after tomorrow
+        endTime: new Date(Date.now() + 176400000), // Day after tomorrow + 1 hour
+        userId: member0.id,
+        status: "ACCEPTED",
       },
     });
+    createdBookingIds.push(member0Booking.id);
+  });
+
+  afterAll(async () => {
+    if (createdBookingIds.length > 0) {
+      await prisma.booking.deleteMany({
+        where: { id: { in: createdBookingIds } },
+      });
+    }
 
-    if (acmeOrg) {
-      await prisma.organizationSettings.upsert({
-        where: {
-          organizationId: acmeOrg.id,
-        },
-        update: {
-          isAdminAPIEnabled: true,
-        },
-        create: {
-          organizationId: acmeOrg.id,
-          orgAutoAcceptEmail: "acme.com",
-          isAdminAPIEnabled: true,
-        },
+    // Clean up test admin user if created
+    if (testAdminUserId) {
+      await prisma.user.delete({
+        where: { id: testAdminUserId },
       });
     }
   });
   it("Returns 403 when user has no permission to the booking", async () => {
-    const memberUser = await prisma.user.findFirstOrThrow({ where: { email: "member2-acme@example.com" } });
-    const proUser = await prisma.user.findFirstOrThrow({ where: { email: "pro@example.com" } });
-    const booking = await prisma.booking.findFirstOrThrow({ where: { userId: proUser.id } });
+    // Member2 tries to access Member0's booking - should fail
+    const member2 = await prisma.user.findFirstOrThrow({ where: { email: "member2-acme@example.com" } });
 
     const { req, res } = createMocks<CustomNextApiRequest, CustomNextApiResponse>({
       method: "PATCH",
       body: {
-        title: booking.title,
-        startTime: booking.startTime.toISOString(),
-        endTime: booking.endTime.toISOString(),
-        userId: memberUser.id,
+        title: member0Booking.title,
+        startTime: member0Booking.startTime.toISOString(),
+        endTime: member0Booking.endTime.toISOString(),
+        userId: member2.id,
       },
       query: {
-        id: booking.id,
+        id: member0Booking.id,
       },
     });
 
-    req.userId = memberUser.id;
+    req.userId = member2.id;
 
     await handler(req, res);
     expect(res.statusCode).toBe(403);
   });
 
   it("Allows PATCH when user is system-wide admin", async () => {
-    const adminUser = await prisma.user.findFirstOrThrow({ where: { email: "admin@example.com" } });
-    const proUser = await prisma.user.findFirstOrThrow({ where: { email: "pro@example.com" } });
-    const booking = await prisma.booking.findFirstOrThrow({ where: { userId: proUser.id } });
+    // Check if admin user already exists before upserting
+    const existingAdmin = await prisma.user.findUnique({ where: { email: "test-admin@example.com" } });
+    
+    // Create a system-wide admin user for this test
+    const adminUser = await prisma.user.upsert({
+      where: { email: "test-admin@example.com" },
+      update: { role: "ADMIN" },
+      create: {
+        email: "test-admin@example.com",
+        username: "test-admin",
+        name: "Test Admin",
+        role: "ADMIN",
+      },
+    });
+    
+    // Only track for cleanup if we created it (not if it already existed)
+    if (!existingAdmin) {
+      testAdminUserId = adminUser.id;
+    }
 
     const { req, res } = createMocks<CustomNextApiRequest, CustomNextApiResponse>({
       method: "PATCH",
       body: {
-        title: booking.title,
-        startTime: booking.startTime.toISOString(),
-        endTime: booking.endTime.toISOString(),
-        userId: proUser.id,
+        title: member0Booking.title,
+        startTime: member0Booking.startTime.toISOString(),
+        endTime: member0Booking.endTime.toISOString(),
+        userId: member0Booking.userId,
       },
       query: {
-        id: booking.id,
+        id: member0Booking.id,
       },
     });
 
@@ -86,19 +131,17 @@ describe("PATCH /api/bookings", () => {
 
   it("Allows PATCH when user is org-wide admin", async () => {
     const adminUser = await prisma.user.findFirstOrThrow({ where: { email: "owner1-acme@example.com" } });
-    const memberUser = await prisma.user.findFirstOrThrow({ where: { email: "member1-acme@example.com" } });
-    const booking = await prisma.booking.findFirstOrThrow({ where: { userId: memberUser.id } });
 
     const { req, res } = createMocks<CustomNextApiRequest, CustomNextApiResponse>({
       method: "PATCH",
       body: {
-        title: booking.title,
-        startTime: booking.startTime.toISOString(),
-        endTime: booking.endTime.toISOString(),
-        userId: memberUser.id,
+        title: member1Booking.title,
+        startTime: member1Booking.startTime.toISOString(),
+        endTime: member1Booking.endTime.toISOString(),
+        userId: member1Booking.userId,
       },
       query: {
-        id: booking.id,
+        id: member1Booking.id,
       },
     });
 

apps/api/v1/test/lib/bookings/_get.integration-test.ts

@@ -1,7 +1,7 @@
 import type { Request, Response } from "express";
 import type { NextApiRequest, NextApiResponse } from "next";
 import { createMocks } from "node-mocks-http";
-import { describe, expect, it, beforeAll } from "vitest";
+import { describe, expect, it, beforeAll, afterAll } from "vitest";
 import { ZodError } from "zod";
 
 import { prisma } from "@calcom/prisma";
@@ -16,51 +16,67 @@ const DefaultPagination = {
   skip: 0,
 };
 
-describe("GET /api/bookings", async () => {
+describe("GET /api/bookings", () => {
+  let proUser: Awaited<ReturnType<typeof prisma.user.findFirstOrThrow>>;
+  let proUserBooking: Awaited<ReturnType<typeof prisma.booking.findFirstOrThrow>>;
+  let memberUser: Awaited<ReturnType<typeof prisma.user.findFirstOrThrow>>;
+  let memberUserBooking: Awaited<ReturnType<typeof prisma.booking.create>>;
+
   beforeAll(async () => {
-    const acmeOrg = await prisma.team.findFirst({
+    proUser = await prisma.user.findFirstOrThrow({ where: { email: "pro@example.com" } });
+    proUserBooking = await prisma.booking.findFirstOrThrow({ where: { userId: proUser.id } });
+
+    memberUser = await prisma.user.findFirstOrThrow({ where: { email: "member2-acme@example.com" } });
+    
+    // Find an event type for memberUser or use a simple booking
+    const memberEventType = await prisma.eventType.findFirst({
       where: {
-        slug: "acme",
-        isOrganization: true,
+        OR: [
+          { userId: memberUser.id },
+          { team: { members: { some: { userId: memberUser.id } } } }
+        ]
+      }
+    });
+
+    memberUserBooking = await prisma.booking.create({
+      data: {
+        uid: `test-member-booking-${Date.now()}`,
+        title: "Member Test Booking",
+        startTime: new Date(Date.now() + 86400000), // Tomorrow
+        endTime: new Date(Date.now() + 90000000),   // Tomorrow + 1 hour
+        userId: memberUser.id,
+        eventTypeId: memberEventType?.id,
+        status: "ACCEPTED",
       },
     });
+  });
 
-    if (acmeOrg) {
-      await prisma.organizationSettings.upsert({
-        where: {
-          organizationId: acmeOrg.id,
-        },
-        update: {
-          isAdminAPIEnabled: true,
-        },
-        create: {
-          organizationId: acmeOrg.id,
-          orgAutoAcceptEmail: "acme.com",
-          isAdminAPIEnabled: true,
-        },
+  afterAll(async () => {
+    // Clean up the test booking created in beforeAll
+    if (memberUserBooking?.id) {
+      await prisma.booking.delete({
+        where: { id: memberUserBooking.id },
       });
     }
   });
-  const proUser = await prisma.user.findFirstOrThrow({ where: { email: "pro@example.com" } });
-  const proUserBooking = await prisma.booking.findFirstOrThrow({ where: { userId: proUser.id } });
 
   it("Does not return bookings of other users when user has no permission", async () => {
-    const memberUser = await prisma.user.findFirstOrThrow({ where: { email: "member2-acme@example.com" } });
-
     const { req } = createMocks<CustomNextApiRequest, CustomNextApiResponse>({
       method: "GET",
       query: {
-        userId: proUser.id,
+        userId: proUser.id, // Try to access proUser's bookings
       },
       pagination: DefaultPagination,
     });
 
-    req.userId = memberUser.id;
+    req.userId = memberUser.id; // But request is from memberUser
 
     const responseData = await handler(req);
     const groupedUsers = new Set(responseData.bookings.map((b) => b.userId));
 
+    // Should only return memberUser's own bookings, not proUser's
     expect(responseData.bookings.find((b) => b.userId === memberUser.id)).toBeDefined();
+    expect(responseData.bookings.find((b) => b.id === memberUserBooking.id)).toBeDefined();
     expect(groupedUsers.size).toBe(1);
     const firstEntry = groupedUsers.entries().next().value;
     expect(firstEntry?.[0]).toBe(memberUser.id);

apps/web/components/booking/actions/BookingActionsDropdown.tsx

@@ -427,6 +427,7 @@ export function BookingActionsDropdown({
           bookingId={booking.id}
           teamId={booking.eventType?.team?.id || 0}
           bookingFromRoutingForm={isBookingFromRoutingForm}
+          isManagedEvent={booking.eventType?.parentId != null}
         />
       )}
       <EditLocationDialog

apps/web/components/booking/actions/bookingActions.ts

@@ -109,6 +109,12 @@ export function getEditEventActions(context: BookingActionContext): ActionType[]
   } = context;
   const seatReferenceUid = getSeatReferenceUid();
 
+  const isReassignableRoundRobin =
+    booking.eventType.schedulingType === SchedulingType.ROUND_ROBIN &&
+    (!booking.eventType.hostGroups || booking.eventType.hostGroups.length <= 1);
+  const isManagedChildEvent = booking.eventType.parentId != null;
+  const isReassignable = isReassignableRoundRobin || isManagedChildEvent;
+
   const actions: (ActionType | null)[] = [
     {
       id: "reschedule",
@@ -154,9 +160,7 @@ export function getEditEventActions(context: BookingActionContext): ActionType[]
           icon: "user-plus",
           disabled: false,
         },
-    // Reassign if round robin with no or one host groups
-    booking.eventType.schedulingType === SchedulingType.ROUND_ROBIN &&
-    (!booking.eventType.hostGroups || booking.eventType.hostGroups?.length <= 1)
+    isReassignable
       ? {
           id: "reassign",
           label: t("reassign"),