fix: Grab booking organizer credentials when team admins request reschedule (calcom#24645)

* Change arg name from `bookingUId` to `bookingUid`

* Lint fix

* Use `BookingRepository` to find booking to reschedule

* Move early return further up if no booking is found

* Use `PermissionCheckService` if request rescheduling a team booking

* Remove redundent check

* Remove redundent eventType query

* Using `BookingRepository` to update the booking to rescheduled

* Update type in `getUsersCredentialsIncludeServiceAccountKey` to only
require params that are required

* Get booking organizer credentials

* Type fixes

* test: Add tests for team admin request reschedule with organizer credentials

- Add test for team admin requesting reschedule with proper permissions
- Add test verifying organizer's credentials are used (not requester's)
- Add test for team member without permissions (should fail)

These tests cover the fix in PR calcom#24645 which ensures that when a team admin
requests a reschedule, the booking organizer's credentials are used to delete
calendar events instead of the requester's credentials.

Co-Authored-By: joe@cal.com <j.auyeung419@gmail.com>

* fix: Address code review comments for request reschedule

- Change user: true to user: { select: { id, email } } to only fetch required fields
- Change eventType include to select with explicit fields including teamId
- Remove sensitive information (user object, cancellationReason) from debug log
- All integration tests passing locally

Co-Authored-By: joe@cal.com <j.auyeung419@gmail.com>

* Type fix

* Remove businesss logic references from repository methods.

* Move business logic to handler

* Type fix

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

Author: joeauyeung

apps/web/components/booking/actions/BookingActionsDropdown.tsx

@@ -418,7 +418,7 @@ export function BookingActionsDropdown({
       <RescheduleDialog
         isOpenDialog={isOpenRescheduleDialog}
         setIsOpenDialog={setIsOpenRescheduleDialog}
-        bookingUId={booking.uid}
+        bookingUid={booking.uid}
       />
       {isOpenReassignDialog && (
         <ReassignDialog

apps/web/components/dialog/RescheduleDialog.tsx

@@ -13,13 +13,13 @@ import { showToast } from "@calcom/ui/components/toast";
 interface IRescheduleDialog {
   isOpenDialog: boolean;
   setIsOpenDialog: Dispatch<SetStateAction<boolean>>;
-  bookingUId: string;
+  bookingUid: string;
 }
 
 export const RescheduleDialog = (props: IRescheduleDialog) => {
   const { t } = useLocale();
   const utils = trpc.useUtils();
-  const { isOpenDialog, setIsOpenDialog, bookingUId: bookingId } = props;
+  const { isOpenDialog, setIsOpenDialog, bookingUid } = props;
   const [rescheduleReason, setRescheduleReason] = useState("");
 
   const { mutate: rescheduleApi, isPending } = trpc.viewer.bookings.requestReschedule.useMutation({
@@ -66,7 +66,7 @@ export const RescheduleDialog = (props: IRescheduleDialog) => {
             disabled={isPending}
             onClick={() => {
               rescheduleApi({
-                bookingId,
+                bookingUid,
                 rescheduleReason,
               });
             }}>

apps/web/test/handlers/requestReschedule.test.ts

@@ -9,14 +9,15 @@ import {
   getScenarioData,
   getMockBookingAttendee,
   getDate,
+  mockCalendar,
 } from "@calcom/web/test/utils/bookingScenario/bookingScenario";
 import { expectBookingRequestRescheduledEmails } from "@calcom/web/test/utils/bookingScenario/expects";
 
 import type { Request, Response } from "express";
 import type { NextApiRequest, NextApiResponse } from "next";
-import { describe } from "vitest";
+import { describe, expect } from "vitest";
 
-import { SchedulingType } from "@calcom/prisma/enums";
+import { SchedulingType, MembershipRole } from "@calcom/prisma/enums";
 import { BookingStatus } from "@calcom/prisma/enums";
 import type { TRequestRescheduleInputSchema } from "@calcom/trpc/server/routers/viewer/bookings/requestReschedule.schema";
 import type { TrpcSessionUser } from "@calcom/trpc/server/types";
@@ -116,7 +117,7 @@ describe("Handler: requestReschedule", () => {
         getTrpcHandlerData({
           user: loggedInUser,
           input: {
-            bookingId: bookingUid,
+            bookingUid,
             rescheduleReason: "",
           },
         })
@@ -236,7 +237,7 @@ describe("Handler: requestReschedule", () => {
         getTrpcHandlerData({
           user: loggedInUser,
           input: {
-            bookingId: bookingUid,
+            bookingUid,
             rescheduleReason: "",
           },
         })
@@ -253,6 +254,297 @@ describe("Handler: requestReschedule", () => {
         bookNewTimePath: "/team/team-1/event-type-1",
       });
     });
+
+    test(`should allow team admin to request-reschedule for a team booking and use organizer's credentials
+          1. Team admin (non-organizer) can request reschedule with proper permissions
+          2. Organizer's credentials are used to delete calendar events`, async ({ emails }) => {
+      const { requestRescheduleHandler } = await import(
+        "@calcom/trpc/server/routers/viewer/bookings/requestReschedule.handler"
+      );
+
+      const booker = getBooker({
+        email: "booker@example.com",
+        name: "Booker",
+      });
+
+      const organizer = getOrganizer({
+        name: "Organizer",
+        email: "organizer@example.com",
+        id: 101,
+        teams: [
+          {
+            membership: {
+              accepted: true,
+              role: "MEMBER",
+            },
+            team: {
+              id: 1,
+              name: "Team 1",
+              slug: "team-1",
+            },
+          },
+        ],
+        schedules: [TestData.schedules.IstWorkHours],
+        credentials: [getGoogleCalendarCredential()],
+        selectedCalendars: [TestData.selectedCalendars.google],
+      });
+
+      const teamAdmin = {
+        id: 102,
+        username: "team-admin",
+        name: "Team Admin",
+        email: "team-admin@example.com",
+        locale: "en",
+        timeZone: "America/New_York",
+        teams: [
+          {
+            membership: {
+              accepted: true,
+              role: MembershipRole.ADMIN,
+            },
+            team: {
+              id: 1,
+              name: "Team 1",
+              slug: "team-1",
+            },
+          },
+        ],
+        schedules: [TestData.schedules.IstWorkHours],
+        credentials: [], // No credentials
+        selectedCalendars: [],
+      };
+
+      const { dateString: plus1DateString } = getDate({ dateIncrement: 1 });
+      const bookingUid = "MOCKED_BOOKING_UID_TEAM_ADMIN";
+      const eventTypeSlug = "event-type-1";
+
+      const calendarMock = await mockCalendar("googlecalendar");
+
+      await createBookingScenario(
+        getScenarioData({
+          webhooks: [
+            {
+              userId: organizer.id,
+              eventTriggers: ["BOOKING_CREATED"],
+              subscriberUrl: "http://my-webhook.example.com",
+              active: true,
+              eventTypeId: 1,
+              appId: null,
+            },
+          ],
+          eventTypes: [
+            {
+              id: 1,
+              slug: eventTypeSlug,
+              slotInterval: 45,
+              teamId: 1,
+              schedulingType: SchedulingType.COLLECTIVE,
+              length: 45,
+              users: [
+                {
+                  id: 101,
+                },
+              ],
+            },
+          ],
+          bookings: [
+            {
+              uid: bookingUid,
+              eventTypeId: 1,
+              userId: 101, // Booking belongs to organizer
+              status: BookingStatus.ACCEPTED,
+              startTime: `${plus1DateString}T05:00:00.000Z`,
+              endTime: `${plus1DateString}T05:15:00.000Z`,
+              references: [
+                {
+                  type: "google_calendar",
+                  uid: "MOCK_CALENDAR_EVENT_UID",
+                  meetingId: "MOCK_MEETING_ID",
+                  meetingPassword: "MOCK_PASSWORD",
+                  meetingUrl: "https://UNUSED_URL",
+                  credentialId: 1,
+                },
+              ],
+              attendees: [
+                getMockBookingAttendee({
+                  id: 2,
+                  name: booker.name,
+                  email: booker.email,
+                  locale: "hi",
+                  timeZone: "Asia/Kolkata",
+                  noShow: false,
+                }),
+              ],
+            },
+          ],
+          organizer,
+          usersApartFromOrganizer: [teamAdmin],
+          apps: [TestData.apps["google-calendar"], TestData.apps["daily-video"]],
+        })
+      );
+
+      const loggedInTeamAdmin = {
+        organizationId: null,
+        id: 102, // Team admin ID
+        username: "team-admin",
+        name: "Team Admin",
+        email: "team-admin@example.com",
+      };
+
+      await requestRescheduleHandler(
+        getTrpcHandlerData({
+          user: loggedInTeamAdmin,
+          input: {
+            bookingUid,
+            rescheduleReason: "Team admin requesting reschedule",
+          },
+        })
+      );
+
+      expectBookingRequestRescheduledEmails({
+        booking: {
+          uid: bookingUid,
+        },
+        booker,
+        organizer: organizer,
+        loggedInUser: loggedInTeamAdmin,
+        emails,
+        bookNewTimePath: "/team/team-1/event-type-1",
+      });
+
+      const deleteEventCalls = calendarMock.deleteEventCalls;
+      expect(deleteEventCalls.length).toBe(1);
+
+      const credentialUsed = deleteEventCalls[0].calendarServiceConstructorArgs.credential;
+      expect(credentialUsed.userId).toBe(organizer.id);
+      expect(credentialUsed.id).toBe(1);
+    });
+
+    test(`should reject request-reschedule from team member without proper permissions`, async () => {
+      const { requestRescheduleHandler } = await import(
+        "@calcom/trpc/server/routers/viewer/bookings/requestReschedule.handler"
+      );
+
+      const booker = getBooker({
+        email: "booker@example.com",
+        name: "Booker",
+      });
+
+      const organizer = getOrganizer({
+        name: "Organizer",
+        email: "organizer@example.com",
+        id: 101,
+        teams: [
+          {
+            membership: {
+              accepted: true,
+              role: "MEMBER",
+            },
+            team: {
+              id: 1,
+              name: "Team 1",
+              slug: "team-1",
+            },
+          },
+        ],
+        schedules: [TestData.schedules.IstWorkHours],
+        credentials: [getGoogleCalendarCredential()],
+        selectedCalendars: [TestData.selectedCalendars.google],
+      });
+
+      const teamMember = {
+        id: 103,
+        username: "team-member",
+        name: "Team Member",
+        email: "team-member@example.com",
+        locale: "en",
+        timeZone: "America/New_York",
+        teams: [
+          {
+            membership: {
+              accepted: true,
+              role: MembershipRole.MEMBER,
+            },
+            team: {
+              id: 1,
+              name: "Team 1",
+              slug: "team-1",
+            },
+          },
+        ],
+        schedules: [TestData.schedules.IstWorkHours],
+        credentials: [],
+        selectedCalendars: [],
+      };
+
+      const { dateString: plus1DateString } = getDate({ dateIncrement: 1 });
+      const bookingUid = "MOCKED_BOOKING_UID_MEMBER";
+      const eventTypeSlug = "event-type-1";
+
+      await createBookingScenario(
+        getScenarioData({
+          eventTypes: [
+            {
+              id: 1,
+              slug: eventTypeSlug,
+              slotInterval: 45,
+              teamId: 1,
+              schedulingType: SchedulingType.COLLECTIVE,
+              length: 45,
+              users: [
+                {
+                  id: 101,
+                },
+              ],
+            },
+          ],
+          bookings: [
+            {
+              uid: bookingUid,
+              eventTypeId: 1,
+              userId: 101, // Booking belongs to organizer
+              status: BookingStatus.ACCEPTED,
+              startTime: `${plus1DateString}T05:00:00.000Z`,
+              endTime: `${plus1DateString}T05:15:00.000Z`,
+              attendees: [
+                getMockBookingAttendee({
+                  id: 2,
+                  name: booker.name,
+                  email: booker.email,
+                  locale: "hi",
+                  timeZone: "Asia/Kolkata",
+                  noShow: false,
+                }),
+              ],
+            },
+          ],
+          organizer,
+          usersApartFromOrganizer: [teamMember],
+          apps: [TestData.apps["google-calendar"], TestData.apps["daily-video"]],
+        })
+      );
+
+      const loggedInTeamMember = {
+        organizationId: null,
+        id: 103, // Team member ID
+        username: "team-member",
+        name: "Team Member",
+        email: "team-member@example.com",
+      };
+
+      await expect(
+        requestRescheduleHandler(
+          getTrpcHandlerData({
+            user: loggedInTeamMember,
+            input: {
+              bookingUid,
+              rescheduleReason: "Team member trying to reschedule",
+            },
+          })
+        )
+      ).rejects.toThrow("User does not have permission to request reschedule for this booking");
+    });
+
     test.todo("Verify that the email should go to organizer as well as the team members");
   });
 });