fix: validate hosts belong to team in managed event type create/update (calcom#26952)

* fix: validate hosts belong to team in managed event type create/update

Co-Authored-By: morgan@cal.com <morgan@cal.com>

* test: add e2e tests for managed event type host validation

Co-Authored-By: morgan@cal.com <morgan@cal.com>

* fix: move update test after get team event-types test to fix ordering

Co-Authored-By: morgan@cal.com <morgan@cal.com>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

Author: ThyMinimalDev

apps/api/v2/src/modules/organizations/event-types/services/input.service.ts

@@ -316,6 +316,7 @@ export class InputOrganizationsEventTypesService {
     }
 
     if (inputEventType.hosts) {
+      await this.validateHosts(teamId, inputEventType.hosts);
       return inputEventType.hosts.map((host) => host.userId);
     }
 
@@ -354,6 +355,7 @@ export class InputOrganizationsEventTypesService {
     }
 
     if (inputEventType.hosts) {
+      await this.validateHosts(teamId, inputEventType.hosts);
       return inputEventType.hosts.map((host) => host.userId);
     }
 

apps/api/v2/src/modules/teams/event-types/controllers/teams-event-types.controller.e2e-spec.ts

@@ -205,6 +205,33 @@ describe("Organizations Event Types Endpoints", () => {
       return request(app.getHttpServer()).post(`/v2/teams/${team.id}/event-types`).send(body).expect(404);
     });
 
+    it("should not be able to create managed event-type for user outside team", async () => {
+      const userId = falseTestUser.id;
+
+      const body: CreateTeamEventTypeInput_2024_06_14 = {
+        title: `managed-outside-team-${randomString()}`,
+        slug: `managed-outside-team-${randomString()}`,
+        description: "Managed event type with non-team member.",
+        lengthInMinutes: 60,
+        locations: [
+          {
+            type: "integration",
+            integration: "cal-video",
+          },
+        ],
+        schedulingType: "MANAGED",
+        hosts: [
+          {
+            userId,
+            mandatory: true,
+            priority: "high",
+          },
+        ],
+      };
+
+      return request(app.getHttpServer()).post(`/v2/teams/${team.id}/event-types`).send(body).expect(404);
+    });
+
     it("should not be able to create phone-only event type", async () => {
       const body: CreateTeamEventTypeInput_2024_06_14 = {
         title: "Phone coding consultation",
@@ -564,6 +591,25 @@ describe("Organizations Event Types Endpoints", () => {
         });
     });
 
+    it("should not be able to update managed event-type with user outside team", async () => {
+      await ensureManagedEventType();
+
+      const body: UpdateTeamEventTypeInput_2024_06_14 = {
+        hosts: [
+          {
+            userId: falseTestUser.id,
+            mandatory: true,
+            priority: "high",
+          },
+        ],
+      };
+
+      return request(app.getHttpServer())
+        .patch(`/v2/teams/${team.id}/event-types/${managedEventType?.id}`)
+        .send(body)
+        .expect(404);
+    });
+
     it("should not be able to update non existing event-type", async () => {
       const body: UpdateTeamEventTypeInput_2024_06_14 = {
         title: "Clean code consultation",