feat(slots): add functionality to check if booker is a Cal.com user and include their availability when rescheduling #25346
…nd include their availability when rescheduling
@krishvsoni is attempting to deploy a commit to the cal Team on Vercel. A member of the Team first needs to authorize it.
1 issue found across 1 file
Prompt for AI agents (all 1 issues)
Understand the root cause of the following 1 issues and fix them.
<file name="packages/trpc/server/routers/viewer/slots/util.ts">
<violation number="1" location="packages/trpc/server/routers/viewer/slots/util.ts:1078">
Rule violated: **Avoid Logging Sensitive Information**
Remove the booker’s email from the log payload to avoid emitting personally identifiable information in logs.</violation>
</file>
Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR
…ub.com/krishvsoni/cal.com into cal-4531/reschedule-guest-availability
…ned case for Cal.com user check
This PR has been marked as stale due to inactivity. If you're still working on it or need any help, please let us know or update the PR to keep it active.
@anikdhabal could you please review the changes I’ve submitted? Let me know if anything needs adjustment.
…ling tests, alongside enhanced Next.js routing for organization slugs.
… annotation and unused import.
…ub.com/krishvsoni/cal.com into cal-4531/reschedule-guest-availability
… yarn install and add type for searchTextClauses
6 issues found across 1022 files
Note: This PR contains a large number of files. cubic only reviews up to 75 files per PR, so some files may not have been reviewed.
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name=".env.example">
<violation number="1" location=".env.example:515">
P2: Ad tracking features should default to disabled (`=0` or empty) in `.env.example`, consistent with other feature flags like `GOOGLE_LOGIN_ENABLED=false` and `ORGANIZATIONS_ENABLED=`. Self-hosters copying this example would have tracking enabled by default, which may not be desired for privacy-conscious deployments.</violation>
</file>
<file name=".github/workflows/labeler.yml">
<violation number="1" location=".github/workflows/labeler.yml:23">
P1: Secrets context is not available in job-level `if:` conditionals. This condition will not work as expected. Consider using a different approach, such as checking the secret in a step or using a repository variable to gate this job.</violation>
<violation number="2" location=".github/workflows/labeler.yml:26">
P2: Using `@main` for a third-party action is a security risk. Pin to a specific commit SHA (e.g., `equitybee/team-label-action@abc123...`) to prevent unexpected changes or supply chain attacks.</violation>
</file>
<file name=".github/workflows/pr.yml">
<violation number="1" location=".github/workflows/pr.yml:275">
P0: Bug: Reference to renamed job `needs.changes` should be `needs.prepare`. The `changes` job was renamed to `prepare` but this reference wasn't updated, which will cause the condition to malfunction.</violation>
<violation number="2" location=".github/workflows/pr.yml:283">
P1: The new failure detection only checks for `failure` results, but per team policy, `skipped` (and `cancelled`) jobs should also block merges. All required checks must run and succeed before a PR can merge.
(Based on your team's feedback about treating 'skipped' as non-success for merge requirements.) [FEEDBACK_USED]</violation>
</file>
<file name="apps/api/v2/src/ee/bookings/2024-08-13/services/booking-location.service.ts">
<violation number="1" location="apps/api/v2/src/ee/bookings/2024-08-13/services/booking-location.service.ts:110">
P1: Rule violated: **Avoid Logging Sensitive Information**
This log statement serializes the entire `loc` object which can contain PII such as phone numbers and physical addresses. Instead of logging the full object, log only the non-sensitive `loc.type` field to debug unsupported location types.</violation>
</file>
Reply to cubic to teach it or ask questions. Tag @cubic-dev-ai to re-run a review.
| TRIGGER_DEV_PROJECT_REF= | ||
|
|
||
| GOOGLE_ADS_ENABLED=1 # To enable Google Ads tracking (gclid) | ||
| LINKEDIN_ADS_ENABLED=1 # To enable LinkedIn Ads tracking (li_fat_id) |
P2: Ad tracking features should default to disabled (=0 or empty) in .env.example, consistent with other feature flags like GOOGLE_LOGIN_ENABLED=false and ORGANIZATIONS_ENABLED=. Self-hosters copying this example would have tracking enabled by default, which may not be desired for privacy-conscious deployments.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .env.example, line 515:
<comment>Ad tracking features should default to disabled (`=0` or empty) in `.env.example`, consistent with other feature flags like `GOOGLE_LOGIN_ENABLED=false` and `ORGANIZATIONS_ENABLED=`. Self-hosters copying this example would have tracking enabled by default, which may not be desired for privacy-conscious deployments.</comment>
<file context>
@@ -509,4 +509,7 @@ SEED_PLATFORM_OAUTH_CLIENT_SECRET=
+TRIGGER_DEV_PROJECT_REF=
+
+GOOGLE_ADS_ENABLED=1 # To enable Google Ads tracking (gclid)
+LINKEDIN_ADS_ENABLED=1 # To enable LinkedIn Ads tracking (li_fat_id)
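Review bot: the last two added lines ship both ad flags as `1`, so a `.env` copied from this example starts capturing the click identifiers named in the inline comments (gclid, li_fat_id) without the operator choosing to. Leave them empty like `TRIGGER_DEV_PROJECT_REF=` just above, and have the comment state which value turns the feature on.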
</file context>
| if: ${{ secrets.EQUITY_BEE_TEAM_LABELER_ACTION_TOKEN != '' }} | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: equitybee/team-label-action@main |
P2: Using @main for a third-party action is a security risk. Pin to a specific commit SHA (e.g., equitybee/team-label-action@abc123...) to prevent unexpected changes or supply chain attacks.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/labeler.yml, line 26:
<comment>Using `@main` for a third-party action is a security risk. Pin to a specific commit SHA (e.g., `equitybee/team-label-action@abc123...`) to prevent unexpected changes or supply chain attacks.</comment>
<file context>
@@ -14,7 +14,20 @@ jobs:
+ if: ${{ secrets.EQUITY_BEE_TEAM_LABELER_ACTION_TOKEN != '' }}
+ steps:
+ - uses: actions/checkout@v4
+ - uses: equitybee/team-label-action@main
+ with:
+ repo-token: ${{ secrets.EQUITY_BEE_TEAM_LABELER_ACTION_TOKEN }}
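Review bot: `actions/checkout@v4` on the third added line is a mutable tag as well, and it runs in the same job that hands `repo-token` to `team-label-action@main`. Pin both `uses:` lines to full 40-character commit SHAs and keep the human-readable version in a trailing comment.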
</file context>
| contents: read | ||
| pull-requests: write | ||
| runs-on: ubuntu-latest | ||
| if: ${{ secrets.EQUITY_BEE_TEAM_LABELER_ACTION_TOKEN != '' }} |
P1: Secrets context is not available in job-level if: conditionals. This condition will not work as expected. Consider using a different approach, such as checking the secret in a step or using a repository variable to gate this job.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/labeler.yml, line 23:
<comment>Secrets context is not available in job-level `if:` conditionals. This condition will not work as expected. Consider using a different approach, such as checking the secret in a step or using a repository variable to gate this job.</comment>
<file context>
@@ -14,7 +14,20 @@ jobs:
+ contents: read
+ pull-requests: write
+ runs-on: ubuntu-latest
+ if: ${{ secrets.EQUITY_BEE_TEAM_LABELER_ACTION_TOKEN != '' }}
+ steps:
+ - uses: actions/checkout@v4
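Review bot: the `permissions:` block at the top of this hunk constrains only the job's `GITHUB_TOKEN`, not the separate `EQUITY_BEE_TEAM_LABELER_ACTION_TOKEN` secret named in the `if:` line, which carries whatever scopes it was issued with. Note in the workflow which scopes that token needs, or use `GITHUB_TOKEN` if `pull-requests: write` is enough for labeling.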
</file context>
.github/workflows/pr.yml
Outdated
| # Use jq to list jobs with result == "failure" | ||
| echo '${{ toJson(needs) }}' > /tmp/needs.json | ||
| cat /tmp/needs.json | ||
| failures=$(jq -r 'to_entries | map(select(.value.result=="failure")) | .[].key' /tmp/needs.json || true) |
P1: The new failure detection only checks for failure results, but per team policy, skipped (and cancelled) jobs should also block merges. All required checks must run and succeed before a PR can merge.
(Based on your team's feedback about treating 'skipped' as non-success for merge requirements.)
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/pr.yml, line 283:
<comment>The new failure detection only checks for `failure` results, but per team policy, `skipped` (and `cancelled`) jobs should also block merges. All required checks must run and succeed before a PR can merge.
(Based on your team's feedback about treating 'skipped' as non-success for merge requirements.) </comment>
<file context>
@@ -264,18 +271,18 @@ jobs:
+ # Use jq to list jobs with result == "failure"
+ echo '${{ toJson(needs) }}' > /tmp/needs.json
+ cat /tmp/needs.json
+ failures=$(jq -r 'to_entries | map(select(.value.result=="failure")) | .[].key' /tmp/needs.json || true)
+ if [ -n "$failures" ]; then
+ echo " Failed jobs: $failures"
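Review bot: `echo '${{ toJson(needs) }}'` on the second added line pastes the expression result into the script text before the shell runs, so a single quote in any job output ends the quoting and the rest is parsed as shell. Pass the value through `env:` (for example `NEEDS_JSON: ${{ toJson(needs) }}`) and write it with `printf '%s' "$NEEDS_JSON"`. The `|| true` after `jq` also means a parse error leaves `failures` empty and the step passes.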
</file context>
✅ Addressed in 279723a
.github/workflows/pr.yml
Outdated
| needs.build-companion.result != 'success' | ||
| ) | ||
| - name: Dump dependent job results and fail only on 'failure' | ||
| if: needs.changes.outputs.has-files-requiring-all-checks == 'true' |
P0: Bug: Reference to renamed job needs.changes should be needs.prepare. The changes job was renamed to prepare but this reference wasn't updated, which will cause the condition to malfunction.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/pr.yml, line 275:
<comment>Bug: Reference to renamed job `needs.changes` should be `needs.prepare`. The `changes` job was renamed to `prepare` but this reference wasn't updated, which will cause the condition to malfunction.</comment>
<file context>
@@ -264,18 +271,18 @@ jobs:
- needs.build-companion.result != 'success'
- )
+ - name: Dump dependent job results and fail only on 'failure'
+ if: needs.changes.outputs.has-files-requiring-all-checks == 'true'
+ run: |
+ echo 'Dependent job results:'
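Review bot: the removed condition compared `needs.build-companion.result != 'success'`, while the added step is named to fail only on 'failure', so skipped and cancelled results no longer fail this job. If that loosening is intended, say so in a comment above the step; otherwise keep the `!= 'success'` comparison.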
</file context>
| if: needs.changes.outputs.has-files-requiring-all-checks == 'true' | |
| if: needs.prepare.outputs.has-files-requiring-all-checks == 'true' |
✅ Addressed in 57fbd58
| if (loc.type === "attendeePhone") return loc.phone; | ||
| if (loc.type === "attendeeDefined") return loc.location; | ||
|
|
||
| this.logger.log( |
P1: Rule violated: Avoid Logging Sensitive Information
This log statement serializes the entire loc object which can contain PII such as phone numbers and physical addresses. Instead of logging the full object, log only the non-sensitive loc.type field to debug unsupported location types.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/api/v2/src/ee/bookings/2024-08-13/services/booking-location.service.ts, line 110:
<comment>This log statement serializes the entire `loc` object which can contain PII such as phone numbers and physical addresses. Instead of logging the full object, log only the non-sensitive `loc.type` field to debug unsupported location types.</comment>
<file context>
@@ -0,0 +1,118 @@
+ if (loc.type === "attendeePhone") return loc.phone;
+ if (loc.type === "attendeeDefined") return loc.location;
+
+ this.logger.log(
+ `Booking location service getLocationValue - loc ${JSON.stringify(
+ loc
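Review bot: the fall-through `this.logger.log` call stringifies the whole `loc` object, and the two branches just above it show that object can carry `loc.phone` and `loc.location`. Log `loc.type` alone, which is all that is needed to identify an unsupported location type.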
</file context>
…e the appropriate output from the prepare job
Devin AI is resolving merge conflicts
This PR has merge conflicts with the Devin will:
If you prefer to resolve conflicts manually, you can close the Devin session and handle it yourself.
Resolved conflicts in:
- .github/workflows/pr.yml: Took upstream trust-check and conditional job failure logic
- packages/embeds/embed-core/src/embed-iframe.ts: Took upstream guard for document.body
- packages/lib/package.json: Combined upstream exact versions with PR's @trigger.dev/sdk addition
- packages/prisma/package.json: Combined PR's ts-node in dependencies with upstream exact versions
- packages/trpc/server/routers/viewer/slots/util.ts: Combined upstream blocked hosts filtering with PR's booker availability checking
- yarn.lock: Took upstream version

Co-Authored-By: unknown <>
3 issues found across 17 files
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="packages/testing/src/lib/bookingScenario/expects.ts">
<violation number="1" location="packages/testing/src/lib/bookingScenario/expects.ts:720">
P2: bookerReschedule flag ignored; test now accepts any email type for old organizer, weakening scenario coverage</violation>
</file>
<file name=".github/workflows/labeler.yml">
<violation number="1" location=".github/workflows/labeler.yml:26">
P1: Unpinned third‑party action in pull_request_target receives secret token, enabling supply-chain/secret exfiltration risk</violation>
</file>
<file name="packages/trpc/server/routers/viewer/slots/util.ts">
<violation number="1" location="packages/trpc/server/routers/viewer/slots/util.ts:1225">
P2: Booker availability is dropped in fallback round‑robin recalculations, so fallback slots ignore booker conflicts</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
| if: ${{ secrets.EQUITY_BEE_TEAM_LABELER_ACTION_TOKEN != '' }} | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: equitybee/team-label-action@main |
P1: Unpinned third‑party action in pull_request_target receives secret token, enabling supply-chain/secret exfiltration risk
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/labeler.yml, line 26:
<comment>Unpinned third‑party action in pull_request_target receives secret token, enabling supply-chain/secret exfiltration risk</comment>
<file context>
@@ -14,7 +14,20 @@ jobs:
+ if: ${{ secrets.EQUITY_BEE_TEAM_LABELER_ACTION_TOKEN != '' }}
+ steps:
+ - uses: actions/checkout@v4
+ - uses: equitybee/team-label-action@main
+ with:
+ repo-token: ${{ secrets.EQUITY_BEE_TEAM_LABELER_ACTION_TOKEN }}
</file context>
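The two review comments on `.github/workflows/labeler.yml` (the unpinned `@main` ref, and the secret token passed to it) can be checked mechanically. This is an added example, not code from the PR or from cubic; `findUnpinnedActions`, the `SAMPLE` workflow, and the `example-org/example-action` SHA are constructed for illustration.

```typescript
// Added example: flag `uses:` refs that are not pinned to a full commit SHA,
// and note whether the same step is handed a secret.
interface UnpinnedUse {
  line: number; // 1-based line in the workflow text
  action: string; // e.g. "equitybee/team-label-action"
  ref: string; // "main", "v4", or "" when no ref is given
  receivesSecret: boolean; // a `${{ secrets.* }}` value appears later in the step
}

const FULL_SHA = /^[0-9a-f]{40}$/;
const USES_LINE = /^\s*(?:-\s*)?uses:\s*["']?([^"'\s]+)["']?\s*$/;

function findUnpinnedActions(workflow: string): UnpinnedUse[] {
  const lines = workflow.split(/\r?\n/);
  const findings: UnpinnedUse[] = [];
  lines.forEach((raw, idx) => {
    // Strip a trailing YAML comment before matching the `uses:` value.
    const m = USES_LINE.exec(raw.replace(/\s+#.*$/, ""));
    if (!m) return;
    const target = m[1] ?? "";
    // Local actions and container images are not repository refs.
    if (target.startsWith("./") || target.startsWith("docker://")) return;
    const at = target.lastIndexOf("@");
    const ref = at === -1 ? "" : target.slice(at + 1);
    if (FULL_SHA.test(ref)) return; // immutable pin, nothing to report
    // Step lines sit at or beyond the `uses` key column; keys before `uses:` are not scanned.
    const keyCol = raw.indexOf("uses:");
    let receivesSecret = false;
    for (let j = idx + 1; j < lines.length; j++) {
      const next = lines[j] ?? "";
      if (next.trim() !== "" && next.search(/\S/) < keyCol) break;
      if (/\$\{\{\s*secrets\./.test(next)) receivesSecret = true;
    }
    const action = at === -1 ? target : target.slice(0, at);
    findings.push({ line: idx + 1, action, ref, receivesSecret });
  });
  return findings;
}

// Constructed workflow; the first two `uses:` lines and the token name are the
// ones quoted in the review, the pinned action and its SHA are made up.
const SAMPLE = [
  "jobs:",
  "  label:",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "      - uses: equitybee/team-label-action@main",
  "        with:",
  "          repo-token: ${{ secrets.EQUITY_BEE_TEAM_LABELER_ACTION_TOKEN }}",
  "      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1",
  "      - uses: ./.github/actions/local",
].join("\n");

console.log(findUnpinnedActions(SAMPLE));
```

A finding with `receivesSecret: true` is the case the P1 comment describes: whoever can move the referenced branch or tag controls code that runs with that token.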
| prevOrganizer, | ||
| bookerReschedule, | ||
|
|
||
| bookerReschedule: _bookerReschedule, |
P2: bookerReschedule flag ignored; test now accepts any email type for old organizer, weakening scenario coverage
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/testing/src/lib/bookingScenario/expects.ts, line 720:
<comment>bookerReschedule flag ignored; test now accepts any email type for old organizer, weakening scenario coverage</comment>
<file context>
@@ -712,62 +712,115 @@ export function expectCalendarEventCreationFailureEmails({
prevOrganizer,
- bookerReschedule,
+
+ bookerReschedule: _bookerReschedule,
}: {
emails: Fixtures["emails"];
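Review bot: renaming the destructured parameter to `_bookerReschedule` silences the unused-variable warning but leaves callers passing a flag that no longer changes any assertion. Either drop it from the parameter type and the call sites, or keep the branch that used it so the booker-reschedule scenario is still asserted.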
</file context>
| }); | ||
|
|
||
| if (bookerWithCredentials) { | ||
| allHosts = [ |
P2: Booker availability is dropped in fallback round‑robin recalculations, so fallback slots ignore booker conflicts
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/trpc/server/routers/viewer/slots/util.ts, line 1225:
<comment>Booker availability is dropped in fallback round‑robin recalculations, so fallback slots ignore booker conflicts</comment>
<file context>
@@ -1181,6 +1205,35 @@ export class AvailableSlotsService {
+ });
+
+ if (bookerWithCredentials) {
+ allHosts = [
+ ...allHosts,
+ {
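Review bot: appending the booker to `allHosts` whenever `bookerWithCredentials` is set makes the returned slots depend on that user's calendars, so anyone who can request slots for this booking can infer when the booker is busy. Confirm at this point that the caller is authorized for the booking being rescheduled, and skip the append when the booker is already present in `allHosts`.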
</file context>
feat(slots): check booker availability when host reschedules if booker is a Cal.com user
What does this PR do?
This PR adds functionality to check if a booking's attendee (booker) is a Cal.com user when the host attempts to reschedule. If the booker is a Cal.com user, their availability (including connected calendars) is included in the slot calculation, ensuring only mutually available time slots are displayed.
Key Changes:
- Added `_getBookerUserIfCalUser` method to check if booker email belongs to a Cal.com user
- Modified `_getAvailableSlots` to include booker in availability checks during rescheduling
- Booker is treated as a fixed host to ensure their calendar conflicts are respected
Fixes [CAL-4531] Take into account guest's availability when rescheduling #16378
Fixes CAL-4531
Type of change
Visual Demo
In the video, User A is not available on Monday and User B is not available on Wednesday, so both days are not displayed on the calendar
2025-11-22.16-20-16.mp4
Before:
When a host reschedules a booking, the system only checks the host's availability and ignores the booker's calendar, even if the booker is a Cal.com user with their own availability settings and connected calendars.
After:
When a host reschedules:
How to Verify:
Check the browser console/network tab for the log message:
This confirms the booker's availability is being checked.
Mandatory Tasks (DO NOT REMOVE)
How should this be tested?
Prerequisites:
Test Steps:
Setup Users:
Create Initial Booking:
Test Rescheduling:
Expected Results:
Verify Logs:
"Booker is a Cal.com user, including their availability"
/api/trpc/slots.getSchedule
Edge Cases to Test:
Non-Cal.com User as Booker:
Team Event:
Environment Variables:
No additional environment variables needed beyond standard Cal.com setup.
Minimal Test Data:
Checklist
Additional Notes
Technical Implementation:
`findByUidIncludeEventType` method from BookingRepository to fetch booking with attendees
`findUsersForAvailabilityCheck` to fetch booker's full availability data
Performance Considerations:
`rescheduleUid` is present
Future Enhancements: