
Code Review Bench PR #25434 - fix: get bookings handler for pbac and fallback roles #1

Open
tomerqodo wants to merge 2 commits into base_pr_25434_20260125_2717 from corrupted_pr_25434_20260125_2717

Conversation

@tomerqodo

Code Review Bench PR calcom#25434

Original PR Title: fix: get bookings handler for pbac and fallback roles
Original PR Description:

What does this PR do?

This PR is stacked upon calcom#25387

Fixes the issue where PBAC/fallback roles were not taken into consideration correctly when calling get booking. The changes include:

  • Refactored get.handler.ts to use PermissionCheckService instead of direct membership queries
  • Added orgId parameter to getTeamIdsWithPermission and getTeamIdsWithPermissions to properly scope results to the user's organization
  • Updated SQL queries in PermissionRepository to filter teams by organization scope
  • Added comprehensive unit tests for PBAC permission checks in the bookings handler
  • Added integration tests for the orgId filtering functionality

Updates since last revision

  • Merged latest main to resolve conflicts
  • Fixed failing unit tests by updating the PermissionCheckService mock to use function() instead of arrow function (required for proper constructor mocking in Vitest)
  • Renamed scopedOrgId parameter to orgId for consistency
  • Changed fallback roles to use MembershipRole enum instead of hardcoded strings

Visual Demo (For contributors especially)

N/A - Backend logic changes only

Mandatory Tasks (DO NOT REMOVE)

  • I have self-reviewed the code (A decent size PR without self-review might be rejected).
  • I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. N/A
  • I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

  1. Run the unit tests: TZ=UTC yarn vitest run packages/trpc/server/routers/viewer/bookings/get.handler.test.ts
  2. Run the integration tests: VITEST_MODE=integration yarn test packages/features/pbac/infrastructure/repositories/__tests__/PermissionRepository.integration-test.ts
  3. Verify that users with PBAC permissions or ADMIN/OWNER fallback roles can view bookings for their team members
  4. Verify that users cannot view bookings for users outside their permission scope

Human Review Checklist

  • Verify the SQL queries in PermissionRepository.ts correctly handle the orgId filtering (including null/undefined cases)
  • Verify the permission checks work correctly for both PBAC-enabled teams and fallback role scenarios
  • Confirm the test mock fix using function() instead of arrow function is the correct pattern

Link to Devin run: https://app.devin.ai/sessions/8454efaba8ea4ecdb672f6ec9bde2876
Requested by: sean@cal.com (@sean-brydon)
Original PR URL: calcom#25434
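To make the orgId scoping concrete, here is an added TypeScript illustration of the permission logic the description refers to; it is not cal.com's code, and the Membership shape, the "booking.read" permission string and the getTeamIdsWithPermission/canViewBooking names are assumptions for the example. The same function shows the pre-fix (unscoped) and post-fix (orgId-scoped) results side by side.

```typescript
// Illustrative model only (not cal.com code). Names and shapes below are assumed.
type Role = "OWNER" | "ADMIN" | "MEMBER";

interface Membership {
  teamId: number;
  orgId: number | null;   // organization owning the team; null = standalone team
  role: Role;
  pbacEnabled: boolean;   // team has PBAC roles/permissions configured
  permissions: string[];  // PBAC permissions this member holds on the team
}

// Fallback roles used when a team has no PBAC configuration (MembershipRole-style enum).
const FALLBACK_ROLES: Role[] = ["ADMIN", "OWNER"];

/** Grant via PBAC when enabled; otherwise fall back to ADMIN/OWNER roles. */
function grants(m: Membership, permission: string): boolean {
  if (m.pbacEnabled) return m.permissions.includes(permission);
  return FALLBACK_ROLES.includes(m.role);
}

/**
 * Team IDs on which the user holds `permission`.
 * orgId undefined  -> no scoping (the pre-fix behaviour: teams from every org leak in)
 * orgId number     -> only teams inside that organization
 * orgId null       -> only standalone teams (no organization)
 */
function getTeamIdsWithPermission(
  memberships: Membership[],
  permission: string,
  orgId?: number | null
): number[] {
  return memberships
    .filter((m) => grants(m, permission))
    .filter((m) => orgId === undefined || m.orgId === orgId)
    .map((m) => m.teamId);
}

/** A booking on `bookingTeamId` is visible only if that team is in the viewer's permitted set. */
function canViewBooking(viewerTeamIds: number[], bookingTeamId: number): boolean {
  return viewerTeamIds.includes(bookingTeamId);
}

// Constructed sample: one user who is an ADMIN in org 1 and a PBAC reader in org 2.
const SAMPLE: Membership[] = [
  { teamId: 10, orgId: 1, role: "ADMIN", pbacEnabled: false, permissions: [] },
  { teamId: 11, orgId: 1, role: "MEMBER", pbacEnabled: false, permissions: [] },
  { teamId: 20, orgId: 2, role: "MEMBER", pbacEnabled: true, permissions: ["booking.read"] },
  { teamId: 21, orgId: 2, role: "OWNER", pbacEnabled: true, permissions: [] },
];
```

Called without an orgId the user sees team 20's bookings from inside org 1; scoped to org 1 only team 10 remains, which is the behaviour step 4 of the test plan checks for.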
