cal.com icon indicating copy to clipboard operation
cal.com copied to clipboard
verified publisher icon calcom

fix: do not let people override meeting location

Open chaitanyya opened this issue 6 months ago • 5 comments

What does this PR do?

Video Demo

Screenshot 2025-06-13 at 9 13 24 PM

Fix Demo Loom

Mandatory Tasks

  • [x] I have self-reviewed the code (A decent size PR without self-review might be rejected).
  • [x] I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. N/A
  • [x] I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

  • Open a booking link
  • Add location={"value":"phone","optionValue":"%2B16134443433"} in search params
  • Scheduling should fail, it should not override the location

chaitanyya avatar Jun 14 '25 04:06 chaitanyya

@chaitanyya is attempting to deploy a commit to the cal Team on Vercel.

A member of the Team first needs to authorize it.

vercel[bot] avatar Jun 14 '25 04:06 vercel[bot]

Graphite Automations

"Add consumer team as reviewer" took an action on this PR • (06/14/25)

1 reviewer was added to this PR based on Keith Williams's automation.

"Add community label" took an action on this PR • (06/14/25)

1 label was added to this PR based on Keith Williams's automation.

"Add platform team as reviewer" took an action on this PR • (06/14/25)

1 reviewer was added to this PR based on Keith Williams's automation.

graphite-app[bot] avatar Jun 14 '25 04:06 graphite-app[bot]

@chaitanyya test cases are failing , please try to fix them..

Devanshusharma2005 avatar Jun 14 '25 14:06 Devanshusharma2005

@Devanshusharma2005 all tests are passing now, one test had to be adjusted because it was modifying the booking location for an even that already had an location attached to it, which is what we wanted to avoid

chaitanyya avatar Jun 15 '25 17:06 chaitanyya

@chaitanyya thank you for the contribution - it is awesome!

I have a question though - could you replicate the orignal issue? I am asking because I am not able to - I visited my meeting page https://i.cal.com/lauris/30min and then added the query param https://i.cal.com/lauris/30min?location={%22value%22:%22phone%22,%22optionValue%22:%22%2B16134443433%22}) and then i book myself the location is the correct one - cal video

Screenshot 2025-06-16 at 17 55 52

Loom: https://www.loom.com/share/e0d912abb89c409f91e029c86279e926

Did the phone appear as the location in the booking confirmation page? Thank you!

Neither was i able to replicate if i install zoom so wondering if i am missing something or it actually works already.

supalarry avatar Jun 16 '25 15:06 supalarry

@supalarry Yes, the location did appear on the final page which is what was worrisome, i could consistently reproduce it. Let me make another loom

chaitanyya avatar Jun 16 '25 18:06 chaitanyya

@supalarry https://www.loom.com/share/63cdb02d8a2b4fac80a4cc064cef696e here

chaitanyya avatar Jun 16 '25 21:06 chaitanyya

@SomayChauhan about defaulting to zoom/cal video there are definitely some cons, ideally this scenario (user trying to modify location) should never happen and whenever it happens imo an error is the right approach for the following reasons:

It catches configuration issues early - the handleNewBooking logic it so convoluted. And maintains data integrity

chaitanyya avatar Jun 18 '25 16:06 chaitanyya

Hey @chaitanyya, Can you please resolve the merge conflicts?

kart1ka avatar Jun 22 '25 11:06 kart1ka

@kart1ka done

chaitanyya avatar Jun 22 '25 20:06 chaitanyya

@SomayChauhan wondering it this can be merged now?

chaitanyya avatar Jun 29 '25 21:06 chaitanyya

@SomayChauhan wondering if there are still blockers on this?

chaitanyya avatar Jul 11 '25 18:07 chaitanyya

Could you please resolve merge conflicts?

kart1ka avatar Aug 27 '25 14:08 kart1ka

[!NOTE]

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

The PR adds validation to getLocationValueForDB to ensure booking locations match the event type’s configured locations, introduces fallback and attendee-input validation, and throws ErrorCode.InvalidLocationForEventType when invalid. It adds corresponding unit tests, a new error code, and an English translation string for the error. A dynamic group booking test is updated to mock Daily Video meeting creation and omit location from mocked responses. A non-functional import order change was made in a React component.

Assessment against linked issues

Objective Addressed Explanation
Prevent attendees from overriding host-defined booking location via API V2 by supplying user-input (e.g., phone) when the event is configured for another location type (#21806, CAL-5923)

Assessment against linked issues: Out-of-scope changes

Code Change Explanation

Possibly related PRs

  • calcom/cal.com#21377: Both modify packages/app-store/locations.ts for location type handling; may interact with new matching/validation logic.
  • calcom/cal.com#22840: Also changes location resolution and conference credential handling in packages/app-store/locations.ts, likely touching similar code paths.

[!TIP]

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

✨ Finishing Touches
  • [ ] 📝 Generate Docstrings
🧪 Generate unit tests
  • [ ] Create PR with unit tests
  • [ ] Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbit in a new review comment at the desired location with your query.
  • PR comments: Tag @coderabbit in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbit gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbit read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbit help to get the list of available commands.

Other keywords and placeholders

  • Add @coderabbit ignore or @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbit summary or @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbit or @coderabbitai anywhere in the PR title to generate the title automatically.

Status, Documentation and Community

  • Visit our Status Page to check the current availability of CodeRabbit.
  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

coderabbitai[bot] avatar Aug 27 '25 23:08 coderabbitai[bot]