Merge branch 'main' into allow-team-with-same-slug

Author: anikdhabal

apps/web/test/lib/handleChildrenEventTypes.test.ts

@@ -143,9 +143,10 @@ describe("handleChildrenEventTypes", () => {
         profileId: null,
         updatedValues: {},
       });
+      const { createdAt, updatedAt, ...expectedEvType } = evType;
       expect(prismaMock.eventType.create).toHaveBeenCalledWith({
         data: {
-          ...evType,
+          ...expectedEvType,
           parentId: 1,
           users: { connect: [{ id: 4 }] },
           lockTimeZoneToggleOnBookingPage: false,
@@ -206,7 +207,7 @@ describe("handleChildrenEventTypes", () => {
           bookingLimits: undefined,
         },
       });
-      const { profileId, autoTranslateDescriptionEnabled, ...rest } = evType;
+      const { profileId, autoTranslateDescriptionEnabled, createdAt, updatedAt, ...rest } = evType;
       expect(prismaMock.eventType.update).toHaveBeenCalledWith({
         data: {
           ...rest,
@@ -317,9 +318,10 @@ describe("handleChildrenEventTypes", () => {
         profileId: null,
         updatedValues: {},
       });
+      const { createdAt, updatedAt, ...expectedEvType } = evType;
       expect(prismaMock.eventType.create).toHaveBeenCalledWith({
         data: {
-          ...evType,
+          ...expectedEvType,
           parentId: 1,
           users: { connect: [{ id: 4 }] },
           bookingLimits: undefined,
@@ -383,7 +385,7 @@ describe("handleChildrenEventTypes", () => {
           length: 30,
         },
       });
-      const { profileId, autoTranslateDescriptionEnabled, ...rest } = evType;
+      const { profileId, autoTranslateDescriptionEnabled, createdAt, updatedAt, ...rest } = evType;
       expect(prismaMock.eventType.update).toHaveBeenCalledWith({
         data: {
           ...rest,
@@ -464,7 +466,11 @@ describe("handleChildrenEventTypes", () => {
         ...evType,
       };
 
-      prismaMock.eventType.update.mockResolvedValue(mockUpdatedEventType);
+      prismaMock.eventType.update.mockResolvedValue({
+        ...mockUpdatedEventType,
+        createdAt: new Date(),
+        updatedAt: new Date(),
+      });
 
       await updateChildrenEventTypes({
         eventTypeId: 1,
@@ -480,9 +486,10 @@ describe("handleChildrenEventTypes", () => {
         updatedValues: {},
       });
 
+      const { createdAt, updatedAt, ...expectedEvType } = evType;
       expect(prismaMock.eventType.create).toHaveBeenCalledWith({
         data: {
-          ...evType,
+          ...expectedEvType,
           bookingLimits: undefined,
           durationLimits: undefined,
           recurringEvent: undefined,
@@ -507,7 +514,7 @@ describe("handleChildrenEventTypes", () => {
           allowReschedulingCancelledBookings: false,
         },
       });
-      const { profileId, rrSegmentQueryValue, ...rest } = evType;
+      const { profileId, rrSegmentQueryValue, createdAt: _, updatedAt: __, ...rest } = evType;
       if ("workflows" in rest) delete rest.workflows;
       expect(prismaMock.eventType.update).toHaveBeenCalledWith({
         data: {

packages/features/eventtypes/lib/defaultEvents.ts

@@ -149,6 +149,8 @@ const commons = {
   eventTypeColor: null,
   hostGroups: [],
   bookingRequiresAuthentication: false,
+  createdAt: null,
+  updatedAt: null,
 };
 
 export const dynamicEvent = {

packages/lib/test/builder.ts

@@ -162,6 +162,8 @@ export const buildEventType = (eventType?: Partial<EventType>): EventType => {
     restrictionScheduleId: null,
     useBookerTimezone: false,
     bookingRequiresAuthentication: false,
+    createdAt: null,
+    updatedAt: null,
     ...eventType,
   };
 };

packages/prisma/extensions/event-type-timestamps.ts

@@ -0,0 +1,27 @@
+import { Prisma } from "@calcom/prisma/client";
+
+export function eventTypeTimestampsExtension() {
+  return Prisma.defineExtension({
+    query: {
+      eventType: {
+        async create({ args, query }) {
+          const now = new Date();
+          args.data.createdAt = now;
+          return query(args);
+        },
+        async createMany({ args, query }) {
+          const now = new Date();
+          if (Array.isArray(args.data)) {
+            args.data = args.data.map((item) => ({
+              ...item,
+              createdAt: now,
+            }));
+          } else {
+            args.data.createdAt = now;
+          }
+          return query(args);
+        },
+      },
+    },
+  });
+}

packages/prisma/index.ts

@@ -2,6 +2,7 @@ import { PrismaClient, type Prisma } from "@calcom/prisma/client";
 
 import { bookingIdempotencyKeyExtension } from "./extensions/booking-idempotency-key";
 import { disallowUndefinedDeleteUpdateManyExtension } from "./extensions/disallow-undefined-delete-update-many";
+import { eventTypeTimestampsExtension } from "./extensions/event-type-timestamps";
 import { excludeLockedUsersExtension } from "./extensions/exclude-locked-users";
 import { excludePendingPaymentsExtension } from "./extensions/exclude-pending-payment-teams";
 import { usageTrackingExtention } from "./extensions/usage-tracking";
@@ -42,6 +43,7 @@ export const customPrisma = (options?: Prisma.PrismaClientOptions) =>
     .$extends(excludeLockedUsersExtension())
     .$extends(excludePendingPaymentsExtension())
     .$extends(bookingIdempotencyKeyExtension())
+    .$extends(eventTypeTimestampsExtension())
     .$extends(disallowUndefinedDeleteUpdateManyExtension()) as unknown as PrismaClient;
 
 // If any changed on middleware server restart is required
@@ -58,6 +60,7 @@ export const prisma: PrismaClient = baseClient
   .$extends(excludeLockedUsersExtension())
   .$extends(excludePendingPaymentsExtension())
   .$extends(bookingIdempotencyKeyExtension())
+  .$extends(eventTypeTimestampsExtension())
   .$extends(disallowUndefinedDeleteUpdateManyExtension()) as unknown as PrismaClient;
 
 // This prisma instance is meant to be used only for READ operations.

packages/prisma/migrations/20250919174231_add_event_type_timestamps/migration.sql

@@ -0,0 +1,3 @@
+-- AlterTable
+ALTER TABLE "EventType" ADD COLUMN     "createdAt" TIMESTAMP(3),
+ADD COLUMN     "updatedAt" TIMESTAMP(3);

packages/prisma/schema.prisma

@@ -244,6 +244,9 @@ model EventType {
 
   bookingRequiresAuthentication Boolean @default(false)
 
+  createdAt DateTime?
+  updatedAt DateTime? @updatedAt
+
   @@unique([userId, slug])
   @@unique([teamId, slug])
   @@unique([userId, parentId])
@@ -1747,7 +1750,7 @@ model BookingDenormalized {
 }
 
 view BookingTimeStatusDenormalized {
-  id             Int           @id @unique
+  id             Int           @unique
   uid            String
   eventTypeId    Int?
   title          String

packages/trpc/server/routers/viewer/teams/removeMember.handler.ts

@@ -1,121 +1,72 @@
-import { FeaturesRepository } from "@calcom/features/flags/features.repository";
-import { Resource, CustomAction } from "@calcom/features/pbac/domain/types/permission-registry";
-import { getSpecificPermissions } from "@calcom/features/pbac/lib/resource-permissions";
 import { checkRateLimitAndThrowError } from "@calcom/lib/checkRateLimitAndThrowError";
-import { isTeamOwner } from "@calcom/features/ee/teams/lib/queries";
-import { TeamService } from "@calcom/lib/server/service/teamService";
-import { prisma } from "@calcom/prisma";
-import { MembershipRole } from "@calcom/prisma/enums";
-import type { TrpcSessionUser } from "@calcom/trpc/server/types";
 
 import { TRPCError } from "@trpc/server";
 
 import type { TRemoveMemberInputSchema } from "./removeMember.schema";
+import { RemoveMemberServiceFactory } from "./removeMember/RemoveMemberServiceFactory";
 
 type RemoveMemberOptions = {
   ctx: {
-    user: NonNullable<TrpcSessionUser>;
-    sourceIp?: string;
+    user: {
+      id: number;
+      organization?: {
+        isOrgAdmin: boolean;
+      };
+    };
   };
   input: TRemoveMemberInputSchema;
 };
 
-export const removeMemberHandler = async ({ ctx, input }: RemoveMemberOptions) => {
+export const removeMemberHandler = async ({
+  ctx: {
+    user: { id: userId, organization },
+  },
+  input,
+}: RemoveMemberOptions) => {
   await checkRateLimitAndThrowError({
-    identifier: `removeMember.${ctx.user.id}`,
+    identifier: `removeMember.${userId}`,
   });
 
   const { memberIds, teamIds, isOrg } = input;
+  const isOrgAdmin = organization?.isOrgAdmin ?? false;
+
+  // Note: This assumes that all teams in the request have the same PBAC setting 9999% chance they do.
+  const primaryTeamId = teamIds[0];
+  if (!primaryTeamId) {
+    throw new TRPCError({
+      code: "BAD_REQUEST",
+      message: "At least one team ID must be provided",
+    });
+  }
 
-  // Check PBAC permissions for each team
-  const hasRemovePermission = await Promise.all(
-    teamIds.map(async (teamId) => {
-      // Get user's membership role in this team
-      const membership = await prisma.membership.findFirst({
-        where: {
-          userId: ctx.user.id,
-          teamId: teamId,
-        },
-        select: {
-          role: true,
-        },
-      });
-
-      if (!membership) return false;
-
-      // Check PBAC permissions for removing team members
-      const permissions = await getSpecificPermissions({
-        userId: ctx.user.id,
-        teamId: teamId,
-        resource: isOrg ? Resource.Organization : Resource.Team,
-        userRole: membership.role,
-        actions: [CustomAction.Remove],
-        fallbackRoles: {
-          [CustomAction.Remove]: {
-            roles: [MembershipRole.ADMIN, MembershipRole.OWNER],
-          },
-        },
-      });
-
-      return permissions[CustomAction.Remove];
-    })
-  ).then((results) => results.every((result) => result));
+  // Get the appropriate service based on feature flag
+  const service = await RemoveMemberServiceFactory.create(primaryTeamId);
 
-  // Check if user is trying to remove themselves (allowed for non-owners)
-  const isRemovingSelf = memberIds.length === 1 && memberIds[0] === ctx.user.id;
+  const { hasPermission } = await service.checkRemovePermissions({
+    userId,
+    isOrgAdmin,
+    memberIds,
+    teamIds,
+    isOrg,
+  });
 
-  // Allow if user has remove permission OR if they're removing themselves
-  if (!hasRemovePermission && !isRemovingSelf) {
+  if (!hasPermission) {
     throw new TRPCError({ code: "UNAUTHORIZED" });
   }
 
-  // TODO(SEAN): Remove this after PBAC is rolled out.
-  // Check if any team has PBAC enabled
-  const featuresRepository = new FeaturesRepository(prisma);
-  const pbacEnabledForTeams = await Promise.all(
-    teamIds.map(async (teamId) => await featuresRepository.checkIfTeamHasFeature(teamId, "pbac"))
+  await service.validateRemoval(
+    {
+      userId,
+      isOrgAdmin,
+      memberIds,
+      teamIds,
+      isOrg,
+    },
+    hasPermission
   );
-  const isAnyTeamPBACEnabled = pbacEnabledForTeams.some((enabled) => enabled);
-
-  // Only apply traditional owner-based logic if PBAC is not enabled for any teams
-  if (!isAnyTeamPBACEnabled) {
-    // Only a team owner can remove another team owner.
-    const isAnyMemberOwnerAndCurrentUserNotOwner = await Promise.all(
-      memberIds.map(async (memberId) => {
-        const isAnyTeamOwnerAndCurrentUserNotOwner = await Promise.all(
-          teamIds.map(async (teamId) => {
-            return (await isTeamOwner(memberId, teamId)) && !(await isTeamOwner(ctx.user.id, teamId));
-          })
-        ).then((results) => results.some((result) => result));
-
-        return isAnyTeamOwnerAndCurrentUserNotOwner;
-      })
-    ).then((results) => results.some((result) => result));
-
-    if (isAnyMemberOwnerAndCurrentUserNotOwner) {
-      throw new TRPCError({
-        code: "UNAUTHORIZED",
-        message: "Only a team owner can remove another team owner.",
-      });
-    }
-
-    // Check if user is trying to remove themselves from a team they own (prevent this)
-    if (isRemovingSelf && hasRemovePermission) {
-      // Additional check: ensure they're not an owner trying to remove themselves
-      const isOwnerOfAnyTeam = await Promise.all(
-        teamIds.map(async (teamId) => await isTeamOwner(ctx.user.id, teamId))
-      ).then((results) => results.some((result) => result));
-
-      if (isOwnerOfAnyTeam) {
-        throw new TRPCError({
-          code: "FORBIDDEN",
-          message: "You can not remove yourself from a team you own.",
-        });
-      }
-    }
-  }
 
-  await TeamService.removeMembers({ teamIds, userIds: memberIds, isOrg });
+  // Perform the removal
+  await service.removeMembers(memberIds, teamIds, isOrg);
 };
 
 export default removeMemberHandler;

packages/trpc/server/routers/viewer/teams/removeMember/BaseRemoveMemberService.ts

@@ -0,0 +1,21 @@
+import { TeamService } from "@calcom/lib/server/service/teamService";
+
+import type {
+  IRemoveMemberService,
+  RemoveMemberContext,
+  RemoveMemberPermissionResult,
+} from "./IRemoveMemberService";
+
+/**
+ * Base abstract class for remove member services
+ * Provides common functionality and defines abstract methods for specific implementations
+ */
+export abstract class BaseRemoveMemberService implements IRemoveMemberService {
+  abstract checkRemovePermissions(context: RemoveMemberContext): Promise<RemoveMemberPermissionResult>;
+
+  abstract validateRemoval(context: RemoveMemberContext, hasPermission: boolean): Promise<void>;
+
+  async removeMembers(memberIds: number[], teamIds: number[], isOrg: boolean): Promise<void> {
+    await TeamService.removeMembers({ teamIds, userIds: memberIds, isOrg });
+  }
+}

packages/trpc/server/routers/viewer/teams/removeMember/IRemoveMemberService.ts

@@ -0,0 +1,31 @@
+import type { MembershipRole } from "@calcom/prisma/enums";
+
+export interface RemoveMemberContext {
+  userId: number;
+  isOrgAdmin: boolean;
+  memberIds: number[];
+  teamIds: number[];
+  isOrg: boolean;
+}
+
+export interface RemoveMemberPermissionResult {
+  hasPermission: boolean;
+  userRoles?: Map<number, MembershipRole | null>;
+}
+
+export interface IRemoveMemberService {
+  /**
+   * Checks if the user has permission to remove members from teams
+   */
+  checkRemovePermissions(context: RemoveMemberContext): Promise<RemoveMemberPermissionResult>;
+
+  /**
+   * Validates that the removal can proceed (e.g., owner checks)
+   */
+  validateRemoval(context: RemoveMemberContext, hasPermission: boolean): Promise<void>;
+
+  /**
+   * Performs the actual removal of members from teams
+   */
+  removeMembers(memberIds: number[], teamIds: number[], isOrg: boolean): Promise<void>;
+}