From 3f25e4917b832322134dade3bddc20ea4bad25ca Mon Sep 17 00:00:00 2001 From: Codemod Bot Date: Mon, 22 Jun 2026 19:47:37 +0000 Subject: [PATCH] Enforce PermissionsGuard on @Permissions targets --- .../controllers/atoms.schedules.controller.ts | 13 ++++++----- .../controllers/bookings.controller.ts | 4 ++-- .../booking-attendees.controller.ts | 8 +++---- .../controllers/booking-guests.controller.ts | 2 +- .../booking-location.controller.ts | 2 +- .../controllers/bookings.controller.ts | 22 +++++++++---------- .../event-types-private-links.controller.ts | 8 +++---- .../controllers/event-types.controller.ts | 10 ++++----- .../controllers/event-types.controller.ts | 8 +++---- 9 files changed, 39 insertions(+), 38 deletions(-) diff --git a/apps/api/v2/src/modules/atoms/controllers/atoms.schedules.controller.ts b/apps/api/v2/src/modules/atoms/controllers/atoms.schedules.controller.ts index dedeaad05cb5b8..56cd7f158f6755 100644 --- a/apps/api/v2/src/modules/atoms/controllers/atoms.schedules.controller.ts +++ b/apps/api/v2/src/modules/atoms/controllers/atoms.schedules.controller.ts @@ -36,6 +36,7 @@ import { FindDetailedScheduleByIdReturnType } from "@calcom/platform-libraries/s import { ApiResponse, UpdateAtomScheduleDto } from "@calcom/platform-types"; import { SchedulesAtomsService } from "../services/schedules-atom.service"; +import { PermissionsGuard } from "@/modules/auth/guards/permissions/permissions.guard"; /* Endpoints used only by platform atoms, reusing code from other modules, data is already formatted and ready to be used by frontend atoms @@ -53,7 +54,7 @@ export class AtomsSchedulesController { @Get("/schedules") @Version(VERSION_NEUTRAL) - @UseGuards(ApiAuthGuard) + @UseGuards(ApiAuthGuard, PermissionsGuard) @Permissions([SCHEDULE_READ]) async getSchedule( @GetUser() user: UserWithProfile, 
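Review bot: No test in this patch covers the new rejection path on `GET /schedules`; the diffstat lists only the nine controller files, so nothing asserts that a credential lacking `SCHEDULE_READ` is refused while one holding it still succeeds. If `@Permissions([SCHEDULE_READ])` was not enforced on this route before `PermissionsGuard` was bound, which the commit title suggests, atoms clients issued without that scope will start failing once this ships. An e2e case per scope (one read route, one write route) in this controller would pin both outcomes. The same gap applies to the other five `AtomsSchedulesController` hunks, and `getSchedule`'s body lies outside this hunk.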
@@ -75,7 +76,7 @@ export class AtomsSchedulesController { @Get("/schedules/event-type/:eventSlug") @Version(VERSION_NEUTRAL) - @UseGuards(ApiAuthGuard) + @UseGuards(ApiAuthGuard, PermissionsGuard) @Permissions([SCHEDULE_READ]) async getScheduleByEventSlug( @GetUser() user: UserWithProfile, @@ -90,7 +91,7 @@ export class AtomsSchedulesController { @Get("/schedules/all") @Version(VERSION_NEUTRAL) - @UseGuards(ApiAuthGuard) + @UseGuards(ApiAuthGuard, PermissionsGuard) @Permissions([SCHEDULE_READ]) async getAllUserSchedules( @GetUser() user: UserWithProfile @@ -105,7 +106,7 @@ export class AtomsSchedulesController { @Patch("schedules/:scheduleId") @Permissions([SCHEDULE_WRITE]) - @UseGuards(ApiAuthGuard) + @UseGuards(ApiAuthGuard, PermissionsGuard) @ApiOperation({ summary: "Update atom schedule" }) async updateSchedule( @GetUser() user: UserWithProfile, @@ -126,7 +127,7 @@ export class AtomsSchedulesController { @Post("schedules/create") @Permissions([SCHEDULE_WRITE]) - @UseGuards(ApiAuthGuard) + @UseGuards(ApiAuthGuard, PermissionsGuard) @ApiOperation({ summary: "Create atom schedule" }) async createSchedule( @GetUser() user: UserWithProfile, @@ -142,7 +143,7 @@ export class AtomsSchedulesController { @Post("schedules/:scheduleId/duplicate") @Permissions([SCHEDULE_WRITE]) - @UseGuards(ApiAuthGuard) + @UseGuards(ApiAuthGuard, PermissionsGuard) @ApiOperation({ summary: "Duplicate existing schedule" }) async duplicateExistingSchedule( @GetUser() user: UserWithProfile, diff --git a/apps/api/v2/src/platform/bookings/2024-04-15/controllers/bookings.controller.ts b/apps/api/v2/src/platform/bookings/2024-04-15/controllers/bookings.controller.ts index 85791f56650147..7162e54719a592 100644 --- a/apps/api/v2/src/platform/bookings/2024-04-15/controllers/bookings.controller.ts +++ b/apps/api/v2/src/platform/bookings/2024-04-15/controllers/bookings.controller.ts 
@@ -127,7 +127,7 @@ export class BookingsController_2024_04_15 { ) {} @Get("/") - @UseGuards(ApiAuthGuard) + @UseGuards(ApiAuthGuard, PermissionsGuard) @Permissions([BOOKING_READ]) @ApiQuery({ name: "filters[status]", enum: Status_2024_04_15, required: true }) @ApiQuery({ name: "limit", type: "number", required: false }) @@ -289,7 +289,7 @@ export class BookingsController_2024_04_15 { @Post("/:bookingUid/mark-no-show") @Permissions([BOOKING_WRITE]) - @UseGuards(ApiAuthGuard) + @UseGuards(ApiAuthGuard, PermissionsGuard) async markNoShow( @GetUser() user: UserWithProfile, @Body() body: MarkNoShowInput_2024_04_15, diff --git a/apps/api/v2/src/platform/bookings/2024-08-13/controllers/booking-attendees.controller.ts b/apps/api/v2/src/platform/bookings/2024-08-13/controllers/booking-attendees.controller.ts index 330dca553f4789..5ce32401175386 100644 --- a/apps/api/v2/src/platform/bookings/2024-08-13/controllers/booking-attendees.controller.ts +++ b/apps/api/v2/src/platform/bookings/2024-08-13/controllers/booking-attendees.controller.ts @@ -48,7 +48,7 @@ export class BookingAttendeesController_2024_08_13 { @Get("/") @Permissions([BOOKING_READ]) - @UseGuards(ApiAuthGuard, BookingUidGuard, BookingPbacGuard) + @UseGuards(ApiAuthGuard, BookingUidGuard, BookingPbacGuard, PermissionsGuard) @ApiHeader(API_KEY_OR_ACCESS_TOKEN_HEADER) @ApiOperation({ summary: "Get all attendees for a booking", @@ -71,7 +71,7 @@ export class BookingAttendeesController_2024_08_13 { @Get("/:attendeeId") @Permissions([BOOKING_READ]) - @UseGuards(ApiAuthGuard, BookingUidGuard, BookingPbacGuard) + @UseGuards(ApiAuthGuard, BookingUidGuard, BookingPbacGuard, PermissionsGuard) @ApiHeader(API_KEY_OR_ACCESS_TOKEN_HEADER) @ApiOperation({ summary: "Get a specific attendee for a booking", 
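Review bot: `PermissionsGuard` is referenced in `@UseGuards(ApiAuthGuard, PermissionsGuard)` on `GET /` of `BookingsController_2024_04_15`, but this file's section has no hunk that imports it; the only import the patch adds is in `atoms.schedules.controller.ts`. If the file does not already import the guard the build breaks, so it needs `import { PermissionsGuard } from "@/modules/auth/guards/permissions/permissions.guard";`. If it is already imported because the guard is bound at class level, the method-level entry is redundant and the scope check would run twice. The same needs confirming for the seven controllers that follow, none of which gain an import line.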
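Review bot: `PermissionsGuard` is appended after `BookingUidGuard` and `BookingPbacGuard` on `GET /` of `BookingAttendeesController_2024_08_13`, and Nest runs guards in the order they are listed, so the booking lookup and the PBAC evaluation happen before the credential's scope is checked. Assuming those guards reject on their own (their names suggest it, the hunk does not show it), a credential without `BOOKING_READ` gets a resource-dependent answer and costs a lookup before it is turned away. Putting the scope check directly after authentication avoids both: `@UseGuards(ApiAuthGuard, PermissionsGuard, BookingUidGuard, BookingPbacGuard)`. The same ordering appears in every later hunk that lists `BookingUidGuard`, `BookingPbacGuard` or `EventTypeOwnershipGuard`.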
@@ -95,7 +95,7 @@ export class BookingAttendeesController_2024_08_13 { @Post("/") @HttpCode(HttpStatus.CREATED) @Permissions([BOOKING_WRITE]) - @UseGuards(ApiAuthGuard, BookingUidGuard, BookingPbacGuard) + @UseGuards(ApiAuthGuard, BookingUidGuard, BookingPbacGuard, PermissionsGuard) @Throttle({ limit: 5, ttl: 60000, @@ -134,7 +134,7 @@ export class BookingAttendeesController_2024_08_13 { @Delete("/:attendeeId") @HttpCode(HttpStatus.OK) @Permissions([BOOKING_WRITE]) - @UseGuards(ApiAuthGuard, BookingUidGuard) + @UseGuards(ApiAuthGuard, BookingUidGuard, PermissionsGuard) @Throttle({ limit: 5, ttl: 60000, diff --git a/apps/api/v2/src/platform/bookings/2024-08-13/controllers/booking-guests.controller.ts b/apps/api/v2/src/platform/bookings/2024-08-13/controllers/booking-guests.controller.ts index 9487602fe9f32e..bf8f43de439d05 100644 --- a/apps/api/v2/src/platform/bookings/2024-08-13/controllers/booking-guests.controller.ts +++ b/apps/api/v2/src/platform/bookings/2024-08-13/controllers/booking-guests.controller.ts @@ -35,7 +35,7 @@ export class BookingGuestsController_2024_08_13 { @Post("/") @HttpCode(HttpStatus.OK) @Permissions([BOOKING_WRITE]) - @UseGuards(ApiAuthGuard, BookingUidGuard) + @UseGuards(ApiAuthGuard, BookingUidGuard, PermissionsGuard) @Throttle({ limit: 5, ttl: 60000, diff --git a/apps/api/v2/src/platform/bookings/2024-08-13/controllers/booking-location.controller.ts b/apps/api/v2/src/platform/bookings/2024-08-13/controllers/booking-location.controller.ts index 8af6264c3d803d..2e0f34fe6ca760 100644 --- a/apps/api/v2/src/platform/bookings/2024-08-13/controllers/booking-location.controller.ts +++ b/apps/api/v2/src/platform/bookings/2024-08-13/controllers/booking-location.controller.ts 
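Review bot: The `DELETE /:attendeeId` guard list still omits `BookingPbacGuard`, which the `GET` and `POST` routes of this controller carry, so as far as the decorators show, removing an attendee passes fewer checks than listing them. The handler body is outside the hunk and may authorise the caller itself; if so, a short comment above `@UseGuards` saying where that happens would settle it, otherwise use `@UseGuards(ApiAuthGuard, PermissionsGuard, BookingUidGuard, BookingPbacGuard)`. The `POST /` hunk in `booking-guests.controller.ts`, the hunk in `booking-location.controller.ts` and the mark-absent, reassign, confirm and decline hunks in `bookings.controller.ts` carry the same `ApiAuthGuard, BookingUidGuard` list and deserve the same look.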
@@ -49,7 +49,7 @@ export class BookingLocationController_2024_08_13 { @HttpCode(HttpStatus.OK) @Throttle({ name: "booking_location_update", limit: 5, ttl: 60000, blockDuration: 60000 }) @Permissions([BOOKING_WRITE]) - @UseGuards(ApiAuthGuard, BookingUidGuard) + @UseGuards(ApiAuthGuard, BookingUidGuard, PermissionsGuard) @ApiHeader(API_KEY_OR_ACCESS_TOKEN_HEADER) @ApiOperation({ summary: "Update booking location for an existing booking", diff --git a/apps/api/v2/src/platform/bookings/2024-08-13/controllers/bookings.controller.ts b/apps/api/v2/src/platform/bookings/2024-08-13/controllers/bookings.controller.ts index 97874eeb42a14b..03ca5721a114c4 100644 --- a/apps/api/v2/src/platform/bookings/2024-08-13/controllers/bookings.controller.ts +++ b/apps/api/v2/src/platform/bookings/2024-08-13/controllers/bookings.controller.ts @@ -223,7 +223,7 @@ export class BookingsController_2024_08_13 { @Get("/:bookingUid/recordings") @Pbac(["booking.readRecordings"]) @Permissions([BOOKING_READ]) - @UseGuards(ApiAuthGuard, BookingUidGuard, BookingPbacGuard) + @UseGuards(ApiAuthGuard, BookingUidGuard, BookingPbacGuard, PermissionsGuard) @ApiHeader(API_KEY_OR_ACCESS_TOKEN_HEADER) @ApiOperation({ summary: "Get all the recordings for the booking", @@ -244,7 +244,7 @@ export class BookingsController_2024_08_13 { @Get("/:bookingUid/transcripts") @Pbac(["booking.readRecordings"]) @Permissions([BOOKING_READ]) - @UseGuards(ApiAuthGuard, BookingUidGuard, BookingPbacGuard) + @UseGuards(ApiAuthGuard, BookingUidGuard, BookingPbacGuard, PermissionsGuard) @ApiHeader(API_KEY_OR_ACCESS_TOKEN_HEADER) @ApiOperation({ summary: "Get Cal Video real time transcript download links for the booking", @@ -267,7 +267,7 @@ export class BookingsController_2024_08_13 { } @Get("/") - @UseGuards(ApiAuthGuard) + @UseGuards(ApiAuthGuard, PermissionsGuard) @ApiHeader(API_KEY_OR_ACCESS_TOKEN_HEADER) @Permissions([BOOKING_READ]) @ApiOperation({ 
@@ -390,7 +390,7 @@ export class BookingsController_2024_08_13 { @Post("/:bookingUid/mark-absent") @HttpCode(HttpStatus.OK) @Permissions([BOOKING_WRITE]) - @UseGuards(ApiAuthGuard, BookingUidGuard) + @UseGuards(ApiAuthGuard, BookingUidGuard, PermissionsGuard) @ApiHeader(API_KEY_OR_ACCESS_TOKEN_HEADER) @ApiOperation({ summary: "Mark a booking absence", @@ -415,7 +415,7 @@ export class BookingsController_2024_08_13 { @Post("/:bookingUid/reassign") @HttpCode(HttpStatus.OK) @Permissions([BOOKING_WRITE]) - @UseGuards(ApiAuthGuard, BookingUidGuard) + @UseGuards(ApiAuthGuard, BookingUidGuard, PermissionsGuard) @ApiHeader(API_KEY_OR_ACCESS_TOKEN_HEADER) @ApiOperation({ summary: "Reassign a booking to auto-selected host", @@ -439,7 +439,7 @@ export class BookingsController_2024_08_13 { @Post("/:bookingUid/reassign/:userId") @HttpCode(HttpStatus.OK) @Permissions([BOOKING_WRITE]) - @UseGuards(ApiAuthGuard, BookingUidGuard) + @UseGuards(ApiAuthGuard, BookingUidGuard, PermissionsGuard) @ApiHeader(API_KEY_OR_ACCESS_TOKEN_HEADER) @ApiOperation({ summary: "Reassign a booking to a specific host", @@ -470,7 +470,7 @@ export class BookingsController_2024_08_13 { @Post("/:bookingUid/confirm") @HttpCode(HttpStatus.OK) @Permissions([BOOKING_WRITE]) - @UseGuards(ApiAuthGuard, BookingUidGuard) + @UseGuards(ApiAuthGuard, BookingUidGuard, PermissionsGuard) @ApiHeader(API_KEY_OR_ACCESS_TOKEN_HEADER) @ApiOperation({ summary: "Confirm a booking", @@ -494,7 +494,7 @@ export class BookingsController_2024_08_13 { @Post("/:bookingUid/decline") @HttpCode(HttpStatus.OK) @Permissions([BOOKING_WRITE]) - @UseGuards(ApiAuthGuard, BookingUidGuard) + @UseGuards(ApiAuthGuard, BookingUidGuard, PermissionsGuard) @ApiHeader(API_KEY_OR_ACCESS_TOKEN_HEADER) @ApiOperation({ summary: "Decline a booking", 
@@ -517,7 +517,7 @@ export class BookingsController_2024_08_13 { } @Get("/:bookingUid/calendar-links") - @UseGuards(ApiAuthGuard, BookingUidGuard) + @UseGuards(ApiAuthGuard, BookingUidGuard, PermissionsGuard) @Permissions([BOOKING_READ]) @ApiHeader(API_KEY_OR_ACCESS_TOKEN_HEADER) @ApiOperation({ @@ -538,7 +538,7 @@ export class BookingsController_2024_08_13 { } @Get("/:bookingUid/references") - @UseGuards(ApiAuthGuard, BookingUidGuard) + @UseGuards(ApiAuthGuard, BookingUidGuard, PermissionsGuard) @Permissions([BOOKING_READ]) @ApiHeader(API_KEY_OR_ACCESS_TOKEN_HEADER) @ApiOperation({ @@ -567,7 +567,7 @@ export class BookingsController_2024_08_13 { @HttpCode(HttpStatus.OK) @Pbac(["booking.readRecordings"]) @Permissions([BOOKING_READ]) - @UseGuards(ApiAuthGuard, BookingUidGuard, BookingPbacGuard) + @UseGuards(ApiAuthGuard, BookingUidGuard, BookingPbacGuard, PermissionsGuard) @ApiHeader(API_KEY_OR_ACCESS_TOKEN_HEADER) @ApiOperation({ summary: "Get Video Meeting Sessions. Only supported for Cal Video", diff --git a/apps/api/v2/src/platform/event-types-private-links/controllers/event-types-private-links.controller.ts b/apps/api/v2/src/platform/event-types-private-links/controllers/event-types-private-links.controller.ts index 91afc934ab0618..232eee22923fdb 100644 --- a/apps/api/v2/src/platform/event-types-private-links/controllers/event-types-private-links.controller.ts +++ b/apps/api/v2/src/platform/event-types-private-links/controllers/event-types-private-links.controller.ts @@ -29,7 +29,7 @@ export class EventTypesPrivateLinksController { @Post("/") @Permissions([EVENT_TYPE_WRITE]) - @UseGuards(ApiAuthGuard, EventTypeOwnershipGuard) + @UseGuards(ApiAuthGuard, EventTypeOwnershipGuard, PermissionsGuard) @ApiHeader(API_KEY_OR_ACCESS_TOKEN_HEADER) @ApiOperation({ summary: "Create a private link for an event type" }) async createPrivateLink( 
@@ -47,7 +47,7 @@ export class EventTypesPrivateLinksController { @Get("/") @Permissions([EVENT_TYPE_READ]) - @UseGuards(ApiAuthGuard, EventTypeOwnershipGuard) + @UseGuards(ApiAuthGuard, EventTypeOwnershipGuard, PermissionsGuard) @ApiHeader(API_KEY_OR_ACCESS_TOKEN_HEADER) @ApiOperation({ summary: "Get all private links for an event type" }) async getPrivateLinks( @@ -63,7 +63,7 @@ export class EventTypesPrivateLinksController { @Patch("/:linkId") @Permissions([EVENT_TYPE_WRITE]) - @UseGuards(ApiAuthGuard, EventTypeOwnershipGuard) + @UseGuards(ApiAuthGuard, EventTypeOwnershipGuard, PermissionsGuard) @ApiHeader(API_KEY_OR_ACCESS_TOKEN_HEADER) @ApiOperation({ summary: "Update a private link for an event type" }) async updatePrivateLink( @@ -82,7 +82,7 @@ export class EventTypesPrivateLinksController { @Delete("/:linkId") @Permissions([EVENT_TYPE_WRITE]) - @UseGuards(ApiAuthGuard, EventTypeOwnershipGuard) + @UseGuards(ApiAuthGuard, EventTypeOwnershipGuard, PermissionsGuard) @ApiHeader(API_KEY_OR_ACCESS_TOKEN_HEADER) @ApiOperation({ summary: "Delete a private link for an event type" }) async deletePrivateLink( diff --git a/apps/api/v2/src/platform/event-types/event-types_2024_04_15/controllers/event-types.controller.ts b/apps/api/v2/src/platform/event-types/event-types_2024_04_15/controllers/event-types.controller.ts index 0e543cdfcab757..a2868d0e3e164f 100644 --- a/apps/api/v2/src/platform/event-types/event-types_2024_04_15/controllers/event-types.controller.ts +++ b/apps/api/v2/src/platform/event-types/event-types_2024_04_15/controllers/event-types.controller.ts @@ -66,7 +66,7 @@ export class EventTypesController_2024_04_15 { @Post("/") @Permissions([EVENT_TYPE_WRITE]) - @UseGuards(ApiAuthGuard) + @UseGuards(ApiAuthGuard, PermissionsGuard) async createEventType( @Body() body: CreateEventTypeInput_2024_04_15, @GetUser() user: UserWithProfile 
@@ -81,7 +81,7 @@ export class EventTypesController_2024_04_15 { @Get("/:eventTypeId") @Permissions([EVENT_TYPE_READ]) - @UseGuards(ApiAuthGuard) + @UseGuards(ApiAuthGuard, PermissionsGuard) async getEventType( @Param("eventTypeId", ParseIntPipe) eventTypeId: number, @GetUser() user: UserWithProfile @@ -100,7 +100,7 @@ export class EventTypesController_2024_04_15 { @Get("/") @Permissions([EVENT_TYPE_READ]) - @UseGuards(ApiAuthGuard) + @UseGuards(ApiAuthGuard, PermissionsGuard) async getEventTypes(@GetUser() user: UserWithProfile): Promise { const eventTypes = await getEventTypesByViewer({ id: user.id, @@ -169,7 +169,7 @@ export class EventTypesController_2024_04_15 { @Patch("/:eventTypeId") @Permissions([EVENT_TYPE_WRITE]) - @UseGuards(ApiAuthGuard) + @UseGuards(ApiAuthGuard, PermissionsGuard) @HttpCode(HttpStatus.OK) async updateEventType( @Param() params: EventTypeIdParams_2024_04_15, @@ -187,7 +187,7 @@ export class EventTypesController_2024_04_15 { @Delete("/:eventTypeId") @Permissions([EVENT_TYPE_WRITE]) - @UseGuards(ApiAuthGuard) + @UseGuards(ApiAuthGuard, PermissionsGuard) async deleteEventType( @Param() params: EventTypeIdParams_2024_04_15, @Param("eventTypeId", ParseIntPipe) eventTypeId: number, diff --git a/apps/api/v2/src/platform/event-types/event-types_2024_06_14/controllers/event-types.controller.ts b/apps/api/v2/src/platform/event-types/event-types_2024_06_14/controllers/event-types.controller.ts index c075c46feada3e..ab6ffa4b2462a1 100644 --- a/apps/api/v2/src/platform/event-types/event-types_2024_06_14/controllers/event-types.controller.ts +++ b/apps/api/v2/src/platform/event-types/event-types_2024_06_14/controllers/event-types.controller.ts @@ -82,7 +82,7 @@ export class EventTypesController_2024_06_14 { @Post("/") @Permissions([EVENT_TYPE_WRITE]) - @UseGuards(ApiAuthGuard) + @UseGuards(ApiAuthGuard, PermissionsGuard) @ApiHeader(API_KEY_OR_ACCESS_TOKEN_HEADER) @ApiOperation({ summary: "Create an event type", 
@@ -107,7 +107,7 @@ export class EventTypesController_2024_06_14 { @Get("/:eventTypeId") @Permissions([EVENT_TYPE_READ]) - @UseGuards(ApiAuthGuard) + @UseGuards(ApiAuthGuard, PermissionsGuard) @ApiHeader(API_KEY_OR_ACCESS_TOKEN_HEADER) @ApiOperation({ summary: "Get an event type", @@ -180,7 +180,7 @@ export class EventTypesController_2024_06_14 { @Patch("/:eventTypeId") @Permissions([EVENT_TYPE_WRITE]) - @UseGuards(ApiAuthGuard) + @UseGuards(ApiAuthGuard, PermissionsGuard) @ApiHeader(API_KEY_OR_ACCESS_TOKEN_HEADER) @HttpCode(HttpStatus.OK) @ApiOperation({ @@ -208,7 +208,7 @@ export class EventTypesController_2024_06_14 { @Delete("/:eventTypeId") @Permissions([EVENT_TYPE_WRITE]) - @UseGuards(ApiAuthGuard) + @UseGuards(ApiAuthGuard, PermissionsGuard) @ApiHeader(API_KEY_OR_ACCESS_TOKEN_HEADER) @ApiOperation({ summary: "Delete an event type",