fix: align reassignment query handlers with existing access check pattern (calcom#28876)

Author: pedroccastro

packages/trpc/server/routers/viewer/teams/managedEvents/getManagedEventUsersToReassign.handler.ts

@@ -4,6 +4,7 @@ import { ensureAvailableUsers } from "@calcom/features/bookings/lib/handleNewBoo
 import { getEventTypesFromDB } from "@calcom/features/bookings/lib/handleNewBooking/getEventTypesFromDB";
 import type { IsFixedAwareUser } from "@calcom/features/bookings/lib/handleNewBooking/types";
 import { BookingRepository } from "@calcom/features/bookings/repositories/BookingRepository";
+import { getBookingAccessService } from "@calcom/features/di/containers/BookingAccessService";
 import { EventTypeRepository } from "@calcom/features/eventtypes/repositories/eventTypeRepository";
 import { withSelectedCalendars } from "@calcom/features/users/repositories/UserRepository";
 import { ErrorCode } from "@calcom/lib/errorCodes";
@@ -12,6 +13,8 @@ import type { PrismaClient } from "@calcom/prisma";
 
 import type { TrpcSessionUser } from "@calcom/trpc/server/types";
 
+import { TRPCError } from "@trpc/server";
+
 import type { TGetManagedEventUsersToReassignInputSchema } from "./getManagedEventUsersToReassign.schema";
 
 type GetManagedEventUsersToReassignOptions = {
@@ -74,6 +77,16 @@ export const getManagedEventUsersToReassign = async ({
     prefix: ["gettingManagedEventUsersToReassign", `${bookingId}`],
   });
 
+  const bookingAccessService = getBookingAccessService();
+  const isAllowed = await bookingAccessService.doesUserIdHaveAccessToBooking({
+    userId: user.id,
+    bookingId,
+  });
+
+  if (!isAllowed) {
+    throw new TRPCError({ code: "FORBIDDEN", message: "You do not have permission" });
+  }
+
   const bookingRepository = new BookingRepository(prisma);
   const eventTypeRepository = new EventTypeRepository(prisma);
 

packages/trpc/server/routers/viewer/teams/roundRobin/getRoundRobinHostsToReasign.handler.ts

@@ -2,6 +2,7 @@ import { enrichUsersWithDelegationCredentials } from "@calcom/app-store/delegati
 import dayjs from "@calcom/dayjs";
 import { ensureAvailableUsers } from "@calcom/features/bookings/lib/handleNewBooking/ensureAvailableUsers";
 import type { IsFixedAwareUser } from "@calcom/features/bookings/lib/handleNewBooking/types";
+import { getBookingAccessService } from "@calcom/features/di/containers/BookingAccessService";
 import { withSelectedCalendars } from "@calcom/features/users/repositories/UserRepository";
 import { ErrorCode } from "@calcom/lib/errorCodes";
 import logger from "@calcom/lib/logger";
@@ -10,6 +11,8 @@ import { userSelect } from "@calcom/prisma";
 import { credentialForCalendarServiceSelect } from "@calcom/prisma/selects/credential";
 import type { TrpcSessionUser } from "@calcom/trpc/server/types";
 
+import { TRPCError } from "@trpc/server";
+
 import type { TGetRoundRobinHostsToReassignInputSchema } from "./getRoundRobinHostsToReasign.schema";
 
 type GetRoundRobinHostsToReassignOptions = {
@@ -111,6 +114,16 @@ export const getRoundRobinHostsToReassign = async ({ ctx, input }: GetRoundRobin
     prefix: ["gettingRoundRobinHostsToReassign", `${bookingId}`],
   });
 
+  const bookingAccessService = getBookingAccessService();
+  const isAllowed = await bookingAccessService.doesUserIdHaveAccessToBooking({
+    userId: user.id,
+    bookingId,
+  });
+
+  if (!isAllowed) {
+    throw new TRPCError({ code: "FORBIDDEN", message: "You do not have permission" });
+  }
+
   const booking = await prisma.booking.findUniqueOrThrow({
     where: { id: bookingId },
     select: {