feat: update recording, transcript endpoint and add tests #79
Cursor Bugbot has reviewed your changes and found 3 potential issues.
| }) | ||
| async getBookingRecordings(@Param("bookingUid") bookingUid: string): Promise<GetBookingRecordingsOutput> { | ||
| const recordings = await this.calVideoService.getRecordings(bookingUid); | ||
| const recordings = this.calVideoService.getRecordings(bookingUid); |
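Review bot: the assignment const recordings = this.calVideoService.getRecordings(bookingUid) has lost the await that the line above it still carries, while the handler remains async and is declared to return Promise<GetBookingRecordingsOutput>. Restore the await, and since this PR adds tests, add an assertion on the shape of the returned recordings so a dropped await fails the suite instead of reaching callers.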
Missing await causes Promise returned instead of recordings
High Severity
The await keyword was removed from the this.calVideoService.getRecordings(bookingUid) call, but getRecordings is an async method. Without await, the recordings variable holds a Promise instead of the resolved array, causing the API to return a Promise object in the response data field rather than the actual recordings.
| @Permissions([BOOKING_READ]) | ||
| @UseGuards(BookingUidGuard) | ||
| // @UseGuards(ApiAuthGuard, BookingUidGuard, BookingPbacGuard) | ||
| @UseGuards(BookingPbacGuard, ApiAuthGuard, BookingUidGuard) |
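Review bot: the active decorator @UseGuards(BookingPbacGuard, ApiAuthGuard, BookingUidGuard) lists the guards in a different order from the commented-out line directly above it, which reads ApiAuthGuard, BookingUidGuard, BookingPbacGuard. Put the authentication guard first so that the authorization guard runs against an already authenticated request, and add one test for an authenticated caller and one for an unauthenticated caller on the transcripts route so a later reordering is caught. If the commented-out decorator is staying in the file, delete it.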
Incorrect guard order causes unauthorized error on transcripts
High Severity
The UseGuards decorator for the transcripts endpoint has BookingPbacGuard listed before ApiAuthGuard, but BookingPbacGuard requires request.user which is set by ApiAuthGuard. This incorrect order causes the guard to always throw UnauthorizedException because the user isn't authenticated yet when BookingPbacGuard runs.
| @UseGuards(BookingUidGuard) | ||
| // @UseGuards(ApiAuthGuard, BookingUidGuard, BookingPbacGuard) | ||
| @Pbac(["booking.readRecordings"]) | ||
| @Permissions([BOOKING_WRITE]) |
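Review bot: @Permissions([BOOKING_WRITE]) sits directly under @Pbac(["booking.readRecordings"]), so the two decorators on this handler disagree about whether it is a read or a write. Use BOOKING_READ to match the PBAC permission name, or, if write scope is intended for recordings, state the reason in a comment next to the decorator. The commented-out @UseGuards line above it should be removed if it is staying in the file.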
Recordings endpoint incorrectly requires write permission for read
Medium Severity
The recordings GET endpoint was changed from BOOKING_READ to BOOKING_WRITE permission, but this is inconsistent with similar endpoints. The transcripts and conferencing-sessions GET endpoints both use BOOKING_READ, and all three share the same @Pbac(["booking.readRecordings"]) decorator indicating a read operation. Users with read-only access can view transcripts but are unexpectedly blocked from viewing recordings.
Benchmark PR from qodo-benchmark#692
Note
Strengthens access control and aligns response types for media-related booking endpoints.
GET /v2/bookings/:bookingUid/recordings now uses @Pbac(["booking.readRecordings"]), requires @Permissions([BOOKING_WRITE]), and guards ApiAuthGuard, BookingUidGuard, BookingPbacGuard; GET /:bookingUid/transcripts adds PBAC and is guarded by BookingPbacGuard, ApiAuthGuard, BookingUidGuard (keeps BOOKING_READ).
message field from GetBookingRecordingsOutput and GetBookingTranscriptsOutput.
getBookingRecordings no longer awaits calVideoService.getRecordings().
Written by Cursor Bugbot for commit d18708a.