Unintented access to all team bookings for a member of team via api ( update , cancel , e.t.c )

[Shaik-Sirajuddin]

Found a bug? Please fill out the sections below. 👍

Issue Summary

A member of team is able to gain access to team bookings ( update , cancel , e.t.c ) in case of round robin event type , even if the user is not present as round robin host

• A team has A , B , C as its members
• Event Type X has scheduling type set to round robin with A , B as hosts
• When a new user E books a meeting , one of A , B is assigned based on availabilty
• User C is not present in event type or booking in any form
• User C is able to cancel registered booking in above scenario via api

Actual Results

• User is able to cancel a team booking , irrespective of involvement in the specific booking

Expected Results

• User should only be able to cancel a team booking , if the user is present in the booking ( as a host , attendee e.t.c )

Evidence

Loom : Video

[Shaik-Sirajuddin]

In general admin of team would have access for all team bookings Currently api allows any user of team to have this privilege Unsure whether this is expected behaviour

[Amit91848]

In case User C is owner / admin of the team, it can delete / modify any bookings of that team irrespective of whether the user is in the booking or not. There is a PR open to allow admin / owner to cancel the booking via the app too

[CarinaWolli]

Can confirm that currently, members can access all team bookings. Members should only be able to access bookings they are part of