fix: restrict forceConfirm flag to event owner or admin only

Author: sbsb

packages/features/bookings/lib/handleNewBooking/test/booking-flags.test.ts

@@ -15,7 +15,7 @@ import { expectBookingToBeInDatabase } from "@calcom/web/test/utils/bookingScena
 import { getMockRequestDataForBooking } from "@calcom/web/test/utils/bookingScenario/getMockRequestDataForBooking";
 import { setupAndTeardown } from "@calcom/web/test/utils/bookingScenario/setupAndTeardown";
 
-import { describe, expect, test } from "vitest";
+import { describe, expect, test, vi } from "vitest";
 
 import { BookingStatus } from "@calcom/prisma/enums";
 
@@ -465,6 +465,7 @@ describe("handleNewBooking - Booking Flags", () => {
 
       const createdBooking = await handleNewBooking({
         bookingData: mockBookingData,
+        userId: 101, // Owner
       });
 
       expect(createdBooking.responses).toEqual(
@@ -474,7 +475,7 @@ describe("handleNewBooking - Booking Flags", () => {
         })
       );
 
-      // Even though requiresConfirmation is true, forceConfirm=true should produce ACCEPTED
+      // Even though requiresConfirmation is true, forceConfirm=true from owner should produce ACCEPTED
       expect(createdBooking.status).toBe(BookingStatus.ACCEPTED);
 
       await expectBookingToBeInDatabase({
@@ -577,5 +578,66 @@ describe("handleNewBooking - Booking Flags", () => {
         status: BookingStatus.PENDING,
       });
     });
+
+    test("should NOT honor forceConfirm if caller is NOT owner/admin", async () => {
+      const handleNewBooking = getNewBookingHandler();
+      const booker = getBooker({
+        email: "booker@example.com",
+        name: "Booker",
+      });
+
+      const organizer = getOrganizer({
+        name: "Organizer",
+        email: "organizer@example.com",
+        id: 101,
+        schedules: [TestData.schedules.IstWorkHours],
+        credentials: [getGoogleCalendarCredential()],
+        selectedCalendars: [TestData.selectedCalendars.google],
+      });
+
+      const { dateString: plus1DateString } = getDate({ dateIncrement: 1 });
+
+      await createBookingScenario(
+        getScenarioData({
+          eventTypes: [
+            {
+              id: 1,
+              slotInterval: 45,
+              length: 45,
+              requiresConfirmation: true,
+              users: [{ id: 101 }],
+              userId: 101, // eventType owner
+            },
+          ],
+          organizer,
+        })
+      );
+
+      vi.spyOn(prismaMock.user, "findUnique").mockResolvedValueOnce({
+        id: 999,
+        role: "USER", // Not an admin
+      } as Awaited<ReturnType<typeof prismaMock.user.findUnique>>);
+
+      const mockBookingData = getMockRequestDataForBooking({
+        data: {
+          eventTypeId: 1,
+          responses: {
+            email: booker.email,
+            name: booker.name,
+          },
+          start: `${plus1DateString}T05:00:00.000Z`,
+          end: `${plus1DateString}T05:45:00.000Z`,
+          forceConfirm: true,
+        },
+      });
+
+      const createdBooking = await handleNewBooking({
+        bookingData: mockBookingData,
+        userId: 999, // Unauthorized caller
+      });
+
+      // forceConfirm should be ignored, status should be PENDING
+      expect(createdBooking.status).toBe(BookingStatus.PENDING);
+    });
   });
 });

packages/features/bookings/lib/service/RegularBookingService.ts

@@ -86,6 +86,7 @@ import {
   WebhookTriggerEvents,
   WorkflowTriggerEvents,
   CreationSource,
+  UserPermissionRole,
 } from "@calcom/prisma/enums";
 import { userMetadata as userMetadataSchema } from "@calcom/prisma/zod-utils";
 import type {
@@ -752,7 +753,17 @@ async function handler(
 
   // Allow callers to force-confirm a booking even when the event type requires confirmation.
   // When forceConfirm is true, the booking is created as ACCEPTED regardless of requiresConfirmation.
-  const isConfirmedByDefault = isConfirmedByDefaultFromFlags || !!forceConfirm;
+  // Security Fix: Only the event type owner or an admin can use the forceConfirm flag.
+  const isOwner = !!(userId && (eventType.userId === userId || eventType.users?.some((u) => u.id === userId)));
+  let callerIsOwnerOrAdmin = isOwner;
+  if (!callerIsOwnerOrAdmin && userId) {
+    const caller = await deps.prismaClient.user.findUnique({
+      where: { id: userId },
+      select: { role: true },
+    });
+    callerIsOwnerOrAdmin = caller?.role === UserPermissionRole.ADMIN;
+  }
+  const isConfirmedByDefault = isConfirmedByDefaultFromFlags || (!!forceConfirm && callerIsOwnerOrAdmin);
 
   // For unconfirmed bookings or round robin bookings with the same attendee and timeslot, return the original booking
   if (