fix: prevent bulk update of locked locations in child managed event types (#24978)

* fix: prevent bulk update of locked locations in child managed event types

- Filter out child managed event types with locked locations in getBulkUserEventTypes
- Add validation in bulkUpdateEventsToDefaultLocation to prevent updating locked fields
- Implements defense in depth with validation at multiple layers

Co-Authored-By: [email protected] <[email protected]>

* Abstract filtering logic

* test: add comprehensive tests for bulk location update filtering

- Add unit tests for filterEventTypesWhereLocationUpdateIsAllowed
- Add unit tests for bulkUpdateEventsToDefaultLocation
- Add integration tests for getBulkUserEventTypes
- Fix bug: change unlockedFields?.locations check from !== undefined to === true
  This ensures that locations: false is properly treated as locked, addressing
  the security issue identified in PR review comments

Co-Authored-By: [email protected] <[email protected]>

* fix: filter locked managed event types on app installation page

- Add parentId to eventTypeSelect in getEventTypes function
- Apply filterEventTypesWhereLocationUpdateIsAllowed to both team and user event types
- Only filter when isConferencing is true to avoid affecting other app types
- Fixes issue where locked managed event types were showing in the event type selection list on /apps/installation/event-types page

Co-Authored-By: [email protected] <[email protected]>

* fix(embed-react): remove obsolete availabilityLoaded event listener

The availabilityLoaded event does not exist in the EventDataMap type system
in embed-core. This code was causing 5 TypeScript errors in CI:
- Type 'availabilityLoaded' does not satisfy constraint 'keyof EventDataMap'
- 'data' is of type 'unknown' (2 occurrences)
- Type 'availabilityLoaded' is not assignable to action union (2 occurrences)

Since this is an example file and the event is not defined in the type system,
removing this obsolete code resolves the type errors.

Co-Authored-By: [email protected] <[email protected]>

* fix: correct Prisma type for metadata in test helper function

Co-Authored-By: [email protected] <[email protected]>

* fix: use flexible PrismaLike type for better test compatibility

Co-Authored-By: [email protected] <[email protected]>

* fix: properly type mock Prisma objects in test files

Co-Authored-By: [email protected] <[email protected]>

* fix: properly mock Prisma methods in test file

Co-Authored-By: [email protected] <[email protected]>

* Filter out metadata

* Undo change in embed file

* Address feedback

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

Author: joeauyeung

apps/web/lib/apps/installation/[[...step]]/getServerSideProps.ts

@@ -1,6 +1,7 @@
 import type { GetServerSidePropsContext } from "next";
 import { z } from "zod";
 
+import { filterEventTypesWhereLocationUpdateIsAllowed } from "@calcom/app-store/_utils/getBulkEventTypes";
 import { appStoreMetadata } from "@calcom/app-store/appStoreMetaData";
 import type { LocationObject } from "@calcom/app-store/locations";
 import { isConferencing as isConferencingApp } from "@calcom/app-store/utils";
@@ -73,7 +74,15 @@ const getAppBySlug = async (appSlug: string) => {
   return app;
 };
 
-const getEventTypes = async (userId: number, teamIds?: number[]) => {
+const getEventTypes = async ({
+  userId,
+  teamIds,
+  isConferencing = false,
+}: {
+  userId: number;
+  teamIds?: number[];
+  isConferencing?: boolean;
+}) => {
   const eventTypeSelect = {
     id: true,
     description: true,
@@ -96,6 +105,7 @@ const getEventTypes = async (userId: number, teamIds?: number[]) => {
     destinationCalendar: true,
     bookingFields: true,
     calVideoSettings: true,
+    parentId: true,
   } satisfies Prisma.EventTypeSelect;
 
   let eventTypeGroups: TEventTypeGroup[] | null = [];
@@ -119,22 +129,28 @@ const getEventTypes = async (userId: number, teamIds?: number[]) => {
         },
       },
     });
-    eventTypeGroups = teams.map((team) => ({
-      teamId: team.id,
-      slug: team.slug,
-      name: team.name,
-      isOrganisation: team.isOrganization,
-      image: getPlaceholderAvatar(team.logoUrl, team.name),
-      eventTypes: team.eventTypes
-        .map((item) => ({
-          ...item,
-          URL: `${CAL_URL}/${item.team ? `team/${item.team.slug}` : item?.users?.[0]?.username}/${item.slug}`,
-          selected: false,
-          locations: item.locations as unknown as LocationObject[],
-          bookingFields: eventTypeBookingFields.parse(item.bookingFields || []),
-        }))
-        .sort((eventTypeA, eventTypeB) => eventTypeB.position - eventTypeA.position),
-    }));
+    eventTypeGroups = teams.map((team) => {
+      const filteredEventTypes = isConferencing
+        ? filterEventTypesWhereLocationUpdateIsAllowed(team.eventTypes)
+        : team.eventTypes;
+
+      return {
+        teamId: team.id,
+        slug: team.slug,
+        name: team.name,
+        isOrganisation: team.isOrganization,
+        image: getPlaceholderAvatar(team.logoUrl, team.name),
+        eventTypes: filteredEventTypes
+          .map((item) => ({
+            ...item,
+            URL: `${CAL_URL}/${item.team ? `team/${item.team.slug}` : item?.users?.[0]?.username}/${item.slug}`,
+            selected: false,
+            locations: item.locations as unknown as LocationObject[],
+            bookingFields: eventTypeBookingFields.parse(item.bookingFields || []),
+          }))
+          .sort((eventTypeA, eventTypeB) => eventTypeB.position - eventTypeA.position),
+      };
+    });
   } else {
     const user = await prisma.user.findUnique({
       where: {
@@ -155,12 +171,16 @@ const getEventTypes = async (userId: number, teamIds?: number[]) => {
     });
 
     if (user) {
+      const filteredEventTypes = isConferencing
+        ? filterEventTypesWhereLocationUpdateIsAllowed(user.eventTypes)
+        : user.eventTypes;
+
       eventTypeGroups.push({
         userId: user.id,
         slug: user.username,
         name: user.name,
         image: getPlaceholderAvatar(user.avatarUrl, user.name),
-        eventTypes: user.eventTypes
+        eventTypes: filteredEventTypes
           .map((item) => ({
             ...item,
             URL: `${CAL_URL}/${item.team ? `team/${item.team.slug}` : item?.users?.[0]?.username}/${
@@ -208,7 +228,7 @@ export const getServerSideProps = async (context: GetServerSidePropsContext) =>
   const _ = stepsEnum.parse(parsedStepParam);
   const session = await getServerSession({ req });
   if (!session?.user?.id) return { redirect: { permanent: false, destination: "/auth/login" } };
-  const locale = await getLocale(context.req);
+  const _locale = await getLocale(context.req);
   const app = await getAppBySlug(parsedAppSlug);
   if (!app) return { redirect: { permanent: false, destination: "/apps" } };
   const appMetadata = appStoreMetadata[app.dirName as keyof typeof appStoreMetadata];
@@ -246,11 +266,11 @@ export const getServerSideProps = async (context: GetServerSidePropsContext) =>
     }
     if (isOrg) {
       const teamIds = userTeams.map((item) => item.id);
-      eventTypeGroups = await getEventTypes(user.id, teamIds);
+      eventTypeGroups = await getEventTypes({ userId: user.id, teamIds, isConferencing });
     } else if (parsedTeamIdParam) {
-      eventTypeGroups = await getEventTypes(user.id, [parsedTeamIdParam]);
+      eventTypeGroups = await getEventTypes({ userId: user.id, teamIds: [parsedTeamIdParam], isConferencing });
     } else {
-      eventTypeGroups = await getEventTypes(user.id);
+      eventTypeGroups = await getEventTypes({ userId: user.id, isConferencing });
     }
     if (isConferencing && eventTypeGroups) {
       const destinationCalendar = await prisma.destinationCalendar.findFirst({