Skip to content

cancelBooking lacks transaction protection; no unique indexes on User or RoomBooking collections #246

Open
Open
cancelBooking lacks transaction protection; no unique indexes on User or RoomBooking collections#246
Labels
advancedComplex issues requiring experienced contributorsbugSomething isn't workingsecuritySecurity vulnerabilities
@amaydixit11

Description

@amaydixit11
amaydixit11
opened on Apr 5, 2026

Issue 1: cancelBooking lacks transaction protection

The bookRoom controller (line 396) correctly uses MongoDB transactions, but cancelBooking (line 654) does NOT:

exports.cancelBooking = async (req, res) => {
  const booking = await RoomBooking.findById(id);  // No session, no transaction
  booking.status = "Cancelled";
  await booking.save();  // No transaction
};

Two concurrent cancel requests could both read the booking, causing data inconsistency or double-processing.

Issue 2: No unique indexes on critical collections

The User model has no unique indexes on:

  • user_id (ID number) - duplicate students can be created
  • email - duplicate accounts with same email are possible

The RoomBooking model has no unique compound index on (room, date, startTime). While the app-level transaction in bookRoom prevents this under normal operation, direct database access or a bug could create duplicate bookings.

Fix

Add unique indexes to the schema:

userSchema.index({ user_id: 1 }, { unique: true, sparse: true });
userSchema.index({ email: 1 }, { unique: true });
roomBookingSchema.index({ room: 1, date: 1, startTime: 1, status: 1 }, { partialFilterExpression: { status: { $in: ["Pending", "Approved"] } } });

Wrap cancelBooking in a transaction similar to bookRoom.

Metadata

Metadata

Assignees

No one assigned

    Labels

    advancedComplex issues requiring experienced contributorsbugSomething isn't workingsecuritySecurity vulnerabilities

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions