Skip to content

cancelBooking lacks transaction protection; no unique indexes on User or RoomBooking collections #246

Open
Open
cancelBooking lacks transaction protection; no unique indexes on User or RoomBooking collections#246
Labels
advancedComplex issues requiring experienced contributorsbugSomething isn't workingsecuritySecurity vulnerabilities
@amaydixit11

Description

@amaydixit11
amaydixit11
opened on Apr 5, 2026

Issue 1: cancelBooking lacks transaction protection

The bookRoom controller (line 396) correctly uses MongoDB transactions, but cancelBooking (line 654) does NOT:

exports.cancelBooking = async (req, res) => {
  const booking = await RoomBooking.findById(id);  // No session, no transaction
  booking.status = "Cancelled";
  await booking.save();  // No transaction
};

Two concurrent cancel requests could both read the booking, causing data inconsistency or double-processing.

Issue 2: No unique indexes on critical collections

The User model has no unique indexes on:

  • user_id (ID number) - duplicate students can be created
  • email - duplicate accounts with same email are possible

The RoomBooking model has no unique compound index on (room, date, startTime). While the app-level transaction in bookRoom prevents this under normal operation, direct database access or a bug could create duplicate bookings.

Fix

Add unique indexes to the schema:

userSchema.index({ user_id: 1 }, { unique: true, sparse: true });
userSchema.index({ email: 1 }, { unique: true });
roomBookingSchema.index({ room: 1, date: 1, startTime: 1, status: 1 }, { partialFilterExpression: { status: { $in: ["Pending", "Approved"] } } });

Wrap cancelBooking in a transaction similar to bookRoom.

Metadata

Metadata

Assignees

No one assigned

    Labels

    advancedComplex issues requiring experienced contributorsbugSomething isn't workingsecuritySecurity vulnerabilities

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions