changed schema and build accept req controller #174
KashishShakya wants to merge 2 commits into swciitg:dev from
Conversation
CodeAnt AI is reviewing your PR. Thanks for using CodeAnt! 🎉
Nitpicks 🔍
| @@ -1,4 +1,4 @@ | |||
| import { TravelPostModel, TravelChatModel, ReplyPostModel } from "../models/campusTravelModel.js"; | |||
| import { TravelPostModel, TravelChatModel, ReplyPostModel, TravelBookingModel } from "../models/campusTravelModel.js"; | |||
| import { sendEmail } from 'nodejs-nodemailer-outlook'; | |||
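Review bot: the `TravelBookingModel` name added to this import has no matching named export; in `models/campusTravelModel.js` the model is declared with a bare `const` (see the suggestion on line 50 of that file below), so under ES modules this import line fails at load time with `SyntaxError: The requested module '../models/campusTravelModel.js' does not provide an export named 'TravelBookingModel'`, before the missing `import mongoose from "mongoose";` is ever reached. Land the `export` and the mongoose import in the same commit so the controller module can load at all.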
Suggestion: The controller uses mongoose.startSession() but never imports mongoose, which will cause a ReferenceError when the accept-booking endpoint is hit. [type error]
Severity Level: Critical 🚨
- ❌ Booking-approval endpoint crashes before any business logic runs.
- ❌ Cab-sharing seats can never be approved in current deployment.
Suggested change:
```diff
  import { sendEmail } from 'nodejs-nodemailer-outlook';
+ import mongoose from "mongoose";
```
Steps of Reproduction ✅
1. Start the backend server with the current `controllers/campusTravelController.js` file,
which exports `acceptBookingController` at lines 184–233 but does not import `mongoose`
anywhere at the top of the file (lines 1–6).
2. Trigger the booking-acceptance flow via the HTTP route that is wired to
`acceptBookingController` (the route definition is outside this diff, but the handler is
`controllers/campusTravelController.js:184`).
3. When the request reaches `acceptBookingController`
(`controllers/campusTravelController.js:184`), execution hits `const session = await
mongoose.startSession();` at line 186.
4. Because `mongoose` is not defined in this module scope (no `import mongoose from
"mongoose";` exists), Node.js throws `ReferenceError: mongoose is not defined`, causing
the request to fail with a 500 error and the transaction logic to never run.
Prompt for AI Agent 🤖
This is a comment left during a code review.
**Path:** controllers/campusTravelController.js
**Line:** 2:2
**Comment:**
Type Error: The controller uses `mongoose.startSession()` but never imports `mongoose`, which will cause a `ReferenceError` when the accept-booking endpoint is hit.
Validate the correctness of the flagged issue. If correct, how can I resolve this? If you propose a fix, implement it and please make it concise.
| if (!booking) { | ||
| throw new Error("Booking not found"); | ||
| } | ||
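Review bot: the ownership check the next suggestion asks for belongs directly after this null check and before the status check, and it must compare `booking.travelPost` with the post that was loaded for `postId`, not with anything taken from the request body. Returning the same error for "booking not found" and "booking belongs to another post" keeps a caller who mixes `postId` and `bookingId` (reproduction step 3 below) from learning which booking ids exist.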
Suggestion: The accept-booking logic never verifies that the booking actually belongs to the travel post whose ID is being processed, so a caller could approve an arbitrary booking against any post, leading to inconsistent data and authorization bypass; the booking's travelPost should be checked against the loaded post. [security]
Severity Level: Critical 🚨
- ❌ Bookings can be approved for the wrong travel post.
- ⚠️ Seat counts become inconsistent across travel posts.
- ⚠️ Potential authorization bypass by crafting mismatched IDs.
Suggested change:
```diff
+ if (booking.travelPost.toString() !== post._id.toString()) {
+   throw new Error("Booking does not belong to this travel post");
+ }
```
Steps of Reproduction ✅
1. Create at least two travel posts, `postA` and `postB`, using the existing travel-post
creation flow in `controllers/campusTravelController.js:20-40` (or the corresponding
service that backs `TravelPostModel`).
2. Create a pending booking document `bookingB` in `TravelBookingModel` that is logically
associated with `postB` (for example, via a `travelPost` reference field in
`TravelBookingModel` defined in `models/campusTravelModel.js`).
3. Call the HTTP route wired to `acceptBookingController`
(`controllers/campusTravelController.js:184`) with a JSON body containing `postId` set to
`postA._id` and `bookingId` set to `bookingB._id`.
4. Inside `acceptBookingController`, the code at lines 190–215 loads `postA` and
`bookingB` but never checks that `bookingB` actually belongs to `postA`; it sets
`booking.status = "accepted"` and decrements `postA.availableSeats`, effectively approving
a booking for a different post and reducing the wrong post's seat count.
5. This allows a malicious or buggy client to mix-and-match `postId` and `bookingId`,
leading to inconsistent data and potential authorization bypass (approving someone else's
booking against a different travel post).
Prompt for AI Agent 🤖
This is a comment left during a code review.
**Path:** controllers/campusTravelController.js
**Line:** 205:205
**Comment:**
Security: The accept-booking logic never verifies that the booking actually belongs to the travel post whose ID is being processed, so a caller could approve an arbitrary booking against any post, leading to inconsistent data and authorization bypass; the booking's `travelPost` should be checked against the loaded post.
Validate the correctness of the flagged issue. If correct, how can I resolve this? If you propose a fix, implement it and please make it concise.
| throw new Error("Booking already processed"); | ||
| } | ||
| booking.status = "accepted"; |
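Review bot: the `throw new Error("Booking already processed")` followed by `booking.status = ...` is a read-check-write; with `booking.save({ session })` (reproduction step 4 below) the status read and the write must both run under the same transaction, otherwise two concurrent approvals of one booking can both pass the check and decrement `availableSeats` twice. A conditional update whose filter includes `travelPost: post._id` and `status: "pending"` would make the check atomic and would enforce the ownership check from the previous suggestion in the same query.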
Suggestion: The booking status is set to "accepted" while the schema enum only allows "pending" and "approved", so saving the booking will fail validation; the status value should match the allowed enum. [logic error]
Severity Level: Major ⚠️
- ❌ Booking-approval requests fail on save due to enum mismatch.
- ⚠️ Cab-sharing bookings remain stuck in pending state.
Suggested change:
```diff
- booking.status = "accepted";
+ booking.status = "approved";
```
Steps of Reproduction ✅
1. In `models/campusTravelModel.js`, inspect the `TravelBookingModel` schema definition
for the `status` field (around the `TravelBookingModel` declaration); it is defined with
an enum that allows `"pending"` and `"approved"` but not `"accepted"`.
2. Create a booking that uses `TravelBookingModel` with `status: "pending"` via the
existing booking-creation flow (the creation endpoint is outside this diff but uses that
model).
3. Call the HTTP route wired to `acceptBookingController`
(`controllers/campusTravelController.js:184`) with a JSON body containing the `postId` and
the `bookingId` of the pending booking.
4. In `acceptBookingController`, after the seat and status checks, execution reaches
`booking.status = "accepted"; await booking.save({ session });` at lines 210–211; Mongoose
validation rejects `"accepted"` as an invalid enum value, causing `booking.save` to throw
a validation error and the request to return an error instead of approving the booking.
5. Note that this bug becomes visible once the missing `mongoose` import (suggestion 1) is
fixed; currently the controller fails earlier with a `ReferenceError`.
Prompt for AI Agent 🤖
This is a comment left during a code review.
**Path:** controllers/campusTravelController.js
**Line:** 210:210
**Comment:**
Logic Error: The booking status is set to `"accepted"` while the schema enum only allows `"pending"` and `"approved"`, so saving the booking will fail validation; the status value should match the allowed enum.
Validate the correctness of the flagged issue. If correct, how can I resolve this? If you propose a fix, implement it and please make it concise.
| "totalSeats": { type: Number, required: true }, | ||
| "availableSeats": { type: Number, required: true }, |
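Review bot: whichever way the `required`/`default` question is settled, both seat fields should carry `min: 0`, and `availableSeats` should never be allowed above `totalSeats`; the approval path decrements `availableSeats` (reproduction step 4 of the ownership suggestion above), and nothing in this schema stops it from going negative once the seat-availability check is skipped or raced.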
Suggestion: Marking totalSeats and availableSeats as required without providing them in the existing postTravel creation logic will cause validation errors and prevent travel posts from being saved; making them default to 0 and not required avoids breaking existing callers. [logic error]
Severity Level: Critical 🚨
- ❌ Creating TravelPost without seat fields fails validation.
- ⚠️ Existing clients omitting seats see request failures.
Suggested change:
```diff
- "totalSeats": { type: Number, required: true },
- "availableSeats": { type: Number, required: true },
+ "totalSeats": { type: Number, required: false, default: 0 },
+ "availableSeats": { type: Number, required: false, default: 0 },
```
Steps of Reproduction ✅
1. Open `models/campusTravelModel.js` and note in `TravelPostSchema` at lines 12-14 that
`"totalSeats"` and `"availableSeats"` are defined with `{ type: Number, required: true }`
and have no default values.
2. In a new file `test/createTravelPost.js`, import `TravelPostModel` via `import {
TravelPostModel } from "../models/campusTravelModel.js";`.
3. In `test/createTravelPost.js`, call `await TravelPostModel.create({ email: "a@b.com",
name: "Test", travelDateTime: new Date(), to: "X", from: "Y", margin: 10, note: "n",
phonenumber: "123", chatId: "chat1" });` without providing `"totalSeats"` or
`"availableSeats"`.
4. Run `node test/createTravelPost.js` and observe Mongoose throws a validation error
indicating that `"totalSeats"` and `"availableSeats"` are required, preventing the
`TravelPost` document from being saved.
Prompt for AI Agent 🤖
This is a comment left during a code review.
**Path:** models/campusTravelModel.js
**Line:** 13:14
**Comment:**
Logic Error: Marking `totalSeats` and `availableSeats` as required without providing them in the existing `postTravel` creation logic will cause validation errors and prevent travel posts from being saved; making them default to 0 and not required avoids breaking existing callers.
Validate the correctness of the flagged issue. If correct, how can I resolve this? If you propose a fix, implement it and please make it concise.
| }, { timestamps: true }); | ||
| const TravelBookingModel = mongoose.model("TravelBooking", TravelBookingSchema); |
Suggestion: The booking model is defined but not exported, so any import of this model in other files will be undefined and calls like TravelBookingModel.findById(...) will throw at runtime; exporting it fixes the issue. [type error]
Severity Level: Critical 🚨
- ❌ Importing TravelBookingModel fails with missing export error.
- ⚠️ Callers cannot query TravelBooking documents via Mongoose.
Suggested change:
```diff
- const TravelBookingModel = mongoose.model("TravelBooking", TravelBookingSchema);
+ export const TravelBookingModel = mongoose.model("TravelBooking", TravelBookingSchema);
```
Steps of Reproduction ✅
1. Open `models/campusTravelModel.js` and observe at line 50 that `TravelBookingModel` is
defined but not exported, while the export statement at lines 52-56 only exports
`TravelPostModel`, `TravelChatModel`, and `ReplyPostModel`.
2. Create a new file `test/bookingModelUsage.js` that contains `import {
TravelBookingModel } from "../models/campusTravelModel.js";` and then calls
`TravelBookingModel.find();`.
3. Run `node test/bookingModelUsage.js` (with ES modules enabled, e.g., `"type": "module"`
in `package.json`).
4. Observe that Node throws `SyntaxError: The requested module
'../models/campusTravelModel.js' does not provide an export named 'TravelBookingModel'`,
preventing any use of the booking model.
Prompt for AI Agent 🤖
This is a comment left during a code review.
**Path:** models/campusTravelModel.js
**Line:** 50:50
**Comment:**
Type Error: The booking model is defined but not exported, so any import of this model in other files will be undefined and calls like `TravelBookingModel.findById(...)` will throw at runtime; exporting it fixes the issue.
Validate the correctness of the flagged issue. If correct, how can I resolve this? If you propose a fix, implement it and please make it concise.
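As an added example (not the PR's or the project's code), the approval rules raised in the ownership and enum suggestions above, written as a pure function over plain objects so it runs without MongoDB; the `travelPost` reference, the `pending`/`approved` enum and the `availableSeats` decrement come from the review, while the error `code` values and the `approvalFilter` helper are assumptions.

```javascript
// Added example, not the PR's code: the accept-booking checks from the review as a pure
// function. Posts and bookings are plain objects; string ids stand in for ObjectIds.
// Status values the review says TravelBookingSchema allows ("accepted" is not one).
const BOOKING_STATUS = Object.freeze({ PENDING: "pending", APPROVED: "approved" });

// Typed error so a controller can map `code` to an HTTP status (assumed naming).
class ApprovalError extends Error {
  constructor(code, message) { super(message); this.code = code; }
}
// Validates that `booking` may be approved against `post` and returns the updates to
// apply. Throws ApprovalError instead of mutating, so nothing changes on failure.
function planAcceptBooking(post, booking) {
  if (!post) throw new ApprovalError("not_found", "Travel post not found");
  // Ownership check from the review: the booking must reference the loaded post.
  // A missing and a foreign booking get the same error, so mixing postId and
  // bookingId does not reveal which booking ids exist.
  if (!booking || String(booking.travelPost) !== String(post._id)) {
    throw new ApprovalError("not_found", "Booking not found for this travel post");
  }
  if (booking.status !== BOOKING_STATUS.PENDING) {
    throw new ApprovalError("already_processed", "Booking already processed");
  }
  if (!Number.isInteger(post.availableSeats) || post.availableSeats <= 0) {
    throw new ApprovalError("no_seats", "No seats available");
  }
  return {
    bookingUpdate: { status: BOOKING_STATUS.APPROVED }, // a value the enum accepts
    postUpdate: { availableSeats: post.availableSeats - 1 },
  };
}

// Filter for an atomic conditional update (e.g. findOneAndUpdate): ownership and
// pending status become part of the query, so two concurrent approvals cannot both
// succeed. Assumed helper; the PR's controller does a read-check-write instead.
function approvalFilter(post, booking) {
  return { _id: booking._id, travelPost: post._id, status: BOOKING_STATUS.PENDING };
}

// Wraps the plan so callers get a result object rather than an exception.
function tryAccept(post, booking) {
  try { return { ok: true, ...planAcceptBooking(post, booking) }; }
  catch (e) { if (e instanceof ApprovalError) return { ok: false, code: e.code }; throw e; }
}
// Constructed sample data mirroring the review's postA/postB/bookingB scenario.
const postA = { _id: "post-A", totalSeats: 3, availableSeats: 2 };
const postB = { _id: "post-B", totalSeats: 1, availableSeats: 0 };
const bookingA = { _id: "bk-A", travelPost: "post-A", status: "pending" };
const bookingB = { _id: "bk-B", travelPost: "post-B", status: "pending" };
console.log(tryAccept(postA, bookingB)); // { ok: false, code: 'not_found' }
console.log(tryAccept(postA, bookingA)); // ok: true, availableSeats becomes 1
```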
CodeAnt AI finished reviewing your PR.
Change PR from main to dev branch
CodeAnt-AI Description
Add booking records and an endpoint to approve bookings that reduces available seats
What Changed
Impact
✅ Fewer overbookings
✅ Clearer booking approval errors for hosts
✅ Visible seat counts on travel posts
💡 Usage Guide
Checking Your Pull Request
Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.
Talking to CodeAnt AI
Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:
This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.
Example
Preserve Org Learnings with CodeAnt
You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:
This helps CodeAnt AI learn and adapt to your team's coding style and standards.
Example
Retrigger review
Ask CodeAnt AI to review the PR again, by typing:
Check Your Repository Health
To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.