Merge pull request #322 from codeunia-dev/fix/companyfunctions

codeunia-dev · web-flow · commit 120ae3933aca · 2025-11-14T16:56:02.000+05:30
fix(subscriptions): Prevent event creation limit bypass through deletion
diff --git a/lib/services/subscription-service.ts b/lib/services/subscription-service.ts
@@ -54,12 +54,14 @@ class SubscriptionService {
 
     const limits = SUBSCRIPTION_LIMITS[company.subscription_tier]
 
-    // Get events created this month
+    // Get events created this month (including deleted ones to prevent loophole)
+    // This counts ALL events created in the billing period, regardless of deletion status
     const startOfMonth = new Date()
     startOfMonth.setDate(1)
     startOfMonth.setHours(0, 0, 0, 0)
 
-    const { count: eventsCount, error: eventsError } = await supabase
+    // First, try to count from events table (active events)
+    const { count: activeEventsCount, error: eventsError } = await supabase
       .from('events')
       .select('*', { count: 'exact', head: true })
       .eq('company_id', companyId)
@@ -74,6 +76,18 @@ class SubscriptionService {
       )
     }
 
+    // Also count deleted events from audit log if it exists
+    // This prevents the loophole where users delete events to bypass limits
+    const { count: deletedEventsCount } = await supabase
+      .from('event_audit_log')
+      .select('*', { count: 'exact', head: true })
+      .eq('company_id', companyId)
+      .eq('action', 'created')
+      .gte('created_at', startOfMonth.toISOString())
+
+    // Use the audit log count if available (more accurate), otherwise use active count
+    const eventsCount = deletedEventsCount !== null ? deletedEventsCount : (activeEventsCount || 0)
+
     // Get active team members
     const { count: membersCount, error: membersError } = await supabase
       .from('company_members')
