[HOLD for payment 2023-07-14] [$1000] Able to request money from Workspaces in main

[Beamanator]

If you haven’t already, check out our contributing guidelines for onboarding and email [email protected] to request to join our Slack channel!

---

Action Performed:

1. create workspace
2. Click global create -> Request money
3. search for workspace you just created

Expected Result:

You shouldn't be able to find it (like in staging)

Actual Result:

You can request money from the workspace (in main) and it doesn't fail

Workaround:

Can the user still use Expensify without this being fixed? Have you informed them of the workaround?

Platforms:

Which of our officially supported platforms is this issue occurring on?

• Android / native
• Android / Chrome
• iOS / native
• iOS / Safari
• MacOS / Chrome / Safari
• MacOS / Desktop

Version Number: main
Reproducible in staging?: N
Reproducible in production?: N
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Notes/Photos/Videos: Any additional supporting documentation
Expensify/Expensify Issue URL:
Issue reported by: @niravkakadiya25
Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1686834315473029

View all open jobs on GitHub

Upwork Automation - Do Not Edit

• Upwork Job URL: https://www.upwork.com/jobs/~01948a1cdf660245e0
• Upwork Job ID: 1669353702452203520
• Last Price Increase: 2023-06-22

[melvin-bot]

Job added to Upwork: https://www.upwork.com/jobs/~01948a1cdf660245e0

[melvin-bot]

Triggered auto assignment to @adelekennedy (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

[melvin-bot]

Bug0 Triage Checklist (Main S/O)

• This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
• This bug is not a duplicate report (check E/App issues and #expensify-bugs)
  • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
• This bug is reproducible using the reproduction steps in the OP. S/O
  • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
  • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
• This issue is filled out as thoroughly and clearly as possible
  • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
• I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync

[melvin-bot]

Triggered auto assignment to @adelekennedy (External), see https://stackoverflow.com/c/expensify/questions/8582 for more details.

[melvin-bot]

Triggered auto assignment to Contributor-plus team member for initial proposal review - @abdulrahuman5196 (External)

[melvin-bot]

Triggered auto assignment to @flodnv (External), see https://stackoverflow.com/c/expensify/questions/7972 for more details.

[hungvu193]

Proposal

Please re-state the problem that we are trying to solve in this issue.

Able to request money from Workspaces in main

What is the root cause of that problem?

We are allowing to show workspace with iouType request here

App/src/pages/iou/steps/MoneyRequstParticipantsPage/MoneyRequestParticipantsSelector.js

Lines 75 to 86 in 9ea7b45

	getRequestOptions(searchTerm = '') {
	return OptionsListUtils.getNewChatOptions(
	this.props.reports,
	this.props.personalDetails,
	this.props.betas,
	searchTerm,
	[],
	CONST.EXPENSIFY_EMAILS,
	// If we are using this component in the "Request money" flow then we pass the includeOwnedWorkspaceChats argument so that the current user
	// sees the option to request money from their admin on their own Workspace Chat.
	this.props.iouType === CONST.IOU.MONEY_REQUEST_TYPE.REQUEST,

What changes do you think we should make in order to solve the problem?

I think this is intention since it was added 2 month ago 🤔 .
But in case we don't want to have the workspace inside participant list we can remove this condition:

this.props.iouType === CONST.IOU.MONEY_REQUEST_TYPE.REQUEST

What alternative solutions did you explore? (Optional)

N/A

[alitoshmatov]

@hungvu193 It is not showing workspaces in production which also has this.props.iouType === CONST.IOU.MONEY_REQUEST_TYPE.REQUEST.

[fedirjh]

@Beamanator I am sure this isn’t related to your last PR. This issue will not reach staging nor production.

Root cause

When we create a new workspace we generate an optimistic policyExpenseChat.

App/src/libs/actions/Policy.js

Lines 911 to 920 in a2d074b

	{
	onyxMethod: Onyx.METHOD.SET,
	key: `${ONYXKEYS.COLLECTION.REPORT}${expenseChatReportID}`,
	value: {
	pendingFields: {
	addWorkspaceRoom: CONST.RED_BRICK_ROAD_PENDING_ACTION.ADD,
	},
	...expenseChatData,
	},
	},

When the API command is successfully executed, the server only returns two reports: #admins and #announce. I believe the server should also return a third report based on the user's beta access to policyExpense. If the user doesn't have access to the beta, the optimistic report created in step 1 should be deleted from the user's device. However, if the user has access to the beta, the policyExpenseChat should be retained on the user's device. Currently, the actual behavior is that the policyExpenseChat is kept on the user's device regardless of beta access.

Here is the command response, which doesn't include the expenseChat report.

Here you can see the commend response which doesn’t include the expenseChat report

Now, since the user has a policyExpenseChat on their device, it will be displayed on the LHN and on the request money flow. This is because, for some reason, we allow developers to access the policyExpense beta on the development environment, as seen below.

User on Dev can access allBetas

App/src/libs/Permissions.js

Lines 10 to 12 in a2d074b

	function canUseAllBetas(betas) {
	return Environment.isDevelopment() || _.contains(betas, CONST.BETAS.ALL);
	}

Here we check if user has use PolicyExpenseChat, since he has access to allBetas, this will evaluate to true

App/src/libs/Permissions.js

Lines 85 to 87 in a2d074b

	function canUsePolicyExpenseChat(betas) {
	return _.contains(betas, CONST.BETAS.POLICY_EXPENSE_CHAT) || canUseAllBetas(betas);
	}

In the shouldReportBeInOptionList function, which takes various data from Onyx and evaluates whether a report should be displayed in the option list (for searching reports or in the LHN), there is a check for the report being a policyExpenseChat. However, this check fails because the user has access to the PolicyExpenseChat. Since they also have a policyReport saved in Onyx, it is displayed in multiple locations throughout the app, including the LHN, search, and money flow.

App/src/libs/ReportUtils.js

Lines 1940 to 1942 in a2d074b

	if (isPolicyExpenseChat(report) && !Permissions.canUsePolicyExpenseChat(betas)) {
	return false;
	}

When we try to open the report , the command will return 403 response

Solution

I believe we have three options:

1. Do nothing: This only affects the development environment. In other environments, the canUseAllBetas will fallback to the betas that the user has access to, rather than all betas.

2. Front-end Fix: Make canUsePolicyExpenseChat independent of canUseAllBetas. This means that by default, the user will not have access to the PolicyExpenseChat.

3. Backend Fix: When creating the workspace, modify the server to return Onyx.set null to the policy expense report, depending on the user's beta access. This will delete the report from the user's device if they don't have access, and keep it if they do.

[fedirjh]

Forget to mention that if user logout and then login, this issue will be resolved as the expense report will be deleted.

[flodnv]

@abdulrahuman5196 can you please review the proposals here?

[abdulrahuman5196]

Will review this before EOD

[abdulrahuman5196]

It seems to be intentional change to show the workspace in the option selector in case of request from #16967

@fedirjh
But to summarize the point you are trying to make, it seems like the user is allowed to use PolicyExpenseChat in main because of the development environment and the user is shown the workspace chats on request(This is expected to work if the user has legitimate access to PolicyExpenseChat). But in staging and production it won't cause any issue since the user can only use the feature if he added to the beta.

Note: I have to anyways verify this root cause, but I think it would be correct since @fedirjh was the C+ on the feature implementation.

If this case I think we should check for the frontend fix. The reason I am thinking of fixing this is,
What is the point of providing beta access locally, if the server request is expected to fail?, this would ultimately causes confusions and false positive bug reports from main like this one which could be avoided

[trjExpensify]

👋 @fedi @Beamanator I'm trying to figure out why we can't now find the workspace chat despite being on the policyExpenseChat beta. Specifically, the workspace chat is missing from Search, New Chat and the participant selector in the Request Money flow from global create all of a sudden.

rxt0m67WNP.mp4

This issue's OP is a tad confusing in what it's advocating for exactly, you should be able to request money from workspaces on main if you have the appropriate beta permissions, but that doesn't seem to be the case anymore either.

[Beamanator]

OOf please feel free to fix the bug report for me @trjExpensify 🙏 I wasn't aware this was "expected"! :O

[trjExpensify]

Can you confirm what the bug report is saying though in the first place? It seems like it's contradicting what we're seeing.

1. This bug report states you're able to request money from a workspace.. (despite not being on the beta, maybe?)
2. I (and others) were trying to do some tests and aren't able to find the workspace chat in New Chat, Search or Request Money at all despite being on the beta

[melvin-bot]

Based on my calculations, the pull request did not get merged within 3 working days of assignment. Please, check out my computations here:

• when @fedirjh got assigned: 2023-06-26 17:24:47 Z
• when the PR got merged: 2023-07-03 15:39:42 UTC
• days elapsed: 4

On to the next one 🚀

[flodnv]

I disagree with Melvin. This is on me for being ooo end of last week. Given @abdulrahuman5196's responsiveness on the PR, I'd like to recommend that this is eligible for the bonus @adelekennedy 👍

[adelekennedy]

ty @flodnv will pay out the timeline bonus

[melvin-bot]

Reviewing label has been removed, please complete the "BugZero Checklist".

[melvin-bot]

The solution for this issue has been 🚀 deployed to production 🚀 in version 1.3.37-7 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

• [No QA] [Fix] Remove all Betas access for dev environment #21655

If no regressions arise, payment will be issued on 2023-07-14. 🎊

After the hold period is over and BZ checklist items are completed, please complete any of the applicable payments for this issue, and check them off once done.

• External issue reporter
• Contributor that fixed the issue
• Contributor+ that helped on the issue and/or PR

As a reminder, here are the bonuses/penalties that should be applied for any External issue:

• Merged PR within 3 business days of assignment - 50% bonus
• Merged PR more than 9 business days after assignment - 50% penalty

[melvin-bot]

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

• [@fedirjh / @abdulrahuman5196] The PR that introduced the bug has been identified. Link to the PR:
• [@fedirjh / @abdulrahuman5196] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:
• [@fedirjh / @abdulrahuman5196] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:
• [@fedirjh / @abdulrahuman5196] Determine if we should create a regression test for this bug.
• [@fedirjh / @abdulrahuman5196] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.
• [@adelekennedy] Link the GH issue for creating/updating the regression test once above steps have been agreed upon:

[abdulrahuman5196]

BZ checklist:

The PR that introduced the bug has been identified. Link to the PR:
The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:
A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:

It was not a regression. It was a very old code and the expectation has changed now. https://expensify.slack.com/archives/C02NK2DQWUX/p1687549948966799

Determine if we should create a regression test for this bug.
If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.

No. This is only dev environment change.

[abdulrahuman5196]

@adelekennedy BZ checklist is complete here #20830 (comment)
This issue is pending payment processing.

[melvin-bot]

@flodnv, @fedirjh, @abdulrahuman5196, @adelekennedy Whoops! This issue is 2 days overdue. Let's get this updated quick!

[adelekennedy]

@abdulrahuman5196 @niravkakadiya25 @fedirjh will you apply here?

[abdulrahuman5196]

Thank you. Applied @adelekennedy

[niravkakadiya25]

@adelekennedy can you direct hire me please

https://www.upwork.com/freelancers/~01b750750a0d76226c

[fedirjh]

@adelekennedy Thank you! Applied.

[niravkakadiya25]

@adelekennedy can you please direct hire me on upwork?

[adelekennedy]

@niravkakadiya25 Will you apply here? To make sure I hire the right person.

[niravkakadiya25]

@adelekennedy
Applied

[adelekennedy]

hired - just pending the reporting bonus pay out

[adelekennedy]

paid!