[HOLD for payment 2023-07-14] [$1000] Web - UserB can still create a task in room chat when UserA changes post permission to "Admins only" #21791

Closed
1 of 6 tasks
kbecciv opened this issue Jun 28, 2023 · 42 comments

kbecciv commented Jun 28, 2023

If you haven’t already, check out our contributing guidelines for onboarding and email [email protected] to request to join our Slack channel!


Action Performed:

  1. Log in to UserA account
  2. Navigate to the "New room" section
  3. Create a new room by entering a room name and selecting UserA's workspace
  4. Set the visibility of the room to "Public"
  5. Click on "Create room"
  6. Go to the room details
  7. Select "Share code" and copy the URL to the clipboard
  8. Return to the previous page and click on "Settings" > "Who can post"
  9. In another browser, log in to UserB account
  10. Join the room by pasting the copied URL
  11. Go to the "Assign task" section in the room chat
  12. Change the "Who can post" setting to "Admins only" from UserA account
  13. Now you can create a task in the room chat

Expected Result:

When UserA changes the post permission to "Admins only," UserB should not be able to create a task in the room chat

Actual Result:

Even after UserA changes the post permission to "Admins only," UserB can still create a task in the room chat

Workaround:

Unknown

Platforms:

Which of our officially supported platforms is this issue occurring on?

  • Android / native
  • Android / Chrome
  • iOS / native
  • iOS / Safari
  • MacOS / Chrome / Safari
  • MacOS / Desktop

Version Number: 1.3.32-5
Reproducible in staging?: y
Reproducible in production?: y
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Notes/Photos/Videos: Any additional supporting documentation

screen-recording-2023-06-26-at-122853-am_vxzqn8ht.1.mp4
Recording.931.mp4

Expensify/Expensify Issue URL:
Issue reported by: @ayazhussain79
Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1687722646703389

View all open jobs on GitHub

Upwork Automation - Do Not Edit
  • Upwork Job URL: https://www.upwork.com/jobs/~01fc548bc92bd6afb3
  • Upwork Job ID: 1674304197984038912
  • Last Price Increase: 2023-06-29
@kbecciv kbecciv added Daily KSv2 Bug Something is broken. Auto assigns a BugZero manager. labels Jun 28, 2023
@dukenv0307
Contributor

dukenv0307 commented Jun 28, 2023

Proposal

Please re-state the problem that we are trying to solve in this issue.

UserB can still create a task in room chat when UserA changes post permission to "Admins only"

What is the root cause of that problem?

We don't check to disable auto-set shareSomeWhere in NewTaskPage if the permission of parentReport is changed

What changes do you think we should make in order to solve the problem?

  1. We should add a check here to not set the shareSomeWhere value if the permission of parentReport is changed, by using the ReportUtils.isAllowedToComment function

      if (props.task.parentReportID && ReportUtils.isAllowedToComment(lodashGet(props.reports, `report_${props.task.parentReportID}`, {}))) {

      if (props.task.parentReportID) {

  2. We should add a check here to show an error if shareSomeWhere is already set before the permission of parentReport is changed

      if (!props.task.shareDestination || !ReportUtils.isAllowedToComment(lodashGet(props.reports, `report_${props.task.shareDestination}`, {}))) {

      if (!props.task.shareDestination) {

  3. I think we should also exclude reports whose permission is admin only in TaskShareDestinationSelectorModal. To do this we could filter props.reports to exclude the reports whose permission is admin only and then pass the filtered reports into the getShareDestinationOptions function instead of props.reports

      // Keep only the reports the current user is still allowed to post in
      const reportExcludeAdminOnly = useMemo(() => {
          const reportFilter = {};
          _.keys(props.reports).forEach((reportKey) => {
              if (ReportUtils.isAllowedToComment(props.reports[reportKey])) {
                  reportFilter[reportKey] = props.reports[reportKey];
              }
          });
          return reportFilter;
      }, [props.reports]);
      useEffect(() => {
          const {recentReports, personalDetails, userToInvite} = OptionsListUtils.getShareDestinationOptions(
              reportExcludeAdminOnly,
              ...

What alternative solutions did you explore? (Optional)

We could also display a not found page specifying that the user cannot access assign task, by adding FullPageNotFoundView in NewTaskPage with the shouldShow prop set to !ReportUtils.isAllowedToComment(lodashGet(props.reports, `report_${props.task.shareDestination}`, {}))

@melvin-bot

melvin-bot bot commented Jun 28, 2023

Triggered auto assignment to @kadiealexander (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

@melvin-bot

melvin-bot bot commented Jun 28, 2023

Bug0 Triage Checklist (Main S/O)

  • This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
  • This bug is not a duplicate report (check E/App issues and #expensify-bugs)
    • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
  • This bug is reproducible using the reproduction steps in the OP. S/O
    • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
    • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
  • This issue is filled out as thoroughly and clearly as possible
    • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
  • I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync

@kadiealexander
Contributor

Repro'd:

2023-06-29_18-29-09.mp4

@kadiealexander kadiealexander added the External Added to denote the issue can be worked on by a contributor label Jun 29, 2023
@melvin-bot melvin-bot bot changed the title Web - UserB can still create a task in room chat when UserA changes post permission to "Admins only" [$1000] Web - UserB can still create a task in room chat when UserA changes post permission to "Admins only" Jun 29, 2023
@melvin-bot

melvin-bot bot commented Jun 29, 2023

Job added to Upwork: https://www.upwork.com/jobs/~01fc548bc92bd6afb3

@melvin-bot melvin-bot bot added the Help Wanted Apply this label when an issue is open to proposals by contributors label Jun 29, 2023
@melvin-bot

melvin-bot bot commented Jun 29, 2023

Current assignee @kadiealexander is eligible for the External assigner, not assigning anyone new.

@melvin-bot

melvin-bot bot commented Jun 29, 2023

Triggered auto assignment to Contributor-plus team member for initial proposal review - @sobitneupane (External)

@sobitneupane
Contributor

@dukenv0307 Thanks for your proposal.

Can we show a page similar to the Not Found Page specifying that the user doesn't have access to assign a task? It will inform the user that he/she no longer has access.

@dukenv0307
Contributor

@sobitneupane Yes. We also use the check that is mentioned in my proposal to display the not found page.

@sobitneupane
Contributor

sobitneupane commented Jul 3, 2023

@dukenv0307 Can you please add an alternative solution in your proposal for #21791 (comment)

@dukenv0307
Contributor

@sobitneupane
Contributor

Alternative Solution from @dukenv0307's proposal looks good to me.

🎀 👀 🎀 C+ reviewed

@melvin-bot

melvin-bot bot commented Jul 4, 2023

Triggered auto assignment to @cristipaval, see https://stackoverflow.com/c/expensify/questions/7972 for more details.

@dukenv0307
Contributor

I think we should also exclude reports whose permission is admin only in TaskShareDestinationSelectorModal. To do this we could filter props.reports to exclude the reports whose permission is admin only and then pass the filtered reports into the getShareDestinationOptions function instead of props.reports

@sobitneupane Do you think we should also exclude the report in TaskShareDestinationSelectorModal?

@sobitneupane
Contributor

Oh yes. That might be necessary when user tries to create task from LHN.

@melvin-bot melvin-bot bot removed the Help Wanted Apply this label when an issue is open to proposals by contributors label Jul 4, 2023
@melvin-bot

melvin-bot bot commented Jul 4, 2023

❌ There was an error making the offer to sobitneupane. The BZ member will need to manually hire the contributor. cc @thienlnam

@melvin-bot

melvin-bot bot commented Jul 4, 2023

❌ There was an error making the offer to dukenv0307. The BZ member will need to manually hire the contributor. cc @thienlnam

@melvin-bot

melvin-bot bot commented Jul 4, 2023

📣 @ayazhussain79 You have been assigned to this job!
Please apply to this job in Upwork here and leave a comment on the Github issue letting us know when we can expect a PR to be ready for review 🧑‍💻
Once you apply to this job, your Upwork ID will be stored and you will be automatically hired for future jobs!
Keep in mind: Code of Conduct | Contributing 📖

@cristipaval
Contributor

I think we should block the task creation in this case on the backend side as well 🤔
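
The stale-permission case from this thread, as an added example that is not code from the Expensify repository or from any commenter: the client filters destinations as in the proposal, and the write path re-checks the permission at submit time as suggested just above. The `writeCapability` and `members` fields, the sample reports and every function name here are constructed stand-ins, including the local `isAllowedToComment`.

```javascript
// Constructed sample data: two rooms, UserA is admin, UserB is a regular member.
const reports = {
    report_1: {reportID: '1', writeCapability: 'all', members: {userA: 'admin', userB: 'user'}},
    report_2: {reportID: '2', writeCapability: 'all', members: {userA: 'admin', userB: 'user'}},
};

// Stand-in for the ReportUtils.isAllowedToComment check named in the proposal.
function isAllowedToComment(report, userID) {
    if (!report || !(userID in report.members)) {
        return false;
    }
    return report.writeCapability !== 'admins' || report.members[userID] === 'admin';
}

// Client side (UX only): offer just the destinations the user may post in now.
function getPostableReports(allReports, userID) {
    return Object.fromEntries(Object.entries(allReports).filter(([, report]) => isAllowedToComment(report, userID)));
}

// Write path: authorise against the report as stored at submit time, never
// against what the client saw when it opened or prefilled the form.
function createTask(store, userID, task) {
    const report = store[`report_${task.shareDestination}`];
    if (!isAllowedToComment(report, userID)) {
        return {ok: false, status: 403, error: 'not allowed to post in this room'};
    }
    return {ok: true, status: 200, task: {...task, createdBy: userID}};
}

// Replays the issue: UserB opens the form, UserA restricts the room, UserB submits.
function replayIssue() {
    const store = JSON.parse(JSON.stringify(reports));
    const draft = {title: 'demo task', shareDestination: '1'}; // prefilled while posting was open
    const before = createTask(store, 'userB', draft);
    store.report_1.writeCapability = 'admins'; // UserA sets "Who can post" to "Admins only"
    const after = createTask(store, 'userB', draft); // stale draft, fresh check
    const admin = createTask(store, 'userA', draft);
    return {
        before: before.ok,
        after: after.status,
        admin: admin.ok,
        offered: Object.keys(getPostableReports(store, 'userB')),
    };
}

console.log(replayIssue());
```

The draft object is unchanged between the two submissions; only the stored room setting differs, which is why the check has to read current state on every write.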

@kadiealexander kadiealexander removed their assignment Jul 13, 2023
@kadiealexander kadiealexander added the Bug Something is broken. Auto assigns a BugZero manager. label Jul 13, 2023
@melvin-bot

melvin-bot bot commented Jul 13, 2023

Triggered auto assignment to @flaviadefaria (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

@melvin-bot melvin-bot bot added Daily KSv2 and removed Weekly KSv2 labels Jul 13, 2023
@Expensify Expensify deleted a comment from melvin-bot bot Jul 13, 2023
@kadiealexander
Contributor

Thanks for the help Flavia!

@ayazhussain79
Contributor

@kadiealexander offer accepted, Thank you

@melvin-bot melvin-bot bot added Daily KSv2 Overdue and removed Daily KSv2 labels Jul 13, 2023
@flaviadefaria
Contributor

@sobitneupane can you please answer the information here? Thanks!

@melvin-bot melvin-bot bot removed the Overdue label Jul 17, 2023
@flaviadefaria
Contributor

Payment issued for @dukenv0307 and @ayazhussain79.

@ayazhussain79
Contributor

Thank you

@flaviadefaria
Contributor

@sobitneupane friendly bump here so that we can close this GH.

@sobitneupane
Contributor

Sorry for the delay @flaviadefaria. I will complete the checklist by tomorrow.

@melvin-bot melvin-bot bot added the Overdue label Jul 24, 2023
@flaviadefaria
Contributor

@sobitneupane are you able to complete this today?

@sobitneupane
Contributor

sobitneupane commented Jul 24, 2023

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

  • [@sobitneupane] The PR that introduced the bug has been identified. Link to the PR:

#17992

  • [@sobitneupane] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:

#17992 (comment)

  • [@sobitneupane] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:

It is an edge case. So, I don't think this could have been caught earlier in PR review.

  • [@sobitneupane] Determine if we should create a regression test for this bug.

Yes.

  • [@sobitneupane] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.

@sobitneupane
Contributor

sobitneupane commented Jul 24, 2023

Regression Test Proposal:

  1. Login with user A
  2. On another device, login with user B
  3. From user B, create a workspace and invite user A to the workspace
  4. From user A, go to announce chat of this workspace
  5. Click on plus icon > Assign task
  6. Enter title, description and go to next step
  7. From user B, go to announce chat of this workspace
  8. Change the setting of "Who can post" to "Admins only"
  9. From user A, verify that not found page appears, and after clicking on the back button, the modal is dismissed

Do we agree 👍 or 👎

@sobitneupane
Contributor

Requested payment on newDot.

@flaviadefaria
Contributor

Cool once Anu pays you we can close this.

@flaviadefaria
Contributor

flaviadefaria commented Jul 26, 2023

Requested payment on newDot.

@anmurali, just for your control this should have been $1500.

@JmillsExpensify

JmillsExpensify commented Jul 27, 2023

Reviewed details for @sobitneupane. This is accurate based on summary from Business Reviewer and approved for payment in NewDot.

@flaviadefaria
Contributor

Great so closing this.
