[HOLD 296932][$1000] Web - Member from Share Somewhere in assign task (creating from group) can choose assignee, results in error
#21580
Comments
kbecciv
added
Daily
|
Triggered auto assignment to @joekaufmanexpensify ( |
Bug0 Triage Checklist (Main S/O)
|
ProposalPlease re-state the problem that we are trying to solve in this issue.Web - Member from Share Somewhere in assign task (creating from group) can choose assignee, results in error What is the root cause of that problem?The root cause for this problem is that we are not checking if current user has permission to assign this task to someone. App/src/components/TaskHeader.js Lines 66 to 117 in c261901 Currently we are only checking if the task is open or not. What changes do you think we should make in order to solve the problem?
Further updates discussed in this comment - #21580 (comment) What alternative solutions did you explore? (Optional)None |
|
I can reproduce this. Based on the design doc, it's not clear to me whether it's expected that anyone in the parent chat can edit a task's assignee. cc @thienlnam curious if you could share the expected behavior here? Should anyone in the chat be able to edit a task's assignee, or just the task creator/assignee (if there is one). |
|
Yes, only the creator, assignee, and policy admins are able to edit a task assignee |
|
Got it, ty! |
|
Updated OP to clarify expected behavior. |
joekaufmanexpensify
added
the
External
melvin-bot
bot
changed the title
Share Somewhere in assign task (creating from group) can choose assignee, results in errorShare Somewhere in assign task (creating from group) can choose assignee, results in error
|
Job added to Upwork: https://www.upwork.com/jobs/~01e2d2c3fd882a94d6 |
melvin-bot
bot
added
the
Help Wanted
|
Current assignee @joekaufmanexpensify is eligible for the External assigner, not assigning anyone new. |
|
Triggered auto assignment to Contributor-plus team member for initial proposal review - @abdulrahuman5196 ( |
ProposalPlease re-state the problem that we are trying to solve in this issue.User B should not be able to assign the task to someone, if they are not a policy admin, the task creator, or a current task assignee. What is the root cause of that problem?In TaskHeader we did not check who can open the modal change assign App/src/components/TaskHeader.js Line 54 in c122266 App/src/components/TaskHeader.js Lines 66 to 69 in c122266 What changes do you think we should make in order to solve the problem?We will check if they are not a policy admin, task creator, or a current task assignee.
What alternative solutions did you explore? (Optional)N/A |
What do you suggest to do when user doesn't have enough permissions? Like disable navigate user back or show some errors or disable the selection? |
|
@abdulrahuman5196 My suggestion would be disable the Options and show error message on the top in red color, that |
@BhuvaneshPatil Could you kindly share any other cases in the app where you have referenced this? Because it would be better if we reuse any existing exception handling behaviour similar to this case? |
|
@abdulrahuman5196 I will try and find the places where same behavior is being handled. |
|
@abdulrahuman5196 , similar thing I came across is that when workspace member is trying to access workspace settings page. We show this page - We can wrap the Example - App/src/pages/workspace/WorkspaceInitialPage.js Lines 178 to 182 in aca4e40 |
|
Proposals under review |
|
Thanks for the research @BhuvaneshPatil. I agree with @BhuvaneshPatil 's root cause and solution mentioned here - #21580 (comment) The addons we should do part of this is,
And the condition would be Lets go with the proposal - #21580 (comment) 🎀👀🎀 🎀 👀 🎀 C+ reviewed |
|
Triggered auto assignment to @stitesExpensify, see https://stackoverflow.com/c/expensify/questions/7972 for more details. |
|
@namhihi237 Thank you for the proposal. But it is almost similar to the accepted proposal. |
|
@stitesExpensify The C+ approved comment is here #21580 (comment) |
|
I'm happy to add that in for the front end, but I'm going to tag @thienlnam to make sure that we have this fixed on the backend as well |
ProposalPlease re-state the problem that we are trying to solve in this issue.Web - Member from Share Somewhere in assign task (creating from group) can choose assignee, results in error What is the root cause of that problem?We are not adding any check on who can edit assignee. What changes do you think we should make in order to solve the problem?First we need to add check if isCompletedTaskReport but what is task is not completed yet? Task is not completed yet and users who are not allowed to edit assignee can access that page and can edit Task. We need to add other checks here too !Task.isTaskAssigneeOrTaskOwner ---To check if current user is task assignee or task owner if not then user will not be able to access that page. I am working on this #22851 PR. I have added all the necessary checks on front end so user cannot access this pages while clicking on them. For accessing these pages using deep links or share some where from front end we can use FullPageNotFoundView using the same checks That I have added here we can stop user from accessing this page. As no previous proposal has mentioned an effective way of handling this on the frontend, here's another open issue where we are handling all deep links. My proposal was selected there. You can check and decide whether to keep these issues separate or merge them. What alternative solutions did you explore? (Optional) |
|
Moving back to weekly as this is on hold. |
|
There are other issues coming in about accessing the pages - #22451, as it was decided to add FullPageNotFoundView - #21580 (comment) We can handle them here as part of this issue on frontend. |
|
Still on hold |
|
@thienlnam @abdulrahuman5196 Suggested proposal doesn't affects backend changes and with very small change solves the new issues as well. If it's fine we can open this issue (make external) and make the changes. Please share your views. |
|
Thanks @thienlnam , similar changes are mentioned in this issue as well - #22451 Please have a look the issue and provide your feedback on the issue because the changes mentioned here are approved on that issue. |
|
Held |
|
Held issue should be merged - we can start looking at solutions for this now #21580 (comment) |
|
As permissions have changed we will follow the approach that we use for disabling
For disabling edits in App/src/components/ReportActionItem/TaskView.js Lines 50 to 53 in ab4dc4b We can use similar logic in cc - @abdulrahuman5196 |
|
@thienlnam @BhuvaneshPatil for my own understanding, if anyone that can view a task can now change the task's assignee, what changes do we still need to make in this issue? |
|
Yeah good question, the proposal listed is more about better handling edge cases where you aren't able to update task details - a task is cancelled or completed and you try to access the update assignee page directly |
|
Got it. Is that related to the original bug about a non-assignee being able to update the task assignee? If not, I wonder if it could make sense to open a new bug/new feature issue (depending on which it is), to handle that. |
|
The selected proposal for the issue mentioned by @thienlnam contains changes that were supposed to be for this issue. Shall they be added or not? |
|
It looks like the changes you mentioned here are actually covered in the selected proposal message #22451 (comment) regarding use of the FullPageNotFoundView. So there doesn't seem to be a need to duplicate the changes here |
|
The proposal selected for that proposal mentions the changes for this issue and these changes were considered for selecting. and this issue was created way earlier, so I want to point out that if the changes are not needed then should not be considered for selection. And if we decide to add those changes, they should not be criteria for deciding. This is my proposal for same - #22451 (comment) |
|
@thienlnam @joekaufmanexpensify I have found a new bug similar to this one, shall I add them here or wait till they are reported by QA? |
|
If it's a new bug, it should be handled in a new issue. |
|
Closing this one for now, since the bug that was specifically covered by this issue was fixed by https://github.com/Expensify/Expensify/issues/296932 ! |
|
Will there be compensation for reporting the bug? |
|
I would say no, since the need to fix this bug was obviated by internal changes we made in https://github.com/Expensify/Expensify/issues/296932 . |
|
Okay. Thanks @joekaufmanexpensify |
If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!
Action Performed:
Expected Result:
User B should not be able to assign the task to someone, if they are not a policy admin, the task creator, or a current task assignee.
User B should be able to assign the task to someone if they are a policy admin, the task creator, or the current assignee.
Actual Result:
User B can assign the task to someone when they are not a policy admin, the task creator or current task assignee. However, the assignee only appears in their account and does not appear in user A's (who is the task creator).
Workaround:
Unknown
Platforms:
Which of our officially supported platforms is this issue occurring on?
Version Number: 1.3.30-5
Reproducible in staging?: y
Reproducible in production?: y
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Notes/Photos/Videos: Any additional supporting documentation
Assignee.bug.in.grp.task.-.Made.with.Clipchamp.1.mp4
Recording.896.mp4
Expensify/Expensify Issue URL:
Issue reported by: @BhuvaneshPatil
Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1687434560850899
View all open jobs on GitHub
Upwork Automation - Do Not Edit
The text was updated successfully, but these errors were encountered: