[HOLD for payment 2023-08-01] [$1000] Users who are not assigned can update the assignor for the task and update the status of the task

[kavimuru]

If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!

---

Action Performed:

1. Login 2 account A and B on 2 devices
2. A create a group include B and C
3. A create a task but not assign anyone
4. B go to detail a task, observed that B cannot update status task
5. B click avatar where the person is assigned
6. B assign myself
7. B click "mark as done"

Expected Result:

B can't assign himself and update the task

Actual Result:

B can assign himself and update the task

Workaround:

Can the user still use Expensify without this being fixed? Have you informed them of the workaround?

Platforms:

Which of our officially supported platforms is this issue occurring on?

• Android / native
• Android / Chrome
• iOS / native
• iOS / Safari
• MacOS / Chrome / Safari
• MacOS / Desktop

Version Number: 1.3.33-2
Reproducible in staging?: y
Reproducible in production?: y
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Notes/Photos/Videos: Any additional supporting documentation

Screen.Recording.2023-06-24.at.20.29.58.mov

Recording.1117.mp4

Expensify/Expensify Issue URL:
Issue reported by: @namhihi237
Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1687614685996199

View all open jobs on GitHub

Upwork Automation - Do Not Edit

• Upwork Job URL: https://www.upwork.com/jobs/~018d124d13032a7005
• Upwork Job ID: 1676990326156591104
• Last Price Increase: 2023-07-06

[melvin-bot]

Triggered auto assignment to @kevinksullivan (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

[melvin-bot]

Bug0 Triage Checklist (Main S/O)

• This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
• This bug is not a duplicate report (check E/App issues and #expensify-bugs)
  • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
• This bug is reproducible using the reproduction steps in the OP. S/O
  • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
  • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
• This issue is filled out as thoroughly and clearly as possible
  • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
• I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync

[namhihi237]

Proposal

Please re-state the problem that we are trying to solve in this issue.

B can't assign himself and update the task

What is the root cause of that problem?

In TaskHeader we did not check who can open the modal change assign

App/src/components/TaskHeader.js

Line 54 in c122266

const isOpen = props.report.stateNum === CONST.REPORT.STATE_NUM.OPEN && props.report.statusNum === CONST.REPORT.STATUS.OPEN;

App/src/components/TaskHeader.js

Lines 66 to 69 in c122266

	<PressableWithFeedback
	onPress={() => Navigation.navigate(ROUTES.getTaskReportAssigneeRoute(props.report.reportID))}
	disabled={!isOpen}
	accessibilityRole="button"

What changes do you think we should make in order to solve the problem?

We need to check if the current user is ownerAccountID or not, If not we will disable

const isOwner = props.session.accountID === props.report.ownerAccountID;
const isOpen = props.report.stateNum === CONST.REPORT.STATE_NUM.OPEN && props.report.statusNum === CONST.REPORT.STATUS.OPEN && isOwner;

Result:

Screen.Recording.2023-06-28.at.01.10.47.mov

What alternative solutions did you explore? (Optional)

N/A

[kevinksullivan]

checking on expected behavior in slack before moving forward

https://expensify.slack.com/archives/C049HHMV9SM/p1687989265525919?thread_ts=1687614685.996199&cid=C049HHMV9SM

[melvin-bot]

@kevinksullivan Huh... This is 4 days overdue. Who can take care of this?

[melvin-bot]

Job added to Upwork: https://www.upwork.com/jobs/~018d124d13032a7005

[melvin-bot]

Triggered auto assignment to @puneetlath (External), see https://stackoverflow.com/c/expensify/questions/8582 for more details.

[kevinksullivan]

Missed the label but this is a bug.

[melvin-bot]

Triggered auto assignment to Contributor-plus team member for initial proposal review - @mananjadhav (External)

[mananjadhav]

@namhihi237 Based on the slack conversation I think the task should be enabled for policy admins, creator(owner) and assignee. Does your proposal cover all the scenarios?

[Nodebrute]

Proposal

Please re-state the problem that we are trying to solve in this issue.

Users who are not assigned can update the assignor for the task and update the status of the task

What is the root cause of that problem?

We are not adding check on who can edit the task

What changes do you think we should make in order to solve the problem?

Add this check in this empty space

App/src/components/TaskHeader.js

Line 56 in c122266

const canEdit = PolicyUtils.isPolicyAdmin(props.policy) ||TaskUtils.isTaskAssigneeOrTaskOwner(props.report,props.session.accountID)

pass policy in props to TaskHeader and then use it check if it's policy admin

In end change thisdisabled={!isOpen || !canEdit}

we can also add this check for title and description as mentioned in slack

What alternative solutions did you explore? (Optional)

[Nodebrute]

Updated as Task View has changed

Proposal

Please re-state the problem that we are trying to solve in this issue.

Users who are not assigned can update the assignor for the task and update the status of the task

What is the root cause of that problem?

We are not adding check on who can edit the task

What changes do you think we should make in order to solve the problem?

3 persons are allowed to edit assignee as mentioned in slack

1. Policy Admin
2. Assignee
3. Task creator

The challenge here we are not passing any policy data to the TaskView except we can access policy id from props.report.policyID

To check if isPolicyAdmin we need to pass policy to the utility function. To solve this issue I have created another utilityFunction in ReportUtils

function getPolicy(policyID){
    const policy = lodashGet(allPolicies, `${ONYXKEYS.COLLECTION.POLICY}${policyID}`) || {};
    return policy;
}

This function will return policy using policyID then we can use this data in TaskHeader to check if current user is policy admin

const canEdit =PolicyUtils.isPolicyAdmin(Policy) || Task.isTaskAssigneeOrTaskOwner(props.report,props.currentUserPersonalDetails.accountID)

and then use this to disable For example here

App/src/components/ReportActionItem/TaskView.js

Line 124 in 60f4817

disabled={!isOpen}

we can change this line to

disabled={!isOpen || !canEdit}

We can use same approach to limit user action for tasks at all the places where we want to restrict the user. We need to also fix this in taskHeaderActionButton.

What alternative solutions did you explore? (Optional)

[mananjadhav]

Based on the requirements @Nodebrute's proposal looks good here.

@puneetlath @kevinksullivan Wouldn't this also require a backend fix?

🎀 👀 🎀 C+ reviewed.

[melvin-bot]

Triggered auto assignment to @PauloGasparSv, see https://stackoverflow.com/c/expensify/questions/7972 for more details.

[Nodebrute]

@mananjadhav Could you please let me know the next steps here?

[mananjadhav]

Wait for @PauloGasparSv to review and assign the job. Thanks for the patience here.

[melvin-bot]

Triggered auto assignment to @Li357 (Engineering), see https://stackoverflow.com/c/expensify/questions/4319 for more details.

[kevinksullivan]

Sorry @mananjadhav , was OOO. New internal engineer assigned

[mananjadhav]

@Li357 Can you please check the linked PR?

[Li357]

Not overdue, going through regression testing

[melvin-bot]

Reviewing label has been removed, please complete the "BugZero Checklist".

[melvin-bot]

The solution for this issue has been 🚀 deployed to production 🚀 in version 1.3.44-2 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

• Assignee selector #22851

If no regressions arise, payment will be issued on 2023-08-01. 🎊

After the hold period is over and BZ checklist items are completed, please complete any of the applicable payments for this issue, and check them off once done.

• External issue reporter
• Contributor that fixed the issue
• Contributor+ that helped on the issue and/or PR

For reference, here are some details about the assignees on this issue:

• @mananjadhav does not require payment (Eligable for Manual Requests)
• @Nodebrute requires payment

As a reminder, here are the bonuses/penalties that should be applied for any External issue:

• Merged PR within 3 business days of assignment - 50% bonus
• Merged PR more than 9 business days after assignment - 50% penalty

[melvin-bot]

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

• [@mananjadhav] The PR that introduced the bug has been identified. Link to the PR:
• [@mananjadhav] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:
• [@mananjadhav] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:
• [@mananjadhav] Determine if we should create a regression test for this bug.
• [@mananjadhav] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.
• [@kevinksullivan] Link the GH issue for creating/updating the regression test once above steps have been agreed upon:

[mananjadhav]

While this is treated as a bug, I would also consider this a feature request. We discussed on the group on what the expected behavior should be and then finally added the code to handle this. I wouldn't attribute this to any PR, unless this was decided earlier which I can't find.

I think we should add a regression test for this one. @kevinksullivan we should add the Tests from the PR. @kevinksullivan @Li357 wdyt?

Regression Test Steps

1. Open Expensify as User A.
2. Go to any room.
3. Click on 'Assign Task,' fill in the task details, and share it in the room.
4. Open Expensify as User B, who is not the assignee, assignor, or PolicyAdmin.
5. Go to the same room and open the task report.
6. Verify that User B cannot edit the title, description, assignee, or mark the task as completed
7. Perform steps from 4 to 6 with user C who is policy admin and verify that they're able to edit the title, description, etc.
8. Perform steps from 3 to 6 with user D with the task assigned to them and verify that they're able to edit the title, description, etc.

@kevinksullivan Also this is ready for payout on 08/01, but there's no timeline bonus attached to it.

[Li357]

Agree, I think regression tests here would be valuable and those steps look good (I think steps 3 to 6 should be 4 to 6 for step 8?)

[mananjadhav]

For step 8, it is 3 to 6, as we need to add an assignee here.

[kevinksullivan]

Payment summary:

• Reporter: @namhihi237 $250
• Contributor: @Nodebrute $1,000
• C+: @mananjadhav $1,000

[JmillsExpensify]

Reviewed details for @mananjadhav. These details are accurate based on summary from Business Reviewer and are now approved for payment in NewDot.

[kevinksullivan]

Upwork payments done