[HOLD for payment 2023-07-14] [$1000] Error message displayed when User flags a message with no permission in a group chat #21719

Closed
1 of 6 tasks
kavimuru opened this issue Jun 27, 2023 · 26 comments
Assignees
Labels
Awaiting Payment Auto-added when associated PR is deployed to production Bug Something is broken. Auto assigns a BugZero manager. Daily KSv2 External Added to denote the issue can be worked on by a contributor

Comments

@kavimuru

kavimuru commented Jun 27, 2023

If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!


Action Performed:

  1. Login with userA account
  2. Go to the “New room” section
  3. Enter room name and select userA workspace
  4. Select visibility to “Public”
  5. Click on “Create room”
  6. Send some messages in room chat
  7. Go to the room detail
  8. Share code > Copy URL to clipboard
  9. Go back and click on Settings > Who can post
  10. Select Admin only
  11. Open other browser and login with userB account
  12. Join the room by pasting URL
  13. Now click on “flag as offensive”
  14. Click on any option

Expected Result:

Error message "Auth CreateReportAction returned an error" displayed when UserB flags a message without posting permission in a group chat

Actual Result:

The error message "Auth CreateReportAction returned an error" is displayed when UserB flags a message without having permission to post in the group chat

Workaround:

Can the user still use Expensify without this being fixed? Have you informed them of the workaround?

Platforms:

Which of our officially supported platforms is this issue occurring on?

  • Android / native
  • Android / Chrome
  • iOS / native
  • iOS / Safari
  • MacOS / Chrome / Safari
  • MacOS / Desktop

Version Number: 1.3.33-4
Reproducible in staging?: y
Reproducible in production?: y
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Notes/Photos/Videos: Any additional supporting documentation

screen-recording-2023-06-24-at-82841-pm_IQp5roly.mp4
Recording.1119.mp4

Expensify/Expensify Issue URL:
Issue reported by: @ayazhussain79
Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1687621449744259


Upwork Automation - Do Not Edit
  • Upwork Job URL: https://www.upwork.com/jobs/~0129a94963f8137bb5
  • Upwork Job ID: 1674063676186324992
  • Last Price Increase: 2023-06-28
@kavimuru kavimuru added Daily KSv2 Bug Something is broken. Auto assigns a BugZero manager. labels Jun 27, 2023
@melvin-bot

melvin-bot bot commented Jun 27, 2023

Triggered auto assignment to @twisterdotcom (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

@melvin-bot

melvin-bot bot commented Jun 27, 2023

Bug0 Triage Checklist (Main S/O)

  • This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
  • This bug is not a duplicate report (check E/App issues and #expensify-bugs)
    • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
  • This bug is reproducible using the reproduction steps in the OP. S/O
    • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
    • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
  • This issue is filled out as thoroughly and clearly as possible
    • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
  • I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync

@kavimuru kavimuru changed the title Error message "Auth CreateReportAction returned an error" displayed when UserB flags a message without posting permission in a group chat Error message displayed when User flags a message with no permission in a group chat Jun 27, 2023
@hungvu193
Contributor

hungvu193 commented Jun 27, 2023

Proposal

Please re-state the problem that we are trying to solve in this issue.

Error message displayed when User flags a message with no permission in a group chat

What is the root cause of that problem?

We're allowing the user to flag a comment even if they don't have permission in the room, here:

        shouldShow: (type, reportAction, isArchivedRoom, betas, menuTarget, isChronosReport, reportID) =>
            type === CONTEXT_MENU_TYPES.REPORT_ACTION &&
            ReportUtils.canFlagReportAction(reportAction, reportID) &&
            !isArchivedRoom &&
            !isChronosReport &&
            !ReportUtils.isConciergeChatReport(reportID) &&
            reportAction.actorEmail !== CONST.EMAIL.CONCIERGE,

But from our server, if users don't have permission, they also don't have permission to flag the comment, which caused the issue.

What changes do you think we should make in order to solve the problem?

We need to check whether the current user has permission to comment; if they don't, we should hide the flag comment option in our context menu.

        shouldShow: (type, reportAction, isArchivedRoom, betas, menuTarget, isChronosReport, reportID) =>
            type === CONTEXT_MENU_TYPES.REPORT_ACTION &&
            ReportUtils.canFlagReportAction(reportAction, reportID) &&
            !isArchivedRoom &&
            !isChronosReport &&
            !ReportUtils.isConciergeChatReport(reportID) &&
            reportAction.actorEmail !== CONST.EMAIL.CONCIERGE &&
            ReportUtils.isAllowedToComment(ReportUtils.getReport(reportID)),

We can also do the same with reply in thread menu options.

In case a FlagCommentPage was already opened while the room setting was changed to "Admins only", we can add a FullPageNotFoundView inside FlagCommentPage and check if the user is not allowed to comment, then show the NotFound view, or dismiss the modal by adding a useEffect to check.

What alternative solutions did you explore? (Optional)

N/A

@twisterdotcom
Contributor

I am OOO! Adding another BZ member for the week.

@twisterdotcom twisterdotcom added Bug Something is broken. Auto assigns a BugZero manager. and removed Bug Something is broken. Auto assigns a BugZero manager. labels Jun 28, 2023
@melvin-bot

melvin-bot bot commented Jun 28, 2023

Triggered auto assignment to @anmurali (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

@Expensify Expensify deleted a comment from melvin-bot bot Jun 28, 2023
@anmurali anmurali added the External Added to denote the issue can be worked on by a contributor label Jun 28, 2023
@melvin-bot melvin-bot bot changed the title Error message displayed when User flags a message with no permission in a group chat [$1000] Error message displayed when User flags a message with no permission in a group chat Jun 28, 2023
@melvin-bot

melvin-bot bot commented Jun 28, 2023

Job added to Upwork: https://www.upwork.com/jobs/~0129a94963f8137bb5

@melvin-bot melvin-bot bot added the Help Wanted Apply this label when an issue is open to proposals by contributors label Jun 28, 2023
@melvin-bot

melvin-bot bot commented Jun 28, 2023

Current assignee @anmurali is eligible for the External assigner, not assigning anyone new.

@melvin-bot

melvin-bot bot commented Jun 28, 2023

Triggered auto assignment to Contributor-plus team member for initial proposal review - @allroundexperts (External)

@dukenv0307
Contributor

Proposal

Please re-state the problem that we are trying to solve in this issue.

Error message displayed when User flags a message with no permission in a group chat

What is the root cause of that problem?

Currently, on the FE side, we allow users to flag messages in a room that only allows the admin to post comments.

What changes do you think we should make in order to solve the problem?

App/src/libs/ReportUtils.js

Lines 223 to 230 in 3404111

function canFlagReportAction(reportAction) {
    return (
        !loginList.includes(reportAction.actorEmail) &&
        reportAction.actionName === CONST.REPORT.ACTIONS.TYPE.ADDCOMMENT &&
        !ReportActionsUtils.isDeletedAction(reportAction) &&
        !ReportActionsUtils.isCreatedTaskReportAction(reportAction)
    );
}

We should update canFlagReportAction to prevent users from flagging comments without permission in a room, like this:

function canFlagReportAction(reportAction, reportID) {
    const report = getReport(reportID);
    if (isChatRoom(report) && report.writeCapability !== CONST.REPORT.WRITE_CAPABILITIES.ALL) {
        return false;
    }
    return (
        !loginList.includes(reportAction.actorEmail) &&
        reportAction.actionName === CONST.REPORT.ACTIONS.TYPE.ADDCOMMENT &&
        !ReportActionsUtils.isDeletedAction(reportAction) &&
        !ReportActionsUtils.isCreatedTaskReportAction(reportAction)
    );
}

After updating the canFlagReportAction function, if the user accesses the flag comment page by URL without permission, it will show NotFoundPage, as we implemented in this PR.

Optional: I also see that the user can reply in a thread in a room where the user doesn't have permission. If we want to prevent the user from replying in the thread, we can add the same condition as above.

What alternative solutions did you explore? (Optional)

@melvin-bot melvin-bot bot added the Overdue label Jun 30, 2023
@allroundexperts
Contributor

Thanks for your proposal @dukenv0307. I did not find your proposal much different than what @hungvu193 suggested here. The check which you suggested to add in canFlagReportAction is also present in isAllowedToComment function as mentioned in this proposal.

Since @hungvu193 was the first one to propose the correct solution, I suggest that we go with them.

@hungvu193 I think we do not need to disable the thread option if the backend is not throwing any error for creating a thread.

🎀 👀 🎀 C+ reviewed

@melvin-bot

melvin-bot bot commented Jul 1, 2023

Triggered auto assignment to @danieldoglas, see https://stackoverflow.com/c/expensify/questions/7972 for more details.

@dukenv0307
Contributor

dukenv0307 commented Jul 1, 2023

@allroundexperts Thanks for your review. I see that we also need to fix the edge case when the user accesses the flag comment page by URL.
With my proposal, we only need to fix the canFlagReportAction function to resolve 2 things:

  1. Hide the flag icon on the context menu
  2. Prevent user access to flag comment page by URL

With @hungvu193's proposal we need to fix 2 places with redundant code, and it makes the code base difficult to maintain

@allroundexperts
Contributor

> @allroundexperts Thanks for your review. I see that we also need to fix the edge case when the user accesses the flag comment page by URL.
>
> With my proposal, we only need to fix the canFlagReportAction function to resolve 2 things:
>
>   1. Hide the flag icon on the context menu
>   2. Prevent user access to flag comment page by URL
>
> With @hungvu193's proposal we need to fix 2 places with redundant code, and it makes the code base difficult to maintain

I think this optimisation can be handled in the PR easily.

@melvin-bot melvin-bot bot removed the Help Wanted Apply this label when an issue is open to proposals by contributors label Jul 3, 2023
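
An added sketch (not code from this thread or from the Expensify repository) of the point debated above: one permission predicate backing both the context-menu item and the flag page reached by URL, with the server check kept authoritative. All function names, capability values and sample data are hypothetical.

```javascript
// Added example: names and data shapes are hypothetical, not Expensify's code.
const WRITE = {ALL: 'all', ADMINS: 'admins'}; // constructed capability values

// Single source of truth for "may this user post in this room?"
function canPost(report, user) {
    if (!report) {
        return false; // unknown room: deny by default
    }
    if (report.writeCapability === WRITE.ADMINS) {
        return report.admins.includes(user);
    }
    return true;
}

// Flagging requires posting rights; own or deleted messages cannot be flagged.
function canFlag(report, action, user) {
    return canPost(report, user) && action.actor !== user && !action.deleted;
}

// Entry point 1: context-menu visibility.
function flagMenuVisible(report, action, user) {
    return canFlag(report, action, user);
}

// Entry point 2: flag page opened directly by URL, or re-evaluated after the
// room setting changed while the page was already open.
function resolveFlagPage(reports, reportID, action, user) {
    return canFlag(reports[reportID], action, user) ? 'FlagCommentPage' : 'NotFound';
}

// The server stays authoritative: it re-checks and rejects whatever the UI showed.
function serverFlagComment(reports, reportID, action, user) {
    if (!canFlag(reports[reportID], action, user)) {
        return {status: 403, error: 'not allowed to flag in this room'};
    }
    return {status: 200};
}

// Constructed sample data mirroring the reproduction steps.
const reports = {
    adminOnly: {writeCapability: WRITE.ADMINS, admins: ['userA']},
    open: {writeCapability: WRITE.ALL, admins: ['userA']},
};
const message = {actor: 'userA', deleted: false};
```

Because both client entry points call the same predicate, the menu and the deep link cannot drift apart, and the client never offers an action the server would reject.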
@melvin-bot

melvin-bot bot commented Jul 3, 2023

📣 @allroundexperts 🎉 An offer has been automatically sent to your Upwork account 🎉

Reviewer - [$1000] Error message displayed when User flags a message with no permission in a group chat

@melvin-bot

melvin-bot bot commented Jul 3, 2023

📣 @hungvu193 🎉 An offer has been automatically sent to your Upwork account 🎉

Contributor - [$1000] Error message displayed when User flags a message with no permission in a group chat
Please accept the offer and leave a comment on the Github issue letting us know when we can expect a PR to be ready for review 🧑‍💻
Keep in mind: Code of Conduct | Contributing 📖

@melvin-bot

melvin-bot bot commented Jul 3, 2023

📣 @ayazhussain79 You have been assigned to this job!
Please apply to this job in Upwork here and leave a comment on the Github issue letting us know when we can expect a PR to be ready for review 🧑‍💻
Once you apply to this job, your Upwork ID will be stored and you will be automatically hired for future jobs!
Keep in mind: Code of Conduct | Contributing 📖

@melvin-bot melvin-bot bot added Reviewing Has a PR in review Weekly KSv2 Awaiting Payment Auto-added when associated PR is deployed to production and removed Overdue Daily KSv2 labels Jul 3, 2023
@melvin-bot melvin-bot bot changed the title [$1000] Error message displayed when User flags a message with no permission in a group chat [HOLD for payment 2023-07-14] [$1000] Error message displayed when User flags a message with no permission in a group chat Jul 7, 2023
@melvin-bot melvin-bot bot removed the Reviewing Has a PR in review label Jul 7, 2023
@melvin-bot

melvin-bot bot commented Jul 7, 2023

Reviewing label has been removed, please complete the "BugZero Checklist".

@melvin-bot

melvin-bot bot commented Jul 7, 2023

The solution for this issue has been 🚀 deployed to production 🚀 in version 1.3.37-7 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

If no regressions arise, payment will be issued on 2023-07-14. 🎊

After the hold period is over and BZ checklist items are completed, please complete any of the applicable payments for this issue, and check them off once done.

  • External issue reporter
  • Contributor that fixed the issue
  • Contributor+ that helped on the issue and/or PR

As a reminder, here are the bonuses/penalties that should be applied for any External issue:

  • Merged PR within 3 business days of assignment - 50% bonus
  • Merged PR more than 9 business days after assignment - 50% penalty

@melvin-bot

melvin-bot bot commented Jul 7, 2023

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

  • [@allroundexperts] The PR that introduced the bug has been identified. Link to the PR:
  • [@allroundexperts] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:
  • [@allroundexperts] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:
  • [@allroundexperts] Determine if we should create a regression test for this bug.
  • [@allroundexperts] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.
  • [@twisterdotcom / @anmurali] Link the GH issue for creating/updating the regression test once above steps have been agreed upon:

@melvin-bot melvin-bot bot added Daily KSv2 and removed Weekly KSv2 labels Jul 13, 2023
@twisterdotcom
Contributor

Assigned Jul 3, 11:25am
Merged Jul 4, 12:55pm

Why was there no celebratory this was done within 3 days comment?

@ayazhussain79
Contributor

@twisterdotcom Offer accepted, Thank you

@allroundexperts
Contributor

@twisterdotcom The checklist does not seem to be applicable here. Looks like we did not take this into account when creating the message flagging feature.

@anmurali

@allroundexperts is paid

@allroundexperts
Contributor

@twisterdotcom Can you please withdraw the offer on Upwork? Thanks!

@twisterdotcom
Contributor

I cannot load Upwork today sorry. This will need to be done Monday.
