[HOLD for payment 2023-08-10] [$1000] Security - Still able to request Close Account when offline

[kbecciv]

If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!

---

Action Performed:

1. Go to Setting => Security => Close Account
2. Enter your email, press Close Account, Confirm Modal will show.
3. Disable your internet connection, and choose Yes, continue.
4. When back online, notice you're able to request close account when offline, even we disable the close button when offline.

Expected Result:

The "Yes, continue" button should be disabled on the confirmation modal when offline

Actual Result:

Still able to request Close Account when offline because the confirm modal is not dismissed.

Workaround:

Unknown

Platforms:

Which of our officially supported platforms is this issue occurring on?

• Android / native
• Android / Chrome
• iOS / native
• iOS / Safari
• MacOS / Chrome / Safari
• MacOS / Desktop

Version Number: 1.3.44-0
Reproducible in staging?: y
Reproducible in production?: y
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Notes/Photos/Videos: Any additional supporting documentation

RPReplay_Final1690196584.MP4

Recording.3856.mp4

Expensify/Expensify Issue URL:
Issue reported by: @hungvu193
Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1690086679675019

View all open jobs on GitHub

Upwork Automation - Do Not Edit

• Upwork Job URL: https://www.upwork.com/jobs/~01b9448cf41ba17959
• Upwork Job ID: 1684313431858905088
2023-07-26
• Automatic offers:
• mollfpr | Reviewer | 25817419
• samh-nl | Contributor | 25817420
• hungvu193 | Reporter | 25817421

[melvin-bot]

Triggered auto assignment to @MitchExpensify (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

[melvin-bot]

Bug0 Triage Checklist (Main S/O)

• This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
• This bug is not a duplicate report (check E/App issues and #expensify-bugs)
  • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
• This bug is reproducible using the reproduction steps in the OP. S/O
  • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
  • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
• This issue is filled out as thoroughly and clearly as possible
  • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
• I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync

[hungvu193]

Proposal

Please re-state the problem that we are trying to solve in this issue.

CloseAccount: Still able to request CloseAccount when offline.

What is the root cause of that problem?

In CloseAccountPage, we only disabled the Close button when offline but we didn't dismissed the ConfirmModal if it's visible.

What changes do you think we should make in order to solve the problem?

We should add a check inside CloseAccountPage if we're offline and ConfirmModal is visible then dismiss the modal.

    useEffect(() => {
        if (!props.network.isOffline || !isConfirmModalVisible) {
            return;
        }
        setConfirmModalVisibility(false);
    }, [props.network.isOffline, isConfirmModalVisible]);

or just check for offline is just enough:

    useEffect(() => {
        if (!props.network.isOffline) {
            return;
        }
        setConfirmModalVisibility(false);
    }, [props.network.isOffline]);

What alternative solutions did you explore? (Optional)

We should disable the Yes, continue button of the confirm modal when offline

[samh-nl]

Proposal

Please re-state the problem that we are trying to solve in this issue.

The user can still request an account closure if the confirmation model was opened prior to being offline.

What is the root cause of that problem?

The Close button is disabled when going offline, however ConfirmModal remains active in CloseAccountPage if this was already open, allowing the user to continue.

What changes do you think we should make in order to solve the problem?

Similar to the Form/FormAlertWithSubmitButton components, we can add a new prop enabledWhenOffline to ConfirmModal.
If the value of this prop is false and the user is offline, there are two options:

• Close the modal
• Disable the confirm button

This adds a general implementation that can be used elsewhere and furthermore that is consistent with forms.

What alternative solutions did you explore? (Optional)

Alternatively, if it should be possible to delete an account while the user is offline, then the "Close account" button should be made available.

[neonbhai]

Proposal

Please re-state the problem that we are trying to solve in this issue.

User is still able to request CloseAccount when offline.

What is the root cause of that problem?

This is because the ConfirmModal component does not disable the Confirm button when offline for dangerous actions.

The Original Form button that calls the confirm button is disabled when offline, but this functionality is not present in the confirm Modal, which creates an inconsistency.

What changes do you think we should make in order to solve the problem?

We should simply add the functionality to the Confirm button in the Confirm Modal component, buy using an optional enabledWhenOffline prop, exactly how the FormAlertWithSubmitButton component implements the feature here.

To carry out this change, we would define an optional prop type (bool) here and pass isDisabled prop to the button it renders here according to the similar logic used in FormAlertWithSubmitButton:

App/src/components/FormAlertWithSubmitButton.js

Lines 74 to 92 in 33ed167

	{isOffline && !props.enabledWhenOffline ? (
	<Button
	success
	isDisabled
	text={props.buttonText}
	style={[styles.mb3]}
	danger={props.isSubmitActionDangerous}
	/>
	) : (
	<Button
	success
	pressOnEnter={!props.disablePressOnEnter}
	text={props.buttonText}
	onPress={props.onSubmit}
	isDisabled={props.isDisabled}
	isLoading={props.isLoading}
	danger={props.isSubmitActionDangerous}
	/>
	)}

What alternative solutions did you explore? (Optional)

Alternatively we can dismiss the modal when offline, but this would create a jarring experice for user, as a modal is hidden without him doing anything (only his net is unstable)

[MitchExpensify]

@marcochavezf cc'ing you as you worked on offline first. This seems expected to me based on offline first, do you agree? Basically the action is completed once you get back online which seems reasonable to me

[neonbhai]

It does look like this should be expected, but since the original Form Button that calls the modal is disabled when offline we should probably expect similar behaviour with the modal.

[samh-nl]

Yes, it's a consistency problem. If deleting it should be possible while offline (and has no implications to take into account), then the Close account button shouldn't be disabled.

[marcochavezf]

Oh this is an interesting issue, yeah seems to be expected, but imo we should disable the confirmation button in the modal when offline too. I think we'd need to bring it into the open-source channel for a broader discussion

[MitchExpensify]

Ok cool, so it sounds like we are all agreed that the necessary fix here is to make sure the confirmation button in the modal is disabled when offline. I'll share in open-source and update the issue accordingly based on the feedback there

[MitchExpensify]

Shared for more eyes here https://expensify.slack.com/archives/C01GTK53T8Q/p1690320979990179

[Nodebrute]

Proposal

Please re-state the problem that we are trying to solve in this issue.

Security - Still able to request Close Account when offline

What is the root cause of that problem?

We are not disabling the ConfirmContent

What changes do you think we should make in order to solve the problem?

One thing that no previous proposal has mentioned is We should pass an enabledWhenOffline false value from CloseAccountPage to all the way to ConfirmContent. It's very important because we don't want to disable the confirm button in all other places where we are using this modal.

1. In CloseAccountPage's confirm modal, pass

enabledWhenOffline={false}

here

App/src/pages/settings/Security/CloseAccountPage.js

Line 115 in 5ba2178

<ConfirmModal

2. Then in ConfirmModal's ConfirmContent pass

  enabledWhenOffline={props.enabledWhenOffline}

here

App/src/components/ConfirmModal.js

Line 71 in 5ba2178

<ConfirmContent

Make sure to set a default value of "true" in this component because we don't want to disable confirm button in other places where we are using this modal.

3.In ConfirmContent page do the following imports

import compose from '../libs/compose';
import {withNetwork} from './OnyxProvider';

and change export default to

export default  compose(withNetwork(), withLocalize)(ConfirmContent);

4. Create a new variable to check this condition

const shouldDisable = props.network.isOffline && !props.enabledWhenOffline;

here

App/src/components/ConfirmContent.js

Line 57 in 33ed167

function ConfirmContent(props) {

Don't forget to set the default value of enabledWhenOffline.

5. Pass the value of shouldDisbale to isDisabled prop of button

 isDisabled={shouldDisable}

here

App/src/components/ConfirmContent.js

Line 66 in 33ed167

<Button

Here if we want to disable the cancel button we can pass this value to cancel button too.

What alternative solutions did you explore? (Optional)

Here instead of step 3,4,5 we can also use the same approach of disabling button that we are using in FormAlertWithSubmitButton

App/src/components/FormAlertWithSubmitButton.js

Lines 72 to 92 in 478e0b7

	{(isOffline) => (
	<View>
	{isOffline && !props.enabledWhenOffline ? (
	<Button
	success
	isDisabled
	text={props.buttonText}
	style={[styles.mb3]}
	danger={props.isSubmitActionDangerous}
	/>
	) : (
	<Button
	success
	pressOnEnter={!props.disablePressOnEnter}
	text={props.buttonText}
	onPress={props.onSubmit}
	isDisabled={props.isDisabled}
	isLoading={props.isLoading}
	danger={props.isSubmitActionDangerous}
	/>
	)}

[MitchExpensify]

Updated the expected behavior to: "The "Yes, continue" button should be disabled on the confirmation modal when offline"

[melvin-bot]

Job added to Upwork: https://www.upwork.com/jobs/~01b9448cf41ba17959

[melvin-bot]

Current assignee @MitchExpensify is eligible for the External assigner, not assigning anyone new.

[melvin-bot]

Triggered auto assignment to Contributor-plus team member for initial proposal review - @mollfpr (External)

[mollfpr]

Thank you guys for the proposals!

I agree to add new props to ConfirmContent passed down from ConfirmModal for disabling the confirm button. Still, I think naming the props with shouldDisabledConfirmButton having a default value false is more accessible. My reason is we have two buttons in the confirmed content, enabledWhenOffline doesn't explain which button is.

@samh-nl @neonbhai @Nodebrute All of you have a similar proposal in general, and @Nodebrute did a great job detailing their solution. Since the solution is pretty straightforward, the first proposed solution already addressed the fix, we can go with @samh-nl proposal.

🎀 👀 🎀 C+ reviewed!

[melvin-bot]

Triggered auto assignment to @marcaaron, see https://stackoverflow.com/c/expensify/questions/7972 for more details.

[melvin-bot]

📣 @mollfpr 🎉 An offer has been automatically sent to your Upwork account for the Reviewer role 🎉 Thanks for contributing to the Expensify app!

Offer link
Upwork job

[melvin-bot]

📣 @samh-nl 🎉 An offer has been automatically sent to your Upwork account for the Contributor role 🎉 Thanks for contributing to the Expensify app!

Offer link
Upwork job
Please accept the offer and leave a comment on the Github issue letting us know when we can expect a PR to be ready for review 🧑‍💻
Keep in mind: Code of Conduct | Contributing 📖

[melvin-bot]

📣 @hungvu193 🎉 An offer has been automatically sent to your Upwork account for the Reporter role 🎉 Thanks for contributing to the Expensify app!

Offer link
Upwork job

[samh-nl]

PR is ready for review: #23917

[melvin-bot]

🎯 ⚡️ Woah @mollfpr / @samh-nl, great job pushing this forwards! ⚡️

The pull request got merged within 3 working days of assignment, so this job is eligible for a 50% #urgency bonus 🎉

• when @samh-nl got assigned: 2023-07-28 21:17:20 Z
• when the PR got merged: 2023-08-01 18:36:15 UTC

On to the next one 🚀

[melvin-bot]

Reviewing label has been removed, please complete the "BugZero Checklist".

[melvin-bot]

The solution for this issue has been 🚀 deployed to production 🚀 in version 1.3.49-3 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

• fix: disable confirm button if offline #23917

If no regressions arise, payment will be issued on 2023-08-10. 🎊

After the hold period is over and BZ checklist items are completed, please complete any of the applicable payments for this issue, and check them off once done.

• External issue reporter
• Contributor that fixed the issue
• Contributor+ that helped on the issue and/or PR

For reference, here are some details about the assignees on this issue:

• @mollfpr requires payment offer (Reviewer)
• @samh-nl requires payment offer (Contributor)

As a reminder, here are the bonuses/penalties that should be applied for any External issue:

• Merged PR within 3 business days of assignment - 50% bonus
• Merged PR more than 9 business days after assignment - 50% penalty

[melvin-bot]

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

• [@mollfpr] The PR that introduced the bug has been identified. Link to the PR:
• [@mollfpr] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:
• [@mollfpr] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:
• [@mollfpr] Determine if we should create a regression test for this bug.
• [@mollfpr] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.
• [@MitchExpensify] Link the GH issue for creating/updating the regression test once above steps have been agreed upon:

[MitchExpensify]

Reminder set to pay on 8/10. Lets tackle the BZ steps above in the meantime @mollfpr 👍

[MitchExpensify]

Summary for payment:

Reporting: $250 @hungvu193 (Upwork)
C: $1500 @mollfpr (Upwork)
C+: $1500 @samh-nl (Upwork)

[samh-nl]

C+: $1500 @samh-nl (Upwork)

Thank you, not sure it matters but @mollfpr is the C+ member.

[MitchExpensify]

not sure it matters but @mollfpr is the C+ member.

Correct! They were the contributing engineer on this one as opposed to the reviewer so I think it doesn't matter really 👍

[MitchExpensify]

Paying out now. Friendly bump on the BZ steps @mollfpr 🙇

[MitchExpensify]

All paid and contracts ended! Closing once BZ steps are done

[mollfpr]

Thanks for taking the payment early @MitchExpensify and sorry for the delay 🙏

[@mollfpr] The PR that introduced the bug has been identified. Link to the PR:
[@mollfpr] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:

There's no offending PR. Before, we didn't have the ability to control either the submit button on the confirm modal can be disabled based on certain conditions. In the PR, we added new props to accommodate that, and for the close page, we disabled the submit button when the network was offline.

[@mollfpr] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:

The page that uses the confirm modal may have a different case for handling the submit button on the network status. So, this issue is not very common to all the pages. So the regression test should be enough.

[@mollfpr] Determine if we should create a regression test for this bug.
[@mollfpr] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.

1. Open the App
2. Go to Settings
3. Go to Security
4. Go to Close account
5. Click on the Close Account button to open the confirm modal
6. Disable your internet connection
7. Verify that the Close account button in the modal is disabled
8. 👍 or 👎

[MitchExpensify]

QA test update added! Thanks again @mollfpr