[HOLD for payment 2024-02-26] [$500] [MEDIUM] Smartscan: Thread - You can go to the notifications@expensify.com profile and send a private message #32500

Closed
6 tasks done
lanitochka17 opened this issue Dec 5, 2023 · 70 comments

lanitochka17 commented Dec 5, 2023

If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!


Version Number: 1.4.8-0
Reproducible in staging?: Y
Reproducible in production?: Y
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Expensify/Expensify Issue URL:
Issue reported by: Applause - Internal Team
Slack conversation:

Action Performed:

  1. Open New Expensify app
  2. Navigate to any conversation
  3. Request money from another account by uploading a non-legible receipt (a random pic).
  4. Wait for smartscan to finish. It should fail.
  5. Navigate to the IOU details
  6. Create a thread with a system message about a receipt scanning failure
  7. In the thread header, click on the "Expensify" avatar
  8. In the RHP that appears, click on "Members"
  9. In "Members," click on "Expensify."
  10. In "Profile" click on "Message Expensify"

Expected Result:

notifications@expensify.com account should be hidden from user interaction

Actual Result:

Through thread, you can go to the notifications@expensify.com profile and send a private message

Workaround:

Unknown

Platforms:

Which of our officially supported platforms is this issue occurring on?

  • Android: Native
  • Android: mWeb Chrome
  • iOS: Native
  • iOS: mWeb Safari
  • MacOS: Chrome / Safari
  • MacOS: Desktop

Screenshots/Videos

Add any screenshot/video evidence

Bug6302077_1701795887873.Recording__838.mp4

Upwork Automation - Do Not Edit
  • Upwork Job URL: https://www.upwork.com/jobs/~013bd0e1cccedfb977
  • Upwork Job ID: 1732097741987237888
  • Last Price Increase: 2024-01-02
  • Automatic offers:
    • fedirjh | Reviewer | 28124783
    • mkhutornyi | Contributor | 28124784
@lanitochka17 lanitochka17 added External Added to denote the issue can be worked on by a contributor Daily KSv2 Bug Something is broken. Auto assigns a BugZero manager. labels Dec 5, 2023

melvin-bot bot commented Dec 5, 2023

Triggered auto assignment to @puneetlath (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

@melvin-bot melvin-bot bot changed the title Thread - You can go to the notifications@expensify.com profile and send a private message [$500] Thread - You can go to the notifications@expensify.com profile and send a private message Dec 5, 2023

melvin-bot bot commented Dec 5, 2023

Job added to Upwork: https://www.upwork.com/jobs/~013bd0e1cccedfb977


melvin-bot bot commented Dec 5, 2023

Bug0 Triage Checklist (Main S/O)

  • This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
  • This bug is not a duplicate report (check E/App issues and #expensify-bugs)
    • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
  • This bug is reproducible using the reproduction steps in the OP. S/O
    • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
    • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
  • This issue is filled out as thoroughly and clearly as possible
    • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
  • I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync

@melvin-bot melvin-bot bot added the Help Wanted Apply this label when an issue is open to proposals by contributors label Dec 5, 2023

melvin-bot bot commented Dec 5, 2023

Triggered auto assignment to Contributor-plus team member for initial proposal review - @0xmiroslav (External)


dukenv0307 commented Dec 5, 2023

Proposal

Please re-state the problem that we are trying to solve in this issue.

Through thread, you can go to the notifications@expensify.com profile and send a private message

What is the root cause of that problem?

In here, we don't have any condition to not show the "Message ..." for forbidden accounts like notifications@expensify.com.

What changes do you think we should make in order to solve the problem?

  1. Define a list of forbidden accounts, account ids where "Message ..." should not show and profile should not be viewed, and filter it out here so that it doesn't appear as one of the participants
})).filter((participant) => participant.accountID !== CONST.ACCOUNT_ID.NOTIFICATIONS);

We can optionally add the logic to show NotFound page or navigateBack (dismissModal), if the user deep links into the participants page of a thread that has no members (members excluding Expensify notifications).

  2. We should also filter it out here so it's not counted towards the Members subtitle.
  3. [Optional] We should also add the same check here to show not found page if we go to the profile directly, and also here for the profile page
const shouldShowBlockingView = (!hasMinimumDetails && !isLoading) || accountID === CONST.ACCOUNT_ID.NOTIFICATIONS;

And also update here to

hasMinimumDetails && !shouldShowBlockingView

So it won't show the profile if shouldShowBlockingView is true (in the case accountID is Expensify notifications account). Or we can wrap it in FullPageNotFoundView like other pages.

What alternative solutions did you explore? (Optional)

Other actions like Private notes, Reply in thread, Prevent viewing profile can also be restricted based on the same list. I think we need to define a list of things that we cannot do on that account and fix all at once.


shubham1206agra commented Dec 5, 2023

Proposal

Please re-state the problem that we are trying to solve in this issue

Thread - You can go to the notifications@expensify.com profile and send a private message

What is the root cause of that problem?

This is due to missing restrictions on email chat in navigateToAndOpenReportWithAccountIDs.

What changes do you think we should make in order to solve the problem?

Add restrictions in the function and disable showing the message icon (Maybe disable reply, etc.). We should do this by creating a CONST called special accounts, which will be an array containing accounts from CONST.ACCOUNT_ID, and its structure will be a key-value pair, in which value will be restricted actions with the key account. This will make the account restrictions robust in nature.

What alternative solutions did you explore? (Optional)

@chiItepin

Proposal

Please re-state the problem that we are trying to solve in this issue.

The user is able to send a private message to an official Expensify user that is meant to behave like a bot.

What is the root cause of that problem?

In ProfilePage we are only not showing up the "message" button to current user and anonymous users

What changes do you think we should make in order to solve the problem?

We should expand and consolidate the condition to not include certain known bot accounts so that the MenuItem is not rendered

What alternative solutions did you explore? (Optional)

Reminder: Please use plain English, be brief and avoid jargon. Feel free to use images, charts or pseudo-code if necessary. Do not post large multi-line diffs or write walls of text. Do not create PRs unless you have been hired for this job.


mkhutornyi commented Dec 5, 2023

Proposal

Please re-state the problem that we are trying to solve in this issue.

You can reply to a message that came from the notifications@expensify.com profile

What is the root cause of that problem?

Specific accounts are not disabled here:

isDisabled: ReportUtils.isOptimisticPersonalDetail(participant.accountID),

Also, we allow viewing profile here:

<FullPageNotFoundView shouldShow={_.isEmpty(login)}>

This condition checks only login existence. Not checking restricted accountID

What changes do you think we should make in order to solve the problem?

compare accountID with CONST.ACCOUNT_ID.NOTIFICATIONS and add that condition to above 2 links

We can create util function for further restricted accountIDs in the future


yh-0218 commented Dec 5, 2023

Proposal

Please re-state the problem that we are trying to solve in this issue.

You can reply to a message that came from the notifications@expensify.com profile

What is the root cause of that problem?

We didn't consider the notification account here

What changes do you think we should make in order to solve the problem?

We need to update like this to disable notification account profile.

isDisabled: ReportUtils.isOptimisticPersonalDetail(participant.accountID) || participant.accountID === CONST.ACCOUNT_ID.NOTIFICATIONS

What alternative solutions did you explore? (Optional)

Screen.Recording.2023-12-05.at.9.35.23.PM.mov
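
The proposals above converge on one restricted-account list that is checked at every place the account can be reached: the members list, the profile page and chat creation. A sketch of that idea as an added example, not code from the Expensify repository or from any commenter; the numeric account ID, the `ACTION` names and all function names are hypothetical.

```javascript
// Hypothetical constants: the real value of CONST.ACCOUNT_ID.NOTIFICATIONS is not on this page.
const ACCOUNT_ID = {NOTIFICATIONS: 1001}; // constructed placeholder
const ACTION = {VIEW_PROFILE: 'viewProfile', MESSAGE: 'message', LIST_AS_MEMBER: 'listAsMember'};

// accountID -> actions a user must not be able to perform on that account.
const RESTRICTED_ACTIONS = new Map([
    [ACCOUNT_ID.NOTIFICATIONS, new Set([ACTION.VIEW_PROFILE, ACTION.MESSAGE, ACTION.LIST_AS_MEMBER])],
]);

// Single decision point. Route params from a deep link arrive as strings, so normalise first.
function isActionAllowed(accountID, action) {
    const restricted = RESTRICTED_ACTIONS.get(Number(accountID));
    return !(restricted && restricted.has(action));
}

// The members list and the "N members" subtitle should both derive from this filtered list.
function getVisibleParticipants(participants) {
    return participants.filter((p) => isActionAllowed(p.accountID, ACTION.LIST_AS_MEMBER));
}

// Profile route guard: a deep link reaches the page even when no UI element points to it.
function shouldShowProfileNotFound(accountID, hasMinimumDetails, isLoading) {
    return (!hasMinimumDetails && !isLoading) || !isActionAllowed(accountID, ACTION.VIEW_PROFILE);
}

// Enforced at the action itself, so hiding the "Message" button is not the only control.
function openChatWith(accountIDs) {
    const blocked = accountIDs.filter((id) => !isActionAllowed(id, ACTION.MESSAGE));
    if (blocked.length > 0) {
        return {opened: false, blocked};
    }
    return {opened: true, blocked: []};
}

// Constructed sample: participants of a thread created on a scan-failure system message.
const participants = [
    {accountID: 1001, login: 'notifications@expensify.com'},
    {accountID: 42, login: 'alice@example.com'},
];
```

A client-side check like this only shapes the UI and navigation; the server still has to reject messages addressed to the system account.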

@melvin-bot melvin-bot bot added the Overdue label Dec 8, 2023

melvin-bot bot commented Dec 11, 2023

@puneetlath, @0xmiroslav Eep! 4 days overdue now. Issues have feelings too...


melvin-bot bot commented Dec 12, 2023

📣 It's been a week! Do we have any satisfactory proposals yet? Do we need to adjust the bounty for this issue? 💸


0xmiros commented Dec 12, 2023

We're preventing thread for whisper messages - #31676
Similarly, should we prevent thread as well for system messages coming from notifications@expensify.com?
cc: @puneetlath

@melvin-bot melvin-bot bot removed the Overdue label Dec 12, 2023
@puneetlath
Contributor

Posted in #wave5 about what the ideal behavior should be here: https://expensify.slack.com/archives/C05DWUDHVK7/p1702577149414069

@puneetlath
Contributor

Going to assign to @dylanexpensify to figure out ideal behavior and distribute as part of wave5.

@dylanexpensify dylanexpensify changed the title [$500] Thread - You can go to the notifications@expensify.com profile and send a private message [$500] LOW: Thread - You can go to the notifications@expensify.com profile and send a private message Dec 14, 2023
@dylanexpensify dylanexpensify added the SmartScan Wave5-free-submitters label Dec 14, 2023

melvin-bot bot commented Dec 18, 2023

@dylanexpensify, @0xmiroslav Whoops! This issue is 2 days overdue. Let's get this updated quick!

@melvin-bot melvin-bot bot added the Overdue label Dec 18, 2023

melvin-bot bot commented Jan 27, 2024

📣 @mkhutornyi 🎉 An offer has been automatically sent to your Upwork account for the Contributor role 🎉 Thanks for contributing to the Expensify app!

Offer link
Upwork job
Please accept the offer and leave a comment on the Github issue letting us know when we can expect a PR to be ready for review 🧑‍💻
Keep in mind: Code of Conduct | Contributing 📖

@melvin-bot melvin-bot bot added the Overdue label Jan 29, 2024
@dylanexpensify
Contributor

@mkhutornyi when can we expect PR?

@melvin-bot melvin-bot bot removed the Overdue label Jan 29, 2024
@mkhutornyi
Contributor

raising PR today. Not overdue, was just weekend

@melvin-bot melvin-bot bot added Reviewing Has a PR in review Weekly KSv2 and removed Daily KSv2 labels Jan 30, 2024
@dylanexpensify
Contributor

Nice! @fedirjh to review!

@dylanexpensify
Contributor

@fedirjh mind giving an update


fedirjh commented Feb 13, 2024

PR is ready to get merged. Just awaiting feedback about a code change related to TS migration:

@melvin-bot melvin-bot bot added Weekly KSv2 Awaiting Payment Auto-added when associated PR is deployed to production and removed Weekly KSv2 labels Feb 19, 2024
@melvin-bot melvin-bot bot changed the title [SMARTSCAN] [$500] Thread - You can go to the notifications@expensify.com profile and send a private message [HOLD for payment 2024-02-26] [SMARTSCAN] [$500] Thread - You can go to the notifications@expensify.com profile and send a private message Feb 19, 2024
@melvin-bot melvin-bot bot removed the Reviewing Has a PR in review label Feb 19, 2024

melvin-bot bot commented Feb 19, 2024

Reviewing label has been removed, please complete the "BugZero Checklist".


melvin-bot bot commented Feb 19, 2024

The solution for this issue has been 🚀 deployed to production 🚀 in version 1.4.42-5 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

If no regressions arise, payment will be issued on 2024-02-26. 🎊

For reference, here are some details about the assignees on this issue:


melvin-bot bot commented Feb 19, 2024

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

  • [@fedirjh] The PR that introduced the bug has been identified. Link to the PR:
  • [@fedirjh] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:
  • [@fedirjh] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:
  • [@fedirjh] Determine if we should create a regression test for this bug.
  • [@fedirjh] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.
  • [@dylanexpensify] Link the GH issue for creating/updating the regression test once above steps have been agreed upon:

@greg-schroeder greg-schroeder changed the title [HOLD for payment 2024-02-26] [SMARTSCAN] [$500] Thread - You can go to the notifications@expensify.com profile and send a private message [HOLD for payment 2024-02-26] [$500] [MEDIUM] Smartscan: Thread - You can go to the notifications@expensify.com profile and send a private message Feb 20, 2024
@dylanexpensify
Contributor

payment coming up!


fedirjh commented Feb 26, 2024

BugZero Checklist:

@dylanexpensify
Contributor

payment today!

@dylanexpensify
Contributor

Payment summary:

Please apply

@dylanexpensify
Contributor

paid!
