[$500] Web - Admin can submit and approve their own report when "Prevent Self-Approval" is on #36425
Comments
kbecciv
added
External
melvin-bot
bot
changed the title
|
Job added to Upwork: https://www.upwork.com/jobs/~011beabd7ddef2a97c |
melvin-bot
bot
added
the
Help Wanted
|
Triggered auto assignment to Contributor-plus team member for initial proposal review - @alitoshmatov ( |
|
Triggered auto assignment to @kevinksullivan ( |
|
We think that this bug might be related #wave7-collect-approvers |
ProposalPlease re-state the problem that we are trying to solve in this issue.We are able to approve reports in newdot when we configured on old dot to now allow this. What is the root cause of that problem?We are not using the logic What changes do you think we should make in order to solve the problem?We can use the condition that determines We can additionally decide to just remove the approval button as well if this condition is met. The conditions that determine the rendering of the button is found here: App/src/components/SettlementButton.tsx Line 36 in 19e2849 What alternative solutions did you explore? (Optional) |
ProposalPlease re-state the problem that we are trying to solve in this issue.Admin is allowed to approve it's own expense report even when "Prevent Self-Approval" is enabled. What is the root cause of that problem?The FE does not check is the user is self approving and always display the submit button. This can be seen here: App/src/components/MoneyReportHeader.tsx Line 81 in d50d603 App/src/components/MoneyReportHeader.tsx Lines 133 to 142 in d50d603 What changes do you think we should make in order to solve the problem?We create a new method on ReportUtils.ts called function isAllowedToSumitDraftExpenseReport(report: OnyxEntry<Report>): boolean {
const policy = getPolicy(report?.policyID);
const {submitsTo, isPreventSelfApprovalEnabled} = policy;
// return isPreventSelfApprovalEnabled && isSelfApproval
const isSelfApproval = currentUserAccountID === submitsTo;
return !isPreventSelfApprovalEnabled || !isSelfApproval;
}We then enable/disable the Submit button based on the value of <Button
medium
success={isWaitingForSubmissionFromCurrentUser}
text={translate('common.submit')}
style={[styles.mnw120, styles.pv2, styles.pr0]}
onPress={() => IOU.submitReport(moneyRequestReport)}
isDisabled={!ReportUtils.isAllowedToSumitDraftExpenseReport(chatReport)}
/>Note that there are two buttons on the same component (mobile/desktop) and the logic must be applied to both. Similar logic needs to be implemented on ReportPreview.tsx to hide/show or disable/enable the Submit button from the report preview. Here's a couple of screenshots:
There's also another issue here with the APPROVAL. Currently the front end will show the "Oops, you can't submit to yourself" message but if it's already submitted, it will not show a similar message when the next action is "Approve". See screenshot.
If you click approve the backend won't let you because you can't approve your own reports. I propose we apply a similar logic to check for self-approval here: Lines 188 to 243 in d50d603 Using similar logic we have here: Lines 163 to 182 in d50d603 For the sake of DRY, make the logic above use the new Once this part is taken care of we also have to disable the approve button on the FE. We can do this by passing There might also be yet another issue where the FE is allowing us to
If this is really not intentional, we need to update the App/src/components/ReportActionItem/ReportPreview.tsx Lines 219 to 222 in 9c4c4ac And here: App/src/components/MoneyReportHeader.tsx Lines 79 to 82 in 9c4c4ac To check if report is approved or not. What alternative solutions did you explore? (Optional)Reminder: Please use plain English, be brief and avoid jargon. Feel free to use images, charts or pseudo-code if necessary. Do not post large multi-line diffs or write walls of text. Do not create PRs unless you have been hired for this job. |
|
@jeremy-croff Thank you for your proposal. There is not much details in your proposal and you are only suggesting to disable approve button whereas in OP expected result is to prevent user from submitting proposal to themself when self approving is disabled. |
|
@barros001 Thank you for your proposal. Did you mean to say |
Yes, that was an oversight of mine. I'll update the proposal to reflect that. We can apply the same/similar logic to disable the |
|
So it looks like I have the steps for approval, and @barros001 for submit. And we need a combination of both. |
|
@kevinksullivan, @alitoshmatov Whoops! This issue is 2 days overdue. Let's get this updated quick! |
|
📣 It's been a week! Do we have any satisfactory proposals yet? Do we need to adjust the bounty for this issue? 💸 |
ProposalAdded other scenarios that need to be accounted for such as displaying a message saying that user can't approve their own report, disabling the Approve button in this scenario and also removing the payment buttons if report is not yet approved (pending determination is that's really how it should behave). |
|
We can go with @barros001 's proposal @barros001 One note, can't we just not show approve button? C+ reviewed 🎀 👀 🎀 |
|
Triggered auto assignment to @lakchote, see https://stackoverflow.com/c/expensify/questions/7972 for more details. |
Do you mean hiding the approve button on this drop-down?
We could, but I don't think any of these options should really be available if the report is not approved. If I try clicking Pay, backend won't let me (BE doesn't return any specific message but I'm assuming it's because you can't pay it until it's approved), so disabling the main button so the entire drop-down is disabled sounds like the right thing here. Unless you mean instead of disabling, just hiding the button (both the settlement dropdown - which contains the approve - and the submit button). That could work as well and was in fact my first thought, but then I thought this would look weird without a button: 
Let me know what you think is best and we can adjust it on the PR. |
|
I was meaning whole button with dropdown. But let's see what @lakchote thinks about it |
|
This issue has not been updated in over 15 days. @barros001, @lakchote, @kevinksullivan, @alitoshmatov eroding to Monthly issue. P.S. Is everyone reading this sure this is really a near-term priority? Be brave: if you disagree, go ahead and close it out. If someone disagrees, they'll reopen it, and if they don't: one less thing to do! |
|
The PR went into production in 27th of march, only payment is left. |
I was wondering the same as it didn’t technically break something but rather was a missed edge case during implementation. |
|
Friendly bump. |
|
I'd say it's not a regression and more of an edge case that wasn't properly handled. Thoughts @kevinksullivan? |
|
@kevinksullivan Friendly bump |
|
@kevinksullivan @lakchote @alitoshmatov looks like this bug slip through the cracks. Just wanted to bump it one more time. |
|
DMed @kevinksullivan to make sure this is not missed. |
|
Sorry for the delay, I missed this. |
|
had to create a new job @barros001 @alitoshmatov . Lmk when you accept https://www.upwork.com/ab/applicants/1793302649633525760/job-details |
|
@kevinksullivan accepted, thanks! |
|
paid @barros001 |
|
Accepted the offer |
|
@kevinksullivan Bump |
|
Contributor: @barros001 paid $500 via Upwork (by Kev, as mentioned above) This looks like a bug we'd want a regression test for, do you agree @alitoshmatov ? IF so, please fill out the BZ checklist below. BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:
|
mallenexpensify
added
Daily
|
|
@mallenexpensify Completed the checklist |
|
Are we should we don't want a regression test for this? It was a bug that didn't come from an existing regression test. |
|
Waiting for @alitoshmatov response here |
|
@mallenexpensify I think regression tests created in this #28771 should be sufficient.
Based on this comment I think existing regression test steps are the same as test steps in #34450 which caught this issue as OP states:
But we can create a new regression test specifically for this case if needed, let me know your thoughts |
|
Thanks @alitoshmatov , I agree, closing Section is likely this one (there are many) |
If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!
Version Number: v1.4.40-4
Reproducible in staging?: y
Reproducible in production?: y
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Expensify/Expensify Issue URL:
Issue reported by: Applause - Internal Team
Slack conversation:
Issue found when executing PR #34450
Action Performed:
Precondition:
Expected Result:
Admin will be prevented from submitting and approving the report as indicated by this line " Looks like you're submitting to yourself. Approving your own reports is forbidden by your policy." in Next step message.
Actual Result:
Admin is able to submit and approve their own report when "Prevent Self-Approval" is enabled.
Workaround:
Unknown
Platforms:
Which of our officially supported platforms is this issue occurring on?
Screenshots/Videos
Add any screenshot/video evidence
Bug6378275_1707840606490.20240214_000634.mp4
View all open jobs on GitHub
Upwork Automation - Do Not Edit
Issue Owner
Current Issue Owner: @kevinksullivanThe text was updated successfully, but these errors were encountered: