[$125] Delete card transactions when "allow deleting transactions" is disabled on card feed

[joekaufmanexpensify]

Context

Third-party workspace card feeds in NewDot have an "allow deleting transactions" toggle on the feed settings. You should not be able to delete any card transactions imported while it was deleted. Similarly, you should be able to delete any transactions imported while it is enabled. The rule only applies to new transactions, eg: if you import transactions while this is disabled and later enable it, those past transactions can't be deleted and vice versa.

Problem

As discussed here, you can currently delete card transactions imported when this toggle is disabled, counter to how this feature is supposed to work.

2024-12-19_13-52-37.mp4

Solution

the default value for liabilityType (even when not saved in the JSON) should be personal for now.

Issue Owner

Current Issue Owner: @

Upwork Automation - Do Not Edit

• Upwork Job URL: https://www.upwork.com/jobs/~021879495944828519700
• Upwork Job ID: 1879495944828519700
• Last Price Increase: 2025-01-15
• Automatic offers:
• DylanDylann | Reviewer | 105721402
• nkdengineer | Contributor | 105721404

[melvin-bot]

Triggered auto assignment to @kadiealexander (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details. Please add this bug to a GH project, as outlined in the SO.

[kadiealexander]

Just noting that I'll be OOO until Jan 6th, not reassigning given most people will be out but please tag someone online from the bug zero team if any urgent action is needed!

[DylanDylann]

I would love to help on this issue as C+

[mountiny]

@DylanDylann not sure if there is much to do for you here

[melvin-bot]

@mountiny, @kadiealexander, @DylanDylann Whoops! This issue is 2 days overdue. Let's get this updated quick!

[mountiny]

Havent got around yet

[melvin-bot]

@mountiny, @kadiealexander, @DylanDylann Whoops! This issue is 2 days overdue. Let's get this updated quick!

[melvin-bot]

@mountiny @kadiealexander @DylanDylann this issue was created 2 weeks ago. Are we close to a solution? Let's make sure we're treating this as a top priority. Don't hesitate to create a thread in #expensify-open-source to align faster in real time. Thanks!

[melvin-bot]

@mountiny, @kadiealexander, @DylanDylann Eep! 4 days overdue now. Issues have feelings too...

[mountiny]

On my list

[nkuoch]

Will start looking tomorrow

[nkuoch]

@robertjchen Does this feature already exist on oldDot? Do we currently store it at feed level? When scraping, do we currently store it a transaction level? If it's all new, did we already decide on where the deletable state should be stored at feed and transaction level? Thanks!

[nkuoch]

I couldn't reproduce. I connected my corporate card, then toggled off allow deleting transactions then assigned myself a card, which imported transactions. I didn't have the option to delete those (because "liabilityType":"corporate" was set in the eNVPs when the transactions got imported).

@joekaufmanexpensify Are you sure you toggled "allow deleting transactions" off BEFORE the transactions got imported?

Settings apply only for transactions imported after the setting was set.

[mountiny]

Actually discussing this one in here with @joekaufmanexpensify https://expensify.slack.com/archives/C07HPDRELLD/p1736538317020839 I thin there might be a bug in the default value we use in App as the default value in backend is personal

[DylanDylann]

@mountiny As I see, this is the condition to display "Delete expense" button

App/src/libs/ReportUtils.ts

Line 1978 in 12f4847

function canAddOrDeleteTransactions(moneyRequestReport: OnyxEntry<Report>): boolean {

And I don't see any condition that relates to liabilityType. It means that the "Delete expense" button will be always displayed no matter what the value of liabilityType is

[melvin-bot]

@nkuoch, @mountiny, @kadiealexander, @DylanDylann Huh... This is 4 days overdue. Who can take care of this?

[mountiny]

But Nathalie for example could not see the button

[mountiny]

I think the conclusion from Slack that we want to change the default to be corporate. I would treat that as a separate issue though as we will need to update it across stack and for oldDot too - will require more testing.

In the meantime, I would update the App code to correctly treaty default (no liabilityType means personal for now)
@DylanDylann do you want to make a proposal for that?

[melvin-bot]

Job added to Upwork: https://www.upwork.com/jobs/~021879495944828519700

[melvin-bot]

Current assignee @DylanDylann is eligible for the External assigner, not assigning anyone new.

[melvin-bot]

Upwork job price has been updated to $125

[DylanDylann]

I will create a proposal here if there are no contributors post proposal in a day

[saadi123]

Here's the approach that I plan to follow for this issue in your app.

Technical Approach:

Identify the Source of the Bug:

Review the conditional logic in the front-end React Native components responsible for rendering the delete option.
Investigate the API endpoint handling the delete transaction requests to ensure proper validation of user permissions based on the "enable delete transaction" setting.

### Front-End Fix:

Locate the component that displays the delete button (likely in the transaction detail view).
Ensure that the button's visibility is conditional on the "enable delete transaction" setting.
Implement a state management solution to track the "enable delete transaction" setting reliably and pass it down as props to the relevant components.

### Back-End Validation:

Enhance the API endpoint that handles transaction deletion to double-check the "enable delete transaction" setting server-side.
Add middleware or a service layer validation to ensure that delete operations are blocked if the setting is disabled.
This ensures a defense-in-depth strategy, preventing unauthorized deletion even if front-end checks fail.
Testing Strategy:

Write unit tests for the front-end components to validate that the delete button is hidden when the setting is off.
Implement integration tests for the API to verify that delete requests are rejected when the setting is disabled.
Perform manual testing in a staging environment to simulate various user scenarios and confirm the fix.

I hope this makes sense.

Contributor Details
Expensify account email: saadpaki@gmail.com
Upwork Profile Link: https://www.upwork.com/freelancers/~017ebfe5c4c42a00f3

[melvin-bot]

📣 @saadi123! 📣
Hey, it seems we don’t have your contributor details yet! You'll only have to do this once, and this is how we'll hire you on Upwork.
Please follow these steps:

1. Make sure you've read and understood the contributing guidelines.
2. Get the email address used to login to your Expensify account. If you don't already have an Expensify account, create one here. If you have multiple accounts (e.g. one for testing), please use your main account email.
3. Get the link to your Upwork profile. It's necessary because we only pay via Upwork. You can access it by logging in, and then clicking on your name. It'll look like this. If you don't already have an account, sign up for one here.
4. Copy the format below and paste it in a comment on this issue. Replace the placeholder text with your actual details.
   
   Format:

Contributor details
Your Expensify account email: <REPLACE EMAIL HERE>
Upwork Profile Link: <REPLACE LINK HERE>

[nkdengineer]

Proposal

Please re-state the problem that we are trying to solve in this issue.

Delete card transactions when "allow deleting transactions" is disabled on card feed

What is the root cause of that problem?

We are activating the 'allow deleting transactions' button when liabilityType is personal

App/src/pages/workspace/companyCards/WorkspaceCompanyCardsSettingsPage.tsx

Line 49 in 5133090

const isPersonal = liabilityType === CONST.COMPANY_CARDS.DELETE_TRANSACTIONS.ALLOW;

What changes do you think we should make in order to solve the problem?

We should change this condition to cover also the case where liabilityType is null as expected here

    const isPersonal = liabilityType !== CONST.COMPANY_CARDS.DELETE_TRANSACTIONS.RESTRICT;

App/src/libs/ReportUtils.ts

Line 1978 in 12f4847

function canAddOrDeleteTransactions(moneyRequestReport: OnyxEntry<Report>): boolean {

Optional: if we want to hide the delete expense button then we can update the function canAddOrDeleteTransactions return false when liabilityType !== CONST.COMPANY_CARDS.DELETE_TRANSACTIONS.RESTRICT

App/src/libs/ReportUtils.ts

Line 1978 in 12f4847

function canAddOrDeleteTransactions(moneyRequestReport: OnyxEntry<Report>): boolean {

What specific scenarios should we cover in automated tests to prevent reintroducing this issue in the future?

None

What alternative solutions did you explore? (Optional)

Reminder: Please use plain English, be brief and avoid jargon. Feel free to use images, charts or pseudo-code if necessary. Do not post large multi-line diffs or write walls of text. Do not create PRs unless you have been hired for this job.

[melvin-bot]

@nkuoch @mountiny @kadiealexander @DylanDylann this issue is now 4 weeks old, please consider:

• Finding a contributor to fix the bug
• Closing the issue if BZ has been unable to add the issue to a VIP or Wave project
• If you have any questions, don't hesitate to start a discussion in #expensify-open-source

Thanks!

[DylanDylann]

Let's go with @nkdengineer

🎀 👀 🎀 C+ Reviewed

[melvin-bot]

Current assignees @nkuoch and @mountiny are eligible for the choreEngineerContributorManagement assigner, not assigning anyone new.

[melvin-bot]

📣 @DylanDylann 🎉 An offer has been automatically sent to your Upwork account for the Reviewer role 🎉 Thanks for contributing to the Expensify app!

Offer link
Upwork job

[melvin-bot]

📣 @nkdengineer 🎉 An offer has been automatically sent to your Upwork account for the Contributor role 🎉 Thanks for contributing to the Expensify app!

Offer link
Upwork job
Please accept the offer and leave a comment on the Github issue letting us know when we can expect a PR to be ready for review 🧑‍💻
Keep in mind: Code of Conduct | Contributing 📖