[$250] Hide "Reveal Details" button when logged in as Copilot #57618
Comments
Triggered auto assignment to @greg-schroeder ( |
Job added to Upwork: https://www.upwork.com/jobs/~021895518523085098853 |
Triggered auto assignment to Contributor-plus team member for initial proposal review - @fedirjh ( |
🚨 Edited by proposal-police: This proposal was edited at 2025-02-28 18:01:20 UTC.
Proposal
Please re-state the problem that we are trying to solve in this issue.
Missing email in "Please enter the magic code sent to" when revealing card details as copilot
What is the root cause of that problem?
When acting as a delegate, the
What changes do you think we should make in order to solve the problem?
Use the util here to fallback to
Lines 260 to 262 in 9672b4a
We can optionally apply this same fix to other pages using
What specific scenarios should we cover in automated tests to prevent reintroducing this issue in the future?
None - UI bug
What alternative solutions did you explore? (Optional)
None |
Proposal
Please re-state the problem that we are trying to solve in this issue.
What is the root cause of that problem?
In case of copilot, the
What changes do you think we should make in order to solve the problem?
to:
Additionally, we need to add a modal to handle restricted access. This modal should be placed at
as follows:
What specific scenarios should we cover in automated tests to prevent reintroducing this issue in the future?
What alternative solutions did you explore? (Optional) |
@greg-schroeder I believe we should prevent copilots from revealing card details for security and privacy reasons, especially if their role is limited. What are your thoughts? |
Proposal
Please re-state the problem that we are trying to solve in this issue.
Missing email in "Please enter the magic code sent to" when revealing card details as copilot
What is the root cause of that problem?
The primaryLogin is fetched from the current account's primary login value. When someone co-pilots in the account we do not have this field set, as now we are acting as a delegate. This causes the bug in the OP. This is the RCA:
What changes do you think we should make in order to solve the problem?
I tested the steps in the OP and observed that the magic code is sent to the email ID of the original account holder. So for our case it won't make any sense to show the input code modal or blocking modal as the code is never sent to the co-piloted account. So I propose to hide the

```tsx
// True when the current session is acting on another user's account as a copilot.
const isSignedInAsdelegate = !!account?.delegatedAccess?.delegate || false;

<MenuItemWithTopDescription
    description={translate('cardPage.virtualCardNumber')}
    title={maskCard('')}
    interactive={false}
    titleStyle={styles.walletCardNumber}
    shouldShowRightComponent
    rightComponent={
        // Render the button only when NOT signed in as a delegate, so copilots never see it.
        !isSignedInAsdelegate ? (
            <Button
                text={translate('cardPage.cardDetails.revealDetails')}
                onPress={() => openValidateCodeModal(card.cardID)}
                isDisabled={isCardDetailsLoading[card.cardID] || isOffline}
                isLoading={isCardDetailsLoading[card.cardID]}
            />
        ) : undefined
    }
/>
```

This will make sure that whether the delegate has full or limited access we never show them the button, as it is not of any use.
Minor style adjustments can be made during PR phase.
What specific scenarios should we cover in automated tests to prevent reintroducing this issue in the future?
We write up a UI test for this bug: we should update the onyx data to show that the current user has been logged in as a copilot, then render the virtual expensify card page, and confirm that we do not have the reveal details button.
What alternative solutions did you explore? (Optional)

```tsx
const primaryLogin = formatPhoneNumber(currentUserPersonalDetails?.login ?? '');
```
|
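The delegate check from the proposal above, applied both where the button is rendered and in the action handler, and run over the account states a test should cover. This is an added example, not code from the thread or from the Expensify app; apart from `account.delegatedAccess.delegate`, every name, field and value in it is a hypothetical stand-in.

```javascript
// Added example, not Expensify code. Only the account.delegatedAccess.delegate
// check comes from the proposal; all other names and fields are hypothetical.

// True when the session is acting on another user's account as a copilot.
function isActingAsDelegate(account) {
    return Boolean(account?.delegatedAccess?.delegate);
}

// Sensitive card actions the UI may render. Full and limited copilots are
// treated alike, as decided in the thread.
function getCardActions(account, card, {isOffline = false, isLoading = false} = {}) {
    if (isActingAsDelegate(account)) {
        return [];
    }
    return [{id: 'revealDetails', cardID: card.cardID, isDisabled: isOffline || isLoading}];
}

// The handler repeats the check, so a stale render cannot start the
// magic-code flow. requestValidateCode is a hypothetical callback.
function revealDetails(account, card, requestValidateCode) {
    if (isActingAsDelegate(account)) {
        return {started: false, reason: 'delegate'};
    }
    requestValidateCode(card.cardID);
    return {started: true};
}

// Constructed account states for the three cases worth testing.
const card = {cardID: 'card-1'};
const owner = {primaryLogin: 'owner@example.com'};
// Owner who has granted copilot access but is acting as themselves.
const ownerWithCopilots = {primaryLogin: 'owner@example.com', delegatedAccess: {delegates: ['copilot@example.com']}};
// Copilot session: delegate is set and primaryLogin is absent.
const copilotSession = {delegatedAccess: {delegate: 'copilot@example.com'}};

const requested = [];
for (const account of [owner, ownerWithCopilots, copilotSession]) {
    const visible = getCardActions(account, card).map((a) => a.id);
    const result = revealDetails(account, card, (id) => requested.push(id));
    console.log(visible, result);
}
```

The middle case matters for a regression test: an owner who merely has copilots configured must still see the button.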
@fedirjh @greg-schroeder I think we shouldn't show the button at all because the magic code goes to the original account and not to the account the co-pilot is on regardless of full or limited, my proposal outlines the same |
Okay, confirmed we don't allow Full Access Copilots to view virtual card details via delegated access; I think that's for obvious reasons, and we shouldn't do that for NewDot either. |
In that case, I think this issue should be adjusted to say: "Block Copilots from attempting to access virtual card details" |
@greg-schroeder In this PR, a new DelegateNoAccessModal was introduced. As mentioned in the PR details:
This means that instead of hiding buttons from the copilot, we simply display the restriction modal when they attempt to interact with them. Following the same logic, in this case, we should also show the restriction modal when the copilot clicks on the reveal button. |
Confirming with the team the best approach: https://expensify.slack.com/archives/C03U7DCU4/p1741013290450699 Stand by |
All right; team consensus is to mirror OldDot behavior and simply hide the "Show Details" button; this shouldn't be accessible by Copilots in the first place. While this PR did introduce the I updated the issue title and OP |
I think this might actually be more of a #retain issue rather than #quality given the change in scope |
Next up is proposal adjustments most likely, then review by @fedirjh |
📣 It's been a week! Do we have any satisfactory proposals yet? Do we need to adjust the bounty for this issue? 💸 |
@twilight2294's proposal looks good to me. |
@fedirjh I am unsure why my proposal did not look good enough. But my proposal is mostly similar to the selected proposal and includes an extra case which should be handled here. And I request that, even if you don't change your mind and want to continue with the currently selected proposal, you please ask the contributor to handle case 2 I mentioned in my proposal as well, to avoid an extra issue. Thank you. |
@fedirjh can you also put the 🎀 👀 🎀 C+ reviewed label here please, internal engineer didn't get assigned here |
Friendly bump @fedirjh on the above so we can assign someone to confirm contributor assignment <3 |
@ChavdaSachin Thanks for your proposal and for highlighting the extra case! The selected proposal is complete, includes a testing plan, and addresses the main issue. Since your proposal is nearly identical, I proceeded with the selected one. The extra case you mentioned should be handled in review. Appreciate your input! |
@twilight2294's proposal looks good to me. Let's cover the extra case mentioned by @ChavdaSachin. 🎀 👀 🎀 C+ reviewed |
Triggered auto assignment to @iwiznia, see https://stackoverflow.com/c/expensify/questions/7972 for more details. |
📣 @ChavdaSachin 🎉 An offer has been automatically sent to your Upwork account for the Contributor role 🎉 Thanks for contributing to the Expensify app! Offer link |
Proposal looks good. Are there other places where we ask for a validate code that we need to update too besides this one? |
Oh crap, sorry, yes I totally assigned the wrong person |
📣 @twilight2294 🎉 An offer has been automatically sent to your Upwork account for the Contributor role 🎉 Thanks for contributing to the Expensify app! Offer link |
@fedirjh I think such simple UI changes do not need any tests. |
Hey @twilight2294 let me know once you have a draft PR up so we can link it to the issue, thanks! |
@fedirjh PR ready for review |
@greg-schroeder PR is here: |
If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!
Version Number: 9.1.7-1
Reproducible in staging?: Y
Reproducible in production?: Y
If this was caught on HybridApp, is this reproducible on New Expensify Standalone?: N/A
If this was caught during regression testing, add the test name, ID and link from TestRail: N/A
Email or phone of affected tester (no customers): applausetester+sj9032@applause.expensifail.com
Issue reported by: Applause - Internal Team
Action Performed:
Precondition:
Expected Result:
"Reveal Details" button is hidden from view
Actual Result:
"Reveal Details" button is clickable and prompts a magic code to be sent with inconsistent UI
Workaround:
Unknown
Platforms:
Which of our officially supported platforms is this issue occurring on?
Screenshots/Videos
Add any screenshot/video evidence
Bug6757593_1740754288053.20250228_224146.mp4
View all open jobs on GitHub
Upwork Automation - Do Not Edit
Issue Owner
Current Issue Owner: @fedirjh