[aimane-chnaif please complete] [HOLD for payment 2023-07-26] [$1000] Web - The user added to workspace can see invite page but can't add the members #21998

Closed
1 of 6 tasks
kbecciv opened this issue Jun 30, 2023 · 35 comments
Labels
Awaiting Payment Auto-added when associated PR is deployed to production Bug Something is broken. Auto assigns a BugZero manager. Daily KSv2 External Added to denote the issue can be worked on by a contributor

@kbecciv

kbecciv commented Jun 30, 2023

If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!


Action Performed:

  1. User A - Create a workspace and add user B
  2. Now go to workspace's invite member page, copy the url after the base - something like - /workspace/<workspace id>/invite
  3. Now go to different browser where user B is logged in.
  4. Append the copied part to url after the base urls, ex - https://staging.new.expensify.com/workspace/<workspace id>/invite
  5. Notice the User B can see the invite page
  6. Try inviting a user to the workspace by following the workflow

Expected Result:

If user doesn't have permission to invite new members to workspace, the page should provide the error message

Actual Result:

User can see the invite page and can invite the user but after adding gives the error

Workaround:

Unknown

Platforms:

Which of our officially supported platforms is this issue occurring on?

  • Android / native
  • Android / Chrome
  • iOS / native
  • iOS / Safari
  • MacOS / Chrome / Safari
  • MacOS / Desktop

Version Number: 1.3.34-1
Reproducible in staging?: y
Reproducible in production?: y
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Notes/Photos/Videos: Any additional supporting documentation

workspace.invite.link.error.mp4
Recording.3350.mp4

Expensify/Expensify Issue URL:
Issue reported by: @BhuvaneshPatil
Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1688059822067529

View all open jobs on GitHub

Upwork Automation - Do Not Edit
  • Upwork Job URL: https://www.upwork.com/jobs/~0148a57d74a819953e
  • Upwork Job ID: 1676321039486058496
  • Last Price Increase: 2023-07-04
@kbecciv kbecciv added Daily KSv2 Bug Something is broken. Auto assigns a BugZero manager. labels Jun 30, 2023
@melvin-bot

melvin-bot bot commented Jun 30, 2023

Triggered auto assignment to @sonialiap (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

@melvin-bot

melvin-bot bot commented Jun 30, 2023

Bug0 Triage Checklist (Main S/O)

  • This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
  • This bug is not a duplicate report (check E/App issues and #expensify-bugs)
    • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
  • This bug is reproducible using the reproduction steps in the OP. S/O
    • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
    • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
  • This issue is filled out as thoroughly and clearly as possible
    • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
  • I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync

@kbecciv
Author

kbecciv commented Jun 30, 2023

Proposal

by @BhuvaneshPatil

Please re-state the problem that we are trying to solve in this issue.

The user added to workspace can see invite page but can't add the members

What is the root cause of that problem?

There are two ways to go to invite members page in workspace -

  1. Using workspace settings page - go to workspace -> members -> invite
  2. Directly pasting the link as mentioned
    For the first way, we are checking if the current user has access to workspace settings -
    ```jsx
    <FullPageNotFoundView
        onBackButtonPress={() => Navigation.goBack(ROUTES.SETTINGS_WORKSPACES)}
        shouldShow={_.isEmpty(props.policy) || !Policy.isPolicyOwner(props.policy)}
        subtitleKey={_.isEmpty(props.policy) ? undefined : 'workspace.common.notAuthorized'}
    >
    ```

    We are providing error if the props.policy is empty.
    But in the case of directly pasting link we land on WorkspaceInvitePage, we don't have any access checks for this.

What changes do you think we should make in order to solve the problem?

We shall wrap the workspace invite page with FullPageNotFoundView, that will display error if policy is empty.
We shall create a new error message for subtitleKey.

What alternative solutions did you explore? (Optional)

@ghost

ghost commented Jul 1, 2023

Proposal

Please re-state the problem that we are trying to solve in this issue.

Web - The user added to workspace can see invite page but can't add the members

What is the root cause of that problem?

In WorkspaceInitialPage, let's see

shouldShow={_.isEmpty(props.policy) || !Policy.isPolicyOwner(props.policy)}

We have a condition to check if the current user is admin or not and show FullPageNotFoundView

The root cause: in WorkspaceMembersPage, we don't add the condition to check if the current user is the workspace's admin

shouldShow={_.isEmpty(props.policy)}

This bug also happens in WorkspaceInitialPage, WorkspaceInviteMessagePage, ReimbursementAccountPage, BankAccountStep, CompanyStep, RequestorStep

What changes do you think we should make in order to solve the problem?

In WorkspaceInitialPage, WorkspaceInviteMessagePage, ReimbursementAccountPage, we should add this condition to the shouldShow prop

!Policy.isPolicyOwner(props.policy)

In BankAccountStep, CompanyStep, RequestorStep, we should wrap these components with

```jsx
<FullPageNotFoundView
    onBackButtonPress={() => Navigation.goBack(ROUTES.SETTINGS_WORKSPACES)}
    shouldShow={_.isEmpty(props.policy) || !Policy.isPolicyOwner(props.policy)}
    subtitleKey={_.isEmpty(props.policy) ? undefined : 'workspace.common.notAuthorized'}
>
```

What alternative solutions did you explore? (Optional)

@melvin-bot

melvin-bot bot commented Jul 1, 2023

Looks like something related to react-navigation may have been mentioned in this issue discussion.

As a reminder, please make sure that all proposals are not workarounds and that any and all attempt to fix the issue holistically have been made before proceeding with a solution. Proposals to change our DeprecatedCustomActions.js files should not be accepted.

Feel free to drop a note in #expensify-open-source with any questions.

@BhuvaneshPatil
Contributor

BhuvaneshPatil commented Jul 1, 2023

Proposal

by @BhuvaneshPatil

Please re-state the problem that we are trying to solve in this issue.

The user added to workspace can see invite page but can't add the members

What is the root cause of that problem?

There are two ways to go to invite members page in workspace -

1. Using workspace settings page - go to workspace -> members -> invite

2. Directly pasting the link as mentioned
   For the first way, we are checking if the current user has access to workspace settings -
   https://github.com/Expensify/App/blob/0bbf3fccfce0994ddf4fd9e95fb33dd9edbd1868/src/pages/workspace/WorkspaceInitialPage.js#L178-L182
   
   We are providing error if the `props.policy` is empty.
   But in the case of directly pasting link we land on `WorkspaceInvitePage`, we don't have any access checks for this.

What changes do you think we should make in order to solve the problem?

We shall wrap the workspace invite page with FullPageNotFoundView, that will display error if policy is empty. We shall create a new error message for subtitleKey.

What alternative solutions did you explore? (Optional)

The code diff will be -

  shouldShow={_.isEmpty(props.policy) || !Policy.isAdminOfFreePolicy([props.policy])}

This is for <FullPageNotFoundView/>, that will be wrapped around WorkspaceInvitePage component

Above will be the condition if we decide to only give access for admin of policy

This proposal was written for WorkspaceInvitePage, but as pointed out by @ChengDzun, if we want to increase the scope for this and add other pages

expanding upon the proposal -
We can add similar logic to other places as well, as suggested above, i.e. WorkspaceInviteMessagePage

@melvin-bot melvin-bot bot added the Overdue label Jul 3, 2023
@sonialiap
Contributor

sonialiap commented Jul 4, 2023

Reproducible, triaging to external

Expected result: only admin can access workspace settings, including the invite page. So anyone else who tries to follow the workspace link would get an error.

@melvin-bot melvin-bot bot removed the Overdue label Jul 4, 2023
@sonialiap
Contributor

We had a similar issue here for accessing the Workspace > Settings page via a copied URL. Linking in case it's useful for selecting a solution to this issue #18910

@sonialiap sonialiap added the External Added to denote the issue can be worked on by a contributor label Jul 4, 2023
@melvin-bot melvin-bot bot changed the title Web - The user added to workspace can see invite page but can't add the members [$1000] Web - The user added to workspace can see invite page but can't add the members Jul 4, 2023
@melvin-bot

melvin-bot bot commented Jul 4, 2023

Job added to Upwork: https://www.upwork.com/jobs/~0148a57d74a819953e

@melvin-bot melvin-bot bot added the Help Wanted Apply this label when an issue is open to proposals by contributors label Jul 4, 2023
@melvin-bot

melvin-bot bot commented Jul 4, 2023

Current assignee @sonialiap is eligible for the External assigner, not assigning anyone new.

@melvin-bot

melvin-bot bot commented Jul 4, 2023

Triggered auto assignment to Contributor-plus team member for initial proposal review - @aimane-chnaif (External)

@sonialiap
Contributor

@aimane-chnaif what do you think of the above proposals?

@melvin-bot melvin-bot bot added Overdue and removed Overdue labels Jul 6, 2023
@aimane-chnaif
Contributor

@BhuvaneshPatil can you please list all workspace pages which have this issue?

@melvin-bot melvin-bot bot removed the Overdue label Jul 10, 2023
@BhuvaneshPatil
Contributor

Sure @aimane-chnaif, I will look through the pages and will update you here.

@BhuvaneshPatil
Contributor

BhuvaneshPatil commented Jul 10, 2023

@aimane-chnaif
Here are my findings -

  1. WorkspaceMembersPage
  2. WorkspaceInvitePage
  3. WorkspaceInviteMessagePage
  4. ReimbursementAccountPage
    ```jsx
    if (_.isEmpty(this.props.policy)) {
        return (
            <ScreenWrapper>
                <FullPageNotFoundView
                    shouldShow
                    onBackButtonPress={() => Navigation.navigate(ROUTES.SETTINGS_WORKSPACES)}
                    shouldShowLink
                />
            </ScreenWrapper>
        );
    }
    ```

We can add conditions here, to check if the current user is policy owner.

I have tried going to every route related to workspace, this is how much I could find out. Will keep you posted here.

@aimane-chnaif
Contributor

@BhuvaneshPatil's proposal looks good to me.
Once we confirm that there are no other pages which have the same issue in addition to #21998 (comment), we can go ahead with the PR.
🎀 👀 🎀 C+ reviewed

@melvin-bot melvin-bot bot removed the Help Wanted Apply this label when an issue is open to proposals by contributors label Jul 12, 2023
@melvin-bot

melvin-bot bot commented Jul 12, 2023

📣 @aimane-chnaif 🎉 An offer has been automatically sent to your Upwork account for the Reviewer role 🎉 Thanks for contributing to the Expensify app!

Upwork job

@melvin-bot

melvin-bot bot commented Jul 12, 2023

📣 @BhuvaneshPatil 🎉 An offer has been automatically sent to your Upwork account for the Contributor role 🎉 Thanks for contributing to the Expensify app!

Upwork job
Please accept the offer and leave a comment on the Github issue letting us know when we can expect a PR to be ready for review 🧑‍💻
Keep in mind: Code of Conduct | Contributing 📖

@melvin-bot

melvin-bot bot commented Jul 12, 2023

📣 @BhuvaneshPatil 🎉 An offer has been automatically sent to your Upwork account for the Reporter role 🎉 Thanks for contributing to the Expensify app!

Upwork job

@melvin-bot melvin-bot bot added Reviewing Has a PR in review Weekly KSv2 Awaiting Payment Auto-added when associated PR is deployed to production and removed Daily KSv2 labels Jul 12, 2023
@melvin-bot melvin-bot bot changed the title [$1000] Web - The user added to workspace can see invite page but can't add the members [HOLD for payment 2023-07-26] [$1000] Web - The user added to workspace can see invite page but can't add the members Jul 19, 2023
@melvin-bot melvin-bot bot removed the Reviewing Has a PR in review label Jul 19, 2023
@melvin-bot

melvin-bot bot commented Jul 19, 2023

Reviewing label has been removed, please complete the "BugZero Checklist".

@melvin-bot

melvin-bot bot commented Jul 19, 2023

The solution for this issue has been 🚀 deployed to production 🚀 in version 1.3.42-26 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

If no regressions arise, payment will be issued on 2023-07-26. 🎊

After the hold period is over and BZ checklist items are completed, please complete any of the applicable payments for this issue, and check them off once done.

  • External issue reporter
  • Contributor that fixed the issue
  • Contributor+ that helped on the issue and/or PR

As a reminder, here are the bonuses/penalties that should be applied for any External issue:

  • Merged PR within 3 business days of assignment - 50% bonus
  • Merged PR more than 9 business days after assignment - 50% penalty

@melvin-bot

melvin-bot bot commented Jul 19, 2023

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

  • [@aimane-chnaif] The PR that introduced the bug has been identified. Link to the PR:
  • [@aimane-chnaif] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:
  • [@aimane-chnaif] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:
  • [@aimane-chnaif] Determine if we should create a regression test for this bug.
  • [@aimane-chnaif] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.
  • [@sonialiap] Link the GH issue for creating/updating the regression test once above steps have been agreed upon:

@melvin-bot melvin-bot bot added Daily KSv2 and removed Weekly KSv2 labels Jul 25, 2023
@sonialiap
Contributor

@BhuvaneshPatil report, fix, bonus ($1750) - paid ✔️
@aimane-chnaif review, bonus ($1500) - paid ✔️

@sonialiap
Contributor

@aimane-chnaif please complete the checklist

@melvin-bot melvin-bot bot added the Overdue label Jul 28, 2023
@melvin-bot

melvin-bot bot commented Jul 31, 2023

@AndrewGable, @sonialiap, @BhuvaneshPatil, @aimane-chnaif Huh... This is 4 days overdue. Who can take care of this?

@sonialiap
Contributor

@aimane-chnaif bump to complete the checklist

@melvin-bot melvin-bot bot added Overdue and removed Overdue labels Aug 1, 2023
@melvin-bot

melvin-bot bot commented Aug 4, 2023

@AndrewGable, @sonialiap, @BhuvaneshPatil, @aimane-chnaif Whoops! This issue is 2 days overdue. Let's get this updated quick!

@sonialiap
Contributor

@aimane-chnaif waiting on you to complete the checklist

@melvin-bot melvin-bot bot removed the Overdue label Aug 7, 2023
@sonialiap sonialiap changed the title [HOLD for payment 2023-07-26] [$1000] Web - The user added to workspace can see invite page but can't add the members [aimane-chnaif please complete] [HOLD for payment 2023-07-26] [$1000] Web - The user added to workspace can see invite page but can't add the members Aug 7, 2023
@aimane-chnaif
Contributor

No PRs caused regression. This case was missed while implementing policy pages.
We recently added a new item to the checklist, related to deep links:

  • If the PR modifies a component or page that can be accessed by a direct deeplink, I verified that the code functions as expected when the deeplink is used - from a logged in and logged out account.

So this is enough for regression test case
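
A sketch of the deep-link check named in the checklist item above, as an added example that is not part of the thread or of Expensify's code: it models the two `shouldShow` conditions quoted in the proposals and lists which workspace URLs a non-admin member can render by pasting them directly. The route paths other than `/invite`, the policy shape and all helper names are assumptions.

```javascript
// Added illustration, not Expensify code. Policy shape, helper names and the
// /workspace/<id> and /members paths are assumptions; only /invite is on the page.
const isEmpty = (obj) => !obj || Object.keys(obj).length === 0;
// Simplified stand-in for the Policy.isPolicyOwner(props.policy) check quoted in the thread.
const isPolicyAdmin = (policy) => policy.role === 'admin';

// The two shouldShow conditions quoted in the thread, as predicates that return
// true when the not-found view must replace the page.
const emptyOnly = (policy) => isEmpty(policy);
const emptyOrNotAdmin = (policy) => isEmpty(policy) || !isPolicyAdmin(policy);

const route = (suffix, page, guard) => ({
    pattern: new RegExp(`^/workspace/([^/]+)${suffix}$`), page, guard,
});

// Before the fix: only the settings landing page checks the role.
const routesBefore = [
    route('', 'WorkspaceInitialPage', emptyOrNotAdmin),
    route('/members', 'WorkspaceMembersPage', emptyOnly),
    route('/invite', 'WorkspaceInvitePage', null),
];
// After the fix: every page applies the same condition itself.
const routesAfter = routesBefore.map((r) => ({...r, guard: emptyOrNotAdmin}));

// Resolve a pasted URL as a deep link does: straight to the page, with no
// parent page (and therefore no parent guard) in between.
function resolveDeepLink(routes, path, policiesForUser) {
    for (const r of routes) {
        const match = r.pattern.exec(path);
        if (!match) continue;
        const policy = policiesForUser[match[1]] || {};
        if (!r.guard || !r.guard(policy)) return {page: r.page, view: 'page'};
        return {page: r.page, view: isEmpty(policy) ? 'notFound' : 'notAuthorized'};
    }
    return {page: null, view: 'notFound'};
}

// Regression check: which URLs render a real page for this user?
function reachableByDeepLink(routes, paths, policiesForUser) {
    return paths.filter((p) => resolveDeepLink(routes, p, policiesForUser).view === 'page');
}

// Constructed sample data: user A administers ws1, user B is a plain member.
const PATHS = ['/workspace/ws1', '/workspace/ws1/members', '/workspace/ws1/invite'];
const userA = {ws1: {id: 'ws1', role: 'admin'}};
const userB = {ws1: {id: 'ws1', role: 'user'}};

console.log('B before:', reachableByDeepLink(routesBefore, PATHS, userB));
console.log('B after: ', reachableByDeepLink(routesAfter, PATHS, userB));
console.log('A after: ', reachableByDeepLink(routesAfter, PATHS, userA));
```

This guard only decides what the client renders; per the report's Actual Result, the invite attempt itself still ended in an error, so the page guard sits alongside that check rather than replacing it.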

@sonialiap
Contributor

Thanks!
