Fix/30654: Only allow admins to manually edit distance request amount and currency #31778

Merged
2 changes: 1 addition & 1 deletion src/components/ReportActionItem/MoneyRequestView.js
Expand Up @@ -116,7 +116,7 @@ function MoneyRequestView({report, parentReport, parentReportActions, policyCate
const isSettled = ReportUtils.isSettled(moneyRequestReport.reportID);
const isCancelled = moneyRequestReport && moneyRequestReport.isCancelledIOU;
const canEdit = ReportUtils.canEditMoneyRequest(parentReportAction);
const canEditAmount = canEdit && !isSettled && !isCardTransaction;
const canEditAmount = ReportUtils.canEditMoneyRequest(parentReportAction, CONST.EDIT_REQUEST_FIELD.AMOUNT, transaction) && !isSettled && !isCardTransaction;
const canEditReceipt = ReportUtils.canEditFieldOfMoneyRequest(parentReportAction, moneyRequestReport.reportID, CONST.EDIT_REQUEST_FIELD.RECEIPT);

// A flag for verifying that the current report is a sub-report of a workspace chat
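Review bot: The new `canEditAmount` line re-encodes the settled rule inline (`&& !isSettled`) while the very next line routes the receipt check through `ReportUtils.canEditFieldOfMoneyRequest`, which in ReportUtils.ts already lists AMOUNT in `nonEditableFieldsWhenSettled` — the amount permission now has two sources of truth that can drift. Consider `const canEditAmount = ReportUtils.canEditFieldOfMoneyRequest(parentReportAction, moneyRequestReport.reportID, CONST.EDIT_REQUEST_FIELD.AMOUNT, transaction) && !isCardTransaction;` so the distance-request rule and the settled rule are evaluated in one place, provided the rest of that helper (not visible here) adds no condition you do not want applied to amounts. The `canEdit` constant above is kept and presumably still used further down; `MoneyRequestView`'s body continues outside this section.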
16 changes: 12 additions & 4 deletions src/libs/ReportUtils.ts
Expand Up @@ -1812,7 +1812,7 @@ function getTransactionDetails(transaction: OnyxEntry<Transaction>, createdDateF
* - the current user is the requestor and is not settled yet
* - or the user is an admin on the policy the expense report is tied to
*/
function canEditMoneyRequest(reportAction: OnyxEntry<ReportAction>, fieldToEdit = ''): boolean {
function canEditMoneyRequest(reportAction: OnyxEntry<ReportAction>, fieldToEdit = '', transaction?: OnyxEntry<Transaction>): boolean {
const isDeleted = ReportActionsUtils.isDeletedAction(reportAction);

if (isDeleted) {
Expand All @@ -1839,11 +1839,14 @@ function canEditMoneyRequest(reportAction: OnyxEntry<ReportAction>, fieldToEdit
const isApproved = isReportApproved(moneyRequestReport);
const isAdmin = isExpenseReport(moneyRequestReport) && (getPolicy(moneyRequestReport?.policyID ?? '')?.role ?? '') === CONST.POLICY.ROLE.ADMIN;
const isRequestor = currentUserAccountID === reportAction?.actorAccountID;
const isDistanceRequest = !isEmpty(transaction) && TransactionUtils.isDistanceRequest(transaction);

if (isAdmin && !isRequestor && fieldToEdit === CONST.EDIT_REQUEST_FIELD.RECEIPT) {
return false;
}

if (isDistanceRequest && fieldToEdit === CONST.EDIT_REQUEST_FIELD.AMOUNT) {
return isAdmin;
}
if (isAdmin) {
return true;
}
Expand All @@ -1855,7 +1858,12 @@ function canEditMoneyRequest(reportAction: OnyxEntry<ReportAction>, fieldToEdit
* Checks if the current user can edit the provided property of a money request
*
*/
function canEditFieldOfMoneyRequest(reportAction: OnyxEntry<ReportAction>, reportID: string, fieldToEdit: ValueOf<typeof CONST.EDIT_REQUEST_FIELD>): boolean {
function canEditFieldOfMoneyRequest(
reportAction: OnyxEntry<ReportAction>,
reportID: string,
fieldToEdit: ValueOf<typeof CONST.EDIT_REQUEST_FIELD>,
transaction: OnyxEntry<Transaction>,
): boolean {
// A list of fields that cannot be edited by anyone, once a money request has been settled
const nonEditableFieldsWhenSettled: string[] = [
CONST.EDIT_REQUEST_FIELD.AMOUNT,
Expand All @@ -1866,7 +1874,7 @@ function canEditFieldOfMoneyRequest(reportAction: OnyxEntry<ReportAction>, repor
];

// Checks if this user has permissions to edit this money request
if (!canEditMoneyRequest(reportAction, fieldToEdit)) {
if (!canEditMoneyRequest(reportAction, fieldToEdit, transaction)) {
return false; // User doesn't have permission to edit
}

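Review bot: The new `transaction` parameter on `canEditMoneyRequest` is optional and `isDistanceRequest` evaluates to false when it is omitted, so any caller that checks `CONST.EDIT_REQUEST_FIELD.AMOUNT` without passing the transaction silently gets the old, more permissive answer — the new restriction fails open rather than closed. If making the parameter required is too invasive, at least state the contract in the JSDoc above the function, e.g. `* - for distance requests only a policy admin may edit the amount; callers checking AMOUNT must pass the transaction`, and keep the admin-only branch where it sits, ahead of the generic `if (isAdmin) return true` early return. The PR title also names currency, yet the new `if` compares `fieldToEdit` to AMOUNT only; if currency is a distinct `EDIT_REQUEST_FIELD` value it is not covered by this change. This is a client-side gate, so the server-side validation (not visible here) must enforce the same rule for it to be meaningful. The remainder of `canEditMoneyRequest` and the body of `canEditFieldOfMoneyRequest` continue outside the hunks.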
4 changes: 2 additions & 2 deletions src/pages/EditRequestPage.js
Expand Up @@ -104,15 +104,15 @@ function EditRequestPage({report, route, parentReport, policyCategories, policyT
// Decides whether to allow or disallow editing a money request
useEffect(() => {
// Do not dismiss the modal, when a current user can edit this property of the money request.
if (ReportUtils.canEditFieldOfMoneyRequest(parentReportAction, parentReport.reportID, fieldToEdit)) {
if (ReportUtils.canEditFieldOfMoneyRequest(parentReportAction, parentReport.reportID, fieldToEdit, transaction)) {
return;
}

// Dismiss the modal when a current user cannot edit a money request.
Navigation.isNavigationReady().then(() => {
Navigation.dismissModal();
});
}, [parentReportAction, parentReport.reportID, fieldToEdit]);
}, [parentReportAction, parentReport.reportID, fieldToEdit, transaction]);

// Update the transaction object and close the modal
function editMoneyRequest(transactionChanges) {
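Review bot: The effect treats a not-yet-loaded `transaction` exactly like a non-distance request: `canEditFieldOfMoneyRequest` receives `undefined`, the distance rule cannot fire, and the modal stays open until a later render re-runs the check with the loaded transaction (which the added dependency does ensure). For `fieldToEdit === CONST.EDIT_REQUEST_FIELD.AMOUNT` it would be safer to defer the decision while `transaction` is undefined — e.g. `if (fieldToEdit === CONST.EDIT_REQUEST_FIELD.AMOUNT && !transaction) { return; }` paired with the save action being disabled until the transaction is present — so a non-admin requestor cannot act inside that window; whether the prop can actually be undefined on first render depends on how it is supplied, which is outside this section. `editMoneyRequest` starts on the last visible line and its body is not shown.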