
[HOLD for payment 2023-12-28] [$500] Task - user can edit task details even if user is not assigned nor task creator #31863

Closed
6 tasks done
lanitochka17 opened this issue Nov 25, 2023 · 27 comments
Assignees
Labels
Awaiting Payment Auto-added when associated PR is deployed to production Bug Something is broken. Auto assigns a BugZero manager. Daily KSv2 External Added to denote the issue can be worked on by a contributor

Comments

@lanitochka17

lanitochka17 commented Nov 25, 2023



Version Number: 1.4.3-0
Reproducible in staging?: Y
Reproducible in production?: Y
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Expensify/Expensify Issue URL:
Issue reported by: Applause - Internal Team
Slack conversation:

Action Performed:

  1. Create a workspace
  2. Go to settings > workspace > members
  3. Add userB as member
  4. Go to #announce
  5. Click on + icon and select assign task
  6. Enter title and description
  7. Assign it to yourself and create a task
  8. Sign in as userB
  9. Go to task report screen
  10. Edit the task details

Expected Result:

Only task creator or assignee can edit the task details

Actual Result:

Anyone from room can edit the task details

Workaround:

Unknown

Platforms:

Which of our officially supported platforms is this issue occurring on?

  • Android: Native
  • Android: mWeb Chrome
  • iOS: Native
  • iOS: mWeb Safari
  • MacOS: Chrome / Safari
  • MacOS: Desktop

Screenshots/Videos


Bug6286742_1700717240618.Screen_Recording_2023-11-22_at_12.47.35_PM.mp4


Upwork Automation - Do Not Edit
  • Upwork Job URL: https://www.upwork.com/jobs/~011716884c6ff12695
  • Upwork Job ID: 1728446042061295616
  • Last Price Increase: 2023-11-25
  • Automatic offers:
    • Ollyws | Reviewer | 27874125
    • DylanDylann | Contributor | 27874126
@lanitochka17 lanitochka17 added External Added to denote the issue can be worked on by a contributor Daily KSv2 Bug Something is broken. Auto assigns a BugZero manager. labels Nov 25, 2023
@melvin-bot melvin-bot bot changed the title Task - user can edit task details even if user is not assigned nor task creator [$500] Task - user can edit task details even if user is not assigned nor task creator Nov 25, 2023

melvin-bot bot commented Nov 25, 2023

Triggered auto assignment to @isabelastisser (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.


melvin-bot bot commented Nov 25, 2023

Job added to Upwork: https://www.upwork.com/jobs/~011716884c6ff12695

@melvin-bot melvin-bot bot added the Help Wanted Apply this label when an issue is open to proposals by contributors label Nov 25, 2023

melvin-bot bot commented Nov 25, 2023

Bug0 Triage Checklist (Main S/O)

  • This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
  • This bug is not a duplicate report (check E/App issues and #expensify-bugs)
    • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
  • This bug is reproducible using the reproduction steps in the OP. S/O
    • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
    • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
  • This issue is filled out as thoroughly and clearly as possible
    • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
  • I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync


melvin-bot bot commented Nov 25, 2023

Triggered auto assignment to Contributor-plus team member for initial proposal review - @Ollyws (External)

@DylanDylann
Contributor

DylanDylann commented Nov 25, 2023

Proposal

Please re-state the problem that we are trying to solve in this issue.

Task - user can edit task details even if user is not assigned nor task creator

What is the root cause of that problem?

Let's see the condition to modify the task

function canModifyTask(taskReport, sessionAccountID) {

Because the members of the workspace have permission to comment in the announce room, by the above condition they can also edit the task report in that room.

Let's look at this PR: #23971
We allow members in a group to edit the task in that group. But we don't prevent the same thing in the policy room

What changes do you think we should make in order to solve the problem?

We need to add a condition to check if it is a policy room (announce room); in that case we will only allow the admin of the policy or the assignee to edit the task.

const parentReport = ReportUtils.getParentReport(taskReport);
const policy = allPolicies[`${ONYXKEYS.COLLECTION.POLICY}${parentReport.policyID}`];

if (ReportUtils.isAnnounceRoom(parentReport) && lodashGet(policy, 'role', '') !== CONST.POLICY.ROLE.ADMIN) {
    return false;
}

If we want to do the same behavior in normal room, we will update to use isChatRoom function instead of isAnnounceRoom

What alternative solutions did you explore? (Optional)

@giltron

giltron commented Nov 25, 2023

Proposal

Please re-state the problem that we are trying to solve in this issue.

Member of workspace (not admin) is allowed to edit a task they are not assigned to

What is the root cause of that problem?

During canModifyTask, the check is not correct, as it only validates that the user is a part of any parent (as per the comments, it's only supposed to be #admins).

  // If you don't have access to the task report (maybe haven't opened it yet), check if you can access the parent report
  // - If the parent report is an #admins only room
  // - If you are a policy admin
  var parentReport = ReportUtils.getParentReport(taskReport);
  return ReportUtils.isAllowedToComment(parentReport);

What changes do you think we should make in order to solve the problem?

Within canModifyReport it should be added (as per notes) that the parent report is an #admins only, or they are a policy admin


const policyReports = ReportUtils.getAllPolicyReports(parentReport.policyID);
return ReportUtils.isAllowedToComment(parentReport) && (ReportUtils.isAdminRoom(parentReport) || (!ReportUtils.isAdminRoom(parentReport) && ReportUtils.isPolicyAdmin(parentReport.policyID, [policyReports])));


What alternative solutions did you explore? (Optional)

N/A

@melvin-bot melvin-bot bot added the Overdue label Nov 28, 2023
@Ollyws
Contributor

Ollyws commented Nov 28, 2023

@DylanDylann's proposal LGTM; however, I think we should also add the ability for the creator of the task to edit it, not just the admin/assignee.

🎀👀🎀 C+ reviewed


melvin-bot bot commented Nov 28, 2023

Triggered auto assignment to @aldo-expensify, see https://stackoverflow.com/c/expensify/questions/7972 for more details.

@DylanDylann
Contributor

@Ollyws

Currently, we have logic to make sure that the creator and assignee always have permission to edit the task:

if (sessionAccountID === getTaskOwnerAccountID(taskReport) || sessionAccountID === getTaskAssigneeAccountID(taskReport)) {

@melvin-bot melvin-bot bot removed the Help Wanted Apply this label when an issue is open to proposals by contributors label Nov 29, 2023

melvin-bot bot commented Nov 29, 2023

📣 @Ollyws 🎉 An offer has been automatically sent to your Upwork account for the Reviewer role 🎉 Thanks for contributing to the Expensify app!

Offer link
Upwork job


melvin-bot bot commented Nov 29, 2023

📣 @DylanDylann 🎉 An offer has been automatically sent to your Upwork account for the Contributor role 🎉 Thanks for contributing to the Expensify app!

Offer link
Upwork job
Please accept the offer and leave a comment on the Github issue letting us know when we can expect a PR to be ready for review 🧑‍💻
Keep in mind: Code of Conduct | Contributing 📖

@DylanDylann
Contributor

@aldo-expensify @Ollyws
Because this issue only mentions the bug in the announce room, could you help to confirm that we will only allow assignee, creator, and admin of the room to edit the task?

  1. In both the policy room and normal room,
  2. Only apply to announce room

@melvin-bot melvin-bot bot added Reviewing Has a PR in review Weekly KSv2 and removed Daily KSv2 labels Nov 29, 2023
@DylanDylann
Contributor

@Ollyws The PR is ready for review

@Ollyws
Contributor

Ollyws commented Nov 30, 2023

@DylanDylann I think it makes sense that only the assignee, creator, and admin should be able to edit the task in all rooms. Let me know if you disagree @aldo-expensify.

@aldo-expensify
Contributor

aldo-expensify commented Nov 30, 2023

That makes sense to me too!
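A minimal model of the permission check before and after the rule agreed above (assignee, creator, or policy admin in any room), written as an added example that is not Expensify's code; the data shapes, helper names and the per-account role map are assumptions:

```javascript
// Added example: a toy model of canModifyTask as discussed in this thread.
// Not Expensify code; report/policy shapes and helper names are assumptions.

// Constructed sample data: one workspace (P1) with an admin (1), a task
// creator (2), a task assignee (3) and a plain member (4); all four can
// comment in the #announce room that the task was created in.
const policies = { P1: { roles: { 1: 'admin', 2: 'user', 3: 'user', 4: 'user' } } };
const reports = {
  R1: { reportID: 'R1', policyID: 'P1', chatType: 'announce', participants: [1, 2, 3, 4] },
};
const task = { reportID: 'T1', parentReportID: 'R1', ownerAccountID: 2, managerID: 3 };

function getParentReport(taskReport) { return reports[taskReport.parentReportID]; }
function isAllowedToComment(report, accountID) { return report.participants.includes(accountID); }
function isPolicyAdmin(policyID, accountID) {
  const policy = policies[policyID];
  return Boolean(policy) && policy.roles[accountID] === 'admin';
}
function isOwnerOrAssignee(taskReport, accountID) {
  return accountID === taskReport.ownerAccountID || accountID === taskReport.managerID;
}

// Before the fix: after the creator/assignee short-circuit, the fallback asks
// "can this user comment in the parent room?", which every workspace member
// can in #announce, so room membership silently grants edit rights.
function canModifyTaskBefore(taskReport, sessionAccountID) {
  if (isOwnerOrAssignee(taskReport, sessionAccountID)) return true;
  const parentReport = getParentReport(taskReport);
  return Boolean(parentReport) && isAllowedToComment(parentReport, sessionAccountID);
}

// After the fix (rule agreed in this thread): creator, assignee, or an admin
// of the policy that owns the parent room; everyone else is denied, and a
// missing parent report fails closed.
function canModifyTaskAfter(taskReport, sessionAccountID) {
  if (isOwnerOrAssignee(taskReport, sessionAccountID)) return true;
  const parentReport = getParentReport(taskReport);
  return Boolean(parentReport) && isPolicyAdmin(parentReport.policyID, sessionAccountID);
}

// Who can edit the task under a given check; account 4 is the case this
// issue reports (plain member, neither creator, assignee nor admin).
function editMatrix(check) {
  return Object.fromEntries([1, 2, 3, 4].map((id) => [id, check(task, id)]));
}
```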

@DylanDylann
Contributor

@Ollyws I did that in my PR. Please help to review.

@isabelastisser
Contributor

@Ollyws please provide an update. Thanks!

@Ollyws
Contributor

Ollyws commented Dec 18, 2023

PR was merged a few days ago.

@melvin-bot melvin-bot bot added Weekly KSv2 Awaiting Payment Auto-added when associated PR is deployed to production and removed Weekly KSv2 labels Dec 21, 2023
@melvin-bot melvin-bot bot changed the title [$500] Task - user can edit task details even if user is not assigned nor task creator [HOLD for payment 2023-12-28] [$500] Task - user can edit task details even if user is not assigned nor task creator Dec 21, 2023
@melvin-bot melvin-bot bot removed the Reviewing Has a PR in review label Dec 21, 2023

melvin-bot bot commented Dec 21, 2023

Reviewing label has been removed, please complete the "BugZero Checklist".


melvin-bot bot commented Dec 21, 2023

The solution for this issue has been 🚀 deployed to production 🚀 in version 1.4.14-6 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

If no regressions arise, payment will be issued on 2023-12-28. 🎊

After the hold period is over and BZ checklist items are completed, please complete any of the applicable payments for this issue, and check them off once done.

  • External issue reporter
  • Contributor that fixed the issue
  • Contributor+ that helped on the issue and/or PR

For reference, here are some details about the assignees on this issue:


melvin-bot bot commented Dec 21, 2023

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

  • [@Ollyws] The PR that introduced the bug has been identified. Link to the PR:
  • [@Ollyws] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:
  • [@Ollyws] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:
  • [@Ollyws] Determine if we should create a regression test for this bug.
  • [@Ollyws] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.
  • [@isabelastisser] Link the GH issue for creating/updating the regression test once above steps have been agreed upon:


melvin-bot bot commented Jan 1, 2024

@Ollyws, @isabelastisser, @aldo-expensify, @DylanDylann Huh... This is 4 days overdue. Who can take care of this?


@isabelastisser
Contributor

@Ollyws, please complete the checklist above so I can close the issue. Thanks!

I will process the payments in Upwork.

@melvin-bot melvin-bot bot removed the Overdue label Jan 2, 2024
@Ollyws Ollyws mentioned this issue Jan 3, 2024
56 tasks
@Ollyws
Contributor

Ollyws commented Jan 3, 2024

BugZero Checklist:

  • The PR that introduced the bug has been identified. Link to the PR:

#23971

  • The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:

https://github.com/Expensify/App/pull/23971/files#r1440342282

  • A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:

N/A

  • Determine if we should create a regression test for this bug.

Yes.

@Ollyws
Contributor

Ollyws commented Jan 3, 2024

Regression Test Proposal

1. Create a workspace
2. Go to settings > workspace > members
3. Add userB as member
4. Go to #announce
5. Click on + icon and select assign task
6. Enter title and description
7. Assign it to yourself and create a task
8. Sign in as userB
9. Go to task report screen
10. Edit the task details
11. Verify that user B can't edit task

Do we agree 👍 or 👎

@isabelastisser
Contributor

All set!
