[HOLD for payment 2024-02-14] [$500] Task – Able to edit task as room's member but not a member of Workspace #33420

Closed
3 of 6 tasks
kbecciv opened this issue Dec 21, 2023 · 81 comments
Assignees
Labels
Awaiting Payment Auto-added when associated PR is deployed to production Bug Something is broken. Auto assigns a BugZero manager. Daily KSv2 Engineering External Added to denote the issue can be worked on by a contributor

Comments

@kbecciv

kbecciv commented Dec 21, 2023

If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!


Version Number: v1.4.15-4
Reproducible in staging?: y
Reproducible in production?: y
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Expensify/Expensify Issue URL:
Issue reported by: Applause - Internal team
Slack conversation:

Action Performed:

  1. Go to https://staging.new.expensify.com/
  2. Log in
  3. Navigate to a Room Chat that has 2 or more participants
  4. Click on the + in the compose box and select "Assign task"
  5. Enter a Title only
  6. Create the task
  7. Log in as another participant of the #Room
  8. Navigate to the #Room conversation where the task was created
  9. Verify that user B can't edit task
  10. Log in as another participant of the #Room who is not a member of Workspace
  11. Navigate to the #Room conversation where the task was created
  12. Click on Assignee

Expected Result:

Able to edit task as room's member but not a member of Workspace

Actual Result:

Room's member but not a member of Workspace can't edit task

Workaround:

Unknown

Platforms:

Which of our officially supported platforms is this issue occurring on?

  • Android: Native
  • Android: mWeb Chrome
  • iOS: Native
  • iOS: mWeb Safari
  • MacOS: Chrome / Safari
  • MacOS: Desktop

Screenshots/Videos

Add any screenshot/video evidence

Bug6322845_1703172828811.Room_task.mp4


Upwork Automation - Do Not Edit
  • Upwork Job URL: https://www.upwork.com/jobs/~0118689f6671de101d
  • Upwork Job ID: 1737861669620363264
  • Last Price Increase: 2024-01-18
  • Automatic offers:
    • aimane-chnaif | Reviewer | 28121679
    • DylanDylann | Contributor | 28121680
@kbecciv kbecciv added External Added to denote the issue can be worked on by a contributor Daily KSv2 Bug Something is broken. Auto assigns a BugZero manager. labels Dec 21, 2023
@melvin-bot melvin-bot bot changed the title Task – Able to edit task as room's member but not a member of Workspace [$500] Task – Able to edit task as room's member but not a member of Workspace Dec 21, 2023

melvin-bot bot commented Dec 21, 2023

Job added to Upwork: https://www.upwork.com/jobs/~0118689f6671de101d


melvin-bot bot commented Dec 21, 2023

Triggered auto assignment to @puneetlath (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

@melvin-bot melvin-bot bot added the Help Wanted Apply this label when an issue is open to proposals by contributors label Dec 21, 2023

melvin-bot bot commented Dec 21, 2023

Bug0 Triage Checklist (Main S/O)

  • This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
  • This bug is not a duplicate report (check E/App issues and #expensify-bugs)
    • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
  • This bug is reproducible using the reproduction steps in the OP. S/O
    • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
    • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
  • This issue is filled out as thoroughly and clearly as possible
    • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
  • I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync


melvin-bot bot commented Dec 21, 2023

Triggered auto assignment to Contributor-plus team member for initial proposal review - @aimane-chnaif (External)

@namhihi237
Contributor

namhihi237 commented Dec 21, 2023

Proposal

Please re-state the problem that we are trying to solve in this issue.

Users in the same room can not modify the task

What is the root cause of that problem?

This issue comes from here.
We only allow a user who is an admin to modify a task in the room here, and if the user is a member of the WS we don't allow modification, but if the user is not in the WS the policyRole is empty so they can modify the task.

if (policyRole && (ReportUtils.isChatRoom(parentReport) || ReportUtils.isPolicyExpenseChat(parentReport)) && policyRole !== CONST.POLICY.ROLE.ADMIN) {
    return false;
}

What changes do you think we should make in order to solve the problem?

We should remove this logic to allow all members to edit the task

if (policyRole && (ReportUtils.isChatRoom(parentReport) || ReportUtils.isPolicyExpenseChat(parentReport)) && policyRole !== CONST.POLICY.ROLE.ADMIN) {
    return false;
}

Also we revert this PR

What alternative solutions did you explore? (Optional)

@unidev727
Contributor

unidev727 commented Dec 21, 2023

Proposal

from: @unicorndev-727

Please re-state the problem that we are trying to solve in this issue.

Users in the same room can not modify the task

What is the root cause of that problem?

The root cause is that we don't check whether the users are room members in the chatRoom here.

function canModifyTask(taskReport, sessionAccountID, policyRole = '') {
    if (ReportUtils.isCanceledTaskReport(taskReport)) {
        return false;
    }
    if (sessionAccountID === getTaskOwnerAccountID(taskReport) || sessionAccountID === getTaskAssigneeAccountID(taskReport)) {
        return true;
    }
    const parentReport = ReportUtils.getParentReport(taskReport);
    if (policyRole && (ReportUtils.isChatRoom(parentReport) || ReportUtils.isPolicyExpenseChat(parentReport)) && policyRole !== CONST.POLICY.ROLE.ADMIN) {
        return false;
    }
    // If you don't have access to the task report (maybe haven't opened it yet), check if you can access the parent report

What changes do you think we should make in order to solve the problem?

We need to add this condition in the canModifyTask method so that users who are members of the chat room can edit the task.

if (ReportUtils.isChatRoom(parentReport) && parentReport.participantAccountIDs.includes(sessionAccountID)) {
    return true;
}

screen-capture.4.webm
screen-capture.5.webm

What alternative solutions did you explore?

(Optional)
N/A

@FitseTLT
Contributor

Proposal

Please re-state the problem that we are trying to solve in this issue.

Able to edit task as room's member but not a member of Workspace

What is the root cause of that problem?

Now in canModifyTask we are not denying modifying a task if a user is only a member of the room but not a member of the workspace.

What changes do you think we should make in order to solve the problem?

We should disallow the user to modify if the user is not a member of the workspace in Task.canModifyTask
under here

if (policyRole && (ReportUtils.isChatRoom(parentReport) || ReportUtils.isPolicyExpenseChat(parentReport)) && policyRole !== CONST.POLICY.ROLE.ADMIN) {
    return false;
}

if (ReportUtils.isPolicyExpenseChat(parentReport) && !policyRole) {
    return false;
}

What alternative solutions did you explore? (Optional)

@puneetlath
Contributor

Coming from this discussion, the behavior we want is that any room member should be able to edit tasks created in the room.

@namhihi237
Contributor

updated proposal

@unidev727
Contributor

@puneetlath
I added the result video.

@melvin-bot melvin-bot bot added the Overdue label Dec 25, 2023

melvin-bot bot commented Dec 25, 2023

@puneetlath, @aimane-chnaif Whoops! This issue is 2 days overdue. Let's get this updated quick!


melvin-bot bot commented Dec 27, 2023

@puneetlath, @aimane-chnaif Huh... This is 4 days overdue. Who can take care of this?


melvin-bot bot commented Dec 28, 2023

📣 It's been a week! Do we have any satisfactory proposals yet? Do we need to adjust the bounty for this issue? 💸

@puneetlath
Contributor

@aimane-chnaif thoughts on the proposals?

@melvin-bot melvin-bot bot removed the Overdue label Dec 28, 2023
@DylanDylann
Contributor

@puneetlath Currently, if I create a new room in workspace A and create a new task in that room:

  • If we invite a new user (B) to that room, User B can edit this task
  • If we invite a new user (C) to the workspace A, User C can't edit this task

Please help to confirm the expected behavior. Note that in the previous issue we only allow the creator, admin and assignee to edit the task.

cc @aldo-expensify ping you here because we did a related task #31863 before

@melvin-bot melvin-bot bot added the Overdue label Jan 1, 2024

melvin-bot bot commented Jan 1, 2024

@puneetlath, @aimane-chnaif Whoops! This issue is 2 days overdue. Let's get this updated quick!


melvin-bot bot commented Jan 1, 2024

@puneetlath, @aimane-chnaif Uh oh! This issue is overdue by 2 days. Don't forget to update your issues!

@puneetlath
Contributor

puneetlath commented Jan 2, 2024

The expectation is that any room member can edit the task. Specifically when the task is in a room. cc @quinthar @thienlnam

@melvin-bot melvin-bot bot removed the Overdue label Jan 2, 2024
@unidev727
Contributor

unidev727 commented Jan 2, 2024

@puneetlath
Here my solution checks if the user is a room member and allows him to edit the task.

if (ReportUtils.isChatRoom(parentReport) && parentReport.participantAccountIDs.includes(sessionAccountID)) {
    return true;
}

@puneetlath puneetlath added External Added to denote the issue can be worked on by a contributor and removed Internal Requires API changes or must be handled by Expensify staff labels Jan 25, 2024
@melvin-bot melvin-bot bot added the Help Wanted Apply this label when an issue is open to proposals by contributors label Jan 25, 2024

melvin-bot bot commented Jan 25, 2024

Current assignee @aimane-chnaif is eligible for the External assigner, not assigning anyone new.

@melvin-bot melvin-bot bot removed the Help Wanted Apply this label when an issue is open to proposals by contributors label Jan 25, 2024

melvin-bot bot commented Jan 25, 2024

📣 @aimane-chnaif 🎉 An offer has been automatically sent to your Upwork account for the Reviewer role 🎉 Thanks for contributing to the Expensify app!

Offer link
Upwork job


melvin-bot bot commented Jan 25, 2024

📣 @DylanDylann 🎉 An offer has been automatically sent to your Upwork account for the Contributor role 🎉 Thanks for contributing to the Expensify app!

Offer link
Upwork job
Please accept the offer and leave a comment on the Github issue letting us know when we can expect a PR to be ready for review 🧑‍💻
Keep in mind: Code of Conduct | Contributing 📖

@melvin-bot melvin-bot bot added Reviewing Has a PR in review Weekly KSv2 and removed Daily KSv2 labels Jan 26, 2024
@DylanDylann
Contributor

@aimane-chnaif The PR is ready for review #35219

@melvin-bot melvin-bot bot added Weekly KSv2 Awaiting Payment Auto-added when associated PR is deployed to production and removed Weekly KSv2 labels Feb 7, 2024
@melvin-bot melvin-bot bot changed the title [$500] Task – Able to edit task as room's member but not a member of Workspace [HOLD for payment 2024-02-14] [$500] Task – Able to edit task as room's member but not a member of Workspace Feb 7, 2024

melvin-bot bot commented Feb 7, 2024

Reviewing label has been removed, please complete the "BugZero Checklist".

@melvin-bot melvin-bot bot removed the Reviewing Has a PR in review label Feb 7, 2024

melvin-bot bot commented Feb 7, 2024

The solution for this issue has been 🚀 deployed to production 🚀 in version 1.4.37-7 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

If no regressions arise, payment will be issued on 2024-02-14. 🎊

For reference, here are some details about the assignees on this issue:


melvin-bot bot commented Feb 7, 2024

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

  • [@aimane-chnaif / @DylanDylann] The PR that introduced the bug has been identified. Link to the PR:
  • [@aimane-chnaif / @DylanDylann] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:
  • [@aimane-chnaif / @DylanDylann] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:
  • [@aimane-chnaif / @DylanDylann] Determine if we should create a regression test for this bug.
  • [@aimane-chnaif / @DylanDylann] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.
  • [@puneetlath] Link the GH issue for creating/updating the regression test once above steps have been agreed upon:

@puneetlath
Contributor

@aimane-chnaif friendly reminder about the checklist so that we can pay in a couple of days.

@aimane-chnaif
Contributor

  • The PR that introduced the bug has been identified. Link to the PR: Fix/31863: Don't allow member to edit task in room #32165
  • The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment: https://github.com/Expensify/App/pull/32165/files#r1486566646
  • A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion: N/A
  • Determine if we should create a regression test for this bug.
  • If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.

Regression Test Proposal

  1. Create workspace A
  2. Create a room of above workspace
  3. Create the task in this room
  4. Invite user B, C to this room
  5. Invite user B to workspace A
  6. As user B, navigate to the room conversation where the task was created
  7. Verify that user B can edit task
  8. As user C, navigate to the room conversation where the task was created
  9. Verify that user C can edit task
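
The regression steps above, modelled as an added example (not Expensify's code, and not the merged fix from #35219, which this page does not show). It contrasts the role check quoted in the proposals, where an empty `policyRole` skips the deny branch, with the room-membership condition proposed in the thread. The object shapes, the participant fallback and user D (workspace member who is not in the room) are assumptions made for the model.

```javascript
// Simplified model of the authorization check discussed in this thread.
// Field names, fixtures and the final fallback are assumptions, not project code.
const ADMIN = 'admin';

const isOwnerOrAssignee = (task, id) => id === task.ownerAccountID || id === task.assigneeAccountID;
const isParticipant = (report, id) => report.participantAccountIDs.includes(id);
const isPolicyChat = (report) => report.isChatRoom || report.isPolicyExpenseChat;

// "Before": deny only when a role is present and it is not admin.
// A user outside the workspace has policyRole === '' and is never denied here.
function canModifyTaskBefore(task, parentReport, accountID, policyRole = '') {
    if (task.isCanceled) return false;
    if (isOwnerOrAssignee(task, accountID)) return true;
    if (policyRole && isPolicyChat(parentReport) && policyRole !== ADMIN) return false;
    // Assumed fallback for this model: access to the parent report.
    return isParticipant(parentReport, accountID);
}

// "After": room membership is decided explicitly before the role check,
// using the condition proposed in the thread.
function canModifyTaskAfter(task, parentReport, accountID, policyRole = '') {
    if (task.isCanceled) return false;
    if (isOwnerOrAssignee(task, accountID)) return true;
    if (parentReport.isChatRoom && isParticipant(parentReport, accountID)) return true;
    if (policyRole && isPolicyChat(parentReport) && policyRole !== ADMIN) return false;
    return isParticipant(parentReport, accountID);
}

// Constructed fixture: user 1 created the task; B is in the room and the
// workspace, C is in the room only, D is in the workspace but not the room.
const room = {isChatRoom: true, isPolicyExpenseChat: false, participantAccountIDs: [1, 2, 3]};
const task = {ownerAccountID: 1, assigneeAccountID: 0, isCanceled: false};
const users = {B: {id: 2, role: 'user'}, C: {id: 3, role: ''}, D: {id: 4, role: 'user'}};

// Evaluate one check for every fixture user and return {name: allowed}.
function decisionMatrix(check) {
    const out = {};
    for (const [name, user] of Object.entries(users)) {
        out[name] = check(task, room, user.id, user.role);
    }
    return out;
}

console.log('before', decisionMatrix(canModifyTaskBefore));
console.log('after ', decisionMatrix(canModifyTaskAfter));
```

In the "before" matrix the room-only user gets more access than the workspace member, because the decision hinges on whether a role string happens to be present rather than on an explicit membership test.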

@melvin-bot melvin-bot bot added Daily KSv2 and removed Weekly KSv2 labels Feb 13, 2024
@puneetlath
Contributor

Issue for regression test: https://github.com/Expensify/Expensify/issues/369720

@puneetlath
Contributor

All paid. Thanks y'all!

Status: CRITICAL

9 participants