[HOLD for payment 2024-07-24] [$250] Public room - User is able to leave public room when user is not logged in

[izarutskaya]

If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!

---

Version Number: 1.4.81-3
Reproducible in staging?: Y
Reproducible in production?: Y
Logs: https://stackoverflow.com/c/expensify/questions/4856
Issue reported by: Applause-Internal team

Action Performed:

1. Go to staging.new.expensify.com
2. Log out if logged in.
3. Navigate to public room link.
4. Click on the public room chat header.
5. Click Leave.

Expected Result:

Login modal will open.

Actual Result:

User is able to leave the public room, and the public room reappears.

Workaround:

Unknown

Platforms:

Which of our officially supported platforms is this issue occurring on?

• Android: Native
• Android: mWeb Chrome
• iOS: Native
• iOS: mWeb Safari
• MacOS: Chrome / Safari
• MacOS: Desktop

Screenshots/Videos

Bug6508355_1718037560053.bandicam_2024-06-11_00-34-48-344.mp4

View all open jobs on GitHub

Upwork Automation - Do Not Edit

• Upwork Job URL: https://www.upwork.com/jobs/~012198a597d90e1a9d
• Upwork Job ID: 1800460939784883037
• Last Price Increase: 2024-06-11
• Automatic offers:
• situchan | Reviewer | 102730618
• codinggeek2023 | Contributor | 102730619
• truph01 | Contributor | 102895803

Issue Owner

Current Issue Owner: @greg-schroeder

[melvin-bot]

Triggered auto assignment to @garrettmknight (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details. Please add this bug to a GH project, as outlined in the SO.

[izarutskaya]

We think this issue might be related to the #vip-vsb

[devguest07]

Proposal

Please re-state the problem that we are trying to solve in this issue.

Users can leave a public room without being logged in.

What is the root cause of that problem?

The leave button is displayed regardless of whether the user is anonymous or not.

App/src/pages/ReportDetailsPage.tsx

Line 207 in 60530f6

if (isGroupChat || (isChatRoom && ReportUtils.canLeaveChat(report, policy ?? null))) {

What changes do you think we should make in order to solve the problem?

We need to add a condition to check for anonymous users before displaying the leave button, similar to other parts of the application.

https://github.com/Expensify/App/blob/60530f643b30f30510914ed28e2a90ed5d37184a/src/pages/home/report/ReportFooter.tsx#L91C12-L91C27

Add !isAnonymousUser to the condition controlling the display of the leave menu item.

App/src/pages/ReportDetailsPage.tsx

Line 207 in 60530f6

if (isGroupChat || (isChatRoom && ReportUtils.canLeaveChat(report, policy ?? null))) {

What alternative solutions did you explore?

[eucool]

Proposal

Please re-state the problem that we are trying to solve in this issue.

User is able to leave public room when user is not logged in

What is the root cause of that problem?

We have set isAnonymousAction to true which allows the user to proceed with exiting the room but that won't happen as the user is not logged in and hence we get redirected to concierge.

App/src/pages/ReportDetailsPage.tsx

Lines 207 to 212 in 60530f6

	if (isGroupChat || (isChatRoom && ReportUtils.canLeaveChat(report, policy ?? null))) {
	items.push({
	key: CONST.REPORT_DETAILS_MENU_ITEM.LEAVE_ROOM,
	translationKey: 'common.leave',
	icon: Expensicons.Exit,
	isAnonymousAction: true,

What changes do you think we should make in order to solve the problem?

The expected results is to redirect the user to login page, so we need to set isAnonymousAction to false.

Result Video

Screen.Recording.2024-06-11.at.1.11.52.AM.mov

[Tony-MK]

Proposal

Please re-state the problem that we are trying to solve in this issue.

Workspace - Error page when navigating to Workspace Join link after leaving the workspace

What is the root cause of that problem?

The root cause of the problem is that in the ReportDetailsPage we use the ReportUtils.canLeaveChat function instead of the ReportUtils.canLeaveRoom function.

App/src/pages/ReportDetailsPage.tsx

Line 207 in 65db650

if (isGroupChat || (isChatRoom && ReportUtils.canLeaveChat(report, policy ?? null))) {

What changes do you think we should make in order to solve the problem?

Change the code snippet above and use the ReportUtils.canLeaveRoom function as shown below.

if (isGroupChat || (isChatRoom && ReportUtils.canLeaveRoom(report, isPolicyEmployee))) 

[melvin-bot]

Job added to Upwork: https://www.upwork.com/jobs/~012198a597d90e1a9d

[melvin-bot]

Triggered auto assignment to Contributor-plus team member for initial proposal review - @situchan (External)

[TheGithubDev]

Proposal

Please re-state the problem that we are trying to solve in this issue:

The problem is that an anonymous (not logged in) user can leave a public room by clicking the "Leave" button in the public room chat header. Instead of being prompted to log in, the user is able to leave the room, and the public room reappears.

What is the root cause of that problem?

The root cause of this problem is that the leave action is not correctly checking for the user's authentication status before executing. The logic to handle the leave action does not verify if the user is logged in, allowing anonymous users to perform actions that should be restricted to authenticated users.

What changes do you think we should make in order to solve the problem?

To address this issue, we need to:

1. Add Authentication Check:
   • Before executing the leave action, verify if the user is authenticated. If not, prompt the user to log in.

Example of changes:

1. Add Authentication Check:

• Update the leave action handler to include an authentication check. If the user is not logged in, show the login modal instead of allowing the leave action to proceed.

  const handleLeaveRoom = () => {
      if (!isUserLoggedIn()) {
          showLoginModal();
          return;
      }
  
      // Proceed with the leave room action
      leavePublicRoom();
  };
  
  <Button onPress={handleLeaveRoom}>Leave</Button>
  

What alternative solutions did you explore?

• Restricting UI elements: Instead of checking authentication in the leave action handler, we can disable or hide the "Leave" button for anonymous users.

• Server-Side Validation: We can implement server-side validation to ensure that only authenticated users can perform the leave action, adding an extra layer of security.

• Different User Experience: Also, by redirecting anonymous users to a different user experience flow where they can't see the "Leave" option at all, focusing instead on encouraging them to log in.

Please note that the above explanation outlines only the technical approach I plan to take, as mentioned.

Regards.

[truph01]

Proposal

Please re-state the problem that we are trying to solve in this issue.

User is able to leave the public room, and the public room reappears.

What is the root cause of that problem?

When the user views the room before logged in, they are essentially "anonymous" users. So they're technically not part of the room yet, that's also the reason for the Join the discussion. CTA at the bottom of the public report.

So the anonymous user should only be able to join the room, not leave the room.

What changes do you think we should make in order to solve the problem?

We should hide Leave button and show Join button for public room if the user is viewing anonymously.

1. In canLeaveChat, add the early return false if it's public room and the user is anonymous

if (isPublicRoom(report) && Session.isAnonymousUser()) {
    return false;
}

This will make sure the button is hidden in both the ReportDetailsPage and HeaderView of the report

2. In canJoinChat, add early return true if it's public room and the user is anonymous

if (isPublicRoom(report) && Session.isAnonymousUser()) {
    return true;
}

What alternative solutions did you explore? (Optional)

NA

[garrettmknight]

@situchan can you have a look at these when you get chance? Thanks!

[situchan]

Login modal will open.

This is the expected result.

@codinggeek2023's proposal makes sense but I asked author why isAnonymousAction was set to true before approving.

EDIT: confirmed

[situchan]

Let's go with @codinggeek2023's proposal!
🎀👀🎀 C+ reviewed

[melvin-bot]

Triggered auto assignment to @MonilBhavsar, see https://stackoverflow.com/c/expensify/questions/7972 for more details.

[melvin-bot]

📣 @situchan 🎉 An offer has been automatically sent to your Upwork account for the Reviewer role 🎉 Thanks for contributing to the Expensify app!

Offer link
Upwork job

[melvin-bot]

📣 @codinggeek2023 🎉 An offer has been automatically sent to your Upwork account for the Contributor role 🎉 Thanks for contributing to the Expensify app!

Offer link
Upwork job
Please accept the offer and leave a comment on the Github issue letting us know when we can expect a PR to be ready for review 🧑‍💻
Keep in mind: Code of Conduct | Contributing 📖

[melvin-bot]

⚠️ Looks like this issue was linked to a Deploy Blocker here

If you are the assigned CME please investigate whether the linked PR caused a regression and leave a comment with the results.

If a regression has occurred and you are the assigned CM follow the instructions here.

If this regression could have been avoided please consider also proposing a recommendation to the PR checklist so that we can avoid it in the future.

[melvin-bot]

Reviewing label has been removed, please complete the "BugZero Checklist".

[melvin-bot]

The solution for this issue has been 🚀 deployed to production 🚀 in version 9.0.7-8 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

• Fix: User is able to leave public room when user is not logged in #44560

If no regressions arise, payment will be issued on 2024-07-24. 🎊

For reference, here are some details about the assignees on this issue:

• @situchan requires payment automatic offer (Reviewer)
• @truph01 requires payment automatic offer (Contributor)

[melvin-bot]

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

• [@situchan] The PR that introduced the bug has been identified. Link to the PR:
• [@situchan] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:
• [@situchan] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:
• [@situchan] Determine if we should create a regression test for this bug.
• [@situchan] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.
• [@garrettmknight] Link the GH issue for creating/updating the regression test once above steps have been agreed upon:

[garrettmknight]

Payment summary:

• Contributor: @truph01 $250 paid via upwork
• Reviewer: @situchan $250 paid via upwork

@situchan can you fill out the checklist when you get a chance?

[melvin-bot]

Triggered auto assignment to @greg-schroeder (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details. Please add this bug to a GH project, as outlined in the SO.

[garrettmknight]

@greg-schroeder just handing this one off while I'm OOO - only awaiting the checklist. If it doesn't get done by the time I'm back I'll pick back up. Thanks!

[situchan]

• The PR that introduced the bug has been identified. Link to the PR: Fix leave option does not appear in group chat thread #40529
• The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment: https://github.com/Expensify/App/pull/40529/files#r1690295516
• A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion: N/A

Regression Test Proposal

1. Log out if logged in.
2. Navigate to public room link.
3. Verify that "Join" button is displayed in the top right.
4. Click on the public room chat header.
5. Verify that there is no "Leave" button.

[greg-schroeder]

Adding regression test 👍