Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix/28925: Anonymous user can edit profile #29248

Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ import tryResolveUrlFromApiRoot from '@libs/tryResolveUrlFromApiRoot';
import * as Url from '@libs/Url';
import styles from '@styles/styles';
import * as Link from '@userActions/Link';
import * as Session from '@userActions/Session';
import CONFIG from '@src/CONFIG';
import CONST from '@src/CONST';
import ROUTES from '@src/ROUTES';
Expand Down Expand Up @@ -52,6 +53,10 @@ function AnchorRenderer(props) {
// If we are handling a New Expensify link then we will assume this should be opened by the app internally. This ensures that the links are opened internally via react-navigation
// instead of in a new tab or with a page refresh (which is the default behavior of an anchor tag)
if (internalNewExpensifyPath && hasSameOrigin) {
if (Session.isAnonymousUser() && !Session.canAccessRouteByAnonymousUser(internalNewExpensifyPath)) {
Session.signOutAndRedirectToSignIn();
return;
}
Navigation.navigate(internalNewExpensifyPath);
return;
}
Expand Down
6 changes: 6 additions & 0 deletions src/libs/actions/Report.js
Original file line number Diff line number Diff line change
Expand Up @@ -1999,6 +1999,12 @@ function openReportFromDeepLink(url, isAuthenticated) {
navigateToConciergeChat(true);
return;
}
if (Session.isAnonymousUser() && !Session.canAccessRouteByAnonymousUser(route)) {
Navigation.isNavigationReady().then(() => {
Session.signOutAndRedirectToSignIn();
});
return;
}
Navigation.navigate(route, CONST.NAVIGATION.TYPE.PUSH);
});
});
Expand Down
28 changes: 28 additions & 0 deletions src/libs/actions/Session/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -871,6 +871,33 @@ function waitForUserSignIn(): Promise<boolean> {
});
}

/**
* check if the route can be accessed by anonymous user
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updating this comment (or adding a comment in the function) to say why an anonymous user can only access different routes would be helpful for future programmers like me who don't have context on why this exists (in general, comments should be used to explain why the code is like that, not what the code is obviously doing)

*
* @param {string} route
*/

const canAccessRouteByAnonymousUser = (route: string) => {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

canAnonymousUserAccessRoute would sound better

const reportID = ReportUtils.getReportIDFromLink(route);
if (reportID) {
return true;
}
const parsedReportRouteParams = ReportUtils.parseReportRouteParams(route);
let routeRemovedReportId = route;
if ((parsedReportRouteParams as {reportID: string})?.reportID) {
routeRemovedReportId = route.replace((parsedReportRouteParams as {reportID: string})?.reportID, ':reportID');
}
if (route.startsWith('/')) {
routeRemovedReportId = routeRemovedReportId.slice(1);
}
const routesCanAccessByAnonymousUser = [ROUTES.SIGN_IN_MODAL, ROUTES.REPORT_WITH_ID_DETAILS.route, ROUTES.REPORT_WITH_ID_DETAILS_SHARE_CODE.route];
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

routesAccessibleByAnonymousUser would sound better

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed here: #37952


if ((routesCanAccessByAnonymousUser as string[]).includes(routeRemovedReportId)) {
return true;
}
return false;
};

export {
beginSignIn,
beginAppleSignIn,
Expand Down Expand Up @@ -900,4 +927,5 @@ export {
toggleTwoFactorAuth,
validateTwoFactorAuth,
waitForUserSignIn,
canAccessRouteByAnonymousUser,
};
2 changes: 1 addition & 1 deletion src/pages/signin/SignInModal.js
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ function SignInModal() {
shouldEnableMaxHeight
testID={SignInModal.displayName}
>
<HeaderWithBackButton />
<HeaderWithBackButton onBackButtonPress={Navigation.dismissModal} />
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This caused inconsistency between browser back button and modal back button. (Coming from #33417)

<SignInPage isInModal />
</ScreenWrapper>
);
Expand Down
Loading