[$1000] Web - Can pay IOU with PayPal even if the recipient has no PayPal payment method

[kbecciv]

If you haven’t already, check out our contributing guidelines for onboarding and email [email protected] to request to join our Slack channel!

---

Action Performed:

Precondition: User A must not have a PayPal paypal method set.

1. On User A, make a money request to User B
2. On User B, observe that the PayPal payment method is available for paying this request
3. On User B, pay the request via PayPal
4. On User B, observe that the PayPal URL is incorrect

Expected Result:

The PayPal payment method should not be available.

Actual Result:

The PayPal payment method is available.

Workaround:

Unknown

Platforms:

Which of our officially supported platforms is this issue occurring on?

• Android / native
• Android / Chrome
• iOS / native
• iOS / Safari
• MacOS / Chrome / Safari
• MacOS / Desktop

Version Number: 1.3.46-1
Reproducible in staging?: y
Reproducible in production?: y
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Notes/Photos/Videos: Any additional supporting documentation

paypal-iou-bug.mp4

Recording.3994.mp4

Expensify/Expensify Issue URL:
Issue reported by: @samh-nl
Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1690565339451529

View all open jobs on GitHub

Upwork Automation - Do Not Edit

• Upwork Job URL: https://www.upwork.com/jobs/~018a86abe5b75ae6ce
• Upwork Job ID: 1691095540333400064
• Last Price Increase: 2023-08-21

[melvin-bot]

Triggered auto assignment to @muttmuure (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

[melvin-bot]

Bug0 Triage Checklist (Main S/O)

• This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
• This bug is not a duplicate report (check E/App issues and #expensify-bugs)
  • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
• This bug is reproducible using the reproduction steps in the OP. S/O
  • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
  • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
• This issue is filled out as thoroughly and clearly as possible
  • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
• I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync

[kbecciv]

Proposal by: @samh-nl
Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1690565339451529

Proposal

Please re-state the problem that we are trying to solve in this issue.

Can pay IOU with PayPal even if the recipient has no PayPal payment method

What is the root cause of that problem?

This affects two usages of the SettlementButton component.

1. MoneyReportHeader: The shouldShowPayPal prop is used to determine whether Paypal is a valid payment method. However, we are checking whether the sender has a PayPal.me account configured instead of the recipient.
   

   App/src/components/MoneyReportHeader.js

   Line 62 in eb02006

   const shouldShowPaypal = Boolean(lodashGet(props.personalDetails, [moneyRequestReport.managerID, 'payPalMeAddress']));

2. ReportPreview: We don't show a payment options list, instead the last used payment method is taken as default.
   

   App/src/components/SettlementButton.js

   Line 111 in eb02006

   let paymentMethod = this.props.nvp_lastPaymentMethod[this.props.policyID] || '';

But in the case that this is PayPal, we don't check if the recipient actually has it configured:

App/src/components/SettlementButton.js

Lines 125 to 128 in eb02006

	// In case the last payment method has been PayPal, but this request is made in currency unsupported by Paypal, default to Elsewhere
	if (paymentMethod === CONST.IOU.PAYMENT_TYPE.PAYPAL_ME && !_.includes(CONST.PAYPAL_SUPPORTED_CURRENCIES, this.props.currency)) {
	paymentMethod = CONST.IOU.PAYMENT_TYPE.ELSEWHERE;
	}

What changes do you think we should make in order to solve the problem?

1. We should check whether the recipient has a PayPal.me account configured in MoneyReportHeader:

const shouldShowPaypal = Boolean(moneyRequestReport.submitterPayPalMeAddress);

2. In ReportPreview, we should also define and pass the shouldShowPaypal prop to the SettlementButton. Consequently, we should add a condition to the if-statement to ensure shouldShowPaypal is true, so that otherwise the fallback to the payment method 'elsewhere' is used.

To reduce code duplicity in declaring shouldShowPaypal, we can add a util function in IOUUtils.

What alternative solutions did you explore? (Optional)

N/A

[melvin-bot]

@muttmuure Uh oh! This issue is overdue by 2 days. Don't forget to update your issues!

[melvin-bot]

@muttmuure Huh... This is 4 days overdue. Who can take care of this?

[melvin-bot]

@muttmuure Now this issue is 8 days overdue. Are you sure this should be a Daily? Feel free to change it!

[muttmuure]

I don't think this is a bug. You should be able to pay anyone with PayPal

[samh-nl]

If the recipient has no PayPal.me username provided, it goes to the wrong person. It uses the money amount as the username, please see the video.

[samh-nl]

Thoughts?

[melvin-bot]

Job added to Upwork: https://www.upwork.com/jobs/~018a86abe5b75ae6ce

[melvin-bot]

Current assignee @muttmuure is eligible for the External assigner, not assigning anyone new.

[melvin-bot]

Triggered auto assignment to Contributor-plus team member for initial proposal review - @ArekChr (External)

[melvin-bot]

📣 It's been a week! Do we have any satisfactory proposals yet? Do we need to adjust the bounty for this issue? 💸

[ArekChr]

Confirming that bug exists. NewDot redirects to www.paypal.com/paypalme/{amount}{currency}. This is a significant bug with potential security implications, as it could result in funds being sent to the wrong individual.

Here is an example: https://www.paypal.com/paypalme/12PLN

@muttmuure I'm in favour of removing the option if the recipient doesn't have a PayPal payment method.
any thoughts/ideas?

[melvin-bot]

@ArekChr, @muttmuure Uh oh! This issue is overdue by 2 days. Don't forget to update your issues!

[samh-nl]

Bump

[melvin-bot]

@ArekChr @muttmuure this issue is now 4 weeks old and preventing us from maintaining WAQ, can you:

• Decide whether any proposals currently meet our guidelines and can be approved as-is today
• If no proposals meet that standard, please take this issue internal and treat it as one of your highest priorities
• If you have any questions, don't hesitate to start a discussion in #expensify-open-source

Thanks!

[melvin-bot]

Current assignee @ArekChr is eligible for the Internal assigner, not assigning anyone new.

[muttmuure]

I don't think we should remove the option, we want to encourage users to add their PayPal account

[ArekChr]

@muttmuure, Where NewDot should redirect if user 'A' presses pay with PayPal to user 'B' in case user 'B' doesn't have a PayPal account? Right now it redirects to the wrong person.

[melvin-bot]

@ArekChr, @muttmuure Whoops! This issue is 2 days overdue. Let's get this updated quick!

[muttmuure]

Yeah, actually, I can see what you mean.

Let's remove it if user B doesn't have one

[ArekChr]

Great! @samh-nl, your proposal looks good to me then.

🎀 👀 🎀 C+ reviewed

[melvin-bot]

Triggered auto assignment to @Gonals, see https://stackoverflow.com/c/expensify/questions/7972 for more details.

[sophiepintoraetz]

We are deprecating paypal (decision here, GH here) so closing this out, thanks!