
[$500] Request money - User A can request money in the workspace expense room using URL, even though only User B should be able to request money #27618

Closed
1 of 6 tasks
lanitochka17 opened this issue Sep 17, 2023 · 33 comments
Assignees
Labels
Bug Something is broken. Auto assigns a BugZero manager. Daily KSv2 Engineering Internal Requires API changes or must be handled by Expensify staff

Comments

@lanitochka17

lanitochka17 commented Sep 17, 2023

If you haven’t already, check out our contributing guidelines for onboarding and email [email protected] to request to join our Slack channel!


Action Performed:

  1. Log in to User A's account
  2. Create a workspace and invite User B
  3. Open the workspace room from User B
  4. Navigate to the "Request money" section
  5. Enter an amount and click "Next."
  6. Copy the URL and click "Request..."
  7. Return to User A's account
  8. Open the workspace expense room where User B requested money
  9. Send the copied URL and open it
  10. Enter an amount and request it by clicking on "Request money"

Expected Result:

User A should not be able to request money using the URL in the workspace expense room, as it is intended only for User B

Actual Result:

User A can request money in the workspace expense room using a URL, even though only User B should be able to request money

Workaround:

Unknown

Platforms:

Which of our officially supported platforms is this issue occurring on?

  • Android / native
  • Android / Chrome
  • iOS / native
  • iOS / Safari
  • Windows / Chrome
  • MacOS / Desktop

Version Number: 1.3.70-5

Reproducible in staging?: Yes

Reproducible in production?: Yes

If this was caught during regression testing, add the test name, ID and link from TestRail:

Email or phone of affected tester (no customers):

Logs: https://stackoverflow.com/c/expensify/questions/4856

Notes/Photos/Videos: Any additional supporting documentation

screen-recording-2023-09-14-at-23702-am_JtSXgSJ7.mp4
Recording.40.mp4

Expensify/Expensify Issue URL:

Issue reported by: @ayazhussain79

Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1694642540255229

View all open jobs on GitHub

Upwork Automation - Do Not Edit
  • Upwork Job URL: https://www.upwork.com/jobs/~0193de23f043eea69d
  • Upwork Job ID: 1703417313135792128
  • Last Price Increase: 2023-10-08
@lanitochka17 lanitochka17 added External Added to denote the issue can be worked on by a contributor Daily KSv2 Bug Something is broken. Auto assigns a BugZero manager. labels Sep 17, 2023
@melvin-bot melvin-bot bot changed the title Request money - User A can request money in the workspace expense room using URL, even though only User B should be able to request money [$500] Request money - User A can request money in the workspace expense room using URL, even though only User B should be able to request money Sep 17, 2023
@melvin-bot

melvin-bot bot commented Sep 17, 2023

Job added to Upwork: https://www.upwork.com/jobs/~0193de23f043eea69d

@melvin-bot

melvin-bot bot commented Sep 17, 2023

Triggered auto assignment to @JmillsExpensify (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

@melvin-bot melvin-bot bot added the Help Wanted Apply this label when an issue is open to proposals by contributors label Sep 17, 2023
@melvin-bot

melvin-bot bot commented Sep 17, 2023

Bug0 Triage Checklist (Main S/O)

  • This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
  • This bug is not a duplicate report (check E/App issues and #expensify-bugs)
    • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
  • This bug is reproducible using the reproduction steps in the OP. S/O
    • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
    • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
  • This issue is filled out as thoroughly and clearly as possible
    • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
  • I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync

@melvin-bot

melvin-bot bot commented Sep 17, 2023

Triggered auto assignment to @zanyrenney (External), see https://stackoverflow.com/c/expensify/questions/8582 for more details.

@melvin-bot

melvin-bot bot commented Sep 17, 2023

Triggered auto assignment to Contributor-plus team member for initial proposal review - @situchan (External)

@Pujan92
Contributor

Pujan92 commented Sep 17, 2023

Seems not a bug as user B can request it from the workspace report

@ayazhussain79
Contributor

There are two expense rooms, one for User A and the other for User B. In User B's expense room, the "Request Money" option is not available for User A, although you can still request money using a URL

@dukenv0307
Contributor

dukenv0307 commented Sep 18, 2023

Proposal

Please re-state the problem that we are trying to solve in this issue.

User A can request money in the workspace expense room using URL, even though only User B should be able to request money

What is the root cause of that problem?

In order to determine which money request types are available for a report, we normally use getMoneyRequestOptions, like when getting the options to display in the Compose + button here.

But in the MoneyRequestSelectorPage itself, we're not validating this condition before allowing users to create the money request.

That's why, even though user A does not have permission to request money in user B's workspace room, they can still work around it by using the URL.

What changes do you think we should make in order to solve the problem?

We need to check that the user has permission to request money in MoneyRequestSelectorPage; to do this, we can use the getMoneyRequestOptions method and check that the options contain CONST.IOU.MONEY_REQUEST_TYPE.REQUEST or CONST.IOU.MONEY_REQUEST_TYPE.SPLIT.

Or we can use the canRequestMoney method directly.

If the check returns false, we can either show the not found page or simply dismiss the modal, depending on which UX we want in this case.

What alternative solutions did you explore? (Optional)

This also happens for other screens, like split bill; we should fix it there too.
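The pattern the proposal above describes, as an added example that is not part of this issue thread or of the Expensify codebase: the UI menu filters money-request types through a permission helper, but a deep-linked page skips that menu, so the page itself has to repeat the check. MONEY_REQUEST_TYPE, getMoneyRequestOptions, the `/request/new/:iouType/:reportID` route shape and the sample reports are simplified, hypothetical stand-ins for the app's real constants and helpers.

```javascript
// Added example, not Expensify's code: a page-level authorization guard for a
// deep-linked money-request screen. MONEY_REQUEST_TYPE, getMoneyRequestOptions,
// the route shape and the sample data are simplified, hypothetical stand-ins.

const MONEY_REQUEST_TYPE = Object.freeze({ REQUEST: 'request', SPLIT: 'split', SEND: 'send' });
const { REQUEST, SPLIT, SEND } = MONEY_REQUEST_TYPE;

// Constructed sample data: one workspace, two members, one expense chat each,
// plus a 1:1 chat. Ownership of the expense chat decides who may request in it.
const REPORTS = Object.freeze({
  expenseA: { reportID: 'expenseA', type: 'policyExpenseChat', ownerAccountID: 'userA' },
  expenseB: { reportID: 'expenseB', type: 'policyExpenseChat', ownerAccountID: 'userB' },
  dmAC: { reportID: 'dmAC', type: 'chat', participantAccountIDs: ['userA', 'userC'] },
});

// Stand-in for getMoneyRequestOptions: the request types the current user may
// start in a given report. Assumed rules (hypothetical): in a workspace expense
// chat only its owner may request or split; in a chat the user participates in,
// request, split and send are allowed; otherwise nothing is allowed.
function getMoneyRequestOptions(report, currentUserID) {
  if (!report) {
    return [];
  }
  if (report.type === 'policyExpenseChat') {
    return report.ownerAccountID === currentUserID ? [REQUEST, SPLIT] : [];
  }
  if (report.type === 'chat' && report.participantAccountIDs.includes(currentUserID)) {
    return [REQUEST, SPLIT, SEND];
  }
  return [];
}

// The Compose "+" menu already filters on these options. In the vulnerable flow
// this was the only gate, and a pasted URL never passes through it.
function getComposeMenuItems(report, currentUserID) {
  return getMoneyRequestOptions(report, currentUserID);
}

// Hypothetical route: /request/new/:iouType/:reportID
const ROUTE_PATTERN = /^\/request\/new\/(request|split|send)\/([^/]+)$/;

function parseMoneyRequestRoute(path) {
  const match = ROUTE_PATTERN.exec(path);
  return match ? { iouType: match[1], reportID: match[2] } : null;
}

// The fix: derive the permission from the same source the menu uses, on the
// page itself, so it holds no matter how the user arrived at the route.
function canOpenMoneyRequestPage(route, reports, currentUserID) {
  const report = reports[route.reportID];
  return getMoneyRequestOptions(report, currentUserID).includes(route.iouType);
}

// Before: any well-formed URL renders the selector, regardless of permission.
function renderMoneyRequestPageBefore(path) {
  return parseMoneyRequestRoute(path) ? 'MoneyRequestSelectorPage' : 'NotFoundPage';
}

// After: the selector renders only when the user may request in that report;
// an unknown report, a malformed path or a disallowed type all fall through
// to the not-found page rather than to the request flow.
function renderMoneyRequestPageAfter(path, reports, currentUserID) {
  const route = parseMoneyRequestRoute(path);
  if (!route || !canOpenMoneyRequestPage(route, reports, currentUserID)) {
    return 'NotFoundPage';
  }
  return 'MoneyRequestSelectorPage';
}

// User A opens the request-flow URL that belongs to User B's expense chat.
const pastedURL = '/request/new/request/expenseB';
console.log("menu for A in B's room:", getComposeMenuItems(REPORTS.expenseB, 'userA')); // []
console.log('before:', renderMoneyRequestPageBefore(pastedURL)); // MoneyRequestSelectorPage
console.log('after: ', renderMoneyRequestPageAfter(pastedURL, REPORTS, 'userA')); // NotFoundPage
console.log('owner: ', renderMoneyRequestPageAfter(pastedURL, REPORTS, 'userB')); // MoneyRequestSelectorPage
```

The guard lives next to the route handler rather than in the menu because every entry point to the screen (menu, deep link, browser history, a pasted URL) converges there; the same shape applies to the split-bill screen the proposal mentions. A client-side guard only controls what is rendered, so the API that actually creates the request still needs its own check, which is what the issue's Internal label points at.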

@melvin-bot melvin-bot bot added the Overdue label Sep 20, 2023
@zanyrenney
Contributor

Not sure why I was assigned via External when there is already a Bug assignee:
2023-09-21_06-46-45

Unassigning as the later assignee, to remove the duplication of bug management!

@melvin-bot melvin-bot bot removed the Overdue label Sep 21, 2023
@zanyrenney zanyrenney removed their assignment Sep 21, 2023
@melvin-bot

melvin-bot bot commented Sep 24, 2023

📣 It's been a week! Do we have any satisfactory proposals yet? Do we need to adjust the bounty for this issue? 💸

@melvin-bot melvin-bot bot added the Overdue label Sep 24, 2023
@melvin-bot

melvin-bot bot commented Sep 26, 2023

@JmillsExpensify, @situchan Eep! 4 days overdue now. Issues have feelings too...

@melvin-bot

melvin-bot bot commented Sep 28, 2023

@JmillsExpensify, @situchan 6 days overdue. This is scarier than being forced to listen to Vogon poetry!

@melvin-bot

melvin-bot bot commented Oct 1, 2023

@JmillsExpensify @situchan this issue was created 2 weeks ago. Are we close to approving a proposal? If not, what's blocking us from getting this issue assigned? Don't hesitate to create a thread in #expensify-open-source to align faster in real time. Thanks!

@melvin-bot

melvin-bot bot commented Oct 1, 2023

📣 It's been a week! Do we have any satisfactory proposals yet? Do we need to adjust the bounty for this issue? 💸

@melvin-bot

melvin-bot bot commented Oct 2, 2023

@JmillsExpensify, @situchan 10 days overdue. I'm getting more depressed than Marvin.

@melvin-bot

melvin-bot bot commented Oct 4, 2023

@JmillsExpensify, @situchan 12 days overdue. Walking. Toward. The. Light...

@melvin-bot

melvin-bot bot commented Oct 8, 2023

@JmillsExpensify @situchan this issue is now 3 weeks old. There is one more week left before this issue breaks WAQ and will need to go internal. What needs to happen to get a PR in review this week? Please create a thread in #expensify-open-source to discuss. Thanks!

@melvin-bot

melvin-bot bot commented Oct 8, 2023

📣 It's been a week! Do we have any satisfactory proposals yet? Do we need to adjust the bounty for this issue? 💸

@melvin-bot melvin-bot bot removed the Daily KSv2 label Oct 9, 2023
@melvin-bot

melvin-bot bot commented Oct 9, 2023

This issue has not been updated in over 14 days. @JmillsExpensify, @situchan eroding to Weekly issue.

@melvin-bot melvin-bot bot added Weekly KSv2 and removed Overdue labels Oct 9, 2023
@situchan
Contributor

@dukenv0307 is your proposal still valid?

@dukenv0307
Contributor

@dukenv0307 is your proposal still valid?

@situchan yes it is

@melvin-bot

melvin-bot bot commented Oct 15, 2023

@JmillsExpensify @situchan this issue is now 4 weeks old and preventing us from maintaining WAQ, can you:

  • Decide whether any proposals currently meet our guidelines and can be approved as-is today
  • If no proposals meet that standard, please take this issue internal and treat it as one of your highest priorities
  • If you have any questions, don't hesitate to start a discussion in #expensify-open-source

Thanks!

@melvin-bot melvin-bot bot added Daily KSv2 Internal Requires API changes or must be handled by Expensify staff and removed Weekly KSv2 External Added to denote the issue can be worked on by a contributor Help Wanted Apply this label when an issue is open to proposals by contributors labels Oct 15, 2023
@melvin-bot

melvin-bot bot commented Oct 15, 2023

Current assignee @situchan is eligible for the Internal assigner, not assigning anyone new.

@JmillsExpensify

@situchan thoughts on next steps and the existing proposals?

@JmillsExpensify

Or should we keep this internal?

@situchan
Contributor

No need to be internal yet. I will confirm today

@melvin-bot melvin-bot bot added the Overdue label Oct 20, 2023
@melvin-bot

melvin-bot bot commented Oct 23, 2023

@JmillsExpensify, @situchan Eep! 4 days overdue now. Issues have feelings too...

@situchan
Contributor

situchan commented Oct 24, 2023

I think this was fixed in #23755.
@dukenv0307 can you confirm? As you were the author of that PR.

@melvin-bot melvin-bot bot removed the Overdue label Oct 24, 2023
@dukenv0307
Contributor

@situchan Yes, it's fixed since I added the check in MoneyRequestSelectorPage

@JmillsExpensify

Oh ok perfect! Ok so I'll issue payment for reporting and we're done here.

@JmillsExpensify

@ayazhussain79 I believe I've just sent you an offer in Upwork. Can you please accept?

@ayazhussain79
Contributor

@JmillsExpensify offer accepted, thank you.

@JmillsExpensify

All paid out. Thanks!

Development

No branches or pull requests

7 participants