-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[$500] Chat - App allows to delete other users messages in # admin of workspace #29823
Comments
Triggered auto assignment to @jliexpensify ( |
Job added to Upwork: https://www.upwork.com/jobs/~016a6d08b85f59984d |
Bug0 Triage Checklist (Main S/O)
|
Triggered auto assignment to Contributor-plus team member for initial proposal review - @Santhosh-Sellavel ( |
This seems like a backend issue. |
ProposalPlease re-state the problem that we are trying to solve in this issue.This is primarily a backend issue. If the intended behavior is for this to be forbidden, then the backend needs to not let it happen regardless of frontend actions. That being said, the frontend should also hide the delete action when it is not applicable. According to a JSDocs comment in the ReportUtils.js file, a user should be able to delete a comment if;
This issue implies that it also shouldn't be allowed if the message in question was sent by another admin. Assuming that is correct, the following is a simple proposal to implement that logic on the frontend. What is the root of the issueThe issue comes down to the function
Obviously, this code results in admins of a workspace being able to delete others' messages, even if those users are admins. What changes do you think we should make in order to solve the problem?We have to add a check to see if the user sending the message is an admin: What alternative solutions did you explore? (Optional) |
@Santhosh-Sellavel what do you think? Is this a back-end issue? |
Current assignee @Santhosh-Sellavel is eligible for the Internal assigner, not assigning anyone new. |
Triggered auto assignment to @NikkiWines ( |
Hi @NikkiWines - I have a tongue twister for you: it looks like any Admin can delete another Admin's message in the #admins room where there are multiple admins. Is this an |
Hmm, I'd say it's a combo - we'll need to prevent that action on the backend but it's probably also wise update the UI so we don't show the option to delete another admin's message |
Thanks! Will you tackle both @NikkiWines or just the back-end part? If so, we could turn this GH into an "update the UI" one and make it |
I can take on the backend, let's handle the UI update separately |
Ok cool, I assume the "update the UI" part is simply removing the option (i.e. the If so, is it best to use this GH, or should we create a new one once you're done? |
Yep, that's correct - it basically involves actually adding a check to determine if the commenter is also an admin. If so, we won't show the option to delete the comment. And I think we can use this issue for the UI update! And unless we need another backend update to determine if the commenter is an admin, then we should be able to do the UI update and backend change concurrently |
Backend PR is in review |
@NikkiWines, @jliexpensify, @Santhosh-Sellavel Uh oh! This issue is overdue by 2 days. Don't forget to update your issues! |
Backend PR is live! @Santhosh-Sellavel can you review @graylewis's proposal please 🙇 |
@NikkiWines @jliexpensify @Santhosh-Sellavel this issue was created 2 weeks ago. Are we close to a solution? Let's make sure we're treating this as a top priority. Don't hesitate to create a thread in #expensify-open-source to align faster in real time. Thanks! |
Not overdue - bumping @Santhosh-Sellavel |
Bumped via Slack |
Sorry for the delay. @graylewis proposal looks good. |
@Santhosh-Sellavel Roughly, we can use isAdminOfFreePolicy(policies) from Policy.js and pass it reportAction.actorAccountID from canDeleteReportAction(reportAction, reportID) |
@graylewis That's not the case, can you please check. |
@Santhosh-Sellavel After doing some poking around, it looks like as of now there is no simple way to check if another user is an admin of a workspace. There is no data loaded in Onyx (unless you're on the WorkspaceMembersPage, therefore triggering API.read("OpenWorkspaceMembersPage")) that lists the users and their roles for a given workspace. There are two approaches to solving this issue:
What do you think of these solutions @Santhosh-Sellavel? It doesn't seem like there's any other place in the app where other users' roles are referenced in this way. One other point: It's also not clear to me how different free policies are from full policies. Can free policies even have multiple admins? I can't see a way to add another admin to my workspace, but if not, why even create a #admins chat room? |
@NikkiWines @jliexpensify @Santhosh-Sellavel this issue is now 3 weeks old. There is one more week left before this issue breaks WAQ. What needs to happen to get a PR in review this week? Please create a thread in #expensify-open-source to discuss. Thanks! |
Both sound like an over-engineered solution. @NikkiWines What's your thought here? Also, can you answer this?
|
Free plans only allow for one Admin
|
Hmmm, yeah agreed that both solutions aren't ideal. Especially if we only allow free workspaces with one admin in New Expensify right now.
Full policies can have multiple admins and there are plans to introduce that functionality into New Expensify in the future. But yes at the moment the #admins chat room is a bit lonely 😅 I think this is a bug that users in the future could encounter, but it's not a bug someone could encounter now - at least with a normal set up for New Expensify. I suggest we close this or put it on hold for now until we introduce multiple admins for workspaces in New Expensify. Thoughts? |
@NikkiWines any ideas when this might be? Also - do we actually want to allow Admins to delete other Admin messages? I always thought we would only want users to delete their own messages. |
Nope, not sure where that is on the roadmap.
We don't want admins to be able to delete other admin messages. Admins should only be allowed to delete their own messages and non-admin messages. |
Yep, that's what I thought! Forgive my ignorance here, but can we just blanket remove the delete button in all #admins rooms? Or is that something that's really complex? |
Because we don't just want to disallow admins from deleting other admin messages in just #admins, we want to disallow it across all rooms tied to a workspace. |
Ok cool, thanks Nikki! I'm happy to pay the Reporter but lets probably close this one? |
Payment Summary
|
Paid and job closed! |
If you haven’t already, check out our contributing guidelines for onboarding and email [email protected] to request to join our Slack channel!
Version Number: 1.3.85.0
Reproducible in staging?: y
Reproducible in production?: y
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Expensify/Expensify Issue URL:
Issue reported by: @dhanashree-sawant
Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1697532701974139
Action Performed:
Precondition: To test, user will need to have 1 workspace with multiple admins in it
Expected Result:
App should not allow user to delete other users messages
Actual Result:
App allows user to delete other users messages in # admin
Workaround:
Unknown
Platforms:
Which of our officially supported platforms is this issue occurring on?
Screenshots/Videos
Android: Native
Android.native.admin.allows.delete.other.user.msg.mp4
Android: mWeb Chrome
Android.chrome.admin.allows.to.delete.different.user.msg.mp4
iOS: Native
ios.native.admin.allows.to.delete.other.users.mov
iOS: mWeb Safari
ios.safari.admin.allows.to.delete.other.users.mov
MacOS: Chrome / Safari
windows.chrome.admin.allows.to.delete.msg.of.other.users.mp4
mac.chrome.admin.allows.to.delete.others.message.mov
Recording.5047.mp4
MacOS: Desktop
mac.desktop.admin.allows.to.delete.others.message.mov
View all open jobs on GitHub
Upwork Automation - Do Not Edit
The text was updated successfully, but these errors were encountered: