[HOLD for payment 2023-06-19] [$1000] Workspace settings page can be opened by any non-admin member of the workspace

[kavimuru]

If you haven’t already, check out our contributing guidelines for onboarding and email [email protected] to request to join our Slack channel!

---

Action Performed:

1. Login as user A and create a workspace.
2. Add user B as a member to the workspace.
3. Go to Workspace General Settings and copy the URL for the workspace.
4. Login as user B and open the link you copied previously.

Expected Result:

Not found or Permission denied error should be shown

Actual Result:

The workspace settings page open and allows the user to see / interact with all the forms.

Workaround:

Can the user still use Expensify without this being fixed? Have you informed them of the workaround?

Platforms:

Which of our officially supported platforms is this issue occurring on?

• Android / native
• Android / Chrome
• iOS / native
• iOS / Safari
• MacOS / Chrome / Safari
• MacOS / Desktop

Version Number: 1.3.13.3
Reproducible in staging?: y
Reproducible in production?: y
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Notes/Photos/Videos: Any additional supporting documentation

Screen.Recording.2023-05-14.at.3.26.19.AM.mov

Recording.606.mp4

Expensify/Expensify Issue URL:
Issue reported by: @allroundexperts
Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1684016823040309

View all open jobs on GitHub

Upwork Automation - Do Not Edit

• Upwork Job URL: https://www.upwork.com/jobs/~013a823356a32c5600
• Upwork Job ID: 1659230141558759424
• Last Price Increase: 2023-06-01

[melvin-bot]

Triggered auto assignment to @sonialiap (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

[melvin-bot]

Bug0 Triage Checklist (Main S/O)

• This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
• This bug is not a duplicate report (check E/App issues and #expensify-bugs)
  • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
• This bug is reproducible using the reproduction steps in the OP. S/O
  • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
  • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
• This issue is filled out as thoroughly and clearly as possible
  • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
• I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync

[sonialiap]

https://staging.new.expensify.com/workspace/90F7140C34753F91/settings

I can confirm the behavior

1. Login as user A and create a workspace.
2. Add user B as a member to the workspace.
3. Go to workspace settings and copy the URL for the workspace
4. Login as user B and open the link you copied previously

Expected result: a member of the workspace that is not an admin should not be able to access that workspace's settings. However, instead of the suggested result of throwing an error, I think we should simply redirect the URL to new.expensify.com.

Actual result: following the URL copied and shared by user A allows user B to access A's workspace settings (but doesn't seem to allow B to change anything).

[melvin-bot]

Job added to Upwork: https://www.upwork.com/jobs/~013a823356a32c5600

[melvin-bot]

Current assignee @sonialiap is eligible for the External assigner, not assigning anyone new.

[melvin-bot]

Triggered auto assignment to Contributor-plus team member for initial proposal review - @mananjadhav (External)

[melvin-bot]

Triggered auto assignment to @yuwenmemon (External), see https://stackoverflow.com/c/expensify/questions/7972 for more details.

[sonialiap]

@allroundexperts what do you think of instead of throwing an error, redirecting user B to new.expensify.com?

[allroundexperts]

@allroundexperts what do you think of instead of throwing an error, redirecting user B to new.expensify.com?

That works as well but it might be confusing for some people.

[victornnaji]

We can redirect the user to another page. I think, it's good solution.

[melvin-bot]

📣 @victornnaji! 📣
Hey, it seems we don’t have your contributor details yet! You'll only have to do this once, and this is how we'll hire you on Upwork.
Please follow these steps:

1. Get the email address used to login to your Expensify account. If you don't already have an Expensify account, create one here. If you have multiple accounts (e.g. one for testing), please use your main account email.
2. Get the link to your Upwork profile. It's necessary because we only pay via Upwork. You can access it by logging in, and then clicking on your name. It'll look like this. If you don't already have an account, sign up for one here.
3. Copy the format below and paste it in a comment on this issue. Replace the placeholder text with your actual details.
   
   Format:

Contributor details
Your Expensify account email: <REPLACE EMAIL HERE>
Upwork Profile Link: <REPLACE LINK HERE>

[LiaKim07]

Contributor details
Your Expensify account email: [email protected]
Upwork Profile Link: https://www.upwork.com/freelancers/~018b24d677a862774a

[melvin-bot]

✅ Contributor details stored successfully. Thank you for contributing to Expensify!

[LiaKim07]

I think, we can simply redirecting to the new.expensify.com.

[mananjadhav]

@sonialiap @yuwenmemon can we confirm the expected result here? We have one of the following:

1. Redirect them to the Workspace page/chat page
2. Redirect to Concierge/New Expensify.com (essentially redirecting to the root URL from point 1)
3. Show Page not found error as below.

[sonialiap]

Bringing it up with the team in slack

[melvin-bot]

📣 @allroundexperts You have been assigned to this job by @yuwenmemon!
Please apply to this job in Upwork and leave a comment on the Github issue letting us know when we can expect a PR to be ready for review 🧑‍💻
Keep in mind: Code of Conduct | Contributing 📖

[allroundexperts]

@mananjadhav @sonialiap Can someone please arrange Spanish translations for this?

[allroundexperts]

PR created #20215

[mananjadhav]

Please allow me a day to review and test this. I am unwell and would be offline most of the day.

[melvin-bot]

Reviewing label has been removed, please complete the "BugZero Checklist".

[melvin-bot]

The solution for this issue has been 🚀 deployed to production 🚀 in version 1.3.26-4 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

• fix: prevent un-authorized access to workspace pages #20215

If no regressions arise, payment will be issued on 2023-06-19. 🎊

After the hold period is over and BZ checklist items are completed, please complete any of the applicable payments for this issue, and check them off once done.

• External issue reporter
• Contributor that fixed the issue
• Contributor+ that helped on the issue and/or PR

As a reminder, here are the bonuses/penalties that should be applied for any External issue:

• Merged PR within 3 business days of assignment - 50% bonus
• Merged PR more than 9 business days after assignment - 50% penalty

[melvin-bot]

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

• [@mananjadhav / @allroundexperts] The PR that introduced the bug has been identified. Link to the PR:
• [@mananjadhav / @allroundexperts] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:
• [@mananjadhav / @allroundexperts] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:
• [@mananjadhav / @allroundexperts] Determine if we should create a regression test for this bug.
• [@mananjadhav / @allroundexperts] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.
• [@sonialiap] Link the GH issue for creating/updating the regression test once above steps have been agreed upon:

[sonialiap]

@allroundexperts @mananjadhav looks like the fix went through without any regressions 🎉 please complete the checklist and I'll issue payment

[mananjadhav]

@sonialiap @yuwenmemon I couldn't exactly pinpoint which PR should we tag here for offending PR? The Workspace settings page exist since Workspace module, and the related pages have gone through multiple refactors.

I don't see any need to update on the checklist, but I do think we should use the Tests from the PR as a regression suite. Because it isn't just settings page that we added the check too, but also other workspace pages.

[mananjadhav]

@sonialiap Quick bump on the payout for this one.

[sonialiap]

Thanks for the checklist review, I'll add the issue steps as a regression test.

Offers sent to @mananjadhav and @allroundexperts

[mananjadhav]

Thanks @sonialiap. I would also like to highlight that this is also eligible for the timeline bonus.

[sonialiap]

I was just opening the PR to review the timeline. You are well within the 3 days. Will add the bonus to both offers during payment 😁

[sonialiap]

Both paid ✅
Sibtain: reporting and fix + bonus
Manan: review + bonus

[sonialiap]

Everyone is paid. Submitting regression test steps now. Closing ✅