[$500] Web - Tasks - Assignee can mark task as completed after task has been #34172
Comments
kbecciv
added
External
melvin-bot
bot
changed the title
|
Job added to Upwork: https://www.upwork.com/jobs/~011401c8786c4cfbb8 |
|
Triggered auto assignment to @CortneyOfstad ( |
melvin-bot
bot
added
the
Help Wanted
|
Triggered auto assignment to Contributor-plus team member for initial proposal review - @Santhosh-Sellavel ( |
ProposalPlease re-state the problem that we are trying to solve in this issue.An account can modify task when he isn't the assignee or the creator What is the root cause of that problem?We check the modifiability in the canModifyTask function Lines 907 to 909 in 35a6916 As you can see, we return true if the current user is the owner or the assignee. Even when the user isn't the owner and isn't the assignee, we allow the modification when the parent report is allowed to comment Line 920 in 35a6916 This is the root cause What changes do you think we should make in order to solve the problem?The main idea is that we should return false if the user isn't the creator nor the assignee instead of returning true if the user is the creator or the assignee Updating Lines 907 to 909 in 35a6916 to would solve the issue Note: If we need to allow modification of the task for policy admins in the workspace chat or chat room, we would need to add those conditions with What alternative solutions did you explore? (Optional) |
|
Proposal looks good to need ensure whether this issues comes from any recent PR which is under regression period |
This change will break the ability for public room admins to modify tasks |
Yeah, we need to add those conditions as well if admins should be able to modify tasks. |
ProposalPlease re-state the problem that we are trying to solve in this issue.What is the root cause of that problem?The root cause is that when checking for the user's ability to modify the task, neither of early return conditions are met, and we get all the way to the last return, which checks if the user can comment on the parent chat (their 1:1 chat). Lines 894 to 921 in 382a096 What changes do you think we should make in order to solve the problem?In this function, we should early return false if the parent report is a chat report: const parentReport = ReportUtils.getParentReport(taskReport);
+ if (ReportUtils.isChatReport(parentReport)) {
+ return false;
+ }This is safe to add because:
What alternative solutions did you explore? (Optional) |
|
Seem like it's expected cc @thienlnam |
|
Anyone can modify the task if you can access it - this is intended |
|
@kbecciv Can you please post the TR that created this issue? I believe we fixed a bunch but there might be more that we are missing |
|
This issue discovered when executing PR #33656 @thienlnam |
|
Ah yeah - the expected behavior is that anyone that can view the task can modify the task |
If you haven’t already, check out our contributing guidelines for onboarding and email [email protected] to request to join our Slack channel!
Version Number: 1.4.23-0
Reproducible in staging?: y
Reproducible in production?: y
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Expensify/Expensify Issue URL:
Issue reported by: Applause - Internal Team
Slack conversation:
Issue found when executing PR #33656
Action Performed:
Expected Result:
Once the task is re assigned to account C account B should not be able to complete the task
Actual Result:
Even if the task is re assigned to account C, account B is still able to mark the task as completed
Workaround:
Unknown
Platforms:
Which of our officially supported platforms is this issue occurring on?
Screenshots/Videos
Add any screenshot/video evidence
Bug6336939_1704821571346.assigneeChange.mp4
View all open jobs on GitHub
Upwork Automation - Do Not Edit
The text was updated successfully, but these errors were encountered: