[$1000] Anonymous User can open title/description edit task modal but not able to edit it #25482

Closed
1 of 6 tasks
kavimuru opened this issue Aug 18, 2023 · 82 comments
Labels
Bug Something is broken. Auto assigns a BugZero manager. Daily KSv2 External Added to denote the issue can be worked on by a contributor Help Wanted Apply this label when an issue is open to proposals by contributors

kavimuru commented Aug 18, 2023

If you haven’t already, check out our contributing guidelines for onboarding and email [email protected] to request to join our Slack channel!


Action Performed:

  • Create a public room, and assign the task
  • Copy the room link and open it in incognito window
  • Open the task, and add /title to the link. The link will be -
    http://localhost:8082/r/6576534725992156/title
  • Hit enter, the title edit dialogue will open
  • Try editing the task, and saving it. No effect.

Expected Result:

Navigates to the sign in page

Actual Result:

Title change page can be opened

Workaround:

Can the user still use Expensify without this being fixed? Have you informed them of the workaround?

Platforms:

Which of our officially supported platforms is this issue occurring on?

  • Android / native
  • Android / Chrome
  • iOS / native
  • iOS / Safari
  • MacOS / Chrome / Safari
  • MacOS / Desktop

Version Number:
Reproducible in staging?: needs reproduction
Reproducible in production?: Needs reproduction
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Notes/Photos/Videos: Any additional supporting documentation

Screen.Recording.2023-08-08.at.2.03.24.PM.mov

Expensify/Expensify Issue URL:
Issue reported by: @BhuvaneshPatil
Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1691484016766219

Upwork Automation - Do Not Edit
  • Upwork Job URL: https://www.upwork.com/jobs/~01474a89838f9e93ae
  • Upwork Job ID: 1694002267803222016
  • Last Price Increase: 2024-01-02
@kavimuru kavimuru added Daily KSv2 Needs Reproduction Reproducible steps needed Bug Something is broken. Auto assigns a BugZero manager. labels Aug 18, 2023
@melvin-bot

melvin-bot bot commented Aug 18, 2023

Triggered auto assignment to @slafortune (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

@melvin-bot

melvin-bot bot commented Aug 18, 2023

Bug0 Triage Checklist (Main S/O)

  • This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
  • This bug is not a duplicate report (check E/App issues and #expensify-bugs)
    • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
  • This bug is reproducible using the reproduction steps in the OP. S/O
    • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
    • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
  • This issue is filled out as thoroughly and clearly as possible
    • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
  • I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync

@BhuvaneshPatil
Contributor

BhuvaneshPatil commented Aug 18, 2023

Proposal

Please re-state the problem that we are trying to solve in this issue.

Anonymous User can open title/description edit task modal but not able to edit it

What is the root cause of that problem?

We are not checking if the user is anonymous in TaskTitlePage and TaskDescriptionPage.

What changes do you think we should make in order to solve the problem?

There are two approaches for this -

  1. Redirecting user to sign in page
  • We can check if user is anonymous using Session.isAnonymousUser and redirect to sign in page
    Session provides the method - signOutAndRedirectToSignIn and if user is anonymous user we can call the mentioned method.
    Caveat here is - recently signOutAndRedirectToSignIn method was changed and new component SignInModal is opened instead of redirecting to original sign in page. That provides a back button in header, that will take us back to /title page.
    Previously redirectToSignIn method was being used in signOutAndRedirectToSignIn to redirect that cleaned the navigation stack.
    If we are okay with not showing SIGN_IN_MODAL and redirect user to original SignInPage, we can pass a parameter to signOutAndRedirectToSignIn that will perform that.
    something like -
function signOutAndRedirectToSignIn(newParam = false) {
    Log.info('Redirecting to Sign In because signOut() was called');
    hideContextMenu(false);
    if (!isAnonymousUser() || newParam) {
        signOut();
        redirectToSignIn();
    } else {
        Navigation.navigate(ROUTES.SIGN_IN_MODAL);
        Linking.getInitialURL().then((url) => {
            const reportID = ReportUtils.getReportIDFromLink(url);
            if (reportID) {
                Report.setLastOpenedPublicRoom(reportID);
            }
        });
    }
}

    The default value of newParam will be false, so it won't have any effect, but when we explicitly pass it as true, we can use redirectToSignIn.
    I am researching more about this, but this can be a possible solution.
    This is because when we enter a URL like this, we are opening the app through a deep link and thus there is no need for going back.
  2. Wrapping the component with FullPageNotFoundView
  • The shouldShow condition should be passed so that FullPageNotFoundView will be displayed, and an appropriate message should be displayed using subtitleKey.

result -

Screen.Recording.2023-08-23.at.4.42.37.PM.mov

What alternative solutions did you explore? (Optional)

@BhuvaneshPatil
Contributor

BhuvaneshPatil commented Aug 18, 2023

@mountiny Which approach shall we follow here?

@melvin-bot melvin-bot bot added the Overdue label Aug 21, 2023
@mountiny
Contributor

When you click on such action you should be navigated to the sign in page

> Navigates to the sign in page

updated the expected results section

@melvin-bot

melvin-bot bot commented Aug 22, 2023

@slafortune Whoops! This issue is 2 days overdue. Let's get this updated quick!

@slafortune slafortune removed the Needs Reproduction Reproducible steps needed label Aug 22, 2023
@slafortune
Contributor

looks good

@melvin-bot melvin-bot bot removed the Overdue label Aug 22, 2023
@slafortune slafortune added the External Added to denote the issue can be worked on by a contributor label Aug 22, 2023
@melvin-bot melvin-bot bot changed the title Annonymous User can open title/description edit task modal but not able to edit it [$1000] Annonymous User can open title/description edit task modal but not able to edit it Aug 22, 2023
@melvin-bot

melvin-bot bot commented Aug 22, 2023

Job added to Upwork: https://www.upwork.com/jobs/~01474a89838f9e93ae

@melvin-bot melvin-bot bot added the Help Wanted Apply this label when an issue is open to proposals by contributors label Aug 22, 2023
@melvin-bot

melvin-bot bot commented Aug 22, 2023

Current assignee @slafortune is eligible for the External assigner, not assigning anyone new.

@melvin-bot

melvin-bot bot commented Aug 22, 2023

Triggered auto assignment to Contributor-plus team member for initial proposal review - @sobitneupane (External)

@sobitneupane
Contributor

@BhuvaneshPatil Would you like to update your proposal with more details? Please include permalink to refer where the issue exists and which are the files where you are proposing to make the change.

@BhuvaneshPatil
Contributor

Sure @sobitneupane .
I will update the proposal shortly.

@sobitneupane
Contributor

@BhuvaneshPatil I am having some issue while trying to open task report as an anonymous user. So, It is difficult for me to reproduce the issue.

Screen.Recording.2023-08-24.at.14.41.01.mov

@BhuvaneshPatil
Contributor

@sobitneupane I also face same issue many times, What I do is create a new task and open it. There is an issue created for the same.
PS - Finding that issue

@BhuvaneshPatil
Contributor

Link to issue - #23491

@sobitneupane
Contributor

@BhuvaneshPatil Thanks for the update.

Let's hold this issue for now. We will come back to it after #23491 gets fixed.

cc: @slafortune

@melvin-bot melvin-bot bot added the Overdue label Aug 28, 2023
@melvin-bot

melvin-bot bot commented Aug 28, 2023

@slafortune, @sobitneupane Whoops! This issue is 2 days overdue. Let's get this updated quick!

@slafortune slafortune changed the title [$1000] Annonymous User can open title/description edit task modal but not able to edit it [On Hold for #23491][$1000] Annonymous User can open title/description edit task modal but not able to edit it Aug 28, 2023

melvin-bot bot commented Dec 25, 2023

@johncschuster, @sobitneupane Huh... This is 4 days overdue. Who can take care of this?


melvin-bot bot commented Dec 26, 2023

📣 It's been a week! Do we have any satisfactory proposals yet? Do we need to adjust the bounty for this issue? 💸


melvin-bot bot commented Dec 27, 2023

@johncschuster, @sobitneupane Still overdue 6 days?! Let's take care of this!


melvin-bot bot commented Dec 29, 2023

@johncschuster, @sobitneupane Now this issue is 8 days overdue. Are you sure this should be a Daily? Feel free to change it!


melvin-bot bot commented Jan 2, 2024

📣 It's been a week! Do we have any satisfactory proposals yet? Do we need to adjust the bounty for this issue? 💸


melvin-bot bot commented Jan 2, 2024

@johncschuster, @sobitneupane 12 days overdue. Walking. Toward. The. Light...

@johncschuster
Contributor

johncschuster commented Jan 2, 2024

@DylanDylann did you follow the exact reproduction steps above to reproduce the behavior, or did you need to modify the repro steps in any way?

@sobitneupane it sounds like this behavior still persists. Do you feel the proposals above are sufficient, or do we need to look for alternatives?

@melvin-bot melvin-bot bot removed the Overdue label Jan 2, 2024
@DylanDylann
Contributor

DylanDylann commented Jan 3, 2024

@johncschuster I need to modify the repro steps. See it

@melvin-bot melvin-bot bot added the Overdue label Jan 5, 2024

melvin-bot bot commented Jan 8, 2024

@johncschuster, @sobitneupane Eep! 4 days overdue now. Issues have feelings too...

@sobitneupane
Contributor

Sorry for the delay @DylanDylann.

Yup. I can still reproduce the issue.

Proposal from @DylanDylann looks good to me.

🎀 👀 🎀 C+ reviewed

@melvin-bot melvin-bot bot removed the Overdue label Jan 9, 2024

melvin-bot bot commented Jan 9, 2024

Triggered auto assignment to @youssef-lr, see https://stackoverflow.com/c/expensify/questions/7972 for more details.

@DylanDylann
Contributor

@youssef-lr What do you think about my proposal here ?

@melvin-bot melvin-bot bot added the Overdue label Jan 11, 2024

melvin-bot bot commented Jan 12, 2024

@johncschuster, @youssef-lr, @sobitneupane Whoops! This issue is 2 days overdue. Let's get this updated quick!

@youssef-lr
Contributor

Sorry folks, I don't think this is a bug worth fixing at the moment. @johncschuster what do you think?

@melvin-bot melvin-bot bot removed the Overdue label Jan 12, 2024
@DylanDylann
Contributor

DylanDylann commented Jan 12, 2024

@youssef-lr @johncschuster This bug will affect not only the title/description, but also all the flow that we do not want the anonymous user can access

@johncschuster
Contributor

@DylanDylann, can you elaborate on this comment?:

> but also all the flow that we do not want the anonymous user can access

I'm having a hard time understanding what you mean.

@DylanDylann
Contributor

@johncschuster I mean that:

  • This bug happened when the anonymous user clicked on the link /r/:reportId/title or /r/:reportId/description
  • Also It happened when the anonymous user clicked on /settings/profile or whatever link that we do not want anonymous users to access
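
The concern raised in this thread is that a check added only to the title and description pages leaves every other protected route reachable by an anonymous user through a pasted link. As an added illustration (not part of the thread and not Expensify's code), a single deny-by-default check at the navigation layer treats /title, /description and /settings/profile the same way; the allowlist, the /signin path and the function names are assumptions.

```javascript
// Added example, not Expensify's code. Route shapes come from the thread;
// the allowlist, the /signin path and all function names are hypothetical.

// Deny by default: an anonymous session may render only routes listed here.
const ANONYMOUS_ALLOWED = [
    /^\/r\/\d+\/?$/, // view a public room or task report
    /^\/signin\/?$/, // assumed sign-in route
];

// Resolve dot segments and drop query/hash before matching, so a link such as
// "/r/1/../../settings/profile" is judged by where it really lands.
function normalizePath(link) {
    return new URL(link, 'http://app.invalid').pathname;
}

// Decide what the navigator should do with a deep link or an in-app link.
// This only controls what the client renders; the server still has to
// authorize every write.
function resolveNavigation(session, link) {
    const path = normalizePath(link);
    if (!session.isAnonymous) {
        return {action: 'render', path};
    }
    const allowed = ANONYMOUS_ALLOWED.some((pattern) => pattern.test(path));
    return allowed ? {action: 'render', path} : {action: 'signIn', returnTo: path};
}

// Constructed sample links, based on the routes named in the thread.
const anonymous = {isAnonymous: true};
const samples = [
    'http://localhost:8082/r/6576534725992156',
    'http://localhost:8082/r/6576534725992156/title',
    '/r/6576534725992156/description',
    '/settings/profile',
    '/r/1/../../settings/profile',
];
for (const link of samples) {
    console.log(link, '->', resolveNavigation(anonymous, link).action);
}
```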

@youssef-lr
Contributor

youssef-lr commented Jan 12, 2024

@DylanDylann I don't think this is reproducible anymore, modifying the URL still takes me to the sign in page. The inputs show up for a split second, but again I don't think we need to worry about this bug at the moment, as long as clicking on the fields takes us immediately to the sign in page, I think it's fine.

Screen.Recording.2024-01-13.at.00.42.15.mov

Thanks for your input here!

@DylanDylann
Contributor

DylanDylann commented Jan 12, 2024

@youssef-lr No. You need to paste the link to the report, send it then click on that

@DylanDylann
Contributor

@youssef-lr Here is the evidence video. You can follow its reproduce steps

Screencast.from.13-01-2024.06.58.00.webm

@youssef-lr
Contributor

Right @DylanDylann, but I don't think this is affecting real world users currently, we can definitely revisit it once it does.

@DylanDylann
Contributor

This bug still can be reproduced. User can go to the protected route through internal link

Screencast.from.28-02-2024.14.42.21.webm

Projects
None yet
Development

No branches or pull requests

8 participants