[HOLD for payment 2023-10-09] [$500] Web - Can edit private note of archived workspace using URL

[kbecciv]

If you haven’t already, check out our contributing guidelines for onboarding and email [email protected] to request to join our Slack channel!

---

Action Performed:

1. Go to https://staging.new.expensify.com
2. Click on the #admins room of a workspace
3. Click on the room details > Privacy Notes > My Note > Note
4. Create a note > Save
5. Copy the URL
6. Delete that workspace
7. Past the copied URL

Expected Result:

User should not be able to edit private note of archived workspace

Actual Result:

User is able to edit private note of archived workspace

Workaround:

Unknown

Platforms:

Which of our officially supported platforms is this issue occurring on?

• Android / native
• Android / Chrome
• iOS / native
• iOS / Safari
• MacOS / Chrome / Safari
• MacOS / Desktop

Version Number: 1.3.72.6
Reproducible in staging?: y
Reproducible in production?: y
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Notes/Photos/Videos: Any additional supporting documentation

note-archived.1.webm

Recording.4661.mp4

Expensify/Expensify Issue URL:
Issue reported by: @hichamcc
Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1695067265209059

View all open jobs on GitHub

Upwork Automation - Do Not Edit

• Upwork Job URL: https://www.upwork.com/jobs/~011c113c6aa5282936
• Upwork Job ID: 1704594359596937216
• Last Price Increase: 2023-09-20
• Automatic offers:
• jjcoffee | Reviewer | 26875976
• dukenv0307 | Contributor | 26875977

[dukenv0307]

Proposal

Please re-state the problem that we are trying to solve in this issue.

Can edit private notes of archived workspace using URL

What is the root cause of that problem?

We do not have the logic to check if the room is archived, as a result, users can access and edit the note

What changes do you think we should make in order to solve the problem?

We should add the logic to check whether the room is archived by adding to the shouldShow prop of the FullPageNotFoundView component

App/src/pages/PrivateNotes/PrivateNotesEditPage.js

Line 85 in bb84ee1

shouldShow={_.isEmpty(report) || _.isEmpty(report.privateNotes) || !_.has(report, ['privateNotes', route.params.accountID, 'note']) || !isCurrentUserNote}

ReportUtils.isArchivedRoom(report)

What alternative solutions did you explore? (Optional)

[ahmedGaber93]

Proposal

Please re-state the problem that we are trying to solve in this issue.

Can edit private note of archived workspace using URL

What is the root cause of that problem?

In ReportDetailsPage.js page, We hide private notes based on isArchivedRoom, but in PrivateNotesEditPage.js page we don't show not fount screen in this case.

What changes do you think we should make in order to solve the problem?

we need to add condition isArchivedRoom in FullPageNotFoundView shouldShow

const isArchivedRoom = useMemo(() => ReportUtils.isArchivedRoom(report), [report]);

<FullPageNotFoundView
    shouldShow={..... || isArchivedRoom}

here

We can apply the same fix in other notes pages, like PrivateNotesViewPage.js, PrivateNotesListPage.js ..., I think other proposals not included these places.

What alternative solutions did you explore? (Optional)

we can instead allow displaying the private notes, but disable edit it when isArchived

[melvin-bot]

Triggered auto assignment to @Christinadobrzyn (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

[melvin-bot]

Job added to Upwork: https://www.upwork.com/jobs/~011c113c6aa5282936

[melvin-bot]

Bug0 Triage Checklist (Main S/O)

• This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
• This bug is not a duplicate report (check E/App issues and #expensify-bugs)
  • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
• This bug is reproducible using the reproduction steps in the OP. S/O
  • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
  • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
• This issue is filled out as thoroughly and clearly as possible
  • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
• I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync

[melvin-bot]

Triggered auto assignment to @puneetlath (External), see https://stackoverflow.com/c/expensify/questions/8582 for more details.

[melvin-bot]

Triggered auto assignment to Contributor-plus team member for initial proposal review - @jjcoffee (External)

[iamuddeshya]

Suggestion: This must be handled on the backend as well. If the workspace is archived and yet a PUT/PATCH to Note is made, the backend must throw 405 [ Not Allowed ].

[jjcoffee]

Reviewing tomorrow!

[jjcoffee]

Assuming the expected behaviour is to display "not found", then since we have two pretty much identical proposals, we can go with @dukenv0307's proposal - it was first and LGTM!

🎀👀🎀 C+ reviewed

[melvin-bot]

Current assignee @puneetlath is eligible for the choreEngineerContributorManagement assigner, not assigning anyone new.

[ahmedGaber93]

since we have two pretty much identical proposals

Hi @jjcoffee
I think my proposal is not identical, I propose to do this change in PrivateNotesEditPage.js and the other note page like PrivateNotesViewPage.js, and PrivateNotesListPage.js, but the other proposal doesn't.

Navigation flow: report details ⇾ notes list ⇾ note ⇾ edit note.
Report details page is already handled isArchived, so we need to fix the other note pages in the middle, not fix edit note page only.

Thanks!

[ahmedGaber93]

@jjcoffee can you please give me the last opinion about this #27891 (comment)

[jjcoffee]

@ahmedGaber93 Small additional changes like those you mention can be addressed in the PR and don't usually influence proposal selection.

[ahmedGaber93]

@jjcoffee I just thought this wouldn't be remembered, so I refer to it.
Thanks for your time.

[melvin-bot]

📣 @jjcoffee 🎉 An offer has been automatically sent to your Upwork account for the Reviewer role 🎉 Thanks for contributing to the Expensify app!

Offer link
Upwork job

[melvin-bot]

📣 @dukenv0307 🎉 An offer has been automatically sent to your Upwork account for the Contributor role 🎉 Thanks for contributing to the Expensify app!

Offer link
Upwork job
Please accept the offer and leave a comment on the Github issue letting us know when we can expect a PR to be ready for review 🧑‍💻
Keep in mind: Code of Conduct | Contributing 📖

[melvin-bot]

📣 @hichamcc We're missing your Upwork ID to automatically send you an offer for the Reporter role.
Once you apply to the Upwork job, your Upwork ID will be stored and you will be automatically hired for future jobs!

[puneetlath]

Cool, @dukenv0307's proposal sounds good to me. I'll also update the back-end to disallow editing this for archived rooms.

[dukenv0307]

@jjcoffee The PR is ready for review

[melvin-bot]

🎯 ⚡️ Woah @jjcoffee / @dukenv0307, great job pushing this forwards! ⚡️

The pull request got merged within 3 working days of assignment, so this job is eligible for a 50% #urgency bonus 🎉

• when @dukenv0307 got assigned: 2023-09-26 03:45:13 Z
• when the PR got merged: 2023-09-28 08:32:39 UTC

On to the next one 🚀

[melvin-bot]

Reviewing label has been removed, please complete the "BugZero Checklist".

[melvin-bot]

The solution for this issue has been 🚀 deployed to production 🚀 in version 1.3.75-12 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

• fix: can edit private note of archived workspace using URL #28252

If no regressions arise, payment will be issued on 2023-10-09. 🎊

After the hold period is over and BZ checklist items are completed, please complete any of the applicable payments for this issue, and check them off once done.

• External issue reporter
• Contributor that fixed the issue
• Contributor+ that helped on the issue and/or PR

For reference, here are some details about the assignees on this issue:

• @jjcoffee requires payment offer (Reviewer)
• @dukenv0307 requires payment offer (Contributor)
• @hichamcc requires payment

As a reminder, here are the bonuses/penalties that should be applied for any External issue:

• Merged PR within 3 business days of assignment - 50% bonus
• Merged PR more than 9 business days after assignment - 50% penalty

[melvin-bot]

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

• [@jjcoffee] The PR that introduced the bug has been identified. Link to the PR:
• [@jjcoffee] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:
• [@jjcoffee] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:
• [@jjcoffee] Determine if we should create a regression test for this bug.
• [@jjcoffee] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.
• [@Christinadobrzyn] Link the GH issue for creating/updating the regression test once above steps have been agreed upon: https://github.com/Expensify/Expensify/issues/325423

[Christinadobrzyn]

@jjcoffee Can you complete the checklist and list any regression test steps?

Payouts due:

Issue Reporter: $50 @hichamcc (paid in Upwork)
Contributor: $500 + $250 bonus @dukenv0307 (paid in Upwork)
Contributor+: $500 + $250 bonus @jjcoffee (paid in Upwork)

Eligible for 50% #urgency bonus? Y - based on #27891 (comment)

Upwork job is here.

[hichamcc]

@Christinadobrzyn accepted

[jjcoffee]

• The PR that introduced the bug has been identified. Link to the PR: N/A - behaviour has always been there
• The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment: N/A
• A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion: N/A
• Determine if we should create a regression test for this bug. Yes
• If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again. See below

[jjcoffee]

Regression Test Proposal

1. On any workspace's #admin room, open the details pane and create a note and save it
2. Copy the URL to the edit note page
3. Delete the workspace
4. Open the copied URL and verify that the "not found" screen shows

Do we agree 👍 or 👎

[jjcoffee]

@Christinadobrzyn Checklist updated - apologies for the delay!

[Christinadobrzyn]

Thanks! Test regression made and paid out based on #27891 (comment)

Closing!