[HOLD for payment 2023-09-27] [$500] Web - Request money - Users can modify the paid requested money amount using the URL

[kbecciv]

If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!

---

Action Performed:

1. Log in to User A's account.
2. Create a workspace and invite User B.
3. Go to the workspace room(Expense room) from User B.
4. Navigate to the "Request money".
5. Enter a specific amount and initiate the request.
6. Return to User A's account.
7. Open the "Requested money" from the LHN sent by User B.
8. Open the detail page for the requested money.
9. Click on the "Amount" field.
10. Copy the URL associated with the amount.
11. Navigate back and select "Pay elsewhere."
12. Revisit the requested money detail page.
13. Paste the previously copied URL and modify the amount.
14. Observe that the amount has been successfully modified despite the IOU being marked as paid.

Expected Result:

Users should be unable to modify the amount of a paid requested money via URL

Actual Result:

Users can modify the paid requested money amount using the URL

Workaround:

Unknown

Platforms:

Which of our officially supported platforms is this issue occurring on?

• [ ] Android / native
• [ ] Android / Chrome
• [ ] iOS / native
• [ ] iOS / Safari
• [x] MacOS / Chrome / Safari
• [ ] MacOS / Desktop

Version Number: 1.3.67.1 Reproducible in staging?: y Reproducible in production?: y If this was caught during regression testing, add the test name, ID and link from TestRail: Email or phone of affected tester (no customers): Logs: https://stackoverflow.com/c/expensify/questions/4856 Notes/Photos/Videos: Any additional supporting documentation

https://github.com/Expensify/App/assets/93399543/b8f177a3-5d68-42ad-9d77-1452df69c3dd

https://github.com/Expensify/App/assets/93399543/374cfb10-864d-446c-92ae-68b486d167d6

Expensify/Expensify Issue URL: Issue reported by: @ayazhussain79 Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1694158187633499

View all open jobs on GitHub

Upwork Automation - Do Not Edit

• Upwork Job URL: https://www.upwork.com/jobs/~01fc5f75afccaf359e
• Upwork Job ID: 1701323718123368448
• Last Price Increase: 2023-09-11
• Automatic offers:
• 0xmiroslav | Reviewer | 26661068
• b4s36t4 | Contributor | 26661069

[melvin-bot[bot]]

Triggered auto assignment to @flaviadefaria (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

[melvin-bot[bot]]

Job added to Upwork: https://www.upwork.com/jobs/~01fc5f75afccaf359e

[melvin-bot[bot]]

Bug0 Triage Checklist (Main S/O)

• [ ] This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
• [ ] This bug is not a duplicate report (check E/App issues and #expensify-bugs)
  • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
• [ ] This bug is reproducible using the reproduction steps in the OP. S/O
  • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
  • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
• [ ] This issue is filled out as thoroughly and clearly as possible
  • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
• [ ] I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync

[melvin-bot[bot]]

Triggered auto assignment to @dylanexpensify (External), see https://stackoverflow.com/c/expensify/questions/8582 for more details.

[melvin-bot[bot]]

Triggered auto assignment to Contributor-plus team member for initial proposal review - @0xmiroslav (External)

[b4s36t4]

Proposal

Please re-state the problem that we are trying to solve in this issue.

Web - Request money - Users can modify the paid requested money amount using the URL

What is the root cause of that problem?

We already have a condition in which we're checking if the user can edit the request amount. If not we're dismissing modal but due the fact of we're opening page using URL. By the time when the condition run navigation is not yet fully completed so nothing is happening.

https://github.com/Expensify/App/blob/5f9bb2e1d901eb6dc0110d8214e679d4d2aa6822/src/pages/EditRequestPage.js#L87

This is where the issue of code snippet lies.

What changes do you think we should make in order to solve the problem?

1. We can use Navigation.isNavigationReady to run the Navigation.dismissModal() call to make it run only after navigation is ready. (tested | recommended)

2. We can use useFocusEffect hook from react-navigation and build logic around it to run Navigation.dismissModal once again. (not-tested)

What alternative solutions did you explore? (Optional)

NA

[DylanDylann]

Proposal

Please re-state the problem that we are trying to solve in this issue.

Web - Request money - Users can modify the paid requested money amount using the URL

What is the root cause of that problem?

https://github.com/Expensify/App/blob/8032edd27d9e7918beee234c33428df21652fcb6/src/pages/EditRequestPage.js#L88-L93 We had logic to dismiss modal when the request is paid. But Navigation.dismissModal() is executed before the transition end It causes this issue

What changes do you think we should make in order to solve the problem?

we should wrap dismissModal function by InteractionManager.runAfterInteractions to ensure that it will be executed after transition

InteractionManager.runAfterInteractions(()=> {
            Navigation.dismissModal();
        })

What alternative solutions did you explore? (Optional)

[needpower]

Proposal

Please re-state the problem that we are trying to solve in this issue.

Users can change the requested amount of money after completing a payment with the Pay elsewhere option.

What is the root cause of that problem?

The EditRequestPage component doesn't prevent modal appearance, despite there is a code that tries to do this: https://github.com/Expensify/App/blob/3fe7ab1c7d860f40eeb9a52b911f8d7bc4781dd5/src/pages/EditRequestPage.js#L87-L88

What changes do you think we should make in order to solve the problem?

1. Remove useEffect in the code referenced above cause it can make additional re-renders
2. Display the message You can not edit amount after payment is completed instead of an editable amount. The same should be done for other payment fields: Description, Date, Merchant.

What alternative solutions did you explore? (Optional)

Block navigation to Edit amount page on the route level by checking all conditions and redirecting to a Money Request detailed view if an amount is not editable. (It's an untested assumption if the solution will work out)

The solution @DylanDylann proposed fixes the issue but causes RHP flickering, which may confuse a user:

https://github.com/Expensify/App/assets/9203524/dbd7dcc1-24dc-4f81-98e3-99acb53772f0

[dylanexpensify]

seems I was assigned by mistake due to label error!

[0xmiros]

@b4s36t4's Solution 1 looks good to me. The root cause is also correct. 🎀 👀 🎀 C+ reviewed

[melvin-bot[bot]]

Triggered auto assignment to @chiragsalian, see https://stackoverflow.com/c/expensify/questions/7972 for more details.

[chiragsalian]

Proposal looks good to me. Feel free to create the PR. @b4s36t4.

One thing confuses me the video. After the expense is edited at the end i see the new amount reflected in both userA and userB, this means that the API request succeeded. That looks odd to me because i would think that EditMoneyRequest should fail on a paid expense. Testing locally i see that it failed so I'm confused why it did not for the tester.

Can someone confirm this, because if EditMoneyRequest then we should open an issue to fix it internally, otherwise people can just modify their expense via postman and that would be bad.

[melvin-bot[bot]]

📣 @0xmiroslav 🎉 An offer has been automatically sent to your Upwork account for the Reviewer role 🎉 Thanks for contributing to the Expensify app!

Offer link Upwork job

[melvin-bot[bot]]

📣 @b4s36t4 🎉 An offer has been automatically sent to your Upwork account for the Contributor role 🎉 Thanks for contributing to the Expensify app!

Offer link Upwork job Please accept the offer and leave a comment on the Github issue letting us know when we can expect a PR to be ready for review 🧑‍💻 Keep in mind: Code of Conduct | Contributing 📖

[melvin-bot[bot]]

📣 @ayazhussain79 We're missing your Upwork ID to automatically send you an offer for the Reporter role. Once you apply to the Upwork job, your Upwork ID will be stored and you will be automatically hired for future jobs!

[b4s36t4]

@chiragsalian Yes, backend request is getting success even though request is settled. This needs fix from backend as well.

[chiragsalian]

@luacmartins, tagging you since you worked on money request. Can you checkEditMoneyRequest, can you verify that an expense amount can be modified even after the expense is settled? If so can you create a GH issue to fix this in PHP and auth layer.

[b4s36t4]

@chiragsalian @0xmiroslav Raised PR here #27460. Thanks!

[melvin-bot[bot]]

🎯 ⚡️ Woah @0xmiroslav / @b4s36t4, great job pushing this forwards! ⚡️

The pull request got merged within 3 working days of assignment, so this job is eligible for a 50% #urgency bonus 🎉

• when @b4s36t4 got assigned: 2023-09-13 20:53:46 Z
• when the PR got merged: 2023-09-14 21:25:40 UTC

On to the next one 🚀

[luacmartins]

@mountiny worked on EditMoneyRequest but I don't think we allow you to change the amount for a settled request.

[mountiny]

@b4s36t4 is this only in case of expenses or IOU reports?

[b4s36t4]

I have checked it for a distance request, not for manual or scan.

[b4s36t4]

I think as per issue's description it happens with manual too.

[mountiny]

But what about the requests made between two users?

[mountiny]

@b4s36t4 I am trying but I cannot reproduce even in staging, when I edit the paid report, it reverts back

[b4s36t4]

https://github.com/Expensify/App/assets/59088937/9622e4db-0782-40f5-b19b-7e66735306e5

@mountiny Just tried on the staging.

[mountiny]

@b4s36t4 can you stry with normal cash request?

[b4s36t4]

https://github.com/Expensify/App/assets/59088937/b586956f-c8ec-408d-acb6-917d9f8d56b3

@mountiny

[b4s36t4]

BTW header looks different this maybe a UI bug.

[mountiny]

@b4s36t4 I am not seeing the same, for me it reverts automatically.

[b4s36t4]

You're trying with any workspace? maybe try on a new workspace?

[b4s36t4]

The above recordings are with workspace, maybe you're trying with 1:1 chats?

[mountiny]

@b4s36t4 are you trying with an admin? I think I just reproduced on a new workspace when the requestor was an admin

[b4s36t4]

I'm an admin.

[mountiny]

okok so I have chatted with Jason and actually you can edit the expenses even after they are paid as an admin, however, currency, amount and date cannot be changed.

I will update the permissions on the backend

[mountiny]

Put up a PR which updates the permissions

[melvin-bot[bot]]

Reviewing label has been removed, please complete the "BugZero Checklist".

[melvin-bot[bot]]

The solution for this issue has been :rocket: deployed to production :rocket: in version 1.3.71-12 and is now subject to a 7-day regression period :calendar:. Here is the list of pull requests that resolve this issue:

• https://github.com/Expensify/App/pull/27460

If no regressions arise, payment will be issued on 2023-09-27. :confetti_ball:

After the hold period is over and BZ checklist items are completed, please complete any of the applicable payments for this issue, and check them off once done.

• [ ] External issue reporter
• [ ] Contributor that fixed the issue
• [ ] Contributor+ that helped on the issue and/or PR

For reference, here are some details about the assignees on this issue:

• @b4s36t4 requires payment offer (Contributor)
• @0xmiroslav requires payment offer (Reviewer)
• @ayazhussain79 requires payment

As a reminder, here are the bonuses/penalties that should be applied for any External issue:

• Merged PR within 3 business days of assignment - 50% bonus
• Merged PR more than 9 business days after assignment - 50% penalty

[melvin-bot[bot]]

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

• [x] [@0xmiroslav] The PR that introduced the bug has been identified. Link to the PR:
• [x] [@0xmiroslav] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:
• [x] [@0xmiroslav] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:
• [x] [@0xmiroslav] Determine if we should create a regression test for this bug.
• [x] [@0xmiroslav] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.
• [x] [@flaviadefaria] Link the GH issue for creating/updating the regression test once above steps have been agreed upon:

[melvin-bot[bot]]

@chiragsalian, @mountiny, @b4s36t4, @flaviadefaria, @0xmiroslav Uh oh! This issue is overdue by 2 days. Don't forget to update your issues!

[flaviadefaria]

@0xmiroslav can you please address the comment above so that I can proceed to making payments? Thanks!

[flaviadefaria]

Payment summary:

For reference, here are some details about the assignees on this issue: @b4s36t4 requires payment offer (Contributor) @0xmiroslav requires payment offer (Reviewer) @ayazhussain79 requires payment

The pull request got merged within 3 working days of assignment, so this job is eligible for a 50% #urgency bonus 🎉

@b4s36t4 (Contributor) = $500 + 50% bonus = $750 @0xmiroslav (Reviewer) = $500 + 50% bonus = $750 @ayazhussain79 (Reporter) = $50

[0xmiros]

No PR caused regression. This is unusual case. The bug was reproducible only when visit deep link directly. So I don't think regression test is needed here as we already prevented editing in backend.

[flaviadefaria]

@b4s36t4 and @0xmiroslav have been paid @ayazhussain79 I'm waiting for you to accept my offer.

[ayazhussain79]

@flaviadefaria offer accepted, Thank you

[flaviadefaria]

Everyone has been paid so closing this.