[Due for payment 2025-02-18] [$250] All members should be able to post in the workspace chat and Who can post option should not have Admins only

[m-natarajan]

If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!

---

Version Number: 9.0.89-7
Reproducible in staging?: y
Reproducible in production?: y
If this was caught on HybridApp, is this reproducible on New Expensify Standalone?:
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Expensify/Expensify Issue URL:
Issue reported by: @danielrvidal
Slack conversation (hyperlinked to channel name): migrate

Action Performed:

1. Open the workspace chat
2. Go to settings
3. Hit who can post

Expected Result:

Admins only Shouldn't be an option as all members can post

Actual Result:

There is an option for the employees to not allow to post

Workaround:

unknown

Platforms:

Which of our officially supported platforms is this issue occurring on?

• Android: Standalone
• Android: HybridApp
• Android: mWeb Chrome
• iOS: Standalone
• iOS: HybridApp
• iOS: mWeb Safari
• MacOS: Chrome / Safari
• MacOS: Desktop

Screenshots/Videos

Add any screenshot/video evidence

Recording.929.mp4

View all open jobs on GitHub

Upwork Automation - Do Not Edit

• Upwork Job URL: https://www.upwork.com/jobs/~021885116331419624859
• Upwork Job ID: 1885116331419624859
• Last Price Increase: 2025-01-31
• Automatic offers:
• rayane-d | Reviewer | 106014858

Issue Owner

Current Issue Owner: @johncschuster

[melvin-bot]

Triggered auto assignment to @johncschuster (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details. Please add this bug to a GH project, as outlined in the SO.

[nyomanjyotisa]

Proposal

Please re-state the problem that we are trying to solve in this issue.

All members should be able to post in the workspace chat and Who can post option should not have Admins only

What is the root cause of that problem?

We don't filter the options here on writeCapabilityOptions for a specific room

App/src/pages/settings/Report/WriteCapabilityPage.tsx

Lines 37 to 42 in 50df6eb

	const writeCapabilityOptions = Object.values(CONST.REPORT.WRITE_CAPABILITIES).map((value) => ({
	value,
	text: translate(`writeCapabilityPage.writeCapability.${value}`),
	keyForList: value,
	isSelected: value === (report?.writeCapability ?? CONST.REPORT.WRITE_CAPABILITIES.ALL),
	}));

What changes do you think we should make in order to solve the problem?

Add a filter to writeCapabilityOptions to ensure that if isPolicyExpenseChat is true, only the "All members" option is shown

    const writeCapabilityOptions = Object.values(CONST.REPORT.WRITE_CAPABILITIES)
        .filter((value) => !isPolicyExpenseChat(report) || value === CONST.REPORT.WRITE_CAPABILITIES.ALL)
        .map((value) => ({
            value,
            text: translate(`writeCapabilityPage.writeCapability.${value}`),
            keyForList: value,
            isSelected: value === (report?.writeCapability ?? CONST.REPORT.WRITE_CAPABILITIES.ALL),
        }));

What specific scenarios should we cover in automated tests to prevent reintroducing this issue in the future?

What alternative solutions did you explore? (Optional)

We could remove the shouldAllowWriteCapabilityEditing condition to disable write capability editing. This involves removing the MenuItemWithTopDescription component entirely and always rendering the View with the Text elements.

App/src/pages/settings/Report/ReportSettingsPage.tsx

Lines 68 to 91 in 50df6eb

	{shouldShowWriteCapability &&
	(shouldAllowWriteCapabilityEditing ? (
	<MenuItemWithTopDescription
	shouldShowRightIcon
	title={writeCapabilityText}
	description={translate('writeCapabilityPage.label')}
	onPress={() => Navigation.navigate(ROUTES.REPORT_SETTINGS_WRITE_CAPABILITY.getRoute(reportID, backTo))}
	/>
	) : (
	<View style={[styles.ph5, styles.pv3]}>
	<Text
	style={[styles.textLabelSupporting, styles.lh16, styles.mb1]}
	numberOfLines={1}
	>
	{translate('writeCapabilityPage.label')}
	</Text>
	<Text
	numberOfLines={1}
	style={[styles.optionAlternateText, styles.pre]}
	>
	{writeCapabilityText}
	</Text>
	</View>
	))}

{shouldShowWriteCapability && (
    <View style={[styles.ph5, styles.pv3]}>
        <Text
            style={[styles.textLabelSupporting, styles.lh16, styles.mb1]}
            numberOfLines={1}
        >
            {translate('writeCapabilityPage.label')}
        </Text>
        <Text
            numberOfLines={1}
            style={[styles.optionAlternateText, styles.pre]}
        >
            {writeCapabilityText}
        </Text>
    </View>
)}

Result

[github-actions]

⚠️ @nyomanjyotisa Thanks for your proposal. Please update it to follow the proposal template, as proposals are only reviewed if they follow that format (note the mandatory sections).

[bernhardoj]

Proposal

Please re-state the problem that we are trying to solve in this issue.

The admin can change the write capability to admins only on a workspace chat.

What is the root cause of that problem?

Currently, the condition to decide whether the user can change the write capability or not is this.

App/src/libs/ReportUtils.ts

Lines 7696 to 7698 in 50df6eb

	function canEditWriteCapability(report: OnyxEntry<Report>, policy: OnyxEntry<Policy>): boolean {
	return isPolicyAdminPolicyUtils(policy) && !isAdminRoom(report) && !isArchivedReport(getReportNameValuePairs(report?.reportID)) && !isThread(report) && !isInvoiceRoom(report);
	}

There is no check whether the report is a workspace chat or not.

What changes do you think we should make in order to solve the problem?

Add a check for workspace chat too, so it returns false when it's a workspace chat.

function canEditWriteCapability(report: OnyxEntry<Report>, policy: OnyxEntry<Policy>): boolean {
    return isPolicyAdminPolicyUtils(policy) && ... && !isPolicyExpenseChat(report);
}

This will not allow the user to click the Who can post and a not found show is shown if the user directly accesses the page through url.

we can add more condition if needed

What specific scenarios should we cover in automated tests to prevent reintroducing this issue in the future?

We can do unit test for canEditWriteCapability to make sure it returns false when it's a workspace chat.

[melvin-bot]

Job added to Upwork: https://www.upwork.com/jobs/~021885116331419624859

[melvin-bot]

Triggered auto assignment to Contributor-plus team member for initial proposal review - @rayane-djouah (External)

[melvin-bot]

@johncschuster, @rayane-djouah Uh oh! This issue is overdue by 2 days. Don't forget to update your issues!

[rayane-d]

Sorry for the delay; I was sick at the end of last week. I'll review the issue today.

[flaviadefaria]

I wouldn't say this is a migration issue (despite being reported there) as chat isn't part of Classic. So I'd suggest moving this to #retain.

[rayane-d]

@bernhardoj's proposal looks good to me.
It addresses the issue at the permission level (canEditWriteCapability function), ensuring comprehensive protection by disabling editing entirely for workspace chats. This prevents both UI access and direct URL manipulation, and aligns with existing patterns.

🎀👀🎀 C+ reviewed

[melvin-bot]

Triggered auto assignment to @puneetlath, see https://stackoverflow.com/c/expensify/questions/7972 for more details.

[melvin-bot]

📣 @rayane-d 🎉 An offer has been automatically sent to your Upwork account for the Reviewer role 🎉 Thanks for contributing to the Expensify app!

Offer link
Upwork job

[bernhardoj]

PR is ready

cc: @rayane-d

[melvin-bot]

Reviewing label has been removed, please complete the "BugZero Checklist".

[melvin-bot]

The solution for this issue has been 🚀 deployed to production 🚀 in version 9.0.95-6 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

• Don't allow user to change write capability in workspace chat #56453

If no regressions arise, payment will be issued on 2025-02-18. 🎊

For reference, here are some details about the assignees on this issue:

• @bernhardoj requires payment through NewDot Manual Requests
• @rayane-d requires payment automatic offer (Reviewer)

[melvin-bot]

@rayane-d @johncschuster @rayane-d The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed. Please copy/paste the BugZero Checklist from here into a new comment on this GH and complete it. If you have the K2 extension, you can simply click: [this button]

[melvin-bot]

@puneetlath @johncschuster @bernhardoj @rayane-d this issue was created 2 weeks ago. Are we close to approving a proposal? If not, what's blocking us from getting this issue assigned? Don't hesitate to create a thread in #expensify-open-source to align faster in real time. Thanks!

[johncschuster]

Payment Summary

Contributor: @bernhardoj owed $250 via NewDot
Contributor+: @rayane-d owed $250 via NewDot

@rayane-d I see you are now on the list of contributors that can accept payment via NewDot and I've modified the payment summary to reflect that. Let me know if you need me to issue payment via Upwork instead!

[johncschuster]

BugZero Checklist:

• [Contributor] Classify the bug:

Bug classification

Source of bug:

• 1a. Result of the original design (eg. a case wasn't considered)
• 1b. Mistake during implementation
• 1c. Backend bug
• 1z. Other:

Where bug was reported:

• 2a. Reported on production (eg. bug slipped through the normal regression and PR testing process on staging)
• 2b. Reported on staging (eg. found during regression or PR testing)
• 2d. Reported on a PR
• 2z. Other:

Who reported the bug:

• 3a. Expensify user
• 3b. Expensify employee
• 3c. Contributor
• 3d. QA
• 3z. Other:

• [Contributor] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake.

  Link to comment:

• [Contributor] If the regression was CRITICAL (e.g. interrupts a core flow) A discussion in #expensify-open-source has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner.

  Link to discussion:

• [Contributor] If it was decided to create a regression test for the bug, please propose the regression test steps using the template below to ensure the same bug will not reach production again.

Regression Test Proposal Template

• [BugZero Assignee] Create a GH issue for creating/updating the regression test once above steps have been agreed upon.

  Link to issue:

Regression Test Proposal

Precondition:

Test:

Do we agree 👍 or 👎

[bernhardoj]

Requested in ND.

[JmillsExpensify]

$250 approved for @bernhardoj

[rayane-d]

BugZero Checklist:

• [Contributor] Classify the bug:

Bug classification

Source of bug:

• 1a. Result of the original design (eg. a case wasn't considered)
• 1b. Mistake during implementation
• 1c. Backend bug
• 1z. Other:

Where bug was reported:

• 2a. Reported on production (eg. bug slipped through the normal regression and PR testing process on staging)
• 2b. Reported on staging (eg. found during regression or PR testing)
• 2d. Reported on a PR
• 2z. Other:

Who reported the bug:

• 3a. Expensify user
• 3b. Expensify employee
• 3c. Contributor
• 3d. QA
• 3z. Other:

• [Contributor] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake.

  Link to comment: Add ability for admins to restrict who can post within rooms #19094 (comment)

• [Contributor] If the regression was CRITICAL (e.g. interrupts a core flow) A discussion in #expensify-open-source has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner.

  Link to discussion: N/A

• [Contributor] If it was decided to create a regression test for the bug, please propose the regression test steps using the template below to ensure the same bug will not reach production again.

• [BugZero Assignee] Create a GH issue for creating/updating the regression test once above steps have been agreed upon.

  Link to issue:

Regression Test Proposal

Precondition:

• Create a workspace if you don't have one

Test:

1. Open your own workspace chat
2. Press the header
3. Press Settings
4. Verify the "Who can post" field is not accessible

Do we agree 👍 or 👎

[rayane-d]

Requested in NewDot

[garrettmknight]

$250 approved for @rayane-d