[HOLD for payment 2023-07-26] [$1000] Web - UserB can access the room "Welcome message" page and update it without permission

[kbecciv]

If you haven’t already, check out our contributing guidelines for onboarding and email [email protected] to request to join our Slack channel!

---

Action Performed:

1. Login to userA's account
2. Go to the "New room" section
3. Enter a room name and select userA's workspace
4. Set the visibility to "Public"
5. Click on "Create room"
6. Go to the room details.
7. Go to Share code > Copy the URL to the clipboard
8. Return to the room details
9. Navigate to Settings > Welcome message
10. Open a different browser and login to userB's account
11. Join the room by pasting the room URL
12. Now copy the “Welcome message” page URL from userA account
13. Paste it on userB’s browser
14. Update the "Welcome message"
15. Now copy the room URL from userA's account
16. Paste the URL in another browser

Expected Result:

UserB should be unable to access the "Welcome message" page and should not be able to modify it

Actual Result:

UserB can access the "Welcome message" page and update it without permission

Workaround:

Unknown

Platforms:

Which of our officially supported platforms is this issue occurring on?

• Android / native
• Android / Chrome
• iOS / native
• iOS / Safari
• MacOS / Chrome / Safari
• MacOS / Desktop

Version Number: 1.3.34-1
Reproducible in staging?: y
Reproducible in production?: y
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Notes/Photos/Videos: Any additional supporting documentation

screen-recording-2023-06-30-at-125608-am_4BuHkCsb.1.mp4

Recording.5257.mp4

Expensify/Expensify Issue URL:
Issue reported by: @ayazhussain79
Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1688069999157569

View all open jobs on GitHub

Upwork Automation - Do Not Edit

• Upwork Job URL: https://www.upwork.com/jobs/~0112e180fbc88a066d
• Upwork Job ID: 1676001917057400832
• Last Price Increase: 2023-07-03

[esh-g]

Proposal

Please re-state the problem

Unauthorized users are able to edit the welcome message of the workspace room.

What is the root cause of that problem?

The root cause is that there are no checks in place either on the backend or the front-end if the user has access to the workspace as an admin.

What changes do you think we should make to solve this problem?

On the front-end, we should prevent the user from accessing the welcomeMessage page if the user is not an admin of the workspace.

First we need to add the withOnyx HOC to access the policy in ReportWelcomeMessagePage.js:

withOnyx({
    policy: {
        key: ({report}) => `${ONYXKEYS.COLLECTION.POLICY}${report.policyID}`
    }
}),

Here are the possible approaches:

1. We can navigate the user back if they are not an admin.
2. We can show the not found page if they are not an admin.

Option 1
We can add a userEffect hook to check if the user is admin and if they not, just navigate them back like this:

useEffect(() => {
      if (PolicyUtils.isPolicyAdmin(props.policy)) {
          return;
      }
      Navigation.goBack();
  }, [props.policy]);

Option 2
We are already using FullPageNotFoundView and we can add an additional condition for that as follows:

const shouldHide = _.isEmpty(props.report) || !PolicyUtils.isPolicyAdmin(props.policy);

Additional Note

We should also do this for settings like who can post and room name.
Currently, we allow the user to see the edit room name page, but there is an error as soon as we try to change the name from the backend. I believe we should add this backend functionality to all other settings (like who can post, welcome message) also while adding the front-end safeguards proposed above.

What other approach did you explore

[melvin-bot]

Looks like something related to react-navigation may have been mentioned in this issue discussion.

As a reminder, please make sure that all proposals are not workarounds and that any and all attempt to fix the issue holistically have been made before proceeding with a solution. Proposals to change our DeprecatedCustomActions.js files should not be accepted.

Feel free to drop a note in #expensify-open-source with any questions.

[melvin-bot]

Triggered auto assignment to @puneetlath (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

[melvin-bot]

Bug0 Triage Checklist (Main S/O)

• This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
• This bug is not a duplicate report (check E/App issues and #expensify-bugs)
  • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
• This bug is reproducible using the reproduction steps in the OP. S/O
  • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
  • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
• This issue is filled out as thoroughly and clearly as possible
  • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
• I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync

[hungvu193]

Proposal

Please re-state the problem that we are trying to solve in this issue.

Web - UserB can access the room "Welcome message" page and update it without permission

What is the root cause of that problem?

In current ReportWelcomeMessagePage we didn't have a check if current user has permission to open it, we only prevent it from ReportSettingsPage.

What changes do you think we should make in order to solve the problem?

Since we need to reuse this in few other places, the best way to reuse the logic is to write a HOC. Let's call it withPolicyAdmin, we will wrap this HOC with any page that only can be access by admin user ie: Welcome message, who can post....etc.

import PropTypes from 'prop-types';
import React from 'react';
import {withOnyx} from 'react-native-onyx';
import _ from 'underscore';
import getComponentDisplayName from '../../../libs/getComponentDisplayName';
import NotFoundPage from '../../ErrorPage/NotFoundPage';
import ONYXKEYS from '../../../ONYXKEYS';
import reportPropTypes from '../../reportPropTypes';
import FullscreenLoadingIndicator from '../../../components/FullscreenLoadingIndicator';
import * as ReportUtils from '../../../libs/ReportUtils';
import * as PolicyUtils from "../../../libs/PolicyUtils";

export default function (WrappedComponent) {
    const propTypes = {
        /** The HOC takes an optional ref as a prop and passes it as a ref to the wrapped component.
         * That way, if a ref is passed to a component wrapped in the HOC, the ref is a reference to the wrapped component, not the HOC. */
        forwardedRef: PropTypes.func,

        /** The report currently being looked at */
        report: reportPropTypes,

        /** The policies which the user has access to */
        policies: PropTypes.objectOf(
            PropTypes.shape({
                /** The policy name */
                name: PropTypes.string,

                /** The type of the policy */
                type: PropTypes.string,
            }),
        ),

        /** Beta features list */
        betas: PropTypes.arrayOf(PropTypes.string),

        /** Indicated whether the report data is loading */
        isLoadingReportData: PropTypes.bool,
    };

    const defaultProps = {
        forwardedRef: () => {},
        report: {},
        policies: {},
        betas: [],
        isLoadingReportData: true,
    };

    // eslint-disable-next-line rulesdir/no-negated-variables
    function WithPolicyAdmin(props) {
        if (props.isLoadingReportData && (_.isEmpty(props.report) || !props.report.reportID)) {
            return <FullscreenLoadingIndicator />;
        } 
      // if we don't have permission, show not found page.
        if (_.isEmpty(props.report) || !props.report.reportID || !ReportUtils.canAccessReport(props.report, props.policies, props.betas) || !PolicyUtils.isPolicyAdmin(props.policy)) {
            return <NotFoundPage />;
        }
        const rest = _.omit(props, ['forwardedRef']);
        return (
            <WrappedComponent
                // eslint-disable-next-line react/jsx-props-no-spreading
                {...rest}
                ref={props.forwardedRef}
            />
        );
    }

    WithPolicyAdmin.propTypes = propTypes;
    WithPolicyAdmin.defaultProps = defaultProps;
    WithPolicyAdmin.displayName = `withPolicyAdmin(${getComponentDisplayName(WrappedComponent)})`;

    // eslint-disable-next-line rulesdir/no-negated-variables
    const withPolicyAdmin = React.forwardRef((props, ref) => (
        <WithPolicyAdmin
            // eslint-disable-next-line react/jsx-props-no-spreading
            {...props}
            forwardedRef={ref}
        />
    ));

    return withOnyx({
        report: {
            key: ({route}) => `${ONYXKEYS.COLLECTION.REPORT}${route.params.reportID}`,
        },
        isLoadingReportData: {
            key: ONYXKEYS.IS_LOADING_REPORT_DATA,
        },
        betas: {
            key: ONYXKEYS.BETAS,
        },
        policies: {
            key: ONYXKEYS.COLLECTION.POLICY,
        },
    })(withPolicyAdmin);
}

Since this logic will cover withReportOrNotFound we can deprecate it.

What alternative solutions did you explore? (Optional)

N/A

[puneetlath]

Interesting. I agree that we need to restrict this from both the front-end and back-end.

[melvin-bot]

Job added to Upwork: https://www.upwork.com/jobs/~0112e180fbc88a066d

[melvin-bot]

Current assignee @puneetlath is eligible for the External assigner, not assigning anyone new.

[melvin-bot]

Triggered auto assignment to Contributor-plus team member for initial proposal review - @mollfpr (External)

[puneetlath]

@mollfpr thoughts on the proposal?

[mollfpr]

Reviewing now!

[esh-g]

Just a note that we are trying to move away from HOCs with the typescript migration as mentioned here: https://expensify.slack.com/archives/C01GTK53T8Q/p1688768735041469?thread_ts=1688768338.846769&channel=C01GTK53T8Q&message_ts=1688768735.041469

[mollfpr]

Thanks for the proposal guys!

The HOC seems tempting and can do the conditional rendering. But this is pretty simple checking, and I am okay with doing it on each component page. As mentioned before by @esh-g, we are trying to move away from HOCs, and migrating to typescript will give us a headache 😅

So the proposal from @esh-g looks good. I think showing the not found page seems good. Also, we should update the RoomNamePage and WriteCapabilityPage.

🎀 👀 🎀 C+ reviewed!

[melvin-bot]

Triggered auto assignment to @grgia, see https://stackoverflow.com/c/expensify/questions/7972 for more details.

[hungvu193]

Thanks for the proposal guys!

The HOC seems tempting and can do the conditional rendering. But this is pretty simple checking, and I am okay with doing it on each component page. As mentioned before by @esh-g, we are trying to move away from HOCs, and migrating to typescript will give us a headache 😅

So the proposal from @esh-g looks good. I think showing the not found page seems good. Also, we should update the RoomNamePage and WriteCapabilityPage.

🎀 👀 🎀 C+ reviewed!

Cool, I agreed with ya about the HOC. Since RoomNamePage is already handled in my PR here (#22316), so you don't need to handle it in this issue @esh-g

[mollfpr]

Well played @hungvu193 👍

[melvin-bot]

📣 @mollfpr 🎉 An offer has been automatically sent to your Upwork account for the Reviewer role 🎉 Thanks for contributing to the Expensify app!

Upwork job

[melvin-bot]

📣 @esh-g 🎉 An offer has been automatically sent to your Upwork account for the Contributor role 🎉 Thanks for contributing to the Expensify app!

Upwork job
Please accept the offer and leave a comment on the Github issue letting us know when we can expect a PR to be ready for review 🧑‍💻
Keep in mind: Code of Conduct | Contributing 📖

[melvin-bot]

📣 @ayazhussain79 We're missing your Upwork ID to automatically send you an offer for the Reporter role.
Once you apply to the Upwork job, your Upwork ID will be stored and you will be automatically hired for future jobs!

[esh-g]

Thanks for assigning me! 🚀
Here is the PR: #22820
cc @mollfpr

[melvin-bot]

Reviewing label has been removed, please complete the "BugZero Checklist".

[melvin-bot]

The solution for this issue has been 🚀 deployed to production 🚀 in version 1.3.42-26 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

• Restrict workspace settings to admins #22820

If no regressions arise, payment will be issued on 2023-07-26. 🎊

After the hold period is over and BZ checklist items are completed, please complete any of the applicable payments for this issue, and check them off once done.

• External issue reporter @ayazhussain79
• Contributor that fixed the issue @esh-g
• Contributor+ that helped on the issue and/or PR @mollfpr

As a reminder, here are the bonuses/penalties that should be applied for any External issue:

• Merged PR within 3 business days of assignment - 50% bonus
• Merged PR more than 9 business days after assignment - 50% penalty

[melvin-bot]

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

• [@mollfpr] The PR that introduced the bug has been identified. Link to the PR:
• [@mollfpr] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:
• [@mollfpr] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:
• [@mollfpr] Determine if we should create a regression test for this bug.
• [@mollfpr] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.
• [@puneetlath] Link the GH issue for creating/updating the regression test once above steps have been agreed upon:

[puneetlath]

Looks like everyone has had contracts sent.

@mollfpr friendly reminder on the checklist.

[puneetlath]

Issue reporter: @ayazhussain79 $250
Contributor: @esh-g $1500 (including bonus)
C+: @mollfpr $1500 (including bonus)

I've paid the first two. @mollfpr just waiting on the checklist for you.

[mollfpr]

Sorry, I swear I already complete the checklist of the issues near the payment date 😅

[@mollfpr] The PR that introduced the bug has been identified. Link to the PR:

#18662
#21857

[@mollfpr] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:

https://github.com/Expensify/App/pull/18662/files#r1278793008
https://github.com/Expensify/App/pull/21857/files#r1278797201

[@mollfpr] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:

The regression step should be enough.

[@mollfpr] Determine if we should create a regression test for this bug.
[@mollfpr] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.

Test Setup

1. From account A, create a new workspace.
2. Invite account B.
3. Create a workspace from account B.

Therefore, B is an admin in workspace B and not workspace A.

We need to prepare a chat with deep links to the correct page for testing. This setup can be done once on web, and then can be tested on other platforms with the same account.

✅ The page will open
❌ The not found page will be open
Please look at the 'Test Setup (Web)' in the screenshots section to ensure steps are followed correctly.

1. We first need to copy the reportID of #announce of workspace A and workspace B then also #admin of workspace B. This can be done by opening the room and copying the number in the URL localhost:8080/r/[reportID].

2. [#announce B] means the reportID of the #announce room of workspace B. The same format applies for all other reportIDs copied.

3. Go to any chat on account B.

4. Add a comment 'Welcome message as admin' and add a link like this: https://staging.new.expensify.com/r/[#announce B]/welcomeMessage ✅

5. Add another comment 'Welcome message not as admin' and add a link like this: https://staging.new.expensify.com/r/[#announce A]/welcomeMessage. ❌

6. Add another comment 'Who can post (in #admin)' and add this a link like this: https://staging.new.expensify.com/r/[#admin B]/settings-who-can-post. ❌

7. Add another comment 'Who can post (as admin)' and add a link like this: https://staging.new.expensify.com/r/[#announce B]/settings/who-can-post. ✅

8. Add another comment 'Who can post (not as admin)' and add a link like this: https://staging.new.expensify.com/r/[#announce A]/settings/who-can-post. ❌

9. Click on each link and verify that it opens correctly according to ✅ and ❌.

[puneetlath]

Great, thanks. Paid!