[$500] Request Money - The user is able to request money from the Concierge by changing chat ID #28332

Closed
3 of 6 tasks
kbecciv opened this issue Sep 27, 2023 · 8 comments
Labels
Bug Something is broken. Auto assigns a BugZero manager. Daily KSv2 External Added to denote the issue can be worked on by a contributor Help Wanted Apply this label when an issue is open to proposals by contributors

kbecciv commented Sep 27, 2023

If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!


Action Performed:

  1. Go to any chat
  2. Click Request Money
  3. Change the ID in the URL to the concierge chat ID
  4. Fill in the amount and click next

Expected Result:

The user shouldn't be able to request money from the Concierge

Actual Result:

The user is able to request money from the Concierge by changing chat ID

Workaround:

Unknown

Platforms:

Which of our officially supported platforms is this issue occurring on?

  • Android / native
  • Android / Chrome
  • iOS / native
  • iOS / Safari
  • MacOS / Chrome / Safari
  • MacOS / Desktop

Version Number: 1.3.74.2
Reproducible in staging?: y
Reproducible in production?: y
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Notes/Photos/Videos: Any additional supporting documentation

request-concierge.1.webm
Screenrecorder-2023-09-26-22-37-44-384.1.mp4
RPReplay_Final1695833886.MP4
Recording.4777.mp4

Expensify/Expensify Issue URL:
Issue reported by: @hichamcc
Slack conversation: https://expensify.slack.com/archives/C049HHMV9SM/p1695722715634289


Upwork Automation - Do Not Edit
  • Upwork Job URL: https://www.upwork.com/jobs/~01e314f8f81116a44a
  • Upwork Job ID: 1707078365282140160
  • Last Price Increase: 2023-09-27

c3024 commented Sep 27, 2023

Proposal

Please re-state the problem that we are trying to solve in this issue.

Can request money from Concierge by changing report id in link

What is the root cause of that problem?

We are not checking if the participant account ID(s) is a valid account ID for requesting money in MoneyRequestSelectorPage

What changes do you think we should make in order to solve the problem?

We should check if there are any participant account IDs that are invalid for requesting money. For Concierge we can make these changes.

const containsInvalidParticipant = props.report?.participantAccountIDs?.includes(CONST.ACCOUNT_ID.CONCIERGE);
<FullPageNotFoundView shouldShow={!IOUUtils.isValidMoneyRequestType(iouType) || containsInvalidParticipant}>

We can check for other invalid participants as well in this by using something like this

const containsInvalidParticipant = props.report?.participantAccountIDs?.some(participantAccountID => (CONST.EXPENSIFY_ACCOUNT_IDS.includes(participantAccountID)));

But I think money can be requested from some of the Expensify IDs. We can make an array of IDs that cannot be participants for money requests and use it in place of CONST.EXPENSIFY_ACCOUNT_IDS in the above line.
We can make these changes in other pages like MoneyRequestConfirmPage and other places as applicable, making a common function containsInvalidParticipant in ReportUtils or IOUUtils.

What alternative solutions did you explore? (Optional)

@kbecciv kbecciv added External Added to denote the issue can be worked on by a contributor Daily KSv2 Bug Something is broken. Auto assigns a BugZero manager. labels Sep 27, 2023
@ahmedGaber93

Proposal

Please re-state the problem that we are trying to solve in this issue.

User is able to request money from Concierge

What is the root cause of that problem?

There is no handling to display the not-found page for this case when opening by link

<FullPageNotFoundView shouldShow={!IOUUtils.isValidMoneyRequestType(iouType)}>

What changes do you think we should make in order to solve the problem?

We need to add the condition ReportUtils.isConciergeChatReport(props.report) || to FullPageNotFoundView shouldShow to prevent the request money pages from appearing for Concierge

What alternative solutions did you explore? (Optional)

N/A
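
The check that both proposals above describe, written as one shared helper. This is an added example, not code from the thread or from the Expensify code base; the account ID values, `NON_REQUESTABLE_ACCOUNT_IDS`, the IOU type list and the Map-based report store are assumptions made for illustration.

```javascript
// Constructed values for illustration; the app's real IDs are not shown on this page.
const CONST = {
    ACCOUNT_ID: {CONCIERGE: 1001},
    IOU_TYPES: ['request', 'send', 'split'], // hypothetical list
};

// Hypothetical denylist of accounts that can never be asked for money.
const NON_REQUESTABLE_ACCOUNT_IDS = new Set([CONST.ACCOUNT_ID.CONCIERGE]);

// Stand-in for IOUUtils.isValidMoneyRequestType named in the thread.
function isValidMoneyRequestType(iouType) {
    return CONST.IOU_TYPES.includes(iouType);
}

// True when any participant of the report is on the denylist.
// IDs are coerced with Number() so '1001' and 1001 compare equal.
function containsInvalidParticipant(report, blocked = NON_REQUESTABLE_ACCOUNT_IDS) {
    const ids = (report && report.participantAccountIDs) || [];
    return ids.some((id) => blocked.has(Number(id)));
}

// Value to pass as FullPageNotFoundView's shouldShow.
// Assumption of this sketch: a URL report ID that resolves to no report fails closed.
function shouldShowNotFound(iouType, reportID, reportsByID) {
    const report = reportsByID.get(String(reportID));
    if (!report) {
        return true;
    }
    return !isValidMoneyRequestType(iouType) || containsInvalidParticipant(report);
}

// Constructed sample store, keyed by report ID as it would appear in the URL.
const sampleReports = new Map([
    ['111', {reportID: '111', participantAccountIDs: [2002]}],
    ['222', {reportID: '222', participantAccountIDs: [CONST.ACCOUNT_ID.CONCIERGE]}],
    ['333', {reportID: '333', participantAccountIDs: ['1001', 2002]}],
]);

console.log(shouldShowNotFound('request', '111', sampleReports));
console.log(shouldShowNotFound('request', '222', sampleReports));
```

The report ID comes from the URL and is user-controlled, which is why the lookup goes through a Map and the participant IDs are normalised before comparison. A route guard like this only hides the page, so the same predicate also has to hold wherever the request is actually created.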

@melvin-bot melvin-bot bot changed the title Request Money - The user is able to request money from the Concierge by changing chat ID [$500] Request Money - The user is able to request money from the Concierge by changing chat ID Sep 27, 2023

melvin-bot bot commented Sep 27, 2023

Job added to Upwork: https://www.upwork.com/jobs/~01e314f8f81116a44a


melvin-bot bot commented Sep 27, 2023

Triggered auto assignment to @adelekennedy (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

@melvin-bot melvin-bot bot added the Help Wanted Apply this label when an issue is open to proposals by contributors label Sep 27, 2023

melvin-bot bot commented Sep 27, 2023

Bug0 Triage Checklist (Main S/O)

  • This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
  • This bug is not a duplicate report (check E/App issues and #expensify-bugs)
    • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
  • This bug is reproducible using the reproduction steps in the OP. S/O
    • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
    • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
  • This issue is filled out as thoroughly and clearly as possible
    • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
  • I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync


melvin-bot bot commented Sep 27, 2023

Triggered auto assignment to Contributor-plus team member for initial proposal review - @aimane-chnaif (External)

@dukenv0307

This will be fixed here #26149.

@adelekennedy

@aimane-chnaif from the comment above I think we should close this then!
