[Due for payment 2025-04-28] [$250] Expense - Report field is accessible by receiver in p2p expense and it opens blank page #60238

Closed
6 of 8 tasks
mitarachim opened this issue Apr 15, 2025 · 19 comments
Assignees
Labels
Awaiting Payment Auto-added when associated PR is deployed to production Bug Something is broken. Auto assigns a BugZero manager. Engineering Weekly KSv2

Comments

mitarachim commented Apr 15, 2025

If you haven’t already, check out our contributing guidelines for onboarding and email [email protected] to request to join our Slack channel!


Version Number: 9.1.28-1
Reproducible in staging?: Yes
Reproducible in production?: Unable to check
If this was caught on HybridApp, is this reproducible on New Expensify Standalone?: No, reproducible on hybrid only
If this was caught during regression testing, add the test name, ID and link from TestRail: Exp
Email or phone of affected tester (no customers): [email protected]
Issue reported by: Applause Internal Team
Device used: Mac 15.3 / Chrome
App Component: Money Requests

Action Performed:

  1. Go to staging.new.expensify.com
  2. [User A] Submit an expense to User B.
  3. [User A] Go to transaction thread.
  4. [User A] Click Report field.
  5. [User A] Note that it opens a blank page.
  6. [User B] Open chat with User A.
  7. [User B] Go to transaction thread.
  8. [User B] Click Report field.
  9. [User B] Note that it opens a blank page.

Expected Result:

Report field should not be accessible for the receiver in p2p expense.

Actual Result:

Report field is accessible for the receiver in p2p expense and it opens blank page.

Workaround:

Unknown

Platforms:

  • Android: Standalone
  • Android: HybridApp
  • Android: mWeb Chrome
  • iOS: Standalone
  • iOS: HybridApp
  • iOS: mWeb Safari
  • MacOS: Chrome / Safari
  • MacOS: Desktop

Screenshots/Videos

Bug6802363_1744692214234.20250415_124045.mp4

Upwork Automation - Do Not Edit
  • Upwork Job URL: https://www.upwork.com/jobs/~021912074972490831782
  • Upwork Job ID: 1912074972490831782
  • Last Price Increase: 2025-04-15
Current Issue Owner: @jliexpensify
@mitarachim mitarachim added Bug Something is broken. Auto assigns a BugZero manager. Daily KSv2 DeployBlocker Indicates it should block deploying the API DeployBlockerCash This issue or pull request should block deployment labels Apr 15, 2025

melvin-bot bot commented Apr 15, 2025

Triggered auto assignment to @madmax330 (DeployBlockerCash), see https://stackoverflowteams.com/c/expensify/questions/9980/ for more details.

melvin-bot bot commented Apr 15, 2025

Triggered auto assignment to @jliexpensify (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details. Please add this bug to a GH project, as outlined in the SO.

melvin-bot bot commented Apr 15, 2025

💬 A slack conversation has been started in #expensify-open-source

@github-actions github-actions bot added Engineering Hourly KSv2 and removed Daily KSv2 labels Apr 15, 2025
Contributor

👋 Friendly reminder that deploy blockers are time-sensitive ⏱ issues! Check out the open `StagingDeployCash` deploy checklist to see the list of PRs included in this release, then work quickly to do one of the following:

  1. Identify the pull request that introduced this issue and revert it.
  2. Find someone who can quickly fix the issue.
  3. Fix the issue yourself.

@madmax330 madmax330 added the External Added to denote the issue can be worked on by a contributor label Apr 15, 2025
@melvin-bot melvin-bot bot changed the title Expense - Report field is accessible by receiver in p2p expense and it opens blank page [$250] Expense - Report field is accessible by receiver in p2p expense and it opens blank page Apr 15, 2025

melvin-bot bot commented Apr 15, 2025

Job added to Upwork: https://www.upwork.com/jobs/~021912074972490831782

@melvin-bot melvin-bot bot added the Help Wanted Apply this label when an issue is open to proposals by contributors label Apr 15, 2025

melvin-bot bot commented Apr 15, 2025

Triggered auto assignment to Contributor-plus team member for initial proposal review - @eVoloshchak (External)

@rayane-d
Contributor

@daledah
Contributor

daledah commented Apr 15, 2025

Proposal

Please re-state the problem that we are trying to solve in this issue.

  • Report field is accessible for the receiver in p2p expense and it opens blank page.

What is the root cause of that problem?

  • We don't disable this row when we don't have valid report data to display, which can lead to a blank screen.

What changes do you think we should make in order to solve the problem?


```tsx
!!getOutstandingReports(policyID, allReports ?? {}).at(0)
```

```tsx
shouldShowNotFoundPage={expenseReports.length === 0}
```

What specific scenarios should we cover in automated tests to prevent reintroducing this issue in the future?

  • None

What alternative solutions did you explore? (Optional)

@PiyushChandra17

Proposal

Please re-state the problem that we are trying to solve in this issue.

Expense - Report field is accessible by receiver in p2p expense and it opens blank page

What is the root cause of that problem?

The issue here is that the “Report” field is clickable even for the receiver in a P2P expense, and it leads to a blank page — likely because the report?.reportID is invalid or inaccessible for that user.

What changes do you think we should make in order to solve the problem?

Only allow valid, authorized users (e.g. the sender) to click on the report field. Otherwise, the UI should either:

  • Not be interactive, or
  • Do nothing on click (or show a tooltip/message).

I think we should apply the following changes here,

```tsx
{!!parentReportID && (
    <OfflineWithFeedback pendingAction={getPendingFieldAction('reportID')}>
        <MenuItemWithTopDescription
            shouldShowRightIcon
            title={parentReport?.reportName}
            description={translate('common.report')}
            style={[styles.moneyRequestMenuItem]}
            titleStyle={styles.flex1}
            onPress={() => {
                if (!report?.reportID || !transaction?.transactionID) {
                    return;
                }
                Navigation.navigate(
                    ROUTES.MONEY_REQUEST_STEP_REPORT.getRoute(CONST.IOU.ACTION.EDIT, iouType, transaction?.transactionID, report.reportID, getReportRHPActiveRoute()),
                );
            }}
            interactive
            shouldRenderAsHTML
        />
    </OfflineWithFeedback>
)}
```

  1. Modify shouldShowRightIcon={canViewReport} and interactive={canViewReport}

```tsx
<OfflineWithFeedback pendingAction={getPendingFieldAction('reportID')}>
    <MenuItemWithTopDescription
        shouldShowRightIcon={canViewReport}
        title={parentReport?.reportName}
        description={translate('common.report')}
        style={[styles.moneyRequestMenuItem]}
        titleStyle={styles.flex1}
        onPress={() => {
            if (!canViewReport || !report?.reportID || !transaction?.transactionID) {
                return;
            }

            Navigation.navigate(
                ROUTES.MONEY_REQUEST_STEP_REPORT.getRoute(
                    CONST.IOU.ACTION.EDIT,
                    iouType,
                    transaction.transactionID,
                    report.reportID,
                    getReportRHPActiveRoute()
                )
            );
        }}
        interactive={canViewReport}
        shouldRenderAsHTML
    />
</OfflineWithFeedback>
```
  2. Add the canViewReport check

Define canViewReport using the appropriate logic based on:

  • If the user is the sender
  • Or has access to report.reportID

  3. Add this before rendering. This ensures only the sender of the parent report can navigate to the full report screen.

```tsx
const isCurrentUserSender = parentReport?.ownerAccountID === currentUserAccountID;
const canViewReport = Boolean(parentReportID && isCurrentUserSender && report?.reportID && transaction?.transactionID);
```

also, add:

```tsx
// useOnyx returns [value, metadata], not a setter, so only the value is destructured.
const [session] = useOnyx(ONYXKEYS.SESSION, {});
const currentUserAccountID = session?.accountID;
```

Here, in MoneyRequestView in order to pull the currentUserAccountID

What specific scenarios should we cover in automated tests to prevent reintroducing this issue in the future?

N/A

What alternative solutions did you explore? (Optional)

Absolute NONE

Reminder: Please use plain English, be brief and avoid jargon. Feel free to use images, charts or pseudo-code if necessary. Do not post large multi-line diffs or write walls of text. Do not create PRs unless you have been hired for this job.
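
An added example, not part of the original comments or the Expensify code base: the gating decisions from the two proposals above, folded into one pure function so the sender, receiver and missing-data cases can be covered by a unit test. The function name `getReportFieldAccess`, the `reason` values and the sample objects are hypothetical; the field names follow the proposal snippets.

```javascript
// Added illustration: getReportFieldAccess and the sample objects are hypothetical.
// Field names (ownerAccountID, reportID, transactionID) follow the proposal snippets.
function getReportFieldAccess({parentReport, report, transaction, currentUserAccountID, outstandingReports = []}) {
    let reason = 'ok';
    if (!parentReport?.reportID || !report?.reportID || !transaction?.transactionID) {
        reason = 'missing-ids';
    } else if (currentUserAccountID == null || parentReport.ownerAccountID !== currentUserAccountID) {
        // Null check first: an unloaded session must never "match" an unset owner
        // through undefined === undefined.
        reason = 'not-sender';
    } else if (outstandingReports.length === 0) {
        reason = 'no-outstanding-report';
    }
    const canOpen = reason === 'ok';
    return {
        reason,
        // Row state: no chevron and no press action unless the viewer may open the report.
        interactive: canOpen,
        shouldShowRightIcon: canOpen,
        // Screen state: the destination decides for itself instead of trusting
        // that the row was disabled, so it renders not-found rather than a blank page.
        shouldShowNotFoundPage: !canOpen,
    };
}

// Constructed sample: a p2p expense submitted by account 11 (User A) to account 22 (User B).
const p2pExpense = {
    parentReport: {reportID: '1001', ownerAccountID: 11},
    report: {reportID: '2002'},
    transaction: {transactionID: '3003'},
    outstandingReports: [{reportID: '1001'}],
};

const asSender = getReportFieldAccess({...p2pExpense, currentUserAccountID: 11});
const asReceiver = getReportFieldAccess({...p2pExpense, currentUserAccountID: 22});
// Session not loaded and owner not set: both sides of the comparison are undefined.
const ownerUnset = getReportFieldAccess({...p2pExpense, parentReport: {reportID: '1001'}});
const noData = getReportFieldAccess({});

console.log({asSender, asReceiver, ownerUnset, noData});
```
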

@PiyushChandra17

@jliexpensify Since this is a deploy blocker, I can raise a quick PR. I can also update my proposal accordingly if needed. Thank you.

@waterim
Contributor

waterim commented Apr 15, 2025

Thank you @PiyushChandra17, but it will be fixed in my follow-up PR

@luacmartins
Contributor

We'll put this button behind a beta and tackle the issue as a follow up.

@melvin-bot melvin-bot bot removed the Help Wanted Apply this label when an issue is open to proposals by contributors label Apr 15, 2025
@luacmartins luacmartins added Help Wanted Apply this label when an issue is open to proposals by contributors and removed DeployBlocker Indicates it should block deploying the API labels Apr 15, 2025
@jliexpensify
Contributor

Can we move this one to a Daily so we don't get pings? 😅

@luacmartins
Contributor

No longer available in staging. Demoting.

@luacmartins luacmartins added Daily KSv2 and removed DeployBlockerCash This issue or pull request should block deployment External Added to denote the issue can be worked on by a contributor Help Wanted Apply this label when an issue is open to proposals by contributors Hourly KSv2 labels Apr 15, 2025

melvin-bot bot commented Apr 21, 2025

@eVoloshchak Huh... This is 4 days overdue. Who can take care of this?

@melvin-bot melvin-bot bot added the Overdue label Apr 21, 2025
@jliexpensify
Contributor

Just a heads up that I am OOO until the 30th but will fix up any payments when I'm back.

@melvin-bot melvin-bot bot added Weekly KSv2 Awaiting Payment Auto-added when associated PR is deployed to production and removed Daily KSv2 Overdue labels Apr 21, 2025
@melvin-bot melvin-bot bot changed the title [$250] Expense - Report field is accessible by receiver in p2p expense and it opens blank page [Due for payment 2025-04-28] [$250] Expense - Report field is accessible by receiver in p2p expense and it opens blank page Apr 21, 2025

melvin-bot bot commented Apr 21, 2025

The solution for this issue has been 🚀 deployed to production 🚀 in version 9.1.30-4 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

If no regressions arise, payment will be issued on 2025-04-28. 🎊

For reference, here are some details about the assignees on this issue:

  • @eVoloshchak requires payment through NewDot Manual Requests
  • @waterim does not require payment (Contractor)

melvin-bot bot commented Apr 21, 2025

@eVoloshchak @jliexpensify @eVoloshchak The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed. Please copy/paste the BugZero Checklist from here into a new comment on this GH and complete it. If you have the K2 extension, you can simply click: [this button]

@luacmartins
Contributor

luacmartins commented Apr 22, 2025

We can close this one since it's been fixed by #60318 and payment will be handled in #60288

9 participants