Expensify
Onyx data sent to the incorrect accounts at incorrect times
If you haven’t already, check out our contributing guidelines for onboarding and email [email protected] to request to join our Slack channel!
Version Number: 9.0.72-2 Reproducible in staging?: Y Reproducible in production?: Y If this was caught on HybridApp, is this reproducible on New Expensify Standalone?: If this was caught during regression testing, add the test name, ID and link from TestRail: Email or phone of affected tester (no customers): Logs: https://stackoverflow.com/c/expensify/questions/4856 Expensify/Expensify Issue URL: Issue reported by: @Beamanator Slack conversation (hyperlinked to channel name): #expense
Action Performed:
- Create brand new workspace in NewDot A. Collect, Non IS (enable Delayed Submissions), S&A (Add basic Approvals) B. Invited 3 extra non-admin members C. submitter, category approver, tag approver D. Enabled Rules to upgrade workspace to Control & to enable rule approvals E. Deleted all categories, added 1 called CAT_APPR_1 & assigned category approver F. Enabled tags & added 1 called TAG_APPR_1 & assigned tag approver
- As Tag approver, sign in & open onyx data
- As submitter, create 1 expense w/ no category / tag A. Take note of the created reportID
- On tag approver, wait a few seconds for Onyx updates to arrive A. View report_<reportID> - see that you now see the report data, including some invalid Onyx data: B. hasParentAccess: true C. permissions: (4) ['read', 'write', 'share', 'own'] Note: ^ is also reproducible as Category approver
Expected Result:
Onyx data not sent to the incorrect accounts at incorrect times
Actual Result:
Onyx data sent to the incorrect accounts at incorrect times
Workaround:
Can the user still use Expensify without this being fixed? Have you informed them of the workaround?
Platforms:
Which of our officially supported platforms is this issue occurring on?
- [ ] Android: Standalone
- [ ] Android: HybridApp
- [ ] Android: mWeb Chrome
- [ ] iOS: Standalone
- [ ] iOS: HybridApp
- [ ] iOS: mWeb Safari
- [x] MacOS: Chrome / Safari
- [ ] MacOS: Desktop
Screenshots/Videos
Add any screenshot/video evidence
Triggered auto assignment to @joekaufmanexpensify (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details. Please add this bug to a GH project, as outlined in the SO.
![melvin-bot[bot] avatar](https://avatars.githubusercontent.com/in/179547?v=4 "Published by a pub.dev verified publisher"){kind=small}
Just a note that this might fit just as well in #quality since it's likely degrading performance.
Sounds good! I'll adjust into quality as I see Matt agreed with moving it here.
@m-natarajan Can you please add more details about what exact Onyx data is wrong and give specific examples?
B. hasParentAccess: true C. permissions: (4) ['read', 'write', 'share', 'own']
Why are these wrong or sent to the wrong accounts? What accounts should the data go to?
I can try to help with that :D
hasParentAccess: true should NOT be sent to rule approvers (in the expense report Onyx data) in this flow at that step b/c they haven't been invited to the submitter's workspace chat - we should not EVER be inviting rule approvers to the submitter workspace chat (unless they get added to the submitter's approval chain)
Idk which all accounts get hasParentAccess: true via onyx updates, i didn't test that deep - i just found out that that's being sent to ruleApprovers but shouldn't be
Similarly, permissions: (4) ['read', 'write', 'share', 'own'] isn't valid for those rule approvers b/c they aren't admins of the expense report, they don't even have the expense report "shared" with them at that point, the expense report gets shared with them when it's submitted / forwarded to them
@Beamanator since it sounds like you have some more context on this, would you be willing to work on it? Maybe I can trade you for something else :D
I’m super down :D feel free to take your pick! I’m OOO today, back Monday
On Fri, Dec 13, 2024 at 9:24 AM Tim Golen @.***> wrote:
@Beamanator https://github.com/Beamanator since it sounds like you have some more context on this, would you be willing to work on it? Maybe I can trade you for something else :D
— Reply to this email directly, view it on GitHub https://github.com/Expensify/App/issues/53737#issuecomment-2541806616, or unsubscribe https://github.com/notifications/unsubscribe-auth/AA5UTP6FTBWGNVCARU2L52T2FMC5JAVCNFSM6AAAAABTGUJI36VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNBRHAYDMNRRGY . You are receiving this because you were mentioned.Message ID: @.***>
Hmm In my opinion this isn't a "Critical" priority - the onyx data of the report gets sent to unsuspecting victims, but those people can't actually load the report in their device - it would show "Not here" 🤷
As an fyi, I am OOO until the new year. Please ask in slack if anything urgent BZ related comes up. Otherwise, I will continue assisting when I return!
@Beamanator @joekaufmanexpensify this issue was created 2 weeks ago. Are we close to a solution? Let's make sure we're treating this as a top priority. Don't hesitate to create a thread in #expensify-open-source to align faster in real time. Thanks!
Ok did a bit of investigation today 🤕
Found that it loooooks like we're inserting this onyx update into the database:
[QUEUE] type: 2, channelIDs: '2717375250706656'
[QUEUE UPDATES] [{"key":"transactions_1447186542243139874","onyxMethod":"merge","value":{"amount":-5000,"bank":"","billable":false,"cardID":0,"cardName":"Cash Expense","cardNumber":"","category":"","comment":{"comment":"Test Transaction"},"created":"2025-01-27 14:22:13","currency":"USD","filename":"","hasEReceipt":false,"inserted":"2025-01-27 14:22:13","managedCard":false,"mcc":"","merchant":"Expense","modifiedAmount":0,"modifiedCreated":"","modifiedCurrency":"","modifiedMCC":"","modifiedMerchant":"","originalAmount":0,"originalCurrency":"","parentTransactionID":"","posted":"","receipt":{},"reimbursable":true,"reportID":"2717375250706656","status":"Posted","tag":"","transactionID":"1447186542243139874"}},{"key":"report_2717375250706656","onyxMethod":"merge","value":{"avatarUrl":null,"chatReportID":"2754660733433125","chatType":"","currency":"USD","description":"","errorFields":{"export":null,"notFound":null},"fieldList":null,"hasOutstandingChildRequest":false,"hasOutstandingChildTask":false,"hasParentAccess":true,"invoiceReceiver":null,"iouReportID":null,"isCancelledIOU":false,"isDeletedParentAction":null,"isOwnPolicyExpenseChat":false,"isPinned":false,"isWaitingOnBankAccount":false,"lastActionType":"IOU","lastActorAccountID":"8","lastMentionedTime":null,"lastMessageHtml":"$50.00 expense for Test Transaction","lastMessageText":"$50.00 expense for Test Transaction","lastReadSequenceNumber":0,"lastReadTime":null,"lastVisibleActionCreated":"2025-01-27 14:22:13.230","lastVisibleActionLastModified":"2025-01-27 14:22:13.230","managerID":9,"nonReimbursableTotal":0,"oldPolicyName":"","ownerAccountID":8,"parentReportActionID":"6824567002406030840","parentReportID":"2754660733433125","participants":{"10":{"notificationPreference":"hidden"},"11":{"notificationPreference":"hidden"},"7":{"notificationPreference":"hidden"},"8":{"notificationPreference":"hidden"},"9":{"notificationPreference":"hidden"}},"permissions":[],"policyAvatar":null,"policyID":"878407C27D81A5C1","policyName":null,"private_isArchived":"","reportID":"2717375250706656","reportName":"Expense Report #2717375250706656","stateNum":0,"statusNum":0,"total":-5000,"tripData":null,"type":"expense","unheldNonReimbursableTotal":0,"unheldTotal":-5000,"visibility":null,"welcomeMessage":"","writeCapability":"all"}},{"key":"reportNameValuePairs_2717375250706656","onyxMethod":"merge","value":{"type":"expense"}}]
where type: 2 is "Report" and the channelID is the expense report created by the new money request.
That's all fine, but then it seems like somehow GetOnyxUpdatesForAsyncNotification is retrieving that from the DB and adding it to both the submitter AND the category approver