Part of #76750
Problem:
Currently, when attempting to move a domain member into a group that has a Preferred Policy, the backend validates whether the acting user is a Policy Admin of that policy. If not, the API returns the following error:
Cannot move member to the Domain Group. You must be a Policy Admin for the Preferred Policy set on the Domain Group you are trying to move this user to.
This validation is only performed server-side. To improve UX and avoid unnecessary API calls, we need to implement equivalent validation on the frontend using existing Onyx data.
Discussion: https://expensify.slack.com/archives/C0A1VKRKEE9/p1777070335149149?thread_ts=1776188523.070079&cid=C0A1VKRKEE9
Reproduction steps:
- Set up a domain with two domain admins: accountA and accountB.
- From accountA, create a policy where accountA is the only Policy Admin.
- In OldDot -> Domain -> Groups, create a new group and set its Preferred Policy to the policy from step 2. Ensure accountB is not a Policy Admin of that policy.
- As accountA, invite a new domain member and assign them to the new group - confirm this succeeds and the new domain member is invited to the policy.
- Log in as accountB.
- As accountB, go to Domain -> Domain Members and try moving an existing member into the new group - an error occurs:
Cannot move member to the Domain Group. You must be a Policy Admin for the Preferred Policy set on the Domain Group you are trying to move this user to.
Current Behavior:
- Validation is performed only on the backend.
- The frontend allows the action, then surfaces the error returned by the API.
Expected Behavior:
- The frontend should validate this condition before making the API call.
- If the user is not a Policy Admin of the group's Preferred Policy, the action should be blocked immediately and the same error message displayed.
Solution:
High-level proposal for frontend validation:
- Get the destination group data from Onyx.
- Check if a Preferred Policy is configured for the group.
- If no Preferred Policy is set -> allow the operation.
- If a Preferred Policy exists:
- Get its policyID from the Group data from Onyx.
- Check whether the current user is a Policy Admin for that policy. we can determine this from Onyx.
- If the user is a Policy Admin -> allow the operation.
- Otherwise -> block the action and display the validation error.
This is a follow-up to PR #81973
cc @jmusial @war-in @mountiny @ZhenjaHorbach
Issue Owner
Current Issue Owner: @ZhenjaHorbach
Part of #76750
Problem:
Currently, when attempting to move a domain member into a group that has a Preferred Policy, the backend validates whether the acting user is a Policy Admin of that policy. If not, the API returns the following error:
This validation is only performed server-side. To improve UX and avoid unnecessary API calls, we need to implement equivalent validation on the frontend using existing Onyx data.
Discussion: https://expensify.slack.com/archives/C0A1VKRKEE9/p1777070335149149?thread_ts=1776188523.070079&cid=C0A1VKRKEE9
Reproduction steps:
Current Behavior:
Expected Behavior:
Solution:
High-level proposal for frontend validation:
This is a follow-up to PR #81973
cc @jmusial @war-in @mountiny @ZhenjaHorbach
Issue Owner
Current Issue Owner: @ZhenjaHorbach