Skip to content

Fix people admin workspace access pages#95338

Merged
flodnv merged 4 commits into
Expensify:mainfrom
ShridharGoel:fix/people-admin-workspace-access
Jul 7, 2026
Merged

Fix people admin workspace access pages#95338
flodnv merged 4 commits into
Expensify:mainfrom
ShridharGoel:fix/people-admin-workspace-access

Conversation

@ShridharGoel

@ShridharGoel ShridharGoel commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Explanation of Change

This PR fixes two people admin access issues in workspace settings.

People admins can now open member custom field editors because the page uses the same MEMBERS write access check as the member details page.

It also avoids showing "Not here" on workflow approver picker pages while policy data is still loading. The pages now wait until policy data is loaded before blocking on missing WORKFLOWS_APPROVALS write access.

Fixed Issues

$ #95090
$ #95091

Tests

  1. Sign in as a people admin on a Control workspace.
  2. Go to Workspace settings > Members.
  3. Open a member profile.
  4. Click a custom field.
  5. Verify the custom field editor opens.
  6. Go to Workspace settings > Workflows.
  7. Click Add approval workflow.
  8. Select a member in the Expenses from step and click Next.
  9. Click the Approver field.
  10. Verify the approver list opens.
  • Verify that no errors appear in the JS console

Offline tests

N/A. These changes only update access checks for already-loaded workspace settings pages.

QA Steps

Same as tests.

  • Verify that no errors appear in the JS console

PR Author Checklist

  • I linked the correct issue in the ### Fixed Issues section above
  • I wrote clear testing steps that cover the changes made in this PR
    • I added steps for local testing in the Tests section
    • I added steps for the expected offline behavior in the Offline steps section
    • I added steps for Staging and/or Production testing in the QA steps section
    • I added steps to cover failure scenarios (i.e. verify an input displays the correct error message if the entered data is not correct)
    • I turned off my network connection and tested it while offline to ensure it matches the expected behavior (i.e. verify the default avatar icon is displayed if app is offline)
    • I tested this PR with a High Traffic account against the staging or production API to ensure there are no regressions (e.g. long loading states that impact usability).
  • I included screenshots or videos for tests on all platforms
  • I ran the tests on all platforms & verified they passed on:
    • Android: Native
    • Android: mWeb Chrome
    • iOS: Native
    • iOS: mWeb Safari
    • MacOS: Chrome / Safari
  • I verified there are no console errors (if there's a console error not related to the PR, report it or open an issue for it to be fixed)
  • I followed proper code patterns (see Reviewing the code)
    • I verified that any callback methods that were added or modified are named for what the method does and never what callback they handle (i.e. toggleReport and not onIconClick)
    • I verified that comments were added to code that is not self explanatory
    • I verified that any new or modified comments were clear, correct English, and explained "why" the code was doing something instead of only explaining "what" the code was doing.
    • I verified any copy / text that was added to the app is grammatically correct in English. It adheres to proper capitalization guidelines (note: only the first word of header/labels should be capitalized), and is either coming verbatim from figma or has been approved by marketing (in order to get marketing approval, ask the Bug Zero team member to add the Waiting for copy label to the issue)
  • If a new code pattern is added I verified it was agreed to be used by multiple Expensify engineers
  • I followed the guidelines as stated in the Review Guidelines
  • I tested other components that can be impacted by my changes (i.e. if the PR modifies a shared library or component like Avatar, I verified the components using Avatar are working as expected)
  • If any new file was added I verified that:
    • The file has a description of what it does and/or why is needed at the top of the file if the code is not self explanatory
  • If a new CSS style is added I verified that:
    • A similar style doesn't already exist
    • The style can't be created with an existing StyleUtils function (i.e. StyleUtils.getBackgroundAndBorderStyle(theme.componentBG))
  • If new assets were added or existing ones were modified, I verified that:
    • The assets are optimized and compressed (for SVG files, run npm run compress-svg)
    • The assets load correctly across all supported platforms.
  • If the PR modifies code that runs when editing or sending messages, I tested and verified there is no unexpected behavior for all supported markdown - URLs, single line code, code blocks, quotes, headings, bold, strikethrough, and italic.
  • If the PR modifies a generic component, I tested and verified that those changes do not break usages of that component in the rest of the App (i.e. if a shared library or component like Avatar is modified, I verified that Avatar is working as expected in all cases)
  • If the PR modifies a component related to any of the existing Storybook stories, I tested and verified all stories for that component are still working as expected.
  • If the PR modifies a component or page that can be accessed by a direct deeplink, I verified that the code functions as expected when the deeplink is used - from a logged in and logged out account.
  • If the PR modifies the UI (e.g. new buttons, new UI components, changing the padding/spacing/sizing, moving components, etc) or modifies the form input styles:
    • I verified that all the inputs inside a form are aligned with each other.
    • I added Design label and/or tagged @Expensify/design so the design team can review the changes.
  • I added unit tests for any new feature or bug fix in this PR to help automatically prevent regressions in this user flow.
  • If the main branch was merged into this PR after a review, I tested again and verified the outcome was still expected according to the Test steps.

Screenshots/Videos

Android: Native
Android: mWeb Chrome
iOS: Native
iOS: mWeb Safari
MacOS: Chrome / Safari

@ShridharGoel ShridharGoel marked this pull request as ready for review July 5, 2026 14:56
@ShridharGoel ShridharGoel requested review from a team as code owners July 5, 2026 14:56
@melvin-bot melvin-bot Bot requested review from JmillsExpensify and Pujan92 and removed request for a team July 5, 2026 14:56
@melvin-bot

melvin-bot Bot commented Jul 5, 2026

Copy link
Copy Markdown

@Pujan92 Please copy/paste the Reviewer Checklist from here into a new comment on this PR and complete it. If you have the K2 extension, you can simply click: [this button]

@melvin-bot melvin-bot Bot removed the request for review from a team July 5, 2026 14:56
@codecov

codecov Bot commented Jul 5, 2026

Copy link
Copy Markdown

Codecov Report

✅ Changes either increased or maintained existing code coverage, great job!

Files with missing lines Coverage Δ
...s/workspace/WorkspaceInviteMessageApproverPage.tsx 90.47% <100.00%> (+0.47%) ⬆️
...rkspace/members/WorkspaceMemberCustomFieldPage.tsx 0.00% <ø> (ø)
...rovals/WorkspaceWorkflowsApprovalsApproverPage.tsx 0.00% <0.00%> (ø)
...rkspaceWorkflowsApprovalsOverLimitApproverPage.tsx 0.00% <0.00%> (ø)
... and 53 files with indirect coverage changes

@Pujan92

Pujan92 commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Reviewer Checklist

  • I have verified the author checklist is complete (all boxes are checked off).
  • I verified the correct issue is linked in the ### Fixed Issues section above
  • I verified testing steps are clear and they cover the changes made in this PR
    • I verified the steps for local testing are in the Tests section
    • I verified the steps for Staging and/or Production testing are in the QA steps section
    • I verified the steps cover any possible failure scenarios (i.e. verify an input displays the correct error message if the entered data is not correct)
    • I turned off my network connection and tested it while offline to ensure it matches the expected behavior (i.e. verify the default avatar icon is displayed if app is offline)
  • I checked that screenshots or videos are included for tests on all platforms
  • I included screenshots or videos for tests on all platforms
  • I verified that the composer does not automatically focus or open the keyboard on mobile unless explicitly intended. This includes checking that returning the app from the background does not unexpectedly open the keyboard.
  • I verified tests pass on all platforms & I tested again on:
    • Android: HybridApp
    • Android: mWeb Chrome
    • iOS: HybridApp
    • iOS: mWeb Safari
    • MacOS: Chrome / Safari
  • If there are any errors in the console that are unrelated to this PR, I either fixed them (preferred) or linked to where I reported them in Slack
  • I verified proper code patterns were followed (see Reviewing the code)
    • I verified that any callback methods that were added or modified are named for what the method does and never what callback they handle (i.e. toggleReport and not onIconClick).
    • I verified that comments were added to code that is not self explanatory
    • I verified that any new or modified comments were clear, correct English, and explained "why" the code was doing something instead of only explaining "what" the code was doing.
    • I verified any copy / text that was added to the app is grammatically correct in English. It adheres to proper capitalization guidelines (note: only the first word of header/labels should be capitalized), and is either coming verbatim from figma or has been approved by marketing (in order to get marketing approval, ask the Bug Zero team member to add the Waiting for copy label to the issue)
  • If a new code pattern is added I verified it was agreed to be used by multiple Expensify engineers
  • I verified that this PR follows the guidelines as stated in the Review Guidelines
  • I verified other components that can be impacted by these changes have been tested, and I retested again (i.e. if the PR modifies a shared library or component like Avatar, I verified the components using Avatar have been tested & I retested again)
  • If a new component is created I verified that:
    • A similar component doesn't exist in the codebase
    • All props are defined accurately and each prop has a /** comment above it */
    • The file is named correctly
    • The component has a clear name that is non-ambiguous and the purpose of the component can be inferred from the name alone
    • The only data being stored in the state is data necessary for rendering and nothing else
    • For Class Components, any internal methods passed to components event handlers are bound to this properly so there are no scoping issues (i.e. for onClick={this.submit} the method this.submit should be bound to this in the constructor)
    • Any internal methods bound to this are necessary to be bound (i.e. avoid this.submit = this.submit.bind(this); if this.submit is never passed to a component event handler like onClick)
    • All JSX used for rendering exists in the render method
    • The component has the minimum amount of code necessary for its purpose, and it is broken down into smaller components in order to separate concerns and functions
  • If any new file was added I verified that:
    • The file has a description of what it does and/or why is needed at the top of the file if the code is not self explanatory
  • If a new CSS style is added I verified that:
    • A similar style doesn't already exist
    • The style can't be created with an existing StyleUtils function (i.e. StyleUtils.getBackgroundAndBorderStyle(theme.componentBG)
  • If the PR modifies code that runs when editing or sending messages, I tested and verified there is no unexpected behavior for all supported markdown - URLs, single line code, code blocks, quotes, headings, bold, strikethrough, and italic.
  • If the PR modifies a generic component, I tested and verified that those changes do not break usages of that component in the rest of the App (i.e. if a shared library or component like Avatar is modified, I verified that Avatar is working as expected in all cases)
  • If the PR modifies a component related to any of the existing Storybook stories, I tested and verified all stories for that component are still working as expected.
  • If the PR modifies a component or page that can be accessed by a direct deeplink, I verified that the code functions as expected when the deeplink is used - from a logged in and logged out account.
  • If the PR modifies the UI (e.g. new buttons, new UI components, changing the padding/spacing/sizing, moving components, etc) or modifies the form input styles:
    • I verified that all the inputs inside a form are aligned with each other.
    • I added Design label and/or tagged @Expensify/design so the design team can review the changes.
  • For any bug fix or new feature in this PR, I verified that sufficient unit tests are included to prevent regressions in this flow.
  • If the main branch was merged into this PR after a review, I tested again and verified the outcome was still expected according to the Test steps.
  • I have checked off every checkbox in the PR reviewer checklist, including those that don't apply to this PR.

Screenshots/Videos

Android: HybridApp
Android: mWeb Chrome
iOS: HybridApp
iOS: mWeb Safari
MacOS: Chrome / Safari
Screen.Recording.2026-07-06.at.19.14.44.mov
Screen.Recording.2026-07-06.at.11.27.28.mov

@ShridharGoel ShridharGoel requested a review from Pujan92 July 6, 2026 07:34
@Pujan92

Pujan92 commented Jul 6, 2026

Copy link
Copy Markdown
Contributor
Screenshot 2026-07-06 at 13 49 59

It is still showing notFound page for invite message approver page, we need to pass shouldShowNotFoundView={false} here.

<ApproverSelectionList
testID="WorkspaceInviteMessageApproverPage"
headerTitle={translate('workflowsPage.approver')}
policy={policy}

@Pujan92 Pujan92 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@melvin-bot melvin-bot Bot requested a review from flodnv July 6, 2026 13:46

@JmillsExpensify JmillsExpensify left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@flodnv flodnv left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@flodnv flodnv merged commit f1182da into Expensify:main Jul 7, 2026
36 checks passed
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🚧 flodnv has triggered a test Expensify/App build. You can view the workflow run here.

@OSBotify

OSBotify commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

✋ This PR was not deployed to staging yet because QA is ongoing. It will be automatically deployed to staging after the next production release.

@OSBotify

OSBotify commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🚀 Deployed to staging by https://github.com/flodnv in version: 9.4.29-0 🚀

platform result
🕸 web 🕸 success ✅
🤖 android 🤖 success ✅
🍎 iOS 🍎 success ✅

@MelvinBot

Copy link
Copy Markdown
Contributor

🤖 Help site review: no changes required

I reviewed the changes in this PR against the help-site articles under App/docs/articles, and no documentation updates are needed.

Why: This PR is a pure access-control bug fix. It corrects the internal write-access checks so that:

  • People admins can open member custom field editors (the page now uses the same MEMBERS write-access check as the member details page).
  • Workflow approver picker pages no longer show "Not here" while policy data is still loading.

These changes restore the intended behavior of pages that already exist — they don't add, remove, or rename any user-facing feature, tab, setting, or button. The help-site articles that touch these areas (member custom fields, approval workflows) already describe the correct working behavior that this fix delivers, so they remain accurate as written. There is no "people admin" access matrix documented on the help site that would need revising, and no UI copy changed.

Since no help-site content becomes inaccurate as a result of this PR, I have not created a draft docs PR.

@ShridharGoel, please review the linked help site PR and confirm it reflects the current behavior. Then mark the linked help site PR Ready for review

(Note: no help site PR was created because no documentation changes are required for this access-control fix. If you believe a specific article should be updated, let me know which behavior it should describe and I'll draft the change.)

@IuliiaHerets

Copy link
Copy Markdown

QA team has a different behavior now. As a people admin, we get the Not here page when opening the workspace

Recording.1063.mp4

@flodnv

flodnv commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

😕 @ShridharGoel can you check what's up with that?

@IuliiaHerets

Copy link
Copy Markdown

@flodnv @ShridharGoel Sorry, my mistake. I commented on the wrong PR.

This PR has already been tested and passed by the QA team.

@OSBotify

OSBotify commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🚀 Deployed to staging by https://github.com/flodnv in version: 9.4.31-0 🚀

platform result
🕸 web 🕸 success ✅
🤖 android 🤖 success ✅
🍎 iOS 🍎 success ✅

@MelvinBot

Copy link
Copy Markdown
Contributor

🤖 Help site review: no docs changes required.

I reviewed the changes in this PR against the help site articles under App/docs/articles and did not create a docs PR. Here's why:

  • This PR is an internal access-control bug fix. It restores intended behavior for people admins on two already-documented areas:
    1. People admins can open member custom field editors (WorkspaceMemberCustomFieldPage now uses the same MEMBERS write-access check as the member details page).
    2. Workflow approver picker pages no longer flash "Not here" while policy data is still loading (the WORKFLOWS_APPROVALS write check was removed / deferred).
  • These are corrections to permission gating and loading states — they do not introduce or change any user-facing feature, setting label, tab, or documented workflow.
  • The help site documents workspace roles and capabilities at a high level (e.g. Managing-Workspace-Members, Add-Approvals, Workspace-Workflows), where an Admin is already described as able to "manage members, roles, workflows, and settings." The granular "people admin" scope and the specific pages this PR fixes are not documented, so there is no article whose content becomes inaccurate or incomplete as a result of this change.

Since the PR only makes the product match what the docs already imply admins can do, no help site update is needed.

ShridharGoel — if you believe any of these access flows are described in a help article that I should update (or if "people admin" behavior should be documented separately), let me know and I'll draft the changes.

@OSBotify

OSBotify commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🚀 Deployed to production by https://github.com/grgia in version: 9.4.31-0 🚀

platform result
🕸 web 🕸 success ✅
🤖 android 🤖 success ✅
🍎 iOS 🍎 success ✅

Bundle Size Analysis (Sentry):

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants