[$250] Copilot with limited access level can reject expenses, which contradicts the statement

[jponikarchuk]

If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!

---

Version Number: 9.2.58-2
Reproducible in staging?: Yes
Reproducible in production?: Yes
If this was caught during regression testing, add the test name, ID and link from BrowserStack: Exp https://test-management.browserstack.com/projects/2219752/test-runs/TR-1965/41236699/1013855572?q=copilot&issue_type=jira
Email or phone of affected tester (no customers): applausetester+141104kh@applause.expensifail.com
Issue reported by: Applause Internal Team
Device used: Mac 15.5 / Chrome
App Component: Money Requests

Action Performed:

1. Go to staging.new.expensify.com
2. Go to Account > Security.
3. Click Add copilot.
4. Select User B.
5. Select Limited access level.
   → On confirm page, it states "Allow another member to take most actions in your paccount, on your behalf. Excludes approvals, payments, rejections, and holds."
6. Click Add copilot and enter magic code.
7. Go to workspace chat.
8. Create an expense and click Submit.
9. As User B (copilot), open account switcher and switch to User A.
10. [Copilot] Go to workspace chat and open the expense report.
11. [Copilot] Click More > Hold.
    → Hold action is denied in accordance with "Allow another member to take most actions in your paccount, on your behalf. Excludes approvals, payments, rejections, and holds." - Expected.
12. [Copilot] Click More > Reject.
13. [Copilot] Enter reason and click Reject expense.

Expected Result:

Copilot with limited access level should be blocked from rejecting expense because it states "Allow another member to take most actions in your paccount, on your behalf. Excludes approvals, payments, rejections, and holds."

Actual Result:

Copilot with limited access level can reject expense despite the Limited access level statement "Allow another member to take most actions in your paccount, on your behalf. Excludes approvals, payments, rejections, and holds."

Workaround:

Unknown

Platforms:

• Android: App
• Android: mWeb Chrome
• iOS: App
• iOS: mWeb Safari
• iOS: mWeb Chrome
• Windows: Chrome
• MacOS: Chrome / Safari
• MacOS: Desktop

Screenshots/Videos

1.mp4

View all open jobs on GitHub

Upwork Automation - Do Not Edit

• Upwork Job URL: https://www.upwork.com/jobs/~021989470519323088195
• Upwork Job ID: 1989470519323088195
• Last Price Increase: 2025-11-21

Issue Owner

Current Issue Owner: @marcaaron

[melvin-bot]

Triggered auto assignment to @lydiabarclay (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details. Please add this bug to a GH project, as outlined in the SO.

[Eskalifer1]

Proposal

Please re-state the problem that we are trying to solve in this issue.

Copilot with limited access level can reject expenses, which contradicts the statement

What is the root cause of that problem?

We are missing here check:

App/src/components/MoneyReportHeader.tsx

Lines 1204 to 1212 in 41e4e50

	onSelected: () => {
	if (dismissedRejectUseExplanation) {
	if (requestParentReportAction) {
	rejectMoneyRequestReason(requestParentReportAction);
	}
	} else {
	setRejectModalAction(CONST.REPORT.TRANSACTION_SECONDARY_ACTIONS.REJECT);
	}
	},

What changes do you think we should make in order to solve the problem?

We should add check for copilot:

                if (isDelegateAccessRestricted) {
                    showDelegateNoAccessModal();
                    return;
                }

1. App/src/components/MoneyRequestHeader.tsx

   Lines 383 to 397 in 75971bc

   	[CONST.REPORT.TRANSACTION_SECONDARY_ACTIONS.REJECT]: {
   	text: translate('common.reject'),
   	icon: expensifyIcons.ThumbsDown,
   	value: CONST.REPORT.TRANSACTION_SECONDARY_ACTIONS.REJECT,
   	onSelected: () => {
   	if (dismissedRejectUseExplanation) {
   	if (parentReportAction) {
   	rejectMoneyRequestReason(parentReportAction);
   	}
   	} else {
   	setRejectModalAction(CONST.REPORT.TRANSACTION_SECONDARY_ACTIONS.REJECT);
   	}
   	},
   	},
   	};

2. App/src/components/MoneyReportHeader.tsx

   Lines 613 to 619 in 75971bc

   	const dismissModalAndUpdateUseHold = () => {
   	setIsHoldEducationalModalVisible(false);
   	setNameValuePair(ONYXKEYS.NVP_DISMISSED_HOLD_USE_EXPLANATION, true, false, !network?.shouldFailAllRequests);
   	if (requestParentReportAction) {
   	changeMoneyRequestHoldStatus(requestParentReportAction);
   	}
   	};

3. App/src/components/MoneyReportHeader.tsx

   Lines 621 to 634 in 75971bc

   	const dismissRejectModalBasedOnAction = () => {
   	if (rejectModalAction === CONST.REPORT.TRANSACTION_SECONDARY_ACTIONS.HOLD) {
   	dismissRejectUseExplanation();
   	if (requestParentReportAction) {
   	changeMoneyRequestHoldStatus(requestParentReportAction);
   	}
   	} else {
   	dismissRejectUseExplanation();
   	if (requestParentReportAction) {
   	rejectMoneyRequestReason(requestParentReportAction);
   	}
   	}
   	setRejectModalAction(null);
   	};

4. App/src/components/MoneyReportHeader.tsx

   Lines 1232 to 1240 in 75971bc

   	onSelected: () => {
   	if (dismissedRejectUseExplanation) {
   	if (requestParentReportAction) {
   	rejectMoneyRequestReason(requestParentReportAction);
   	}
   	} else {
   	setRejectModalAction(CONST.REPORT.TRANSACTION_SECONDARY_ACTIONS.REJECT);
   	}
   	},

5. App/src/components/MoneyRequestHeader.tsx

   Lines 285 to 291 in 75971bc

   	const dismissModalAndUpdateUseHold = () => {
   	setIsHoldEducationalModalVisible(false);
   	setNameValuePair(ONYXKEYS.NVP_DISMISSED_HOLD_USE_EXPLANATION, true, false, !network?.shouldFailAllRequests);
   	if (parentReportAction) {
   	changeMoneyRequestHoldStatus(parentReportAction);
   	}
   	};

6. App/src/components/MoneyRequestHeader.tsx

   Lines 293 to 306 in 75971bc

   	const dismissRejectModalBasedOnAction = () => {
   	if (rejectModalAction === CONST.REPORT.TRANSACTION_SECONDARY_ACTIONS.HOLD) {
   	dismissRejectUseExplanation();
   	if (parentReportAction) {
   	changeMoneyRequestHoldStatus(parentReportAction);
   	}
   	} else {
   	dismissRejectUseExplanation();
   	if (parentReportAction) {
   	rejectMoneyRequestReason(parentReportAction);
   	}
   	}
   	setRejectModalAction(null);
   	};

7. App/src/pages/iou/RejectReasonPage.tsx

   Lines 26 to 33 in 75971bc

   	const onSubmit = (values: FormOnyxValues<typeof ONYXKEYS.FORMS.MONEY_REQUEST_REJECT_FORM>) => {
   	const urlToNavigateBack = rejectMoneyRequest(transactionID, reportID, values.comment);
   	removeTransaction(transactionID);
   	Navigation.dismissModal();
   	if (urlToNavigateBack) {
   	Navigation.isNavigationReady().then(() => Navigation.goBack(urlToNavigateBack));
   	}
   	};

8. App/src/pages/iou/HoldReasonPage.tsx

   Lines 37 to 47 in 75971bc

   	const onSubmit = (values: FormOnyxValues<typeof ONYXKEYS.FORMS.MONEY_REQUEST_HOLD_FORM>) => {
   	// We have extra isWorkspaceRequest condition since, for 1:1 requests, canEditMoneyRequest will rightly return false
   	// as we do not allow requestee to edit fields like description and amount.
   	// But, we still want the requestee to be able to put the request on hold
   	if (isMoneyRequestAction(parentReportAction) && !canEditMoneyRequest(parentReportAction) && isWorkspaceRequest) {
   	return;
   	}
   	putOnHold(transactionID, values.comment, reportID);
   	Navigation.goBack(backTo);
   	};

9. App/src/pages/home/report/ContextMenu/ContextMenuActions.tsx

   Lines 429 to 437 in 75971bc

   	onPress: (closePopover, {moneyRequestAction}) => {
   	if (closePopover) {
   	hideContextMenu(false, () => changeMoneyRequestHoldStatus(moneyRequestAction));
   	return;
   	}
   	// No popover to hide, call changeMoneyRequestHoldStatus immediately
   	changeMoneyRequestHoldStatus(moneyRequestAction);
   	},

In case we want to have this logic in remove hold actions:
10.

App/src/components/MoneyReportHeader.tsx

Lines 849 to 864 in 75971bc

	onPress={() => {
	const parentReportAction = getReportAction(moneyRequestReport?.parentReportID, moneyRequestReport?.parentReportActionID);
	const IOUActions = getAllExpensesToHoldIfApplicable(moneyRequestReport, reportActions, transactions, policy);
	if (IOUActions.length) {
	IOUActions.forEach(changeMoneyRequestHoldStatus);
	return;
	}
	const moneyRequestAction = transactionThreadReportID ? requestParentReportAction : parentReportAction;
	if (!moneyRequestAction) {
	return;
	}
	changeMoneyRequestHoldStatus(moneyRequestAction);

11.

App/src/components/MoneyReportHeader.tsx

Lines 1084 to 1090 in 75971bc

	onSelected: () => {
	if (!requestParentReportAction) {
	throw new Error('Parent action does not exist');
	}
	changeMoneyRequestHoldStatus(requestParentReportAction);
	},

12.

App/src/components/MoneyRequestHeader.tsx

Lines 220 to 222 in 75971bc

	onPress={() => {
	changeMoneyRequestHoldStatus(parentReportAction);
	}}

13.

App/src/components/MoneyRequestHeader.tsx

Lines 338 to 344 in 75971bc

	onSelected: () => {
	if (!parentReportAction) {
	throw new Error('Parent action does not exist');
	}
	changeMoneyRequestHoldStatus(parentReportAction);
	},

14.

App/src/pages/home/report/ContextMenu/ContextMenuActions.tsx

Lines 407 to 415 in 75971bc

	onPress: (closePopover, {moneyRequestAction}) => {
	if (closePopover) {
	hideContextMenu(false, () => changeMoneyRequestHoldStatus(moneyRequestAction));
	return;
	}
	// No popover to hide, call changeMoneyRequestHoldStatus immediately
	changeMoneyRequestHoldStatus(moneyRequestAction);
	},

Search page:
15.

App/src/pages/Search/SearchPage.tsx

Lines 506 to 513 in 75971bc

	onSelected: () => {
	if (isOffline) {
	setIsOfflineModalVisible(true);
	return;
	}
	Navigation.navigate(ROUTES.TRANSACTION_HOLD_REASON_RHP);
	},

In case of remove hold:
16.

App/src/pages/Search/SearchPage.tsx

Lines 525 to 536 in 75971bc

	onSelected: () => {
	if (isOffline) {
	setIsOfflineModalVisible(true);
	return;
	}
	unholdMoneyRequestOnSearch(hash, selectedTransactionsKeys);
	// eslint-disable-next-line @typescript-eslint/no-deprecated
	InteractionManager.runAfterInteractions(() => {
	clearSelectedTransactions();
	});
	},

17. App/src/pages/Search/SearchHoldReasonPage.tsx

    Lines 29 to 42 in 75971bc

    	const onSubmit = useCallback(
    	({comment}: FormOnyxValues<typeof ONYXKEYS.FORMS.MONEY_REQUEST_HOLD_FORM>) => {
    	if (route.name === SCREENS.SEARCH.MONEY_REQUEST_REPORT_HOLD_TRANSACTIONS) {
    	putTransactionsOnHold(context.selectedTransactionIDs, comment, reportID);
    	context.clearSelectedTransactions(true);
    	} else {
    	holdMoneyRequestOnSearch(context.currentSearchHash, Object.keys(context.selectedTransactions), comment, allTransactions, allReportActions);
    	context.clearSelectedTransactions();
    	}
    	Navigation.goBack();
    	},
    	[route.name, context, reportID, allTransactions, allReportActions],
    	);

18. App/src/pages/Search/SearchPage.tsx

    Lines 416 to 444 in 75971bc

    	onSelected: () => {
    	if (isOffline) {
    	setIsOfflineModalVisible(true);
    	return;
    	}
    	// Check if any of the selected items have DEW enabled
    	const selectedPolicyIDList = selectedReports.length
    	? selectedReports.map((report) => report.policyID)
    	: Object.values(selectedTransactions).map((transaction) => transaction.policyID);
    	const hasDEWPolicy = selectedPolicyIDList.some((policyID) => {
    	const policy = policies?.[`${ONYXKEYS.COLLECTION.POLICY}${policyID}`];
    	return hasDynamicExternalWorkflow(policy);
    	});
    	if (hasDEWPolicy) {
    	setIsDEWModalVisible(true);
    	return;
    	}
    	const reportIDList = !selectedReports.length
    	? Object.values(selectedTransactions).map((transaction) => transaction.reportID)
    	: (selectedReports?.filter((report) => !!report).map((report) => report.reportID) ?? []);
    	approveMoneyRequestOnSearch(hash, reportIDList);
    	// eslint-disable-next-line @typescript-eslint/no-deprecated
    	InteractionManager.runAfterInteractions(() => {
    	clearSelectedTransactions();
    	});
    	},

19. we might also want to add this logic here:
    

    App/src/pages/Search/SearchPage.tsx

    Line 207 in 75971bc

    const onBulkPaySelected = useCallback(

20. App/src/hooks/useSelectedTransactionsActions.ts

    Lines 188 to 193 in 75971bc

    	onSelected: () => {
    	if (!report?.reportID) {
    	return;
    	}
    	Navigation.navigate(ROUTES.SEARCH_MONEY_REQUEST_REPORT_HOLD_TRANSACTIONS.getRoute({reportID: report.reportID}));
    	},

21. App/src/hooks/useSelectedTransactionsActions.ts

    Lines 202 to 211 in 75971bc

    	onSelected: () => {
    	for (const transactionID of selectedTransactionIDs) {
    	const action = getIOUActionForTransactionID(reportActions, transactionID);
    	if (!action?.childReportID) {
    	continue;
    	}
    	unholdRequest(transactionID, action?.childReportID);
    	}
    	clearSelectedTransactions(true);
    	},

What alternative solutions did you explore? (Optional)

Reminder: Please use plain English, be brief and avoid jargon. Feel free to use images, charts or pseudo-code if necessary. Do not post large multi-line diffs or write walls of text. Do not create PRs unless you have been hired for this job.

[daledah]

Proposal

Please re-state the problem that we are trying to solve in this issue.

Copilot with limited access level can reject expense despite the Limited access level statement "Allow another member to take most actions in your paccount, on your behalf. Excludes approvals, payments, rejections, and holds."

What is the root cause of that problem?

We are missing to check for the copilot when the user clicks reject button

App/src/components/MoneyReportHeader.tsx

Lines 1207 to 1213 in cecf68a

	if (dismissedRejectUseExplanation) {
	if (requestParentReportAction) {
	rejectMoneyRequestReason(requestParentReportAction);
	}
	} else {
	setRejectModalAction(CONST.REPORT.TRANSACTION_SECONDARY_ACTIONS.REJECT);
	}

App/src/components/MoneyRequestHeader.tsx

Lines 372 to 381 in cecf68a

	onSelected: () => {
	if (dismissedRejectUseExplanation) {
	if (parentReportAction) {
	rejectMoneyRequestReason(parentReportAction);
	}
	} else {
	setRejectModalAction(CONST.REPORT.TRANSACTION_SECONDARY_ACTIONS.REJECT);
	}
	},
	},

What changes do you think we should make in order to solve the problem?

We should add the check for the copilot to show the delegate no access modal in both MoneyReportHeader and MoneyRequestHeader to avoid the regressions

      if (isDelegateAccessRestricted) {
          showDelegateNoAccessModal();
          return;
      }

App/src/components/MoneyRequestHeader.tsx

Lines 293 to 306 in 63e1eed

	const dismissRejectModalBasedOnAction = () => {
	if (rejectModalAction === CONST.REPORT.TRANSACTION_SECONDARY_ACTIONS.HOLD) {
	dismissRejectUseExplanation();
	if (parentReportAction) {
	changeMoneyRequestHoldStatus(parentReportAction);
	}
	} else {
	dismissRejectUseExplanation();
	if (parentReportAction) {
	rejectMoneyRequestReason(parentReportAction);
	}
	}
	setRejectModalAction(null);
	};

App/src/components/MoneyRequestHeader.tsx

Lines 388 to 391 in 63e1eed

	if (dismissedRejectUseExplanation) {
	if (parentReportAction) {
	rejectMoneyRequestReason(parentReportAction);
	}

App/src/components/MoneyRequestHeader.tsx

Lines 220 to 222 in 63e1eed

	onPress={() => {
	changeMoneyRequestHoldStatus(parentReportAction);
	}}

App/src/components/MoneyRequestHeader.tsx

Lines 288 to 290 in 63e1eed

	if (parentReportAction) {
	changeMoneyRequestHoldStatus(parentReportAction);
	}

App/src/components/MoneyRequestHeader.tsx

Lines 339 to 343 in 63e1eed

	if (!parentReportAction) {
	throw new Error('Parent action does not exist');
	}
	changeMoneyRequestHoldStatus(parentReportAction);

App/src/components/MoneyReportHeader.tsx

Lines 620 to 631 in 63e1eed

	const dismissRejectModalBasedOnAction = () => {
	if (rejectModalAction === CONST.REPORT.TRANSACTION_SECONDARY_ACTIONS.HOLD) {
	dismissRejectUseExplanation();
	if (requestParentReportAction) {
	changeMoneyRequestHoldStatus(requestParentReportAction);
	}
	} else {
	dismissRejectUseExplanation();
	if (requestParentReportAction) {
	rejectMoneyRequestReason(requestParentReportAction);
	}
	}

App/src/components/MoneyReportHeader.tsx

Lines 1232 to 1235 in 63e1eed

	if (dismissedRejectUseExplanation) {
	if (requestParentReportAction) {
	rejectMoneyRequestReason(requestParentReportAction);
	}

App/src/components/MoneyReportHeader.tsx

Lines 615 to 617 in 63e1eed

	if (requestParentReportAction) {
	changeMoneyRequestHoldStatus(requestParentReportAction);
	}

App/src/components/MoneyReportHeader.tsx

Lines 853 to 855 in 63e1eed

	if (IOUActions.length) {
	IOUActions.forEach(changeMoneyRequestHoldStatus);
	return;

App/src/components/MoneyReportHeader.tsx

Lines 1084 to 1088 in 63e1eed

	if (!requestParentReportAction) {
	throw new Error('Parent action does not exist');
	}
	changeMoneyRequestHoldStatus(requestParentReportAction);

What alternative solutions did you explore? (Optional)

Reminder: Please use plain English, be brief and avoid jargon. Feel free to use images, charts or pseudo-code if necessary. Do not post large multi-line diffs or write walls of text. Do not create PRs unless you have been hired for this job.

[melvin-bot]

Job added to Upwork: https://www.upwork.com/jobs/~021989470519323088195

[melvin-bot]

Triggered auto assignment to Contributor-plus team member for initial proposal review - @aimane-chnaif (External)

[aimane-chnaif]

PS: we can add this check for other actions if needed

@Eskalifer1 if you want your proposal to be approved, can you please find out all instances where copilot can access hold/reject (or any other limited actions) throughout the app?
Please check all cases - one transaction report, multiple transactions report, etc.

(Note: @daledah's proposal is not complete, still missing cases)