Skip to content

AcceptSpotnanaTerms sends wrong parameter name, causing permission denied for non-owner domains #84473

New issue
New issue
Open
Open
AcceptSpotnanaTerms sends wrong parameter name, causing permission denied for non-owner domains#84473
Labels
ReviewingHas a PR in reviewWeeklyKSv2
@blimpich

Description

@blimpich
blimpich
opened on Mar 7, 2026

Problem

Coming from here. When a domain admin on a non-owner domain (e.g. cardtest.expensify.com) tries to enable Expensify Travel, they receive:

"You don't have permission to enable Expensify Travel for this domain"

Root Cause

The App client sends the domain as parameter domain in the AcceptSpotnanaTerms API call, but api.php reads domainName. This causes the domain to be empty when passed to Auth, which then falls back to the policy owner's email domain (e.g. expensify.com), failing the membership check.

Fix

Rename the domain parameter to domainName in:

  • AcceptSpotnanaTermsParams.ts
  • Travel.ts

so it matches what the backend expects.

Metadata

Metadata

Assignees

No one assigned

    Labels

    ReviewingHas a PR in reviewWeeklyKSv2

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions