[Due for payment 2026-04-14] Reports - Approver can be bypassed by bulk changing approver when self-approval is disabled

[jponikarchuk]

If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!

---

Version Number: 9.2.75-0
Reproducible in staging?: Yes
Reproducible in production?: N/A - new feature, doesn't exist in prod
If this was caught during regression testing, add the test name, ID and link from BrowserStack: #75729
Email or phone of affected tester (no customers): jsdonijsdojoisjdiosnjdo11@gmail.com
Issue reported by: Applause Internal Team
Bug source: Pull Request QA execution
Device used: Mac 26.1 / Chrome
App Component: Money Requests

Action Performed:

Precondition:

• Create two workspaces - A and B.
• User B is invited to Workspace A and B and is the workspace approver in both workspaces.
• "Prevent self-approvals" is enabled in Workspace A only.

1. Go to staging.new.expensify.com
2. Create an expense in both Workspace A and B and click Submit for each report.
3. Open the expense report in workspace chat A.
4. Click More > Change approver.
   → Bypass approver option is hidden because "Prevent self-approvals" is enabled.
5. Go to Reports > Reports.
6. Select both reports from both workspaces via checkbox.
7. Click dropdown button > Change approver.
8. Click Bypass approver > Change approver.
9. Open expense report from workspace chat A.

Expected Result:

In Step 8, Bypass approver option should be hidden when bulk changing approver for both reports from both workspaces because "Prevent self-approvals" is enabled in Workspace A (the same way the option is hidden in Step 4).

Actual Result:

In Step 8, Bypass approver option is shown when bulk changing approver for both reports from both workspaces when "Prevent self-approvals" is enabled in Workspace A.
As a result, user can change approver to themselves despite self-approval settings.

Workaround:

Unknown

Platforms:

• Android: App
• Android: mWeb Chrome
• iOS: App
• iOS: mWeb Safari
• iOS: mWeb Chrome
• Windows: Chrome
• MacOS: Chrome / Safari
• MacOS: Desktop

Screenshots/Videos

1.mp4

View all open jobs on GitHub

[melvin-bot]

Triggered auto assignment to @bfitzexpensify (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details. Please add this bug to a GH project, as outlined in the SO.

[melvin-bot]

Triggered auto assignment to @deetergp (DeployBlockerCash), see https://stackoverflowteams.com/c/expensify/questions/9980/ for more details.

[melvin-bot]

💬 A slack conversation has been started in #expensify-open-source

[github-actions]

👋 Friendly reminder that deploy blockers are time-sensitive ⏱ issues! Check out the open `StagingDeployCash` deploy checklist to see the list of PRs included in this release, then work quickly to do one of the following:

1. Identify the pull request that introduced this issue and revert it.
2. Find someone who can quickly fix the issue.
3. Fix the issue yourself.

[Nodebrute]

Proposal

Please re-state the problem that we are trying to solve in this issue.

Approver can be bypassed by bulk changing approver when self-approval is disabled

What is the root cause of that problem?

In shouldShowBypassApproversOption we don't have any check to hide bypass option if any of the reports have preventSelfApprovals enabled

App/src/pages/Search/SearchChangeApproverPage.tsx

Lines 181 to 193 in ffe620f

	const shouldShowBypassApproversOption =
	hasPermission &&
	selectedReports.some((selectedReport) => {
	const policy = allPolicies?.[`${ONYXKEYS.COLLECTION.POLICY}${selectedReport.policyID}`];
	const report = onyxReports?.get(selectedReport.reportID);
	if (!policy || !report) {
	return false;
	}
	const isCurrentUserManager = report.managerID === currentUserDetails.accountID;
	return !isCurrentUserManager && isAllowedToApproveExpenseReport(report, currentUserDetails.accountID, policy);
	});

What changes do you think we should make in order to solve the problem?

We should hide bypass option if any of the reports have preventSelfApprovals enabled We can add another check in shouldShowBypassApproversOption

&&
            selectedReports.every((selectedReport) => {
                const policy = allPolicies?.[`${ONYXKEYS.COLLECTION.POLICY}${selectedReport.policyID}`];
                const report = onyxReports?.get(selectedReport.reportID);

                if (!policy || !report) {
                    return true;
                }

                return !(policy.preventSelfApproval && isCurrentUserSubmitter(report));
            });

Note: This is only pseudocode for now. We can clean up the duplication and polish the implementation in the PR.

What alternative solutions did you explore? (Optional)

We can also do it in one iteration

    let hasAnyReportAllowingBypass = false;
    let hasAnyReportPreventingBypass = false;

    for (const selectedReport of selectedReports) {
        const policy = allPolicies?.[`${ONYXKEYS.COLLECTION.POLICY}${selectedReport.policyID}`];
        const report = onyxReports?.get(selectedReport.reportID);

        if (!policy || !report) {
            continue;
        }

        // Check if this report allows bypassing
        const isCurrentUserManager = report.managerID === currentUserDetails.accountID;
        if (!isCurrentUserManager && isAllowedToApproveExpenseReport(report, currentUserDetails.accountID, policy)) {
            hasAnyReportAllowingBypass = true;
        }

        // Check if this report prevents bypassing
        if (policy.preventSelfApproval && isCurrentUserSubmitter(report)) {
            hasAnyReportPreventingBypass = true;
        }
    }

    const shouldShowBypassApproversOption = hasPermission && hasAnyReportAllowingBypass && !hasAnyReportPreventingBypass;

[deetergp]

This seems to be related to/caused by: #75729