chore(PayoutMethods): disable restore

Author: Betree

server/graphql/common/expenses.ts

@@ -23,6 +23,7 @@ import {
   omit,
   omitBy,
   pick,
+  remove,
   set,
   size,
   uniq,
@@ -378,15 +379,25 @@ export const canSeeExpensePayoutMethodPrivateDetails: ExpensePermissionEvaluator
     return true;
   }
 
-  return remoteUserMeetsOneCondition(req, expense, [
+  const allowedRoles = [
     isOwner,
     isOwnerAccountant,
     isHostAdmin,
     isHostAccountant,
     isAdminOrAccountantOfHostWhoPaidExpense,
     isAdminOfCollectiveWithPermissivePayoutMethodPermissions, // Some fiscal hosts rely on the collective admins to do some verifications on the payout method
     isAdminOfCollectiveAndExpenseIsAVirtualCardButNotManuallyCreated, // Virtual cards are created by the collective admins, but manually created ones are managed by host admins
-  ]);
+  ];
+
+  // Submitter can see own information until the expense is paid
+  if (expense.status === expenseStatus.PAID) {
+    const payoutMethod = await req.loaders.PayoutMethod.byId.load(expense.PayoutMethodId);
+    if (!payoutMethod.isSaved) {
+      remove(allowedRoles, [isOwner, isOwnerAccountant]);
+    }
+  }
+
+  return remoteUserMeetsOneCondition(req, expense, allowedRoles);
 };
 
 /** Checks if the user can see expense's invoice information (the generated PDF) */

server/graphql/schemaV2.graphql

@@ -23694,16 +23694,6 @@ type Mutation {
   Remove the given payout method. Scope: "expenses".
   """
   removePayoutMethod(payoutMethodId: String!): PayoutMethod!
-
-  """
-  Restore the given payout method. Scope: "expenses".
-  """
-  restorePayoutMethod(
-    """
-    Payout Method reference
-    """
-    payoutMethod: PayoutMethodReferenceInput!
-  ): PayoutMethod!
   editPayoutMethod(
     """
     Payout Method reference

server/graphql/v2/mutation/PayoutMethodMutations.ts

@@ -11,7 +11,7 @@ import { Forbidden, NotFound, Unauthorized, ValidationFailed } from '../../error
 import { idDecode, IDENTIFIER_TYPES } from '../identifiers';
 import { fetchAccountWithReference, GraphQLAccountReferenceInput } from '../input/AccountReferenceInput';
 import { GraphQLPayoutMethodInput } from '../input/PayoutMethodInput';
-import { fetchPayoutMethodWithReference, GraphQLPayoutMethodReferenceInput } from '../input/PayoutMethodReferenceInput';
+import { fetchPayoutMethodWithReference } from '../input/PayoutMethodReferenceInput';
 import GraphQLPayoutMethod from '../object/PayoutMethod';
 
 const payoutMethodMutations = {
@@ -89,24 +89,16 @@ const payoutMethodMutations = {
   },
   restorePayoutMethod: {
     description: 'Restore the given payout method. Scope: "expenses".',
+    deprecationReason: '2025-02-10: Payout methods cannot be restored.',
     type: new GraphQLNonNull(GraphQLPayoutMethod),
     args: {
       payoutMethod: {
         type: new GraphQLNonNull(GraphQLPayoutMethodReferenceInput),
         description: 'Payout Method reference',
       },
     },
-    async resolve(_: void, args, req: express.Request): Promise<PayoutMethodModel> {
-      checkRemoteUserCanUseExpenses(req);
-
-      const payoutMethod = await fetchPayoutMethodWithReference(args.payoutMethod);
-
-      const collective = await req.loaders.Collective.byId.load(payoutMethod.CollectiveId);
-      if (!req.remoteUser.isAdminOfCollective(collective)) {
-        throw new Forbidden();
-      }
-
-      return payoutMethod.update({ isSaved: true });
+    async resolve() {
+      return null;
     },
   },
   editPayoutMethod: {
@@ -130,6 +122,10 @@ const payoutMethodMutations = {
       // Enforce 2FA
       await twoFactorAuthLib.enforceForAccount(req, collective);
 
+      if (!payoutMethod.isSaved && args.payoutMethod.isSaved === true) {
+        throw new Forbidden('Archived payout methods cannot be restored.');
+      }
+
       if (await payoutMethod.canBeEdited()) {
         return await payoutMethod.update({
           ...pick(args.payoutMethod, ['name', 'data', 'isSaved']),

server/graphql/v2/object/PayoutMethod.ts

@@ -24,7 +24,7 @@ const GraphQLPayoutMethod = new GraphQLObjectType({
     name: {
       type: GraphQLString,
       description: 'A friendly name for users to easily find their payout methods',
-      resolve: async (payoutMethod, _, req: express.Request): Promise<string> => {
+      resolve: async (payoutMethod, _, req: express.Request): Promise<string | null> => {
         const collective = await req.loaders.Collective.byId.load(payoutMethod.CollectiveId);
         if (
           req.remoteUser?.isAdminOfCollective(collective) ||
@@ -54,10 +54,10 @@ const GraphQLPayoutMethod = new GraphQLObjectType({
     data: {
       type: GraphQLJSON,
       description: 'The actual data for this payout method. Content depends on the type.',
-      resolve: async (payoutMethod, _, req: express.Request): Promise<Record<string, unknown>> => {
+      resolve: async (payoutMethod, _, req: express.Request): Promise<Record<string, unknown> | null> => {
         const collective = await req.loaders.Collective.byId.load(payoutMethod.CollectiveId);
         if (
-          req.remoteUser?.isAdminOfCollective(collective) ||
+          (req.remoteUser?.isAdminOfCollective(collective) && payoutMethod.isSaved) ||
           getContextPermission(req, PERMISSION_TYPE.SEE_PAYOUT_METHOD_DETAILS, payoutMethod.id)
         ) {
           if (checkScope(req, 'expenses')) {

test/server/graphql/v2/mutation/PayoutMethodMutations.test.ts

@@ -226,5 +226,25 @@ describe('server/graphql/v2/mutation/PayoutMethodMutations', () => {
       expect(result.errors).to.exist;
       expect(result.errors[0].message).to.eql('You are authenticated but forbidden to perform this action');
     });
+
+    it('Rejects setting isSaved true on an archived payout method (restore via edit)', async () => {
+      const archivedPayoutMethod = await fakePayoutMethod({
+        CollectiveId: adminUser.CollectiveId,
+        isSaved: false,
+        name: 'Archived Bank',
+      });
+      await fakeExpense({ PayoutMethodId: archivedPayoutMethod.id, status: 'PAID' });
+      const mutationArgs = {
+        payoutMethod: {
+          id: idEncode(archivedPayoutMethod.id, IDENTIFIER_TYPES.PAYOUT_METHOD),
+          isSaved: true,
+        },
+      };
+      const result = await graphqlQueryV2(editPayoutMethodMutation, mutationArgs, adminUser);
+      expect(result.errors).to.exist;
+      expect(result.errors[0].message).to.include('Archived payout methods cannot be restored');
+      await archivedPayoutMethod.reload();
+      expect(archivedPayoutMethod.isSaved).to.be.false;
+    });
   });
 });

test/server/graphql/v2/object/PayoutMethod.test.ts

@@ -159,4 +159,89 @@ describe('server/graphql/v2/object/PayoutMethod', () => {
       }
     });
   });
+
+  describe('archived payout method obfuscation', () => {
+    it('returns null for name and data when collective admin queries an archived payout method', async () => {
+      const user = await fakeUser();
+      const archivedPm = await fakePayoutMethod({
+        type: PayoutMethodTypes.BANK_ACCOUNT,
+        name: 'Secret Bank',
+        CollectiveId: user.CollectiveId,
+        isSaved: false,
+        data: {
+          accountHolderName: 'Secret Holder',
+          currency: 'EUR',
+          type: 'IBAN',
+          details: { iban: 'FR123456789' },
+        },
+      });
+      await fakeExpense({ PayoutMethodId: archivedPm.id, status: 'PAID' });
+
+      const result = await graphqlQueryV2(
+        gql`
+          query Account($slug: String!) {
+            account(slug: $slug) {
+              id
+              payoutMethods(includeArchived: true) {
+                id
+                name
+                data
+                isSaved
+                type
+              }
+            }
+          }
+        `,
+        { slug: user.collective.slug },
+        user,
+      );
+      expect(result.errors).to.not.exist;
+      const archivedFromQuery = result.data.account.payoutMethods.find(pm => pm.id && !pm.isSaved);
+      expect(archivedFromQuery).to.exist;
+      expect(archivedFromQuery.name).to.be.null;
+      expect(archivedFromQuery.data).to.be.null;
+      expect(archivedFromQuery.isSaved).to.be.false;
+      expect(archivedFromQuery.type).to.equal('BANK_ACCOUNT');
+    });
+
+    it('returns name and data for saved payout methods when collective admin queries', async () => {
+      const user = await fakeUser();
+      await fakePayoutMethod({
+        type: PayoutMethodTypes.BANK_ACCOUNT,
+        name: 'My Bank',
+        CollectiveId: user.CollectiveId,
+        isSaved: true,
+        data: {
+          accountHolderName: 'Holder',
+          currency: 'EUR',
+          type: 'IBAN',
+          details: { iban: 'FR999999999' },
+        },
+      });
+
+      const result = await graphqlQueryV2(
+        gql`
+          query Account($slug: String!) {
+            account(slug: $slug) {
+              id
+              payoutMethods {
+                id
+                name
+                data
+                isSaved
+              }
+            }
+          }
+        `,
+        { slug: user.collective.slug },
+        user,
+      );
+      expect(result.errors).to.not.exist;
+      const pm = result.data.account.payoutMethods.find(p => p.name === 'My Bank');
+      expect(pm).to.exist;
+      expect(pm.name).to.equal('My Bank');
+      expect(pm.data).to.exist;
+      expect(pm.isSaved).to.be.true;
+    });
+  });
 });