Description
All record producer requests go through the Service Catalog processor. Once the processor has been made public, if the user logs out, the request still proceeds even though the user has logged out.
Steps to Reproduce
- Make the Service Catalog public per the instructions in KB0551300.
- Open any catalog item or record producer.
- Add an item to the cart.
- Before checkout, open another tab and log out.
- Proceed to check out.
The session will now be a Guest user and under certain conditions, the sc_request and sc_req_item is created by the Guest user.
Workaround
In Service Catalog Processor, add the following lines at line 7:
var item = g_request.getParameter("sysparm_id");
if(item && !GlideappCatalogItem.get(item).canView()) {
gs.addErrorMessage(gs.getMessage("Not Authorized"));
g_response.sendRedirect("navpage.do");
return;
}
Related Problem: PRB677094
