
Description

Users without any roles are able to move calendar entries around on show_schedule.do pages. For example, on the Maintenance Windows and Changes calendar page, the user can move entries around even though no ACLs allow them to do so. As a result, the underlying data is updated even though the user does not have access to edit those records.

Steps to Reproduce

 

  1. Impersonate a user without any roles (Joe Employee).

  2. Go to /show_schedule.do?sysparm_type=maint.

  3. Move one of the spans that are coloured black or orange into another column or cell.

    Note that although it should not be movable, the span is moved to another cell or column.

 

Workaround

This issue is under review. To receive notifications when more information is available, subscribe to this Known Error article by clicking the Subscribe button at the top right of the article. If you are able to upgrade, review the Fixed In field to determine whether any versions have a permanent fix.


Related Problem: PRB759767

Seen In

Eureka Patch 10 Hot Fix 1
Geneva Patch 5

Fixed In

Helsinki Patch 11
Istanbul Patch 6
Jakarta

Article Information

Last Updated: 2018-03-12 10:27:56
Published: 2017-05-15