Users without any roles are able to move calendar entries on show_schedule.do pages. For example, on the Maintenance Windows and Changes calendar page, such a user can move entries even though no ACLs allow them to do so. As a result, the underlying data is updated even though the user does not have access to edit those records.
Steps to Reproduce
Impersonate a user without any roles (Joe Employee).
Go to /show_schedule.do?sysparm_type=maint.
Move one of the spans that are coloured black or orange into another column or cell.
Note that although it should not be movable, the span is moved to another cell or column.
This issue is under review. To receive notifications when more information is available, subscribe to this Known Error article by clicking the Subscribe button at the top right of the article. If you are able to upgrade, review the Fixed In field to determine whether any versions have a permanent fix.
Related Problem: PRB759767