Description

If any user with the template_editor role creates a template with the same name as the target table, the template is applied to all new records created for that table by any other user. No user other than an administrator should be able to create such a global template that is automatically applied to every new record.

Steps to Reproduce

 

1. Impersonate an itil user or any user with the template_editor role, but not the admin role.
2. Go to any table, like incident.list.
3. Open a record.
4. Create a new template and name it the same as the target table, like 'incident' in this case.
5. Set the field values for the template and submit it. Note that the user field is read-only and has the logged-in user's name filled in.
6. Impersonate any other user and try to create a new record for the incident table. Observe that all new records get the template applied.

Workaround

This problem is fixed in London. The fix is in the Client Script "SNC - default template name check" (sys_script_client_6896a95037002000a4c12bb6dcbe5d60), which has an added check for the Admin role before allowing the user to set the name field to an existing table:

    if (g_user.hasRole('admin')) {
        // Admins may name a template after a table; tell them it will auto-apply.
        g_form.showFieldMsg('name', 'Name matches an existing table name, so template will be automatically applied to new records in that table', 'info');
        g_form.setValue("table", newValue);
        return;
    } else {
        // Non-admins: clear the name and reject it.
        g_form.setValue("name", "");
        g_form.showFieldMsg('name', 'Name cannot match an existing table name', 'error');
    }
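The fix above only stops new table-named templates from being saved through the form, so templates created before the upgrade are worth auditing. The following is an added example, not part of the original article or the platform's code: a plain JavaScript check over exported template rows. The row shape (name, table, user), the table list and the rolesByUser lookup are assumptions, and all sample data is constructed.

```javascript
// Added example: flag templates whose name collides with a table name.
// Assumptions: rows carry the name, table and user fields the article mentions;
// rolesByUser is a lookup built from a separate export of user roles.

function normalize(value) {
  // Assumption: compare case-insensitively and ignore surrounding whitespace,
  // so near-matches are surfaced for review rather than missed.
  return String(value || '').trim().toLowerCase();
}

function findTableNamedTemplates(templates, tableNames, rolesByUser) {
  const tables = new Set(tableNames.map(normalize));
  const findings = [];
  for (const tpl of templates) {
    const name = normalize(tpl.name);
    if (!tables.has(name)) continue; // ordinary template name, nothing to report
    const roles = rolesByUser[tpl.user] || [];
    const ownerIsAdmin = roles.includes('admin');
    findings.push({
      name: tpl.name,
      appliesTo: name, // table whose new records receive this template
      user: tpl.user,
      ownerIsAdmin,
      // An admin-owned match is permitted by the fix but still worth confirming.
      severity: ownerIsAdmin ? 'review' : 'violation',
    });
  }
  // List non-admin owners first.
  return findings.sort((a, b) => Number(a.ownerIsAdmin) - Number(b.ownerIsAdmin));
}

// Constructed sample data (not from a real instance).
const sampleTables = ['incident', 'problem', 'change_request'];
const sampleRoles = {
  'itil.user': ['itil', 'template_editor'],
  'sys.admin': ['admin'],
};
const sampleTemplates = [
  { name: 'problem', table: 'problem', user: 'sys.admin' },
  { name: 'Network outage', table: 'incident', user: 'itil.user' },
  { name: 'incident', table: 'incident', user: 'itil.user' },
];

const report = findTableNamedTemplates(sampleTemplates, sampleTables, sampleRoles);
console.log(report);
```

Rows reported as 'violation' are the templates a non-admin was able to create before the fix; renaming or deactivating them stops the automatic application.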


Related Problem: PRB1255696

Fixed In

London

Article Information

Last Updated: 2018-11-13 23:34:35
Published: 2018-11-14