Customers Are Able To Access Catalog Sections That Are Excluded From Site They Have Access To (Doc ID 1551888.1)

Last updated on MARCH 31, 2020

Applies to:

Oracle iStore - Version 12.1.3 and later
Information in this document applies to any platform.

Symptoms

On All instances: 12.1.3 version, Runtime Catalog

ACTUAL BEHAVIOR
---------------
Users are able to access catalog sections that are excluded from the site they have access to.

EXPECTED BEHAVIOR
-----------------------
Users should not see the catalog when they are not allowed to.

STEPS
-----------------------
The issue can be reproduced at will with the following steps:
1. Set up a site with responsibility-checked
2. Exclude this site on a section
3. Log in as a user who does not have access to this site but has access to a different site
4. Edit the URL, change the section_id and item_id, and run it
5. The item from the excluded section is displayed

BUSINESS IMPACT
-----------------------
The issue has the following business impact:
Due to this issue, users can see products even though they are not supposed to.

Cause

To view full details, sign in with your My Oracle Support account.
