
User Should Not Be Able To Approve A Purchase Requisition Through Email If He Has No Approval Access (Doc ID 2747684.1)

Last updated on FEBRUARY 01, 2021

Applies to:

Oracle iProcurement - Version 12.2.4 and later
Information in this document applies to any platform.

Symptoms

On version 12.2.4:

ACTUAL BEHAVIOR
-----------------------

An unauthorized user is able to approve a Purchase Requisition by accessing it through the "Please click here to respond" URL that was originally sent in the approval notification email.
After approval, the Action History shows the action as taken by the original approver, although the requisition was approved by a different user.
 

EXPECTED BEHAVIOR
---------------------------

An unauthorized user should not be able to approve a Purchase Requisition through email if he has no approval access.



STEPS
-----------------------

The issue can be reproduced at will with the following steps:
1. Navigate to iProcurement
2. Submit a Requisition for approval
3. The approval notification contains a URL for "Please click here to respond".
4. Use that URL to access the application as a different user and approve the Purchase Requisition.
5. The Action History shows approval action taken by the original approver.
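
The gap between the actual and expected behavior above, as an added Python model. It is not Oracle code and does not represent how iProcurement processes notification responses; every name in it (`Notification`, `ActionHistory`, `respond_flawed`, `respond_checked`, the sample users and requisition number) is hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Notification:
    notification_id: int
    requisition: str
    assigned_approver: str
    status: str = "OPEN"

@dataclass
class ActionHistory:
    entries: list = field(default_factory=list)

    def record(self, requisition, action, performed_by):
        self.entries.append((requisition, action, performed_by))

class NotAuthorized(Exception):
    pass

def respond_flawed(ntf, session_user, history):
    """Behavior from the Symptoms: holding the link is enough to approve."""
    # session_user is never compared with the assigned approver, and the
    # history entry is written under the approver's name, not the actor's.
    ntf.status = "APPROVED"
    history.record(ntf.requisition, "APPROVE", ntf.assigned_approver)

def respond_checked(ntf, session_user, history):
    """Expected behavior: only the assigned approver may respond."""
    if ntf.status != "OPEN":
        raise NotAuthorized("notification is already closed")
    if session_user != ntf.assigned_approver:
        # Keep an audit trail of the refused attempt under the real actor.
        history.record(ntf.requisition, "APPROVE_DENIED", session_user)
        raise NotAuthorized(f"{session_user} cannot approve {ntf.requisition}")
    ntf.status = "APPROVED"
    history.record(ntf.requisition, "APPROVE", session_user)

def demo():
    # Constructed sample data: the requisition number and user names are made up.
    flawed_hist, checked_hist = ActionHistory(), ActionHistory()
    respond_flawed(Notification(1, "REQ-1001", "approver_a"), "other_user", flawed_hist)
    ntf = Notification(2, "REQ-1001", "approver_a")
    try:
        respond_checked(ntf, "other_user", checked_hist)
    except NotAuthorized:
        pass
    respond_checked(ntf, "approver_a", checked_hist)
    return flawed_hist.entries, checked_hist.entries, ntf.status
```

In the flawed path the history entry is indistinguishable from a legitimate approval, which is why the check has to compare the authenticated session user with the approver and record the actual actor.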

Changes

 

Cause
