
Task List URL in Portal 9.1 Bypass Authorization and can be Accessed by any Other User (Doc ID 2610140.1)

Last updated on NOVEMBER 13, 2019

Applies to:

PeopleSoft Enterprise PRTL Interaction Hub - Version 9.1 and later
Information in this document applies to any platform.

Symptoms

The Task Detail/Task List URL in Portal 9.1 on PT 8.57 bypasses authorization: any user can use it to access the tasks of other users. This was not an issue in PT 8.54.35.

 

The issue can be reproduced with the following steps:

---------------------------------------------------
1. Log in to the application as a user, for example PS.
2. Navigate to the Task List and create a new task.
3. Open the task and copy the link to the task.
4. Using this link, log in to the application with a different user account, for example VP1.
5. "VP1" has unauthorized access to view and update the task list of the "PS" user.
6. Edit the task and save.
7. Go to the task list of VP1. The user does not have access to the new task created by PS.
8. Log in to the application with the "PS" user account and go to the task list. The task data is shown as edited by user VP1.

Refer to the attached replication for more details.
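
The steps above show a task that is absent from VP1's own task list yet viewable and editable through the copied link. As an added illustration (not Oracle or PeopleSoft code, and not a statement of the cause, which this page does not give), the Python model below contrasts a detail handler that trusts the task ID in the link with one that checks ownership against the session user; all class, method and function names are hypothetical.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the session user may not touch the requested task."""

@dataclass
class Task:
    task_id: int
    owner: str
    subject: str
    last_edited_by: str

class TaskStore:
    def __init__(self):
        self._tasks = {}

    def create(self, user, subject):
        task_id = len(self._tasks) + 1
        self._tasks[task_id] = Task(task_id, user, subject, user)
        return task_id

    def task_list(self, user):
        # The list view filters by owner, so step 7 alone looks safe.
        return [t.task_id for t in self._tasks.values() if t.owner == user]

    def update_unchecked(self, user, task_id, subject):
        # Flawed detail handler: trusts the ID carried in the copied link.
        task = self._tasks[task_id]
        task.subject, task.last_edited_by = subject, user
        return task

    def update_checked(self, user, task_id, subject):
        # Hardened handler: compare the owner with the authenticated user
        # before any read or write, and fail closed on unknown IDs.
        task = self._tasks.get(task_id)
        if task is None or task.owner != user:
            raise Forbidden(f"{user} may not access task {task_id}")
        task.subject, task.last_edited_by = subject, user
        return task

def replay(handler_name):
    """Replay steps 1-8; returns (hidden_from_list, blocked, last_editor)."""
    store = TaskStore()
    tid = store.create("PS", "constructed sample task")   # steps 1-3
    hidden = tid not in store.task_list("VP1")             # step 7
    try:
        getattr(store, handler_name)("VP1", tid, "edited")  # steps 4-6
        blocked = False
    except Forbidden:
        blocked = True
    return hidden, blocked, store._tasks[tid].last_edited_by  # step 8
```

The same replay, run against a patched environment with two test accounts, works as a regression check: the request in step 4 should be refused and the task should still show PS as its last editor.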

Changes

 NA

Cause
