If I log in with a restricted (Dummy) user (no groups added and no global rights) and I paste the URL of another user's Action Item, then the Dummy user can access and view all the information of the Action Item.
My main concern with this issue is that a user will be able to update another user's action item (e.g., John is able to update an action item "approved" that has been assigned to Ann). The use case needed to duplicate this issue is not a typical use case.
Steps to Reproduce:
- Create a restricted (Dummy) user with no security rights added
- Log in to the application as 'Dummy' user
- Paste a URL for another user's Action Item into the browser address bar
Expected Result: The user should not be able to access the Action Item because security access rights are not granted to that user.
Actual Result: The restricted user can access and view all the information of the Action Item.
Applies to all supported PAS environments for specified releases.
Caused by CLRT-74487
The application does not have a security access rights check for the Action Item.
Resolved in CA PPM 14.2
A check was added that the current user must be the assignee or owner of an action item in order to view it. Otherwise, an error is thrown and the user is prevented from clicking 'Return' to see the Organizer page (the 'Return' button was removed for this scenario).
Reference CA PPM Resolved Defects Index for CA PPM 14.2
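The missing check and the fix described above, sketched as an added example (this is not CA PPM code). The data model, the function names, the 403 status and the sample users "pat", "ann", "john" and "dummy" are all assumptions made for illustration.

```python
from dataclasses import dataclass


class AccessDenied(Exception):
    """The current user is neither owner nor assignee of the action item."""


@dataclass
class ActionItem:
    item_id: int
    subject: str
    owner: str
    assignees: frozenset
    status: str = "open"


# Constructed sample data: one action item owned by "pat" and assigned to "ann".
ITEMS = {5001: ActionItem(5001, "Approve budget", "pat", frozenset({"ann"}))}


def view_unchecked(current_user, item_id):
    """Defect behaviour: being logged in and knowing the id is enough."""
    return ITEMS[item_id]


def authorize(current_user, item_id):
    """Fix behaviour: look up the item, then require owner or assignee."""
    item = ITEMS.get(item_id)
    # One error for "no such item" and "not yours", so ids cannot be probed.
    if item is None or current_user not in ({item.owner} | item.assignees):
        raise AccessDenied("You do not have access to this action item.")
    return item


def update_status(current_user, item_id, new_status):
    """Writes go through the same check as reads."""
    item = authorize(current_user, item_id)
    item.status = new_status
    return item


def render(current_user, item_id):
    """Page model for the view; the error page offers no 'Return' button."""
    try:
        item = authorize(current_user, item_id)
    except AccessDenied as exc:
        return {"status": 403, "error": str(exc), "show_return": False}
    return {"status": 200, "subject": item.subject, "show_return": True}
```

The check runs on the server for every request that carries an item id, so the result does not depend on whether the user reached the item through a link in the UI or a pasted URL.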