A restricted user can access and view Action Item details

Document ID : KB000032029
Last Modified Date : 14/02/2018

Problem: 

If I log in with a restricted (Dummy) user (no groups added and no global rights) and paste the URL of another user's Action Item into the browser, the Dummy user can access and view all the information of that Action Item.

My main concern with this issue is that one user will be able to update another user's action item (e.g. John is able to mark an action item that has been assigned to Ann as "approved"). The use case needed to reproduce this issue is not a typical one.

Steps to Reproduce:

  1. Create a restricted (Dummy) user with no security rights added
  2. Log in to the application as the 'Dummy' user
  3. Paste the URL of an Action Item belonging to another user into the browser address bar

Expected Result:  The user should not be able to access the Action Item because security access rights are not granted to that user. 

Actual Result: The restricted user can access and view all the information of the Action Item.  

Environment:

Applies to all supported PAS environments for specified releases.

Cause:

Caused by CLRT-74487

The application does not have a security access rights check for the Action Item.

Resolution:

Resolved in CA PPM 14.2

Added a check that the current user must be the assignee or owner of an action item in order to view it. Otherwise an error is thrown, and the 'Return' button that would have taken the user to the Organizer page has been removed for this scenario, so the restricted user cannot click through to it.
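As an added illustration (not code from CA PPM), the following shows the pre-fix lookup, which resolves the id taken from the URL with no ownership check, beside a handler that applies the assignee/owner rule the resolution describes and records denied attempts for monitoring. User names, the item id and the data model are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    user_id: str
    groups: frozenset = frozenset()         # the "Dummy" user has no groups
    global_rights: frozenset = frozenset()  # and no global rights

@dataclass
class ActionItem:
    item_id: int
    owner: str      # user who created/owns the item
    assignee: str   # user the item is assigned to
    status: str
    notes: str

# Constructed sample data (not from the product): Lee owns an item assigned to Ann.
ITEMS = {
    5001001: ActionItem(5001001, owner="lee", assignee="ann",
                        status="Open", notes="Review Q3 budget"),
}
DENIED_LOG = []  # denied attempts are recorded so they can be alerted on

def view_action_item_unchecked(user, item_id):
    """Pre-fix behaviour: the id from the URL is resolved and the full record
    is returned without checking the caller's relationship to it."""
    return ITEMS[item_id]

def can_view(user, item):
    """The rule the resolution describes: only the assignee or owner may view."""
    return user.user_id in (item.assignee, item.owner)

def view_action_item(user, item_id):
    """Post-fix behaviour: authorize the specific object before returning it.
    Missing and forbidden items raise the same error so ids cannot be probed."""
    item = ITEMS.get(item_id)
    if item is None or not can_view(user, item):
        DENIED_LOG.append((user.user_id, item_id))
        raise PermissionError(f"user {user.user_id} may not view action item {item_id}")
    return item

def attempt_view(user, item_id):
    """True if the details were returned to the caller, False if denied."""
    try:
        view_action_item(user, item_id)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    dummy = User("dummy")  # the restricted user from the report
    print(view_action_item_unchecked(dummy, 5001001).notes)  # leaks before the fix
    print(attempt_view(dummy, 5001001), attempt_view(User("ann"), 5001001))
```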

Additional Information:

Reference CA PPM Resolved Defects Index for CA PPM 14.2