INC-145033 · Issue 599482
ForgotPassword responses made consistent
Resolved in Pega Version 8.4.4
To prevent possible exposure of valid usernames, the ForgotPassword logic has been updated so that it will show the same messages and set of screens to both valid and invalid users if a lost password request is made.
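The consistent-response behaviour described in this entry, as an added example that is not Pega's code. The account store, handler names and message text are assumptions made for illustration; the leaky handler is shown only as the "before" case for the regression check.

```python
import secrets

# Constructed sample account store (assumption, not Pega data).
USERS = {"alice": "alice@example.com"}
OUTBOX = []  # stands in for an asynchronous mail queue

GENERIC_MESSAGE = "If the account exists, password reset instructions have been sent."


def forgot_password_leaky(username):
    """'Before' behaviour: status, screen and message differ by account existence."""
    if username not in USERS:
        return {"status": 404, "screen": "error", "message": "Unknown user"}
    OUTBOX.append((USERS[username], secrets.token_urlsafe(32)))
    return {"status": 200, "screen": "confirm", "message": "Reset email sent"}


def forgot_password_uniform(username):
    """Same status, screen and message whether or not the user exists."""
    # The token is generated on both paths so the work done is similar;
    # delivery is queued rather than sent inline for the same reason.
    token = secrets.token_urlsafe(32)
    email = USERS.get(username)
    if email is not None:
        OUTBOX.append((email, token))
    return {"status": 200, "screen": "confirm", "message": GENERIC_MESSAGE}


def responses_match(handler, known, unknown):
    """Regression check: responses for a known and an unknown user must be identical."""
    return handler(known) == handler(unknown)


if __name__ == "__main__":
    print("uniform handler consistent:",
          responses_match(forgot_password_uniform, "alice", "nobody"))
    print("leaky handler consistent:",
          responses_match(forgot_password_leaky, "alice", "nobody"))
```

A check like `responses_match` belongs in the regression suite for the reset flow so that a later change to messages or screens cannot reintroduce the difference.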
INC-146434 · Issue 602740
Accessibility added to Security Event Configuration headers
Resolved in Pega Version 8.4.4
Labels for the headers in the Security Event Configuration screen have been converted to dynamic layout headers so they will be detected by JAWS screen reader.
INC-146921 · Issue 601638
Cross-site scripting update for Dev Studio
Resolved in Pega Version 8.4.4
Cross Site Scripting (XSS) protections have been added to Developer Studio.
INC-154627 · Issue 619570
Re-enabled users are able to log in
Resolved in Pega Version 8.4.4
When disabled operators were re-enabled through operator management, the forced password change on next login was manually unchecked but the operators were unable to log in because the change password screen was displayed without any password entry fields. This was a missed use case for handling the change password flag on a requestor, and has been resolved by having the system skip setting the change password on next login flag for disabled users.
INC-127981 · Issue 562998
Rulesets removed from direct invocation ability
Resolved in Pega Version 8.2.7
The following rules have been updated such that they are no longer available to be invoked directly by a client or service: Clipboard_ExecuteActivity, getClassInstances, getOperatorIDs, and GetXMLRuleData. In addition, pzAutoGenClipboard_ExecuteActivity will now require authentication.
SR-D79831 · Issue 562800
Access Deny working as expected for Offers
Resolved in Pega Version 8.2.7
It was possible to Save-As an offer in PegaMKT-Work-Offer after encountering an access deny rule. The record was not created in Dev Studio, however, and an expected denial of access was not registered at runtime. This was due to Access deny rules not being considered as a part of validation, and has been resolved by adding the necessary permission validation to the new harness that will produce the error message informing the user that they are missing a permission. Additional work has also been done to pass the 'pzKeepPageMessages' parameter as true so that page level error messages are correctly displayed.
SR-D87673 · Issue 548627
PegaCESvcsIntegrator security updated
Resolved in Pega Version 8.2.7
Security updates have been made which now require authentication to consume the services from the PegaCESvcsIntegrator package.
SR-D88451 · Issue 550848
Testcases are not available for 'access when' rules
Resolved in Pega Version 8.2.7
Attempting to create test cases for access when rules resulted in guardrail warnings about the need to create a test case. Because Test Cases are not available for the Access When rule type as per Pega expected behavior, the guardrail warnings are not valid and have been removed.
SR-D91834 · Issue 554424
Related cases of different types properly linked in Case Worker Portal
Resolved in Pega Version 8.2.7
After creating a case of type1 in the Case Worker portal, creating a case of type2 from the first case showed the case ID of the second case in the Related Work section as expected. However, after clicking on the link of the case ID of the second case from the related work section, the second case opened but the case ID of the first case was not shown in the Related work. The cases were correctly associated when the Case Manager portal was used instead. This was traced to the Case Worker clipboard continuing to hold the previous case ID thread, and has been resolved.
INC-118838 · Issue 560691
OKTA receives parameters on logout
Resolved in Pega Version 8.2.7
When using an OIDC logout endpoint with a parameter set as a data page value, the data page retrieved the ID token from the DB, but when logout was clicked the data page name was being displayed in the browser instead of the ID token. To resolve this, code has been added to support sending ID token parameters to the logoff endpoint for OKTA logoff using OpenID Connect.