INC-149728 · Issue 608107
Application wizard security updated
Resolved in Pega Version 8.4.4
A user having PegaRULES:User1 role only was able to run the Create Application wizard until an authorization block was reached, yet some rules were created. No operator records were created as part of this process. This was traced to code left in place after the creation of pxAppConfig and pzAppConfig portals, and has been resolved. The New Application wizard UI will display a message to a user when they lack access to build a new application, and an error will be displayed for any attempt to create a new application directly via pzCreateNewApplication to address a scenario where a user might be trying to call the activity without the front end.
INC-150039 · Issue 608044
Adjusted validation of literal value of a parameter
Resolved in Pega Version 8.4.4
When mapping a parameterized when rule to the proposition filter, parameters passed from the proposition filter page were not getting flown to the when rule. This was caused by special character validation for a literal value of a parameter which necessitated putting the parameter value within quotes and which resulted in a parameter value mismatch at run time. To support this use, this validation has been disabled as parameter values would not get included within quotes. This change does not have any impact on when rule or proposition filter rules java generation.
INC-150845 · Issue 606354
OpenRule logic updated for GetRuleInfo
Resolved in Pega Version 8.4.4
The exception "InsufficientPrivileges:RuleExecutionDenied RULE-OBJ-ACTIVITY @BASECLASS PZGETRULEINFO" was thrown for some access groups when attempting to view a section from the end-user perspective on the Opportunity screen. Investigation showed this happened when a section had a table in which "Optimize code" was unchecked. If "Optimize code" was checked, then the exception was not thrown. This was traced to recent security changes in pzGetRuleInfo which affected the BAC registration process, and has been resolved by updating the way the openRule action registration logic invokes the activity.
INC-151669 · Issue 618042
Formulas corrected for GenerateExcelFile
Resolved in Pega Version 8.4.4
After upgrade, using pxGenerateExcelFile to generate an Excel file resulted in some formulas and values not displaying. This scenario used an Excel template with two tabs - one showing direct page values and the second displaying the calculated values of first sheet. In the exported file, the formula was not getting evaluated unless and until the cell was activated with the enter key. This is a known limitation, and a temporary solution has been made here to add parameters that force the formula evaluations on the saved Excel document when editing is turned on. A more complete solution will be included in the next patch release.
SR-D40662 · Issue 511396
OpenRuleAdvanced updated
Resolved in Pega Version 8.3.2
After upgrade, the Update Page and Append and Map to step in Data transform was generating the error "No Server connection while giving page name to Target and Source". This was traced to the OpenRuleAdvanced_OverLabel control, and investigation showed that a variable was not being resolved when invoking pzEncryptURLActionString. This has been resolved by updating OpenRuleAdvanced and reimplementing two parameters as well as moving the call of these variables to the beginning of the script. Security has also been improved by moving some of the encryption to SafeUrls.
SR-D41636 · Issue 521731
Route to configuration in the approval flow accepts Specific User parameters
Resolved in Pega Version 8.3.2
Route to configuration in the approval flow was not accepting a parameter value/property value when select Specific User option from drop down was chosen. This was traced to unique ID change work done in the 8.2 release: the pzSimpleApproval section has two controls (DropDown for Participant & AutoComplete for Operator) configured on same property pyOperatorToAssign with "run visibility on client configuration), and when the control value was being changed in the AutoComplete control, the empty value of DropDown control was being posted to the clipboard. To correct this, the section Work-.pzSimpleApproval has been modified to remove performing run-visibility conditions at client side. Instead, the system will use the ".pyApproverType Changes" condition to refresh the wrapper DL which contains the routeTo type Operator/WB/Participant property controls.
SR-D42566 · Issue 512871
ApplicationInventory function deleted
Resolved in Pega Version 8.3.2
It was possible to call the activity "ApplicationInventory of class Rule-" by appending the activity name in the URL. To improve security, the ApplicationInventory activity and HTML rule have been removed from the system.
SR-D44942 · Issue 518352
Guided tour popups handling added for right-to-left language locales
Resolved in Pega Version 8.3.2
Guided Tour Popups were still appearing in the default EN location after switching to the ar_AR locale. This was traced to a missed use case for locales using a right-to-left mode such as Arabic or Hebrew, and has been resolved by updating the guided tour engine openPopOver function to account for the HTML tag dir attribute for value of "rtl". This will anchor the pop over to rightBottom / and display the arrow on the rightTop instead of leftBottom / leftTop.
SR-D47975 · Issue 514012
OpenRuleAdvanced updated
Resolved in Pega Version 8.3.2
After upgrade, the Update Page and Append and Map to step in Data transform was generating the error "No Server connection while giving page name to Target and Source". This was traced to the OpenRuleAdvanced_OverLabel control, and investigation showed that a variable was not being resolved when invoking pzEncryptURLActionString. This has been resolved by updating OpenRuleAdvanced and reimplementing two parameters as well as moving the call of these variables to the beginning of the script. Security has also been improved by moving some of the encryption to SafeUrls.
SR-D48248 · Issue 517237
cross-site scripting filtering added to URLs
Resolved in Pega Version 8.3.2
Cross-site scripting filtering has been added to prevent the injection of a script into a URL using ViewXML.