SR-C1107 · Issue 351606
OAuth tokens obtained on login timeout
Resolved in Pega Version 7.4
When the client idle time expires, the user must log in again in order to get back into the application. If OAuth is being used for authentication, there is no need to re-send the credentials to NetIQ if neither the refresh token nor the access token has expired yet, but the hybrid client was repeating the ROPC flow and obtaining a new refresh token each time the user logged in after the client idle timeout expired. With this change, the tokens are obtained on login timeout. A further update targeted for the next release will show the lock screen instead of logging the user out.
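The decision described above (reuse a valid access token, fall back to the refresh grant while the refresh token is still valid, and only repeat the ROPC password grant when both have expired) is shown below as an added example. This is not Pega or NetIQ code: the identity provider is a constructed stub, token lifetimes and the clock skew allowance are assumptions, and the `HybridClient` class is hypothetical.

```python
"""Added example: when must a client repeat the ROPC flow after an idle timeout?
Not Pega or NetIQ code; the identity provider below is a constructed stub."""
import itertools
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class TokenSet:
    access_token: str
    access_expires_at: float   # absolute epoch seconds (constructed values in the scenario)
    refresh_token: str
    refresh_expires_at: float


class StubIdentityProvider:
    """Stand-in for the authorization server; lifetimes are assumptions."""

    def __init__(self, clock: Callable[[], float], access_ttl: int = 300, refresh_ttl: int = 3600):
        self.clock = clock
        self.access_ttl = access_ttl
        self.refresh_ttl = refresh_ttl
        self._seq = itertools.count(1)
        self.ropc_calls = 0      # how often user credentials were sent
        self.refresh_calls = 0   # how often only a refresh token was sent

    def _issue(self) -> TokenSet:
        n = next(self._seq)
        now = self.clock()
        return TokenSet(f"at-{n}", now + self.access_ttl, f"rt-{n}", now + self.refresh_ttl)

    def password_grant(self, username: str, password: str) -> TokenSet:
        # ROPC: the only path that carries the user's password to the IdP.
        self.ropc_calls += 1
        return self._issue()

    def refresh_grant(self, refresh_token: str) -> TokenSet:
        self.refresh_calls += 1
        return self._issue()


class HybridClient:
    """Hypothetical client that keeps its tokens across the application's idle timeout."""

    def __init__(self, idp: StubIdentityProvider, clock: Callable[[], float], skew: int = 5):
        self.idp = idp
        self.clock = clock
        self.skew = skew                    # seconds of clock tolerance (assumption)
        self.tokens: Optional[TokenSet] = None

    def _still_valid(self, expires_at: float) -> bool:
        return self.clock() + self.skew < expires_at

    def resume_after_idle_timeout(self, username: str, password: str) -> str:
        """Return which path was taken: 'reuse', 'refresh' or 'ropc'."""
        t = self.tokens
        if t is not None and self._still_valid(t.access_expires_at):
            return "reuse"                  # nothing to send to the IdP at all
        if t is not None and self._still_valid(t.refresh_expires_at):
            self.tokens = self.idp.refresh_grant(t.refresh_token)
            return "refresh"                # no credentials re-sent
        self.tokens = self.idp.password_grant(username, password)
        return "ropc"                       # both tokens gone: credentials are required


def run_scenario():
    """Constructed timeline: first login, then three idle timeouts at different ages."""
    clock = {"now": 1_000_000.0}
    now = lambda: clock["now"]
    idp = StubIdentityProvider(now)
    client = HybridClient(idp, now)
    outcomes = [client.resume_after_idle_timeout("alice", "pw")]   # no tokens yet -> ropc
    clock["now"] += 120                                            # access token still valid
    outcomes.append(client.resume_after_idle_timeout("alice", "pw"))
    clock["now"] += 600                                            # access expired, refresh valid
    outcomes.append(client.resume_after_idle_timeout("alice", "pw"))
    clock["now"] += 4000                                           # both expired
    outcomes.append(client.resume_after_idle_timeout("alice", "pw"))
    return outcomes, idp.ropc_calls, idp.refresh_calls


if __name__ == "__main__":
    print(run_scenario())
```

The pre-fix behaviour described in the entry corresponds to calling `password_grant` on every resume; with the check above the stub records only two password grants across four resumes, and the second of those happens only once the refresh token itself has expired.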
SR-C147 · Issue 343884
Security improvements for generateCellContent RUF
Resolved in Pega Version 7.4
Code changes have been made to improve security for getting the parameter value in the generateCellContent RUF.
SR-C1787 · Issue 346038
XSS filtering added for insHandle
Resolved in Pega Version 7.4
XSS filtering has been added for the inshandle parameter in the downloadFile activity.
SR-C1787 · Issue 320158
Exception message will not include invalid filename
Resolved in Pega Version 7.4
To enhance security, the exception message in the activity Rule-File-Binary.downloadFile will not display the invalid filename.
SR-B47858 · Issue 304348
Access Group Guardrail warning removed from password change
Resolved in Pega Version 7.4
Changing the password for the '[email protected]' operator generated the warning: 'The same Access Group should not be shared by Operators and Requestor Types. Access group PRPC:Agents was also referenced by Requestor Type DATA-ADMIN-REQUESTOR PRPC!BATCH'. The password change did take effect as expected. This guardrail warning was shown whenever the access group used by the [email protected] operator, i.e. PRPC:Agents, was specified in any Data-Admin-Requestor instance, and has been resolved by removing the unnecessary check.
SR-B96972 · Issue 343423
Specification rule save-as loads requirements
Resolved in Pega Version 7.4
When doing a 'Save As' of a Specification rule from a locked ruleset version to a higher, unlocked version of the ruleset, the linked Requirements were not shown in the Requirements section under the Details tab. Sometimes a refresh would show the requirements, but intermittently an exception was generated. This was traced to the system not auto-populating the requirements list on 'Save As' of the specification, and code has been added to PostActionSaveAs of the 'Rule-Application-UseCase' class to populate the Requirements link on 'Save As' of this rule.