INC-206049 · Issue 703468
Resolved activity registration error for Scan Barcode/QR Code
Resolved in Pega Version 8.6.4
Attempting to add the action 'Scan Barcode/QR Code' to a button generated the warning "Unauthorized request detected : Unregistered request encountered with params pyActivity:pzRunActionWrapper pySubAction:runAct pzActivity:pzScanCode". Investigation showed this was due to the pzScanCode activity referenced in the pzpega_control_actions_scanCode.js file not being registered. This has been resolved by adding code to register the necessary events for both button and navigation.
INC-210526 · Issue 705640
Mobile supports icons for file attachment
Resolved in Pega Version 8.6.4
Attaching a file to a case in a mobile browser generated a script error popup. This has been resolved with code to support using icons to attach files on mobile.
INC-211208 · Issue 709646
Added fallback handling for missing Google Maps marker value
Resolved in Pega Version 8.6.4
The Google Maps location position control was not showing the marker if the marker source was a Property. No issues were seen if a data page was used as the marker source. This was due to pega.util.Dom.getElementsByName(markerPropertyHandle) returning null. Since the property value was not found in the DOM, the latitude and longitude values were not resolved for the marker object. This has been resolved by relying on the markerPropertyValue as a fallback in case the property bound to the marker is not part of the DOM.
INC-214160 · Issue 709281
Access group context handling updated for Mobile
Resolved in Pega Version 8.6.4
After update, a new mobile application for a specific access group was not applying the correct access group for an operator with multiple access groups but instead used the default access group. This has been resolved by moving the logic responsible for switching access groups for Pega Mobile Client from the Authorization.getInitialAccessGroup class to the SessionAccessgroupInfo class to ensure Authorization/SessionAuthorization gets the information about the default access group for the current context.
INC-164432 · Issue 696294
Global obfuscation key initialized on first requestor call
Resolved in Pega Version 8.6.4
When using URLEncryption = true and SubmitObfuscatedURL = optional, attempting to export an Excel spreadsheet resulted in the error "Invalid character found in the request target". This was traced to the variable pega.d.globalobfuscateKey having a null value which was then converted to a byte array and decoded, generating improper characters in the URL. After a browser refresh, the correct value was set in pega.d.globalobfuscateKey and the export worked as expected. To resolve this, an update has been made to initialize the key on the very first call in PRRequestorImpl when the global obfuscation key is determined to be NULL, instead of initializing the global obfuscation key on an on-demand basis from HTTPAPI.
INC-182827 · Issue 691528
URL security updated
Resolved in Pega Version 8.6.4
Security has been updated for URL tampering defense and Rule Security Mode.
INC-209298 · Issue 704141
Added security tokens to Worklist assignment error wizard
Resolved in Pega Version 8.6.4
After enabling CSRF, moving to 'Configure -> Case Management -> Tools -> Work Admin -> Worklist assignment errors' and then selecting a record and clicking on 'Delete' resulted in a '403 Forbidden' error. This has been resolved by adding CSRF and fingerprint tokens as part of the form data.
INC-211426 · Issue 706061
UI and code changes to support Client Assertion in Open ID Connect
Resolved in Pega Version 8.6.4
To support private_key_jwt, an enhancement has been added which passes the “Client ID” and “Client assertion” (in the form of a signed JWT) as part of the authorization code grant flow for an IDP-initiated SSO. The Authorization Server then authenticates Pega (the client) by verifying the signature and payload of the assertion, retrieving the public key via Pega’s JWKS endpoint.
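The private_key_jwt exchange described above, as an added example that is not Pega's code: the client signs an assertion and sends it with the authorization code, and the authorization server verifies it against the client's JWKS using the claim checks from OpenID Connect Core and RFC 7523. The client id `pega-client`, the endpoint `https://idp.example/token`, the key id `k1`, the 5-minute lifetime and the function names are assumptions.

```javascript
const crypto = require('crypto');
const b64u = (s) => Buffer.from(s).toString('base64url');
const dec = (x) => JSON.parse(Buffer.from(x, 'base64url').toString());

// Client (Pega's role here): sign the assertion with its private key (RS256).
function makeClientAssertion(clientId, tokenEndpoint, privateKey, kid, now) {
  const header = { alg: 'RS256', typ: 'JWT', kid };
  const claims = { iss: clientId, sub: clientId, aud: tokenEndpoint,
    jti: crypto.randomUUID(), iat: now, exp: now + 300 };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), privateKey).toString('base64url')}`;
}

// Authorization server: authenticate the client against its published JWKS.
function verifyClientAssertion(jwt, jwks, clientId, tokenEndpoint, seenJti, now) {
  const [h, p, s, extra] = jwt.split('.');
  if (!h || !p || !s || extra !== undefined) return 'malformed';
  let header, claims;
  try { header = dec(h); claims = dec(p); } catch { return 'malformed'; }
  if (!header || !claims) return 'malformed';
  if (header.alg !== 'RS256') return 'bad alg'; // pin the algorithm, reject "none"
  const jwk = jwks.keys.find((k) => k.kty === 'RSA' && k.kid === header.kid);
  if (!jwk) return 'unknown kid';
  const pub = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  if (!crypto.verify('sha256', Buffer.from(`${h}.${p}`), pub, Buffer.from(s, 'base64url')))
    return 'bad signature';
  if (claims.iss !== clientId || claims.sub !== clientId) return 'bad iss/sub';
  if (claims.aud !== tokenEndpoint) return 'bad aud';
  if (typeof claims.exp !== 'number' || claims.exp <= now) return 'expired';
  if (typeof claims.jti !== 'string' || seenJti.has(claims.jti)) return 'replayed';
  seenJti.add(claims.jti); // single use: a captured assertion cannot be replayed
  return 'ok';
}

// Constructed demo: throwaway key pair, made-up client id, code and endpoint.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'k1', use: 'sig' }] };
  const ep = 'https://idp.example/token', now = Math.floor(Date.now() / 1000);
  const assertion = makeClientAssertion('pega-client', ep, privateKey, 'k1', now);
  const form = new URLSearchParams({ grant_type: 'authorization_code', code: 'CONSTRUCTED-CODE',
    client_id: 'pega-client', client_assertion: assertion,
    client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer' });
  const seen = new Set();
  const first = verifyClientAssertion(form.get('client_assertion'), jwks, 'pega-client', ep, seen, now);
  const replay = verifyClientAssertion(assertion, jwks, 'pega-client', ep, seen, now);
  return { form: form.toString(), first, replay };
}
```

The verifier compares `aud` as a single string; a server that accepts an array-valued `aud` needs a membership check instead.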
INC-215343 · Issue 711141
Security updates
Resolved in Pega Version 8.6.4
Security updates have been made relating to rulesets using allow lists, checks for Java code injections, SAML-based SSO code, and supporting SFTP as part of the validation in the pxValidateURL rule.
INC-188469 · Issue 714844
Updated retainLock for DoClose activity
Resolved in Pega Version 8.6.5
After sending an external email notification from a case, attempting to use the "close" button resulted in an access denied error. This was traced to a missed use case for recent security improvements which resulted in not setting the required parameter retainLock for the DoClose activity, and has been resolved.