INC-147658 · Issue 604684
Handling added for Top and Primary page references in flow action
Resolved in Pega Version 8.5.2
Handling added for Top and Primary page references in flow actionAfter upgrade, if a flow action had a class of the section which was different from the class of the flow action, the DXAPI code retrieved the section as the same class of the flow action and not the class defined in the flow action. In flow action, the section was configured be rendered in the context of page reference as Top, however, this was not handled so the section was resolved in the context of primary page. This has been resolved by adding the missing handling for Top and Primary page references in flow action.
INC-148817 · Issue 604969
Added check for ABAC policy to getassignmentdetailsinternal
Resolved in Pega Version 8.5.2
When an attribute based access control (ABAC) policy was defined on a particular class, the policy was properly applied when browsing instances of the class and directly opening the work object. However when an associated assignment was processed via the DXAPI (using the assignments service) the security was not applied and users who should not have access were able to progress the case. This has been resolved by adding a check in the pzgetassignmentdetailsinternal activity to check for work object opening security.
INC-149823 · Issue 608352
DX API returns properly referenced icon class for embedded page
Resolved in Pega Version 8.5.2
When using the DX API to build an Angular JS UI, the response returned from the GET /cases/{ID}/actions/{actionID} api did not return the iconStyle for an icon class that uses a property reference when the flow is on an embedded page. This has been resolved by adding code to set the correct context for pzAPICreateJsonForModes and pzAPICreateJsonForField Rule-Utility-Function.
INC-130703 · Issue 597255
Operator provisioning on authentication service corrected
Resolved in Pega Version 8.5.2
When operator provisioning was triggered on user login via authentication service, the error "ModelOperatorName is not valid. Reason: declare page parameters not supported by PropertyReference" was generated. This was traced to optimization work that had been done on the expression evaluation for operator identification, and has been resolved by adding the required GRS Syntax support in the Operator Provisioning section in SAML and OIDC.
INC-132191 · Issue 582550
Option added to return to same authenticationService after SAML logoff
Resolved in Pega Version 8.5.2
An enhancement has been added which provides a check box on the Authentication Service ruleform to select the option of redirecting users back to their original authentication service screen after logoff.
INC-133518 · Issue 592227
Context updated for IACAuthentication activity trace
Resolved in Pega Version 8.5.2
After upgrade, tracing the IACAuthentication activity was not working. Investigation showed that the context object had a null tracer value, which has been resolved by updating the system so the tracer runs with the correct context.
INC-134808 · Issue 590711
Property check handling updated for Ajax requestor
Resolved in Pega Version 8.5.2
SECU0001 alerts were seen when submitting a case in the interaction portal. Logging indicated the errors were related to the 'pxRequestor.pyLatitude' and 'pxRequestor.pyLongitude' properties which are included in an Ajax request when they exist in the DOM and the 'pyGeolocationTrackingIsEnabled' when rule is true. The error was traced to a condition where a new thread request results in an unexpected property check that encounters a clipboard which doesn't have any pages created for that thread. To resolve this, the 'pxRequestor.pyLatitude' and 'pxRequestor.pyLongitude' properties have been added to an allow list to handle the unexpected properties check.
INC-137873 · Issue 596159
Java injection security updated
Resolved in Pega Version 8.5.2
Protections have been updated against a Java injection.
INC-140101 · Issue 597637
System will attempt to decrypt data ending in "+"
Resolved in Pega Version 8.5.2
Encrypting and decrypting one specific email address was not working properly when showing on the UI. It was possible to force a decryption using decryptproperty, but Pega generated an error. This was due to the actual encrypted value ending with '+', which conflicted with a system check that skips decryption if the encrypted property value ends with + . To resolve this, the system will attempt to decrypt the property even when encryptedText ends with + .
INC-140111 · Issue 594375
CSRF token handling added to Bulk Processing
Resolved in Pega Version 8.5.2
On click of submit button from the bulk transfer screen, the pzbulkprocess harness was loaded and the portal was automatically logged off. Investigation showed that when CSRF was enabled, loading pzBulkProcess failed with a 403 error that resulted in logging off the current session due to a missing fingerprint token. This has been resolved by adding both CSRF token and fingerprint generation logic to pzBulkProcessingList.