INC-173068 · Issue 654064
HTML tags escaped in Audit History field values
Resolved in Pega Version 8.4.6
The case narrative section was showing case statuses with encoded special characters such as % or ( ), resulting in entries such as "Status changed to Complete &# 40;approved& #41; !@#$ %^& amp;*&# 40;&# 41;_&# 43;.". This has been resolved by updating the PyMemo field from type Text Input to DisplayAsLiteral for case narrative, which matches the setting for case history.
INC-175882 · Issue 658642
Updated bulk action audit history logic and security
Resolved in Pega Version 8.4.6
After update, using the standard bulk action feature did not record an audit history entry for the SLA action on a case. This was traced to changes made around authorization for opening worklists when using pzBulkProcessItem that limited the audit history to reassign, transfer or transfer assignment, and has been resolved by updating the login the Work-pzBulkProcessItem activity. In addition, the Require authentication to run checkbox has been enabled on the Security tab of the activity, and the Allow invocation from browser checkbox has been disabled.
INC-177183 · Issue 660537
Refresh assignment checks updated
Resolved in Pega Version 8.4.6
Additional privilege checks have been added to refresh assignment.
INC-178650 · Issue 673550
Cross-site scripting protections updated
Resolved in Pega Version 8.4.6
Cross-site scripting protections have been updated around the DisplayAttachment function.
INC-183947 · Issue 673735
Query split added to handle Oracle expressions limit
Resolved in Pega Version 8.4.6
The PXCHECKFLOWDEPENDENCIES activity was throwing the Oracle error message "ORA-01795: maximum number of expressions in a list is 1000" when a case had a very large number of sub-cases, causing a failure in trying to submit additional child cases which sent them into the broken process. This has been resolved by updating the pxCheckFlowDependencies rule to break down the query parameter into batches of 999 so they can be handled by Oracle.
INC-184271 · Issue 668414
Portal Header persists appropriately
Resolved in Pega Version 8.4.6
The Portal header was disappearing immediately after case attachments were opened from the right sidebar and did not reappear even after refresh. This was traced to the absence of pd(event), and has been resolved by adding pd(event) to the onclick attribute in the anchor tag in the attachment UIKit rules.
INC-175706 · Issue 659527
SSLContext created using protocol from REST connector rule form
Resolved in Pega Version 8.4.6
After upgrading to IBM websphere v9.0.5.6 or higher, API calls Like REST, Connect-HTTP etc were failing to connect to endpoints using TLSv1.2. Investigation showed that although the connector was configured to send TLSv1.2, the ClientHello handshake was triggered for TLSv1.3. Because the SSLContext was created with highest version supported by protocol in the WAS container, this has been resolved by modifying the code to create SSLContext based on the the protocol selected in the REST connector rule form. Additionally, please note that the Connect-HTTP connector has been deprecated and the Connect-REST capabilities in the platform should be used instead.
INC-179360 · Issue 662178
Check added for allowed editing with CSRF
Resolved in Pega Version 8.4.6
After enabling CSRF, it was not possible to edit a data table used to define ACL rules due to security preventing the adding/editing of rows and user group entitlements. This has been resolved by using browser FingerPrint validation to check whether an activity is in a secured list and skipping validation for allowed activities.
INC-180275 · Issue 666457
Collaboration control hidden if data type is delegated
Resolved in Pega Version 8.4.6
When collaborating using a customized CaseManager portal with some delegated data types, the admin user refreshing the Data Type view changed the collaborator's view from the portal to show the Data Type tabs, allowing the second person to open rules (properties, Data Pages, etc) and see the configuration even though they could not make any changes. This has been resolved by updating pzDataTypeDelegated to display the collaboration control only if pzDelegation is false.
INC-180594 · Issue 670956
Filtering added for DisableDormantOperators
Resolved in Pega Version 8.4.6
When running the Disable Dormant Operators agent, many operators were seen which were dormant but not disabled. Investigation showed the activity was fetching all of the operators without filtering the deactivation state. This has been resolved by adding a filter condition in pzDisableDormantOperators to fetch only deactivate state users.