INC-149728 · Issue 608107
Application wizard security updated
Resolved in Pega Version 8.4.4
A user having PegaRULES:User1 role only was able to run the Create Application wizard until an authorization block was reached, yet some rules were created. No operator records were created as part of this process. This was traced to code left in place after the creation of pxAppConfig and pzAppConfig portals, and has been resolved. The New Application wizard UI will display a message to a user when they lack access to build a new application, and an error will be displayed for any attempt to create a new application directly via pzCreateNewApplication to address a scenario where a user might be trying to call the activity without the front end.
INC-150039 · Issue 608044
Adjusted validation of literal value of a parameter
Resolved in Pega Version 8.4.4
When mapping a parameterized when rule to the proposition filter, parameters passed from the proposition filter page were not getting flown to the when rule. This was caused by special character validation for a literal value of a parameter which necessitated putting the parameter value within quotes and which resulted in a parameter value mismatch at run time. To support this use, this validation has been disabled as parameter values would not get included within quotes. This change does not have any impact on when rule or proposition filter rules java generation.
INC-150845 · Issue 606354
OpenRule logic updated for GetRuleInfo
Resolved in Pega Version 8.4.4
The exception "InsufficientPrivileges:RuleExecutionDenied RULE-OBJ-ACTIVITY @BASECLASS PZGETRULEINFO" was thrown for some access groups when attempting to view a section from the end-user perspective on the Opportunity screen. Investigation showed this happened when a section had a table in which "Optimize code" was unchecked. If "Optimize code" was checked, then the exception was not thrown. This was traced to recent security changes in pzGetRuleInfo which affected the BAC registration process, and has been resolved by updating the way the openRule action registration logic invokes the activity.
INC-151669 · Issue 618042
Formulas corrected for GenerateExcelFile
Resolved in Pega Version 8.4.4
After upgrade, using pxGenerateExcelFile to generate an Excel file resulted in some formulas and values not displaying. This scenario used an Excel template with two tabs - one showing direct page values and the second displaying the calculated values of first sheet. In the exported file, the formula was not getting evaluated unless and until the cell was activated with the enter key. This is a known limitation, and a temporary solution has been made here to add parameters that force the formula evaluations on the saved Excel document when editing is turned on. A more complete solution will be included in the next patch release.
INC-137874 · Issue 599131
Cross-site scripting update for Dev Studio
Resolved in Pega Version 8.4.4
Cross Site Scripting (XSS) protections have been added to Developer Studio.
INC-140224 · Issue 604006
Corrected SAML SSO error
Resolved in Pega Version 8.4.4
After opening a case from the Pega-FCM portal or after logging in from SSO, closing the Pega window and opening it again resulted in the error "Unable to process the SAML WebSSO request : Violation of PRIMARY KEY constraint %27pr_data_saml_requestor_PK%27. Cannot insert duplicate key in object". This was a missed use case that happens only under the old SAML configuration, and has been resolved by removing a when condition that checks for stepstatus fail for the pySAMLwebSSOAuthentication activity.
INC-141595 · Issue 602715
CSRF and Browser fingerprint tokens added for testing custom scripts
Resolved in Pega Version 8.4.4
After upgrade, the test window appeared blank when attempting to test Decision Table rules. This was traced to there not being CSRF token and Browser fingerprint handling in the custom script used to show a prompt screen to the user. Because the CSRF token validation was missing, the request failed. To resolve this, CSRF and Browser fingerprint tokens have been added as hidden fields.
INC-141940 · Issue 601543
Revoke Access Token check removed from OAuth Client Registration
Resolved in Pega Version 8.4.4
When client credentials were implemented, the OAuth 2.0 Client Registration form was designed such that once the instance was created and a token issued, the access tokens were deleted on save. Process changes now indicate that it should be possible to save the form because it may only have History Description/Usage changes made to it and Revoke Token and Regenerate Secret buttons are already available. To address this, the Revoke Access Token check has been removed from the validate activity of Client Registration.
INC-144591 · Issue 601611
Oauth and beanutils jars upgraded
Resolved in Pega Version 8.4.4
The third party Oauth2 jars and commons-beanutils jar have been updated to the latest versions.
INC-144597 · Issue 598307
Updated handling for MT query of pr_data_admin table
Resolved in Pega Version 8.4.4
When using a multi-tenant environment with Oracle, as the number of users in the environment increased, the number of queries of the pr_data_admin table "WHERE pyEnableAuthService" increased exponentially and causes system slowness. This was traced to missed handling for the @ character in the authentication service cache while requesting, and has been resolved by updating authservicecache.java.