SR-A16899 · Issue 233288
ID Security enhanced for PostToSocialStream
Resolved in Pega Version 7.2.1
It was possible to change the actor name with a runactionwrapper call to pzPostToSocialStream. This was a potential security issue where the parameter could be altered to post a message on another user's behalf. Since the actor is always the current operator, the parameter is not needed and a validation has been added in its place to check if the actor is indeed the current user. If this is true the message will be posted, and otherwise the activity will exit.
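The check described in this note, sketched as an added example in Python (this is not Pega code; `Session`, `Stream`, `post_unsafe` and `post_checked` are hypothetical names and the requests are constructed). It contrasts a handler that trusts a request-supplied actor with one that posts only when the actor matches the authenticated operator.

```python
# Added illustration, not Pega code. All names here are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session holding the operator ID set at authentication."""
    operator_id: str


@dataclass
class Stream:
    posts: list = field(default_factory=list)


def post_unsafe(stream, session, params):
    """Pre-fix behaviour: the actor is taken from the request parameters."""
    actor = params.get("actor", session.operator_id)
    stream.posts.append((actor, params["message"]))
    return True


def post_checked(stream, session, params):
    """Post-fix behaviour as the note describes it: post only when the
    supplied actor is the current operator, otherwise exit without posting."""
    actor = params.get("actor", session.operator_id)
    if actor != session.operator_id:
        return False  # exit; nothing is written to the stream
    # Attribute the post to the session identity, never to the parameter.
    stream.posts.append((session.operator_id, params["message"]))
    return True


def demo():
    """Constructed requests: operator 'alice' submits actor='bob', then 'alice'."""
    session = Session(operator_id="alice")
    tampered = {"actor": "bob", "message": "hello"}
    honest = {"actor": "alice", "message": "hello"}
    before, after = Stream(), Stream()
    post_unsafe(before, session, tampered)
    rejected = post_checked(after, session, tampered)
    accepted = post_checked(after, session, honest)
    return before.posts, after.posts, rejected, accepted


if __name__ == "__main__":
    print(demo())
```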
SR-A16904 · Issue 234334
Wrapper added to expression builder for the jump transition on a step
Resolved in Pega Version 7.2.1
While using expression builder, selecting the option for "Enable conditions after this action" in an activity and submitting the expression did not show the expected result in the When input box. Attempting to use the expression builder again and submitting it then resulted in the screen freezing and requiring a refresh. To resolve this, a "pyStepsTransSection" wrapper section has been added for the "pyStepsTransParamsWhen" when condition.
SR-A16942 · Issue 239819
IAC updated to parse all gateway header paths
Resolved in Pega Version 7.2.1
While parsing the PegaRUles-SetGateWayContextURI, a problem was found with the system only considering the last two parts of a base URL that contained multiple context/servlet paths. The system has been updated to parse all paths in the gateway header while constructing the servlet name.
SR-A17065 · Issue 233138
Support added for custom XSS headers
Resolved in Pega Version 7.2.1
After upgrade, problems were found with setting XSS headers. To resolve this, the new Dynamic System Setting "http/responseHeaders" has been added to support custom HttpResponseHeaders.
SR-A17175 · Issue 234726
Corrected results display for upgraded pysearchResultWork filters
Resolved in Pega Version 7.2.1
When applying the pysearchResultWork filter on the native work objects search bar, some results were not displayed as expected after upgrade. This was caused by an error in setting the property for ad hoc cases inside a child activity, and has been fixed.
SR-A17338 · Issue 233583
Upgrade error resolved for localized rulesets in custom access group
Resolved in Pega Version 7.2.1
Due to an error in the MostFrequentlyUsedMap code, upgrading was failing if a particular environment had Requestor Type records referencing a custom Access Group that had localized rulesets. This has been fixed.
SR-A17399 · Issue 233769
Cleared authentication requirement check box for PZINVOKECASETYPE
Resolved in Pega Version 7.2.1
SOAP clients were not able to execute authenticated activities (DATA-PARTY-PERSON VALIDATE, WORK-COVER- PZINVOKECASETYPE) due to the out-of-the-box final activity pzInvokeCaseType having 'Require authentication to run' checked by default. This default interfered with the ability to remove a covered case from a cover case, and has been changed.
SR-A17425 · Issue 233173
Memory leak fixed in Field Value Conclusion Cache
Resolved in Pega Version 7.2.1
A memory leak was found with Field Value Conclusion caching not being correctly cleared of the dummy conclusion values for null objects. This has been resolved.
SR-A17560 · Issue 234697
Added dynamic check to HarnessPurpose parameter
Resolved in Pega Version 7.2.1
If a main flow referenced a subflow with a parameter "HarnessPurpose" and value "Perform", accessing the subflow generated the error "Failed to find instance XXX-Work-Test.Param.HarnessPurpose of type Rule-HTML-Harness." This was an issue where the HarnessPurpose parameter caused a reset of the pxFormName property in the newassignPage, and this has been fixed by checking if the HarnessPurpose is dynamic before setting the pxFormName.
SR-A17670 · Issue 236156
New display control for attachment category delete privilege
Resolved in Pega Version 7.2.1
If an attachment category delete privilege was set to 'never' but there was no access group referenced for it, it was possible for the user to delete the attachment. This was a scenario where even though the delete-all option was enabled for the attachment category, the display of the delete icon was not controlled by this access specifier. A new when condition "HaveAttachmentDeletePrivileges" has now been added on the delete icon to control whether or not the icon appears.