End users can change the task type (sys_class_name) for task records

Kenny_vl
Tera Contributor

We can't pinpoint when this started happening but suddenly we found a record with numbering prefix SCTASK in our Enhancements table.

When checking with the end-user who did this change (an itil user), it appears he was able to change the task type using list edig.
I checked and when I add the column task type to the task table, I'm able to change the value for any record. I requested a pristine development instance and notice the same behaviour there. 

Surely this should not be the case, right ? Changing sys_class_name for any record is always a bad idea. Can anyone confirm this? 

image.png

 

2 REPLIES 2

Slava Savitsky
Giga Sage

There are use cases where it may be necessary to change the task type (sys_class_name), but for sure it should not be available for bulk update via list editing. Consider creating a list_edit ACL to prevent this from happening. You can use "asset_task.sys_class_name" base system ACL as an example.

Sure, I could do that. But I'm sure this is a bug and all I needed was the confirmation from other people they are experiencing the same.