End users can change the task type (sys_class_name) for task records

Kenny_vl
Tera Contributor

‎06-20-2024 03:11 AM

We can't pinpoint when this started happening but suddenly we found a record with numbering prefix SCTASK in our Enhancements table.

When checking with the end-user who did this change (an itil user), it appears he was able to change the task type using list edig.
I checked and when I add the column task type to the task table, I'm able to change the value for any record. I requested a pristine development instance and notice the same behaviour there. 

Surely this should not be the case, right ? Changing sys_class_name for any record is always a bad idea. Can anyone confirm this? 

image.png

 

0 Helpfuls
  • 535 Views
2 REPLIES 2

Slava Savitsky
Giga Sage

‎06-20-2024 03:31 AM

There are use cases where it may be necessary to change the task type (sys_class_name), but for sure it should not be available for bulk update via list editing. Consider creating a list_edit ACL to prevent this from happening. You can use "asset_task.sys_class_name" base system ACL as an example.


Blog: https://sys.properties | Telegram: https://t.me/sys_properties | LinkedIn: https://www.linkedin.com/in/slava-savitsky/
0 Helpfuls

Kenny_vl
Tera Contributor
In response to Slava Savitsky

‎06-20-2024 03:34 AM

Sure, I could do that. But I'm sure this is a bug and all I needed was the confirmation from other people they are experiencing the same. 

0 Helpfuls