Hello Pega enthusiasts,
I’ve stumbled upon an issue while using the “NewCovered” Harness (Work- class) in order to create a child case. Once the “Create” button is clicked, it results in a 403 Forbidden HTTP response from my Tomcat app server. I did some digging and I believe it might be caused by some OOTB script triggered by the button using the window.location DOM object, which should probably be overridden by calling the openWorkByURL(url, event) JS method instead.
The button is supposed to call the “AddCovered” activity from what I can see in the harness definition, but the run-time config does not reach it. Instead, in DevTools I can see a URL being called and returning the aforementioned HTTP response:
<>/cVjFeUmk728xqo0ffb_-v2h-YVkZiL3dQNSVYhykdWM*/!TABTHREAD4?pyActivity=pzRunActionWrapper&pzFromFrame=pyWorkPage&pzPrimaryPageName=pyWorkPage&pzTransactionId=46faecd24ea64f89775057b5cf8e82f9&pzHarnessID=HIDDBA34D67698CCB6F06AB80C3788B7B40&pzActivity=AddCovered&skipReturnResponse=true&pySubAction=runAct
This URL has got to be somehow generated and I think it must be the root cause here.
Is anyone able to give me a hint where this URL could be generated?
Many thanks for your help in advance,
Robert
@RobertW6776 I imagine that you are already familiar with “Verifying requests when using custom controls”.
Can you clarify which Pega version you are on?
I found a BUG which was supposedly fixed as of 8.6: BAC issue in cosmos while launching child cases (BUG-632253)
The BAC issue occurred when the newcover activity is supported from the theme cosmos and called from addCaseWorkFromActionMenu - it was not registered for BAC. In the later version this BAC issue was fixed by registering the new activity NewCovered in pycaseactionparams.
If you have no further luck here on the forum, I suggest that you log a support incident for this.
@MarijeSchillern Hi, thanks for the response. Truth be told, the application I’m contracted to work on is a legacy one, not even built on UI-Kit, not to mention a Theme Cosmos application. I assume you understand Broken Access Control under “BAC”, and indeed it looked like the 403 response was caused by Pega blocking unregistered requests and thus throwing the “Unregistered request encountered” security alert log message as per the resource highlighted by you.
At the end of the day I’ve managed to register requests generated by the deprecated button control by overriding the NewCovered harness and calling one of the JS functions under pega.ui.HarnessActions (I think it was addFlowFromActionsMenu) directly with a “Run script” action from a button.
@RobertW6776 it sounds like you managed to fix the issue?
Are you happy to click ‘Accept Solution’ to indicate your workaround has resolved your issue?