Currently the java stack doesn't test whether a user has access to view an erratum before looking it up. The result is that a user could type in the eid in the url for the Errata Details page and view an erratum that he or she does not have access to view.
Ken, this will need a testplan.
Test Plan: First, find an id for an erratum some user cannot view. An erratum is viewable by anyone in an org that has permissions to a channel in which that erratum is. Log in as the user that cannot view the selected erratum. Go to Errata->Click an Erratum->Modify the url so that the eid parameter is the selected, non-viewable erratum. This can be done on every java page that shows details about errata. Expected Results: A Lookup error page. Failure Results: Errata Details
will QA this.
works fine, tested each of the errata java pages. prod_ready.