Possibility to create a record in 'sys_ui_list' table with empty user field by non-admin user by users who do not have 'personalize_list' role



There is no list record available in "sys_ui_list" for a table, let's say "alm_asset" for "Default view".

And then some non-admin user try to access asset table list view, In such a case, a new list record will get created in "sys_ui_list" table with that user name.


Steps to reproduce:

  1. Go to the 'sys_ui_list.list' as an administrator.
    2. Locate any GLOBAL list view (with view = 'Default view', user is empty) and delete it. (for ex- alm_asset)
    3. Impersonate an ITIL user and type 'alm_asset.list' in filter navigator to access it.
    4. Go back to an admin account.
    5. Go to 'sys_ui_list.list' again.
    6. Note the GLOBAL Default View (field 'User' with value 'empty') created by the previous non-admin user.



If a list does not exist, then the first user to attempt to access that list will auto-generate a new list. It will be the first ten columns of the table, sorted alphabetically.

If there wasn't a list view, they'd have nowhere to go. The 'created_by' here is really irrelevant, it could be anyone. Whoever gets to the list first will have that honor, but it was the system that made it. Not them.

Please note that this is an expected behavior.