CMPPAY-L Archives

UC Payroll Release Distribution Notes

CMPPAY-L@LISTSERV.UCOP.EDU

From: Christopher Scott
Reply To: UC Payroll Release Distribution Notes
Date: Mon, 27 Jun 2011 08:19:43 -0700

I promise only to send this one one time (really!).

This release addresses the following Service Request and Error Report:

Service Request 83181
Asks that view-only access be provided for the Web Merit application. Users with the new view-only access should be able to view anything within the Merit Review/Input selection on the Merit Menu but should not be able to modify or save any data, regardless of cycle status. They should have the ability to navigate within the Merit Review/Input portion of the application and view information on pop-up windows (e.g. cycle information, title information, employee information).
Specifically, the SR asks for two types of view-only access:
• View-only access that is restricted to particular departments
• Universal view-only access

Error Report 2363
UCLA has reported that the Web Merit application has the following security vulnerabilities:
1. The application does not adequately scrub user-submitted data, which can potentially allow for cross-site scripting and cross-site request forgery.
2. The application is susceptible to cross-site request forgery (CSRF).
3. In terms of application error diagnostics, when the application encounters an error, it allows the user to see the stack trace; it should give the user a reference that the support team can use to find the stack trace in the application log. This is a minor threat but it is good practice to avoid revealing internal application details to end users.

Release documents are at http://www.ucop.edu/payroll/REL2011/R1974

Please approve as soon as possible.

Thanks!
Christopher Scott
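The two view-only access types requested in Service Request 83181 amount to an authorization rule: read actions are allowed either everywhere (universal view-only) or only within listed departments (department-restricted view-only), and write actions are refused to both regardless of cycle status. The following is an added illustration, not code from the UC Web Merit application; the names Role, MeritUser, can(), the action strings and the assumption that editors are also scoped to their departments and can only write while a cycle is open are all constructed for this example.

```python
"""Added example (not UCOP's Web Merit code): a minimal authorization model
for the two view-only access types described in SR 83181. The role names,
action strings and editor rules below are assumptions for illustration."""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    EDITOR = "editor"                  # assumed existing read/write access
    VIEW_ONLY_DEPT = "view_only_dept"  # view-only, limited to listed departments
    VIEW_ONLY_ALL = "view_only_all"    # universal view-only


@dataclass(frozen=True)
class MeritUser:
    name: str
    role: Role
    departments: frozenset = field(default_factory=frozenset)


# Read actions cover the Merit Review/Input screens and their pop-up windows.
READ_ACTIONS = {"view_record", "view_cycle_info", "view_title_info",
                "view_employee_info"}
WRITE_ACTIONS = {"modify", "save"}


def can(user: MeritUser, action: str, department: str, cycle_open: bool) -> bool:
    """Return True if `user` may perform `action` on a record in `department`.

    View-only roles never receive a write action, whatever the cycle status;
    that check comes first so no later branch can accidentally grant it.
    """
    if action in WRITE_ACTIONS:
        # Assumed editor rule: write only to own departments while the cycle is open.
        return (user.role is Role.EDITOR and cycle_open
                and department in user.departments)
    if action not in READ_ACTIONS:
        return False  # deny anything not explicitly modelled
    if user.role is Role.VIEW_ONLY_ALL:
        return True  # universal view-only: every department, read only
    # Editors and department-restricted viewers read only within their departments.
    return department in user.departments
```

Deny-by-default matters here: an unknown action string returns False rather than falling through to a read branch, and the write check is evaluated before any role-specific logic so a future role addition cannot widen it by mistake.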
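Error Report 2363 lists three findings with three standard server-side fixes: output-encode user-submitted data before it is placed in a page, require a per-session synchronizer token on every state-changing request, and log stack traces under a reference id that is the only thing the user sees. The block below is an added example written in plain Python with no web framework so it runs offline; it is not the Web Merit code or UCOP's fix, and the function names, the session and form dictionaries and the sample request flow are constructed for illustration.

```python
"""Added example (not UCOP's Web Merit code): server-side mitigations for the
three items in Error Report 2363. Function names, the session/form dict layout
and the sample handler flow are assumptions made for this illustration."""
import hmac
import html
import logging
import secrets
import traceback
import uuid
from typing import Optional

log = logging.getLogger("webmerit")


# 1. Output-encode user-submitted data before it is written into HTML.
def render_employee_name(raw_name: str) -> str:
    # html.escape turns < > & " ' into entities, so submitted markup is
    # displayed as text rather than interpreted by the browser.
    return f"<td>{html.escape(raw_name, quote=True)}</td>"


# 2. Synchronizer-token CSRF defence: a random per-session token is embedded
#    in each state-changing form and must be echoed back on submission.
def issue_csrf_token(session: dict) -> str:
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session: dict, submitted: Optional[str]) -> bool:
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    # Constant-time comparison so the check does not leak the token via timing.
    return hmac.compare_digest(expected, submitted)


# 3. Keep the stack trace in the application log, keyed by a reference id,
#    and return only that id to the user.
def handle_request_error(exc: Exception) -> dict:
    ref = uuid.uuid4().hex[:12]
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("ref=%s\n%s", ref, trace)
    return {"status": 500, "body": f"An error occurred. Reference: {ref}"}


def save_merit_record(session: dict, form: dict) -> dict:
    """Handler for a state-changing POST (constructed example flow)."""
    if not csrf_token_valid(session, form.get("csrf_token")):
        return {"status": 403,
                "body": "Request rejected: missing or invalid CSRF token"}
    try:
        if not form.get("employee_id"):
            raise ValueError("employee_id is required")  # constructed failure
        return {"status": 200,
                "body": f"Saved {html.escape(form['employee_id'])}"}
    except Exception as exc:  # the trace never reaches the browser
        return handle_request_error(exc)
```

The CSRF check runs before any business logic so a forged cross-site POST is rejected without side effects, and the error path returns the reference id alone; the support team searches the log for `ref=<id>` to recover the full trace.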
