cecilia-donnelly opened this issue 6 years ago (status: Open)
Some more details from PR #716: "Currently the search results pages are the same pages/JSP templates for both service admin and provider roles. We should create a separate template and page for the provider search results. Then we can have separate user help links/modals for the action column for each role." This will also allow us to address this issue (#498).
Additionally, when logged in as a provider, in the results on the 'advanced search' or 'quick search' pages there are "COS" links that lead to "Access is Denied" pages. There's no need to present these "COS" links to providers.
If a provider searches for their submitted enrollment (e.g., one with a "Pending" status) in simple or advanced search, it will show up in results. The results include an "Action" column, like the Dashboard, and one of the possible actions is "Edit." This allows providers to edit a submitted enrollment. We have been clear that providers are not able to edit a submitted enrollment, and @chj124's comments have confirmed that.
This looks like a security hole to me -- thanks for catching it, @jcunard! See the list for screenshots.
(Security problems will be handled in accordance with #92 once the PSM is in production use.)
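The core defect described above is that the Action column is computed from a template shared by both roles, so a provider sees (and can follow) an "Edit" link on an already-submitted enrollment. As an added example, not code from the PSM project, the sketch below centralises the role-and-status decision in one policy method that both the results template and the edit handler would call, so that hiding a link is never the only control. `Role`, `EnrollmentStatus`, `Action`, the `DRAFT` state and `requireAction` are hypothetical names chosen for illustration.

```java
// Added example; names here are hypothetical, not the PSM code base's own.
import java.util.EnumSet;
import java.util.Set;

public class EnrollmentActionPolicy {
    public enum Role { SERVICE_ADMIN, PROVIDER }
    // DRAFT = not yet submitted; the others are post-submission states (assumed).
    public enum EnrollmentStatus { DRAFT, PENDING, APPROVED, REJECTED }
    public enum Action { VIEW, EDIT, COS }

    /**
     * Single source of truth for the Action column. The JSP that renders the
     * column and the servlet that serves the edit request must both call this.
     */
    public static Set<Action> allowedActions(Role role, EnrollmentStatus status) {
        EnumSet<Action> actions = EnumSet.of(Action.VIEW);
        if (role == Role.SERVICE_ADMIN) {
            // COS is a service-admin function; providers never get the link.
            actions.add(Action.COS);
            actions.add(Action.EDIT); // assumed: admins may edit any record
        } else if (role == Role.PROVIDER && status == EnrollmentStatus.DRAFT) {
            // A provider may edit only an enrollment that has not been submitted.
            actions.add(Action.EDIT);
        }
        return actions;
    }

    /** Server-side check performed by the edit handler, whatever the page showed. */
    public static void requireAction(Role role, EnrollmentStatus status, Action action) {
        if (!allowedActions(role, status).contains(action)) {
            throw new SecurityException(action + " not permitted for " + role
                    + " on a " + status + " enrollment");
        }
    }

    public static void main(String[] args) {
        // Constructed scenario from the issue: a provider finds their PENDING enrollment.
        Set<Action> shown = allowedActions(Role.PROVIDER, EnrollmentStatus.PENDING);
        System.out.println("Provider / PENDING action column: " + shown);

        // A forged or stale "Edit" request for that record is rejected server-side.
        try {
            requireAction(Role.PROVIDER, EnrollmentStatus.PENDING, Action.EDIT);
            System.out.println("BUG: edit was allowed");
        } catch (SecurityException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

The point of routing both the template and the handler through `allowedActions` is that a separate provider results page (as proposed in PR #716) fixes what is displayed, while the handler check fixes what is enforced; the issue needs both.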