Merative™ Social Program Management 220.127.116.11 iFix6
Merative™ Social Program Management is now Cúram™ by Merative™
Merative Social Program Management 18.104.22.168 iFix6 Release Notes
Welcome to the Merative Social Program Management 22.214.171.124 iFix6 release.
This is a cumulative release which incorporates the Improvements, Resolved Issues and Third Party Updates contained in all previous 126.96.36.199 iFix releases. Details of these Improvements, Resolved Issues and Third Party Updates are included separately in the release notes for each of the previous iFix releases. For the latest version of the release notes, see https://curam-spm-devops.github.io/wh-support-docs/spm/release-notes
Full product documentation can be found in the documentation
For information about the supported software and hardware for this release, see the Merative Social Program Management Prerequisites
See the download instructions for this release at https://www.merative.com/support/spm
Prior to running the installer, please ensure that all files in your Merative Social Program Management installation are writable.
The installation steps are as follows:
- Extract the contents of the zip file to a local drive location.
- Run the Merative Social Program Management installer, which can be found in the INSTALLER folder at that location.
- After installing, the appropriate build targets must be run as necessary for your installation.
Additional installation instructions can be found in the Development Environment Installation Guide.
If you are upgrading from a previous version, the Merative Social Program Management Upgrade Helper contains documentation and tooling to help you to upgrade your Merative Social Program Management application codebase and database to work with your new version of Merative Social Program Management. The Merative Social Program Management Upgrade Guide describes a recommended process for performing application and database upgrades. The Upgrade Helper contains tools to assist you with implementing the upgrade, including tooling to produce a schedule of required migrations for your upgrade, tooling to provide information about database schema changes and tooling to generate initial SQL scripts for applying changes to your database.
To download the appropriate version of the Merative Social Program Management Upgrade Helper, see the download instructions at https://www.merative.com/support/spm
PO09164, WorkItem:267659 - External user who is a member of only Provider 1 can access a few details for Provider 2 by intercepting the request and modifying the concernRoleID
In the Provider Management self service application, an external user who is a member of a provider should only have access to details related to the provider of which they are a member. However, if this same external user knows the concern role identifier of another provider, they can access some information and functions of that other provider by supplying its concern role identifier in the URLs of some of the pages contained within the self service external application. This should not be permitted.
User Interface Impact: No
Steps to Reproduce:
1. Log in to the application as a Caseworker user.
2. Register two people.
3. Log in to the application as an Administrator user.
4. Navigate to the Users section, then select New External User.
5. For Person 1 from above, enter the required details. In the Application field select ExternalProviderCustomHome as the application homepage, in the Role field select 'ExternalUserSecureRole', and enable the account.
6. Select the 'Link a Participant' action from the tab actions menu. In the External User's Relationship field select 'Is associated with'. Search for Person 1 and save.
7. Repeat steps 4-6 for Person 2.
8. Log in to the application as a 'Provider Management Resource Manager' user.
9. Enroll and approve two providers.
10. Navigate to the Provider Members page under the Relationships tab and add Person 1 from above as a provider member to Provider 1. In the Role field select 'Employee'.
11. Add Person 2 from above as a provider member to Provider 2.
12. Log in to the CPM External Application as the newly created External User 1 from Step 4. URL: https://<server_name>:<port_number>/CPMExternalS
13. Navigate to My Details -> Service Enquiries.
14. Right click somewhere on the page (below the heading) and select “View Frame Info”.
15. Observe the URL under “Address” and write down the concernRoleID number from the concernRoleID URL parameter. This should be the concernRoleID of Provider 1.
16. Log in to the CPM External Application as the newly created External User 2 from Step 4.
17. Navigate to My Details -> Service Enquiries.
18. Right click somewhere on the page (below the heading) and select “View Frame Info”.
19. Copy the URL listed under “Address” into a new browser window, but substitute the concernRoleID number with the concernRoleID from Provider 1.
20. Issue: The page is accessible, while it should give a user permissions error.
21. This is true for the following pages: Financials -> Transactions, Rosters, Facility -> Reservations, Facility -> Wait Lists.
External users can now only view the details for providers for which they are a provider member.
This issue occurred due to the lack of a user permissions check in some of the facades used to service these pages in the Provider Management self service application.
This issue has been resolved by adding a permissions check to the following facades:
A new facade, ExternalProviderFinancial.listFinancialTransactions, has been added which contains the permissions check and this is now called from the following pages:
- PME_listProviderGroupPaymentTransactions pages
Note that the page My Details -> Requests, and the actions "New Service Invoice Request", "Request Member Login Credentials", and "Change Password" do not show the error message. This is correct behavior: the facades behind these pages and actions do not take a concernRoleID as a parameter, so the data is always displayed for the logged in user and they are not affected by this issue. As a result, if Provider 1 is logged into the CPM self service application and an attempt is made to pass in the concernRoleID of Provider 2 for these specific pages and actions, the data specific to Provider 1 will still be displayed.
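The following sketch is an added illustration of the pattern described in this resolution, not Cúram code: a facade that trusts the concernRoleID from the request, the same facade with a membership check, and a facade that takes no concernRoleID and so is unaffected. All class, method and user names and the sample data are hypothetical and constructed for the example.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added illustration; every name here is hypothetical and none is a Cúram API.
public class ProviderFacadeCheck {

    // Constructed sample data: external user -> concernRoleIDs of providers they are a member of.
    static final Map<String, Set<Long>> MEMBERSHIPS = Map.of(
        "extuser1", Set.of(101L),
        "extuser2", Set.of(202L));

    // Constructed sample data: provider concernRoleID -> financial transactions.
    static final Map<Long, List<String>> TRANSACTIONS = Map.of(
        101L, List.of("PMT-1 120.00"),
        202L, List.of("PMT-2 75.50"));

    // "Before": the request-supplied concernRoleID is used without consulting the session user.
    static List<String> listTransactionsUnchecked(String sessionUser, long concernRoleID) {
        return TRANSACTIONS.getOrDefault(concernRoleID, List.of());
    }

    // "After": membership is verified server-side before any provider data is read.
    static List<String> listTransactionsChecked(String sessionUser, long concernRoleID) {
        Set<Long> allowed = MEMBERSHIPS.getOrDefault(sessionUser, Set.of());
        if (!allowed.contains(concernRoleID)) {
            throw new SecurityException("user is not a member of provider " + concernRoleID);
        }
        return TRANSACTIONS.getOrDefault(concernRoleID, List.of());
    }

    // Unaffected pattern: no concernRoleID parameter; the provider is derived from the session.
    static Set<Long> providersForLoggedInUser(String sessionUser) {
        return MEMBERSHIPS.getOrDefault(sessionUser, Set.of());
    }

    public static void main(String[] args) {
        // extuser2 (member of provider 202) supplies provider 101's identifier.
        System.out.println("unchecked: " + listTransactionsUnchecked("extuser2", 101L));
        try {
            listTransactionsChecked("extuser2", 101L);
        } catch (SecurityException e) {
            System.out.println("checked: denied (" + e.getMessage() + ")");
        }
        System.out.println("own provider: " + listTransactionsChecked("extuser2", 202L));
        System.out.println("session-derived: " + providersForLoggedInUser("extuser2"));
    }
}
```

When regression-testing custom pages after applying the iFix, the useful distinction is the one the sketch draws: any facade that accepts a provider identifier as a parameter needs the membership check, while one that resolves the provider from the logged in user does not.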
Before using this information and the product it supports, read the information in "Notices"