diff --git a/atst/domain/authz.py b/atst/domain/authz.py
index 5b476aad..9f4d4cf6 100644
--- a/atst/domain/authz.py
+++ b/atst/domain/authz.py
@@ -36,9 +36,13 @@ class Authorization(object):
     def is_ccpo(cls, user):
         return user.atat_role.name == "ccpo"
 
+    @classmethod
+    def is_ko(cls, user, task_order):
+        return task_order.contracting_officer == user
+
     @classmethod
     def check_task_order_permission(cls, user, task_order, permission, message):
-        if Authorization._check_is_task_order_officer(task_order, user):
+        if Authorization._check_is_task_order_officer(user, task_order):
             return True
 
         Authorization.check_portfolio_permission(
@@ -46,7 +50,7 @@ class Authorization(object):
         )
 
     @classmethod
-    def _check_is_task_order_officer(cls, task_order, user):
+    def _check_is_task_order_officer(cls, user, task_order):
         for officer in [
             "contracting_officer",
             "contracting_officer_representative",
diff --git a/atst/forms/ko_review.py b/atst/forms/ko_review.py
index 4f1a2c9d..4664b80d 100644
--- a/atst/forms/ko_review.py
+++ b/atst/forms/ko_review.py
@@ -36,11 +36,9 @@ class KOReviewForm(CacheableForm):
         translate("forms.ko_review.pdf_label"),
         description=translate("forms.ko_review.pdf_description"),
         validators=[
-            FileAllowed(
-                ["pdf", "png"], translate("forms.task_order.file_format_not_allowed")
-            )
+            FileAllowed(["pdf"], translate("forms.task_order.file_format_not_allowed"))
         ],
-        render_kw={"required": False, "accept": ".pdf,.png,application/pdf,image/png"},
+        render_kw={"required": False, "accept": ".pdf,application/pdf"},
     )
     number = StringField(
         translate("forms.ko_review.to_number"), validators=[Length(min=10), IsNumber()]
diff --git a/atst/routes/portfolios/task_orders.py b/atst/routes/portfolios/task_orders.py
index af5ac64a..a35445a2 100644
--- a/atst/routes/portfolios/task_orders.py
+++ b/atst/routes/portfolios/task_orders.py
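Review bot: The new `is_ko` classmethod has no docstring, and it overlaps with the first role that `_check_is_task_order_officer` checks ("contracting_officer") without saying whether the narrower scope is deliberate. The distinction matters because the route hunk in task_orders.py uses `is_ko` as the only gate for the KO review page: `is_ko` admits the contracting officer alone, while `_check_is_task_order_officer` also admits the representative. Add `"""Return True when *user* is the task order's contracting officer (KO). Deliberately narrower than _check_is_task_order_officer, which also accepts the COR."""`. The check also relies on `==` between two model objects; if the user model does not define `__eq__`, this is an identity comparison and depends on both sides being loaded in the same session, which is worth confirming.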
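Review bot: Swapping the positional order of `task_order` and `user` in `_check_is_task_order_officer` is silent for any caller this commit does not update, because both parameters take plain objects and a stale call in the old order would still import and run; depending on the loop body, which continues outside the hunk, it would either raise an AttributeError at request time or quietly compare the wrong objects. The only caller visible here is `check_task_order_permission` in the previous hunk, which is updated; if any other caller exists, making the parameters keyword-only, `def _check_is_task_order_officer(cls, *, user, task_order):`, turns a stale call into an immediate TypeError and removes the ambiguity for future callers.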
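Review bot: `FileAllowed(["pdf"], ...)` validates the uploaded filename's extension only, and the tightened `accept` value in `render_kw` is a browser hint the client is free to ignore, so this hunk narrows which filenames are accepted but does not establish that the upload is a PDF. If the file is stored and later served back to reviewers, a server-side content check (for example requiring the `%PDF-` leading bytes) and a fixed `Content-Type` plus `Content-Disposition: attachment` on download are where that assurance has to come from; that may already live in the upload or storage layer, which is not visible here. Either way, a one-line comment on the validator would stop the next reader from assuming more than it does, e.g. `# filename-extension check only; content is not inspected here`.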
@@ -7,6 +7,7 @@ from . import portfolios_bp
 from atst.database import db
 from atst.domain.task_orders import TaskOrders
 from atst.domain.portfolios import Portfolios
+from atst.domain.authz import Authorization
 from atst.forms.officers import EditTaskOrderOfficersForm
 from atst.models.task_order import Status as TaskOrderStatus
 from atst.forms.ko_review import KOReviewForm
@@ -74,19 +75,16 @@ def view_task_order(portfolio_id, task_order_id):
 def ko_review(portfolio_id, task_order_id):
     task_order = TaskOrders.get(g.current_user, task_order_id)
     portfolio = Portfolios.get(g.current_user, portfolio_id)
-    if task_order.contracting_officer == g.current_user:
+    if not Authorization.is_ko(g.current_user, task_order):
+        message = "review Task Order {}".format(task_order.id)
+        raise UnauthorizedError(g.current_user, message)
+    else:
         return render_template(
             "/portfolios/task_orders/review.html",
             portfolio=portfolio,
             task_order=task_order,
             form=KOReviewForm(obj=task_order),
         )
-    else:
-        return render_template(
-            "portfolios/task_orders/show.html",
-            portfolio=portfolio,
-            task_order=task_order,
-        )
 
 
 @portfolios_bp.route(
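Review bot: The `else:` after `raise UnauthorizedError(g.current_user, message)` is redundant; since the unauthorized branch raises, the `return render_template(...)` call can be dedented to function level as a plain guard clause, which shortens the function and makes the authorization check the obvious first thing a reader sees. The hunk does not show where `UnauthorizedError` is imported in this module; the import hunk above only covers the `atst.*` imports at lines 7–13, so confirm it is already in scope at the top of the file rather than relying on the tests to catch a NameError that would only surface on the unauthorized path. Failing closed with an error here instead of falling through to the show template is the right shape, so the remaining points are style and completeness.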