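<?php
//----------THINGS WE ALWAYS DO
require_once("{$GLOBALS['srcdir']}/log.inc");
require_once("{$GLOBALS['srcdir']}/sql.inc");

// Request-time authentication gate, executed every time this file is included.
//
//  * ?auth=login with authUser/authPass/authProvider posted: open a new
//    session; on failure the attempt is logged and the user is sent to the
//    login screen (authLoginScreen() calls exit, so nothing below it runs).
//  * ?auth=logout: log it, tear the session down, send to the login screen.
//  * anything else: the request must carry a session that still matches the
//    users table, or it is logged as "insufficient data sent" and bounced.
//
// Afterwards the idle timeout is enforced on $_SESSION["last_update"].
if (isset($_GET['auth']) && ($_GET['auth'] == "login") && isset($_POST['authUser']) &&
        isset($_POST['authPass']) && isset($_POST['authProvider']))
{
        if (!authNewSession($_POST['authUser'], $_POST['authPass'], $_POST['authProvider']))
        {
                newEvent("login", $_POST['authUser'], $_POST['authProvider'], "failure");
                authLoginScreen();
        }
        newEvent("login", $_POST['authUser'], $_POST['authProvider'], "success");
        //store the very first initial timestamp for timeout errors
        $_SESSION["last_update"] = time();
}
else if ((isset($_GET['auth'])) && ($_GET['auth'] == "logout"))
{
        newEvent("logout", $_SESSION['authUser'], $_SESSION['authProvider'], "success");
        authCloseSession();
        authLoginScreen();
}
else
{
        if (authCheckSession())
        {
                if (isset($_SESSION['pid']) && empty($GLOBALS['DAEMON_FLAG']))
                {
                        require_once("{$GLOBALS['srcdir']}/patient.inc");
                        $logpatient = getPatientData($_SESSION['pid'], "lname, fname, mname");
                        newEvent("view", $_SESSION['authUser'], $_SESSION['authProvider'],
                                "{$logpatient['lname']}, {$logpatient['fname']} {$logpatient['mname']} :: encounter " .
                                $_SESSION['encounter']);
                }
                //LOG EVERYTHING
                //newEvent("view", $_SESSION['authUser'], $_SESSION['authProvider'], $_SERVER['REQUEST_URI']);
        }
        else {
                // This branch is reached by ordinary (non-login) requests, where the
                // login POST fields are normally absent; read them defensively so the
                // audit log call does not raise undefined-index notices.
                $logUser = isset($_POST['authUser']) ? $_POST['authUser'] : '';
                $logProvider = isset($_POST['authProvider']) ? $_POST['authProvider'] : '';
                newEvent("login", $logUser, $logProvider, "insufficient data sent");
                authLoginScreen();
        }
}

// Idle timeout. $timeout (seconds) is not defined in this file; it is expected
// to be set by the including script or global configuration beforehand.
if (!isset($_SESSION["last_update"])) {
        authLoginScreen();
} else {
        //if page has not been updated in a given period of time, we call login screen
        if ((time() - $_SESSION["last_update"]) > $timeout) {
                newEvent("logout", $_SESSION['authUser'], $_SESSION['authProvider'], "timeout");
                authCloseSession();
                authLoginScreen();
        } else {
                // Daemon-driven requests must not keep an interactive session alive.
                if (empty($GLOBALS['DAEMON_FLAG'])) $_SESSION["last_update"] = time();
        }
}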
59 //----------THINGS WE DO IF WE STILL LIKE YOU
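/**
 * Authenticate $user/$pass against the users table and, if the user is a
 * member of the group named $provider, populate the session with the identity
 * fields the rest of the application reads (authUser, authGroup, authUserID,
 * authPass, authProvider, authId, userauthorized).
 *
 * @param string $user     login name as posted by the login form
 * @param string $pass     credential exactly as stored in users.password; this
 *                         function compares the two verbatim, so whatever
 *                         hashing is applied must happen on both sides
 *                         (see addUser(), which takes a $password_md5)
 * @param string $provider group name the user is logging in under
 * @return bool true when the session has been populated, false otherwise
 */
function authNewSession ($user, $pass, $provider)
{
        //session_name("OpenEMR");
        //session_id("81279258720".str_replace(".", "", $_SERVER['REMOTE_ADDR']));
        if (!session_id()) {
                session_start();
        }
        // Credentials come straight from the login form: escape them before
        // splicing into SQL, as validateGroupStatus() already does.
        $safeUser = mysql_real_escape_string($user);
        $safeProvider = mysql_real_escape_string($provider);
        $authDB = sqlQuery("select id, password, authorized, see_auth from users " .
                "where username = '$safeUser'");
        // Unknown user: sqlQuery() yields no row, and indexing that would compare
        // null against the posted value (null == '' is true with loose comparison).
        if (!$authDB) {
                return false;
        }
        // Strict comparison on purpose: with == PHP compares numeric-looking
        // strings numerically, so two different stored values can compare equal.
        if (!is_string($pass) || $authDB['password'] !== $pass) {
                return false;
        }
        //here, we check to see if the user is in fact a member of the correct group:
        $authGroup = sqlQuery("select * from groups where user='$safeUser' and name='$safeProvider'");
        if (!$authGroup) {
                return false;
        }
        // Credentials accepted: issue a fresh session id so an id handed out
        // before login cannot be carried over into the authenticated session.
        session_regenerate_id(true);
        $_SESSION['authUser'] = $user;
        $_SESSION['authGroup'] = $authGroup['name'];
        $_SESSION['authUserID'] = $authDB['id'];
        // authCheckSession() re-checks this against the users table on every
        // request, which is why the credential is kept in the session at all.
        $_SESSION['authPass'] = $pass;
        $_SESSION['authProvider'] = $provider;
        // Same value as authUserID; both keys are read elsewhere. The original
        // used $authDB{'id'}, a brace-offset form PHP 8 no longer accepts.
        $_SESSION['authId'] = $authDB['id'];
        $_SESSION['userauthorized'] = $authDB['authorized'];
        // Some users may be able to authorize without being providers:
        if ($authDB['see_auth'] > '2') $_SESSION['userauthorized'] = '1';
        return true;
}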
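/**
 * Re-validate the current session on every request: it is accepted only when
 * the authUser/authPass stored in the session still match the users row
 * identified by $_SESSION['authId'].
 *
 * @return bool true when the session still matches the database
 */
function authCheckSession ()
{
        if (!isset($_SESSION['authId'])) {
                return false;
        }
        $safeId = mysql_real_escape_string($_SESSION['authId']);
        $authDB = sqlQuery("select username, password from users where id = '$safeId'");
        // User row gone since login: no row means no valid session.
        if (!$authDB) {
                return false;
        }
        // Strict comparison for the same reason as in authNewSession().
        return isset($_SESSION['authUser'], $_SESSION['authPass'])
                && $_SESSION['authUser'] === $authDB['username']
                && $_SESSION['authPass'] === $authDB['password'];
}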
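/**
 * Tear down the server-side session and tell the browser to drop the session
 * cookie.
 */
function authCloseSession ()
{
        ob_start();
        session_unset();
//      $_SESSION = array();
        session_destroy();
        // unset() below only edits this request's copy of $_COOKIE; the browser
        // keeps presenting the old session id unless the cookie is expired too.
        if (isset($_COOKIE[session_name()])) {
                setcookie(session_name(), '', time() - 42000, '/');
        }
        unset($_COOKIE[session_name()]);
}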
/**
 * Redirect to the configured login page and stop the script. Callers rely on
 * nothing after this call being executed.
 */
function authLoginScreen()
{
        //header("Location: https://{$_SERVER['HTTP_HOST']}{$GLOBALS['login_screen']}");
        $target = $GLOBALS['login_screen'];
        header("Location: $target");
        exit;
}
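/**
 * Insert a new users row.
 *
 * @param string $username
 * @param string $password_md5 credential as it should be stored; authNewSession()
 *                             compares users.password verbatim with what the
 *                             login form posts, so both must use the same form
 * @param string $info
 * @param string $authorized
 * @return mixed whatever sqlInsert() returns
 */
function addUser ($username, $password_md5, $info, $authorized = 'yes')
{
        // Escape every caller-supplied value before splicing it into SQL.
        $u = mysql_real_escape_string($username);
        $p = mysql_real_escape_string($password_md5);
        $i = mysql_real_escape_string($info);
        $a = mysql_real_escape_string($authorized);
        return sqlInsert("insert into users (username, password, info, authorized) values ('$u', '$p', '$i', '$a')");
}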
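/**
 * Delete one users row by id.
 *
 * @param string|int $id
 * @return mixed whatever sqlQuery() returns
 */
function delUser ($id)
{
        $safeId = mysql_real_escape_string($id);
        // NOTE(review): MySQL's DELETE accepts only "LIMIT row_count"; the
        // "limit 0,1" offset form is kept as found -- confirm it actually executes.
        return sqlQuery("delete from users where id = '$safeId' limit 0,1");
}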
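/**
 * Replace the stored credential of one user. The function name carries a typo
 * ("Pasword") but is kept as-is because callers use it.
 *
 * @param string|int $id
 * @param string     $new_md5 new value for users.password, in the same form
 *                            the login path compares against
 * @return mixed whatever sqlQuery() returns
 */
function changePasword ($id, $new_md5)
{
        $safeId = mysql_real_escape_string($id);
        $safePass = mysql_real_escape_string($new_md5);
        return sqlQuery("update users set password = '$safePass' where id = '$safeId'");
}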
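/**
 * Fetch users rows, newest first by their date column.
 *
 * @param string     $cols  column list spliced into the SELECT verbatim; it must
 *                          be a literal chosen by the caller, never request data
 * @param string|int $limit 'all' for every row, otherwise the maximum row count
 * @param string|int $start row offset, only used together with a numeric $limit
 * @return array list of rows as returned by sqlFetchArray(); empty when none
 */
function getUserList ($cols = '*', $limit = 'all', $start = '0')
{
        // Was `if ($limit = "all")`: the assignment made the test always true,
        // so every call returned the full table.
        if ($limit === 'all') {
                $rez = sqlStatement("select $cols from users where username != '' order by date DESC");
        } else {
                // MySQL LIMIT is "offset, count"; the original spliced them in the
                // other order. Casting also keeps the values out of SQL as text.
                $offset = (int)$start;
                $count = (int)$limit;
                $rez = sqlStatement("select $cols from users where username != '' order by date DESC limit $offset, $count");
        }
        // Initialised up front so an empty result returns [] instead of null.
        $tbl = array();
        while ($row = sqlFetchArray($rez)) {
                $tbl[] = $row;
        }
        return $tbl;
}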
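/**
 * Fetch groups rows, newest first by their date column.
 *
 * @param string     $cols  column list spliced into the SELECT verbatim; it must
 *                          be a literal chosen by the caller, never request data
 * @param string|int $limit 'all' for every row, otherwise the maximum row count
 * @param string|int $start row offset, only used together with a numeric $limit
 * @return array list of rows as returned by sqlFetchArray(); empty when none
 */
function getProviderList ($cols = '*', $limit= 'all', $start = '0')
{
        // Was `if ($limit = "all")`: the assignment made the test always true,
        // so every call returned the full table.
        if ($limit === 'all') {
                $rez = sqlStatement("select $cols from groups order by date DESC");
        } else {
                // MySQL LIMIT is "offset, count"; the original spliced them in the
                // other order. Casting also keeps the values out of SQL as text.
                $offset = (int)$start;
                $count = (int)$limit;
                $rez = sqlStatement("select $cols from groups order by date DESC limit $offset, $count");
        }
        // Initialised up front so an empty result returns [] instead of null.
        $tbl = array();
        while ($row = sqlFetchArray($rez)) {
                $tbl[] = $row;
        }
        return $tbl;
}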
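/**
 * Insert a new groups row.
 *
 * @param string $groupname
 * @return mixed whatever sqlInsert() returns
 */
function addGroup ($groupname)
{
        $safeName = mysql_real_escape_string($groupname);
        return sqlInsert("insert into groups (name) values ('$safeName')");
}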
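/**
 * Delete one groups row by id.
 *
 * @param string|int $group_id
 * @return mixed whatever sqlQuery() returns
 */
function delGroup ($group_id)
{
        $safeId = mysql_real_escape_string($group_id);
        // NOTE(review): MySQL's DELETE accepts only "LIMIT row_count"; the
        // "limit 0,1" offset form is kept as found -- confirm it actually executes.
        return sqlQuery("delete from groups where id = '$safeId' limit 0,1");
}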
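/***************************************************************
//pennfirm
//Function currently used by new post calendar code to determine
//if a given user is in a group with another user
//and if so to allow editing of that users events
//*************************************************************/

/**
 * Names of the groups $username belongs to (users.username joined to
 * groups.user). Helper for validateGroupStatus(); the leading underscore marks
 * it as internal to this include file.
 *
 * @param string $username
 * @return array list of group names, empty when the user is in no group
 */
function _authGroupNamesForUser ($username)
{
        $query = "SELECT groups.name FROM users,groups WHERE users.username =  \"" . mysql_real_escape_string($username) . "\" " .
                "AND users.username = groups.user group by groups.name";
        $result = sqlStatement($query);
        $names = array();
        while ($row = mysql_fetch_array($result)) {
                $names[] = $row[0];
        }
        return $names;
}

/**
 * Decide whether $group_user may act on $user_to_be_checked's calendar events:
 * true when the two are the same user, when the session carries the
 * 'authorizeduser' flag, or when the two users share at least one group.
 *
 * @param string|null $user_to_be_checked
 * @param string|null $group_user
 * @return bool false when either name is null
 */
function validateGroupStatus ($user_to_be_checked, $group_user) {
        if (!isset($user_to_be_checked) || !isset($group_user)) {
                return false;
        }
        if ($user_to_be_checked == $group_user) {
                return true;
        }
        // NOTE(review): authNewSession() in this file writes
        // $_SESSION['userauthorized'], not 'authorizeduser'; unless another file
        // sets this key the branch never fires -- confirm which key is intended.
        if (isset($_SESSION['authorizeduser']) && $_SESSION['authorizeduser'] == 1) {
                return true;
        }
        $usertbcGroups = _authGroupNamesForUser($user_to_be_checked);
        $usergGroups = _authGroupNamesForUser($group_user);
        foreach ($usertbcGroups as $group) {
                // strict: group names are strings on both sides
                if (in_array($group, $usergGroups, true)) {
                        return true;
                }
        }
        return false;
}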