| blob | 9da452a9bfd3a4819043651e2dbee541b9ad0db6 |
1 <?php
2 /**
3 * library/acl.inc
4 *
5 * Functions wrapping php-GACL's functionality, to create a generic OpenEMR access control system.
6 *
7 * LICENSE: This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 3
10 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see
17 * http://www.gnu.org/licenses/licenses.html#GPL .
18 *
19 * @package OpenEMR
20 * @license http://www.gnu.org/licenses/licenses.html#GPL GNU GPL V3+
21 * @author Brady Miller <brady.g.miller@gmail.com>
22 * @author Rod Roark <rod@sunsetsystems.com>
23 * @link http://www.open-emr.org
24 */
26 // php-GACL access controls are included in OpenEMR. The below
27 // function will automatically create the path where gacl.class.php
28 // can be found. Note that this path can be manually set below
29 // for users who are using an external version of php-GACL.
30 // Also note that php-GACL access controls can be turned off
31 // below.
33 $phpgacl_location = dirname(__FILE__).'/../gacl';
35 // If using an external version of phpGACL, then uncomment the following
36 // line and manually place the path below. IN THIS CASE YOU MUST ALSO
37 // COMMENT OUT ABOVE $phpgacl_location ASSIGNMENT ABOVE, OR BACKUPS WILL
38 // NOT RESTORE PROPERLY!
39 //
40 //$phpgacl_location = "/var/www/gacl";
41 //
42 // If you want to turn off php-GACL, then uncomment the following line.
43 // IN THIS CASE YOU MUST ALSO COMMENT OUT ABOVE $phpgacl_location ASSIGNMENT(S)
44 // ABOVE, OR BACKUPS WILL NOT RESTORE PROPERLY!
45 //
46 //unset($phpgacl_location);
47 //
49 // The following Access Control Objects (ACO) are currently supported.
50 // These are the "things to be protected":
51 //
52 // Section "admin" (Administration):
53 // super Superuser - can delete patients, encounters, issues
54 // calendar Calendar Settings
55 // database Database Reporting
56 // forms Forms Administration
57 // practice Practice Settings
58 // superbill Superbill Codes Administration
59 // users Users/Groups/Logs Administration
60 // batchcom Batch Communication Tool
61 // language Language Interface Tool
62 // drugs Pharmacy Dispensary
63 // acl ACL Administration
64 // multipledb Multipledb
65 //
66 // Section "acct" (Accounting):
67 // bill Billing (write optional)
68 // disc Allowed to discount prices (in Fee Sheet or Checkout form)
69 // eob EOB Data Entry
70 // rep Financial Reporting - my encounters
71 // rep_a Financial Reporting - anything
72 //
73 // Section "patients" (Patient Information):
74 // appt Appointments (write,wsome optional)
75 // demo Demographics (write,addonly optional)
76 // med Medical Records and History (write,addonly optional)
77 // trans Transactions, e.g. referrals (write optional)
78 // docs Documents (write,addonly optional)
79 // notes Patient Notes (write,addonly optional)
80 // sign Sign Lab Results (write,addonly optional)
81 // reminder Patient Reminders (write,addonly optional)
82 // alert Clinical Reminders/Alerts (write,addonly optional)
83 // disclosure Disclosures (write,addonly optional)
84 // rx Prescriptions (write,addonly optional)
85 // amendment Amendments (write,addonly optional)
86 // lab Lab Results (write,addonly optional)
87 //
88 // Section "encounters" (Encounter Information):
89 // auth Authorize - my encounters
90 // auth_a Authorize - any encounters
91 // coding Coding - my encounters (write,wsome optional)
92 // coding_a Coding - any encounters (write,wsome optional)
93 // notes Notes - my encounters (write,addonly optional)
94 // notes_a Notes - any encounters (write,addonly optional)
95 // date_a Fix encounter dates - any encounters
96 // relaxed Less-private information (write,addonly optional)
97 // (e.g. the Sports Fitness encounter form)
98 //
99 // Section "squads" applies to sports team use only:
100 // acos in this section define the user-specified list of squads
101 //
102 // Section "sensitivities" (Sensitivities):
103 // normal Normal
104 // high High
105 //
106 // Section "lists" (Lists):
107 // default Default List (write,addonly optional)
108 // state State List (write,addonly optional)
109 // country Country List (write,addonly optional)
110 // language Language List (write,addonly optional)
111 // ethrace Ethnicity-Race List (write,addonly optional)
112 //
113 // Section "placeholder" (Placeholder):
114 // filler Placeholder (Maintains empty ACLs)
115 //
116 // Section "nationnotes" (Nation Notes):
117 // nn_configure Nation Notes
118 //
119 // Section "patientportal" (Patient Portal):
120 // portal Patient Portal
121 //
122 // Section "menus" (Menus):
123 // modle Module
124 //
125 // Section "groups" (Groups):
126 // gadd View/Add/Update groups
127 // gcalendar View/Create/Update groups appointment in calendar
128 // glog Group encounter log
129 // gdlog Group detailed log of appointment in patient record
130 // gm Send message from the permanent group therapist to the personal therapist
132 if (isset($phpgacl_location)) {
133 $GLOBALS['phpgacl_location_global'] = $phpgacl_location;
134 require_once("$phpgacl_location/gacl.class.php");
135 $gacl_object = new gacl();
136 //DO NOT CHANGE BELOW VARIABLE
137 $section_aro_value = 'users';
138 $GLOBALS['section_aro_value_global'] = $section_aro_value;
139 }
141 /**
142 * Check if a user has a given type or types of access to an access control object.
143 *
144 * Globals that can use are:
145 * $GLOBALS['phpgacl_location_global']
146 * $GLOBALS['section_aro_value_global']
147 *
148 * This function will check for access to the given ACO.
149 * view - The user may view but not add or modify entries
150 * write - The user may add or modify the ACO
151 * wsome - The user has limited add/modify access to the ACO
152 * addonly - The user may view and add but not modify entries
153 *
154 * @param string $section Category of ACO
155 * @param string $value Subcategory of ACO
156 * @param string $user Optional user being checked for access.
157 * @param string|array $return_value Type or types of access being requested.
158 * @return bool|array FALSE if access is denied, TRUE if allowed. An
159 * array() of bools is returned if $return_value is an
160 * array, representing results for each type of access
161 * requested.
162 */
163 function acl_check($section, $value, $user = '', $return_value = '')
164 {
165 if (! $user) {
166 $user = $_SESSION['authUser'];
167 }
169 // Superuser always gets access to everything.
170 if (($section != 'admin' || $value != 'super') && acl_check('admin', 'super', $user)) {
171 return true;
172 }
174 if ($GLOBALS['phpgacl_location_global']) {
175 // This will return all pertinent ACL's (including return_values and whether allow/deny)
176 // Walk through them to assess for access
177 $gacl_object = new gacl();
178 $acl_results = $gacl_object->acl_query($section, $value, $GLOBALS['section_aro_value_global'], $user, null, null, null, null, null, true);
179 if (empty($acl_results)) {
180 return false; //deny access
181 }
182 $access=false; //flag
183 $deny=false; //flag
184 foreach ($acl_results as $acl_result) {
185 if (empty($acl_result['acl_id'])) {
186 return false; //deny access, since this happens if no pertinent ACL's are returned
187 }
188 if (is_array($return_value)) {
189 foreach ($return_value as $single_return_value) {
190 if (empty($single_return_value)) {
191 // deal with case if not looking for specific return value
192 if ($acl_result['allow']) {
193 $access=true;
194 } else {
195 $deny=true;
196 }
197 } else { //!empty($single_return_value)
198 // deal with case if looking for specific return value
199 if ($acl_result['return_value'] == $single_return_value) {
200 if ($acl_result['allow']) {
201 $access=true;
202 } else {
203 $deny=true;
204 }
205 }
206 }
207 }
208 } else { // $return_value is not an array (either empty or with one value)
209 if (empty($return_value)) {
210 // deal with case if not looking for specific return value
211 if ($acl_result['allow']) {
212 $access=true;
213 } else {
214 $deny=true;
215 }
216 } else { //!empty($return_value)
217 // deal with case if looking for specific return value
218 if ($acl_result['return_value'] == $return_value) {
219 if ($acl_result['allow']) {
220 $access=true;
221 } else {
222 $deny=true;
223 }
224 }
225 }
226 }
227 }
229 // Now decide whether user has access
230 // (Note a denial takes precedence)
231 if (!$deny && $access) {
232 return true;
233 }
234 return false;
235 }
237 // If no phpgacl, then apply the old static rules whereby "authorized"
238 // users (providers) can do anything, and other users can do most things.
239 // If you want custom access control but don't want to mess with phpGACL,
240 // then you could customize the code below instead.
242 if ($user == 'admin') {
243 return 'write';
244 }
245 if ($section == 'admin' && $value == 'super') {
246 return 0;
247 }
248 if ($_SESSION['userauthorized']) {
249 return 'write';
250 }
252 if ($section == 'patients') {
253 if ($value == 'med') {
254 return 1;
255 }
256 return 'write';
257 } else if ($section == 'encounters') {
258 if (strpos($value, 'coding') === 0) {
259 return 'write';
260 }
261 if (strpos($value, 'notes') === 0) {
262 return 'write';
263 }
264 if ($value == 'relaxed') {
265 return 'write';
266 }
267 } else if ($section != 'admin') {
268 return 'write';
269 }
271 return 0;
272 }
274 // Get the ACO name/value pairs for a designated section. Each value
275 // is an array (section_value, value, order_value, name, hidden).
276 //
277 function acl_get_section_acos($section)
278 {
279 global $phpgacl_location;
280 if ($phpgacl_location) {
281 include_once("$phpgacl_location/gacl_api.class.php");
282 $gacl = new gacl_api();
283 $arr1 = $gacl->get_objects($section, 1, 'ACO');
284 $arr = array();
285 if (!empty($arr1[$section])) {
286 foreach ($arr1[$section] as $value) {
287 $odata = $gacl->get_object_data($gacl->get_object_id($section, $value, 'ACO'), 'ACO');
288 $arr[$value] = $odata[0];
289 }
290 }
291 return $arr;
292 }
293 return 0;
294 }
296 // Sort squads by their order value. Used only by acl_get_squads().
297 function _acl_squad_compare($a, $b)
298 {
299 if ($a[2] == $b[2]) {
300 // If order value is the same, sort by squad name.
301 if ($a[3] == $b[3]) {
302 return 0;
303 }
304 return ($a[3] < $b[3]) ? -1 : 1;
305 }
306 return ($a[2] < $b[2]) ? -1 : 1;
307 }
309 // Return an array keyed on squad ACO names.
310 // This is only applicable for sports team use.
311 //
312 function acl_get_squads()
313 {
314 $squads = acl_get_section_acos('squads');
315 uasort($squads, "_acl_squad_compare");
316 return $squads;
317 }
319 // Return an array keyed on encounter sensitivity level ACO names.
320 // Sensitivities are useful when some encounter notes are not
321 // medically sensitive (e.g. a physical fitness test), and/or if
322 // some will be "for doctor's eyes only" (e.g. STD treatment).
323 //
324 // When a non-blank sensitivity value exists in the new encounter
325 // form, it names an additional ACO required for access to all forms
326 // in the encounter. If you want some encounters to be non-sensitive,
327 // then you also need some default nonblank sensitivity for normal
328 // encounters, as well as greater encounter notes permissions for
329 // those allowed to view non-sensitive encounters.
330 //
331 function acl_get_sensitivities()
332 {
333 return acl_get_section_acos('sensitivities');
334 }
336 //
337 // Returns true if aco exist
338 // Returns false if aco doesn't exist
339 // $section_name = name of section (string)
340 // $aco_name = name of aco (string)
341 //
342 function aco_exist($section_name, $aco_name)
343 {
344 global $phpgacl_location;
345 if (isset($phpgacl_location)) {
346 include_once("$phpgacl_location/gacl_api.class.php");
347 $gacl = new gacl_api();
348 $aco_id = $gacl->get_object_id($section_name, $aco_name, 'ACO');
349 if ($aco_id) {
350 return true;
351 }
352 }
353 return false;
354 }
356 //
357 // Returns a sorted array of all available Group Titles.
358 //
359 function acl_get_group_title_list()
360 {
361 global $phpgacl_location;
362 if (isset($phpgacl_location)) {
363 include_once("$phpgacl_location/gacl_api.class.php");
364 $gacl = new gacl_api();
365 $parent_id = $gacl->get_root_group_id();
366 $arr_group_ids = $gacl->get_group_children($parent_id, 'ARO', 'RECURSE');
367 $arr_group_titles = array();
368 foreach ($arr_group_ids as $value) {
369 $arr_group_data = $gacl->get_group_data($value, 'ARO');
370 $arr_group_titles[$value] = $arr_group_data[3];
371 }
372 sort($arr_group_titles);
373 return $arr_group_titles;
374 }
375 return 0;
376 }
378 //
379 // Returns a sorted array of group Titles that a user belongs to.
380 // Returns 0 if does not belong to any group yet.
381 // $user_name = Username, which is login name.
382 //
383 function acl_get_group_titles($user_name)
384 {
385 global $phpgacl_location, $section_aro_value;
386 if (isset($phpgacl_location)) {
387 include_once("$phpgacl_location/gacl_api.class.php");
388 $gacl = new gacl_api();
389 $user_aro_id = $gacl->get_object_id($section_aro_value, $user_name, 'ARO');
390 if ($user_aro_id) {
391 $arr_group_id = $gacl->get_object_groups($user_aro_id, 'ARO', 'NO_RECURSE');
392 if ($arr_group_id) {
393 foreach ($arr_group_id as $key => $value) {
394 $arr_group_data = $gacl->get_group_data($value, 'ARO');
395 $arr_group_titles[$key] = $arr_group_data[3];
396 }
397 sort($arr_group_titles);
398 return $arr_group_titles;
399 }
400 }
401 }
402 return 0;
403 }
405 //
406 // This will place the user aro object into selected group(s)
407 // It uses the set_user_aro() function
408 // $username = username (string)
409 // $group = title of group(s) (string or array)
410 //
411 function add_user_aros($username, $group)
412 {
413 $current_user_groups = acl_get_group_titles($username);
414 if (!$current_user_groups) {
415 $current_user_groups = array();
416 }
417 if (is_array($group)) {
418 foreach ($group as $value) {
419 if (!in_array($value, $current_user_groups)) {
420 array_push($current_user_groups, $value);
421 }
422 }
423 } else {
424 if (!in_array($group, $current_user_groups)) {
425 array_push($current_user_groups, $group);
426 }
427 }
428 $user_data = sqlFetchArray(sqlStatement("select * from users where username='" .
429 $username . "'"));
430 set_user_aro(
431 $current_user_groups,
432 $username,
433 $user_data["fname"],
434 $user_data["mname"],
435 $user_data["lname"]
436 );
437 return;
438 }
440 //
441 // This will remove the user aro object from the selected group(s)
442 // It uses the set_user_aro() function
443 // $username = username (string)
444 // $group = title of group(s) (string or array)
445 //
446 function remove_user_aros($username, $group)
447 {
448 $current_user_groups = acl_get_group_titles($username);
449 $new_user_groups = array();
450 if (is_array($group)) {
451 foreach ($current_user_groups as $value) {
452 if (!in_array($value, $group)) {
453 array_push($new_user_groups, $value);
454 }
455 }
456 } else {
457 foreach ($current_user_groups as $value) {
458 if ($value != $group) {
459 array_push($new_user_groups, $value);
460 }
461 }
462 }
463 $user_data = sqlFetchArray(sqlStatement("select * from users where username='" .
464 $username . "'"));
465 set_user_aro(
466 $new_user_groups,
467 $username,
468 $user_data["fname"],
469 $user_data["mname"],
470 $user_data["lname"]
471 );
472 return;
473 }
475 //
476 // This will either create or edit a user aro object, and then place it
477 // in the requested groups. It will not allow removal of the 'admin'
478 // user or gacl_protected users from the 'admin' group.
479 // $arr_group_titles = titles of the groups that user will be added to.
480 // $user_name = username, which is login name.
481 // $first_name = first name
482 // $middle_name = middle name
483 // $last_name = last name
484 //
485 function set_user_aro($arr_group_titles, $user_name, $first_name, $middle_name, $last_name)
486 {
487 global $phpgacl_location, $section_aro_value;
489 if (isset($phpgacl_location)) {
490 include_once("$phpgacl_location/gacl_api.class.php");
491 $gacl = new gacl_api();
493 //see if this user is gacl protected (ie. do not allow
494 //removal from the Administrators group)
495 require_once(dirname(__FILE__).'/user.inc');
496 require_once(dirname(__FILE__).'/calendar.inc');
497 $userNametoID = getIDfromUser($user_name);
498 if (checkUserSetting("gacl_protect", "1", $userNametoID) || $user_name == "admin") {
499 $gacl_protect = true;
500 } else {
501 $gacl_protect = false;
502 }
504 //get array of all available group ID numbers
505 $parent_id = $gacl->get_root_group_id();
506 $arr_all_group_ids = $gacl->get_group_children($parent_id, 'ARO', 'RECURSE');
508 //Cycle through ID array to find and process each selected group
509 //Create a counter since processing of first hit is unique
510 $counter = 0;
511 foreach ($arr_all_group_ids as $value) {
512 $arr_group_data = $gacl->get_group_data($value, 'ARO');
513 if ((empty($arr_group_titles)) ||
514 (in_array($arr_group_data[3], $arr_group_titles))) {
515 //We have a hit, so need to add group and increment counter
516 // because processing of first hit is unique
517 //This will also deal with an empty $arr_group_titles array
518 // removing user from all groups unless 'admin'
519 $counter = $counter + 1;
520 //create user full name field
521 if ($middle_name) {
522 $full_name = $first_name . " " . $middle_name . " " . $last_name;
523 } else {
524 if ($last_name) {
525 $full_name = $first_name . " " . $last_name;
526 } else {
527 $full_name = $first_name;
528 }
529 }
531 //If this is not the first group to be added, then will skip below
532 // and will be added. If this is the first group, then need to
533 // go thru several steps before adding the group.
534 if ($counter == 1) {
535 //get ID of user ARO object, if it exist
536 $user_aro_id = $gacl->get_object_id($section_aro_value, $user_name, 'ARO');
537 if ($user_aro_id) {
538 //user ARO object already exist, so will edit it
539 $gacl->edit_object($user_aro_id, $section_aro_value, $full_name, $user_name, 10, 0, 'ARO');
541 //remove all current user ARO object group associations
542 $arr_remove_group_ids = $gacl->get_object_groups($user_aro_id, 'ARO', 'NO_RECURSE');
543 foreach ($arr_remove_group_ids as $value2) {
544 $gacl->del_group_object($value2, $section_aro_value, $user_name, 'ARO');
545 }
546 } else {
547 //user ARO object does not exist, so will create it
548 $gacl->add_object($section_aro_value, $full_name, $user_name, 10, 0, 'ARO');
549 }
550 }
552 //place the user ARO object in the selected group (if group(s) is selected)
553 if (!empty($arr_group_titles)) {
554 $gacl->add_group_object($value, $section_aro_value, $user_name, 'ARO');
555 }
557 //
558 //Below will not allow 'admin' or gacl_protected user to be removed from 'admin' group
559 //
560 if ($gacl_protect) {
561 $boolean_admin=0;
562 $admin_id = $gacl->get_object_id($section_aro_value, $user_name, 'ARO');
563 $arr_admin = $gacl->get_object_groups($admin_id, 'ARO', 'NO_RECURSE');
564 foreach ($arr_admin as $value3) {
565 $arr_admin_data = $gacl->get_group_data($value3, 'ARO');
566 if (strcmp($arr_admin_data[2], 'admin') == 0) {
567 $boolean_admin=1;
568 }
569 }
570 if (!$boolean_admin) {
571 foreach ($arr_all_group_ids as $value4) {
572 $arr_temp = $gacl->get_group_data($value4, 'ARO');
573 if ($arr_temp[2] == 'admin') {
574 $gacl->add_group_object($value4, $section_aro_value, $user_name, 'ARO');
575 }
576 }
577 }
578 }
579 }
580 //if array of groups was empty, then we are done, and can break from loop
581 if (empty($arr_group_titles)) {
582 break;
583 }
584 }
585 return true;
586 }
587 return false;
588 }
590 //
591 // Returns true if acl exist
592 // Returns false if acl doesn't exist
593 // EITHER $title or $name is required(send FALSE in variable
594 // not being used). If both are sent, then only $title will be
595 // used.
596 // $return_value is required
597 // $title = title of acl (string)
598 // $name = name of acl (string)
599 // $return_value = return value of acl (string)
600 //
601 function acl_exist($title, $name, $return_value)
602 {
603 global $phpgacl_location;
604 if (isset($phpgacl_location)) {
605 include_once("$phpgacl_location/gacl_api.class.php");
606 $gacl = new gacl_api();
607 if (!$name) {
608 $acl = $gacl->search_acl(false, false, false, false, $title, false, false, false, $return_value);
609 } else if (!$title) {
610 $group_id = $gacl->get_group_id($name, null, 'ARO');
611 if ($group_id) {
612 $group_data = $gacl->get_group_data($group_id, 'ARO');
613 $acl = $gacl->search_acl(false, false, false, false, $group_data[3], false, false, false, $return_value);
614 } else {
615 return false;
616 }
617 } else {
618 $acl = $gacl->search_acl(false, false, false, false, $title, false, false, false, $return_value);
619 }
620 if (!empty($acl)) {
621 return true;
622 } else {
623 return false;
624 }
625 }
626 }
628 //
629 // This will add a new acl and group(if group doesn't yet exist)
630 // with one aco in it.
631 // $acl_title = title of acl (string)
632 // $acl_name = name of acl (string)
633 // $return_value = return value of acl (string)
634 // $note = description of acl (array)
635 //
636 function acl_add($acl_title, $acl_name, $return_value, $note)
637 {
638 global $phpgacl_location;
639 if (isset($phpgacl_location)) {
640 include_once("$phpgacl_location/gacl_api.class.php");
641 $gacl = new gacl_api();
642 $group_id = $gacl->get_group_id($acl_name, $acl_title, 'ARO');
643 if ($group_id) {
644 //group already exist, so just create acl
645 $gacl->add_acl(
646 array("placeholder"=>array("filler")),
647 null,
648 array($group_id),
649 null,
650 null,
651 1,
652 1,
653 $return_value,
654 $note
655 );
656 } else {
657 //create group, then create acl
658 $parent_id = $gacl->get_root_group_id();
659 $aro_id = $gacl->add_group($acl_name, $acl_title, $parent_id, 'ARO');
660 $gacl->add_acl(
661 array("placeholder"=>array("filler")),
662 null,
663 array($aro_id),
664 null,
665 null,
666 1,
667 1,
668 $return_value,
669 $note
670 );
671 }
672 return;
673 }
674 return 0;
675 }
677 //
678 // This will remove acl. It will also remove group(if the group
679 // is no longer associated with any acl's).
680 // $acl_title = title of acl (string)
681 // $acl_name = name of acl (string)
682 // $return_value = return value of acl (string)
683 // $note = description of acl (array)
684 //
685 function acl_remove($acl_title, $return_value)
686 {
687 global $phpgacl_location;
688 if (isset($phpgacl_location)) {
689 include_once("$phpgacl_location/gacl_api.class.php");
690 $gacl = new gacl_api();
691 //First, delete the acl
692 $acl_id=$gacl->search_acl(false, false, false, false, $acl_title, false, false, false, $return_value);
693 $gacl->del_acl($acl_id[0]);
694 //Then, remove the group(if no more acl's are remaining)
695 $acl_search=$gacl->search_acl(false, false, false, false, $acl_title, false, false, false, false);
696 if (empty($acl_search)) {
697 $group_id=$gacl-> get_group_id(null, $acl_title, 'ARO');
698 $gacl->del_group($group_id, true, 'ARO');
699 }
700 return;
701 }
702 return 0;
703 }
705 //
706 // This will place the aco(s) into the selected acl
707 // $acl_title = title of acl (string)
708 // $return_value = return value of acl (string)
709 // $aco_id = id of aco (array)
710 //
711 function acl_add_acos($acl_title, $return_value, $aco_id)
712 {
713 global $phpgacl_location;
714 if (isset($phpgacl_location)) {
715 include_once("$phpgacl_location/gacl_api.class.php");
716 $gacl = new gacl_api();
717 $acl_id = $gacl->search_acl(false, false, false, false, $acl_title, false, false, false, $return_value);
718 foreach ($aco_id as $value) {
719 $aco_data = $gacl->get_object_data($value, 'ACO');
720 $aco_section = $aco_data[0][0];
721 $aco_name = $aco_data[0][1];
722 $gacl->append_acl($acl_id[0], null, null, null, null, array($aco_section=>array($aco_name)));
723 }
724 return;
725 }
726 return 0;
727 }
729 //
730 // This will remove the aco(s) from the selected acl
731 // Note if all aco's are removed, then will place the filler-placeholder
732 // into the acl to avoid complete removal of the acl.
733 // $acl_title = title of acl (string)
734 // $return_value = return value of acl (string)
735 // $aco_id = id of aco (array)
736 //
737 function acl_remove_acos($acl_title, $return_value, $aco_id)
738 {
739 global $phpgacl_location;
740 if (isset($phpgacl_location)) {
741 include_once("$phpgacl_location/gacl_api.class.php");
742 $gacl = new gacl_api();
743 $acl_id = $gacl->search_acl(false, false, false, false, $acl_title, false, false, false, $return_value);
745 // Check to see if removing all acos. If removing all acos then will
746 // ensure the filler-placeholder aco in acl to avoid complete
747 // removal of the acl.
748 if (count($aco_id) == acl_count_acos($acl_title, $return_value)) {
749 //1-get the filler-placeholder aco id
750 $filler_aco_id = $gacl->get_object_id('placeholder', 'filler', 'ACO');
751 //2-add filler-placeholder aco
752 acl_add_acos($acl_title, $return_value, array($filler_aco_id));
753 //3-ensure filler-placeholder aco is not to be deleted
754 $safeListaco = remove_element($_POST["selection"], $filler_aco_id);
755 //4-prepare to safely delete the acos
756 $aco_id = $safeListaco;
757 }
759 foreach ($aco_id as $value) {
760 $aco_data = $gacl->get_object_data($value, 'ACO');
761 $aco_section = $aco_data[0][0];
762 $aco_name = $aco_data[0][1];
763 $gacl->shift_acl($acl_id[0], null, null, null, null, array($aco_section=>array($aco_name)));
764 }
765 return;
766 }
767 return 0;
768 }
770 //
771 // This will return the number of aco objects
772 // in a specified acl.
773 // $acl_title = title of acl (string)
774 // $return_value = return value of acl (string)
775 //
776 function acl_count_acos($acl_title, $return_value)
777 {
778 global $phpgacl_location;
779 if (isset($phpgacl_location)) {
780 include_once("$phpgacl_location/gacl_api.class.php");
781 $gacl = new gacl_api();
782 $acl_id = $gacl->search_acl(false, false, false, false, $acl_title, false, false, false, $return_value);
783 $acl_data = $gacl->get_acl($acl_id[0]);
784 $aco_count = 0;
785 foreach ($acl_data['aco'] as $key => $value) {
786 $aco_count = $aco_count + count($acl_data['aco'][$key]);
787 }
788 return $aco_count;
789 }
790 return 0;
791 }
793 //
794 // Function to remove an element from an array
795 //
796 function remove_element($arr, $val)
797 {
798 $arr2 = array();
799 foreach ($arr as $value) {
800 if ($value != $val) {
801 array_push($arr2, $value);
802 }
803 }
804 return $arr2;
805 }
806 /**
807 * Checks ACL
808 *
809 * Same Functionality in the Zend Module
810 * for ACL Check in Zend
811 * Path openemr/interface/modules/zend_modules/module/Application/src/Application/Model/ApplicationTable
812 * Function Name zAclCheck
813 *
814 * @param String $user_id Auth user Id
815 * $param String $section_identifier ACL Section id
816 * @return boolean
817 */
818 function zh_acl_check($user_id, $section_identifier)
819 {
820 $sql_user_acl = " SELECT
821 COUNT(allowed) AS count
822 FROM
823 module_acl_user_settings AS usr_settings
824 LEFT JOIN module_acl_sections AS acl_sections
825 ON usr_settings.section_id = acl_sections.`section_id`
826 WHERE
827 acl_sections.section_identifier = ? AND usr_settings.user_id = ? AND usr_settings.allowed = ?";
828 $sql_user_group = " SELECT
829 gagp.id AS group_id
830 FROM
831 gacl_aro AS garo
832 LEFT JOIN `gacl_groups_aro_map` AS gamp
833 ON garo.id = gamp.aro_id
834 LEFT JOIN `gacl_aro_groups` AS gagp
835 ON gagp.id = gamp.group_id
836 RIGHT JOIN `users_secure` usr
837 ON usr. username = garo.value
838 WHERE
839 garo.section_value = ? AND usr. id = ?";
840 $res_groups = sqlStatement($sql_user_group, array('users',$user_id));
842 // Prepare the group queries with the placemakers and binding array for the IN part
843 $groups_sql_param = array();
844 $groupPlacemakers = "";
845 $firstFlag = true;
846 while ($row = sqlFetchArray($res_groups)) {
847 array_push($groups_sql_param, $row['group_id']);
848 if ($firstFlag) {
849 $groupPlacemakers = "?";
850 $firstFlag = false;
851 } else {
852 $groupPlacemakers .= ",?";
853 }
854 }
855 $sql_group_acl_base = " SELECT
856 COUNT(allowed) AS count
857 FROM
858 module_acl_group_settings AS group_settings
859 LEFT JOIN module_acl_sections AS acl_sections
860 ON group_settings.section_id = acl_sections.section_id
861 WHERE
862 group_settings.group_id IN (".$groupPlacemakers.") AND acl_sections.`section_identifier` = ? ";
864 $sql_group_acl_allowed = $sql_group_acl_base . " AND group_settings.allowed = '1'";
866 // Complete the group queries sql binding array
867 array_push($groups_sql_param, $section_identifier);
869 $count_group_allowed = 0;
870 $count_user_allowed = 0;
872 $res_user_allowed = sqlQuery($sql_user_acl, array($section_identifier,$user_id,1));
873 $count_user_allowed = $res_user_allowed['count'];
875 $res_group_allowed = sqlQuery($sql_group_acl_allowed, $groups_sql_param);
876 $count_group_allowed = $res_group_allowed['count'];
878 if ($count_user_allowed > 0) {
879 return true;
880 } elseif ($count_group_allowed > 0) {
881 return true;
882 } else {
883 return false;
884 }
885 }
887 // This generates an HTML options list for all ACOs.
888 // The caller inserts this between <select> and </select> tags.
889 //
890 function gen_aco_html_options($default = '')
891 {
892 $acoArray = gen_aco_array();
893 $s = '';
894 foreach ($acoArray as $section => $acos_array) {
895 $s .= "<optgroup label='" . xla($section) . "'>\n";
896 foreach ($acos_array as $aco_array) {
897 $s .= "<option value='" . attr($aco_array['value']) . "'";
898 if ($aco_array['value'] == $default) {
899 $s .= ' selected';
900 }
901 $s .= ">" . xlt($aco_array['name']) . "</option>";
902 }
903 $s .= "</optgroup>";
904 }
905 return $s;
906 }
909 // Returns array of all ACOs
910 function gen_aco_array()
911 {
912 global $phpgacl_location;
913 require_once("$phpgacl_location/gacl_api.class.php");
914 $acoArray = array();
915 $gacl = new gacl_api();
916 // collect and sort all aco objects
917 $list_aco_objects = $gacl->get_objects(null, 0, 'ACO');
918 ksort($list_aco_objects);
919 foreach ($list_aco_objects as $seckey => $dummy) {
920 if (empty($dummy)) {
921 continue;
922 }
923 asort($list_aco_objects[$seckey]);
924 $aco_section_data = $gacl->get_section_data($seckey, 'ACO');
925 $aco_section_title = $aco_section_data[3];
926 foreach ($list_aco_objects[$seckey] as $acokey) {
927 $aco_id = $gacl->get_object_id($seckey, $acokey, 'ACO');
928 $aco_data = $gacl->get_object_data($aco_id, 'ACO');
929 $aco_title = $aco_data[0][3];
930 $optkey = "$seckey|$acokey";
931 $acoArray[$aco_section_title][$aco_id]['name'] = $aco_title;
932 $acoArray[$aco_section_title][$aco_id]['value'] = $optkey;
933 }
934 }
935 return $acoArray;
936 }
939 // Permissions check for an ACO in "section|aco" format.
940 // Note $return_value may be an array of return values.
941 //
942 function acl_check_aco_spec($aco_spec, $user = '', $return_value = '')
943 {
944 if (empty($aco_spec)) {
945 return true;
946 }
947 $tmp = explode('|', $aco_spec);
948 if (!is_array($return_value)) {
949 $return_value = array($return_value);
950 }
951 foreach ($return_value as $rv) {
952 if (acl_check($tmp[0], $tmp[1], $user, $rv)) {
953 return true;
954 }
955 }
956 return false;
957 }
959 // Permissions check for a specified encounter form type.
960 // Note $return_value may be an array of return values.
961 //
962 function acl_check_form($formdir, $user = '', $return_value = '')
963 {
964 require_once(dirname(__FILE__) . '/registry.inc');
965 $tmp = getRegistryEntryByDirectory($formdir, 'aco_spec');
966 return acl_check_aco_spec($tmp['aco_spec'], $user, $return_value);
967 }
969 // Permissions check for a specified issue type.
970 // Note $return_value may be an array of return values.
971 //
972 function acl_check_issue($type, $user = '', $return_value = '')
973 {
974 require_once(dirname(__FILE__) . '/lists.inc');
975 global $ISSUE_TYPES;
976 if (empty($ISSUE_TYPES[$type][5])) {
977 return true;
978 }
979 return acl_check_aco_spec($ISSUE_TYPES[$type][5], $user, $return_value);
980 }
982 // Permissions check for a specified document category name.
983 // Note $return_value may be an array of return values.
984 //
985 function acl_check_cat_name($catname, $user = '', $return_value = '')
986 {
987 $tmp = sqlQuery(
988 "SELECT aco_spec FROM categories WHERE name = ? ORDER BY id LIMIT 1",
989 array($catname)
990 );
991 if (empty($tmp['aco_spec'])) {
992 return true;
993 }
994 return acl_check_aco_spec($tmp['aco_spec'], $user, $return_value);
995 }
997 //Fetches aco for given postcalendar category
998 function fetchPostCalendarCategoryACO($pc_catid)
999 {
1000 $aco = sqlQuery(
1001 "SELECT aco_spec FROM openemr_postcalendar_categories WHERE pc_catid = ? LIMIT 1",
1002 array($pc_catid)
1003 );
1004 return $aco['aco_spec'];
1005 }