| blob | 6e22a0ff246684e062840f86a9bb737d08f129ac |
1 <?php
2 // This program is free software; you can redistribute it and/or
3 // modify it under the terms of the GNU General Public License
4 // as published by the Free Software Foundation; either version 2
5 // of the License, or (at your option) any later version.
7 //----------THINGS WE ALWAYS DO
9 require_once("{$GLOBALS['srcdir']}/log.inc");
10 require_once("{$GLOBALS['srcdir']}/sql.inc");
11 // added for the phpGACL group check -- JRM
12 require_once("{$GLOBALS['srcdir']}/acl.inc");
13 require_once("$srcdir/formdata.inc.php");
15 $incoming_site_id = '';
17 if (isset($_GET['auth']) && ($_GET['auth'] == "login") && isset($_POST['authUser']) &&
18 isset($_POST['authPass']) && isset($_POST['authProvider']))
19 {
20 // set the language
21 if (!empty($_POST['languageChoice'])) {
22 $_SESSION['language_choice'] = $_POST['languageChoice'];
23 }
24 else {
25 $_SESSION['language_choice'] = 1;
26 }
27 //If password expiration option is enabled call authCheckExpired() to check whether login user password is expired or not
28 if($GLOBALS['password_expiration_days'] != 0){
29 authCheckExpired();
30 }
31 $ip=$_SERVER['REMOTE_ADDR'];
32 //VicarePlus :: authNewPass is set ,only if the password in DB is encrypted using MD5.
33 if (isset($_POST['authNewPass']))
34 {
35 if (!authNewSession($_POST['authUser'], $_POST['authPass'], $_POST['authProvider'], $_POST['authNewPass']))
36 {
37 $_SESSION['loginfailure'] = 1;
38 authLoginScreen();
39 }
40 }
41 else
42 {
43 if (!authNewSession($_POST['authUser'], $_POST['authPass'], $_POST['authProvider'],''))
44 {
45 $_SESSION['loginfailure'] = 1;
46 authLoginScreen();
47 }
48 }
49 $_SESSION['loginfailure'] = null;
50 unset($_SESSION['loginfailure']);
51 //store the very first initial timestamp for timeout errors
52 $_SESSION["last_update"] = time();
53 }
54 else if ( (isset($_GET['auth'])) && ($_GET['auth'] == "logout") )
55 {
56 newEvent("logout", $_SESSION['authUser'], $_SESSION['authProvider'], 1, "success");
57 authCloseSession();
58 authLoginScreen();
59 }
60 else
61 {
62 if (authCheckSession())
63 {
64 if (isset($_SESSION['pid']) && empty($GLOBALS['DAEMON_FLAG']))
65 {
66 require_once("{$GLOBALS['srcdir']}/patient.inc");
67 /**
68 $logpatient = getPatientData($_SESSION['pid'], "lname, fname, mname");
69 newEvent("view", $_SESSION['authUser'], $_SESSION['authProvider'],
70 "{$logpatient['lname']}, {$logpatient['fname']} {$logpatient['mname']} :: encounter " .
71 $_SESSION['encounter']);
72 **/
73 }
74 //LOG EVERYTHING
75 //newEvent("view", $_SESSION['authUser'], $_SESSION['authProvider'], $_SERVER['REQUEST_URI']);
76 }
77 else {
78 newEvent("login",$_POST['authUser'], $_POST['authProvider'], 0, "insufficient data sent");
79 authLoginScreen();
80 }
81 }
83 if (!isset($_SESSION["last_update"])) {
84 authLoginScreen();
85 } else {
86 //if page has not been updated in a given period of time, we call login screen
87 if ((time() - $_SESSION["last_update"]) > $timeout) {
88 newEvent("logout", $_SESSION['authUser'], $_SESSION['authProvider'], 0, "timeout");
89 authCloseSession();
90 authLoginScreen();
91 } else {
92 // Have a mechanism to skip the timeout reset mechanism if a skip_timeout_reset parameter exists. This
93 // can be used by scripts that continually request information from the server; for example the Messages
94 // and Reminders automated intermittent requests that happen in the Messages Center script and in
95 // the left navigation menu script.
96 if (empty($GLOBALS['DAEMON_FLAG']) && empty($_REQUEST['skip_timeout_reset'])) $_SESSION["last_update"] = time();
97 }
98 }
100 //----------THINGS WE DO IF WE STILL LIKE YOU
102 function authNewSession ($user, $pass, $provider, $new_upgrade_pass)
103 {
104 $ip = $_SERVER['REMOTE_ADDR'];
105 // check to see if the user belongs to *any* OpenEMR groups in phpGACL -- JRM
106 global $phpgacl_location;
107 if (isset ($phpgacl_location)) {
108 if (acl_get_group_titles($user) == 0) {
109 newEvent( 'login', $user, $provider, 0, "failure: $ip. user not in any phpGACL groups. (bad username?)");
110 return false;
111 }
112 }
114 // get details about the user
115 $authDB = sqlQuery("select id, password, authorized, see_auth".
116 ", cal_ui, active ".
117 " from users where username = '$user'");
119 // if the user is NOT active, get out
120 if ($authDB['active'] != 1) {
121 newEvent( 'login', $user, $provider, 0, "failure: $ip. user not active or not found in users table");
122 return false;
123 }
125 //VicarePlus :: If the password in DB is encrypted using 'md5' , it is updated with 'sha1' encryption and
126 //Vicareplus :: the user is asked to login again.
127 if (strlen($pass) == 32)
128 {
129 if ($authDB['password'] == $pass)
130 {
131 sqlStatement("update users set password='$new_upgrade_pass' where username = '$user'");
132 $_SESSION['relogin'] = 1;
133 }
134 else
135 {
136 newEvent( 'login', $user, $provider, 0, "failure: $ip. user password mismatch ($pass)");
137 return false;
138 }
139 }
140 // compare the submitted password with the stored password
141 if ($authDB['password'] == $pass)
142 {
143 //here, we check to see if the user is in fact a member of the correct group:
144 if ($authGroup = sqlQuery("select * from groups where user='$user' and name='$provider'"))
145 {
146 $_SESSION['authUser'] = $user;
147 $_SESSION['authGroup'] = $authGroup['name'];
148 $_SESSION['authUserID'] = $authDB['id'];
149 $_SESSION['authPass'] = $pass;
150 $_SESSION['authProvider'] = $provider;
151 $_SESSION['authId'] = $authDB{'id'};
152 $_SESSION['cal_ui'] = $authDB['cal_ui'];
153 $_SESSION['userauthorized'] = $authDB['authorized'];
154 // Some users may be able to authorize without being providers:
155 if ($authDB['see_auth'] > '2') $_SESSION['userauthorized'] = '1';
156 newEvent( 'login', $user, $provider, 1, "success: $ip");
157 return true;
158 } else {
159 newEvent( 'login', $user, $provider, 0, "failure: $ip. user not in group: $provider");
160 return false;
161 }
162 }
164 newEvent( 'login', $user, $provider, 0, "failure: $ip. user password mismatch ($pass)");
165 return false;
166 }
168 function authCheckSession ()
169 {
170 if (isset($_SESSION['authId'])) {
171 $authDB = sqlQuery("select username, password from users where id = '" .
172 $_SESSION['authId']."'");
173 if ($_SESSION['authUser'] == $authDB['username'] &&
174 $_SESSION['authPass'] == $authDB['password'])
175 {
176 return true;
177 }
178 else {
179 return false;
180 }
181 }
182 else {
183 return false;
184 }
185 }
187 function authCloseSession ()
188 {
189 // Before destroying the session, save its site_id so that the next
190 // login will default to that same site.
191 global $incoming_site_id;
192 $incoming_site_id = $_SESSION['site_id'];
193 ob_start();
194 session_unset();
195 session_destroy();
196 unset($_COOKIE[session_name()]);
197 }
199 function authLoginScreen()
200 {
201 // See comment in authCloseSession().
202 global $incoming_site_id;
203 header("Location: {$GLOBALS['login_screen']}?error=1&site=$incoming_site_id");
204 exit;
205 }
207 // Check if the user's password has expired beyond the grace limit.
208 // If so, deactivate the user
209 function authCheckExpired()
210 {
211 $auser=formData('authUser','P');
212 $result = sqlStatement("select pwd_expiration_date from users where username = '".$auser."'");
213 if($row = sqlFetchArray($result))
214 {
215 $pwd_expires = $row['pwd_expiration_date'];
216 }
217 $current_date = date("Y-m-d");
218 if($pwd_expires != "0000-00-00")
219 {
220 $grace_time1 = date("Y-m-d", strtotime($pwd_expires . "+".$GLOBALS['password_grace_time'] ."days"));
221 }
222 if(($grace_time1 != "") && strtotime($current_date) > strtotime($grace_time1))
223 {
224 sqlStatement("update users set active=0 where username = '".$auser."'");
225 $_SESSION['loginfailure'] = 1;
226 }
227 }
230 function addUser ($username, $password_md5, $info, $authorized = 'yes')
231 {
232 return sqlInsert("insert into users (username, password, info, authorized) values ('$username', '$password_md5', '$info', '$authorized')");
233 }
235 function delUser ($id)
236 {
237 return sqlQuery("delete from users where id = '$id' limit 0,1");
238 }
240 function changePasword ($id, $new_md5)
241 {
242 return sqlQuery("update users set password = '$new_md5' where id = '$id'");
243 }
245 function getUserList ($cols = '*', $limit = 'all', $start = '0')
246 {
247 if ($limit = "all")
248 $rez = sqlStatement("select $cols from users where username != '' order by date DESC");
249 else
250 $rez = sqlStatement("select $cols from users where username != '' order by date DESC limit $limit, $start");
251 for ($iter = 0; $row = sqlFetchArray($rez); $iter++)
252 $tbl[$iter] = $row;
253 return $tbl;
254 }
256 function getProviderList ($cols = '*', $limit= 'all', $start = '0')
257 {
258 if ($limit = "all")
259 $rez = sqlStatement("select $cols from groups order by date DESC");
260 else
261 $rez = sqlStatement("select $cols from groups order by date DESC limit $limit, $start");
262 for ($iter = 0; $row = sqlFetchArray($rez); $iter++)
263 $tbl[$iter] = $row;
264 return $tbl;
265 }
267 function addGroup ($groupname)
268 {
269 return sqlInsert("insert into groups (name) values ('$groupname')");
270 }
272 function delGroup ($group_id)
273 {
274 return sqlQuery("delete from groups where id = '$group_id' limit 0,1");
275 }
277 /***************************************************************
278 //pennfirm
279 //Function currently user by new post calendar code to determine
280 //if a given user is in a group with another user
281 //and if so to allow editing of that users events
282 //
283 //*************************************************************/
285 function validateGroupStatus ($user_to_be_checked, $group_user) {
286 if (isset($user_to_be_checked) && isset($group_user)) {
287 if ($user_to_be_checked == $group_user) {
289 return true;
290 }
291 elseif ($_SESSION['authorizeduser'] == 1)
292 return true;
294 $query = "SELECT groups.name FROM users,groups WHERE users.username = \"" . mysql_real_escape_string($user_to_be_checked) . "\" " .
295 "AND users.username = groups.user group by groups.name";
296 $result = sqlStatement($query);
298 $usertbcGroups = array();
300 while ($row = mysql_fetch_array($result)) {
301 $usertbcGroups[] = $row[0];
302 }
304 $query = "SELECT groups.name FROM users,groups WHERE users.username = \"" . mysql_real_escape_string($group_user) . "\" " .
305 "AND users.username = groups.user group by groups.name";
306 $result = sqlStatement($query);
308 $usergGroups = array();
310 while ($row = mysql_fetch_array($result)) {
311 $usergGroups[] = $row[0];
312 }
313 foreach ($usertbcGroups as $group) {
314 if(in_array($group,$usergGroups)) {
315 return true;
316 }
317 }
319 }
321 return false;
322 }
325 // Attempt to update the user's password, password history, and password expiration.
326 // Verify that the new password does not match the last three passwords used.
327 // Return true if successfull, false on failure
328 function UpdatePasswordHistory($userid,$pwd)
329 {
330 $result = sqlStatement("select password, pwd_history1, pwd_history2 from users where id = $userid");
331 if ($row = sqlFetchArray($result)) {
332 $previous_pwd1=$row['password'];
333 $previous_pwd2=$row['pwd_history1'];
334 $previous_pwd3=$row['pwd_history2'];
335 }
336 if (($pwd != $previous_pwd1) && ($pwd != $previous_pwd2) && ($pwd != $previous_pwd3)) {
337 sqlStatement("update users set pwd_history2='$previous_pwd2', pwd_history1='$previous_pwd1',password='$pwd' where id=$userid");
338 if($GLOBALS['password_expiration_days'] != 0){
339 $exp_days=$GLOBALS['password_expiration_days'];
340 $exp_date = date('Y-m-d', strtotime("+$exp_days days"));
341 sqlStatement("update users set pwd_expiration_date='$exp_date' where id=$userid");
342 }
343 return true;
344 }
345 else {
346 return false;
347 }
348 }
349 ?>