| blob | 0ccd1e067b7c20f860b1e1fcd97d1c090e74d081 |
1 <?php
2 //----------THINGS WE ALWAYS DO
4 require_once("{$GLOBALS['srcdir']}/log.inc");
5 require_once("{$GLOBALS['srcdir']}/sql.inc");
6 // added for the phpGACL group check -- JRM
7 require_once("{$GLOBALS['srcdir']}/acl.inc");
9 if (isset($_GET['auth']) && ($_GET['auth'] == "login") && isset($_POST['authUser']) &&
10 isset($_POST['authPass']) && isset($_POST['authProvider']))
11 {
12 if (!authNewSession($_POST['authUser'], $_POST['authPass'], $_POST['authProvider']))
13 {
14 newEvent("login",$_POST['authUser'], $_POST['authProvider'], "failure");
15 authLoginScreen();
16 }
17 newEvent("login", $_POST['authUser'], $_POST['authProvider'], "success");
18 //store the very first initial timestamp for timeout errors
19 $_SESSION["last_update"] = time();
20 }
21 else if ( (isset($_GET['auth'])) && ($_GET['auth'] == "logout") )
22 {
23 newEvent("logout", $_SESSION['authUser'], $_SESSION['authProvider'], "success");
24 authCloseSession();
25 authLoginScreen();
26 }
27 else
28 {
29 if (authCheckSession())
30 {
31 if (isset($_SESSION['pid']) && empty($GLOBALS['DAEMON_FLAG']))
32 {
33 require_once("{$GLOBALS['srcdir']}/patient.inc");
34 $logpatient = getPatientData($_SESSION['pid'], "lname, fname, mname");
35 newEvent("view", $_SESSION['authUser'], $_SESSION['authProvider'],
36 "{$logpatient['lname']}, {$logpatient['fname']} {$logpatient['mname']} :: encounter " .
37 $_SESSION['encounter']);
38 }
39 //LOG EVERYTHING
40 //newEvent("view", $_SESSION['authUser'], $_SESSION['authProvider'], $_SERVER['REQUEST_URI']);
41 }
42 else {
43 newEvent("login",$_POST['authUser'], $_POST['authProvider'], "insufficient data sent");
44 authLoginScreen();
45 }
46 }
48 if (!isset($_SESSION["last_update"])) {
49 authLoginScreen();
50 } else {
51 //if page has not been updated in a given period of time, we call login screen
52 if ((time() - $_SESSION["last_update"]) > $timeout) {
53 newEvent("logout", $_SESSION['authUser'], $_SESSION['authProvider'], "timeout");
54 authCloseSession();
55 authLoginScreen();
56 } else {
57 if (empty($GLOBALS['DAEMON_FLAG'])) $_SESSION["last_update"] = time();
58 }
59 }
61 //----------THINGS WE DO IF WE STILL LIKE YOU
63 function authNewSession ($user, $pass, $provider)
64 {
65 // check to see if the user belongs to *any* OpenEMR groups in phpGACL -- JRM
66 global $phpgacl_location;
67 if (isset ($phpgacl_location)) {
68 if (acl_get_group_titles($user) == 0) return false;
69 }
71 //session_name("OpenEMR");
72 //session_id("81279258720".str_replace(".", "", $_SERVER['REMOTE_ADDR']));
73 if(!session_id()) { session_start(); }
74 //echo "user is: $user pass is: $pass provider is: $provider<br />";
76 //(CHEMED) added cal_ui to the list of fields, so we can change calendar UI for this user.
77 // Is this the right place to do it?
78 $authDB = sqlQuery("select id, password, authorized, see_auth, cal_ui from users " .
79 "where username = '$user'");
80 //echo "<br>auth pass: ".$authDB['password'];
81 if ($authDB['password'] == $pass)
82 {
83 //here, we check to see if the user is in fact a member of the correct group:
84 if ($authGroup = sqlQuery("select * from groups where user='$user' and name='$provider'"))
85 {
86 $_SESSION['authUser'] = $user;
87 $_SESSION['authGroup'] = $authGroup['name'];
88 $_SESSION['authUserID'] = $authDB['id'];
89 $_SESSION['authPass'] = $pass;
90 $_SESSION['authProvider'] = $provider;
91 $_SESSION['authId'] = $authDB{'id'};
92 $_SESSION['cal_ui'] = $authDB['cal_ui'];
93 $_SESSION['userauthorized'] = $authDB['authorized'];
94 // Some users may be able to authorize without being providers:
95 if ($authDB['see_auth'] > '2') $_SESSION['userauthorized'] = '1';
96 return true;
97 } else {
98 return false;
99 }
100 }
101 else
102 return false;
103 }
105 function authCheckSession ()
106 {
107 if (isset($_SESSION['authId'])) {
108 $authDB = sqlQuery("select username, password from users where id = '" .
109 $_SESSION['authId']."'");
110 if ($_SESSION['authUser'] == $authDB['username'] &&
111 $_SESSION['authPass'] == $authDB['password'])
112 {
113 return true;
114 }
115 else {
116 return false;
117 }
118 }
119 else {
120 return false;
121 }
122 }
124 function authCloseSession ()
125 {
126 ob_start();
127 session_unset();
128 // $_SESSION = array();
129 session_destroy();
130 //setcookie(session_name(),"","","/");
131 //the following does the same as the above line:
132 //if(isset($_COOKIE[session_name()])) {
133 // session_start();
134 // session_destroy();
135 unset($_COOKIE[session_name()]);
136 //}
137 }
139 function authLoginScreen()
140 {
141 //header("Location: https://{$_SERVER['HTTP_HOST']}{$GLOBALS['login_screen']}");
142 header("Location: {$GLOBALS['login_screen']}");
143 exit;
144 }
146 function addUser ($username, $password_md5, $info, $authorized = 'yes')
147 {
148 return sqlInsert("insert into users (username, password, info, authorized) values ('$username', '$password_md5', '$info', '$authorized')");
149 }
151 function delUser ($id)
152 {
153 return sqlQuery("delete from users where id = '$id' limit 0,1");
154 }
156 function changePasword ($id, $new_md5)
157 {
158 return sqlQuery("update users set password = '$new_md5' where id = '$id'");
159 }
161 function getUserList ($cols = '*', $limit = 'all', $start = '0')
162 {
163 if ($limit = "all")
164 $rez = sqlStatement("select $cols from users where username != '' order by date DESC");
165 else
166 $rez = sqlStatement("select $cols from users where username != '' order by date DESC limit $limit, $start");
167 for ($iter = 0; $row = sqlFetchArray($rez); $iter++)
168 $tbl[$iter] = $row;
169 return $tbl;
170 }
172 function getProviderList ($cols = '*', $limit= 'all', $start = '0')
173 {
174 if ($limit = "all")
175 $rez = sqlStatement("select $cols from groups order by date DESC");
176 else
177 $rez = sqlStatement("select $cols from groups order by date DESC limit $limit, $start");
178 for ($iter = 0; $row = sqlFetchArray($rez); $iter++)
179 $tbl[$iter] = $row;
180 return $tbl;
181 }
183 function addGroup ($groupname)
184 {
185 return sqlInsert("insert into groups (name) values ('$groupname')");
186 }
188 function delGroup ($group_id)
189 {
190 return sqlQuery("delete from groups where id = '$group_id' limit 0,1");
191 }
193 /***************************************************************
194 //pennfirm
195 //Function currently user by new post calendar code to determine
196 //if a given user is in a group with another user
197 //and if so to allow editing of that users events
198 //
199 //*************************************************************/
201 function validateGroupStatus ($user_to_be_checked, $group_user) {
202 if (isset($user_to_be_checked) && isset($group_user)) {
203 if ($user_to_be_checked == $group_user) {
205 return true;
206 }
207 elseif ($_SESSION['authorizeduser'] == 1)
208 return true;
210 $query = "SELECT groups.name FROM users,groups WHERE users.username = \"" . mysql_real_escape_string($user_to_be_checked) . "\" " .
211 "AND users.username = groups.user group by groups.name";
212 $result = sqlStatement($query);
214 $usertbcGroups = array();
216 while ($row = mysql_fetch_array($result)) {
217 $usertbcGroups[] = $row[0];
218 }
220 $query = "SELECT groups.name FROM users,groups WHERE users.username = \"" . mysql_real_escape_string($group_user) . "\" " .
221 "AND users.username = groups.user group by groups.name";
222 $result = sqlStatement($query);
224 $usergGroups = array();
226 while ($row = mysql_fetch_array($result)) {
227 $usergGroups[] = $row[0];
228 }
229 foreach ($usertbcGroups as $group) {
230 if(in_array($group,$usergGroups)) {
231 return true;
232 }
233 }
235 }
237 return false;
238 }
239 ?>