From 6875c62b04103b650c4304e385a346d52889990d Mon Sep 17 00:00:00 2001
From: Rod Roark
Date: Wed, 22 Mar 2017 10:14:12 -0700
Subject: [PATCH] Access control for individual issue types and document categories. (#580)

* Access control for individual issue types and document categories.
---
controllers/C_Document.class.php | 9 +-
controllers/C_DocumentCategory.class.php | 49 ++--
interface/forms/newpatient/common.php | 23 +-
interface/forms/newpatient/new.php | 8 +-
interface/forms/newpatient/save.php | 4 +-
interface/patient_file/report/patient_report.php | 6 +-
interface/patient_file/summary/add_edit_issue.php | 20 +-
interface/patient_file/summary/stats.php | 286 ++++++++++------------
interface/patient_file/summary/stats_full.php | 51 ++--
interface/super/edit_list.php | 61 ++---
library/acl.inc | 42 +++-
library/classes/CategoryTree.class.php | 8 +-
library/classes/Tree.class.php | 35 ++-
library/js/CategoryTreeMenu.js | 9 +-
library/lists.inc | 15 +-
sql/5_0_0-to-5_0_1_upgrade.sql | 8 +
sql/database.sql | 60 ++---
templates/document_categories/general_list.html | 30 ++-
templates/practice_settings/general_list.html | 2 +-
version.php | 5 +-
20 files changed, 429 insertions(+), 302 deletions(-)

diff --git a/controllers/C_Document.class.php b/controllers/C_Document.class.php
index cbc63ae24..8a3ff808c 100644
--- a/controllers/C_Document.class.php
+++ b/controllers/C_Document.class.php
@@ -1105,10 +1105,13 @@ class C_Document extends Controller { $icon = "file3.png"; if (is_array($categories[$id])) { foreach ($categories[$id] as $doc) { + $link = $this->_link("view") . "doc_id=" . $doc['document_id'] . "&"; + // If user has no access then there will be no link. + if (!acl_check_aco_spec($doc['aco_spec'])) $link = ''; if($this->tree->get_node_name($id) == "CCR"){ $current_node->addItem(new HTML_TreeNode(array( 'text' => $doc['docdate'] . ' ' . basename_international($doc['url']), - 'link' => $this->_link("view") . "doc_id=" . $doc['document_id'] . "&", + 'link' => $link, 'icon' => $icon, 'expandedIcon' => $expandedIcon, 'events' => array('Onclick' => "javascript:newwindow=window.open('ccr/display.php?type=CCR&doc_id=" . $doc['document_id'] . "','CCR');") @@ -1116,7 +1119,7 @@ class C_Document extends Controller { }elseif($this->tree->get_node_name($id) == "CCD"){ $current_node->addItem(new HTML_TreeNode(array( 'text' => $doc['docdate'] . ' ' . basename_international($doc['url']), - 'link' => $this->_link("view") . "doc_id=" . $doc['document_id'] . "&", + 'link' => $link, 'icon' => $icon, 'expandedIcon' => $expandedIcon, 'events' => array('Onclick' => "javascript:newwindow=window.open('ccr/display.php?type=CCD&doc_id=" . $doc['document_id'] . "','CCD');") @@ -1124,7 +1127,7 @@ class C_Document extends Controller { }else{ $current_node->addItem(new HTML_TreeNode(array( 'text' => $doc['docdate'] . ' ' . basename_international($doc['url']), - 'link' => $this->_link("view") . "doc_id=" . $doc['document_id'] . "&", + 'link' => $link, 'icon' => $icon, 'expandedIcon' => $expandedIcon ))); diff --git a/controllers/C_DocumentCategory.class.php b/controllers/C_DocumentCategory.class.php index 33c7bd4cf..86cc5f347 100644 --- a/controllers/C_DocumentCategory.class.php +++ b/controllers/C_DocumentCategory.class.php @@ -46,25 +46,50 @@ class C_DocumentCategory extends Controller { function add_node_action($parent_is) { //echo $parent_is ."
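Review bot: Clearing `$link` when acl_check_aco_spec() fails only removes the href; in the CCR branch the `'events' => array('Onclick' => "javascript:newwindow=window.open('ccr/display.php?type=CCR&doc_id=...')")` entry is still attached unconditionally, so the tree node still opens the document on click for a user the check was meant to exclude, and the CCD branch in the following hunk (@@ -1116) has the same pattern. Build the events array under the same condition as the link, e.g. `$events = acl_check_aco_spec($doc['aco_spec']) ? array('Onclick' => "...") : array();` and pass `'events' => $events`. Suppressing the link is a presentation measure only; whether the `view` action re-checks the document's aco_spec server-side is not visible in this diff and should be confirmed. The enclosing method starts and ends outside the hunk.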
"; //echo $this->tree->get_node_name($parent_is); + $info = $this->tree->get_node_info($parent_is); $this->assign("parent_name",$this->tree->get_node_name($parent_is)); $this->assign("parent_is",$parent_is); $this->assign("add_node",true); + $this->assign("edit_node", false); + $this->assign("VALUE", ''); + // Access control defaults to that of the parent. + $this->assign("ACO_OPTIONS", "" . gen_aco_html_options($info['aco_spec'])); return $this->list_action(); } function add_node_action_process() { - if ($_POST['process'] != "true") - return; + if ($_POST['process'] != "true") return; $name = $_POST['name']; $parent_is = $_POST['parent_is']; $parent_name = $this->tree->get_node_name($parent_is); - $this->tree->add_node($parent_is,$name); + $this->tree->add_node($parent_is, $name, $_POST['value'], $_POST['aco_spec']); $trans_message = xl('Sub-category','','',' ') . "'" . xl_document_category($name) . "'" . xl('successfully added to category,','',' ',' ') . "'" . $parent_name . "'"; $this->assign("message",$trans_message); $this->_state = false; return $this->list_action(); } + function edit_node_action($parent_is) { + $info = $this->tree->get_node_info($parent_is); + $this->assign("parent_is",$parent_is); + $this->assign("NAME" , $this->tree->get_node_name($parent_is)); + $this->assign("VALUE", $info['value']); + $this->assign("ACO_OPTIONS", "" . gen_aco_html_options($info['aco_spec'])); + $this->assign("add_node",false); + $this->assign("edit_node",true); + return $this->list_action(); + } + + function edit_node_action_process() { + if ($_POST['process'] != "true") return; + $parent_is = $_POST['parent_is']; + $this->tree->edit_node($parent_is, $_POST['name'], $_POST['value'], $_POST['aco_spec']); + $trans_message = xl('Category changed.'); + $this->assign("message", $trans_message); + $this->_state = false; + return $this->list_action(); + } + function delete_node_action_process($id) { if ($_POST['process'] != "true") return; 
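Review bot: `$_POST['aco_spec']` and `$_POST['value']` are handed straight to `$this->tree->add_node(...)` in add_node_action_process and to `$this->tree->edit_node(...)` in edit_node_action_process without being validated against the choices gen_aco_html_options() offers, so any string submitted with the form becomes the category's stored access-control spec. Validate the posted spec against the known ACO list before persisting and reject the request otherwise, so that nothing unexpected reaches acl_check_aco_spec() when categories are later displayed; whether Tree::add_node/edit_node do this themselves cannot be told here, since the Tree.class.php hunk is not on this page. As a smaller point, `if ($_POST['process'] != "true") return;` is a loose comparison where `!==` would be the strict form.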
@@ -93,24 +118,6 @@ class C_DocumentCategory extends Controller { return $this->list_action(); } - function edit_action_process() { - if ($_POST['process'] != "true") - return; - //print_r($_POST); - if (is_numeric($_POST['id'])) { - $this->document_categories[0] = new Pharmacy($_POST['id']); - } - else { - $this->document_categories[0] = new Pharmacy(); - } - parent::populate_object($this->document_categories[0]); - //print_r($this->document_categories[0]); - //echo $this->document_categories[0]->toString(true); - $this->document_categories[0]->persist(); - //echo "action processeed"; - $_POST['process'] = ""; - } - function &_array_recurse($array) { if (!is_array($array)) { $array = array(); diff --git a/interface/forms/newpatient/common.php b/interface/forms/newpatient/common.php index 46f00291f..e49a4adfa 100644 --- a/interface/forms/newpatient/common.php +++ b/interface/forms/newpatient/common.php @@ -19,6 +19,9 @@ */ require_once("$srcdir/options.inc.php"); +require_once("$srcdir/acl.inc"); +require_once("$srcdir/lists.inc"); + if($GLOBALS['enable_group_therapy']){ require_once("$srcdir/group.inc"); } @@ -356,6 +359,18 @@ if ($fres) { + + $dummy) { + if (!acl_check_issue($type, '', 'write')) { + $issuesauth = false; + break; + } + } + if ($issuesauth) { +?>
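Review bot: The `$issuesauth` loop in the @@ -356 hunk of common.php is all-or-nothing: the first issue type that fails `acl_check_issue($type, '', 'write')` breaks out and hides the entire issues section, so a user with write access to some issue types but not others can no longer link any issue to the encounter. If that is intended, a one-line comment would make it clear, e.g. `// The issues list is shown only when the user may write every issue type; partial access hides it entirely.`; otherwise filtering the listed issues by type is the finer-grained alternative. The surrounding markup is garbled in this rendering, so the exact shape of the block is inferred.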
@@ -365,6 +380,8 @@ if ($fres) { onclick="top.restoreSession()"> + + @@ -374,6 +391,8 @@ if ($fres) { > + + -

+ @@ -472,6 +491,4 @@ if (!$viewmode) { ?> - - diff --git a/interface/forms/newpatient/new.php b/interface/forms/newpatient/new.php index 0eb033151..ccc927efa 100644 --- a/interface/forms/newpatient/new.php +++ b/interface/forms/newpatient/new.php @@ -28,14 +28,10 @@ include_once("$srcdir/lists.inc"); // Check permission to create encounters. $tmp = getPatientData($pid, "squad"); if (($tmp['squad'] && ! acl_check('squads', $tmp['squad'])) || - ! (acl_check('encounters', 'notes_a' ) || - acl_check('encounters', 'notes' ) || - acl_check('encounters', 'coding_a') || - acl_check('encounters', 'coding' ) || - acl_check('encounters', 'relaxed' ))) + !acl_check_form('newpatient', '', array('write', 'addonly'))) { echo "\n\n"; - echo "

(" . xlt('New encounters not authorized'). ")

\n"; + echo "

(" . xlt('New encounters not authorized') . ")

\n"; echo "\n\n"; exit(); } diff --git a/interface/forms/newpatient/save.php b/interface/forms/newpatient/save.php index 34a118a46..5a212f87f 100644 --- a/interface/forms/newpatient/save.php +++ b/interface/forms/newpatient/save.php @@ -101,9 +101,9 @@ else { setencounter($encounter); // Update the list of issues associated with this encounter. -sqlStatement("DELETE FROM issue_encounter WHERE " . - "pid = ? AND encounter = ?", array($pid,$encounter) ); if (is_array($_POST['issues'])) { + sqlStatement("DELETE FROM issue_encounter WHERE " . + "pid = ? AND encounter = ?", array($pid, $encounter)); foreach ($_POST['issues'] as $issue) { $query = "INSERT INTO issue_encounter ( pid, list_id, encounter ) VALUES (?,?,?)"; sqlStatement($query, array($pid,$issue,$encounter)); diff --git a/interface/patient_file/report/patient_report.php b/interface/patient_file/report/patient_report.php index 595254996..3f90cf9cd 100644 --- a/interface/patient_file/report/patient_report.php +++ b/interface/patient_file/report/patient_report.php @@ -457,20 +457,22 @@ while($row = sqlFetchArray($res)) { qstr($pid); $result = $db->Execute($sql); if ($db->ErrorMsg()) echo $db->ErrorMsg(); while ($result && !$result->EOF) { + if (empty($result->fields['aco_spec']) || acl_check_aco_spec($result->fields['aco_spec'])) { echo "
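Review bot: The new condition `!acl_check_form('newpatient', '', array('write', 'addonly'))` replaces five ORed encounter ACO checks with a per-form lookup whose definition lives in library/acl.inc, which is not shown on this page, so whether existing roles keep the same result (and what the function falls back to when no form-specific ACO is configured) cannot be confirmed from the hunk. A short comment above the check naming the intended fallback would help the next reader, e.g. `// Per-form ACO for 'newpatient'; see acl_check_form() for the behaviour when none is configured.`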
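Review bot: Moving the `DELETE FROM issue_encounter` inside `if (is_array($_POST['issues']))` means a save that unchecks every issue no longer clears the existing links, because browsers omit unchecked checkboxes and `$_POST['issues']` is then not an array; before this change such a save removed all associations. If the intent is to leave links untouched only when the issues list was not rendered (the ACL-gated block in common.php), the form can post a hidden marker field whenever the list is shown and the delete can be keyed on that marker instead of on the checkbox array. The INSERT loop also trusts the posted issue ids as-is; since the list is hidden only client-side on ACL grounds, re-checking acl_check_issue() against each posted issue's type before inserting is the server-side counterpart of that gate.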
  • "; echo ''; echo '  ' . xl_document_category($result->fields['name']) . ""; echo '  ' . xl('Name') . ': ' . basename($result->fields['url']) . ""; echo '
  • '; - $result->MoveNext(); + } + $result->MoveNext(); } ?> diff --git a/interface/patient_file/summary/add_edit_issue.php b/interface/patient_file/summary/add_edit_issue.php index 264a33698..48c511437 100644 --- a/interface/patient_file/summary/add_edit_issue.php +++ b/interface/patient_file/summary/add_edit_issue.php @@ -60,8 +60,9 @@ $thisenc = 0 + (empty($_REQUEST['thisenc']) ? 0 : $_REQUEST['thisenc']); // A nonempty thistype is an issue type to be forced for a new issue. $thistype = empty($_REQUEST['thistype']) ? '' : $_REQUEST['thistype']; -if ($issue && !acl_check('patients','med','','write') ) die(xlt("Edit is not authorized!")); -if ( !acl_check('patients','med','',array('write','addonly') )) die(xlt("Add is not authorized!")); +if ($thistype && !$issue && !acl_check_issue($thistype, '', array('write', 'addonly'))) { + die(xlt("Add is not authorized!")); +} $tmp = getPatientData($thispid, "squad"); if ($tmp['squad'] && ! acl_check('squads', $tmp['squad'])) @@ -72,7 +73,6 @@ function QuotedOrNull($fld) { return "NULL"; } - // Do not use this function since quotes are added in query escaping mechanism // Only keeping since used in the football injury code football_injury.inc.php that is included. // If start using this function, then incorporate the add_escape_custom() function into it @@ -361,10 +361,15 @@ if ($_POST['form_save']) { } $irow = array(); -if ($issue) - $irow = sqlQuery("SELECT * FROM lists WHERE id = ?",array($issue)); -else if ($thistype) +if ($issue) { + $irow = sqlQuery("SELECT * FROM lists WHERE id = ?", array($issue)); + if (!acl_check_issue($irow['type'], '', 'write')) { + die(xlt("Edit is not authorized!")); + } +} +else if ($thistype) { $irow['type'] = $thistype; +} $type_index = 0; @@ -648,7 +653,7 @@ $(document).ready(function() { $value) { if ($issue || $thistype) { if ($index == $type_index) { echo text($value[1]); @@ -657,6 +662,7 @@ $(document).ready(function() { } else { echo " " . text($value[1]) . " \n"; } ++$index; 
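Review bot: The added guard treats an empty `aco_spec` as unrestricted (`empty($result->fields['aco_spec']) || acl_check_aco_spec(...)`), while the C_Document.class.php hunk calls `acl_check_aco_spec($doc['aco_spec'])` with no empty check; unless acl_check_aco_spec() itself returns true for an empty spec (its definition in library/acl.inc is not on this page), the two call sites disagree on whether a document in a category with no spec is shown. Pick one convention — either have acl_check_aco_spec() own the empty case or guard both callers — and say so at the call site, e.g. `// An empty aco_spec means the category is unrestricted.`. Moving `$result->MoveNext();` outside the new `if` is correct; leaving it inside would loop forever on the first denied row.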
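Review bot: After the @@ -60 hunk a new issue requested without `thistype` gets no authorization check at the top of the script: the remaining early check runs only when `$thistype && !$issue`, and the edit check added in the @@ -361 hunk runs after the `if ($_POST['form_save'])` block and only when `$issue` is set. So for a fresh issue whose type is chosen in the form, the save path relies on an acl_check_issue() against the posted type inside the form_save handler, which is not part of this diff and should be confirmed; if it is absent, an `acl_check_issue(<posted type field>, '', array('write', 'addonly'))` check followed by `die(xlt("Add is not authorized!"))` belongs before the insert. The removed lines also rejected users with no `patients/med` access at all; with that gate gone, such a user reaches the form and is only stopped at save, if at all.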
diff --git a/interface/patient_file/summary/stats.php b/interface/patient_file/summary/stats.php index 0218673c8..850294054 100644 --- a/interface/patient_file/summary/stats.php +++ b/interface/patient_file/summary/stats.php @@ -16,20 +16,6 @@ include_once("$srcdir/options.inc.php");
    -(".htmlspecialchars(xl('Issues not authorized'),ENT_NOQUOTES).")

    \n"; - echo "\n\n"; - exit(); -} -?> - - + - {if $message} {/if} - {if $add_node eq true} + {if $add_node eq true or $edit_node eq true}
    {xl t="Document Categories"}
    {$tree_html}{$message} - {xl t="The new category will be a sub-category of "} {$parent_name}
    + {if $add_node eq true} + {xl t="This new category will be a sub-category of "} {$parent_name}
    + {/if}
    - {xl t="Category Name"}:    - + + + + + + + + + + + + + + +
    {xl t="Category Name"} 
    {xl t="Value"} 
    {xl t="Access Control"} 
    +  
    + +
    diff --git a/templates/practice_settings/general_list.html b/templates/practice_settings/general_list.html index d1363be89..72fbbd5d9 100644 --- a/templates/practice_settings/general_list.html +++ b/templates/practice_settings/general_list.html @@ -28,7 +28,7 @@ {$ACTION_NAME}
    -
    +
    {$display}
    diff --git a/version.php b/version.php index 108128c23..8adeab766 100644 --- a/version.php +++ b/version.php @@ -17,7 +17,7 @@ $v_realpatch = '0'; // is a database change in the course of development. It is used // internally to determine when a database upgrade is needed. // -$v_database = 216; +$v_database = 217; // Access control version identifier, this is to be incremented whenever there // is a access control change in the course of development. It is used @@ -35,8 +35,7 @@ $v_offsite_portal='1.47'; // end with "?v=$v_js_includes". Search the code for examples of doing this. // All this is to keep browsers from using an older cached version. // Need to assign it as a global below to work in template scripts. -$v_js_includes = 20; - +$v_js_includes = 21; // Do note modify below $GLOBALS['v_js_includes'] = $v_js_includes; -- 2.11.4.GIT