1 <?php
2 //----------THINGS WE ALWAYS DO
4 require_once("{$GLOBALS['srcdir']}/log.inc");
5 require_once("{$GLOBALS['srcdir']}/sql.inc");
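// Request dispatch: a login attempt, a logout, or an ordinary page load that
// must carry a valid session. The $_GET/$_POST reads are guarded so a request
// without them no longer trips undefined-index notices; the flow itself is
// unchanged, and every failure path ends in authLoginScreen(), which exits.
if (isset($_GET['auth']) && $_GET['auth'] === "login" && isset($_POST['authUser']) && isset($_POST['authPass']) && isset($_POST['authProvider']))
{
        if (!authNewSession($_POST['authUser'], $_POST['authPass'], $_POST['authProvider']))
        {
                newEvent("login", $_POST['authUser'], $_POST['authProvider'], "failure");
                authLoginScreen(); // never returns
        }
        newEvent("login", $_POST['authUser'], $_POST['authProvider'], "success");
        // First activity timestamp; the idle-timeout block below refreshes it
        // on every later request.
        $_SESSION["last_update"] = time();
}
else if (isset($_GET['auth']) && $_GET['auth'] === "logout")
{
        // NOTE(review): logout is driven by a bare GET parameter, so any page
        // that can make the browser fetch "?auth=logout" can end the session
        // (logout CSRF). A POST with a token would be the usual mitigation.
        newEvent("logout", $_SESSION['authUser'], $_SESSION['authProvider'], "success");
        authCloseSession();
        authLoginScreen();
}
else
{
        if (authCheckSession())
        {
                // Audit the patient-record view for this request, except for
                // daemon runs. empty() keeps the same truthiness as the old
                // "!$GLOBALS['DAEMON_FLAG']" without the notice when it is unset.
                if (isset($_SESSION['pid']) && empty($GLOBALS['DAEMON_FLAG']))
                {
                        require_once("{$GLOBALS['srcdir']}/patient.inc");
                        $logpatient = getPatientData($_SESSION['pid'], "lname, fname, mname");
                        newEvent("view", $_SESSION['authUser'], $_SESSION['authProvider'], "{$logpatient['lname']}, {$logpatient['fname']} {$logpatient['mname']} :: encounter ".$_SESSION['encounter']);
                }
                //LOG EVERYTHING
                //newEvent("view", $_SESSION['authUser'], $_SESSION['authProvider'], $_SERVER['REQUEST_URI']);
        }
        else {
                // No valid session and not a complete login attempt: record
                // whatever credentials were posted (if any) and bounce.
                newEvent("login",
                        isset($_POST['authUser']) ? $_POST['authUser'] : '',
                        isset($_POST['authProvider']) ? $_POST['authProvider'] : '',
                        "insufficient data sent");
                authLoginScreen();
        }
}

// Idle-timeout enforcement. $timeout is not defined in this file; it is
// expected to come from the including configuration. NOTE(review): if it is
// unset the comparison is against null, so any request more than a second
// after the last one would be treated as timed out — confirm it is always set.
if (!isset($_SESSION["last_update"])) {
        authLoginScreen();
} else {
        // If the session has been idle longer than $timeout, log it out.
        if ((time() - $_SESSION["last_update"]) > $timeout) {
                newEvent("logout", $_SESSION['authUser'], $_SESSION['authProvider'], "timeout");
                authCloseSession();
                authLoginScreen();
        } else {
                // Daemon requests must not keep an interactive session alive.
                if (empty($GLOBALS['DAEMON_FLAG'])) $_SESSION["last_update"] = time();
        }
}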
55 //----------THINGS WE DO IF WE STILL LIKE YOU
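/**
 * Authenticate $user/$pass and confirm membership in the $provider group,
 * populating $_SESSION on success.
 *
 * @param string $user     login name (users.username), straight from $_POST
 * @param string $pass     credential as posted; it is compared verbatim with
 *                         users.password, so it must already be in the stored
 *                         form (the addUser()/changePasword() parameter names
 *                         suggest an MD5 hex digest — confirm against the login form)
 * @param string $provider group name (groups.name) the user must belong to
 * @return bool true when the credential matches and the group row exists
 */
function authNewSession ($user, $pass, $provider)
{
        if(!session_id()) {
          session_start();
        }

        // Both values come straight from the request: escape before they are
        // interpolated into SQL (the original concatenated them raw).
        $safeUser = mysql_real_escape_string($user);
        $safeProvider = mysql_real_escape_string($provider);

        $authDB = sqlQuery("select id, password, authorized from users where username = '$safeUser'");
        if (!$authDB) {
                // Unknown user. Without this guard an empty $pass would compare
                // loosely equal (null == "") to the missing password column.
                return false;
        }

        // Strict comparison: '==' on two numeric-looking strings (e.g. digests
        // beginning with "0e") compares them as numbers. hash_equals() would
        // additionally make this constant-time where PHP >= 5.6 is available.
        if ($authDB['password'] !== $pass) {
                return false;
        }

        // The user must also be a member of the group they claim to log in under.
        $authGroup = sqlQuery("select * from groups where user='$safeUser' and name='$safeProvider'");
        if (!$authGroup) {
                return false;
        }

        // Issue a fresh session id on privilege change so an id planted in the
        // browser before login (session fixation) does not become the
        // authenticated session.
        session_regenerate_id(true);

        $_SESSION['authUser'] = $user;
        $_SESSION['authGroup'] = $authGroup['name'];
        $_SESSION['authUserID'] = $authDB['id'];
        // Kept because authCheckSession() re-validates the session against
        // users.password on every request. NOTE(review): if the posted value is
        // a plaintext password rather than a digest, holding it in session
        // state is a liability and a different re-validation token is warranted.
        $_SESSION['authPass'] = $pass;
        $_SESSION['authProvider'] = $provider;
        $_SESSION['authId'] = $authDB['id'];
        $_SESSION['userauthorized'] = $authDB['authorized'];
        return true;
}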
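/**
 * Re-validate the current session against the users table.
 *
 * @return bool true only when $_SESSION carries an authId whose users row
 *              still has the same username and password that were stored in
 *              the session at login
 */
function authCheckSession ()
{
        if (!isset($_SESSION['authId'])) {
                return false;
        }
        // authId was copied from users.id at login, but escape it rather than
        // trusting session contents blindly in a string-built query.
        $safeId = mysql_real_escape_string($_SESSION['authId']);
        $authDB = sqlQuery("select username, password from users where id = '$safeId'");
        if (!$authDB) {
                // Row deleted since login (see delUser): the session is no longer valid.
                return false;
        }
        // Strict comparisons avoid numeric-string juggling with '=='.
        return isset($_SESSION['authUser'], $_SESSION['authPass'])
                && $_SESSION['authUser'] === $authDB['username']
                && $_SESSION['authPass'] === $authDB['password'];
}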
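/**
 * Tear down the current session on the server and expire the session cookie
 * on the client.
 *
 * The original only unset($_COOKIE[session_name()]), which changes nothing in
 * the browser: the old id keeps being sent and is simply re-adopted by the
 * next session_start(). Sending an expired Set-Cookie is what actually
 * retires it.
 */
function authCloseSession ()
{
        // Presumably buffers any output already emitted so the redirect header
        // that normally follows (authLoginScreen) can still be sent.
        ob_start();
        if (session_id()) {
                session_unset();
                session_destroy();
        }
        if (isset($_COOKIE[session_name()])) {
                // Expire the cookie with the same attributes it was issued with,
                // otherwise the browser treats it as a different cookie.
                $p = session_get_cookie_params();
                setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
                unset($_COOKIE[session_name()]);
        }
}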
/**
 * Redirect the client to the configured login screen and stop processing.
 * $GLOBALS['login_screen'] is expected to be set by the application config
 * before this file is included.
 */
function authLoginScreen()
{
        $target = $GLOBALS['login_screen'];
        header('Location: ' . $target);
        exit;
}
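/**
 * Insert a users row.
 *
 * @param string $username
 * @param string $password_md5 credential exactly as it should be stored; the
 *                             caller, not this function, produces it.
 *                             NOTE(review): an unsalted MD5 is not an adequate
 *                             password hash, but authNewSession() compares
 *                             users.password verbatim, so the storage format
 *                             cannot change here alone.
 * @param string $info
 * @param string $authorized   'yes'/'no' flag, default 'yes'
 * @return mixed whatever sqlInsert() returns
 */
function addUser ($username, $password_md5, $info, $authorized = 'yes')
{
        // Every argument is spliced into the statement: escape them all.
        $u = mysql_real_escape_string($username);
        $p = mysql_real_escape_string($password_md5);
        $i = mysql_real_escape_string($info);
        $a = mysql_real_escape_string($authorized);
        return sqlInsert("insert into users (username, password, info, authorized) values ('$u', '$p', '$i', '$a')");
}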
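/**
 * Delete the users row with the given id.
 *
 * @param mixed $id users.id
 * @return mixed whatever sqlQuery() returns
 */
function delUser ($id)
{
        // MySQL's single-table DELETE accepts only "LIMIT row_count"; the
        // original "limit 0,1" (offset form) is not valid syntax there.
        $safeId = mysql_real_escape_string($id);
        return sqlQuery("delete from users where id = '$safeId' limit 1");
}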
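/**
 * Replace the stored credential for a user. (The misspelled name is kept
 * because callers use it.)
 *
 * @param mixed  $id      users.id
 * @param string $new_md5 new credential in stored form; see addUser()
 * @return mixed whatever sqlQuery() returns
 */
function changePasword ($id, $new_md5)
{
        $safeId = mysql_real_escape_string($id);
        $safePw = mysql_real_escape_string($new_md5);
        return sqlQuery("update users set password = '$safePw' where id = '$safeId'");
}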
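/**
 * Fetch users rows (username non-empty), newest first.
 *
 * Fixes: the original tested "if ($limit = 'all')" (assignment, always true),
 * so paging never happened; the LIMIT clause had offset and count swapped;
 * and $tbl was undefined (null returned) when there were no rows.
 *
 * @param string     $cols  column list spliced into the SELECT — must be a
 *                          caller-supplied constant, never request data
 * @param string|int $limit row count, or 'all' for no paging
 * @param string|int $start row offset when paging
 * @return array list of associative rows, empty when none
 */
function getUserList ($cols = '*', $limit = 'all', $start = '0')
{
        if ($limit === 'all') {
                $rez = sqlStatement("select $cols from users where username != '' order by date DESC");
        } else {
                // MySQL LIMIT is "offset, count".
                $offset = (int) $start;
                $count = (int) $limit;
                $rez = sqlStatement("select $cols from users where username != '' order by date DESC limit $offset, $count");
        }
        $tbl = array();
        while ($row = sqlFetchArray($rez)) {
                $tbl[] = $row;
        }
        return $tbl;
}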
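/**
 * Fetch groups rows, newest first.
 *
 * Same fixes as getUserList(): "$limit = 'all'" was an assignment (paging
 * branch unreachable), LIMIT offset/count were swapped, and an empty result
 * returned an undefined $tbl instead of an array.
 *
 * @param string     $cols  column list spliced into the SELECT — must be a
 *                          caller-supplied constant, never request data
 * @param string|int $limit row count, or 'all' for no paging
 * @param string|int $start row offset when paging
 * @return array list of associative rows, empty when none
 */
function getProviderList ($cols = '*', $limit = 'all', $start = '0')
{
        if ($limit === 'all') {
                $rez = sqlStatement("select $cols from groups order by date DESC");
        } else {
                // MySQL LIMIT is "offset, count".
                $offset = (int) $start;
                $count = (int) $limit;
                $rez = sqlStatement("select $cols from groups order by date DESC limit $offset, $count");
        }
        $tbl = array();
        while ($row = sqlFetchArray($rez)) {
                $tbl[] = $row;
        }
        return $tbl;
}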
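/**
 * Insert a groups row with the given name.
 *
 * @param string $groupname groups.name
 * @return mixed whatever sqlInsert() returns
 */
function addGroup ($groupname)
{
        $safeName = mysql_real_escape_string($groupname);
        return sqlInsert("insert into groups (name) values ('$safeName')");
}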
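/**
 * Delete the groups row with the given id.
 *
 * @param mixed $group_id groups.id
 * @return mixed whatever sqlQuery() returns
 */
function delGroup ($group_id)
{
        // MySQL's single-table DELETE accepts only "LIMIT row_count"; the
        // original "limit 0,1" (offset form) is not valid syntax there.
        $safeId = mysql_real_escape_string($group_id);
        return sqlQuery("delete from groups where id = '$safeId' limit 1");
}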
172 /***************************************************************
173 //pennfirm
//Function currently used by the new post calendar code to determine
175 //if a given user is in a group with another user
176 //and if so to allow editing of that users events
178 //*************************************************************/
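/**
 * Names of every group $username belongs to (groups.user = users.username).
 *
 * @param string $username
 * @return array list of group names, empty when the user has none
 */
function authGroupNamesForUser ($username)
{
        $query = "SELECT groups.name FROM users,groups WHERE users.username =  \"" . mysql_real_escape_string($username) . "\" " .
                 "AND users.username = groups.user group by groups.name";
        $result = sqlStatement($query);
        $names = array();
        while ($row = mysql_fetch_array($result)) {
                $names[] = $row[0];
        }
        return $names;
}

/**
 * Decide whether $user_to_be_checked may act on $group_user's calendar events.
 *
 * True when both names are present and identical, when the session is flagged
 * as an authorized user, or when the two users share at least one group.
 * NOTE(review): this reads $_SESSION['authorizeduser'], while authNewSession()
 * in this file writes $_SESSION['userauthorized']; unless some other file sets
 * 'authorizeduser', that branch never fires — confirm which key is intended.
 *
 * @param string $user_to_be_checked
 * @param string $group_user
 * @return bool
 */
function validateGroupStatus ($user_to_be_checked, $group_user) {
        if (!isset($user_to_be_checked) || !isset($group_user)) {
                return false;
        }
        // Strict: '==' would treat numeric-looking names like "1e3" and "1000" as equal.
        if ($user_to_be_checked === $group_user) {
                return true;
        }
        // isset() guard avoids an undefined-index notice on sessions that never set the flag.
        if (isset($_SESSION['authorizeduser']) && $_SESSION['authorizeduser'] == 1) {
                return true;
        }
        $usertbcGroups = authGroupNamesForUser($user_to_be_checked);
        $usergGroups = authGroupNamesForUser($group_user);
        foreach ($usertbcGroups as $group) {
                // Group names are strings; strict in_array avoids loose-compare surprises.
                if (in_array($group, $usergGroups, true)) {
                        return true;
                }
        }
        return false;
}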