portal/get_patient_info.php

   1 <?php
   2 /**
   3  *
   4  * Copyright (C) 2016-2017 Jerry Padgett <sjpadgett@gmail.com>
   5  * Copyright (C) 2011 Cassian LUP <cassi.lup@gmail.com>
   6  *
   7  * LICENSE: This program is free software; you can redistribute it and/or
   8  * modify it under the terms of the GNU General Public License
   9  * as published by the Free Software Foundation; either version 3
  10  * of the License, or (at your option) any later version.
  11  * This program is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  14  * GNU General Public License for more details.
  15  * You should have received a copy of the GNU General Public License
  16  * along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>;.
  17  *
  18  * @package OpenEMR
  19  * @author Jerry Padgett <sjpadgett@gmail.com>
  20  * @author Cassian LUP <cassi.lup@gmail.com>
  21  * @author Jerry Padgett <sjpadgett@gmail.com>
  22  * @link http://www.open-emr.org
  23  *
  24  */
  25     //starting the PHP session (also regenerating the session id to avoid session fixation attacks)
  26         session_start();
  27         session_regenerate_id(true);
  28     //
  29
  30     //landing page definition -- where to go if something goes wrong
  31     $landingpage = "index.php?site=".$_SESSION['site_id'];
  32     //
  33
  34     //checking whether the request comes from index.php
  35         if (!isset($_SESSION['itsme'])) {
  36                 session_destroy();
  37         header('Location: '.$landingpage.'&w');
  38         exit;
  39     }
  40     //
  41 require_once (dirname( __FILE__ )."/lib/appsql.class.php" );
  42 $logit = new ApplicationTable();
  43     //some validation
  44         if (!isset($_POST['uname']) || empty($_POST['uname'])) {
  45                 session_destroy();
  46         header('Location: '.$landingpage.'&w&c');
  47         exit;
  48     }
  49         if (!isset($_POST['pass']) || empty($_POST['pass'])) {
  50                 session_destroy();
  51                 header('Location: '.$landingpage.'&w&c');
  52         exit;
  53         }
  54     //
  55
  56     // set the language
  57     if (!empty($_POST['languageChoice'])) {
  58             $_SESSION['language_choice'] = (int)$_POST['languageChoice'];
  59     }
  60     else if (empty($_SESSION['language_choice'])) {
  61             // just in case both are empty, then use english
  62             $_SESSION['language_choice'] = 1;
  63     }
  64     else {
  65             // keep the current session language token
  66     }
  67
  68     //SANITIZE ALL ESCAPES
  69     $fake_register_globals=false;
  70
  71     //STOP FAKE REGISTER GLOBALS
  72     $sanitize_all_escapes=true;
  73
  74     //Settings that will override globals.php
  75         $ignoreAuth = 1;
  76     //
  77
  78     //Authentication
  79     require_once('../interface/globals.php');
  80     require_once("$srcdir/authentication/common_operations.php");
  81     require_once("$srcdir/user.inc");
  82     $password_update=isset($_SESSION['password_update']);
  83     unset($_SESSION['password_update']);
  84     $plain_code= $_POST['pass'];
  85
  86     $authorizedPortal=false; //flag
  87     DEFINE("TBL_PAT_ACC_ON","patient_access_onsite");
  88     DEFINE("COL_PID","pid");
  89     DEFINE("COL_POR_PWD","portal_pwd");
  90     DEFINE("COL_POR_USER","portal_username");
  91     DEFINE("COL_POR_SALT","portal_salt");
  92     DEFINE("COL_POR_PWD_STAT","portal_pwd_status");
  93     $sql= "SELECT ".implode(",",array(COL_ID,COL_PID,COL_POR_PWD,COL_POR_SALT,COL_POR_PWD_STAT))
  94           ." FROM ".TBL_PAT_ACC_ON
  95           ." WHERE ".COL_POR_USER."=?";
  96             $auth = privQuery($sql, array($_POST['uname']));
  97             if($auth===false)
  98             {
  99                 $logit->portalLog('login attempt','',($_POST['uname'].':invalid username'),'','0');
 100                 session_destroy();
 101                 header('Location: '.$landingpage.'&w');
 102                 exit;
 103             }
 104             if(empty($auth[COL_POR_SALT]))
 105             {
 106                 if(SHA1($plain_code)!=$auth[COL_POR_PWD])
 107                 {
 108                     $logit->portalLog('login attempt','',($_POST['uname'].':pass not salted'),'','0');
 109                     session_destroy();
 110                     header('Location: '.$landingpage.'&w');
 111                     exit;
 112                 }
 113                 $new_salt=oemr_password_salt();
 114                 $new_hash=oemr_password_hash($plain_code,$new_salt);
 115                 $sqlUpdatePwd= " UPDATE " . TBL_PAT_ACC_ON
 116                               ." SET " .COL_POR_PWD."=?, "
 117                               . COL_POR_SALT . "=? "
 118                               ." WHERE ".COL_ID."=?";
 119                 privStatement($sqlUpdatePwd,array($new_hash,$new_salt,$auth[COL_ID]));
 120             }
 121             else {
 122                 if(oemr_password_hash($plain_code,$auth[COL_POR_SALT])!=$auth[COL_POR_PWD])
 123                 {
 124                     $logit->portalLog('login attempt','',($_POST['uname'].':invalid password'),'','0');
 125                     session_destroy();
 126                     header('Location: '.$landingpage.'&w');
 127                     exit;
 128
 129                 }
 130
 131             }
 132     $_SESSION['portal_username']=$_POST['uname'];
 133     $sql = "SELECT * FROM `patient_data` WHERE `pid` = ?";
 134
 135     if ($userData = sqlQuery($sql, array($auth['pid']) )) { // if query gets executed
 136
 137         if (empty($userData)) {
 138                 $logit->portalLog('login attempt','',($_POST['uname'].':not active patient'),'','0');
 139             session_destroy();
 140             header('Location: '.$landingpage.'&w');
 141             exit;
 142                     }
 143          if ($userData['email'] != $_POST['passaddon']) {
 144                 $logit->portalLog('login attempt','',($_POST['uname'].':invalid email'),'','0');
 145                 session_destroy();
 146                 header('Location: '.$landingpage.'&w');
 147                 exit;
 148                            }
 149
 150         if ($userData['allow_patient_portal'] != "YES") {
 151             // Patient has not authorized portal, so escape
 152             session_destroy();
 153             header('Location: '.$landingpage.'&w');
 154             exit;
 155                     }
 156
 157         if ($auth['pid'] != $userData['pid']) {
 158             // Not sure if this is even possible, but should escape if this happens
 159             session_destroy();
 160             header('Location: '.$landingpage.'&w');
 161             exit;
 162         }
 163
 164         if ( $password_update)
 165             {
 166                 $code_new=$_POST['pass_new'];
 167                 $code_new_confirm=$_POST['pass_new_confirm'];
 168                 if(!(empty($_POST['pass_new'])) && !(empty($_POST['pass_new_confirm'])) && ($code_new == $code_new_confirm)) {
 169                 $new_salt=oemr_password_salt();
 170                 $new_hash=oemr_password_hash($code_new,$new_salt);
 171
 172                 // Update the password and continue (patient is authorized)
 173                 privStatement("UPDATE ".TBL_PAT_ACC_ON
 174                               ."  SET ".COL_POR_PWD."=?,".COL_POR_SALT."=?,".COL_POR_PWD_STAT."=1 WHERE id=?", array($new_hash,$new_salt,$auth['id']) );
 175                 $authorizedPortal = true;
 176                 $logit->portalLog('password update',$auth['pid'],($_SESSION['portal_username'].': '.$_SESSION['ptName'].':success'));
 177             }
 178         }
 179         if ($auth['portal_pwd_status'] == 0) {
 180             if(!$authorizedPortal) {
 181                 // Need to enter a new password in the index.php script
 182                 $_SESSION['password_update'] = 1;
 183                  header('Location: '.$landingpage);
 184                 exit;
 185             }
 186         }
 187
 188         if ($auth['portal_pwd_status'] == 1) {
 189             // continue (patient is authorized)
 190             $authorizedPortal = true;
 191         }
 192
 193         if ($authorizedPortal) {
 194                         // patient is authorized (prepare the session variables)
 195             unset($_SESSION['password_update']); // just being safe
 196             unset($_SESSION['itsme']); // just being safe
 197             $_SESSION['pid'] = $auth['pid'];
 198             $_SESSION['patient_portal_onsite_two'] = 1;
 199
 200             $tmp = getUserIDInfo($userData['providerID']);
 201             $_SESSION['providerName'] = $tmp['fname'].' '.$tmp['lname'];
 202             $_SESSION['providerUName'] = $tmp['username'];
 203             $_SESSION['sessionUser'] = '-patient-'; //$_POST['uname'];
 204             $_SESSION['providerId'] = $userData['providerID']?$userData['providerID']:'undefined';
 205             $_SESSION['ptName'] = $userData['fname'].' '.$userData['lname'];
 206
 207             $logit->portalLog('login',$_SESSION['pid'],($_SESSION['portal_username'].': '.$_SESSION['ptName'].':success'));
 208         }
 209         else {
 210             $logit->portalLog('login','',($_POST['uname'].':not authorized'),'','0');
 211             session_destroy();
 212             header('Location: '.$landingpage.'&w');
 213             exit;
 214         }
 215
 216     }
 217     else { //problem with query
 218         session_destroy();
 219         header('Location: '.$landingpage.'&w');
 220         exit;
 221     }
 222     //require_once('summary_pat_portal.php');
 223
 224     //require_once('home.php');
 225     header('Location: ./home.php');
 226     exit;
 227 ?>