| blob | efbd788e5f723fed6bc42f0fc2e6928779c8b3c8 |
1 <?php
2 // php-GACL access controls are included in OpenEMR. The below
3 // function will automatically create the path where gacl.class.php
4 // can be found. Note that this path can be manually set below
5 // for users who are using an external version of php-GACL.
6 // Also note that php-GACL access controls can be turned off
7 // below.
9 $phpgacl_location = dirname(__FILE__).'/../gacl';
11 //
12 // If using an external version of phpGACL, then uncomment the following
13 // line and manually place the path below. IN THIS CASE YOU MUST ALSO
14 // COMMENT OUT ABOVE $phpgacl_location ASSIGNMENT ABOVE, OR BACKUPS WILL
15 // NOT RESTORE PROPERLY!
16 //
17 //$phpgacl_location = "/var/www/gacl";
18 //
19 // If you want to turn off php-GACL, then uncomment the following line.
20 // IN THIS CASE YOU MUST ALSO COMMENT OUT ABOVE $phpgacl_location ASSIGNMENT(S)
21 // ABOVE, OR BACKUPS WILL NOT RESTORE PROPERLY!
22 //
23 //unset($phpgacl_location);
24 //
26 // The following Access Control Objects (ACO) are currently supported.
27 // These are the "things to be protected":
28 //
29 // Section "admin" (Administration):
30 // super Superuser - can delete patients, encounters, issues
31 // calendar Calendar Settings
32 // database Database Reporting
33 // forms Forms Administration
34 // practice Practice Settings
35 // superbill Superbill Codes Administration
36 // users Users/Groups/Logs Administration
37 // batchcom Batch Communication Tool
38 // language Language Interface Tool
39 // drugs Pharmacy Dispensary
40 // acl ACL Administration
41 //
42 // Section "acct" (Accounting):
43 // bill Billing (write optional)
44 // disc Allowed to discount prices (in Fee Sheet or Checkout form)
45 // eob EOB Data Entry
46 // rep Financial Reporting - my encounters
47 // rep_a Financial Reporting - anything
48 //
49 // Section "patients" (Patient Information):
50 // appt Appointments (write,wsome optional)
51 // demo Demographics (write,addonly optional)
52 // med Medical Records and History (write,addonly optional)
53 // trans Transactions, e.g. referrals (write optional)
54 // docs Documents (write,addonly optional)
55 // notes Patient Notes (write,addonly optional)
56 // sign Sign Lab Results (write,addonly optional)
57 //
58 // Section "encounters" (Encounter Information):
59 // auth Authorize - my encounters
60 // auth_a Authorize - any encounters
61 // coding Coding - my encounters (write,wsome optional)
62 // coding_a Coding - any encounters (write,wsome optional)
63 // notes Notes - my encounters (write,addonly optional)
64 // notes_a Notes - any encounters (write,addonly optional)
65 // date_a Fix encounter dates - any encounters
66 // relaxed Less-private information (write,addonly optional)
67 // (e.g. the Sports Fitness encounter form)
68 //
69 // Section "squads" applies to sports team use only:
70 // acos in this section define the user-specified list of squads
71 //
72 // Section "sensitivities" (Sensitivities):
73 // normal Normal
74 // high High
75 //
76 // Section "lists" (Lists):
77 // default Default List (write,addonly optional)
78 // state State List (write,addonly optional)
79 // country Country List (write,addonly optional)
80 // language Language List (write,addonly optional)
81 // ethrace Ethnicity-Race List (write,addonly optional)
82 //
83 // Section "placeholder" (Placeholder):
84 // filler Placeholder (Maintains empty ACLs)
85 //
86 // Section "nationnotes" (Nation Notes):
87 // nn_configure Nation Notes
88 //
89 // Section "patientportal" (Patient Portal):
90 // portal Patient Portal
92 if (isset ($phpgacl_location)) {
93 include_once("$phpgacl_location/gacl.class.php");
94 $gacl_object = new gacl();
95 //DO NOT CHANGE BELOW VARIABLE
96 $section_aro_value = 'users';
97 }
99 // acl_check should return 0 if access is denied. Otherwise it may
100 // return anything that evaluates to true. In addition if any of the
101 // following types of access are applicable, then the corresponding value
102 // must be returned if and only if such access is granted (ony one may
103 // be specified):
104 //
105 // * write - the user may add or modify the ACO
106 // * wsome - the user has limited add/modify access to the ACO
107 // * addonly - the user may view and add but not modify entries
108 //
109 function acl_check($section, $value, $user = '') {
110 global $gacl_object, $phpgacl_location, $section_aro_value;
111 if (! $user) $user = $_SESSION['authUser'];
113 if ($phpgacl_location) {
114 return $gacl_object->acl_check($section, $value, $section_aro_value, $user);
115 }
117 // If no phpgacl, then apply the old static rules whereby "authorized"
118 // users (providers) can do anything, and other users can do most things.
119 // If you want custom access control but don't want to mess with phpGACL,
120 // then you could customize the code below instead.
122 if ($user == 'admin') return 'write';
123 if ($section == 'admin' && $value == 'super') return 0;
124 if ($_SESSION['userauthorized']) return 'write';
126 if ($section == 'patients') {
127 if ($value == 'med') return 1;
128 return 'write';
129 }
130 else if ($section == 'encounters') {
131 if (strpos($value, 'coding' ) === 0) return 'write';
132 if (strpos($value, 'notes' ) === 0) return 'write';
133 if ($value == 'relaxed') return 'write';
134 }
135 else if ($section != 'admin') {
136 return 'write';
137 }
139 return 0;
140 }
142 // Get the ACO name/value pairs for a designated section. Each value
143 // is an array (section_value, value, order_value, name, hidden).
144 //
145 function acl_get_section_acos($section) {
146 global $phpgacl_location;
147 if ($phpgacl_location) {
148 include_once("$phpgacl_location/gacl_api.class.php");
149 $gacl = new gacl_api();
150 $arr1 = $gacl->get_objects($section, 1, 'ACO');
151 $arr = array();
152 if (!empty($arr1[$section])) {
153 foreach ($arr1[$section] as $value) {
154 $odata = $gacl->get_object_data($gacl->get_object_id($section, $value, 'ACO'), 'ACO');
155 $arr[$value] = $odata[0];
156 }
157 }
158 return $arr;
159 }
160 return 0;
161 }
163 // Sort squads by their order value. Used only by acl_get_squads().
164 function _acl_squad_compare($a, $b) {
165 if ($a[2] == $b[2]) {
166 // If order value is the same, sort by squad name.
167 if ($a[3] == $b[3]) return 0;
168 return ($a[3] < $b[3]) ? -1 : 1;
169 }
170 return ($a[2] < $b[2]) ? -1 : 1;
171 }
173 // Return an array keyed on squad ACO names.
174 // This is only applicable for sports team use.
175 //
176 function acl_get_squads() {
177 $squads = acl_get_section_acos('squads');
178 uasort($squads, "_acl_squad_compare");
179 return $squads;
180 }
182 // Return an array keyed on encounter sensitivity level ACO names.
183 // Sensitivities are useful when some encounter notes are not
184 // medically sensitive (e.g. a physical fitness test), and/or if
185 // some will be "for doctor's eyes only" (e.g. STD treatment).
186 //
187 // When a non-blank sensitivity value exists in the new encounter
188 // form, it names an additional ACO required for access to all forms
189 // in the encounter. If you want some encounters to be non-sensitive,
190 // then you also need some default nonblank sensitivity for normal
191 // encounters, as well as greater encounter notes permissions for
192 // those allowed to view non-sensitive encounters.
193 //
194 function acl_get_sensitivities() {
195 return acl_get_section_acos('sensitivities');
196 }
198 //
199 // Returns true if aco exist
200 // Returns false if aco doesn't exist
201 // $section_name = name of section (string)
202 // $aco_name = name of aco (string)
203 //
204 function aco_exist($section_name, $aco_name) {
205 global $phpgacl_location;
206 if (isset ($phpgacl_location)) {
207 include_once("$phpgacl_location/gacl_api.class.php");
208 $gacl = new gacl_api();
209 $aco_id = $gacl->get_object_id($section_name, $aco_name, 'ACO');
210 if ($aco_id) {
211 return true;
212 }
213 }
214 return false;
215 }
217 //
218 // Returns a sorted array of all available Group Titles.
219 //
220 function acl_get_group_title_list() {
221 global $phpgacl_location;
222 if (isset ($phpgacl_location)) {
223 include_once("$phpgacl_location/gacl_api.class.php");
224 $gacl = new gacl_api();
225 $parent_id = $gacl->get_root_group_id();
226 $arr_group_ids = $gacl->get_group_children($parent_id, 'ARO', 'RECURSE');
227 $arr_group_titles = array();
228 foreach ($arr_group_ids as $value) {
229 $arr_group_data = $gacl->get_group_data($value, 'ARO');
230 $arr_group_titles[$value] = $arr_group_data[3];
231 }
232 sort($arr_group_titles);
233 return $arr_group_titles;
234 }
235 return 0;
236 }
238 //
239 // Returns a sorted array of group Titles that a user belongs to.
240 // Returns 0 if does not belong to any group yet.
241 // $user_name = Username, which is login name.
242 //
243 function acl_get_group_titles($user_name) {
244 global $phpgacl_location, $section_aro_value;
245 if (isset ($phpgacl_location)) {
246 include_once("$phpgacl_location/gacl_api.class.php");
247 $gacl = new gacl_api();
248 $user_aro_id = $gacl->get_object_id($section_aro_value, $user_name, 'ARO');
249 if ($user_aro_id) {
250 $arr_group_id = $gacl->get_object_groups($user_aro_id, 'ARO', 'NO_RECURSE');
251 if ($arr_group_id) {
252 foreach ($arr_group_id as $key => $value) {
253 $arr_group_data = $gacl->get_group_data($value, 'ARO');
254 $arr_group_titles[$key] = $arr_group_data[3];
255 }
256 sort($arr_group_titles);
257 return $arr_group_titles;
258 }
259 }
260 }
261 return 0;
262 }
264 //
265 // This will place the user aro object into selected group(s)
266 // It uses the set_user_aro() function
267 // $username = username (string)
268 // $group = title of group(s) (string or array)
269 //
270 function add_user_aros($username, $group) {
271 $current_user_groups = acl_get_group_titles($username);
272 if (!$current_user_groups) {
273 $current_user_groups = array();
274 }
275 if (is_array($group)){
276 foreach ($group as $value) {
277 if (!in_array($value, $current_user_groups)) {
278 array_push($current_user_groups, $value);
279 }
280 }
281 }
282 else {
283 if (!in_array($group, $current_user_groups)) {
284 array_push($current_user_groups, $group);
285 }
286 }
287 $user_data = mysql_fetch_array(sqlStatement("select * from users where username='" .
288 $username . "'"));
289 set_user_aro($current_user_groups, $username, $user_data["fname"],
290 $user_data["mname"], $user_data["lname"]);
291 return;
292 }
294 //
295 // This will remove the user aro object from the selected group(s)
296 // It uses the set_user_aro() function
297 // $username = username (string)
298 // $group = title of group(s) (string or array)
299 //
300 function remove_user_aros($username, $group) {
301 $current_user_groups = acl_get_group_titles($username);
302 $new_user_groups = array();
303 if (is_array($group)){
304 foreach ($current_user_groups as $value) {
305 if (!in_array($value, $group)) {
306 array_push($new_user_groups, $value);
307 }
308 }
309 }
310 else {
311 foreach ($current_user_groups as $value) {
312 if ($value != $group) {
313 array_push($new_user_groups, $value);
314 }
315 }
316 }
317 $user_data = mysql_fetch_array(sqlStatement("select * from users where username='" .
318 $username . "'"));
319 set_user_aro($new_user_groups, $username, $user_data["fname"],
320 $user_data["mname"], $user_data["lname"]);
321 return;
322 }
324 //
325 // This will either create or edit a user aro object, and then place it
326 // in the requested groups. It will not allow removal of the 'admin'
327 // user or gacl_protected users from the 'admin' group.
328 // $arr_group_titles = titles of the groups that user will be added to.
329 // $user_name = username, which is login name.
330 // $first_name = first name
331 // $middle_name = middle name
332 // $last_name = last name
333 //
334 function set_user_aro($arr_group_titles, $user_name, $first_name, $middle_name, $last_name) {
335 global $phpgacl_location, $section_aro_value;
337 if (isset ($phpgacl_location)) {
338 include_once("$phpgacl_location/gacl_api.class.php");
339 $gacl = new gacl_api();
341 //see if this user is gacl protected (ie. do not allow
342 //removal from the Administrators group)
343 require_once(dirname(__FILE__).'/user.inc');
344 require_once(dirname(__FILE__).'/calendar.inc');
345 $userNametoID = getIDfromUser($user_name);
346 if (checkUserSetting("gacl_protect","1",$userNametoID) || $user_name == "admin") {
347 $gacl_protect = true;
348 }
349 else {
350 $gacl_protect = false;
351 }
353 //get array of all available group ID numbers
354 $parent_id = $gacl->get_root_group_id();
355 $arr_all_group_ids = $gacl->get_group_children($parent_id, 'ARO', 'RECURSE');
357 //Cycle through ID array to find and process each selected group
358 //Create a counter since processing of first hit is unique
359 $counter = 0;
360 foreach ($arr_all_group_ids as $value) {
361 $arr_group_data = $gacl->get_group_data($value, 'ARO');
362 if ((empty($arr_group_titles)) ||
363 (in_array($arr_group_data[3], $arr_group_titles))) {
364 //We have a hit, so need to add group and increment counter
365 // because processing of first hit is unique
366 //This will also deal with an empty $arr_group_titles array
367 // removing user from all groups unless 'admin'
368 $counter = $counter + 1;
369 //create user full name field
370 if ($middle_name) {
371 $full_name = $first_name . " " . $middle_name . " " . $last_name;
372 }
373 else {
374 if ($last_name) {
375 $full_name = $first_name . " " . $last_name;
376 }
377 else {
378 $full_name = $first_name;
379 }
380 }
382 //If this is not the first group to be added, then will skip below
383 // and will be added. If this is the first group, then need to
384 // go thru several steps before adding the group.
385 if ($counter == 1) {
386 //get ID of user ARO object, if it exist
387 $user_aro_id = $gacl->get_object_id($section_aro_value, $user_name, 'ARO');
388 if ($user_aro_id) {
389 //user ARO object already exist, so will edit it
390 $gacl->edit_object($user_aro_id, $section_aro_value, $full_name, $user_name, 10, 0, 'ARO');
392 //remove all current user ARO object group associations
393 $arr_remove_group_ids = $gacl->get_object_groups($user_aro_id, 'ARO', 'NO_RECURSE');
394 foreach ($arr_remove_group_ids as $value2) {
395 $gacl->del_group_object($value2, $section_aro_value, $user_name, 'ARO');
396 }
397 }
398 else {
399 //user ARO object does not exist, so will create it
400 $gacl->add_object($section_aro_value, $full_name, $user_name, 10, 0, 'ARO');
401 }
402 }
404 //place the user ARO object in the selected group (if group(s) is selected)
405 if (!empty($arr_group_titles)) {
406 $gacl->add_group_object($value, $section_aro_value, $user_name, 'ARO');
407 }
409 //
410 //Below will not allow 'admin' or gacl_protected user to be removed from 'admin' group
411 //
412 if ($gacl_protect) {
413 $boolean_admin=0;
414 $admin_id = $gacl->get_object_id($section_aro_value, $user_name, 'ARO');
415 $arr_admin = $gacl->get_object_groups($admin_id, 'ARO', 'NO_RECURSE');
416 foreach ($arr_admin as $value3) {
417 $arr_admin_data = $gacl->get_group_data($value3, 'ARO');
418 if (strcmp($arr_admin_data[2], 'admin') == 0) {
419 $boolean_admin=1;
420 }
421 }
422 if (!$boolean_admin) {
423 foreach ($arr_all_group_ids as $value4) {
424 $arr_temp = $gacl->get_group_data($value4, 'ARO');
425 if ($arr_temp[2] == 'admin') {
426 $gacl->add_group_object($value4, $section_aro_value, $user_name, 'ARO');
427 }
428 }
429 }
430 }
431 }
432 //if array of groups was empty, then we are done, and can break from loop
433 if (empty($arr_group_titles)) break;
434 }
435 return true;
436 }
437 return false;
438 }
440 //
441 // Returns true if acl exist
442 // Returns false if acl doesn't exist
443 // EITHER $title or $name is required(send FALSE in variable
444 // not being used). If both are sent, then only $title will be
445 // used.
446 // $return_value is required
447 // $title = title of acl (string)
448 // $name = name of acl (string)
449 // $return_value = return value of acl (string)
450 //
451 function acl_exist($title, $name, $return_value) {
452 global $phpgacl_location;
453 if (isset ($phpgacl_location)) {
454 include_once("$phpgacl_location/gacl_api.class.php");
455 $gacl = new gacl_api();
456 if (!$name) {
457 $acl = $gacl->search_acl(FALSE, FALSE, FALSE, FALSE, $title, FALSE, FALSE, FALSE, $return_value);
458 }
459 else if (!$title) {
460 $group_id = $gacl->get_group_id($name, NULL, 'ARO');
461 if ($group_id) {
462 $group_data = $gacl->get_group_data($group_id, 'ARO');
463 $acl = $gacl->search_acl(FALSE, FALSE, FALSE, FALSE, $group_data[3], FALSE, FALSE, FALSE, $return_value);
464 }
465 else {
466 return false;
467 }
468 }
469 else {
470 $acl = $gacl->search_acl(FALSE, FALSE, FALSE, FALSE, $title, FALSE, FALSE, FALSE, $return_value);
471 }
472 if (!empty($acl)) {
473 return true;
474 }
475 else {
476 return false;
477 }
478 }
479 }
481 //
482 // This will add a new acl and group(if group doesn't yet exist)
483 // with one aco in it.
484 // $acl_title = title of acl (string)
485 // $acl_name = name of acl (string)
486 // $return_value = return value of acl (string)
487 // $note = description of acl (array)
488 //
489 function acl_add($acl_title, $acl_name, $return_value, $note) {
490 global $phpgacl_location;
491 if (isset ($phpgacl_location)) {
492 include_once("$phpgacl_location/gacl_api.class.php");
493 $gacl = new gacl_api();
494 $group_id = $gacl->get_group_id($acl_name, $acl_title, 'ARO');
495 if ($group_id) {
496 //group already exist, so just create acl
497 $gacl->add_acl(array("placeholder"=>array("filler")),
498 NULL, array($group_id), NULL, NULL, 1, 1, $return_value, $note);
499 }
500 else {
501 //create group, then create acl
502 $parent_id = $gacl->get_root_group_id();
503 $aro_id = $gacl->add_group($acl_name, $acl_title, $parent_id, 'ARO');
504 $gacl->add_acl(array("placeholder"=>array("filler")),
505 NULL, array($aro_id), NULL, NULL, 1, 1, $return_value, $note);
506 }
507 return;
508 }
509 return 0;
510 }
512 //
513 // This will remove acl. It will also remove group(if the group
514 // is no longer associated with any acl's).
515 // $acl_title = title of acl (string)
516 // $acl_name = name of acl (string)
517 // $return_value = return value of acl (string)
518 // $note = description of acl (array)
519 //
520 function acl_remove($acl_title, $return_value) {
521 global $phpgacl_location;
522 if (isset ($phpgacl_location)) {
523 include_once("$phpgacl_location/gacl_api.class.php");
524 $gacl = new gacl_api();
525 //First, delete the acl
526 $acl_id=$gacl->search_acl(FALSE, FALSE, FALSE, FALSE, $acl_title, FALSE, FALSE, FALSE, $return_value);
527 $gacl->del_acl($acl_id[0]);
528 //Then, remove the group(if no more acl's are remaining)
529 $acl_search=$gacl->search_acl(FALSE, FALSE, FALSE, FALSE, $acl_title, FALSE, FALSE, FALSE, FALSE);
530 if (empty($acl_search)){
531 $group_id=$gacl-> get_group_id(NULL, $acl_title, 'ARO');
532 $gacl->del_group($group_id, TRUE, 'ARO');
533 }
534 return;
535 }
536 return 0;
537 }
539 //
540 // This will place the aco(s) into the selected acl
541 // $acl_title = title of acl (string)
542 // $return_value = return value of acl (string)
543 // $aco_id = id of aco (array)
544 //
545 function acl_add_acos($acl_title, $return_value, $aco_id) {
546 global $phpgacl_location;
547 if (isset ($phpgacl_location)) {
548 include_once("$phpgacl_location/gacl_api.class.php");
549 $gacl = new gacl_api();
550 $acl_id = $gacl->search_acl(FALSE, FALSE, FALSE, FALSE, $acl_title, FALSE, FALSE, FALSE, $return_value);
551 foreach ($aco_id as $value) {
552 $aco_data = $gacl->get_object_data($value, 'ACO');
553 $aco_section = $aco_data[0][0];
554 $aco_name = $aco_data[0][1];
555 $gacl->append_acl($acl_id[0], NULL, NULL, NULL, NULL, array($aco_section=>array($aco_name)));
556 }
557 return;
558 }
559 return 0;
560 }
562 //
563 // This will remove the aco(s) from the selected acl
564 // Note if all aco's are removed, then will place the filler-placeholder
565 // into the acl to avoid complete removal of the acl.
566 // $acl_title = title of acl (string)
567 // $return_value = return value of acl (string)
568 // $aco_id = id of aco (array)
569 //
570 function acl_remove_acos($acl_title, $return_value, $aco_id) {
571 global $phpgacl_location;
572 if (isset ($phpgacl_location)) {
573 include_once("$phpgacl_location/gacl_api.class.php");
574 $gacl = new gacl_api();
575 $acl_id = $gacl->search_acl(FALSE, FALSE, FALSE, FALSE, $acl_title, FALSE, FALSE, FALSE, $return_value);
577 // Check to see if removing all acos. If removing all acos then will
578 // ensure the filler-placeholder aco in acl to avoid complete
579 // removal of the acl.
580 if (count($aco_id) == acl_count_acos($acl_title, $return_value)) {
581 //1-get the filler-placeholder aco id
582 $filler_aco_id = $gacl->get_object_id('placeholder','filler','ACO');
583 //2-add filler-placeholder aco
584 acl_add_acos($acl_title, $return_value, array($filler_aco_id));
585 //3-ensure filler-placeholder aco is not to be deleted
586 $safeListaco = remove_element($_POST["selection"],$filler_aco_id);
587 //4-prepare to safely delete the acos
588 $aco_id = $safeListaco;
589 }
591 foreach ($aco_id as $value) {
592 $aco_data = $gacl->get_object_data($value, 'ACO');
593 $aco_section = $aco_data[0][0];
594 $aco_name = $aco_data[0][1];
595 $gacl->shift_acl($acl_id[0], NULL, NULL, NULL, NULL, array($aco_section=>array($aco_name)));
596 }
597 return;
598 }
599 return 0;
600 }
602 //
603 // This will return the number of aco objects
604 // in a specified acl.
605 // $acl_title = title of acl (string)
606 // $return_value = return value of acl (string)
607 //
608 function acl_count_acos($acl_title, $return_value) {
609 global $phpgacl_location;
610 if (isset ($phpgacl_location)) {
611 include_once("$phpgacl_location/gacl_api.class.php");
612 $gacl = new gacl_api();
613 $acl_id = $gacl->search_acl(FALSE, FALSE, FALSE, FALSE, $acl_title, FALSE, FALSE, FALSE, $return_value);
614 $acl_data = $gacl->get_acl($acl_id[0]);
615 $aco_count = 0;
616 foreach ($acl_data['aco'] as $key => $value) {
617 $aco_count = $aco_count + count($acl_data['aco'][$key]);
618 }
619 return $aco_count;
620 }
621 return 0;
622 }
624 //
625 // Function to remove an element from an array
626 //
627 function remove_element($arr, $val){
628 $arr2 = array();
629 foreach ($arr as $value){
630 if ($value != $val) {
631 array_push($arr2,$value);
632 }
633 }
634 return $arr2;
635 }
636 ?>