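<?php
/**
 *
 * Copyright (C) 2016-2017 Jerry Padgett <sjpadgett@gmail.com>
 * Copyright (C) 2011 Cassian LUP <cassi.lup@gmail.com>
 *
 * LICENSE: This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 3
 * of the License, or (at your option) any later version.
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>;.
 *
 * @package OpenEMR
 * @author Jerry Padgett <sjpadgett@gmail.com>
 * @author Cassian LUP <cassi.lup@gmail.com>
 * @author Jerry Padgett <sjpadgett@gmail.com>
 * @link http://www.open-emr.org
 *
 */

// Patient-portal login handler. It checks the credentials POSTed by index.php
// and, on success, fills the patient session and redirects to home.php.
// Every rejected login destroys the session and redirects to the landing page
// with '&w' ('&w&c' when a credential field is missing), so the response does
// not tell the client which check failed; the reason goes to the portal log only.
// NOTE(review): no attempt throttling or lockout is visible in this script;
// confirm it is enforced elsewhere.

//starting the PHP session (also regenerating the session id to avoid session fixation attacks)
session_start();
session_regenerate_id(true);


//landing page definition -- where to go if something goes wrong
$landingpage = "index.php?site=".$_SESSION['site_id'];


//checking whether the request comes from index.php
if (!isset($_SESSION['itsme'])) {
    session_destroy();
    header('Location: '.$landingpage.'&w');
    exit;
}


require_once(dirname(__FILE__)."/lib/appsql.class.php");
$logit = new ApplicationTable();
//some validation
// A credential must be a non-empty string. PHP turns "uname[]=x" into an array,
// which can never be a valid username or password, so it is rejected here
// instead of reaching the hashing and comparison code below.
if (empty($_POST['uname']) || !is_string($_POST['uname'])) {
    session_destroy();
    header('Location: '.$landingpage.'&w&c');
    exit;
}

if (empty($_POST['pass']) || !is_string($_POST['pass'])) {
    session_destroy();
    header('Location: '.$landingpage.'&w&c');
    exit;
}



// set the language
if (!empty($_POST['languageChoice'])) {
    $_SESSION['language_choice'] = (int)$_POST['languageChoice'];
} else if (empty($_SESSION['language_choice'])) {
    // just in case both are empty, then use english
    $_SESSION['language_choice'] = 1;
} else {
    // keep the current session language token
}

//Settings that will override globals.php
$ignoreAuth = 1;


//Authentication
require_once('../interface/globals.php');
require_once("$srcdir/authentication/common_operations.php");
require_once("$srcdir/user.inc");
// The "must change password" flag is one-shot: read it, then clear it so that
// it cannot be carried into a later request.
$password_update = isset($_SESSION['password_update']);
unset($_SESSION['password_update']);
$plain_code = $_POST['pass'];

$authorizedPortal = false; //flag
define("TBL_PAT_ACC_ON", "patient_access_onsite");
define("COL_PID", "pid");
define("COL_POR_PWD", "portal_pwd");
define("COL_POR_USER", "portal_username");
define("COL_POR_SALT", "portal_salt");
define("COL_POR_PWD_STAT", "portal_pwd_status");
// COL_ID is not defined in this file; presumably it comes from one of the files
// required above -- TODO confirm.
// The username is passed as a bound parameter; only constants are concatenated
// into the SQL text.
$sql = "SELECT ".implode(",", array(COL_ID, COL_PID, COL_POR_PWD, COL_POR_SALT, COL_POR_PWD_STAT))
    ." FROM ".TBL_PAT_ACC_ON
    ." WHERE ".COL_POR_USER."=?";
$auth = privQuery($sql, array($_POST['uname']));
if ($auth === false) {
    // NOTE(review): uname is client-supplied and is written to the portal log
    // here and below; confirm portalLog() stores it with bound parameters and
    // that whatever displays the log escapes it.
    $logit->portalLog('login attempt', '', ($_POST['uname'].':invalid username'), '', '0');
    session_destroy();
    header('Location: '.$landingpage.'&w');
    exit;
}

// Hashes are compared with hash_equals() (PHP >= 5.6) rather than "!=": the
// loose operator compares two numeric-looking strings such as "0e..." as
// numbers, and it is not constant-time. The cast keeps a NULL column value
// from raising a type error; an empty stored hash can never match.
$stored_hash = (string)$auth[COL_POR_PWD];

if (empty($auth[COL_POR_SALT])) {
    // Legacy row: no salt stored, so the password column holds a bare SHA-1.
    if (!hash_equals($stored_hash, sha1($plain_code))) {
        $logit->portalLog('login attempt', '', ($_POST['uname'].':pass not salted'), '', '0');
        session_destroy();
        header('Location: '.$landingpage.'&w');
        exit;
    }

    // The legacy hash matched: re-hash the password with a fresh salt so the
    // unsalted SHA-1 is replaced in the table.
    $new_salt = oemr_password_salt();
    $new_hash = oemr_password_hash($plain_code, $new_salt);
    $sqlUpdatePwd = " UPDATE " . TBL_PAT_ACC_ON
        ." SET " .COL_POR_PWD."=?, "
        . COL_POR_SALT . "=? "
        ." WHERE ".COL_ID."=?";
    privStatement($sqlUpdatePwd, array($new_hash, $new_salt, $auth[COL_ID]));
} else {
    if (!hash_equals($stored_hash, (string)oemr_password_hash($plain_code, $auth[COL_POR_SALT]))) {
        $logit->portalLog('login attempt', '', ($_POST['uname'].':invalid password'), '', '0');
        session_destroy();
        header('Location: '.$landingpage.'&w');
        exit;
    }
}

$_SESSION['portal_username'] = $_POST['uname'];
$sql = "SELECT * FROM `patient_data` WHERE `pid` = ?";

// The original nested an empty() test inside "if ($userData = sqlQuery(...))",
// where it could never be true, so the 'not active patient' entry was never
// written. A falsy result is now handled (and logged) in one place.
$userData = sqlQuery($sql, array($auth['pid']));
if (empty($userData)) {
    $logit->portalLog('login attempt', '', ($_POST['uname'].':not active patient'), '', '0');
    session_destroy();
    header('Location: '.$landingpage.'&w');
    exit;
}

// Second factor of sorts: the e-mail on file must equal the posted 'passaddon'.
// A missing or non-string field is treated as '' instead of raising a notice.
// NOTE(review): a patient record with no e-mail passes this check when the
// field is left blank; confirm that is intended.
$posted_email = (isset($_POST['passaddon']) && is_string($_POST['passaddon'])) ? $_POST['passaddon'] : '';
if ((string)$userData['email'] !== $posted_email) {
    $logit->portalLog('login attempt', '', ($_POST['uname'].':invalid email'), '', '0');
    session_destroy();
    header('Location: '.$landingpage.'&w');
    exit;
}

if ($userData['allow_patient_portal'] != "YES") {
    // Patient has not authorized portal, so escape
    session_destroy();
    header('Location: '.$landingpage.'&w');
    exit;
}

if ($auth['pid'] != $userData['pid']) {
    // Not sure if this is even possible, but should escape if this happens
    session_destroy();
    header('Location: '.$landingpage.'&w');
    exit;
}

// $_SESSION['ptName'] is only assigned after authorization further down, so the
// password-update log entry uses this local value instead of the unset key.
$patient_name = $userData['fname'].' '.$userData['lname'];

if ($password_update) {
    $code_new = isset($_POST['pass_new']) ? $_POST['pass_new'] : '';
    $code_new_confirm = isset($_POST['pass_new_confirm']) ? $_POST['pass_new_confirm'] : '';
    // Strict comparison: with "==" two different numeric-looking strings
    // (e.g. "1e3" and "1000") would count as a matching confirmation.
    // NOTE(review): no password-strength rule is applied here; confirm one is
    // enforced by the form or elsewhere.
    if (is_string($code_new) && is_string($code_new_confirm)
        && !empty($code_new) && !empty($code_new_confirm)
        && $code_new === $code_new_confirm
    ) {
        $new_salt = oemr_password_salt();
        $new_hash = oemr_password_hash($code_new, $new_salt);

        // Update the password and continue (patient is authorized)
        privStatement("UPDATE ".TBL_PAT_ACC_ON
            ." SET ".COL_POR_PWD."=?,".COL_POR_SALT."=?,".COL_POR_PWD_STAT."=1 WHERE id=?", array($new_hash, $new_salt, $auth['id']));
        $authorizedPortal = true;
        $logit->portalLog('password update', $auth['pid'], ($_SESSION['portal_username'].': '.$patient_name.':success'));
    }
}

if ($auth['portal_pwd_status'] == 0) {
    if (!$authorizedPortal) {
        // Need to enter a new password in the index.php script
        $_SESSION['password_update'] = 1;
        header('Location: '.$landingpage);
        exit;
    }
}

if ($auth['portal_pwd_status'] == 1) {
    // continue (patient is authorized)
    $authorizedPortal = true;
}

if ($authorizedPortal) {
    // patient is authorized (prepare the session variables)
    unset($_SESSION['password_update']); // just being safe
    unset($_SESSION['itsme']); // just being safe
    $_SESSION['pid'] = $auth['pid'];
    $_SESSION['patient_portal_onsite_two'] = 1;

    $tmp = getUserIDInfo($userData['providerID']);
    $_SESSION['providerName'] = $tmp['fname'].' '.$tmp['lname'];
    $_SESSION['providerUName'] = $tmp['username'];
    $_SESSION['sessionUser'] = '-patient-'; //$_POST['uname'];
    $_SESSION['providerId'] = $userData['providerID']?$userData['providerID']:'undefined';
    $_SESSION['ptName'] = $patient_name;

    $logit->portalLog('login', $_SESSION['pid'], ($_SESSION['portal_username'].': '.$_SESSION['ptName'].':success'));
} else {
    // Reached when portal_pwd_status is neither 0 nor 1 and no password update
    // was accepted in this request.
    $logit->portalLog('login', '', ($_POST['uname'].':not authorized'), '', '0');
    session_destroy();
    header('Location: '.$landingpage.'&w');
    exit;
}

//require_once('summary_pat_portal.php');

//require_once('home.php');
header('Location: ./home.php');
exit;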