portal/get_patient_info.php

   1 <?php
   2 /**
   3  *
   4  * Copyright (C) 2016-2017 Jerry Padgett <sjpadgett@gmail.com>
   5  * Copyright (C) 2011 Cassian LUP <cassi.lup@gmail.com>
   6  *
   7  * LICENSE: This program is free software; you can redistribute it and/or
   8  * modify it under the terms of the GNU General Public License
   9  * as published by the Free Software Foundation; either version 3
  10  * of the License, or (at your option) any later version.
  11  * This program is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  14  * GNU General Public License for more details.
  15  * You should have received a copy of the GNU General Public License
  16  * along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>;.
  17  *
  18  * @package OpenEMR
  19  * @author Cassian LUP <cassi.lup@gmail.com>
  20  * @author Jerry Padgett <sjpadgett@gmail.com>
  21  * @link http://www.open-emr.org
  22  *
  23  */
  24 // starting the PHP session (also regenerating the session id to avoid session fixation attacks)
  25 session_start();
  26 session_regenerate_id(true);
  27 //
  28
  29 // landing page definition -- where to go if something goes wrong
  30 $landingpage = "index.php?site=" . $_SESSION['site_id'];
  31 //
  32
  33 // checking whether the request comes from index.php
  34 if (! isset($_SESSION['itsme'])) {
  35     session_destroy();
  36     header('Location: ' . $landingpage . '&w');
  37     exit();
  38 }
  39
  40 // some validation
  41 if (! isset($_POST['uname']) || empty($_POST['uname'])) {
  42     session_destroy();
  43     header('Location: ' . $landingpage . '&w&c');
  44     exit();
  45 }
  46
  47 if (! isset($_POST['pass']) || empty($_POST['pass'])) {
  48     session_destroy();
  49     header('Location: ' . $landingpage . '&w&c');
  50     exit();
  51 }
  52
  53 require_once(dirname(__FILE__) . "/lib/appsql.class.php");
  54 $logit = new ApplicationTable();
  55
  56 // set the language
  57 if (! empty($_POST['languageChoice'])) {
  58     $_SESSION['language_choice'] = (int) $_POST['languageChoice'];
  59 } else if (empty($_SESSION['language_choice'])) {
  60     // just in case both are empty, then use english
  61     $_SESSION['language_choice'] = 1;
  62 } else {
  63     // keep the current session language token
  64 }
  65
  66 // Settings that will override globals.php
  67 $ignoreAuth = 1;
  68 //
  69
  70 // Authentication
  71 require_once('../interface/globals.php');
  72 require_once("$srcdir/authentication/common_operations.php");
  73 require_once("$srcdir/user.inc");
  74 $password_update = isset($_SESSION['password_update']);
  75 unset($_SESSION['password_update']);
  76 $plain_code = $_POST['pass'];
  77
  78 $authorizedPortal = false; // flag
  79 DEFINE("TBL_PAT_ACC_ON", "patient_access_onsite");
  80 DEFINE("COL_PID", "pid");
  81 DEFINE("COL_POR_PWD", "portal_pwd");
  82 DEFINE("COL_POR_USER", "portal_username");
  83 DEFINE("COL_POR_SALT", "portal_salt");
  84 DEFINE("COL_POR_PWD_STAT", "portal_pwd_status");
  85 $sql = "SELECT " . implode(",", array(
  86     COL_ID,
  87     COL_PID,
  88     COL_POR_PWD,
  89     COL_POR_SALT,
  90     COL_POR_PWD_STAT
  91 )) . " FROM " . TBL_PAT_ACC_ON . " WHERE " . COL_POR_USER . "=?";
  92 $auth = privQuery($sql, array(
  93     $_POST['uname']
  94 ));
  95 if ($auth === false) {
  96     $logit->portalLog('login attempt', '', ($_POST['uname'] . ':invalid username'), '', '0');
  97     session_destroy();
  98     header('Location: ' . $landingpage . '&w&u');
  99     exit();
 100 }
 101
 102 if (empty($auth[COL_POR_SALT])) {
 103     if (SHA1($plain_code) != $auth[COL_POR_PWD]) {
 104         $logit->portalLog('login attempt', '', ($_POST['uname'] . ':pass not salted'), '', '0');
 105         session_destroy();
 106         header('Location: ' . $landingpage . '&w&p');
 107         exit();
 108     }
 109
 110     $new_salt = oemr_password_salt();
 111     $new_hash = oemr_password_hash($plain_code, $new_salt);
 112     $sqlUpdatePwd = " UPDATE " . TBL_PAT_ACC_ON . " SET " . COL_POR_PWD . "=?, " . COL_POR_SALT . "=? " . " WHERE " . COL_ID . "=?";
 113     privStatement($sqlUpdatePwd, array(
 114         $new_hash,
 115         $new_salt,
 116         $auth[COL_ID]
 117     ));
 118 } else {
 119     $tmp = oemr_password_hash($plain_code, $auth[COL_POR_SALT]);
 120     if ($tmp != $auth[COL_POR_PWD]) {
 121         $logit->portalLog('login attempt', '', ($_POST['uname'] . ':invalid password'), '', '0');
 122         session_destroy();
 123         header('Location: ' . $landingpage . '&w&p');
 124         exit();
 125     }
 126 }
 127
 128 $_SESSION['portal_username'] = $_POST['uname'];
 129 $sql = "SELECT * FROM `patient_data` WHERE `pid` = ?";
 130
 131 if ($userData = sqlQuery($sql, array(
 132     $auth['pid']
 133 ))) { // if query gets executed
 134
 135     if (empty($userData)) {
 136         $logit->portalLog('login attempt', '', ($_POST['uname'] . ':not active patient'), '', '0');
 137         session_destroy();
 138         header('Location: ' . $landingpage . '&w');
 139         exit();
 140     }
 141
 142     if ($userData['email'] != $_POST['passaddon']) {
 143         $logit->portalLog('login attempt', '', ($_POST['uname'] . ':invalid email'), '', '0');
 144         session_destroy();
 145         header('Location: ' . $landingpage . '&w');
 146         exit();
 147     }
 148
 149     if ($userData['allow_patient_portal'] != "YES") {
 150         // Patient has not authorized portal, so escape
 151         $logit->portalLog('login attempt', '', ($_POST['uname'] . ':allow portal turned off'), '', '0');
 152         session_destroy();
 153         header('Location: ' . $landingpage . '&w');
 154         exit();
 155     }
 156
 157     if ($auth['pid'] != $userData['pid']) {
 158         // Not sure if this is even possible, but should escape if this happens
 159         session_destroy();
 160         header('Location: ' . $landingpage . '&w');
 161         exit();
 162     }
 163
 164     if ($password_update) {
 165         $code_new = $_POST['pass_new'];
 166         $code_new_confirm = $_POST['pass_new_confirm'];
 167         if (! (empty($_POST['pass_new'])) && ! (empty($_POST['pass_new_confirm'])) && ($code_new == $code_new_confirm)) {
 168             $new_salt = oemr_password_salt();
 169             $new_hash = oemr_password_hash($code_new, $new_salt);
 170
 171             // Update the password and continue (patient is authorized)
 172             privStatement(
 173                 "UPDATE " . TBL_PAT_ACC_ON . "  SET " . COL_POR_PWD . "=?," . COL_POR_SALT . "=?," . COL_POR_PWD_STAT . "=1 WHERE id=?",
 174                 array(
 175                         $new_hash,
 176                         $new_salt,
 177                         $auth['id']
 178                 )
 179             );
 180             $authorizedPortal = true;
 181             $logit->portalLog(
 182                 'password update',
 183                 $auth['pid'],
 184                 ($_SESSION['portal_username'] . ': ' . $_SESSION['ptName'] . ':success')
 185             );
 186         }
 187     }
 188
 189     if ($auth['portal_pwd_status'] == 0) {
 190         if (! $authorizedPortal) {
 191             // Need to enter a new password in the index.php script
 192             $_SESSION['password_update'] = 1;
 193             header('Location: ' . $landingpage);
 194             exit();
 195         }
 196     }
 197
 198     if ($auth['portal_pwd_status'] == 1) {
 199         // continue (patient is authorized)
 200         $authorizedPortal = true;
 201     }
 202
 203     if ($authorizedPortal) {
 204         // patient is authorized (prepare the session variables)
 205         unset($_SESSION['password_update']); // just being safe
 206         unset($_SESSION['itsme']); // just being safe
 207         $_SESSION['pid'] = $auth['pid'];
 208         $_SESSION['patient_portal_onsite_two'] = 1;
 209
 210         $tmp = getUserIDInfo($userData['providerID']);
 211         $_SESSION['providerName'] = $tmp['fname'] . ' ' . $tmp['lname'];
 212         $_SESSION['providerUName'] = $tmp['username'];
 213         $_SESSION['sessionUser'] = '-patient-'; // $_POST['uname'];
 214         $_SESSION['providerId'] = $userData['providerID'] ? $userData['providerID'] : 'undefined';
 215         $_SESSION['ptName'] = $userData['fname'] . ' ' . $userData['lname'];
 216
 217         $logit->portalLog('login', $_SESSION['pid'], ($_SESSION['portal_username'] . ': ' . $_SESSION['ptName'] . ':success'));
 218     } else {
 219         $logit->portalLog('login', '', ($_POST['uname'] . ':not authorized'), '', '0');
 220         session_destroy();
 221         header('Location: ' . $landingpage . '&w');
 222         exit();
 223     }
 224 } else { // problem with query
 225     session_destroy();
 226     header('Location: ' . $landingpage . '&w');
 227     exit();
 228 }
 229 header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
 230 header("Cache-Control: no-cache");
 231 header("Pragma: no-cache");
 232 header('Location: ./home.php');
 233 exit();