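<?php
// Copyright (C) 2007 Brady Miller <brady@sparmy.com>
//
// This program is free software; you can redistribute it and/or
// modify it under the terms of the GNU General Public License
// as published by the Free Software Foundation; either version 2
// of the License, or (at your option) any later version.
//
//
// This file contains functions that service ajax requests for
// ACL(php-gacl) administration within OpenEMR. All returns are
// done via xml.
//
// Important - Ensure that display_errors=Off in php.ini settings.

include_once("../../interface/globals.php");
include_once("$srcdir/acl.inc");

header("Content-type: text/xml");
header("Cache-Control: no-cache");

//initiate error array
$error = array();

//PENDING, need to clean this up on client side
//ensure user has proper access
// NOTE(review): this ACL check is the only authorization gate for every
// state-changing action below; no anti-CSRF token is verified on this POST
// endpoint, so the session-bound result of acl_check() is all that protects it.
if (!acl_check('admin', 'acl')) {
    echo error_xml(xl('ACL Administration Not Authorized'));
    exit;
}

//ensure php-gacl is installed
if (!isset($phpgacl_location)) {
    echo error_xml(xl('PHP-gacl is not installed'));
    exit;
}

// Read the request fields once. Missing or non-string values default to ""
// so that absent keys raise no notices and cannot satisfy any comparison.
// "selection" is normalized to an array because it is indexed, searched and
// counted below; a scalar "selection" is treated as "nothing selected".
$control      = (isset($_POST["control"]) && is_string($_POST["control"])) ? $_POST["control"] : "";
$action       = (isset($_POST["action"]) && is_string($_POST["action"])) ? $_POST["action"] : "";
$name         = (isset($_POST["name"]) && is_string($_POST["name"])) ? $_POST["name"] : "";
$title        = (isset($_POST["title"]) && is_string($_POST["title"])) ? $_POST["title"] : "";
$identifier   = (isset($_POST["identifier"]) && is_string($_POST["identifier"])) ? $_POST["identifier"] : "";
$return_value = (isset($_POST["return_value"]) && is_string($_POST["return_value"])) ? $_POST["return_value"] : "";
$description  = (isset($_POST["description"]) && is_string($_POST["description"])) ? $_POST["description"] : "";
$selection    = (isset($_POST["selection"]) && is_array($_POST["selection"])) ? $_POST["selection"] : array();

// The client posts the placeholder "null" as the first entry when the user
// picked nothing; an empty array is treated the same way.
$no_selection = (!isset($selection[0]) || $selection[0] === "null");

// Response body returned by the acl add/remove actions on success.
$success_xml = "<?xml version=\"1.0\"?>\n" .
    "<response>\n" .
    "\t<success>SUCCESS</success>\n" .
    "</response>\n";

//PROCESS USERNAME REQUESTS
if ($control === "username") {
    if ($action === "list") {
        //return username list with alert if user is not joined to group
        echo username_listings_xml($error);
    }
}

//PROCESS MEMBERSHIP REQUESTS
if ($control === "membership") {
    if ($action === "list") {
        //return membership data
        echo user_group_listings_xml($name, $error);
    }

    if ($action === "add") {
        if ($no_selection) {
            //no selection, return soft error, and just return membership data
            $error[] = xl('No group was selected') . "!";
            echo user_group_listings_xml($name, $error);
            exit;
        }
        //add the group, then return updated membership data
        add_user_aros($name, $selection);
        echo user_group_listings_xml($name, $error);
    }

    if ($action === "remove") {
        if ($no_selection) {
            //no selection, return soft error, and just return membership data
            $error[] = xl('No group was selected') . "!";
            echo user_group_listings_xml($name, $error);
            exit;
        }
        if (($name === "admin") && in_array("Administrators", $selection, true)) {
            //unable to remove admin user from administrators group, process remove,
            // send soft error, then return data
            // NOTE(review): the removal still runs with the full selection, so this
            // relies on remove_user_aros() itself refusing the admin/Administrators
            // pair - confirm that in acl.inc.
            $error[] = xl('Not allowed to remove the admin user from the Administrators group') . "!";
            remove_user_aros($name, $selection);
            echo user_group_listings_xml($name, $error);
            exit;
        }
        //remove the group(s), then return updated membership data
        remove_user_aros($name, $selection);
        echo user_group_listings_xml($name, $error);
    }
}

//PROCESS ACL REQUESTS
if ($control === "acl") {
    if ($action === "list") {
        //return acl titles with return values
        echo acl_listings_xml($error);
    }

    if ($action === "add") {
        //validate form data; every message is prefixed with the field name
        //so the client can attach it to the right input
        $form_error = false;
        if (empty($title)) {
            $form_error = true;
            $error[] = "title_" . xl('Need to enter title') . "!";
        } else if (!ctype_alpha(str_replace(' ', '', $title))) {
            $form_error = true;
            $error[] = "title_" . xl('Please only use alphabetic characters') . "!";
        } else if (acl_exist($title, false, $return_value)) {
            $form_error = true;
            $error[] = "title_" . xl('Already used, choose another title') . "!";
        }
        if (empty($identifier)) {
            $form_error = true;
            $error[] = "identifier_" . xl('Need to enter identifier') . "!";
        } else if (!ctype_alpha($identifier)) {
            $form_error = true;
            $error[] = "identifier_" . xl('Please only use alphabetic characters with no spaces') . "!";
        } else if (acl_exist(false, $identifier, $return_value)) {
            $form_error = true;
            $error[] = "identifier_" . xl('Already used, choose another identifier') . "!";
        }
        if (empty($return_value)) {
            $form_error = true;
            $error[] = "return_" . xl('Need to enter a Return Value') . "!";
        }
        if (empty($description)) {
            $form_error = true;
            $error[] = "description_" . xl('Need to enter a description') . "!";
        } else if (!ctype_alpha(str_replace(' ', '', $description))) {
            $form_error = true;
            $error[] = "description_" . xl('Please only use alphabetic characters') . "!";
        }
        //process if data is valid
        if (!$form_error) {
            acl_add($title, $identifier, $return_value, $description);
            echo $success_xml;
        } else { //$form_error = true, so return errors
            echo error_xml($error);
        }
    }

    if ($action === "remove") {
        //validate form data
        $form_error = false;
        if (empty($title)) {
            $form_error = true;
            $error[] = "aclTitle_" . xl('Need to enter title') . "!";
        }
        if ($title === "Administrators") {
            $form_error = true;
            $error[] = "aclTitle_" . xl('Not allowed to delete the Administrators group') . "!";
        }
        //process if data is valid
        if (!$form_error) {
            acl_remove($title, $return_value);
            echo $success_xml;
        } else { //$form_error = true, so return errors
            echo error_xml($error);
        }
    }

    if ($action === "returns") {
        //simply return all the possible acl return_values
        echo return_values_xml($error);
    }
}

//PROCESS ACO REQUESTS
if ($control === "aco") {
    if ($action === "list") {
        //send acl data
        echo aco_listings_xml($name, $return_value, $error);
    }

    if ($action === "add") {
        if ($no_selection) {
            //no selection, return soft error, and just return data
            $error[] = xl('Nothing was selected') . "!";
            echo aco_listings_xml($name, $return_value, $error);
            exit;
        }
        //add the aco, then return updated membership data
        acl_add_acos($name, $return_value, $selection);
        echo aco_listings_xml($name, $return_value, $error);
    }

    if ($action === "remove") {
        if ($no_selection) {
            //no selection, return soft error, and just return data
            $error[] = xl('Nothing was selected') . "!";
            echo aco_listings_xml($name, $return_value, $error);
            exit;
        }
        if ($name === "Administrators") {
            //will not allow removal of acos from Administrators ACL
            $error[] = xl('Not allowed to inactivate anything from the Administrators ACL') . "!";
            echo aco_listings_xml($name, $return_value, $error);
            exit;
        }
        // acl_count_acos() may hand back the count as a string, so cast
        // before the strict comparison rather than fall through on a type mismatch.
        if (count($selection) === (int) acl_count_acos($name, $return_value)) {
            //will not allow removal of all aco objects
            $error[] = xl('Not allowed to inactivate all security objects') . "!";
            echo aco_listings_xml($name, $return_value, $error);
            exit;
        }
        //remove the acos, then return updated data
        acl_remove_acos($name, $return_value, $selection);
        echo aco_listings_xml($name, $return_value, $error);
    }
}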
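// Returns username listings via xml message.
// It will also include alert if user is not joined
// to a group yet
// $err = error strings (array)
// Returns the xml document as a string.
function username_listings_xml($err) {
    $message = "<?xml version=\"1.0\"?>\n" .
        "<response>\n";

    // Buffer every row first so the group lookups below run after the
    // users cursor has been fully consumed.
    $res = sqlStatement("select * from users where username != '' order by username");
    $rows = array();
    while ($row = sqlFetchArray($res)) {
        $rows[] = $row;
    }

    foreach ($rows as $row) {
        $username = $row["username"];
        // Values are escaped so a username containing '&' or '<' cannot break the document.
        $message .= "\t<user>\n" .
            "\t\t<username>" . htmlspecialchars((string) $username, ENT_QUOTES) . "</username>\n";
        //note acl_get_group_titles() returns a 0 if user in no groups
        if (!acl_get_group_titles($username)) {
            //not joined to any group, so send alert
            $message .= "\t\t<alert>no membership</alert>\n";
        }
        $message .= "\t</user>\n";
    }

    if (is_array($err)) {
        foreach ($err as $value) {
            $message .= "\t<error>" . htmlspecialchars((string) $value, ENT_QUOTES) . "</error>\n";
        }
    }
    $message .= "</response>\n";
    return $message;
}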
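// Returns user group listings(active and inactive lists)
// via xml message.
// $username = username
// $err = error strings (array)
// Returns the xml document as a string.
function user_group_listings_xml($username, $err) {
    $list_acl_groups = acl_get_group_title_list();
    //note acl_get_group_titles() returns a 0 if user in no groups
    $username_acl_groups = acl_get_group_titles($username);

    $message = "<?xml version=\"1.0\"?>\n" .
        "<response>\n" .
        "\t<inactive>\n";
    // A group is inactive for this user when the user is in no group at all
    // or the group is not among the user's titles.
    foreach ($list_acl_groups as $group_title) {
        if (!$username_acl_groups || !in_array($group_title, $username_acl_groups)) {
            $message .= "\t\t<group>" . htmlspecialchars((string) $group_title, ENT_QUOTES) . "</group>\n";
        }
    }

    $message .= "\t</inactive>\n" .
        "\t<active>\n";
    if ($username_acl_groups) {
        foreach ($username_acl_groups as $group_title) {
            $message .= "\t\t<group>" . htmlspecialchars((string) $group_title, ENT_QUOTES) . "</group>\n";
        }
    }
    $message .= "\t</active>\n";

    if (is_array($err)) {
        foreach ($err as $value) {
            $message .= "\t<error>" . htmlspecialchars((string) $value, ENT_QUOTES) . "</error>\n";
        }
    }
    $message .= "</response>\n";
    return $message;
}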
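// Returns acl listings(including return value) via xml message.
// $err = error strings (array)
// Returns the xml document as a string.
function acl_listings_xml($err) {
    global $phpgacl_location;
    include_once("$phpgacl_location/gacl_api.class.php");
    $gacl = new gacl_api();

    $message = "<?xml version=\"1.0\"?>\n" .
        "<response>\n";
    foreach (acl_get_group_title_list() as $group_title) {
        // One group title may map to several acl ids (one per return value).
        $acl_ids = $gacl->search_acl(false, false, false, false, $group_title, false, false, false, false);
        foreach ($acl_ids as $acl_id) {
            $acl = $gacl->get_acl($acl_id);
            $message .= "\t<acl>\n" .
                "\t\t<title>" . htmlspecialchars((string) $group_title, ENT_QUOTES) . "</title>\n" .
                "\t\t<return>" . htmlspecialchars((string) $acl["return_value"], ENT_QUOTES) . "</return>\n" .
                "\t\t<note>" . htmlspecialchars((string) $acl["note"], ENT_QUOTES) . "</note>\n" .
                "\t</acl>\n";
        }
    }

    if (is_array($err)) {
        foreach ($err as $value) {
            $message .= "\t<error>" . htmlspecialchars((string) $value, ENT_QUOTES) . "</error>\n";
        }
    }
    $message .= "</response>\n";
    return $message;
}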
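// Return aco listings by sections(active and inactive lists)
// via xml message.
// $group = group title (string)
// $return_value = return value (string)
// $err = error strings (array)
// Returns the xml document as a string.
function aco_listings_xml($group, $return_value, $err) {
    global $phpgacl_location;
    include_once("$phpgacl_location/gacl_api.class.php");
    $gacl = new gacl_api();

    //collect and sort all aco objects (section => list of aco values)
    $list_aco_objects = $gacl->get_objects(NULL, 0, 'ACO');
    foreach (array_keys($list_aco_objects) as $section) {
        asort($list_aco_objects[$section]);
    }

    //collect aco objects within the specified acl(already sorted)
    // If no acl matches the group/return value pair, nothing is active and
    // every aco is listed as inactive instead of indexing a missing result.
    $acl_ids = $gacl->search_acl(false, false, false, false, $group, false, false, false, $return_value);
    $active_aco_objects = array();
    if (!empty($acl_ids)) {
        $acl = $gacl->get_acl($acl_ids[0]);
        if (is_array($acl) && isset($acl["aco"]) && is_array($acl["aco"])) {
            $active_aco_objects = $acl["aco"];
        }
    }

    $message = "<?xml version=\"1.0\"?>\n" .
        "<response>\n" .
        "\t<inactive>\n";
    foreach ($list_aco_objects as $section => $aco_values) {
        // The <section> element is only opened once the first inactive aco is found.
        $section_open = false;
        foreach ($aco_values as $aco_value) {
            $is_active = array_key_exists($section, $active_aco_objects)
                && in_array($aco_value, $active_aco_objects[$section]);
            if ($is_active) {
                continue;
            }
            if (!$section_open) {
                $section_open = true;
                $message .= "\t\t<section>\n" .
                    "\t\t\t<name>" . htmlspecialchars((string) $section, ENT_QUOTES) . "</name>\n";
            }
            $aco_id = $gacl->get_object_id($section, $aco_value, 'ACO');
            $aco_data = $gacl->get_object_data($aco_id, 'ACO');
            // column 3 of the first row holds the aco title
            $aco_title = $aco_data[0][3];
            $message .= "\t\t\t<aco>\n" .
                "\t\t\t\t<title>" . htmlspecialchars((string) $aco_title, ENT_QUOTES) . "</title>\n" .
                "\t\t\t\t<id>" . htmlspecialchars((string) $aco_id, ENT_QUOTES) . "</id>\n" .
                "\t\t\t</aco>\n";
        }
        if ($section_open) {
            $message .= "\t\t</section>\n";
        }
    }

    $message .= "\t</inactive>\n" .
        "\t<active>\n";
    foreach ($active_aco_objects as $section => $aco_values) {
        $message .= "\t\t<section>\n" .
            "\t\t\t<name>" . htmlspecialchars((string) $section, ENT_QUOTES) . "</name>\n";
        foreach ($aco_values as $aco_value) {
            $aco_id = $gacl->get_object_id($section, $aco_value, 'ACO');
            $aco_data = $gacl->get_object_data($aco_id, 'ACO');
            // column 3 of the first row holds the aco title
            $aco_title = $aco_data[0][3];
            $message .= "\t\t\t<aco>\n" .
                "\t\t\t\t<title>" . htmlspecialchars((string) $aco_title, ENT_QUOTES) . "</title>\n" .
                "\t\t\t\t<id>" . htmlspecialchars((string) $aco_id, ENT_QUOTES) . "</id>\n" .
                "\t\t\t</aco>\n";
        }
        $message .= "\t\t</section>\n";
    }
    $message .= "\t</active>\n";

    if (is_array($err)) {
        foreach ($err as $value) {
            $message .= "\t<error>" . htmlspecialchars((string) $value, ENT_QUOTES) . "</error>\n";
        }
    }
    $message .= "</response>\n";
    return $message;
}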
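// Returns listing of all possible return values via xml message.
// $err = error strings (array)
// Returns the xml document as a string.
function return_values_xml($err) {
    global $phpgacl_location;
    include_once("$phpgacl_location/gacl_api.class.php");
    $gacl = new gacl_api();

    // return values already emitted, so each one appears once
    $seen_returns = array();

    $message = "<?xml version=\"1.0\"?>\n" .
        "<response>\n";
    foreach (acl_get_group_title_list() as $group_title) {
        $acl_ids = $gacl->search_acl(false, false, false, false, $group_title, false, false, false, false);
        foreach ($acl_ids as $acl_id) {
            $acl = $gacl->get_acl($acl_id);
            $ret = $acl["return_value"];
            if (in_array($ret, $seen_returns)) {
                continue;
            }
            $seen_returns[] = $ret;
            $message .= "\t<return>" . htmlspecialchars((string) $ret, ENT_QUOTES) . "</return>\n";
        }
    }

    if (is_array($err)) {
        foreach ($err as $value) {
            $message .= "\t<error>" . htmlspecialchars((string) $value, ENT_QUOTES) . "</error>\n";
        }
    }
    $message .= "</response>\n";
    return $message;
}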
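// Returns error string(s) via xml
// $err = error (string or array)
// Returns the xml document as a string; each message is escaped so
// '&', '<' or quotes in a message cannot break the document.
function error_xml($err) {
    $message = "<?xml version=\"1.0\"?>\n" .
        "<response>\n";
    // A single string is treated as a one-element list.
    $errors = is_array($err) ? $err : array($err);
    foreach ($errors as $value) {
        $message .= "\t<error>" . htmlspecialchars((string) $value, ENT_QUOTES) . "</error>\n";
    }
    $message .= "</response>\n";
    return $message;
}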