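<?php
/**
 * main.php
 *
 * Top-level tabbed UI page. Entry is gated by a one-time token kept in the
 * session so that this script cannot be opened directly, copied as a link,
 * or refreshed.
 *
 * @package OpenEMR
 * @link http://www.open-emr.org
 * @author Kevin Yeh <kevin.y@integralemr.com>
 * @author Brady Miller <brady.g.miller@gmail.com>
 * @copyright Copyright (c) 2016 Kevin Yeh <kevin.y@integralemr.com>
 * @copyright Copyright (c) 2016 Brady Miller <brady.g.miller@gmail.com>
 * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
 */

require_once('../../globals.php');
require_once $GLOBALS['srcdir'].'/ESign/Api.php';

use Esign\Api;
use OpenEMR\Core\Header;

// Ensure token_main matches so this script can not be run by itself.
// The supplied token must be a plain string (a query array such as
// token_main[]=x is rejected) and is compared with hash_equals(): a strict,
// constant-time comparison, so numeric-looking tokens are not subject to the
// loose "!=" rules and the check does not leak match length through timing.
if (empty($_SESSION['token_main_php'])
    || empty($_GET['token_main'])
    || !is_string($_GET['token_main'])
    || !hash_equals((string) $_SESSION['token_main_php'], $_GET['token_main'])
) {
    die(xlt('Authentication Error'));
}

// Consume the token: this will not allow copy/paste of the link to this
// main.php page or a refresh of this main.php page.
unset($_SESSION['token_main_php']);

$esignApi = new Api();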
32 ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
33 <html>
34 <head>
35 <title><?php echo text($openemr_name); ?></title>
<script type="text/javascript">
<?php require($GLOBALS['srcdir'] . "/restoreSession.php"); ?>

// "1" when the onsite portal is enabled, otherwise the empty string. Note this
// is a string, so test it by truthiness (as goRepeaterServices does), not with ===.
var isPortalEnabled = "<?php echo ($GLOBALS['portal_onsite_two_enable'] == 1) ? '1' : ''; ?>";

// Since this should be the parent window, this is to prevent calls to the
// window that opened this window. For example when a new window is opened
// from the Patient Flow Board or the Patient Finder.
window.opener = null;

// This flag indicates if another window or frame is trying to reload the login
// page to this top-level window. It is set by javascript returned by auth.inc
// and is checked by handlers of beforeunload events.
var timed_out = false;

// Include this variable for backward compatibility
var loadedFrameCount = 0;
var tab_mode = true;
/**
 * Stub kept for backward compatibility with the old frame race-condition
 * mechanism; in tab mode there is nothing to wait for.
 * @returns {boolean} always true
 */
function allFramesLoaded() {
    return true;
}
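// Polls the server for the reminder count, the portal alert counts (when the
// portal is enabled) and then kicks the background services. Every request
// carries skip_timeout_reset so it does not count as a manual entry in the
// timing out mechanism in OpenEMR, plus the CSRF token the ajax endpoints expect.
function goRepeaterServices() {
    top.restoreSession();
    $.post("<?php echo $GLOBALS['webroot']; ?>/library/ajax/dated_reminders_counter.php",
        {
            skip_timeout_reset: "1",
            csrf_token_form: "<?php echo attr(collectCsrfToken()); ?>"
        },
        function (data) {
            // Go knockout.js
            app_view_model.application_data.user().messages(data);
        }
    );

    // Notify App for various portal alerts
    if (isPortalEnabled) {
        top.restoreSession();
        $.post("<?php echo $GLOBALS['webroot']; ?>/library/ajax/dated_reminders_counter.php",
            {
                skip_timeout_reset: "1",
                isPortal: "1",
                csrf_token_form: "<?php echo attr(collectCsrfToken()); ?>"
            },
            function (counts) {
                // Parse into a local: the original assigned to an undeclared
                // "data", which leaks an implicit global.
                let portalCounts = JSON.parse(counts);
                let mail = portalCounts.mailCnt;
                let chats = portalCounts.chatCnt;
                let audits = portalCounts.auditCnt;
                let total = portalCounts.total;
                // Mail and audit counts decide whether the portal indicator is shown.
                let enable = (1 * mail) + (1 * audits);

                app_view_model.application_data.user().portal(enable);
                if (enable) {
                    app_view_model.application_data.user().portalAlerts(total);
                    app_view_model.application_data.user().portalAudits(audits);
                    app_view_model.application_data.user().portalMail(mail);
                    app_view_model.application_data.user().portalChats(chats);
                }
            }
        );
    }

    top.restoreSession();
    // run background-services
    $.post("<?php echo $GLOBALS['webroot']; ?>/library/ajax/execute_background_services.php",
        {
            skip_timeout_reset: "1",
            ajax: "1",
            csrf_token_form: "<?php echo attr(collectCsrfToken()); ?>"
        }
    );
}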
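// auto run this function every 60 seconds
// Pass the function reference rather than the string "goRepeaterServices()":
// same effect, but no string-to-code evaluation (which a strict CSP forbids).
// NOTE(review): setTimeout fires once, so after the initial call in
// $(document).ready() this schedules exactly one further run — confirm whether
// setInterval was intended by the comment above.
var repeater = setTimeout(goRepeaterServices, 60000);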
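// Returns whether the given encounter is locked. When encounter locking is
// enabled this makes a synchronous (async=false) POST to the esign module so
// the caller can branch on the answer immediately; otherwise it is always false.
function isEncounterLocked(encounterId) {
<?php if ($esignApi->lockEncounters()) { ?>
    // Declared locally (the original assigned an undeclared global) and
    // defaulted to false, so a failed request yields false instead of
    // undefined — both falsy, so callers behave as before.
    var encounter_locked = false;
    // Call restore session, just in case
    top.restoreSession();
    $.ajax({
        type: 'POST',
        url: '<?php echo $GLOBALS['webroot']; ?>/interface/esign/index.php?module=encounter&method=esign_is_encounter_locked',
        data: {
            encounterId: encounterId,
            // Sent for parity with the other POSTs in this file; it only has
            // effect if the esign endpoint verifies it — confirm server side.
            csrf_token_form: "<?php echo attr(collectCsrfToken()); ?>"
        },
        success: function (data) {
            encounter_locked = data;
        },
        dataType: 'json',
        async: false
    });
    return encounter_locked;
<?php } else { ?>
    // If encounter locking isn't enabled then always return false
    return false;
<?php } ?>
}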
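// Emitted with json_encode() so each value is a valid JS string literal
// whatever it contains (the original dropped them into quotes unescaped).
var webroot_url = <?php echo json_encode($web_root); ?>;
var jsLanguageDirection = <?php echo json_encode(isset($_SESSION['language_direction']) ? $_SESSION['language_direction'] : ''); ?>;
</script>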
145 <?php Header::setupHeader(["knockout","tabs-theme",'jquery-ui']); ?>
148 <link rel="shortcut icon" href="<?php echo $GLOBALS['images_static_relative']; ?>/favicon.ico" />
150 <script type="text/javascript" src="js/custom_bindings.js?v=<?php echo $v_js_includes; ?>"></script>
151 <script type="text/javascript" src="js/user_data_view_model.js?v=<?php echo $v_js_includes; ?>"></script>
152 <script type="text/javascript" src="js/patient_data_view_model.js?v=<?php echo $v_js_includes; ?>"></script>
153 <script type="text/javascript" src="js/therapy_group_data_view_model.js?v=<?php echo $v_js_includes; ?>"></script>
<script type="text/javascript">
// Translations consumed by menuActionClick() in js/tabs_view_model.js (loaded
// right below); the patient message depends on whether group therapy is enabled.
var xl_strings_tabs_view_model = <?php echo json_encode(array(
    'encounter_locked' => xla('This encounter is locked. No new forms can be added.'),
    'must_select_patient' => $GLOBALS['enable_group_therapy']
        ? xla('You must first select or add a patient or therapy group.')
        : xla('You must first select or add a patient.'),
    'must_select_encounter' => xla('You must first select or create an encounter.'),
    'new' => xla('New'),
)); ?>;
</script>
165 <script type="text/javascript" src="js/tabs_view_model.js?v=<?php echo $v_js_includes; ?>"></script>
167 <script type="text/javascript" src="js/application_view_model.js?v=<?php echo $v_js_includes; ?>"></script>
168 <script type="text/javascript" src="js/frame_proxies.js?v=<?php echo $v_js_includes; ?>"></script>
169 <script type="text/javascript" src="js/dialog_utils.js?v=<?php echo $v_js_includes; ?>"></script>
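<?php
// Below code block is to prepare certain elements for deciding what links to show on the menu

// prepare newcrop globals that are used in creating the menu
if ($GLOBALS['erx_enable']) {
    $newcrop_user_role_sql = sqlQuery("SELECT `newcrop_user_role` FROM `users` WHERE `username` = ?", array($_SESSION['authUser']));
    // Guard against sqlQuery() returning no row (e.g. an unknown username)
    // instead of indexing into a non-array.
    $GLOBALS['newcrop_user_role'] = isset($newcrop_user_role_sql['newcrop_user_role'])
        ? $newcrop_user_role_sql['newcrop_user_role']
        : null;
    if ($GLOBALS['newcrop_user_role'] === 'erxadmin') {
        $GLOBALS['newcrop_user_role_erxadmin'] = 1;
    }
}

// prepare track anything to be used in creating the menu
$track_anything_sql = sqlQuery("SELECT `state` FROM `registry` WHERE `directory` = 'track_anything'");
// Same guard: the registry row may be absent.
$GLOBALS['track_anything_state'] = isset($track_anything_sql['state']) ? $track_anything_sql['state'] : null;

// prepare Issues popup link global that is used in creating the menu
$GLOBALS['allow_issue_menu_link'] = (
    (acl_check('encounters', 'notes', '', 'write') || acl_check('encounters', 'notes_a', '', 'write'))
    && acl_check('patients', 'med', '', 'write')
);
?>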
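<?php require_once("templates/tabs_template.php"); ?>
<?php require_once("templates/menu_template.php"); ?>
<?php require_once("templates/patient_data_template.php"); ?>
<?php require_once("templates/therapy_group_template.php"); ?>
<?php require_once("templates/user_data_template.php"); ?>
<?php require_once("menu/menu_json.php"); ?>
<?php
// Only the display name is used below; selecting just these columns keeps the
// password hash and other user fields out of this page.
$userQuery = sqlQuery("SELECT `fname`, `lname` FROM `users` WHERE `username` = ?", array($_SESSION['authUser']));
?>
<script type="text/javascript">
<?php // Restore the first two tabs recorded in the session, when present. ?>
<?php if (!empty($_SESSION['frame1url']) && !empty($_SESSION['frame1target'])) { ?>
    app_view_model.application_data.tabs.tabsList()[0].url(<?php echo json_encode("../" . $_SESSION['frame1url']); ?>);
    app_view_model.application_data.tabs.tabsList()[0].name(<?php echo json_encode($_SESSION['frame1target']); ?>);
<?php } ?>

<?php if (!empty($_SESSION['frame2url']) && !empty($_SESSION['frame2target'])) { ?>
    app_view_model.application_data.tabs.tabsList()[1].url(<?php echo json_encode("../" . $_SESSION['frame2url']); ?>);
    app_view_model.application_data.tabs.tabsList()[1].name(<?php echo json_encode($_SESSION['frame2target']); ?>);
<?php } ?>

<?php
// $_SESSION{"authUser"} (curly-brace offset access) is deprecated in PHP 7.4 and
// removed in 8.0; square brackets are used instead. All values are
// json_encode()d so they land in the JS as safe literals.
?>
app_view_model.application_data.user(new user_data_view_model(<?php echo json_encode($_SESSION['authUser'])
    . ',' . json_encode($userQuery['fname'])
    . ',' . json_encode($userQuery['lname'])
    . ',' . json_encode($_SESSION['authGroup']); ?>));
</script>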
216 </head>
217 <body>
218 <!-- Below iframe is to support auto logout when timeout is reached -->
219 <iframe name="timeout" style="visibility:hidden; position:absolute; left:0; top:0; height:0; width:0; border:none;" src="timeout_iframe.php"></iframe>
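<?php // mdsupport - app settings
// When the session selects an alternate "app" (list_options list 'apps'), it is
// rendered in a full-window iframe and the standard mainBox is hidden.
$disp_mainBox = '';
if (isset($_SESSION['app1'])) {
    $rs = sqlQuery(
        "SELECT title app_url FROM list_options WHERE activity=1 AND list_id=? AND option_id=?",
        array('apps', $_SESSION['app1'])
    );
    // Require a matching active row: the original compared a possibly missing
    // value with "!=" and would then have rendered an iframe pointing at "../../".
    if (!empty($rs['app_url']) && $rs['app_url'] !== "main/main_screen.php") {
        echo '<iframe name="app1" src="../../' . attr($rs['app_url']) . '"
            style="position:absolute; left:0; top:0; height:100%; width:100%; border:none;" />';
        $disp_mainBox = 'style="display: none;"';
    }
}
?>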
234 <div id="mainBox" <?php echo $disp_mainBox ?>>
235 <div id="dialogDiv"></div>
236 <div class="body_top">
237 <a href="http://www.open-emr.org" title="OpenEMR <?php echo xla("Website"); ?>" target="_blank"><img class="logo" alt="openEMR small logo" border="0" src="<?php echo $GLOBALS['images_static_relative']; ?>/menu-logo.png"></a>
238 <span id="menu logo" data-bind="template: {name: 'menu-template', data: application_data} "></span>
239 <span id="userData" data-bind="template: {name: 'user-data-template', data:application_data} "></span>
240 </div>
241 <div id="attendantData" class="body_title acck" data-bind="template: {name: app_view_model.attendant_template_type, data: application_data} ">
242 </div>
243 <div class="body_title" data-bind="template: {name: 'tabs-controls', data: application_data} "> </div>
245 <div class="mainFrames">
246 <div id="framesDisplay" data-bind="template: {name: 'tabs-frames', data: application_data}"> </div>
247 </div>
248 </div>
<script>
// Hide the dialog container initially, then bind the knockout view model.
$("#dialogDiv").hide();
ko.applyBindings(app_view_model);

$(document).ready(function () {
    $('.dropdown-toggle').dropdown();
    // First poll runs now; a follow-up is scheduled by the setTimeout in the head script.
    goRepeaterServices();
    // Collapse/expand the attendant panel and flip the caret icon to match.
    $('#patient_caret').click(function () {
        $('#attendantData').slideToggle();
        $('#patient_caret')
            .toggleClass('fa-caret-down')
            .toggleClass('fa-caret-up');
    });
});
</script>
262 </body>
263 </html>