| blob | 2e713cd50c1a9a900bbe0357496e9cee5ad858ed |
1 <?php
2 // php-GACL access controls are included in OpenEMR. The below
3 // function will automatically create the path where gacl.class.php
4 // can be found. Note that this path can be manually set below
5 // for users who are using an external version of php-GACL.
6 // Also note that php-GACL access controls can be turned off
7 // below.
9 $phpgacl_location = dirname(__FILE__).'/../gacl';
11 //
12 // If using an external version of phpGACL, then uncomment the following
13 // line and manually place the path below. IN THIS CASE YOU MUST ALSO
14 // COMMENT OUT ABOVE $phpgacl_location ASSIGNMENT ABOVE, OR BACKUPS WILL
15 // NOT RESTORE PROPERLY!
16 //
17 //$phpgacl_location = "/var/www/gacl";
18 //
19 // If you want to turn off php-GACL, then uncomment the following line.
20 // IN THIS CASE YOU MUST ALSO COMMENT OUT ABOVE $phpgacl_location ASSIGNMENT(S)
21 // ABOVE, OR BACKUPS WILL NOT RESTORE PROPERLY!
22 //
23 //unset($phpgacl_location);
24 //
26 // The following Access Control Objects (ACO) are currently supported.
27 // These are the "things to be protected":
28 //
29 // Section "admin" (Administration):
30 // super Superuser - can delete patients, encounters, issues
31 // calendar Calendar Settings
32 // database Database Reporting
33 // forms Forms Administration
34 // practice Practice Settings
35 // superbill Superbill Codes Administration
36 // users Users/Groups/Logs Administration
37 // batchcom Batch Communication Tool
38 // language Language Interface Tool
39 // drugs Pharmacy Dispensary
40 // acl ACL Administration
41 //
42 // Section "acct" (Accounting):
43 // bill Billing (write optional)
44 // disc Allowed to discount prices (in Fee Sheet or Checkout form)
45 // eob EOB Data Entry
46 // rep Financial Reporting - my encounters
47 // rep_a Financial Reporting - anything
48 //
49 // Section "patients" (Patient Information):
50 // appt Appointments (write optional)
51 // demo Demographics (write,addonly optional)
52 // med Medical Records and History (write,addonly optional)
53 // trans Transactions, e.g. referrals (write optional)
54 // docs Documents (write,addonly optional)
55 // notes Patient Notes (write,addonly optional)
56 // sign Sign Lab Results (write,addonly optional)
57 //
58 // Section "encounters" (Encounter Information):
59 // auth Authorize - my encounters
60 // auth_a Authorize - any encounters
61 // coding Coding - my encounters (write,wsome optional)
62 // coding_a Coding - any encounters (write,wsome optional)
63 // notes Notes - my encounters (write,addonly optional)
64 // notes_a Notes - any encounters (write,addonly optional)
65 // date_a Fix encounter dates - any encounters
66 // relaxed Less-private information (write,addonly optional)
67 // (e.g. the Sports Fitness encounter form)
68 //
69 // Section "squads" applies to sports team use only:
70 // acos in this section define the user-specified list of squads
71 //
72 // Section "sensitivities" (Sensitivities):
73 // normal Normal
74 // high High
75 //
76 // Section "lists" (Lists):
77 // default Default List (write,addonly optional)
78 // state State List (write,addonly optional)
79 // country Country List (write,addonly optional)
80 // language Language List (write,addonly optional)
81 // ethrace Ethnicity-Race List (write,addonly optional)
82 //
83 // Section "placeholder" (Placeholder):
84 // filler Placeholder (Maintains empty ACLs)
85 //
86 // Section "nationnotes" (Nation Notes):
87 // nn_configure Nation Notes
89 if (isset ($phpgacl_location)) {
90 include_once("$phpgacl_location/gacl.class.php");
91 $gacl_object = new gacl();
92 //DO NOT CHANGE BELOW VARIABLE
93 $section_aro_value = 'users';
94 }
96 // acl_check should return 0 if access is denied. Otherwise it may
97 // return anything that evaluates to true. In addition if any of the
98 // following types of access are applicable, then the corresponding value
99 // must be returned if and only if such access is granted (ony one may
100 // be specified):
101 //
102 // * write - the user may add or modify the ACO
103 // * wsome - the user has limited add/modify access to the ACO
104 // * addonly - the user may view and add but not modify entries
105 //
106 function acl_check($section, $value, $user = '') {
107 global $gacl_object, $phpgacl_location, $section_aro_value;
108 if (! $user) $user = $_SESSION['authUser'];
110 if ($phpgacl_location) {
111 return $gacl_object->acl_check($section, $value, $section_aro_value, $user);
112 }
114 // If no phpgacl, then apply the old static rules whereby "authorized"
115 // users (providers) can do anything, and other users can do most things.
116 // If you want custom access control but don't want to mess with phpGACL,
117 // then you could customize the code below instead.
119 if ($user == 'admin') return 'write';
120 if ($section == 'admin' && $value == 'super') return 0;
121 if ($_SESSION['userauthorized']) return 'write';
123 if ($section == 'patients') {
124 if ($value == 'med') return 1;
125 return 'write';
126 }
127 else if ($section == 'encounters') {
128 if (strpos($value, 'coding' ) === 0) return 'write';
129 if (strpos($value, 'notes' ) === 0) return 'write';
130 if ($value == 'relaxed') return 'write';
131 }
132 else if ($section != 'admin') {
133 return 'write';
134 }
136 return 0;
137 }
139 // Get the ACO name/value pairs for a designated section. Each value
140 // is an array (section_value, value, order_value, name, hidden).
141 //
142 function acl_get_section_acos($section) {
143 global $phpgacl_location;
144 if ($phpgacl_location) {
145 include_once("$phpgacl_location/gacl_api.class.php");
146 $gacl = new gacl_api();
147 $arr1 = $gacl->get_objects($section, 1, 'ACO');
148 $arr = array();
149 if (!empty($arr1[$section])) {
150 foreach ($arr1[$section] as $value) {
151 $odata = $gacl->get_object_data($gacl->get_object_id($section, $value, 'ACO'), 'ACO');
152 $arr[$value] = $odata[0];
153 }
154 }
155 return $arr;
156 }
157 return 0;
158 }
160 // Return an array keyed on squad ACO names.
161 // This is only applicable for sports team use.
162 //
163 function acl_get_squads() {
164 return acl_get_section_acos('squads');
165 }
167 // Return an array keyed on encounter sensitivity level ACO names.
168 // Sensitivities are useful when some encounter notes are not
169 // medically sensitive (e.g. a physical fitness test), and/or if
170 // some will be "for doctor's eyes only" (e.g. STD treatment).
171 //
172 // When a non-blank sensitivity value exists in the new encounter
173 // form, it names an additional ACO required for access to all forms
174 // in the encounter. If you want some encounters to be non-sensitive,
175 // then you also need some default nonblank sensitivity for normal
176 // encounters, as well as greater encounter notes permissions for
177 // those allowed to view non-sensitive encounters.
178 //
179 function acl_get_sensitivities() {
180 return acl_get_section_acos('sensitivities');
181 }
183 //
184 // Returns true if aco exist
185 // Returns false if aco doesn't exist
186 // $section_name = name of section (string)
187 // $aco_name = name of aco (string)
188 //
189 function aco_exist($section_name, $aco_name) {
190 global $phpgacl_location;
191 if (isset ($phpgacl_location)) {
192 include_once("$phpgacl_location/gacl_api.class.php");
193 $gacl = new gacl_api();
194 $aco_id = $gacl->get_object_id($section_name, $aco_name, 'ACO');
195 if ($aco_id) {
196 return true;
197 }
198 }
199 return false;
200 }
202 //
203 // Returns a sorted array of all available Group Titles.
204 //
205 function acl_get_group_title_list() {
206 global $phpgacl_location;
207 if (isset ($phpgacl_location)) {
208 include_once("$phpgacl_location/gacl_api.class.php");
209 $gacl = new gacl_api();
210 $parent_id = $gacl->get_root_group_id();
211 $arr_group_ids = $gacl->get_group_children($parent_id, 'ARO', 'RECURSE');
212 $arr_group_titles = array();
213 foreach ($arr_group_ids as $value) {
214 $arr_group_data = $gacl->get_group_data($value, 'ARO');
215 $arr_group_titles[$value] = $arr_group_data[3];
216 }
217 sort($arr_group_titles);
218 return $arr_group_titles;
219 }
220 return 0;
221 }
223 //
224 // Returns a sorted array of group Titles that a user belongs to.
225 // Returns 0 if does not belong to any group yet.
226 // $user_name = Username, which is login name.
227 //
228 function acl_get_group_titles($user_name) {
229 global $phpgacl_location, $section_aro_value;
230 if (isset ($phpgacl_location)) {
231 include_once("$phpgacl_location/gacl_api.class.php");
232 $gacl = new gacl_api();
233 $user_aro_id = $gacl->get_object_id($section_aro_value, $user_name, 'ARO');
234 if ($user_aro_id) {
235 $arr_group_id = $gacl->get_object_groups($user_aro_id, 'ARO', 'NO_RECURSE');
236 if ($arr_group_id) {
237 foreach ($arr_group_id as $key => $value) {
238 $arr_group_data = $gacl->get_group_data($value, 'ARO');
239 $arr_group_titles[$key] = $arr_group_data[3];
240 }
241 sort($arr_group_titles);
242 return $arr_group_titles;
243 }
244 }
245 }
246 return 0;
247 }
249 //
250 // This will place the user aro object into selected group(s)
251 // It uses the set_user_aro() function
252 // $username = username (string)
253 // $group = title of group(s) (string or array)
254 //
255 function add_user_aros($username, $group) {
256 $current_user_groups = acl_get_group_titles($username);
257 if (!$current_user_groups) {
258 $current_user_groups = array();
259 }
260 if (is_array($group)){
261 foreach ($group as $value) {
262 if (!in_array($value, $current_user_groups)) {
263 array_push($current_user_groups, $value);
264 }
265 }
266 }
267 else {
268 if (!in_array($group, $current_user_groups)) {
269 array_push($current_user_groups, $group);
270 }
271 }
272 $user_data = mysql_fetch_array(sqlStatement("select * from users where username='" .
273 $username . "'"));
274 set_user_aro($current_user_groups, $username, $user_data["fname"],
275 $user_data["mname"], $user_data["lname"]);
276 return;
277 }
279 //
280 // This will remove the user aro object from the selected group(s)
281 // It uses the set_user_aro() function
282 // $username = username (string)
283 // $group = title of group(s) (string or array)
284 //
285 function remove_user_aros($username, $group) {
286 $current_user_groups = acl_get_group_titles($username);
287 $new_user_groups = array();
288 if (is_array($group)){
289 foreach ($current_user_groups as $value) {
290 if (!in_array($value, $group)) {
291 array_push($new_user_groups, $value);
292 }
293 }
294 }
295 else {
296 foreach ($current_user_groups as $value) {
297 if ($value != $group) {
298 array_push($new_user_groups, $value);
299 }
300 }
301 }
302 $user_data = mysql_fetch_array(sqlStatement("select * from users where username='" .
303 $username . "'"));
304 set_user_aro($new_user_groups, $username, $user_data["fname"],
305 $user_data["mname"], $user_data["lname"]);
306 return;
307 }
309 //
310 // This will either create or edit a user aro object, and then place it
311 // in the requested groups. It will not allow removal of the 'admin'
312 // user or gacl_protected users from the 'admin' group.
313 // $arr_group_titles = titles of the groups that user will be added to.
314 // $user_name = username, which is login name.
315 // $first_name = first name
316 // $middle_name = middle name
317 // $last_name = last name
318 //
319 function set_user_aro($arr_group_titles, $user_name, $first_name, $middle_name, $last_name) {
320 global $phpgacl_location, $section_aro_value;
322 if (isset ($phpgacl_location)) {
323 include_once("$phpgacl_location/gacl_api.class.php");
324 $gacl = new gacl_api();
326 //see if this user is gacl protected (ie. do not allow
327 //removal from the Administrators group)
328 require_once(dirname(__FILE__).'/user.inc');
329 require_once(dirname(__FILE__).'/calendar.inc');
330 $userNametoID = getIDfromUser($user_name);
331 if (checkUserSetting("gacl_protect","1",$userNametoID) || $user_name == "admin") {
332 $gacl_protect = true;
333 }
334 else {
335 $gacl_protect = false;
336 }
338 //get array of all available group ID numbers
339 $parent_id = $gacl->get_root_group_id();
340 $arr_all_group_ids = $gacl->get_group_children($parent_id, 'ARO', 'RECURSE');
342 //Cycle through ID array to find and process each selected group
343 //Create a counter since processing of first hit is unique
344 $counter = 0;
345 foreach ($arr_all_group_ids as $value) {
346 $arr_group_data = $gacl->get_group_data($value, 'ARO');
347 if ((empty($arr_group_titles)) ||
348 (in_array($arr_group_data[3], $arr_group_titles))) {
349 //We have a hit, so need to add group and increment counter
350 // because processing of first hit is unique
351 //This will also deal with an empty $arr_group_titles array
352 // removing user from all groups unless 'admin'
353 $counter = $counter + 1;
354 //create user full name field
355 if ($middle_name) {
356 $full_name = $first_name . " " . $middle_name . " " . $last_name;
357 }
358 else {
359 if ($last_name) {
360 $full_name = $first_name . " " . $last_name;
361 }
362 else {
363 $full_name = $first_name;
364 }
365 }
367 //If this is not the first group to be added, then will skip below
368 // and will be added. If this is the first group, then need to
369 // go thru several steps before adding the group.
370 if ($counter == 1) {
371 //get ID of user ARO object, if it exist
372 $user_aro_id = $gacl->get_object_id($section_aro_value, $user_name, 'ARO');
373 if ($user_aro_id) {
374 //user ARO object already exist, so will edit it
375 $gacl->edit_object($user_aro_id, $section_aro_value, $full_name, $user_name, 10, 0, 'ARO');
377 //remove all current user ARO object group associations
378 $arr_remove_group_ids = $gacl->get_object_groups($user_aro_id, 'ARO', 'NO_RECURSE');
379 foreach ($arr_remove_group_ids as $value2) {
380 $gacl->del_group_object($value2, $section_aro_value, $user_name, 'ARO');
381 }
382 }
383 else {
384 //user ARO object does not exist, so will create it
385 $gacl->add_object($section_aro_value, $full_name, $user_name, 10, 0, 'ARO');
386 }
387 }
389 //place the user ARO object in the selected group (if group(s) is selected)
390 if (!empty($arr_group_titles)) {
391 $gacl->add_group_object($value, $section_aro_value, $user_name, 'ARO');
392 }
394 //
395 //Below will not allow 'admin' or gacl_protected user to be removed from 'admin' group
396 //
397 if ($gacl_protect) {
398 $boolean_admin=0;
399 $admin_id = $gacl->get_object_id($section_aro_value, $user_name, 'ARO');
400 $arr_admin = $gacl->get_object_groups($admin_id, 'ARO', 'NO_RECURSE');
401 foreach ($arr_admin as $value3) {
402 $arr_admin_data = $gacl->get_group_data($value3, 'ARO');
403 if (strcmp($arr_admin_data[2], 'admin') == 0) {
404 $boolean_admin=1;
405 }
406 }
407 if (!$boolean_admin) {
408 foreach ($arr_all_group_ids as $value4) {
409 $arr_temp = $gacl->get_group_data($value4, 'ARO');
410 if ($arr_temp[2] == 'admin') {
411 $gacl->add_group_object($value4, $section_aro_value, $user_name, 'ARO');
412 }
413 }
414 }
415 }
416 }
417 //if array of groups was empty, then we are done, and can break from loop
418 if (empty($arr_group_titles)) break;
419 }
420 return true;
421 }
422 return false;
423 }
425 //
426 // Returns true if acl exist
427 // Returns false if acl doesn't exist
428 // EITHER $title or $name is required(send FALSE in variable
429 // not being used). If both are sent, then only $title will be
430 // used.
431 // $return_value is required
432 // $title = title of acl (string)
433 // $name = name of acl (string)
434 // $return_value = return value of acl (string)
435 //
436 function acl_exist($title, $name, $return_value) {
437 global $phpgacl_location;
438 if (isset ($phpgacl_location)) {
439 include_once("$phpgacl_location/gacl_api.class.php");
440 $gacl = new gacl_api();
441 if (!$name) {
442 $acl = $gacl->search_acl(FALSE, FALSE, FALSE, FALSE, $title, FALSE, FALSE, FALSE, $return_value);
443 }
444 else if (!$title) {
445 $group_id = $gacl->get_group_id($name, NULL, 'ARO');
446 if ($group_id) {
447 $group_data = $gacl->get_group_data($group_id, 'ARO');
448 $acl = $gacl->search_acl(FALSE, FALSE, FALSE, FALSE, $group_data[3], FALSE, FALSE, FALSE, $return_value);
449 }
450 else {
451 return false;
452 }
453 }
454 else {
455 $acl = $gacl->search_acl(FALSE, FALSE, FALSE, FALSE, $title, FALSE, FALSE, FALSE, $return_value);
456 }
457 if (!empty($acl)) {
458 return true;
459 }
460 else {
461 return false;
462 }
463 }
464 }
466 //
467 // This will add a new acl and group(if group doesn't yet exist)
468 // with one aco in it.
469 // $acl_title = title of acl (string)
470 // $acl_name = name of acl (string)
471 // $return_value = return value of acl (string)
472 // $note = description of acl (array)
473 //
474 function acl_add($acl_title, $acl_name, $return_value, $note) {
475 global $phpgacl_location;
476 if (isset ($phpgacl_location)) {
477 include_once("$phpgacl_location/gacl_api.class.php");
478 $gacl = new gacl_api();
479 $group_id = $gacl->get_group_id($acl_name, $acl_title, 'ARO');
480 if ($group_id) {
481 //group already exist, so just create acl
482 $gacl->add_acl(array("placeholder"=>array("filler")),
483 NULL, array($group_id), NULL, NULL, 1, 1, $return_value, $note);
484 }
485 else {
486 //create group, then create acl
487 $parent_id = $gacl->get_root_group_id();
488 $aro_id = $gacl->add_group($acl_name, $acl_title, $parent_id, 'ARO');
489 $gacl->add_acl(array("placeholder"=>array("filler")),
490 NULL, array($aro_id), NULL, NULL, 1, 1, $return_value, $note);
491 }
492 return;
493 }
494 return 0;
495 }
497 //
498 // This will remove acl. It will also remove group(if the group
499 // is no longer associated with any acl's).
500 // $acl_title = title of acl (string)
501 // $acl_name = name of acl (string)
502 // $return_value = return value of acl (string)
503 // $note = description of acl (array)
504 //
505 function acl_remove($acl_title, $return_value) {
506 global $phpgacl_location;
507 if (isset ($phpgacl_location)) {
508 include_once("$phpgacl_location/gacl_api.class.php");
509 $gacl = new gacl_api();
510 //First, delete the acl
511 $acl_id=$gacl->search_acl(FALSE, FALSE, FALSE, FALSE, $acl_title, FALSE, FALSE, FALSE, $return_value);
512 $gacl->del_acl($acl_id[0]);
513 //Then, remove the group(if no more acl's are remaining)
514 $acl_search=$gacl->search_acl(FALSE, FALSE, FALSE, FALSE, $acl_title, FALSE, FALSE, FALSE, FALSE);
515 if (empty($acl_search)){
516 $group_id=$gacl-> get_group_id(NULL, $acl_title, 'ARO');
517 $gacl->del_group($group_id, TRUE, 'ARO');
518 }
519 return;
520 }
521 return 0;
522 }
524 //
525 // This will place the aco(s) into the selected acl
526 // $acl_title = title of acl (string)
527 // $return_value = return value of acl (string)
528 // $aco_id = id of aco (array)
529 //
530 function acl_add_acos($acl_title, $return_value, $aco_id) {
531 global $phpgacl_location;
532 if (isset ($phpgacl_location)) {
533 include_once("$phpgacl_location/gacl_api.class.php");
534 $gacl = new gacl_api();
535 $acl_id = $gacl->search_acl(FALSE, FALSE, FALSE, FALSE, $acl_title, FALSE, FALSE, FALSE, $return_value);
536 foreach ($aco_id as $value) {
537 $aco_data = $gacl->get_object_data($value, 'ACO');
538 $aco_section = $aco_data[0][0];
539 $aco_name = $aco_data[0][1];
540 $gacl->append_acl($acl_id[0], NULL, NULL, NULL, NULL, array($aco_section=>array($aco_name)));
541 }
542 return;
543 }
544 return 0;
545 }
547 //
548 // This will remove the aco(s) from the selected acl
549 // Note if all aco's are removed, then will place the filler-placeholder
550 // into the acl to avoid complete removal of the acl.
551 // $acl_title = title of acl (string)
552 // $return_value = return value of acl (string)
553 // $aco_id = id of aco (array)
554 //
555 function acl_remove_acos($acl_title, $return_value, $aco_id) {
556 global $phpgacl_location;
557 if (isset ($phpgacl_location)) {
558 include_once("$phpgacl_location/gacl_api.class.php");
559 $gacl = new gacl_api();
560 $acl_id = $gacl->search_acl(FALSE, FALSE, FALSE, FALSE, $acl_title, FALSE, FALSE, FALSE, $return_value);
562 // Check to see if removing all acos. If removing all acos then will
563 // ensure the filler-placeholder aco in acl to avoid complete
564 // removal of the acl.
565 if (count($aco_id) == acl_count_acos($acl_title, $return_value)) {
566 //1-get the filler-placeholder aco id
567 $filler_aco_id = $gacl->get_object_id('placeholder','filler','ACO');
568 //2-add filler-placeholder aco
569 acl_add_acos($acl_title, $return_value, array($filler_aco_id));
570 //3-ensure filler-placeholder aco is not to be deleted
571 $safeListaco = remove_element($_POST["selection"],$filler_aco_id);
572 //4-prepare to safely delete the acos
573 $aco_id = $safeListaco;
574 }
576 foreach ($aco_id as $value) {
577 $aco_data = $gacl->get_object_data($value, 'ACO');
578 $aco_section = $aco_data[0][0];
579 $aco_name = $aco_data[0][1];
580 $gacl->shift_acl($acl_id[0], NULL, NULL, NULL, NULL, array($aco_section=>array($aco_name)));
581 }
582 return;
583 }
584 return 0;
585 }
587 //
588 // This will return the number of aco objects
589 // in a specified acl.
590 // $acl_title = title of acl (string)
591 // $return_value = return value of acl (string)
592 //
593 function acl_count_acos($acl_title, $return_value) {
594 global $phpgacl_location;
595 if (isset ($phpgacl_location)) {
596 include_once("$phpgacl_location/gacl_api.class.php");
597 $gacl = new gacl_api();
598 $acl_id = $gacl->search_acl(FALSE, FALSE, FALSE, FALSE, $acl_title, FALSE, FALSE, FALSE, $return_value);
599 $acl_data = $gacl->get_acl($acl_id[0]);
600 $aco_count = 0;
601 foreach ($acl_data['aco'] as $key => $value) {
602 $aco_count = $aco_count + count($acl_data['aco'][$key]);
603 }
604 return $aco_count;
605 }
606 return 0;
607 }
609 //
610 // Function to remove an element from an array
611 //
612 function remove_element($arr, $val){
613 $arr2 = array();
614 foreach ($arr as $value){
615 if ($value != $val) {
616 array_push($arr2,$value);
617 }
618 }
619 return $arr2;
620 }
621 ?>