| blob | 552a686c0b9f4762322b30253b4f49684a267f04 |
1 <?php
2 //----------THINGS WE ALWAYS DO
4 require_once("{$GLOBALS['srcdir']}/log.inc");
5 require_once("{$GLOBALS['srcdir']}/sql.inc");
6 // added for the phpGACL group check -- JRM
7 require_once("{$GLOBALS['srcdir']}/acl.inc");
9 if (isset($_GET['auth']) && ($_GET['auth'] == "login") && isset($_POST['authUser']) &&
10 isset($_POST['authPass']) && isset($_POST['authProvider']))
11 {
12 // set the language
13 if (!empty($_POST['languageChoice'])) {
14 $_SESSION['language_choice'] = $_POST['languageChoice'];
15 }
16 else {
17 $_SESSION['language_choice'] = 1;
18 }
20 $ip=$_SERVER['REMOTE_ADDR'];
21 if (!authNewSession($_POST['authUser'], $_POST['authPass'], $_POST['authProvider']))
22 {
23 newEvent("login",$_POST['authUser'], $_POST['authProvider'], "failure: $ip");
24 $_SESSION['loginfailure'] = 1;
25 authLoginScreen();
26 }
27 newEvent("login", $_POST['authUser'], $_POST['authProvider'], "success: $ip");
28 $_SESSION['loginfailure'] = null;
29 unset($_SESSION['loginfailure']);
30 //store the very first initial timestamp for timeout errors
31 $_SESSION["last_update"] = time();
32 }
33 else if ( (isset($_GET['auth'])) && ($_GET['auth'] == "logout") )
34 {
35 newEvent("logout", $_SESSION['authUser'], $_SESSION['authProvider'], "success");
36 authCloseSession();
37 authLoginScreen();
38 }
39 else
40 {
41 if (authCheckSession())
42 {
43 if (isset($_SESSION['pid']) && empty($GLOBALS['DAEMON_FLAG']))
44 {
45 require_once("{$GLOBALS['srcdir']}/patient.inc");
46 $logpatient = getPatientData($_SESSION['pid'], "lname, fname, mname");
47 newEvent("view", $_SESSION['authUser'], $_SESSION['authProvider'],
48 "{$logpatient['lname']}, {$logpatient['fname']} {$logpatient['mname']} :: encounter " .
49 $_SESSION['encounter']);
50 }
51 //LOG EVERYTHING
52 //newEvent("view", $_SESSION['authUser'], $_SESSION['authProvider'], $_SERVER['REQUEST_URI']);
53 }
54 else {
55 newEvent("login",$_POST['authUser'], $_POST['authProvider'], "insufficient data sent");
56 authLoginScreen();
57 }
58 }
60 if (!isset($_SESSION["last_update"])) {
61 authLoginScreen();
62 } else {
63 //if page has not been updated in a given period of time, we call login screen
64 if ((time() - $_SESSION["last_update"]) > $timeout) {
65 newEvent("logout", $_SESSION['authUser'], $_SESSION['authProvider'], "timeout");
66 authCloseSession();
67 authLoginScreen();
68 } else {
69 if (empty($GLOBALS['DAEMON_FLAG'])) $_SESSION["last_update"] = time();
70 }
71 }
73 //----------THINGS WE DO IF WE STILL LIKE YOU
75 function authNewSession ($user, $pass, $provider)
76 {
77 // check to see if the user belongs to *any* OpenEMR groups in phpGACL -- JRM
78 global $phpgacl_location;
79 if (isset ($phpgacl_location)) {
80 if (acl_get_group_titles($user) == 0) return false;
81 }
83 // get details about the user
84 $authDB = sqlQuery("select id, password, authorized, see_auth".
85 ", cal_ui, active ".
86 " from users where username = '$user'");
88 // if the user is NOT active, get out
89 if ($authDB['active'] != 1) { return false; }
91 // start the HTTP SESSION
92 if(!session_id()) { session_start(); }
94 // compare the submitted password with the stored password
95 if ($authDB['password'] == $pass)
96 {
97 //here, we check to see if the user is in fact a member of the correct group:
98 if ($authGroup = sqlQuery("select * from groups where user='$user' and name='$provider'"))
99 {
100 $_SESSION['authUser'] = $user;
101 $_SESSION['authGroup'] = $authGroup['name'];
102 $_SESSION['authUserID'] = $authDB['id'];
103 $_SESSION['authPass'] = $pass;
104 $_SESSION['authProvider'] = $provider;
105 $_SESSION['authId'] = $authDB{'id'};
106 $_SESSION['cal_ui'] = $authDB['cal_ui'];
107 $_SESSION['userauthorized'] = $authDB['authorized'];
108 // Some users may be able to authorize without being providers:
109 if ($authDB['see_auth'] > '2') $_SESSION['userauthorized'] = '1';
110 return true;
111 } else {
112 return false;
113 }
114 }
115 else
116 return false;
117 }
119 function authCheckSession ()
120 {
121 if (isset($_SESSION['authId'])) {
122 $authDB = sqlQuery("select username, password from users where id = '" .
123 $_SESSION['authId']."'");
124 if ($_SESSION['authUser'] == $authDB['username'] &&
125 $_SESSION['authPass'] == $authDB['password'])
126 {
127 return true;
128 }
129 else {
130 return false;
131 }
132 }
133 else {
134 return false;
135 }
136 }
138 function authCloseSession ()
139 {
140 ob_start();
141 session_unset();
142 // $_SESSION = array();
143 session_destroy();
144 //setcookie(session_name(),"","","/");
145 //the following does the same as the above line:
146 //if(isset($_COOKIE[session_name()])) {
147 // session_start();
148 // session_destroy();
149 unset($_COOKIE[session_name()]);
150 //}
151 }
153 function authLoginScreen()
154 {
155 //header("Location: https://{$_SERVER['HTTP_HOST']}{$GLOBALS['login_screen']}");
156 header("Location: {$GLOBALS['login_screen']}?error=1");
157 exit;
158 }
160 function addUser ($username, $password_md5, $info, $authorized = 'yes')
161 {
162 return sqlInsert("insert into users (username, password, info, authorized) values ('$username', '$password_md5', '$info', '$authorized')");
163 }
165 function delUser ($id)
166 {
167 return sqlQuery("delete from users where id = '$id' limit 0,1");
168 }
170 function changePasword ($id, $new_md5)
171 {
172 return sqlQuery("update users set password = '$new_md5' where id = '$id'");
173 }
175 function getUserList ($cols = '*', $limit = 'all', $start = '0')
176 {
177 if ($limit = "all")
178 $rez = sqlStatement("select $cols from users where username != '' order by date DESC");
179 else
180 $rez = sqlStatement("select $cols from users where username != '' order by date DESC limit $limit, $start");
181 for ($iter = 0; $row = sqlFetchArray($rez); $iter++)
182 $tbl[$iter] = $row;
183 return $tbl;
184 }
186 function getProviderList ($cols = '*', $limit= 'all', $start = '0')
187 {
188 if ($limit = "all")
189 $rez = sqlStatement("select $cols from groups order by date DESC");
190 else
191 $rez = sqlStatement("select $cols from groups order by date DESC limit $limit, $start");
192 for ($iter = 0; $row = sqlFetchArray($rez); $iter++)
193 $tbl[$iter] = $row;
194 return $tbl;
195 }
197 function addGroup ($groupname)
198 {
199 return sqlInsert("insert into groups (name) values ('$groupname')");
200 }
202 function delGroup ($group_id)
203 {
204 return sqlQuery("delete from groups where id = '$group_id' limit 0,1");
205 }
207 /***************************************************************
208 //pennfirm
209 //Function currently user by new post calendar code to determine
210 //if a given user is in a group with another user
211 //and if so to allow editing of that users events
212 //
213 //*************************************************************/
215 function validateGroupStatus ($user_to_be_checked, $group_user) {
216 if (isset($user_to_be_checked) && isset($group_user)) {
217 if ($user_to_be_checked == $group_user) {
219 return true;
220 }
221 elseif ($_SESSION['authorizeduser'] == 1)
222 return true;
224 $query = "SELECT groups.name FROM users,groups WHERE users.username = \"" . mysql_real_escape_string($user_to_be_checked) . "\" " .
225 "AND users.username = groups.user group by groups.name";
226 $result = sqlStatement($query);
228 $usertbcGroups = array();
230 while ($row = mysql_fetch_array($result)) {
231 $usertbcGroups[] = $row[0];
232 }
234 $query = "SELECT groups.name FROM users,groups WHERE users.username = \"" . mysql_real_escape_string($group_user) . "\" " .
235 "AND users.username = groups.user group by groups.name";
236 $result = sqlStatement($query);
238 $usergGroups = array();
240 while ($row = mysql_fetch_array($result)) {
241 $usergGroups[] = $row[0];
242 }
243 foreach ($usertbcGroups as $group) {
244 if(in_array($group,$usergGroups)) {
245 return true;
246 }
247 }
249 }
251 return false;
252 }
253 ?>