| blob | 098eb5e90fb78d35270bb66e0c5a320883253878 |
1 <?php
2 //----------THINGS WE ALWAYS DO
4 require_once("{$GLOBALS['srcdir']}/log.inc");
5 require_once("{$GLOBALS['srcdir']}/sql.inc");
6 // added for the phpGACL group check -- JRM
7 require_once("{$GLOBALS['srcdir']}/acl.inc");
9 if (isset($_GET['auth']) && ($_GET['auth'] == "login") && isset($_POST['authUser']) &&
10 isset($_POST['authPass']) && isset($_POST['authProvider']))
11 {
12 if (!authNewSession($_POST['authUser'], $_POST['authPass'], $_POST['authProvider']))
13 {
14 newEvent("login",$_POST['authUser'], $_POST['authProvider'], "failure");
15 $_SESSION['loginfailure'] = 1;
16 authLoginScreen();
17 }
18 newEvent("login", $_POST['authUser'], $_POST['authProvider'], "success");
19 $_SESSION['loginfailure'] = null;
20 unset($_SESSION['loginfailure']);
21 //store the very first initial timestamp for timeout errors
22 $_SESSION["last_update"] = time();
23 }
24 else if ( (isset($_GET['auth'])) && ($_GET['auth'] == "logout") )
25 {
26 newEvent("logout", $_SESSION['authUser'], $_SESSION['authProvider'], "success");
27 authCloseSession();
28 authLoginScreen();
29 }
30 else
31 {
32 if (authCheckSession())
33 {
34 if (isset($_SESSION['pid']) && empty($GLOBALS['DAEMON_FLAG']))
35 {
36 require_once("{$GLOBALS['srcdir']}/patient.inc");
37 $logpatient = getPatientData($_SESSION['pid'], "lname, fname, mname");
38 newEvent("view", $_SESSION['authUser'], $_SESSION['authProvider'],
39 "{$logpatient['lname']}, {$logpatient['fname']} {$logpatient['mname']} :: encounter " .
40 $_SESSION['encounter']);
41 }
42 //LOG EVERYTHING
43 //newEvent("view", $_SESSION['authUser'], $_SESSION['authProvider'], $_SERVER['REQUEST_URI']);
44 }
45 else {
46 newEvent("login",$_POST['authUser'], $_POST['authProvider'], "insufficient data sent");
47 authLoginScreen();
48 }
49 }
51 if (!isset($_SESSION["last_update"])) {
52 authLoginScreen();
53 } else {
54 //if page has not been updated in a given period of time, we call login screen
55 if ((time() - $_SESSION["last_update"]) > $timeout) {
56 newEvent("logout", $_SESSION['authUser'], $_SESSION['authProvider'], "timeout");
57 authCloseSession();
58 authLoginScreen();
59 } else {
60 if (empty($GLOBALS['DAEMON_FLAG'])) $_SESSION["last_update"] = time();
61 }
62 }
64 //----------THINGS WE DO IF WE STILL LIKE YOU
66 function authNewSession ($user, $pass, $provider)
67 {
68 // check to see if the user belongs to *any* OpenEMR groups in phpGACL -- JRM
69 global $phpgacl_location;
70 if (isset ($phpgacl_location)) {
71 if (acl_get_group_titles($user) == 0) return false;
72 }
74 //session_name("OpenEMR");
75 //session_id("81279258720".str_replace(".", "", $_SERVER['REMOTE_ADDR']));
76 if(!session_id()) { session_start(); }
78 //(CHEMED) added cal_ui to the list of fields, so we can change calendar UI for this user.
79 // Is this the right place to do it?
80 $authDB = sqlQuery("select id, password, authorized, see_auth, cal_ui from users " .
81 "where username = '$user'");
82 //echo "user is: $user pass is: $pass provider is: $provider<br />";
83 //echo "<br>auth pass: ".$authDB['password'];
84 if ($authDB['password'] == $pass)
85 {
86 //here, we check to see if the user is in fact a member of the correct group:
87 if ($authGroup = sqlQuery("select * from groups where user='$user' and name='$provider'"))
88 {
89 $_SESSION['authUser'] = $user;
90 $_SESSION['authGroup'] = $authGroup['name'];
91 $_SESSION['authUserID'] = $authDB['id'];
92 $_SESSION['authPass'] = $pass;
93 $_SESSION['authProvider'] = $provider;
94 $_SESSION['authId'] = $authDB{'id'};
95 $_SESSION['cal_ui'] = $authDB['cal_ui'];
96 $_SESSION['userauthorized'] = $authDB['authorized'];
97 // Some users may be able to authorize without being providers:
98 if ($authDB['see_auth'] > '2') $_SESSION['userauthorized'] = '1';
99 return true;
100 } else {
101 return false;
102 }
103 }
104 else
105 return false;
106 }
108 function authCheckSession ()
109 {
110 if (isset($_SESSION['authId'])) {
111 $authDB = sqlQuery("select username, password from users where id = '" .
112 $_SESSION['authId']."'");
113 if ($_SESSION['authUser'] == $authDB['username'] &&
114 $_SESSION['authPass'] == $authDB['password'])
115 {
116 return true;
117 }
118 else {
119 return false;
120 }
121 }
122 else {
123 return false;
124 }
125 }
127 function authCloseSession ()
128 {
129 ob_start();
130 session_unset();
131 // $_SESSION = array();
132 session_destroy();
133 //setcookie(session_name(),"","","/");
134 //the following does the same as the above line:
135 //if(isset($_COOKIE[session_name()])) {
136 // session_start();
137 // session_destroy();
138 unset($_COOKIE[session_name()]);
139 //}
140 }
142 function authLoginScreen()
143 {
144 //header("Location: https://{$_SERVER['HTTP_HOST']}{$GLOBALS['login_screen']}");
145 header("Location: {$GLOBALS['login_screen']}?error=1");
146 exit;
147 }
149 function addUser ($username, $password_md5, $info, $authorized = 'yes')
150 {
151 return sqlInsert("insert into users (username, password, info, authorized) values ('$username', '$password_md5', '$info', '$authorized')");
152 }
154 function delUser ($id)
155 {
156 return sqlQuery("delete from users where id = '$id' limit 0,1");
157 }
159 function changePasword ($id, $new_md5)
160 {
161 return sqlQuery("update users set password = '$new_md5' where id = '$id'");
162 }
164 function getUserList ($cols = '*', $limit = 'all', $start = '0')
165 {
166 if ($limit = "all")
167 $rez = sqlStatement("select $cols from users where username != '' order by date DESC");
168 else
169 $rez = sqlStatement("select $cols from users where username != '' order by date DESC limit $limit, $start");
170 for ($iter = 0; $row = sqlFetchArray($rez); $iter++)
171 $tbl[$iter] = $row;
172 return $tbl;
173 }
175 function getProviderList ($cols = '*', $limit= 'all', $start = '0')
176 {
177 if ($limit = "all")
178 $rez = sqlStatement("select $cols from groups order by date DESC");
179 else
180 $rez = sqlStatement("select $cols from groups order by date DESC limit $limit, $start");
181 for ($iter = 0; $row = sqlFetchArray($rez); $iter++)
182 $tbl[$iter] = $row;
183 return $tbl;
184 }
186 function addGroup ($groupname)
187 {
188 return sqlInsert("insert into groups (name) values ('$groupname')");
189 }
191 function delGroup ($group_id)
192 {
193 return sqlQuery("delete from groups where id = '$group_id' limit 0,1");
194 }
196 /***************************************************************
197 //pennfirm
198 //Function currently user by new post calendar code to determine
199 //if a given user is in a group with another user
200 //and if so to allow editing of that users events
201 //
202 //*************************************************************/
204 function validateGroupStatus ($user_to_be_checked, $group_user) {
205 if (isset($user_to_be_checked) && isset($group_user)) {
206 if ($user_to_be_checked == $group_user) {
208 return true;
209 }
210 elseif ($_SESSION['authorizeduser'] == 1)
211 return true;
213 $query = "SELECT groups.name FROM users,groups WHERE users.username = \"" . mysql_real_escape_string($user_to_be_checked) . "\" " .
214 "AND users.username = groups.user group by groups.name";
215 $result = sqlStatement($query);
217 $usertbcGroups = array();
219 while ($row = mysql_fetch_array($result)) {
220 $usertbcGroups[] = $row[0];
221 }
223 $query = "SELECT groups.name FROM users,groups WHERE users.username = \"" . mysql_real_escape_string($group_user) . "\" " .
224 "AND users.username = groups.user group by groups.name";
225 $result = sqlStatement($query);
227 $usergGroups = array();
229 while ($row = mysql_fetch_array($result)) {
230 $usergGroups[] = $row[0];
231 }
232 foreach ($usertbcGroups as $group) {
233 if(in_array($group,$usergGroups)) {
234 return true;
235 }
236 }
238 }
240 return false;
241 }
242 ?>