| blob | 853e8b63ac1b1c96cfb92744e983a61fe30b3e01 |
1 <?php
2 /**
3 * library/acl.inc
4 *
5 * Functions wrapping php-GACL's functionality, to create a generic OpenEMR access control system.
6 *
7 * LICENSE: This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 3
10 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see
17 * http://www.gnu.org/licenses/licenses.html#GPL .
18 *
19 * @package OpenEMR
20 * @license http://www.gnu.org/licenses/licenses.html#GPL GNU GPL V3+
21 * @author Brady Miller <brady.g.miller@gmail.com>
22 * @author Rod Roark <rod@sunsetsystems.com>
23 * @link http://www.open-emr.org
24 */
26 // php-GACL access controls are included in OpenEMR. The below
27 // function will automatically create the path where gacl.class.php
28 // can be found. Note that this path can be manually set below
29 // for users who are using an external version of php-GACL.
30 // Also note that php-GACL access controls can be turned off
31 // below.
33 $phpgacl_location = dirname(__FILE__).'/../gacl';
35 // If using an external version of phpGACL, then uncomment the following
36 // line and manually place the path below. IN THIS CASE YOU MUST ALSO
37 // COMMENT OUT ABOVE $phpgacl_location ASSIGNMENT ABOVE, OR BACKUPS WILL
38 // NOT RESTORE PROPERLY!
39 //
40 //$phpgacl_location = "/var/www/gacl";
41 //
42 // If you want to turn off php-GACL, then uncomment the following line.
43 // IN THIS CASE YOU MUST ALSO COMMENT OUT ABOVE $phpgacl_location ASSIGNMENT(S)
44 // ABOVE, OR BACKUPS WILL NOT RESTORE PROPERLY!
45 //
46 //unset($phpgacl_location);
47 //
49 // The following Access Control Objects (ACO) are currently supported.
50 // These are the "things to be protected":
51 //
52 // Section "admin" (Administration):
53 // super Superuser - can delete patients, encounters, issues
54 // calendar Calendar Settings
55 // database Database Reporting
56 // forms Forms Administration
57 // practice Practice Settings
58 // superbill Superbill Codes Administration
59 // users Users/Groups/Logs Administration
60 // batchcom Batch Communication Tool
61 // language Language Interface Tool
62 // drugs Pharmacy Dispensary
63 // acl ACL Administration
64 // multipledb Multipledb
65 // menu Menu
66 //
67 // Section "acct" (Accounting):
68 // bill Billing (write optional)
69 // disc Allowed to discount prices (in Fee Sheet or Checkout form)
70 // eob EOB Data Entry
71 // rep Financial Reporting - my encounters
72 // rep_a Financial Reporting - anything
73 //
74 // Section "patients" (Patient Information):
75 // appt Appointments (write,wsome optional)
76 // demo Demographics (write,addonly optional)
77 // med Medical Records and History (write,addonly optional)
78 // trans Transactions, e.g. referrals (write optional)
79 // docs Documents (write,addonly optional)
80 // docs_rm Documents Delete
81 // notes Patient Notes (write,addonly optional)
82 // sign Sign Lab Results (write,addonly optional)
83 // reminder Patient Reminders (write,addonly optional)
84 // alert Clinical Reminders/Alerts (write,addonly optional)
85 // disclosure Disclosures (write,addonly optional)
86 // rx Prescriptions (write,addonly optional)
87 // amendment Amendments (write,addonly optional)
88 // lab Lab Results (write,addonly optional)
89 //
90 // Section "encounters" (Encounter Information):
91 // auth Authorize - my encounters
92 // auth_a Authorize - any encounters
93 // coding Coding - my encounters (write,wsome optional)
94 // coding_a Coding - any encounters (write,wsome optional)
95 // notes Notes - my encounters (write,addonly optional)
96 // notes_a Notes - any encounters (write,addonly optional)
97 // date_a Fix encounter dates - any encounters
98 // relaxed Less-private information (write,addonly optional)
99 // (e.g. the Sports Fitness encounter form)
100 //
101 // Section "squads" applies to sports team use only:
102 // acos in this section define the user-specified list of squads
103 //
104 // Section "sensitivities" (Sensitivities):
105 // normal Normal
106 // high High
107 //
108 // Section "lists" (Lists):
109 // default Default List (write,addonly optional)
110 // state State List (write,addonly optional)
111 // country Country List (write,addonly optional)
112 // language Language List (write,addonly optional)
113 // ethrace Ethnicity-Race List (write,addonly optional)
114 //
115 // Section "placeholder" (Placeholder):
116 // filler Placeholder (Maintains empty ACLs)
117 //
118 // Section "nationnotes" (Nation Notes):
119 // nn_configure Nation Notes
120 //
121 // Section "patientportal" (Patient Portal):
122 // portal Patient Portal
123 //
124 // Section "menus" (Menus):
125 // modle Module
126 //
127 // Section "groups" (Groups):
128 // gadd View/Add/Update groups
129 // gcalendar View/Create/Update groups appointment in calendar
130 // glog Group encounter log
131 // gdlog Group detailed log of appointment in patient record
132 // gm Send message from the permanent group therapist to the personal therapist
134 if (isset($phpgacl_location)) {
135 $GLOBALS['phpgacl_location_global'] = $phpgacl_location;
136 require_once("$phpgacl_location/gacl.class.php");
137 $gacl_object = new gacl();
138 //DO NOT CHANGE BELOW VARIABLE
139 $section_aro_value = 'users';
140 $GLOBALS['section_aro_value_global'] = $section_aro_value;
141 }
143 /**
144 * Check if a user has a given type or types of access to an access control object.
145 *
146 * Globals that can use are:
147 * $GLOBALS['phpgacl_location_global']
148 * $GLOBALS['section_aro_value_global']
149 *
150 * This function will check for access to the given ACO.
151 * view - The user may view but not add or modify entries
152 * write - The user may add or modify the ACO
153 * wsome - The user has limited add/modify access to the ACO
154 * addonly - The user may view and add but not modify entries
155 *
156 * @param string $section Category of ACO
157 * @param string $value Subcategory of ACO
158 * @param string $user Optional user being checked for access.
159 * @param string|array $return_value Type or types of access being requested.
160 * @return bool|array FALSE if access is denied, TRUE if allowed. An
161 * array() of bools is returned if $return_value is an
162 * array, representing results for each type of access
163 * requested.
164 */
165 function acl_check($section, $value, $user = '', $return_value = '')
166 {
167 if (! $user) {
168 $user = $_SESSION['authUser'];
169 }
171 // Superuser always gets access to everything.
172 if (($section != 'admin' || $value != 'super') && acl_check('admin', 'super', $user)) {
173 return true;
174 }
176 if ($GLOBALS['phpgacl_location_global']) {
177 // This will return all pertinent ACL's (including return_values and whether allow/deny)
178 // Walk through them to assess for access
179 global $gacl_object;
180 $acl_results = $gacl_object->acl_query($section, $value, $GLOBALS['section_aro_value_global'], $user, null, null, null, null, null, true);
181 if (empty($acl_results)) {
182 return false; //deny access
183 }
184 $access=false; //flag
185 $deny=false; //flag
186 foreach ($acl_results as $acl_result) {
187 if (empty($acl_result['acl_id'])) {
188 return false; //deny access, since this happens if no pertinent ACL's are returned
189 }
190 if (is_array($return_value)) {
191 foreach ($return_value as $single_return_value) {
192 if (empty($single_return_value)) {
193 // deal with case if not looking for specific return value
194 if ($acl_result['allow']) {
195 $access=true;
196 } else {
197 $deny=true;
198 }
199 } else { //!empty($single_return_value)
200 // deal with case if looking for specific return value
201 if ($acl_result['return_value'] == $single_return_value) {
202 if ($acl_result['allow']) {
203 $access=true;
204 } else {
205 $deny=true;
206 }
207 }
208 }
209 }
210 } else { // $return_value is not an array (either empty or with one value)
211 if (empty($return_value)) {
212 // deal with case if not looking for specific return value
213 if ($acl_result['allow']) {
214 $access=true;
215 } else {
216 $deny=true;
217 }
218 } else { //!empty($return_value)
219 // deal with case if looking for specific return value
220 if ($acl_result['return_value'] == $return_value) {
221 if ($acl_result['allow']) {
222 $access=true;
223 } else {
224 $deny=true;
225 }
226 }
227 }
228 }
229 }
231 // Now decide whether user has access
232 // (Note a denial takes precedence)
233 if (!$deny && $access) {
234 return true;
235 }
236 return false;
237 }
239 // If no phpgacl, then apply the old static rules whereby "authorized"
240 // users (providers) can do anything, and other users can do most things.
241 // If you want custom access control but don't want to mess with phpGACL,
242 // then you could customize the code below instead.
244 if ($user == 'admin') {
245 return 'write';
246 }
247 if ($section == 'admin' && $value == 'super') {
248 return 0;
249 }
250 if ($_SESSION['userauthorized']) {
251 return 'write';
252 }
254 if ($section == 'patients') {
255 if ($value == 'med') {
256 return 1;
257 }
258 return 'write';
259 } else if ($section == 'encounters') {
260 if (strpos($value, 'coding') === 0) {
261 return 'write';
262 }
263 if (strpos($value, 'notes') === 0) {
264 return 'write';
265 }
266 if ($value == 'relaxed') {
267 return 'write';
268 }
269 } else if ($section != 'admin') {
270 return 'write';
271 }
273 return 0;
274 }
276 // Get the ACO name/value pairs for a designated section. Each value
277 // is an array (section_value, value, order_value, name, hidden).
278 //
279 function acl_get_section_acos($section)
280 {
281 global $phpgacl_location;
282 if ($phpgacl_location) {
283 include_once("$phpgacl_location/gacl_api.class.php");
284 $gacl = new gacl_api();
285 $arr1 = $gacl->get_objects($section, 1, 'ACO');
286 $arr = array();
287 if (!empty($arr1[$section])) {
288 foreach ($arr1[$section] as $value) {
289 $odata = $gacl->get_object_data($gacl->get_object_id($section, $value, 'ACO'), 'ACO');
290 $arr[$value] = $odata[0];
291 }
292 }
293 return $arr;
294 }
295 return 0;
296 }
298 // Sort squads by their order value. Used only by acl_get_squads().
299 function _acl_squad_compare($a, $b)
300 {
301 if ($a[2] == $b[2]) {
302 // If order value is the same, sort by squad name.
303 if ($a[3] == $b[3]) {
304 return 0;
305 }
306 return ($a[3] < $b[3]) ? -1 : 1;
307 }
308 return ($a[2] < $b[2]) ? -1 : 1;
309 }
311 // Return an array keyed on squad ACO names.
312 // This is only applicable for sports team use.
313 //
314 function acl_get_squads()
315 {
316 $squads = acl_get_section_acos('squads');
317 uasort($squads, "_acl_squad_compare");
318 return $squads;
319 }
321 // Return an array keyed on encounter sensitivity level ACO names.
322 // Sensitivities are useful when some encounter notes are not
323 // medically sensitive (e.g. a physical fitness test), and/or if
324 // some will be "for doctor's eyes only" (e.g. STD treatment).
325 //
326 // When a non-blank sensitivity value exists in the new encounter
327 // form, it names an additional ACO required for access to all forms
328 // in the encounter. If you want some encounters to be non-sensitive,
329 // then you also need some default nonblank sensitivity for normal
330 // encounters, as well as greater encounter notes permissions for
331 // those allowed to view non-sensitive encounters.
332 //
333 function acl_get_sensitivities()
334 {
335 return acl_get_section_acos('sensitivities');
336 }
338 //
339 // Returns true if aco exist
340 // Returns false if aco doesn't exist
341 // $section_name = name of section (string)
342 // $aco_name = name of aco (string)
343 //
344 function aco_exist($section_name, $aco_name)
345 {
346 global $phpgacl_location;
347 if (isset($phpgacl_location)) {
348 include_once("$phpgacl_location/gacl_api.class.php");
349 $gacl = new gacl_api();
350 $aco_id = $gacl->get_object_id($section_name, $aco_name, 'ACO');
351 if ($aco_id) {
352 return true;
353 }
354 }
355 return false;
356 }
358 //
359 // Returns a sorted array of all available Group Titles.
360 //
361 function acl_get_group_title_list()
362 {
363 global $phpgacl_location;
364 if (isset($phpgacl_location)) {
365 include_once("$phpgacl_location/gacl_api.class.php");
366 $gacl = new gacl_api();
367 $parent_id = $gacl->get_root_group_id();
368 $arr_group_ids = $gacl->get_group_children($parent_id, 'ARO', 'RECURSE');
369 $arr_group_titles = array();
370 foreach ($arr_group_ids as $value) {
371 $arr_group_data = $gacl->get_group_data($value, 'ARO');
372 $arr_group_titles[$value] = $arr_group_data[3];
373 }
374 sort($arr_group_titles);
375 return $arr_group_titles;
376 }
377 return 0;
378 }
380 //
381 // Returns a sorted array of group Titles that a user belongs to.
382 // Returns 0 if does not belong to any group yet.
383 // $user_name = Username, which is login name.
384 //
385 function acl_get_group_titles($user_name)
386 {
387 global $phpgacl_location, $section_aro_value;
388 if (isset($phpgacl_location)) {
389 include_once("$phpgacl_location/gacl_api.class.php");
390 $gacl = new gacl_api();
391 $user_aro_id = $gacl->get_object_id($section_aro_value, $user_name, 'ARO');
392 if ($user_aro_id) {
393 $arr_group_id = $gacl->get_object_groups($user_aro_id, 'ARO', 'NO_RECURSE');
394 if ($arr_group_id) {
395 foreach ($arr_group_id as $key => $value) {
396 $arr_group_data = $gacl->get_group_data($value, 'ARO');
397 $arr_group_titles[$key] = $arr_group_data[3];
398 }
399 sort($arr_group_titles);
400 return $arr_group_titles;
401 }
402 }
403 }
404 return 0;
405 }
407 //
408 // This will place the user aro object into selected group(s)
409 // It uses the set_user_aro() function
410 // $username = username (string)
411 // $group = title of group(s) (string or array)
412 //
413 function add_user_aros($username, $group)
414 {
415 $current_user_groups = acl_get_group_titles($username);
416 if (!$current_user_groups) {
417 $current_user_groups = array();
418 }
419 if (is_array($group)) {
420 foreach ($group as $value) {
421 if (!in_array($value, $current_user_groups)) {
422 array_push($current_user_groups, $value);
423 }
424 }
425 } else {
426 if (!in_array($group, $current_user_groups)) {
427 array_push($current_user_groups, $group);
428 }
429 }
430 $user_data = sqlFetchArray(sqlStatement("select * from users where username='" .
431 $username . "'"));
432 set_user_aro(
433 $current_user_groups,
434 $username,
435 $user_data["fname"],
436 $user_data["mname"],
437 $user_data["lname"]
438 );
439 return;
440 }
442 //
443 // This will remove the user aro object from the selected group(s)
444 // It uses the set_user_aro() function
445 // $username = username (string)
446 // $group = title of group(s) (string or array)
447 //
448 function remove_user_aros($username, $group)
449 {
450 $current_user_groups = acl_get_group_titles($username);
451 $new_user_groups = array();
452 if (is_array($group)) {
453 foreach ($current_user_groups as $value) {
454 if (!in_array($value, $group)) {
455 array_push($new_user_groups, $value);
456 }
457 }
458 } else {
459 foreach ($current_user_groups as $value) {
460 if ($value != $group) {
461 array_push($new_user_groups, $value);
462 }
463 }
464 }
465 $user_data = sqlFetchArray(sqlStatement("select * from users where username='" .
466 $username . "'"));
467 set_user_aro(
468 $new_user_groups,
469 $username,
470 $user_data["fname"],
471 $user_data["mname"],
472 $user_data["lname"]
473 );
474 return;
475 }
477 //
478 // This will either create or edit a user aro object, and then place it
479 // in the requested groups. It will not allow removal of the 'admin'
480 // user or gacl_protected users from the 'admin' group.
481 // $arr_group_titles = titles of the groups that user will be added to.
482 // $user_name = username, which is login name.
483 // $first_name = first name
484 // $middle_name = middle name
485 // $last_name = last name
486 //
487 function set_user_aro($arr_group_titles, $user_name, $first_name, $middle_name, $last_name)
488 {
489 global $phpgacl_location, $section_aro_value;
491 if (isset($phpgacl_location)) {
492 include_once("$phpgacl_location/gacl_api.class.php");
493 $gacl = new gacl_api();
495 //see if this user is gacl protected (ie. do not allow
496 //removal from the Administrators group)
497 require_once(dirname(__FILE__).'/user.inc');
498 require_once(dirname(__FILE__).'/calendar.inc');
499 $userNametoID = getIDfromUser($user_name);
500 if (checkUserSetting("gacl_protect", "1", $userNametoID) || $user_name == "admin") {
501 $gacl_protect = true;
502 } else {
503 $gacl_protect = false;
504 }
506 //get array of all available group ID numbers
507 $parent_id = $gacl->get_root_group_id();
508 $arr_all_group_ids = $gacl->get_group_children($parent_id, 'ARO', 'RECURSE');
510 //Cycle through ID array to find and process each selected group
511 //Create a counter since processing of first hit is unique
512 $counter = 0;
513 foreach ($arr_all_group_ids as $value) {
514 $arr_group_data = $gacl->get_group_data($value, 'ARO');
515 if ((empty($arr_group_titles)) ||
516 (in_array($arr_group_data[3], $arr_group_titles))) {
517 //We have a hit, so need to add group and increment counter
518 // because processing of first hit is unique
519 //This will also deal with an empty $arr_group_titles array
520 // removing user from all groups unless 'admin'
521 $counter = $counter + 1;
522 //create user full name field
523 if ($middle_name) {
524 $full_name = $first_name . " " . $middle_name . " " . $last_name;
525 } else {
526 if ($last_name) {
527 $full_name = $first_name . " " . $last_name;
528 } else {
529 $full_name = $first_name;
530 }
531 }
533 //If this is not the first group to be added, then will skip below
534 // and will be added. If this is the first group, then need to
535 // go thru several steps before adding the group.
536 if ($counter == 1) {
537 //get ID of user ARO object, if it exist
538 $user_aro_id = $gacl->get_object_id($section_aro_value, $user_name, 'ARO');
539 if ($user_aro_id) {
540 //user ARO object already exist, so will edit it
541 $gacl->edit_object($user_aro_id, $section_aro_value, $full_name, $user_name, 10, 0, 'ARO');
543 //remove all current user ARO object group associations
544 $arr_remove_group_ids = $gacl->get_object_groups($user_aro_id, 'ARO', 'NO_RECURSE');
545 foreach ($arr_remove_group_ids as $value2) {
546 $gacl->del_group_object($value2, $section_aro_value, $user_name, 'ARO');
547 }
548 } else {
549 //user ARO object does not exist, so will create it
550 $gacl->add_object($section_aro_value, $full_name, $user_name, 10, 0, 'ARO');
551 }
552 }
554 //place the user ARO object in the selected group (if group(s) is selected)
555 if (!empty($arr_group_titles)) {
556 $gacl->add_group_object($value, $section_aro_value, $user_name, 'ARO');
557 }
559 //
560 //Below will not allow 'admin' or gacl_protected user to be removed from 'admin' group
561 //
562 if ($gacl_protect) {
563 $boolean_admin=0;
564 $admin_id = $gacl->get_object_id($section_aro_value, $user_name, 'ARO');
565 $arr_admin = $gacl->get_object_groups($admin_id, 'ARO', 'NO_RECURSE');
566 foreach ($arr_admin as $value3) {
567 $arr_admin_data = $gacl->get_group_data($value3, 'ARO');
568 if (strcmp($arr_admin_data[2], 'admin') == 0) {
569 $boolean_admin=1;
570 }
571 }
572 if (!$boolean_admin) {
573 foreach ($arr_all_group_ids as $value4) {
574 $arr_temp = $gacl->get_group_data($value4, 'ARO');
575 if ($arr_temp[2] == 'admin') {
576 $gacl->add_group_object($value4, $section_aro_value, $user_name, 'ARO');
577 }
578 }
579 }
580 }
581 }
582 //if array of groups was empty, then we are done, and can break from loop
583 if (empty($arr_group_titles)) {
584 break;
585 }
586 }
587 return true;
588 }
589 return false;
590 }
592 //
593 // Returns true if acl exist
594 // Returns false if acl doesn't exist
595 // EITHER $title or $name is required(send FALSE in variable
596 // not being used). If both are sent, then only $title will be
597 // used.
598 // $return_value is required
599 // $title = title of acl (string)
600 // $name = name of acl (string)
601 // $return_value = return value of acl (string)
602 //
603 function acl_exist($title, $name, $return_value)
604 {
605 global $phpgacl_location;
606 if (isset($phpgacl_location)) {
607 include_once("$phpgacl_location/gacl_api.class.php");
608 $gacl = new gacl_api();
609 if (!$name) {
610 $acl = $gacl->search_acl(false, false, false, false, $title, false, false, false, $return_value);
611 } else if (!$title) {
612 $group_id = $gacl->get_group_id($name, null, 'ARO');
613 if ($group_id) {
614 $group_data = $gacl->get_group_data($group_id, 'ARO');
615 $acl = $gacl->search_acl(false, false, false, false, $group_data[3], false, false, false, $return_value);
616 } else {
617 return false;
618 }
619 } else {
620 $acl = $gacl->search_acl(false, false, false, false, $title, false, false, false, $return_value);
621 }
622 if (!empty($acl)) {
623 return true;
624 } else {
625 return false;
626 }
627 }
628 }
630 //
631 // This will add a new acl and group(if group doesn't yet exist)
632 // with one aco in it.
633 // $acl_title = title of acl (string)
634 // $acl_name = name of acl (string)
635 // $return_value = return value of acl (string)
636 // $note = description of acl (array)
637 //
638 function acl_add($acl_title, $acl_name, $return_value, $note)
639 {
640 global $phpgacl_location;
641 if (isset($phpgacl_location)) {
642 include_once("$phpgacl_location/gacl_api.class.php");
643 $gacl = new gacl_api();
644 $group_id = $gacl->get_group_id($acl_name, $acl_title, 'ARO');
645 if ($group_id) {
646 //group already exist, so just create acl
647 $gacl->add_acl(
648 array("placeholder"=>array("filler")),
649 null,
650 array($group_id),
651 null,
652 null,
653 1,
654 1,
655 $return_value,
656 $note
657 );
658 } else {
659 //create group, then create acl
660 $parent_id = $gacl->get_root_group_id();
661 $aro_id = $gacl->add_group($acl_name, $acl_title, $parent_id, 'ARO');
662 $gacl->add_acl(
663 array("placeholder"=>array("filler")),
664 null,
665 array($aro_id),
666 null,
667 null,
668 1,
669 1,
670 $return_value,
671 $note
672 );
673 }
674 return;
675 }
676 return 0;
677 }
679 //
680 // This will remove acl. It will also remove group(if the group
681 // is no longer associated with any acl's).
682 // $acl_title = title of acl (string)
683 // $acl_name = name of acl (string)
684 // $return_value = return value of acl (string)
685 // $note = description of acl (array)
686 //
687 function acl_remove($acl_title, $return_value)
688 {
689 global $phpgacl_location;
690 if (isset($phpgacl_location)) {
691 include_once("$phpgacl_location/gacl_api.class.php");
692 $gacl = new gacl_api();
693 //First, delete the acl
694 $acl_id=$gacl->search_acl(false, false, false, false, $acl_title, false, false, false, $return_value);
695 $gacl->del_acl($acl_id[0]);
696 //Then, remove the group(if no more acl's are remaining)
697 $acl_search=$gacl->search_acl(false, false, false, false, $acl_title, false, false, false, false);
698 if (empty($acl_search)) {
699 $group_id=$gacl-> get_group_id(null, $acl_title, 'ARO');
700 $gacl->del_group($group_id, true, 'ARO');
701 }
702 return;
703 }
704 return 0;
705 }
707 //
708 // This will place the aco(s) into the selected acl
709 // $acl_title = title of acl (string)
710 // $return_value = return value of acl (string)
711 // $aco_id = id of aco (array)
712 //
713 function acl_add_acos($acl_title, $return_value, $aco_id)
714 {
715 global $phpgacl_location;
716 if (isset($phpgacl_location)) {
717 include_once("$phpgacl_location/gacl_api.class.php");
718 $gacl = new gacl_api();
719 $acl_id = $gacl->search_acl(false, false, false, false, $acl_title, false, false, false, $return_value);
720 foreach ($aco_id as $value) {
721 $aco_data = $gacl->get_object_data($value, 'ACO');
722 $aco_section = $aco_data[0][0];
723 $aco_name = $aco_data[0][1];
724 $gacl->append_acl($acl_id[0], null, null, null, null, array($aco_section=>array($aco_name)));
725 }
726 return;
727 }
728 return 0;
729 }
731 //
732 // This will remove the aco(s) from the selected acl
733 // Note if all aco's are removed, then will place the filler-placeholder
734 // into the acl to avoid complete removal of the acl.
735 // $acl_title = title of acl (string)
736 // $return_value = return value of acl (string)
737 // $aco_id = id of aco (array)
738 //
739 function acl_remove_acos($acl_title, $return_value, $aco_id)
740 {
741 global $phpgacl_location;
742 if (isset($phpgacl_location)) {
743 include_once("$phpgacl_location/gacl_api.class.php");
744 $gacl = new gacl_api();
745 $acl_id = $gacl->search_acl(false, false, false, false, $acl_title, false, false, false, $return_value);
747 // Check to see if removing all acos. If removing all acos then will
748 // ensure the filler-placeholder aco in acl to avoid complete
749 // removal of the acl.
750 if (count($aco_id) == acl_count_acos($acl_title, $return_value)) {
751 //1-get the filler-placeholder aco id
752 $filler_aco_id = $gacl->get_object_id('placeholder', 'filler', 'ACO');
753 //2-add filler-placeholder aco
754 acl_add_acos($acl_title, $return_value, array($filler_aco_id));
755 //3-ensure filler-placeholder aco is not to be deleted
756 $safeListaco = remove_element($_POST["selection"], $filler_aco_id);
757 //4-prepare to safely delete the acos
758 $aco_id = $safeListaco;
759 }
761 foreach ($aco_id as $value) {
762 $aco_data = $gacl->get_object_data($value, 'ACO');
763 $aco_section = $aco_data[0][0];
764 $aco_name = $aco_data[0][1];
765 $gacl->shift_acl($acl_id[0], null, null, null, null, array($aco_section=>array($aco_name)));
766 }
767 return;
768 }
769 return 0;
770 }
772 //
773 // This will return the number of aco objects
774 // in a specified acl.
775 // $acl_title = title of acl (string)
776 // $return_value = return value of acl (string)
777 //
778 function acl_count_acos($acl_title, $return_value)
779 {
780 global $phpgacl_location;
781 if (isset($phpgacl_location)) {
782 include_once("$phpgacl_location/gacl_api.class.php");
783 $gacl = new gacl_api();
784 $acl_id = $gacl->search_acl(false, false, false, false, $acl_title, false, false, false, $return_value);
785 $acl_data = $gacl->get_acl($acl_id[0]);
786 $aco_count = 0;
787 foreach ($acl_data['aco'] as $key => $value) {
788 $aco_count = $aco_count + count($acl_data['aco'][$key]);
789 }
790 return $aco_count;
791 }
792 return 0;
793 }
795 //
796 // Function to remove an element from an array
797 //
798 function remove_element($arr, $val)
799 {
800 $arr2 = array();
801 foreach ($arr as $value) {
802 if ($value != $val) {
803 array_push($arr2, $value);
804 }
805 }
806 return $arr2;
807 }
808 /**
809 * Checks ACL
810 *
811 * Same Functionality in the Zend Module
812 * for ACL Check in Zend
813 * Path openemr/interface/modules/zend_modules/module/Application/src/Application/Model/ApplicationTable
814 * Function Name zAclCheck
815 *
816 * @param String $user_id Auth user Id
817 * $param String $section_identifier ACL Section id
818 * @return boolean
819 */
820 function zh_acl_check($user_id, $section_identifier)
821 {
822 $sql_user_acl = " SELECT
823 COUNT(allowed) AS count
824 FROM
825 module_acl_user_settings AS usr_settings
826 LEFT JOIN module_acl_sections AS acl_sections
827 ON usr_settings.section_id = acl_sections.`section_id`
828 WHERE
829 acl_sections.section_identifier = ? AND usr_settings.user_id = ? AND usr_settings.allowed = ?";
830 $sql_user_group = " SELECT
831 gagp.id AS group_id
832 FROM
833 gacl_aro AS garo
834 LEFT JOIN `gacl_groups_aro_map` AS gamp
835 ON garo.id = gamp.aro_id
836 LEFT JOIN `gacl_aro_groups` AS gagp
837 ON gagp.id = gamp.group_id
838 RIGHT JOIN `users_secure` usr
839 ON usr. username = garo.value
840 WHERE
841 garo.section_value = ? AND usr. id = ?";
842 $res_groups = sqlStatement($sql_user_group, array('users',$user_id));
844 // Prepare the group queries with the placemakers and binding array for the IN part
845 $groups_sql_param = array();
846 $groupPlacemakers = "";
847 $firstFlag = true;
848 while ($row = sqlFetchArray($res_groups)) {
849 array_push($groups_sql_param, $row['group_id']);
850 if ($firstFlag) {
851 $groupPlacemakers = "?";
852 $firstFlag = false;
853 } else {
854 $groupPlacemakers .= ",?";
855 }
856 }
857 $sql_group_acl_base = " SELECT
858 COUNT(allowed) AS count
859 FROM
860 module_acl_group_settings AS group_settings
861 LEFT JOIN module_acl_sections AS acl_sections
862 ON group_settings.section_id = acl_sections.section_id
863 WHERE
864 group_settings.group_id IN (".$groupPlacemakers.") AND acl_sections.`section_identifier` = ? ";
866 $sql_group_acl_allowed = $sql_group_acl_base . " AND group_settings.allowed = '1'";
868 // Complete the group queries sql binding array
869 array_push($groups_sql_param, $section_identifier);
871 $count_group_allowed = 0;
872 $count_user_allowed = 0;
874 $res_user_allowed = sqlQuery($sql_user_acl, array($section_identifier,$user_id,1));
875 $count_user_allowed = $res_user_allowed['count'];
877 $res_group_allowed = sqlQuery($sql_group_acl_allowed, $groups_sql_param);
878 $count_group_allowed = $res_group_allowed['count'];
880 if ($count_user_allowed > 0) {
881 return true;
882 } elseif ($count_group_allowed > 0) {
883 return true;
884 } else {
885 return false;
886 }
887 }
889 // This generates an HTML options list for all ACOs.
890 // The caller inserts this between <select> and </select> tags.
891 //
892 function gen_aco_html_options($default = '')
893 {
894 $acoArray = gen_aco_array();
895 $s = '';
896 foreach ($acoArray as $section => $acos_array) {
897 $s .= "<optgroup label='" . xla($section) . "'>\n";
898 foreach ($acos_array as $aco_array) {
899 $s .= "<option value='" . attr($aco_array['value']) . "'";
900 if ($aco_array['value'] == $default) {
901 $s .= ' selected';
902 }
903 $s .= ">" . xlt($aco_array['name']) . "</option>";
904 }
905 $s .= "</optgroup>";
906 }
907 return $s;
908 }
911 // Returns array of all ACOs
912 function gen_aco_array()
913 {
914 global $phpgacl_location;
915 require_once("$phpgacl_location/gacl_api.class.php");
916 $acoArray = array();
917 $gacl = new gacl_api();
918 // collect and sort all aco objects
919 $list_aco_objects = $gacl->get_objects(null, 0, 'ACO');
920 ksort($list_aco_objects);
921 foreach ($list_aco_objects as $seckey => $dummy) {
922 if (empty($dummy)) {
923 continue;
924 }
925 asort($list_aco_objects[$seckey]);
926 $aco_section_data = $gacl->get_section_data($seckey, 'ACO');
927 $aco_section_title = $aco_section_data[3];
928 foreach ($list_aco_objects[$seckey] as $acokey) {
929 $aco_id = $gacl->get_object_id($seckey, $acokey, 'ACO');
930 $aco_data = $gacl->get_object_data($aco_id, 'ACO');
931 $aco_title = $aco_data[0][3];
932 $optkey = "$seckey|$acokey";
933 $acoArray[$aco_section_title][$aco_id]['name'] = $aco_title;
934 $acoArray[$aco_section_title][$aco_id]['value'] = $optkey;
935 }
936 }
937 return $acoArray;
938 }
941 // Permissions check for an ACO in "section|aco" format.
942 // Note $return_value may be an array of return values.
943 //
944 function acl_check_aco_spec($aco_spec, $user = '', $return_value = '')
945 {
946 if (empty($aco_spec)) {
947 return true;
948 }
949 $tmp = explode('|', $aco_spec);
950 if (!is_array($return_value)) {
951 $return_value = array($return_value);
952 }
953 foreach ($return_value as $rv) {
954 if (acl_check($tmp[0], $tmp[1], $user, $rv)) {
955 return true;
956 }
957 }
958 return false;
959 }
961 // Permissions check for a specified encounter form type.
962 // Note $return_value may be an array of return values.
963 //
964 function acl_check_form($formdir, $user = '', $return_value = '')
965 {
966 require_once(dirname(__FILE__) . '/registry.inc');
967 $tmp = getRegistryEntryByDirectory($formdir, 'aco_spec');
968 return acl_check_aco_spec($tmp['aco_spec'], $user, $return_value);
969 }
971 // Permissions check for a specified issue type.
972 // Note $return_value may be an array of return values.
973 //
974 function acl_check_issue($type, $user = '', $return_value = '')
975 {
976 require_once(dirname(__FILE__) . '/lists.inc');
977 global $ISSUE_TYPES;
978 if (empty($ISSUE_TYPES[$type][5])) {
979 return true;
980 }
981 return acl_check_aco_spec($ISSUE_TYPES[$type][5], $user, $return_value);
982 }
984 // Permissions check for a specified document category name.
985 // Note $return_value may be an array of return values.
986 //
987 function acl_check_cat_name($catname, $user = '', $return_value = '')
988 {
989 $tmp = sqlQuery(
990 "SELECT aco_spec FROM categories WHERE name = ? ORDER BY id LIMIT 1",
991 array($catname)
992 );
993 if (empty($tmp['aco_spec'])) {
994 return true;
995 }
996 return acl_check_aco_spec($tmp['aco_spec'], $user, $return_value);
997 }
999 //Fetches aco for given postcalendar category
1000 function fetchPostCalendarCategoryACO($pc_catid)
1001 {
1002 $aco = sqlQuery(
1003 "SELECT aco_spec FROM openemr_postcalendar_categories WHERE pc_catid = ? LIMIT 1",
1004 array($pc_catid)
1005 );
1006 return $aco['aco_spec'];
1007 }