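<?php

/**
 * Patient Portal
 *
 * Persists a signature image posted as JSON by either the patient portal or the
 * main OpenEMR UI. The identity the row is filed under is taken from the
 * server-side session, never from the request body, before anything is written.
 *
 * @package   OpenEMR
 * @link      http://www.open-emr.org
 * @author    Jerry Padgett <sjpadgett@gmail.com>
 * @author    Brady Miller <brady.g.miller@gmail.com>
 * @copyright Copyright (c) 2016-2021 Jerry Padgett <sjpadgett@gmail.com>
 * @copyright Copyright (c) 2019 Brady Miller <brady.g.miller@gmail.com>
 * @license   https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
 */

// Need to unwrap data to ensure user/patient is authorized.
// Decode to an associative array and tolerate an empty or invalid body so a
// malformed request yields the normal error path instead of undefined-index
// warnings mixed into the JSON response.
$rawBody = file_get_contents("php://input");
$data = ($rawBody === false) ? null : json_decode($rawBody, true);
if (!is_array($data)) {
    $data = [];
}
$req_pid = $data['pid'] ?? null;
$user = $data['user'] ?? null;
$signer = !empty($data['signer']) ? $data['signer'] : '';
$type = $data['type'] ?? '';
$isPortal = !empty($data['is_portal']);
$output = urldecode((string)($data['output'] ?? ''));
$ignoreAuth = false;

// This script is used by both the patient portal and main openemr; below does authorization.
if ($isPortal) {
    require_once(__DIR__ . "/../../../src/Common/Session/SessionUtil.php");
    OpenEMR\Common\Session\SessionUtil::portalSessionStart();

    if (isset($_SESSION['pid']) && isset($_SESSION['patient_portal_onsite_two'])) {
        // Authorized by patient portal: the patient id is bound to the session
        // and the posted 'pid' is discarded.
        // NOTE(review): $user still comes from the request body on this path;
        // confirm whether it should be bound to the session as well.
        $req_pid = $_SESSION['pid'];
        $ignoreAuth_onsite_portal = true;
    } else {
        OpenEMR\Common\Session\SessionUtil::portalSessionCookieDestroy();
        // globals.php (presumably the provider of js_escape()) is not loaded yet
        // on this path, so the response is emitted with json_encode() directly,
        // matching the success response at the bottom of the script.
        echo json_encode("error invalid session,", JSON_THROW_ON_ERROR);
        exit();
    }
}

require_once("../../../interface/globals.php");

if (!$isPortal) {
    // Main OpenEMR: the posted user id must be the logged-in session user.
    // Compare as strings so an int and its numeric-string form agree, and
    // treat a missing session user or a non-scalar 'user' as manipulation.
    $sessionUser = $_SESSION['authUserID'] ?? null;
    $userManipulatedFlag = ($sessionUser === null)
        || !is_scalar($user)
        || ((string)$user !== (string)$sessionUser);
    if ($userManipulatedFlag) {
        echo js_escape("error");
        exit();
    }
}

if ($type === 'witness-signature') {
    // Witness signatures are acknowledged but not persisted by this endpoint.
    echo(js_escape('Done'));
    exit();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if ($type === 'admin-signature') {
        // Admin signatures are filed under pid 0. Only the main UI may do this:
        // 'type' is client-supplied, so a portal session must not be able to
        // replace its session-bound pid with 0 by naming this type.
        if ($isPortal) {
            echo js_escape("error");
            exit();
        }
        $req_pid = 0;
    }
    // The hash is stored alongside the image so later readers can detect
    // tampering with the stored sig_image.
    $sig_hash = hash('sha3-512', $output);
    $created = time();
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $status = 'filed';
    $lastmod = date('Y-m-d H:i:s');
    // One row per (pid, user): replace an existing signature, otherwise insert.
    $r = sqlStatement("SELECT COUNT( DISTINCT TYPE ) x FROM onsite_signatures where pid = ? and user = ? ", array($req_pid, $user));
    $c = sqlFetchArray($r);
    $isit = (int)($c['x'] ?? 0);
    if ($isit) {
        $qstr = "UPDATE onsite_signatures SET pid=?,lastmod=?,status=?, user=?, signature=?, sig_hash=?, ip=?,sig_image=? WHERE pid=? && user=?";
        sqlStatement($qstr, array($req_pid, $lastmod, $status, $user, null, $sig_hash, $ip, $output, $req_pid, $user));
    } else {
        $qstr = "INSERT INTO onsite_signatures (pid,lastmod,status,type,user,signator, signature, sig_hash, ip, created, sig_image) VALUES (?,?,?,?,?,?,?,?,?,?,?) ";
        sqlStatement($qstr, array($req_pid, $lastmod, $status, $type, $user, $signer, null, $sig_hash, $ip, $created, $output));
    }
}

echo json_encode('Done', JSON_THROW_ON_ERROR);
exit();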