| blob | 0ee113b0f20f2e6f2a08cefac24d164fb7eaf602 |
1 <?php
2 //----------THINGS WE ALWAYS DO
4 require_once("{$GLOBALS['srcdir']}/log.inc");
5 require_once("{$GLOBALS['srcdir']}/sql.inc");
6 // added for the phpGACL group check -- JRM
7 require_once("{$GLOBALS['srcdir']}/acl.inc");
9 if (isset($_GET['auth']) && ($_GET['auth'] == "login") && isset($_POST['authUser']) &&
10 isset($_POST['authPass']) && isset($_POST['authProvider']))
11 {
12 $ip=$_SERVER['REMOTE_ADDR'];
13 if (!authNewSession($_POST['authUser'], $_POST['authPass'], $_POST['authProvider']))
14 {
15 newEvent("login",$_POST['authUser'], $_POST['authProvider'], "failure: $ip");
16 $_SESSION['loginfailure'] = 1;
17 authLoginScreen();
18 }
19 newEvent("login", $_POST['authUser'], $_POST['authProvider'], "success: $ip");
20 $_SESSION['loginfailure'] = null;
21 unset($_SESSION['loginfailure']);
22 //store the very first initial timestamp for timeout errors
23 $_SESSION["last_update"] = time();
24 }
25 else if ( (isset($_GET['auth'])) && ($_GET['auth'] == "logout") )
26 {
27 newEvent("logout", $_SESSION['authUser'], $_SESSION['authProvider'], "success");
28 authCloseSession();
29 authLoginScreen();
30 }
31 else
32 {
33 if (authCheckSession())
34 {
35 if (isset($_SESSION['pid']) && empty($GLOBALS['DAEMON_FLAG']))
36 {
37 require_once("{$GLOBALS['srcdir']}/patient.inc");
38 $logpatient = getPatientData($_SESSION['pid'], "lname, fname, mname");
39 newEvent("view", $_SESSION['authUser'], $_SESSION['authProvider'],
40 "{$logpatient['lname']}, {$logpatient['fname']} {$logpatient['mname']} :: encounter " .
41 $_SESSION['encounter']);
42 }
43 //LOG EVERYTHING
44 //newEvent("view", $_SESSION['authUser'], $_SESSION['authProvider'], $_SERVER['REQUEST_URI']);
45 }
46 else {
47 newEvent("login",$_POST['authUser'], $_POST['authProvider'], "insufficient data sent");
48 authLoginScreen();
49 }
50 }
52 if (!isset($_SESSION["last_update"])) {
53 authLoginScreen();
54 } else {
55 //if page has not been updated in a given period of time, we call login screen
56 if ((time() - $_SESSION["last_update"]) > $timeout) {
57 newEvent("logout", $_SESSION['authUser'], $_SESSION['authProvider'], "timeout");
58 authCloseSession();
59 authLoginScreen();
60 } else {
61 if (empty($GLOBALS['DAEMON_FLAG'])) $_SESSION["last_update"] = time();
62 }
63 }
65 //----------THINGS WE DO IF WE STILL LIKE YOU
67 function authNewSession ($user, $pass, $provider)
68 {
69 // check to see if the user belongs to *any* OpenEMR groups in phpGACL -- JRM
70 global $phpgacl_location;
71 if (isset ($phpgacl_location)) {
72 if (acl_get_group_titles($user) == 0) return false;
73 }
75 // get details about the user
76 $authDB = sqlQuery("select id, password, authorized, see_auth".
77 ", cal_ui, active ".
78 " from users where username = '$user'");
80 // if the user is NOT active, get out
81 if ($authDB['active'] != 1) { return false; }
83 // start the HTTP SESSION
84 if(!session_id()) { session_start(); }
86 // compare the submitted password with the stored password
87 if ($authDB['password'] == $pass)
88 {
89 //here, we check to see if the user is in fact a member of the correct group:
90 if ($authGroup = sqlQuery("select * from groups where user='$user' and name='$provider'"))
91 {
92 $_SESSION['authUser'] = $user;
93 $_SESSION['authGroup'] = $authGroup['name'];
94 $_SESSION['authUserID'] = $authDB['id'];
95 $_SESSION['authPass'] = $pass;
96 $_SESSION['authProvider'] = $provider;
97 $_SESSION['authId'] = $authDB{'id'};
98 $_SESSION['cal_ui'] = $authDB['cal_ui'];
99 $_SESSION['userauthorized'] = $authDB['authorized'];
100 // Some users may be able to authorize without being providers:
101 if ($authDB['see_auth'] > '2') $_SESSION['userauthorized'] = '1';
102 return true;
103 } else {
104 return false;
105 }
106 }
107 else
108 return false;
109 }
111 function authCheckSession ()
112 {
113 if (isset($_SESSION['authId'])) {
114 $authDB = sqlQuery("select username, password from users where id = '" .
115 $_SESSION['authId']."'");
116 if ($_SESSION['authUser'] == $authDB['username'] &&
117 $_SESSION['authPass'] == $authDB['password'])
118 {
119 return true;
120 }
121 else {
122 return false;
123 }
124 }
125 else {
126 return false;
127 }
128 }
130 function authCloseSession ()
131 {
132 ob_start();
133 session_unset();
134 // $_SESSION = array();
135 session_destroy();
136 //setcookie(session_name(),"","","/");
137 //the following does the same as the above line:
138 //if(isset($_COOKIE[session_name()])) {
139 // session_start();
140 // session_destroy();
141 unset($_COOKIE[session_name()]);
142 //}
143 }
145 function authLoginScreen()
146 {
147 //header("Location: https://{$_SERVER['HTTP_HOST']}{$GLOBALS['login_screen']}");
148 header("Location: {$GLOBALS['login_screen']}?error=1");
149 exit;
150 }
152 function addUser ($username, $password_md5, $info, $authorized = 'yes')
153 {
154 return sqlInsert("insert into users (username, password, info, authorized) values ('$username', '$password_md5', '$info', '$authorized')");
155 }
157 function delUser ($id)
158 {
159 return sqlQuery("delete from users where id = '$id' limit 0,1");
160 }
162 function changePasword ($id, $new_md5)
163 {
164 return sqlQuery("update users set password = '$new_md5' where id = '$id'");
165 }
167 function getUserList ($cols = '*', $limit = 'all', $start = '0')
168 {
169 if ($limit = "all")
170 $rez = sqlStatement("select $cols from users where username != '' order by date DESC");
171 else
172 $rez = sqlStatement("select $cols from users where username != '' order by date DESC limit $limit, $start");
173 for ($iter = 0; $row = sqlFetchArray($rez); $iter++)
174 $tbl[$iter] = $row;
175 return $tbl;
176 }
178 function getProviderList ($cols = '*', $limit= 'all', $start = '0')
179 {
180 if ($limit = "all")
181 $rez = sqlStatement("select $cols from groups order by date DESC");
182 else
183 $rez = sqlStatement("select $cols from groups order by date DESC limit $limit, $start");
184 for ($iter = 0; $row = sqlFetchArray($rez); $iter++)
185 $tbl[$iter] = $row;
186 return $tbl;
187 }
189 function addGroup ($groupname)
190 {
191 return sqlInsert("insert into groups (name) values ('$groupname')");
192 }
194 function delGroup ($group_id)
195 {
196 return sqlQuery("delete from groups where id = '$group_id' limit 0,1");
197 }
199 /***************************************************************
200 //pennfirm
201 //Function currently user by new post calendar code to determine
202 //if a given user is in a group with another user
203 //and if so to allow editing of that users events
204 //
205 //*************************************************************/
207 function validateGroupStatus ($user_to_be_checked, $group_user) {
208 if (isset($user_to_be_checked) && isset($group_user)) {
209 if ($user_to_be_checked == $group_user) {
211 return true;
212 }
213 elseif ($_SESSION['authorizeduser'] == 1)
214 return true;
216 $query = "SELECT groups.name FROM users,groups WHERE users.username = \"" . mysql_real_escape_string($user_to_be_checked) . "\" " .
217 "AND users.username = groups.user group by groups.name";
218 $result = sqlStatement($query);
220 $usertbcGroups = array();
222 while ($row = mysql_fetch_array($result)) {
223 $usertbcGroups[] = $row[0];
224 }
226 $query = "SELECT groups.name FROM users,groups WHERE users.username = \"" . mysql_real_escape_string($group_user) . "\" " .
227 "AND users.username = groups.user group by groups.name";
228 $result = sqlStatement($query);
230 $usergGroups = array();
232 while ($row = mysql_fetch_array($result)) {
233 $usergGroups[] = $row[0];
234 }
235 foreach ($usertbcGroups as $group) {
236 if(in_array($group,$usergGroups)) {
237 return true;
238 }
239 }
241 }
243 return false;
244 }
245 ?>