search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
minor changes to prior commit
[openemr.git] / interface / usergroup / usergroup_admin.php
blob9ae7fa5af36329e826f1f819046808443aa8f0fe
1 <?php
2 /**
3 * This script Assign acl 'Emergency login'.
4 *
5 * @package OpenEMR
6 * @link http://www.open-emr.org
7 * @author Roberto Vasquez <robertogagliotta@gmail.com>
8 * @author Brady Miller <brady.g.miller@gmail.com>
9 * @copyright Copyright (c) 2015 Roberto Vasquez <robertogagliotta@gmail.com>
10 * @copyright Copyright (c) 2017 Brady Miller <brady.g.miller@gmail.com>
11 * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
12 */
13
14 require_once("../globals.php");
15 require_once("../../library/acl.inc");
16 require_once("$srcdir/auth.inc");
17
18 use OpenEMR\Core\Header;
19
20 if (!acl_check('admin', 'users')) {
21 die(xlt('Access denied'));
22 }
23
24 $alertmsg = '';
25 $bg_msg = '';
26 $set_active_msg=0;
27 $show_message=0;
28
29 /* Sending a mail to the admin when the breakglass user is activated only if $GLOBALS['Emergency_Login_email'] is set to 1 */
30 $bg_count=count($_POST['access_group']);
31 $mail_id = explode(".", $SMTP_HOST);
32 for ($i=0; $i<$bg_count; $i++) {
33 if (($_POST['access_group'][$i] == "Emergency Login") && ($_POST['active'] == 'on') && ($_POST['pre_active'] == 0)) {
34 if (($_POST['get_admin_id'] == 1) && ($_POST['admin_id'] != "")) {
35 $res = sqlStatement("select username from users where id= ? ", array($_POST["id"]));
36 $row = sqlFetchArray($res);
37 $uname=$row['username'];
38 $mail = new MyMailer();
39 $mail->From = $GLOBALS["practice_return_email_path"];
40 $mail->FromName = "Administrator OpenEMR";
41 $text_body = "Hello Security Admin,\n\n The Emergency Login user ".$uname.
42 " was activated at ".date('l jS \of F Y h:i:s A')." \n\nThanks,\nAdmin OpenEMR.";
43 $mail->Body = $text_body;
44 $mail->Subject = "Emergency Login User Activated";
45 $mail->AddAddress($_POST['admin_id']);
46 $mail->Send();
47 }
48 }
49 }
50
51 /* To refresh and save variables in mail frame */
52 if (isset($_POST["privatemode"]) && $_POST["privatemode"] =="user_admin") {
53 if ($_POST["mode"] == "update") {
54 if (isset($_POST["username"])) {
55 // $tqvar = addslashes(trim($_POST["username"]));
56 $tqvar = trim(formData('username', 'P'));
57 $user_data = sqlFetchArray(sqlStatement("select * from users where id= ? ", array($_POST["id"])));
58 sqlStatement("update users set username='$tqvar' where id= ? ", array($_POST["id"]));
59 sqlStatement("update `groups` set user='$tqvar' where user= ?", array($user_data["username"]));
60 //echo "query was: " ."update `groups` set user='$tqvar' where user='". $user_data["username"] ."'" ;
61 }
62
63 if ($_POST["taxid"]) {
64 $tqvar = formData('taxid', 'P');
65 sqlStatement("update users set federaltaxid='$tqvar' where id= ? ", array($_POST["id"]));
66 }
67
68 if ($_POST["state_license_number"]) {
69 $tqvar = formData('state_license_number', 'P');
70 sqlStatement("update users set state_license_number='$tqvar' where id= ? ", array($_POST["id"]));
71 }
72
73 if ($_POST["drugid"]) {
74 $tqvar = formData('drugid', 'P');
75 sqlStatement("update users set federaldrugid='$tqvar' where id= ? ", array($_POST["id"]));
76 }
77
78 if ($_POST["upin"]) {
79 $tqvar = formData('upin', 'P');
80 sqlStatement("update users set upin='$tqvar' where id= ? ", array($_POST["id"]));
81 }
82
83 if ($_POST["npi"]) {
84 $tqvar = formData('npi', 'P');
85 sqlStatement("update users set npi='$tqvar' where id= ? ", array($_POST["id"]));
86 }
87
88 if ($_POST["taxonomy"]) {
89 $tqvar = formData('taxonomy', 'P');
90 sqlStatement("update users set taxonomy = '$tqvar' where id= ? ", array($_POST["id"]));
91 }
92
93 if ($_POST["lname"]) {
94 $tqvar = formData('lname', 'P');
95 sqlStatement("update users set lname='$tqvar' where id= ? ", array($_POST["id"]));
96 }
97
98 if ($_POST["job"]) {
99 $tqvar = formData('job', 'P');
100 sqlStatement("update users set specialty='$tqvar' where id= ? ", array($_POST["id"]));
101 }
102
103 if ($_POST["mname"]) {
104 $tqvar = formData('mname', 'P');
105 sqlStatement("update users set mname='$tqvar' where id= ? ", array($_POST["id"]));
106 }
107
108 if ($_POST["facility_id"]) {
109 $tqvar = formData('facility_id', 'P');
110 sqlStatement("update users set facility_id = '$tqvar' where id = ? ", array($_POST["id"]));
111 //(CHEMED) Update facility name when changing the id
112 sqlStatement("UPDATE users, facility SET users.facility = facility.name WHERE facility.id = '$tqvar' AND users.id = {$_POST["id"]}");
113 //END (CHEMED)
114 }
115
116 if ($GLOBALS['restrict_user_facility'] && $_POST["schedule_facility"]) {
117 sqlStatement("delete from users_facility
118 where tablename='users'
119 and table_id= ?
120 and facility_id not in (" . implode(",", $_POST['schedule_facility']) . ")", array($_POST["id"]));
121 foreach ($_POST["schedule_facility"] as $tqvar) {
122 sqlStatement("replace into users_facility set
123 facility_id = '$tqvar',
124 tablename='users',
125 table_id = {$_POST["id"]}");
126 }
127 }
128
129 if ($_POST["fname"]) {
130 $tqvar = formData('fname', 'P');
131 sqlStatement("update users set fname='$tqvar' where id= ? ", array($_POST["id"]));
132 }
133
134 if (isset($_POST['default_warehouse'])) {
135 sqlStatement("UPDATE users SET default_warehouse = '" .
136 formData('default_warehouse', 'P') .
137 "' WHERE id = '" . formData('id', 'P') . "'");
138 }
139
140 if (isset($_POST['irnpool'])) {
141 sqlStatement("UPDATE users SET irnpool = '" .
142 formData('irnpool', 'P') .
143 "' WHERE id = '" . formData('id', 'P') . "'");
144 }
145
146 if (!empty($_POST['clear_2fa'])) {
147 sqlStatement("DELETE FROM login_mfa_registrations WHERE user_id = ?", array($_POST['id']));
148 }
149
150 if ($_POST["adminPass"] && $_POST["clearPass"]) {
151 require_once("$srcdir/authentication/password_change.php");
152 $clearAdminPass=$_POST['adminPass'];
153 $clearUserPass=$_POST['clearPass'];
154 $password_err_msg="";
155 $success=update_password($_SESSION['authId'], $_POST['id'], $clearAdminPass, $clearUserPass, $password_err_msg);
156 if (!$success) {
157 error_log($password_err_msg);
158 $alertmsg.=$password_err_msg;
159 }
160 }
161
162 $tqvar = $_POST["authorized"] ? 1 : 0;
163 $actvar = $_POST["active"] ? 1 : 0;
164 $calvar = $_POST["calendar"] ? 1 : 0;
165
166 sqlStatement("UPDATE users SET authorized = $tqvar, active = $actvar, " .
167 "calendar = $calvar, see_auth = ? WHERE " .
168 "id = ? ", array($_POST['see_auth'], $_POST["id"]));
169 //Display message when Emergency Login user was activated
170 $bg_count=count($_POST['access_group']);
171 for ($i=0; $i<$bg_count; $i++) {
172 if (($_POST['access_group'][$i] == "Emergency Login") && ($_POST['pre_active'] == 0) && ($actvar == 1)) {
173 $show_message = 1;
174 }
175 }
176
177 if (($_POST['access_group'])) {
178 for ($i=0; $i<$bg_count; $i++) {
179 if (($_POST['access_group'][$i] == "Emergency Login") && ($_POST['user_type']) == "" && ($_POST['check_acl'] == 1) && ($_POST['active']) != "") {
180 $set_active_msg=1;
181 }
182 }
183 }
184
185 if ($_POST["comments"]) {
186 $tqvar = formData('comments', 'P');
187 sqlStatement("update users set info = '$tqvar' where id = ? ", array($_POST["id"]));
188 }
189
190 $erxrole = formData('erxrole', 'P');
191 sqlStatement("update users set newcrop_user_role = '$erxrole' where id = ? ", array($_POST["id"]));
192
193 if ($_POST["physician_type"]) {
194 $physician_type = formData('physician_type');
195 sqlStatement("update users set physician_type = '$physician_type' where id = ? ", array($_POST["id"]));
196 }
197
198 if ($_POST["main_menu_role"]) {
199 $mainMenuRole = filter_input(INPUT_POST, 'main_menu_role');
200 sqlStatement("update `users` set `main_menu_role` = ? where `id` = ? ", array($mainMenuRole, $_POST["id"]));
201 }
202
203 if ($_POST["patient_menu_role"]) {
204 $patientMenuRole = filter_input(INPUT_POST, 'patient_menu_role');
205 sqlStatement("update `users` set `patient_menu_role` = ? where `id` = ? ", array($patientMenuRole, $_POST["id"]));
206 }
207
208 if ($_POST["erxprid"]) {
209 $erxprid = formData('erxprid', 'P');
210 sqlStatement("update users set weno_prov_id = '$erxprid' where id = ? ", array($_POST["id"]));
211 }
212
213 // Set the access control group of user
214 $user_data = sqlFetchArray(sqlStatement("select username from users where id= ?", array($_POST["id"])));
215 set_user_aro(
216 $_POST['access_group'],
217 $user_data["username"],
218 formData('fname', 'P'),
219 formData('mname', 'P'),
220 formData('lname', 'P')
221 );
222 }
223 }
224
225 /* To refresh and save variables in mail frame - Arb*/
226 if (isset($_POST["mode"])) {
227 if ($_POST["mode"] == "new_user") {
228 if ($_POST["authorized"] != "1") {
229 $_POST["authorized"] = 0;
230 }
231
232 // $_POST["info"] = addslashes($_POST["info"]);
233
234 $calvar = $_POST["calendar"] ? 1 : 0;
235
236 $res = sqlStatement("select distinct username from users where username != ''");
237 $doit = true;
238 while ($row = sqlFetchArray($res)) {
239 if ($doit == true && $row['username'] == trim(formData('rumple'))) {
240 $doit = false;
241 }
242 }
243
244 if ($doit == true) {
245 require_once("$srcdir/authentication/password_change.php");
246
247 //if password expiration option is enabled, calculate the expiration date of the password
248 if ($GLOBALS['password_expiration_days'] != 0) {
249 $exp_days = $GLOBALS['password_expiration_days'];
250 $exp_date = date('Y-m-d', strtotime("+$exp_days days"));
251 }
252
253 $insertUserSQL=
254 "insert into users set " .
255 "username = '" . trim(formData('rumple')) .
256 "', password = '" . 'NoLongerUsed' .
257 "', fname = '" . trim(formData('fname')) .
258 "', mname = '" . trim(formData('mname')) .
259 "', lname = '" . trim(formData('lname')) .
260 "', federaltaxid = '" . trim(formData('federaltaxid')) .
261 "', state_license_number = '" . trim(formData('state_license_number')) .
262 "', newcrop_user_role = '" . trim(formData('erxrole')) .
263 "', physician_type = '" . trim(formData('physician_type')) .
264 "', main_menu_role = '" . trim(formData('main_menu_role')) .
265 "', patient_menu_role = '" . trim(formData('patient_menu_role')) .
266 "', weno_prov_id = '" . trim(formData('erxprid')) .
267 "', authorized = '" . trim(formData('authorized')) .
268 "', info = '" . trim(formData('info')) .
269 "', federaldrugid = '" . trim(formData('federaldrugid')) .
270 "', upin = '" . trim(formData('upin')) .
271 "', npi = '" . trim(formData('npi')).
272 "', taxonomy = '" . trim(formData('taxonomy')) .
273 "', facility_id = '" . trim(formData('facility_id')) .
274 "', specialty = '" . trim(formData('specialty')) .
275 "', see_auth = '" . trim(formData('see_auth')) .
276 "', default_warehouse = '" . trim(formData('default_warehouse')) .
277 "', irnpool = '" . trim(formData('irnpool')) .
278 "', calendar = '" . $calvar .
279 "', pwd_expiration_date = '" . trim("$exp_date") .
280 "'";
281
282 $clearAdminPass=$_POST['adminPass'];
283 $clearUserPass=$_POST['stiltskin'];
284 $password_err_msg="";
285 $prov_id="";
286 $success = update_password(
287 $_SESSION['authId'],
288 0,
289 $clearAdminPass,
290 $clearUserPass,
291 $password_err_msg,
292 true,
293 $insertUserSQL,
294 trim(formData('rumple')),
295 $prov_id
296 );
297 error_log($password_err_msg);
298 $alertmsg .=$password_err_msg;
299 if ($success) {
300 //set the facility name from the selected facility_id
301 sqlStatement("UPDATE users, facility SET users.facility = facility.name WHERE facility.id = '" . trim(formData('facility_id')) . "' AND users.username = '" . trim(formData('rumple')) . "'");
302
303 sqlStatement("insert into `groups` set name = '" . trim(formData('groupname')) .
304 "', user = '" . trim(formData('rumple')) . "'");
305
306 if (trim(formData('rumple'))) {
307 // Set the access control group of user
308 set_user_aro(
309 $_POST['access_group'],
310 trim(formData('rumple')),
311 trim(formData('fname')),
312 trim(formData('mname')),
313 trim(formData('lname'))
314 );
315 }
316 }
317 } else {
318 $alertmsg .= xl('User', '', '', ' ') . trim(formData('rumple')) . xl('already exists.', '', ' ');
319 }
320
321 if ($_POST['access_group']) {
322 $bg_count=count($_POST['access_group']);
323 for ($i=0; $i<$bg_count; $i++) {
324 if ($_POST['access_group'][$i] == "Emergency Login") {
325 $set_active_msg=1;
326 }
327 }
328 }
329 } else if ($_POST["mode"] == "new_group") {
330 $res = sqlStatement("select distinct name, user from `groups`");
331 for ($iter = 0; $row = sqlFetchArray($res); $iter++) {
332 $result[$iter] = $row;
333 }
334
335 $doit = 1;
336 foreach ($result as $iter) {
337 if ($doit == 1 && $iter{"name"} == trim(formData('groupname')) && $iter{"user"} == trim(formData('rumple'))) {
338 $doit--;
339 }
340 }
341
342 if ($doit == 1) {
343 sqlStatement("insert into `groups` set name = '" . trim(formData('groupname')) .
344 "', user = '" . trim(formData('rumple')) . "'");
345 } else {
346 $alertmsg .= "User " . trim(formData('rumple')) .
347 " is already a member of group " . trim(formData('groupname')) . ". ";
348 }
349 }
350 }
351
352 if (isset($_GET["mode"])) {
353 /*******************************************************************
354 // This is the code to delete a user. Note that the link which invokes
355 // this is commented out. Somebody must have figured it was too dangerous.
356 //
357 if ($_GET["mode"] == "delete") {
358 $res = sqlStatement("select distinct username, id from users where id = '" .
359 $_GET["id"] . "'");
360 for ($iter = 0; $row = sqlFetchArray($res); $iter++)
361 $result[$iter] = $row;
362
363 // TBD: Before deleting the user, we should check all tables that
364 // reference users to make sure this user is not referenced!
365
366 foreach($result as $iter) {
367 sqlStatement("delete from `groups` where user = '" . $iter{"username"} . "'");
368 }
369 sqlStatement("delete from users where id = '" . $_GET["id"] . "'");
370 }
371 *******************************************************************/
372
373 if ($_GET["mode"] == "delete_group") {
374 $res = sqlStatement("select distinct user from `groups` where id = ?", array($_GET["id"]));
375 for ($iter = 0; $row = sqlFetchArray($res); $iter++) {
376 $result[$iter] = $row;
377 }
378
379 foreach ($result as $iter) {
380 $un = $iter{"user"};
381 }
382
383 $res = sqlStatement("select name, user from `groups` where user = '$un' " .
384 "and id != ?", array($_GET["id"]));
385
386 // Remove the user only if they are also in some other group. I.e. every
387 // user must be a member of at least one group.
388 if (sqlFetchArray($res) != false) {
389 sqlStatement("delete from `groups` where id = ?", array($_GET["id"]));
390 } else {
391 $alertmsg .= "You must add this user to some other group before " .
392 "removing them from this group. ";
393 }
394 }
395 }
396 // added for form submit's from usergroup_admin_add and user_admin.php
397 // sjp 12/29/17
398 if (isset($_REQUEST["mode"])) {
399 exit(trim($alertmsg));
400 }
401
402 $form_inactive = empty($_REQUEST['form_inactive']) ? false : true;
403
404 ?>
405 <html>
406 <head>
407 <title><?php echo xlt('User / Groups');?></title>
408
409 <?php Header::setupHeader(['common','jquery-ui']); ?>
410
411 <script type="text/javascript">
412
413 $(document).ready(function(){
414
415 tabbify();
416
417 $(".medium_modal").on('click', function(e) {
418 e.preventDefault();e.stopPropagation();
419 dlgopen('', '', 660, 450, '', '', {
420 type: 'iframe',
421 url: $(this).attr('href')
422 });
423 });
424
425 });
426
427 function authorized_clicked() {
428 var f = document.forms[0];
429 f.calendar.disabled = !f.authorized.checked;
430 f.calendar.checked = f.authorized.checked;
431 }
432
433 </script>
434
435 </head>
436 <body class="body_top">
437
438 <div class="container">
439 <div class="row">
440 <div class="col-xs-12">
441 <div class="page-title">
442 <h2><?php echo xlt('User / Groups');?></h2>
443 </div>
444 </div>
445 </div>
446 <div class="row">
447 <div class="col-xs-12">
448 <div class="btn-group">
449 <a href="usergroup_admin_add.php" class="medium_modal btn btn-default btn-add"><?php echo xlt('Add User'); ?></a>
450 <a href="facility_user.php" class="btn btn-default btn-show"><?php echo xlt('View Facility Specific User Information'); ?></a>
451 </div>
452 <form name='userlist' method='post' style="display: inline;" class="form-inline" class="pull-right" action='usergroup_admin.php' onsubmit='return top.restoreSession()'>
453 <div class="checkbox">
454 <label for="form_inactive">
455 <input type='checkbox' class="form-control" id="form_inactive" name='form_inactive' value='1' onclick='submit()' <?php echo ($form_inactive) ? 'checked ' : ''; ?>>
456 <?php echo xlt('Include inactive users'); ?>
457 </label>
458 </div>
459 </form>
460 </div>
461 </div>
462 <div class="row">
463 <div class="col-xs-12">
464 <?php
465 if ($set_active_msg == 1) {
466 echo "<div class='alert alert-danger'>".xlt('Emergency Login ACL is chosen. The user is still in active state, please de-activate the user and activate the same when required during emergency situations. Visit Administration->Users for activation or de-activation.')."</div><br>";
467 }
468
469 if ($show_message == 1) {
470 echo "<div class='alert alert-danger'>".xlt('The following Emergency Login User is activated:')." "."<b>".text($_GET['fname'])."</b>"."</div><br>";
471 echo "<div class='alert alert-danger'>".xlt('Emergency Login activation email will be circulated only if following settings in the interface/globals.php file are configured:')." \$GLOBALS['Emergency_Login_email'], \$GLOBALS['Emergency_Login_email_id']</div>";
472 }
473
474 ?>
475 <div class="table-responsive">
476 <table class="table table-striped">
477 <thead>
478 <tr>
479 <th><?php echo xlt('Username'); ?></th>
480 <th><?php echo xlt('Real Name'); ?></th>
481 <th><?php echo xlt('Additional Info'); ?></th>
482 <th><?php echo xlt('Authorized'); ?>?</th>
483 <th></th>
484 </tr>
485 <tbody>
486 <?php
487 $query = "SELECT * FROM users WHERE username != '' ";
488 if (!$form_inactive) {
489 $query .= "AND active = '1' ";
490 }
491
492 $query .= "ORDER BY username";
493 $res = sqlStatement($query);
494 for ($iter = 0; $row = sqlFetchArray($res); $iter++) {
495 $result4[$iter] = $row;
496 }
497
498 foreach ($result4 as $iter) {
499 if ($iter{"authorized"}) {
500 $iter{"authorized"} = xl('yes');
501 } else {
502 $iter{"authorized"} = "";
503 }
504
505 print "<tr>
506 <td><b><a href='user_admin.php?id=" . attr($iter{"id"}) .
507 "' class='medium_modal' onclick='top.restoreSession()'>" . text($iter{"username"}) . "</a></b>" ."&nbsp;</td>
508 <td>" . text($iter{"fname"}) . ' ' . text($iter{"lname"}) ."&nbsp;</td>
509 <td>" . text($iter{"info"}) . "&nbsp;</td>
510 <td align='left'><span>" .text($iter{"authorized"}) . "&nbsp;</td>";
511 print "<td><!--<a href='usergroup_admin.php?mode=delete&id=" . attr($iter{"id"}) .
512 "' class='link_submit'>[Delete]</a>--></td>";
513 print "</tr>\n";
514 }
515 ?>
516 </tbody>
517 </table>
518 </div>
519 <?php
520 if (empty($GLOBALS['disable_non_default_groups'])) {
521 $res = sqlStatement("select * from `groups` order by name");
522 for ($iter = 0; $row = sqlFetchArray($res); $iter++) {
523 $result5[$iter] = $row;
524 }
525
526 foreach ($result5 as $iter) {
527 $grouplist{$iter{"name"}} .= $iter{"user"} .
528 "(<a class='link_submit' href='usergroup_admin.php?mode=delete_group&id=" .
529 attr($iter{"id"}) . "' onclick='top.restoreSession()'>" . xlt('Remove') . "</a>), ";
530 }
531
532 foreach ($grouplist as $groupname => $list) {
533 print "<span class='bold'>" . text($groupname) . "</span><br>\n<span>" .
534 text(substr($list, 0, strlen($list)-2)) . "</span><br>\n";
535 }
536 }
537 ?>
538 </div>
539 </div>
540 </div>
541 <script language="JavaScript">
542 <?php
543 if ($alertmsg = trim($alertmsg)) {
544 echo "alert('$alertmsg');\n";
545 }
546 ?>
547 </script>
548 </body>
549 </html>
Mirror of official OpenEMR Sourceforge repository