| blob | cec709f1607dc9a033fe9b8ff98fb76be9dda8e4 |
1 <?php
2 /**
3 * Authorization functions.
4 *
5 * LICENSE: This program is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU General Public License
7 * as published by the Free Software Foundation; either version 2
8 * of the License, or (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 * You should have received a copy of the GNU General Public License
14 * along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>;.
15 *
16 * @package OpenEMR
17 * @author Rod Roark <rod@sunsetsystems.com>
18 * @author Brady Miller <brady.g.miller@gmail.com>
19 * @author Kevin Yeh <kevin.y@integralemr.com>
20 * @author ViCarePlus <visolve_emr@visolve.com>
21 * @author cfapress
22 * @link http://www.open-emr.org
23 */
25 //----------THINGS WE ALWAYS DO
27 require_once("{$GLOBALS['srcdir']}/log.inc");
28 // added for the phpGACL group check -- JRM
29 require_once("{$GLOBALS['srcdir']}/acl.inc");
30 require_once("$srcdir/authentication/login_operations.php");
32 $incoming_site_id = '';
34 if (isset($_GET['auth']) && ($_GET['auth'] == "login") && isset($_POST['authUser']) &&
35 isset($_POST['clearPass']) && isset($_POST['authProvider'])) {
36 $clearPass=$_POST['clearPass'];
37 // set the language
38 if (!empty($_POST['languageChoice'])) {
39 $_SESSION['language_choice'] = $_POST['languageChoice'];
40 } else {
41 $_SESSION['language_choice'] = 1;
42 }
44 // set language direction according to language choice. Later in globals.php we'll override main theme name if needed.
45 $_SESSION['language_direction'] = getLanguageDir($_SESSION['language_choice']);
47 if (!validate_user_password($_POST['authUser'], $clearPass, $_POST['authProvider']) || !verify_user_gacl_group($_POST['authUser'])) {
48 $_SESSION['loginfailure'] = 1;
49 authLoginScreen();
50 }
52 //If password expiration option is enabled call authCheckExpired() to check whether login user password is expired or not
54 if ($GLOBALS['password_expiration_days'] != 0) {
55 if (authCheckExpired($_POST['authUser'])) {
56 authLoginScreen();
57 }
58 }
60 $_SESSION['loginfailure'] = null;
61 unset($_SESSION['loginfailure']);
62 //store the very first initial timestamp for timeout errors
63 $_SESSION["last_update"] = time();
64 } else if ((isset($_GET['auth'])) && ($_GET['auth'] == "logout")) {
65 //If session has timed out / been destroyed, logout record for null user/provider will be invalid.
66 if (!empty($_SESSION['authUser']) && !empty($_SESSION['authProvider'])) {
67 newEvent("logout", $_SESSION['authUser'], $_SESSION['authProvider'], 1, "success");
68 }
69 authCloseSession();
70 authLoginScreen(true);
71 } else {
72 if (authCheckSession()) {
73 if (isset($_SESSION['pid']) && empty($GLOBALS['DAEMON_FLAG'])) {
74 require_once("{$GLOBALS['srcdir']}/patient.inc");
75 /**
76 $logpatient = getPatientData($_SESSION['pid'], "lname, fname, mname");
77 newEvent("view", $_SESSION['authUser'], $_SESSION['authProvider'],
78 "{$logpatient['lname']}, {$logpatient['fname']} {$logpatient['mname']} :: encounter " .
79 $_SESSION['encounter']);
80 **/
81 }
83 //LOG EVERYTHING
84 //newEvent("view", $_SESSION['authUser'], $_SESSION['authProvider'], $_SERVER['REQUEST_URI']);
85 } else {
86 newEvent("login", $_POST['authUser'], $_POST['authProvider'], 0, "insufficient data sent");
87 authLoginScreen();
88 }
89 }
91 if (!isset($_SESSION["last_update"])) {
92 authLoginScreen();
93 } else {
94 //if page has not been updated in a given period of time, we call login screen
95 //--Note can't perform nice logout if skip_timeout_reset is set since these are called
96 //via ajax scripts where this output is not getting sent to browser.
97 //--Note DAEMON_FLAG is ok because it is run from a frame in the browser.
98 if (((time() - $_SESSION["last_update"]) > $timeout) && empty($_REQUEST['skip_timeout_reset'])) {
99 newEvent("logout", $_SESSION['authUser'], $_SESSION['authProvider'], 0, "timeout");
100 authCloseSession();
101 authLoginScreen(true);
102 } else {
103 // Have a mechanism to skip the timeout reset mechanism if a skip_timeout_reset parameter exists. This
104 // can be used by scripts that continually request information from the server; for example the Messages
105 // and Reminders automated intermittent requests that happen in the Messages Center script and in
106 // the left navigation menu script.
107 if (empty($GLOBALS['DAEMON_FLAG']) && empty($_REQUEST['skip_timeout_reset'])) {
108 $_SESSION["last_update"] = time();
109 }
110 }
111 }
115 //----------THINGS WE DO IF WE STILL LIKE YOU
117 function authCheckSession()
118 {
119 if (isset($_SESSION['authId'])) {
120 // If active directory was used, check a different session variable (as there is no password in database).
121 if ($GLOBALS['use_active_directory']) {
122 if ($_SESSION['active_directory_auth']) {
123 return true;
124 } else {
125 return false;
126 }
127 }
129 $authDB = privQuery("select ".implode(",", array(TBL_USERS.".".COL_ID,
130 TBL_USERS.".".COL_UNM,
131 TBL_USERS_SECURE.".".COL_PWD,
132 TBL_USERS_SECURE.".".COL_ID))
133 . " FROM ". implode(",", array(TBL_USERS,TBL_USERS_SECURE))
134 . " WHERE ". TBL_USERS.".".COL_ID." = ? "
135 . " AND ". TBL_USERS.".".COL_UNM . "=" . TBL_USERS_SECURE.".".COL_UNM
136 . " AND ". TBL_USERS.".".COL_ACTIVE . "=1", array($_SESSION['authId']));
137 if ($_SESSION['authUser'] == $authDB['username']
138 && $_SESSION['authPass'] == $authDB['password'] ) {
139 return true;
140 } else {
141 return false;
142 }
143 } else {
144 return false;
145 }
146 }
148 function authCloseSession()
149 {
150 // Before destroying the session, save its site_id so that the next
151 // login will default to that same site.
152 global $incoming_site_id;
153 $incoming_site_id = $_SESSION['site_id'];
154 ob_start();
155 session_unset();
156 session_destroy();
157 unset($_COOKIE[session_name()]);
158 }
160 function authLoginScreen($timed_out = false)
161 {
162 // See comment in authCloseSession().
163 global $incoming_site_id;
164 ?>
165 <script>
166 // Find the top level window for this instance of OpenEMR, set a flag indicating
167 // session timeout has occurred, and reload the login page into it. This is so
168 // that beforeunload event handlers will not obstruct the process in this case.
169 var w = window;
170 while (w.opener) { // in case we are in a dialog window
171 var wtmp = w;
172 w = w.opener;
173 wtmp.close();
174 }
175 <?php if ($timed_out) { ?>
176 w.top.timed_out = true;
177 <?php } ?>
178 w.top.location.href = '<?php echo "{$GLOBALS['login_screen']}?error=1&site=$incoming_site_id"; ?>';
179 </script>
180 <?php
181 exit;
182 }
184 // Check if the user's password has expired beyond the grace limit.
185 // If so, deactivate the user
186 function authCheckExpired($user)
187 {
188 $result = sqlStatement("select pwd_expiration_date from users where username = ?", array($user));
189 if ($row = sqlFetchArray($result)) {
190 $pwd_expires = $row['pwd_expiration_date'];
191 }
193 $current_date = date("Y-m-d");
194 if ($pwd_expires != "0000-00-00") {
195 $grace_time1 = date("Y-m-d", strtotime($pwd_expires . "+".$GLOBALS['password_grace_time'] ."days"));
196 }
198 if (($grace_time1 != "") && strtotime($current_date) > strtotime($grace_time1)) {
199 sqlStatement("update users set active=0 where username = ?", array($user));
200 $_SESSION['loginfailure'] = 1;
201 return true;
202 }
204 return false;
205 }
207 function getUserList($cols = '*', $limit = 'all', $start = '0')
208 {
209 if ($limit = "all") {
210 $rez = sqlStatement("select $cols from users where username != '' order by date DESC");
211 } else {
212 $rez = sqlStatement("select $cols from users where username != '' order by date DESC limit $limit, $start");
213 }
215 for ($iter = 0; $row = sqlFetchArray($rez); $iter++) {
216 $tbl[$iter] = $row;
217 }
219 return $tbl;
220 }
222 function getProviderList($cols = '*', $limit = 'all', $start = '0')
223 {
224 if ($limit = "all") {
225 $rez = sqlStatement("select $cols from `groups` order by date DESC");
226 } else {
227 $rez = sqlStatement("select $cols from `groups` order by date DESC limit $limit, $start");
228 }
230 for ($iter = 0; $row = sqlFetchArray($rez); $iter++) {
231 $tbl[$iter] = $row;
232 }
234 return $tbl;
235 }
237 function addGroup($groupname)
238 {
239 return sqlInsert("insert into `groups` (name) values (?)", array($groupname));
240 }
242 function delGroup($group_id)
243 {
244 return sqlQuery("delete from `groups` where id = ? limit 0,1", array($group_id));
245 }
247 /***************************************************************
248 //pennfirm
249 //Function currently user by new post calendar code to determine
250 //if a given user is in a group with another user
251 //and if so to allow editing of that users events
252 //
253 //*************************************************************/
255 function validateGroupStatus($user_to_be_checked, $group_user)
256 {
257 if (isset($user_to_be_checked) && isset($group_user)) {
258 if ($user_to_be_checked == $group_user) {
259 return true;
260 } elseif ($_SESSION['authorizeduser'] == 1) {
261 return true;
262 }
264 $query = "SELECT `groups`.`name` FROM `users`,`groups` WHERE users.username = ? " .
265 "AND users.username = `groups`.`user` group by `groups`.`name`";
266 $result = sqlStatement($query, array($user_to_be_checked));
268 $usertbcGroups = array();
270 while ($row = sqlFetchArray($result)) {
271 $usertbcGroups[] = $row[0];
272 }
274 $query = "SELECT `groups`.`name` FROM `users`,`groups` WHERE users.username = ? " .
275 "AND users.username = `groups`.`user` group by `groups`.`name`";
276 $result = sqlStatement($query, array($group_user));
278 $usergGroups = array();
280 while ($row = sqlFetchArray($result)) {
281 $usergGroups[] = $row[0];
282 }
284 foreach ($usertbcGroups as $group) {
285 if (in_array($group, $usergGroups)) {
286 return true;
287 }
288 }
289 }
291 return false;
292 }
295 // Attempt to update the user's password, password history, and password expiration.
296 // Verify that the new password does not match the last three passwords used.
297 // Return true if successfull, false on failure
298 function UpdatePasswordHistory($userid, $pwd)
299 {
300 $result = sqlStatement("select password, pwd_history1, pwd_history2 from users where id = ?", array($userid));
301 if ($row = sqlFetchArray($result)) {
302 $previous_pwd1=$row['password'];
303 $previous_pwd2=$row['pwd_history1'];
304 $previous_pwd3=$row['pwd_history2'];
305 }
307 if (($pwd != $previous_pwd1) && ($pwd != $previous_pwd2) && ($pwd != $previous_pwd3)) {
308 sqlStatement("update users set pwd_history2=?, pwd_history1=?,password=? where id=?", array($previous_pwd2,$previous_pwd1,$pwd,$userid));
309 if ($GLOBALS['password_expiration_days'] != 0) {
310 $exp_days=$GLOBALS['password_expiration_days'];
311 $exp_date = date('Y-m-d', strtotime("+$exp_days days"));
312 sqlStatement("update users set pwd_expiration_date=? where id=?", array($exp_date,$userid));
313 }
315 return true;
316 } else {
317 return false;
318 }
319 }
320 ?>