| blob | 7f86138f6612b9043fced0e2ebdb0a403e8bcc58 |
1 <?php
2 // php-GACL access controls are included in OpenEMR. The below
3 // function will automatically create the path where gacl.class.php
4 // can be found. Note that this path can be manually set below
5 // for users who are using an external version of php-GACL.
6 // Also note that php-GACL access controls can be turned off
7 // below.
9 $phpgacl_location = dirname(__FILE__).'/../gacl';
11 //
12 // If using an external version of phpGACL, then uncomment the following
13 // line and manually place the path below. IN THIS CASE YOU MUST ALSO
14 // COMMENT OUT ABOVE $phpgacl_location ASSIGNMENT ABOVE, OR BACKUPS WILL
15 // NOT RESTORE PROPERLY!
16 //
17 //$phpgacl_location = "/var/www/gacl";
18 //
19 // If you want to turn off php-GACL, then uncomment the following line.
20 // IN THIS CASE YOU MUST ALSO COMMENT OUT ABOVE $phpgacl_location ASSIGNMENT(S)
21 // ABOVE, OR BACKUPS WILL NOT RESTORE PROPERLY!
22 //
23 //unset($phpgacl_location);
24 //
26 // The following Access Control Objects (ACO) are currently supported.
27 // These are the "things to be protected":
28 //
29 // Section "admin" (Administration):
30 // super Superuser - can delete patients, encounters, issues
31 // calendar Calendar Settings
32 // database Database Reporting
33 // forms Forms Administration
34 // practice Practice Settings
35 // superbill Superbill Codes Administration
36 // users Users/Groups/Logs Administration
37 // batchcom Batch Communication Tool
38 // language Language Interface Tool
39 // drugs Pharmacy Dispensary
40 // acl ACL Administration
41 //
42 // Section "acct" (Accounting):
43 // bill Billing (write optional)
44 // disc Allowed to discount prices (in Fee Sheet or Checkout form)
45 // eob EOB Data Entry
46 // rep Financial Reporting - my encounters
47 // rep_a Financial Reporting - anything
48 //
49 // Section "patients" (Patient Information):
50 // appt Appointments (write optional)
51 // demo Demographics (write,addonly optional)
52 // med Medical Records and History (write,addonly optional)
53 // trans Transactions, e.g. referrals (write optional)
54 // docs Documents (write,addonly optional)
55 // notes Patient Notes (write,addonly optional)
56 // sign Sign Lab Results (write,addonly optional)
57 //
58 // Section "encounters" (Encounter Information):
59 // auth Authorize - my encounters
60 // auth_a Authorize - any encounters
61 // coding Coding - my encounters (write,wsome optional)
62 // coding_a Coding - any encounters (write,wsome optional)
63 // notes Notes - my encounters (write,addonly optional)
64 // notes_a Notes - any encounters (write,addonly optional)
65 // date_a Fix encounter dates - any encounters
66 // relaxed Less-private information (write,addonly optional)
67 // (e.g. the Sports Fitness encounter form)
68 //
69 // Section "squads" applies to sports team use only:
70 // acos in this section define the user-specified list of squads
71 //
72 // Section "sensitivities" (Sensitivities):
73 // normal Normal
74 // high High
75 //
76 // Section "lists" (Lists):
77 // default Default List (write,addonly optional)
78 // state State List (write,addonly optional)
79 // country Country List (write,addonly optional)
80 // language Language List (write,addonly optional)
81 // ethrace Ethnicity-Race List (write,addonly optional)
82 //
83 // Section "placeholder" (Placeholder):
84 // filler Placeholder (Maintains empty ACLs)
87 if (isset ($phpgacl_location)) {
88 include_once("$phpgacl_location/gacl.class.php");
89 $gacl_object = new gacl();
90 //DO NOT CHANGE BELOW VARIABLE
91 $section_aro_value = 'users';
92 }
94 // acl_check should return 0 if access is denied. Otherwise it may
95 // return anything that evaluates to true. In addition if any of the
96 // following types of access are applicable, then the corresponding value
97 // must be returned if and only if such access is granted (ony one may
98 // be specified):
99 //
100 // * write - the user may add or modify the ACO
101 // * wsome - the user has limited add/modify access to the ACO
102 // * addonly - the user may view and add but not modify entries
103 //
104 function acl_check($section, $value, $user = '') {
105 global $gacl_object, $phpgacl_location, $section_aro_value;
106 if (! $user) $user = $_SESSION['authUser'];
108 if ($phpgacl_location) {
109 return $gacl_object->acl_check($section, $value, $section_aro_value, $user);
110 }
112 // If no phpgacl, then apply the old static rules whereby "authorized"
113 // users (providers) can do anything, and other users can do most things.
114 // If you want custom access control but don't want to mess with phpGACL,
115 // then you could customize the code below instead.
117 if ($user == 'admin') return 'write';
118 if ($section == 'admin' && $value == 'super') return 0;
119 if ($_SESSION['userauthorized']) return 'write';
121 if ($section == 'patients') {
122 if ($value == 'med') return 1;
123 return 'write';
124 }
125 else if ($section == 'encounters') {
126 if (strpos($value, 'coding' ) === 0) return 'write';
127 if (strpos($value, 'notes' ) === 0) return 'write';
128 if ($value == 'relaxed') return 'write';
129 }
130 else if ($section != 'admin') {
131 return 'write';
132 }
134 return 0;
135 }
137 // Get the ACO name/value pairs for a designated section. Each value
138 // is an array (section_value, value, order_value, name, hidden).
139 //
140 function acl_get_section_acos($section) {
141 global $phpgacl_location;
142 if ($phpgacl_location) {
143 include_once("$phpgacl_location/gacl_api.class.php");
144 $gacl = new gacl_api();
145 $arr1 = $gacl->get_objects($section, 1, 'ACO');
146 $arr = array();
147 if (!empty($arr1[$section])) {
148 foreach ($arr1[$section] as $value) {
149 $odata = $gacl->get_object_data($gacl->get_object_id($section, $value, 'ACO'), 'ACO');
150 $arr[$value] = $odata[0];
151 }
152 }
153 return $arr;
154 }
155 return 0;
156 }
158 // Return an array keyed on squad ACO names.
159 // This is only applicable for sports team use.
160 //
161 function acl_get_squads() {
162 return acl_get_section_acos('squads');
163 }
165 // Return an array keyed on encounter sensitivity level ACO names.
166 // Sensitivities are useful when some encounter notes are not
167 // medically sensitive (e.g. a physical fitness test), and/or if
168 // some will be "for doctor's eyes only" (e.g. STD treatment).
169 //
170 // When a non-blank sensitivity value exists in the new encounter
171 // form, it names an additional ACO required for access to all forms
172 // in the encounter. If you want some encounters to be non-sensitive,
173 // then you also need some default nonblank sensitivity for normal
174 // encounters, as well as greater encounter notes permissions for
175 // those allowed to view non-sensitive encounters.
176 //
177 function acl_get_sensitivities() {
178 return acl_get_section_acos('sensitivities');
179 }
181 //
182 // Returns true if aco exist
183 // Returns false if aco doesn't exist
184 // $section_name = name of section (string)
185 // $aco_name = name of aco (string)
186 //
187 function aco_exist($section_name, $aco_name) {
188 global $phpgacl_location;
189 if (isset ($phpgacl_location)) {
190 include_once("$phpgacl_location/gacl_api.class.php");
191 $gacl = new gacl_api();
192 $aco_id = $gacl->get_object_id($section_name, $aco_name, 'ACO');
193 if ($aco_id) {
194 return true;
195 }
196 }
197 return false;
198 }
200 //
201 // Returns a sorted array of all available Group Titles.
202 //
203 function acl_get_group_title_list() {
204 global $phpgacl_location;
205 if (isset ($phpgacl_location)) {
206 include_once("$phpgacl_location/gacl_api.class.php");
207 $gacl = new gacl_api();
208 $parent_id = $gacl->get_root_group_id();
209 $arr_group_ids = $gacl->get_group_children($parent_id, 'ARO', 'RECURSE');
210 $arr_group_titles = array();
211 foreach ($arr_group_ids as $value) {
212 $arr_group_data = $gacl->get_group_data($value, 'ARO');
213 $arr_group_titles[$value] = $arr_group_data[3];
214 }
215 sort($arr_group_titles);
216 return $arr_group_titles;
217 }
218 return 0;
219 }
221 //
222 // Returns a sorted array of group Titles that a user belongs to.
223 // Returns 0 if does not belong to any group yet.
224 // $user_name = Username, which is login name.
225 //
226 function acl_get_group_titles($user_name) {
227 global $phpgacl_location, $section_aro_value;
228 if (isset ($phpgacl_location)) {
229 include_once("$phpgacl_location/gacl_api.class.php");
230 $gacl = new gacl_api();
231 $user_aro_id = $gacl->get_object_id($section_aro_value, $user_name, 'ARO');
232 if ($user_aro_id) {
233 $arr_group_id = $gacl->get_object_groups($user_aro_id, 'ARO', 'NO_RECURSE');
234 if ($arr_group_id) {
235 foreach ($arr_group_id as $key => $value) {
236 $arr_group_data = $gacl->get_group_data($value, 'ARO');
237 $arr_group_titles[$key] = $arr_group_data[3];
238 }
239 sort($arr_group_titles);
240 return $arr_group_titles;
241 }
242 }
243 }
244 return 0;
245 }
247 //
248 // This will place the user aro object into selected group(s)
249 // It uses the set_user_aro() function
250 // $username = username (string)
251 // $group = title of group(s) (string or array)
252 //
253 function add_user_aros($username, $group) {
254 $current_user_groups = acl_get_group_titles($username);
255 if (!$current_user_groups) {
256 $current_user_groups = array();
257 }
258 if (is_array($group)){
259 foreach ($group as $value) {
260 if (!in_array($value, $current_user_groups)) {
261 array_push($current_user_groups, $value);
262 }
263 }
264 }
265 else {
266 if (!in_array($group, $current_user_groups)) {
267 array_push($current_user_groups, $group);
268 }
269 }
270 $user_data = mysql_fetch_array(sqlStatement("select * from users where username='" .
271 $username . "'"));
272 set_user_aro($current_user_groups, $username, $user_data["fname"],
273 $user_data["mname"], $user_data["lname"]);
274 return;
275 }
277 //
278 // This will remove the user aro object from the selected group(s)
279 // It uses the set_user_aro() function
280 // $username = username (string)
281 // $group = title of group(s) (string or array)
282 //
283 function remove_user_aros($username, $group) {
284 $current_user_groups = acl_get_group_titles($username);
285 $new_user_groups = array();
286 if (is_array($group)){
287 foreach ($current_user_groups as $value) {
288 if (!in_array($value, $group)) {
289 array_push($new_user_groups, $value);
290 }
291 }
292 }
293 else {
294 foreach ($current_user_groups as $value) {
295 if ($value != $group) {
296 array_push($new_user_groups, $value);
297 }
298 }
299 }
300 $user_data = mysql_fetch_array(sqlStatement("select * from users where username='" .
301 $username . "'"));
302 set_user_aro($new_user_groups, $username, $user_data["fname"],
303 $user_data["mname"], $user_data["lname"]);
304 return;
305 }
307 //
308 // This will either create or edit a user aro object, and then place it
309 // in the requested groups. It will not allow removal of the 'admin'
310 // user or gacl_protected users from the 'admin' group.
311 // $arr_group_titles = titles of the groups that user will be added to.
312 // $user_name = username, which is login name.
313 // $first_name = first name
314 // $middle_name = middle name
315 // $last_name = last name
316 //
317 function set_user_aro($arr_group_titles, $user_name, $first_name, $middle_name, $last_name) {
318 global $phpgacl_location, $section_aro_value;
320 if (isset ($phpgacl_location)) {
321 include_once("$phpgacl_location/gacl_api.class.php");
322 $gacl = new gacl_api();
324 //see if this user is gacl protected (ie. do not allow
325 //removal from the Administrators group)
326 require_once(dirname(__FILE__).'/user.inc');
327 require_once(dirname(__FILE__).'/calendar.inc');
328 $userNametoID = getIDfromUser($user_name);
329 if (checkUserSetting("gacl_protect","1",$userNametoID) || $user_name == "admin") {
330 $gacl_protect = true;
331 }
332 else {
333 $gacl_protect = false;
334 }
336 //get array of all available group ID numbers
337 $parent_id = $gacl->get_root_group_id();
338 $arr_all_group_ids = $gacl->get_group_children($parent_id, 'ARO', 'RECURSE');
340 //Cycle through ID array to find and process each selected group
341 //Create a counter since processing of first hit is unique
342 $counter = 0;
343 foreach ($arr_all_group_ids as $value) {
344 $arr_group_data = $gacl->get_group_data($value, 'ARO');
345 if ((empty($arr_group_titles)) ||
346 (in_array($arr_group_data[3], $arr_group_titles))) {
347 //We have a hit, so need to add group and increment counter
348 // because processing of first hit is unique
349 //This will also deal with an empty $arr_group_titles array
350 // removing user from all groups unless 'admin'
351 $counter = $counter + 1;
352 //create user full name field
353 if ($middle_name) {
354 $full_name = $first_name . " " . $middle_name . " " . $last_name;
355 }
356 else {
357 if ($last_name) {
358 $full_name = $first_name . " " . $last_name;
359 }
360 else {
361 $full_name = $first_name;
362 }
363 }
365 //If this is not the first group to be added, then will skip below
366 // and will be added. If this is the first group, then need to
367 // go thru several steps before adding the group.
368 if ($counter == 1) {
369 //get ID of user ARO object, if it exist
370 $user_aro_id = $gacl->get_object_id($section_aro_value, $user_name, 'ARO');
371 if ($user_aro_id) {
372 //user ARO object already exist, so will edit it
373 $gacl->edit_object($user_aro_id, $section_aro_value, $full_name, $user_name, 10, 0, 'ARO');
375 //remove all current user ARO object group associations
376 $arr_remove_group_ids = $gacl->get_object_groups($user_aro_id, 'ARO', 'NO_RECURSE');
377 foreach ($arr_remove_group_ids as $value2) {
378 $gacl->del_group_object($value2, $section_aro_value, $user_name, 'ARO');
379 }
380 }
381 else {
382 //user ARO object does not exist, so will create it
383 $gacl->add_object($section_aro_value, $full_name, $user_name, 10, 0, 'ARO');
384 }
385 }
387 //place the user ARO object in the selected group (if group(s) is selected)
388 if (!empty($arr_group_titles)) {
389 $gacl->add_group_object($value, $section_aro_value, $user_name, 'ARO');
390 }
392 //
393 //Below will not allow 'admin' or gacl_protected user to be removed from 'admin' group
394 //
395 if ($gacl_protect) {
396 $boolean_admin=0;
397 $admin_id = $gacl->get_object_id($section_aro_value, $user_name, 'ARO');
398 $arr_admin = $gacl->get_object_groups($admin_id, 'ARO', 'NO_RECURSE');
399 foreach ($arr_admin as $value3) {
400 $arr_admin_data = $gacl->get_group_data($value3, 'ARO');
401 if (strcmp($arr_admin_data[2], 'admin') == 0) {
402 $boolean_admin=1;
403 }
404 }
405 if (!$boolean_admin) {
406 foreach ($arr_all_group_ids as $value4) {
407 $arr_temp = $gacl->get_group_data($value4, 'ARO');
408 if ($arr_temp[2] == 'admin') {
409 $gacl->add_group_object($value4, $section_aro_value, $user_name, 'ARO');
410 }
411 }
412 }
413 }
414 }
415 //if array of groups was empty, then we are done, and can break from loop
416 if (empty($arr_group_titles)) break;
417 }
418 return true;
419 }
420 return false;
421 }
423 //
424 // Returns true if acl exist
425 // Returns false if acl doesn't exist
426 // EITHER $title or $name is required(send FALSE in variable
427 // not being used). If both are sent, then only $title will be
428 // used.
429 // $return_value is required
430 // $title = title of acl (string)
431 // $name = name of acl (string)
432 // $return_value = return value of acl (string)
433 //
434 function acl_exist($title, $name, $return_value) {
435 global $phpgacl_location;
436 if (isset ($phpgacl_location)) {
437 include_once("$phpgacl_location/gacl_api.class.php");
438 $gacl = new gacl_api();
439 if (!$name) {
440 $acl = $gacl->search_acl(FALSE, FALSE, FALSE, FALSE, $title, FALSE, FALSE, FALSE, $return_value);
441 }
442 else if (!$title) {
443 $group_id = $gacl->get_group_id($name, NULL, 'ARO');
444 if ($group_id) {
445 $group_data = $gacl->get_group_data($group_id, 'ARO');
446 $acl = $gacl->search_acl(FALSE, FALSE, FALSE, FALSE, $group_data[3], FALSE, FALSE, FALSE, $return_value);
447 }
448 else {
449 return false;
450 }
451 }
452 else {
453 $acl = $gacl->search_acl(FALSE, FALSE, FALSE, FALSE, $title, FALSE, FALSE, FALSE, $return_value);
454 }
455 if (!empty($acl)) {
456 return true;
457 }
458 else {
459 return false;
460 }
461 }
462 }
464 //
465 // This will add a new acl and group(if group doesn't yet exist)
466 // with one aco in it.
467 // $acl_title = title of acl (string)
468 // $acl_name = name of acl (string)
469 // $return_value = return value of acl (string)
470 // $note = description of acl (array)
471 //
472 function acl_add($acl_title, $acl_name, $return_value, $note) {
473 global $phpgacl_location;
474 if (isset ($phpgacl_location)) {
475 include_once("$phpgacl_location/gacl_api.class.php");
476 $gacl = new gacl_api();
477 $group_id = $gacl->get_group_id($acl_name, $acl_title, 'ARO');
478 if ($group_id) {
479 //group already exist, so just create acl
480 $gacl->add_acl(array("placeholder"=>array("filler")),
481 NULL, array($group_id), NULL, NULL, 1, 1, $return_value, $note);
482 }
483 else {
484 //create group, then create acl
485 $parent_id = $gacl->get_root_group_id();
486 $aro_id = $gacl->add_group($acl_name, $acl_title, $parent_id, 'ARO');
487 $gacl->add_acl(array("placeholder"=>array("filler")),
488 NULL, array($aro_id), NULL, NULL, 1, 1, $return_value, $note);
489 }
490 return;
491 }
492 return 0;
493 }
495 //
496 // This will remove acl. It will also remove group(if the group
497 // is no longer associated with any acl's).
498 // $acl_title = title of acl (string)
499 // $acl_name = name of acl (string)
500 // $return_value = return value of acl (string)
501 // $note = description of acl (array)
502 //
503 function acl_remove($acl_title, $return_value) {
504 global $phpgacl_location;
505 if (isset ($phpgacl_location)) {
506 include_once("$phpgacl_location/gacl_api.class.php");
507 $gacl = new gacl_api();
508 //First, delete the acl
509 $acl_id=$gacl->search_acl(FALSE, FALSE, FALSE, FALSE, $acl_title, FALSE, FALSE, FALSE, $return_value);
510 $gacl->del_acl($acl_id[0]);
511 //Then, remove the group(if no more acl's are remaining)
512 $acl_search=$gacl->search_acl(FALSE, FALSE, FALSE, FALSE, $acl_title, FALSE, FALSE, FALSE, FALSE);
513 if (empty($acl_search)){
514 $group_id=$gacl-> get_group_id(NULL, $acl_title, 'ARO');
515 $gacl->del_group($group_id, TRUE, 'ARO');
516 }
517 return;
518 }
519 return 0;
520 }
522 //
523 // This will place the aco(s) into the selected acl
524 // $acl_title = title of acl (string)
525 // $return_value = return value of acl (string)
526 // $aco_id = id of aco (array)
527 //
528 function acl_add_acos($acl_title, $return_value, $aco_id) {
529 global $phpgacl_location;
530 if (isset ($phpgacl_location)) {
531 include_once("$phpgacl_location/gacl_api.class.php");
532 $gacl = new gacl_api();
533 $acl_id = $gacl->search_acl(FALSE, FALSE, FALSE, FALSE, $acl_title, FALSE, FALSE, FALSE, $return_value);
534 foreach ($aco_id as $value) {
535 $aco_data = $gacl->get_object_data($value, 'ACO');
536 $aco_section = $aco_data[0][0];
537 $aco_name = $aco_data[0][1];
538 $gacl->append_acl($acl_id[0], NULL, NULL, NULL, NULL, array($aco_section=>array($aco_name)));
539 }
540 return;
541 }
542 return 0;
543 }
545 //
546 // This will remove the aco(s) from the selected acl
547 // Note if all aco's are removed, then will place the filler-placeholder
548 // into the acl to avoid complete removal of the acl.
549 // $acl_title = title of acl (string)
550 // $return_value = return value of acl (string)
551 // $aco_id = id of aco (array)
552 //
553 function acl_remove_acos($acl_title, $return_value, $aco_id) {
554 global $phpgacl_location;
555 if (isset ($phpgacl_location)) {
556 include_once("$phpgacl_location/gacl_api.class.php");
557 $gacl = new gacl_api();
558 $acl_id = $gacl->search_acl(FALSE, FALSE, FALSE, FALSE, $acl_title, FALSE, FALSE, FALSE, $return_value);
560 // Check to see if removing all acos. If removing all acos then will
561 // ensure the filler-placeholder aco in acl to avoid complete
562 // removal of the acl.
563 if (count($aco_id) == acl_count_acos($acl_title, $return_value)) {
564 //1-get the filler-placeholder aco id
565 $filler_aco_id = $gacl->get_object_id('placeholder','filler','ACO');
566 //2-add filler-placeholder aco
567 acl_add_acos($acl_title, $return_value, array($filler_aco_id));
568 //3-ensure filler-placeholder aco is not to be deleted
569 $safeListaco = remove_element($_POST["selection"],$filler_aco_id);
570 //4-prepare to safely delete the acos
571 $aco_id = $safeListaco;
572 }
574 foreach ($aco_id as $value) {
575 $aco_data = $gacl->get_object_data($value, 'ACO');
576 $aco_section = $aco_data[0][0];
577 $aco_name = $aco_data[0][1];
578 $gacl->shift_acl($acl_id[0], NULL, NULL, NULL, NULL, array($aco_section=>array($aco_name)));
579 }
580 return;
581 }
582 return 0;
583 }
585 //
586 // This will return the number of aco objects
587 // in a specified acl.
588 // $acl_title = title of acl (string)
589 // $return_value = return value of acl (string)
590 //
591 function acl_count_acos($acl_title, $return_value) {
592 global $phpgacl_location;
593 if (isset ($phpgacl_location)) {
594 include_once("$phpgacl_location/gacl_api.class.php");
595 $gacl = new gacl_api();
596 $acl_id = $gacl->search_acl(FALSE, FALSE, FALSE, FALSE, $acl_title, FALSE, FALSE, FALSE, $return_value);
597 $acl_data = $gacl->get_acl($acl_id[0]);
598 $aco_count = 0;
599 foreach ($acl_data['aco'] as $key => $value) {
600 $aco_count = $aco_count + count($acl_data['aco'][$key]);
601 }
602 return $aco_count;
603 }
604 return 0;
605 }
607 //
608 // Function to remove an element from an array
609 //
610 function remove_element($arr, $val){
611 $arr2 = array();
612 foreach ($arr as $value){
613 if ($value != $val) {
614 array_push($arr2,$value);
615 }
616 }
617 return $arr2;
618 }
619 ?>