Manual written by Emily Killian
[openemr.git] / library / auth.inc
blob418455613c9927f5c06ad17bdbe82fa84c092d37
1 <?php
2 //----------THINGS WE ALWAYS DO
4 require_once("{$GLOBALS['srcdir']}/log.inc");
5 require_once("{$GLOBALS['srcdir']}/sql.inc");
7 if ($_GET['auth'] == "login" && isset($_POST['authUser']) && isset($_POST['authPass']) && isset($_POST['authProvider']))
10         if (!authNewSession($_POST['authUser'], $_POST['authPass'], $_POST['authProvider']))
11         {
13                 newEvent("login",$_POST['authUser'], $_POST['authProvider'], "failure");
14                 authLoginScreen();
16         }
17         newEvent("login", $_POST['authUser'], $_POST['authProvider'], "success");
18         $_SESSION["last_update"] = time(); //store the very first initial timestamp for timeout errors
19 }elseif ($_GET['auth'] == "logout")
21         newEvent("logout", $_SESSION['authUser'], $_SESSION['authProvider'], "success");
22         authCloseSession();
23         authLoginScreen();
24 }else
27     if (authCheckSession()) {
28                 
29                 if (isset($_SESSION['pid']))
30                 {
31                         require_once("{$GLOBALS['srcdir']}/patient.inc");
32                         $logpatient = getPatientData($_SESSION['pid'], "lname, fname, mname");
33                         newEvent("view", $_SESSION['authUser'], $_SESSION['authProvider'], "{$logpatient['lname']}, {$logpatient['fname']} {$logpatient['mname']} :: encounter ".$_SESSION['encounter']);
34                 }
35                 //LOG EVERYTHING
36                 //newEvent("view", $_SESSION['authUser'], $_SESSION['authProvider'], $_SERVER['REQUEST_URI']);
37         }
38         else {
39                 newEvent("login",$_POST['authUser'], $_POST['authProvider'], "insufficient data sent");
40                 authLoginScreen();
41         }
44 if (!isset($_SESSION["last_update"])) {
45         authLoginScreen();
46 } else {
47          //if page has not been updated in a given period of time, we call login screen
48         if ((time()-$_SESSION["last_update"])>$timeout) {
49                 newEvent("logout", $_SESSION['authUser'], $_SESSION['authProvider'], "timeout");
50                 authCloseSession();
51                 authLoginScreen();
52         } else {
53                 $_SESSION["last_update"] = time();
54         }
59 //----------THINGS WE DO IF WE STILL LIKE YOU
61 function authNewSession ($user, $pass, $provider)
63         //session_name("OpenEMR");
64         //session_id("81279258720".str_replace(".", "", $_SERVER['REMOTE_ADDR']));
65         if(!session_id()) {
66           session_start();
67         }
68         //echo "user is: $user pass is: $pass provider is: $provider<br />";
69         $authDB = sqlQuery("select id, password, authorized from users where username = '$user'");
70         //echo "<br>auth pass: ".$authDB['password'];
71         if ($authDB['password'] == $pass)
72         {
73         //here, we check to see if the user is in fact a member of the correct group:
74                 if ($authGroup = sqlQuery("select * from groups where user='$user' and name='$provider'")) {
75                         $_SESSION['authUser'] = $user;
76                         $_SESSION['authGroup'] = $authGroup['name'];
77                         $_SESSION['authUserID'] = $authDB['id'];
78                         $_SESSION['authPass'] = $pass;
79                         $_SESSION['authProvider'] = $provider;
80                         $_SESSION['authId'] = $authDB{'id'};
81                         $_SESSION['userauthorized'] = $authDB['authorized'];
82                         return true;
83                 } else {
84                         return false;
85                 }
86         }
87         else
88                 return false;
91 function authCheckSession ()
93         if (isset($_SESSION['authId'])) {
94                 
95                 $authDB = sqlQuery("select username, password from users where id = '".$_SESSION['authId']."'");
96                 if ($_SESSION['authUser'] == $authDB['username'] && $_SESSION['authPass'] == $authDB['password']) {
97                         return true;
98                 }
99                 else {
100                         return false;
101                 }
102         }
103         else {
104                 return false;
105         }
108 function authCloseSession ()
110         ob_start();
111         session_unset();
112 //      $_SESSION = array();
113         session_destroy();
114         //setcookie(session_name(),"","","/");
115         //the following does the same as the above line:
116         //if(isset($_COOKIE[session_name()])) {
117         //      session_start();
118         //      session_destroy();
119                 unset($_COOKIE[session_name()]);
120         //}
123 function authLoginScreen()
125         //header("Location: https://{$_SERVER['HTTP_HOST']}{$GLOBALS['login_screen']}");
126         header("Location: {$GLOBALS['login_screen']}");
127         exit;
130 function addUser ($username, $password_md5, $info, $authorized = 'yes')
132         return sqlInsert("insert into users (username, password, info, authorized) values ('$username', '$password_md5', '$info', '$authorized')");
135 function delUser ($id)
137         return sqlQuery("delete from users where id = '$id' limit 0,1");
140 function changePasword ($id, $new_md5)
142         return sqlQuery("update users set password = '$new_md5' where id = '$id'");
145 function getUserList ($cols = '*', $limit = 'all', $start = '0')
147         if ($limit = "all")
148                 $rez = sqlStatement("select $cols from users order by date DESC");
149         else
150                 $rez = sqlStatement("select $cols from users order by date DESC limit $limit, $start");
151         for ($iter = 0; $row = sqlFetchArray($rez); $iter++)
152                 $tbl[$iter] = $row;
153         return $tbl;
156 function getProviderList ($cols = '*', $limit= 'all', $start = '0')
158         if ($limit = "all")
159                 $rez = sqlStatement("select $cols from groups order by date DESC");
160         else
161                 $rez = sqlStatement("select $cols from groups order by date DESC limit $limit, $start");
162         for ($iter = 0; $row = sqlFetchArray($rez); $iter++)
163                 $tbl[$iter] = $row;
164         return $tbl;
167 function addGroup ($groupname)
169         return sqlInsert("insert into groups (name) values ('$groupname')");
172 function delGroup ($group_id)
174         return sqlQuery("delete from groups where id = '$group_id' limit 0,1");
177 /***************************************************************
178 //pennfirm
179 //Function currently user by new post calendar code to determine
180 //if a given user is in a group with another user
181 //and if so to allow editing of that users events
183 //*************************************************************/
185 function validateGroupStatus ($user_to_be_checked, $group_user) {
186         if (isset($user_to_be_checked) && isset($group_user)) {
187                 if ($user_to_be_checked == $group_user) {
189                         return true;
190                 }
191                 elseif ($_SESSION['authorizeduser'] == 1)
192                         return true;
194                 $query = "SELECT groups.name FROM users,groups WHERE users.username =  \"" . mysql_real_escape_string($user_to_be_checked) . "\" " .
195                                  "AND users.username = groups.user group by groups.name";
196                 $result = sqlStatement($query);
198                 $usertbcGroups = array();
200                 while ($row = mysql_fetch_array($result)) {
201                         $usertbcGroups[] = $row[0];
202                 }
204                 $query = "SELECT groups.name FROM users,groups WHERE users.username =  \"" . mysql_real_escape_string($group_user) . "\" " .
205                                  "AND users.username = groups.user group by groups.name";
206                 $result = sqlStatement($query);
208                 $usergGroups = array();
210                 while ($row = mysql_fetch_array($result)) {
211                         $usergGroups[] = $row[0];
212                 }
213                 foreach ($usertbcGroups as $group) {
214                         if(in_array($group,$usergGroups)) {
215                           return true;
216                         }
217                 }
219         }
221         return false;