1 <?php
2 //----------THINGS WE ALWAYS DO
4 require_once("{$GLOBALS['srcdir']}/log.inc");
5 require_once("{$GLOBALS['srcdir']}/sql.inc");
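// Dispatch on the requested auth action.  $_GET['auth'] is read through
// isset() so a request that carries no such parameter does not raise an
// undefined-index notice, and the comparison is strict so only the exact
// strings "login" / "logout" select those branches.
$authAction = isset($_GET['auth']) ? $_GET['auth'] : '';

if ($authAction === "login" && isset($_POST['authUser']) && isset($_POST['authPass']) && isset($_POST['authProvider'])) {
        // Credential login: authNewSession() fills $_SESSION on success.
        if (!authNewSession($_POST['authUser'], $_POST['authPass'], $_POST['authProvider'])) {
                newEvent("login", $_POST['authUser'], $_POST['authProvider'], "failure");
                authLoginScreen(); // redirects and exits
        }
        newEvent("login", $_POST['authUser'], $_POST['authProvider'], "success");
        $_SESSION["last_update"] = time(); //store the very first initial timestamp for timeout errors
} elseif ($authAction === "logout") {
        // A logout may arrive without a live session; read the identity
        // fields defensively so the audit call still receives a value.
        $logoutUser = isset($_SESSION['authUser']) ? $_SESSION['authUser'] : '';
        $logoutProvider = isset($_SESSION['authProvider']) ? $_SESSION['authProvider'] : '';
        newEvent("logout", $logoutUser, $logoutProvider, "success");
        authCloseSession();
        authLoginScreen();
} else {
        if (authCheckSession()) {
                if (isset($_SESSION['pid'])) {
                        require_once("{$GLOBALS['srcdir']}/patient.inc");
                        $logpatient = getPatientData($_SESSION['pid'], "lname, fname, mname");
                        // Read with isset() in case no encounter has been selected yet.
                        $encounter = isset($_SESSION['encounter']) ? $_SESSION['encounter'] : '';
                        newEvent("view", $_SESSION['authUser'], $_SESSION['authProvider'], "{$logpatient['lname']}, {$logpatient['fname']} {$logpatient['mname']} :: encounter " . $encounter);
                }
                //LOG EVERYTHING
                //newEvent("view", $_SESSION['authUser'], $_SESSION['authProvider'], $_SERVER['REQUEST_URI']);
        } else {
                // No valid session and no complete login form: the POST fields
                // are normally absent on this path, so they are read defensively.
                $attemptUser = isset($_POST['authUser']) ? $_POST['authUser'] : '';
                $attemptProvider = isset($_POST['authProvider']) ? $_POST['authProvider'] : '';
                newEvent("login", $attemptUser, $attemptProvider, "insufficient data sent");
                authLoginScreen();
        }
}

// Idle timeout.  $timeout is not defined in this file; presumably the
// including script sets it before auth.inc is required -- confirm.
if (!isset($_SESSION["last_update"])) {
        authLoginScreen();
} else {
        //if page has not been updated in a given period of time, we call login screen
        if ((time() - $_SESSION["last_update"]) > $timeout) {
                newEvent("logout", $_SESSION['authUser'], $_SESSION['authProvider'], "timeout");
                authCloseSession();
                authLoginScreen();
        } else {
                $_SESSION["last_update"] = time();
        }
}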
59 //----------THINGS WE DO IF WE STILL LIKE YOU
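/**
 * Authenticate a user and, on success, populate $_SESSION with the
 * identity the rest of the application reads.
 *
 * @param string $user     login name, compared against users.username
 * @param string $pass     credential as submitted; compared byte-for-byte
 *                         with users.password (no hashing is done here)
 * @param string $provider group name the user must belong to (groups.name)
 * @return bool true when the credential matches and the user is a member
 *              of $provider; false for an unknown user, a mismatch, or a
 *              missing group membership
 */
function authNewSession ($user, $pass, $provider)
{
        if (!session_id()) {
                session_start();
        }

        // Escape before interpolating into SQL.  mysql_real_escape_string()
        // needs an open link; validateGroupStatus() in this file makes the
        // same assumption that the connection already exists here.
        $safeUser = mysql_real_escape_string($user);
        $safeProvider = mysql_real_escape_string($provider);

        $authDB = sqlQuery("select id, password, authorized from users where username = '$safeUser'");
        if (!$authDB || !isset($authDB['password'])) {
                // Unknown user, or a NULL stored password: never authenticate.
                return false;
        }

        // Strict comparison: with == two numeric-looking strings (for example
        // hex digests beginning with "0e") compare numerically and can be equal.
        if ($authDB['password'] !== $pass) {
                return false;
        }

        // The user must also be a member of the requested group.
        $authGroup = sqlQuery("select * from groups where user='$safeUser' and name='$safeProvider'");
        if (!$authGroup) {
                return false;
        }

        // Issue a fresh session id so an id fixed before login is not
        // carried into the authenticated session.
        session_regenerate_id();

        $_SESSION['authUser'] = $user;
        $_SESSION['authGroup'] = $authGroup['name'];
        $_SESSION['authUserID'] = $authDB['id'];
        // The submitted credential is kept in the session because
        // authCheckSession() re-checks it against the database on each request.
        $_SESSION['authPass'] = $pass;
        $_SESSION['authProvider'] = $provider;
        $_SESSION['authId'] = $authDB['id'];
        $_SESSION['userauthorized'] = $authDB['authorized'];
        return true;
}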
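/**
 * Re-validate the identity stored in $_SESSION against the users table.
 *
 * @return bool true when $_SESSION holds an authId whose database row still
 *              carries the same username and password as the session; false
 *              when any of the session fields is missing, the row is gone,
 *              or either value differs
 */
function authCheckSession ()
{
        if (!isset($_SESSION['authId'])) {
                return false;
        }
        // Both fields are compared below; a session missing either cannot be valid.
        if (!isset($_SESSION['authUser']) || !isset($_SESSION['authPass'])) {
                return false;
        }

        $safeId = mysql_real_escape_string($_SESSION['authId']);
        $authDB = sqlQuery("select username, password from users where id = '" . $safeId . "'");
        if (!$authDB) {
                return false; // row deleted since login
        }

        // Strict comparison so numeric-looking strings are not compared as numbers.
        return $_SESSION['authUser'] === $authDB['username']
                && $_SESSION['authPass'] === $authDB['password'];
}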
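/**
 * Terminate the current session: clear its data, destroy the server-side
 * record and expire the session cookie in the browser.
 *
 * Output buffering is started first, presumably so the cookie header can
 * still be sent if something was already echoed.
 */
function authCloseSession ()
{
        ob_start();
        session_unset();
        session_destroy();
        // session_destroy() removes the server-side data only; the browser
        // keeps its cookie unless told to expire it.  Reuse the path/domain
        // the session cookie was issued with so the browser matches it.
        if (isset($_COOKIE[session_name()])) {
                $params = session_get_cookie_params();
                setcookie(session_name(), '', time() - 42000, $params['path'], $params['domain'], $params['secure']);
        }
        // Also drop the request-scope copy so later code in this request
        // does not see the stale cookie.
        unset($_COOKIE[session_name()]);
}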
/**
 * Redirect the browser to the configured login page and stop the request.
 * Never returns.
 */
function authLoginScreen()
{
        $target = $GLOBALS['login_screen'];
        header('Location: ' . $target);
        exit;
}
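/**
 * Insert a new row into the users table.
 *
 * @param string $username     users.username
 * @param string $password_md5 stored verbatim into users.password; no
 *                             hashing happens here, the caller supplies it
 * @param string $info         users.info
 * @param string $authorized   users.authorized, defaults to 'yes'
 * @return mixed whatever sqlInsert() returns
 */
function addUser ($username, $password_md5, $info, $authorized = 'yes')
{
        // Every value is escaped before interpolation into the statement.
        $u = mysql_real_escape_string($username);
        $p = mysql_real_escape_string($password_md5);
        $i = mysql_real_escape_string($info);
        $a = mysql_real_escape_string($authorized);
        return sqlInsert("insert into users (username, password, info, authorized) values ('$u', '$p', '$i', '$a')");
}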
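/**
 * Delete at most one row from the users table by id.
 *
 * @param mixed $id users.id value
 * @return mixed whatever sqlQuery() returns
 */
function delUser ($id)
{
        $safeId = mysql_real_escape_string($id);
        // MySQL's DELETE accepts only a row count after LIMIT; the earlier
        // "limit 0,1" was the SELECT-style offset form.
        return sqlQuery("delete from users where id = '$safeId' limit 1");
}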
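/**
 * Replace the stored password of one user.  The function name is
 * misspelled but kept because callers use it.
 *
 * @param mixed  $id      users.id of the account to update
 * @param string $new_md5 new users.password value, stored verbatim
 * @return mixed whatever sqlQuery() returns
 */
function changePasword ($id, $new_md5)
{
        $safeId = mysql_real_escape_string($id);
        $safePassword = mysql_real_escape_string($new_md5);
        return sqlQuery("update users set password = '$safePassword' where id = '$safeId'");
}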
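/**
 * Fetch rows from the users table, newest first.
 *
 * @param string $cols  column list interpolated verbatim into the SELECT;
 *                      it cannot be escaped, so callers must pass a
 *                      trusted value, never user input
 * @param mixed  $limit 'all' for every row, otherwise the row count
 * @param mixed  $start row offset used together with a numeric $limit
 * @return array list of rows as returned by sqlFetchArray(); empty when
 *               there are none
 */
function getUserList ($cols = '*', $limit = 'all', $start = '0')
{
        // The original "if ($limit = 'all')" was an assignment, so the
        // limited branch was unreachable.
        if ($limit === 'all') {
                $rez = sqlStatement("select $cols from users order by date DESC");
        } else {
                // MySQL LIMIT is "offset, count"; both are cast so only
                // integers reach the statement.
                $rez = sqlStatement("select $cols from users order by date DESC limit " . (int) $start . ", " . (int) $limit);
        }

        $rows = array();
        while ($row = sqlFetchArray($rez)) {
                $rows[] = $row;
        }
        return $rows;
}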
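/**
 * Fetch rows from the groups table, newest first.
 *
 * @param string $cols  column list interpolated verbatim into the SELECT;
 *                      it cannot be escaped, so callers must pass a
 *                      trusted value, never user input
 * @param mixed  $limit 'all' for every row, otherwise the row count
 * @param mixed  $start row offset used together with a numeric $limit
 * @return array list of rows as returned by sqlFetchArray(); empty when
 *               there are none
 */
function getProviderList ($cols = '*', $limit = 'all', $start = '0')
{
        // The original "if ($limit = 'all')" was an assignment, so the
        // limited branch was unreachable.
        if ($limit === 'all') {
                $rez = sqlStatement("select $cols from groups order by date DESC");
        } else {
                // MySQL LIMIT is "offset, count"; both are cast so only
                // integers reach the statement.
                $rez = sqlStatement("select $cols from groups order by date DESC limit " . (int) $start . ", " . (int) $limit);
        }

        $rows = array();
        while ($row = sqlFetchArray($rez)) {
                $rows[] = $row;
        }
        return $rows;
}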
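/**
 * Insert a new row into the groups table.
 *
 * @param string $groupname groups.name
 * @return mixed whatever sqlInsert() returns
 */
function addGroup ($groupname)
{
        $safeName = mysql_real_escape_string($groupname);
        return sqlInsert("insert into groups (name) values ('$safeName')");
}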
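/**
 * Delete at most one row from the groups table by id.
 *
 * @param mixed $group_id groups.id value
 * @return mixed whatever sqlQuery() returns
 */
function delGroup ($group_id)
{
        $safeId = mysql_real_escape_string($group_id);
        // MySQL's DELETE accepts only a row count after LIMIT; the earlier
        // "limit 0,1" was the SELECT-style offset form.
        return sqlQuery("delete from groups where id = '$safeId' limit 1");
}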
177 /***************************************************************
178 //pennfirm
179 //Function currently used by new post calendar code to determine
180 //if a given user is in a group with another user
181 //and if so to allow editing of that users events
183 //*************************************************************/
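/**
 * Helper for validateGroupStatus(): the names of every group the given
 * username belongs to.
 *
 * @param string $username users.username value; escaped here
 * @return array list of groups.name strings, possibly empty
 */
function _authGroupNamesForUser ($username)
{
        $query = "SELECT groups.name FROM users,groups WHERE users.username =  \"" . mysql_real_escape_string($username) . "\" " .
                 "AND users.username = groups.user group by groups.name";
        $result = sqlStatement($query);

        $names = array();
        while ($row = mysql_fetch_array($result)) {
                $names[] = $row[0];
        }
        return $names;
}

/**
 * Decide whether $user_to_be_checked may act on $group_user's calendar
 * events: true when they are the same user, when the session is flagged
 * as authorized, or when the two users share at least one group.
 *
 * @param string $user_to_be_checked username of the acting user
 * @param string $group_user         username whose events are targeted
 * @return bool false when either argument is null or no condition holds
 */
function validateGroupStatus ($user_to_be_checked, $group_user) {
        if (!isset($user_to_be_checked) || !isset($group_user)) {
                return false;
        }

        // String-cast before a strict compare so an int/string mix still
        // matches while numeric-looking names are not compared as numbers.
        if ((string) $user_to_be_checked === (string) $group_user) {
                return true;
        }

        // NOTE(review): this key is not written anywhere in this file;
        // authNewSession() stores 'userauthorized'.  Confirm which key the
        // calendar code populates before relying on this branch.
        if (isset($_SESSION['authorizeduser']) && $_SESSION['authorizeduser'] == 1) {
                return true;
        }

        $checkedGroups = _authGroupNamesForUser($user_to_be_checked);
        $targetGroups = _authGroupNamesForUser($group_user);

        // Strict in_array: both lists hold strings from groups.name, so a
        // loose match would only add accidental numeric-string equality.
        foreach ($checkedGroups as $group) {
                if (in_array($group, $targetGroups, true)) {
                        return true;
                }
        }

        return false;
}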