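<?php

/**
 * handle_note.php
 *
 * Endpoint for the patient-portal messaging module. It is reached from two
 * contexts and first settles which one applies and who the acting "owner" is:
 *
 *  - Patient portal: an onsite-portal session exists. Every identity field the
 *    client may send (pid, sender_id, sender_name) is checked against the
 *    session / patient record so a patient can only act as themselves.
 *  - Core OpenEMR: no portal session; the request must belong to an
 *    authenticated user (authUser), who becomes the owner.
 *
 * The portal feature flag and the CSRF token are then verified and the posted
 * task is dispatched. Non-redirecting callers get a plain-text or JSON body;
 * when a `submit` URL is posted the request ends with a same-site redirect.
 *
 * @package OpenEMR
 * @link https://www.open-emr.org
 * @author Jerry Padgett <sjpadgett@gmail.com>
 * @author Brady Miller <brady.g.miller@gmail.com>
 * @copyright Copyright (c) 2016-2017 Jerry Padgett <sjpadgett@gmail.com>
 * @copyright Copyright (c) 2019 Brady Miller <brady.g.miller@gmail.com>
 * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
 */

use OpenEMR\Common\Csrf\CsrfUtils;

// Will start the (patient) portal OpenEMR session/cookie.
require_once(dirname(__FILE__) . "/../../src/Common/Session/SessionUtil.php");
OpenEMR\Common\Session\SessionUtil::portalSessionStart();

// Identity fields arrive as request strings. Compare them strictly after casting
// both sides to string so loose-comparison quirks ("1e1" == "10", "01" == "1")
// cannot satisfy an equality check; a non-scalar value (e.g. pid[]=...) never matches.
$sameIdentity = static function ($posted, $expected): bool {
    return is_scalar($posted) && (string) $posted === (string) $expected;
};

if (isset($_SESSION['pid']) && isset($_SESSION['patient_portal_onsite_two'])) {
    // Patient-portal context: a posted pid (if any) must be the session's pid.
    // globals.php is not loaded yet, so xlt() is unavailable for this message.
    if (!empty($_POST['pid']) && !$sameIdentity($_POST['pid'], $_SESSION['pid'])) {
        echo "illegal Action";
        OpenEMR\Common\Session\SessionUtil::portalSessionCookieDestroy();
        exit;
    }

    $ignoreAuth_onsite_portal = true;
    require_once(dirname(__FILE__) . "/../../interface/globals.php");
    if (empty($_SESSION['portal_username'])) {
        echo xlt("illegal Action");
        OpenEMR\Common\Session\SessionUtil::portalSessionCookieDestroy();
        exit;
    }
    // owner is the patient portal_username
    $owner = $_SESSION['portal_username'];

    // ensure the owner is bootstrapped to the $_POST['sender_id'] and
    // $_POST['sender_name'], if applicable: a sender_name without a sender_id,
    // or a sender_id other than the session owner, is rejected.
    if (empty($_POST['sender_id']) && !empty($_POST['sender_name'])) {
        echo xlt("illegal Action");
        OpenEMR\Common\Session\SessionUtil::portalSessionCookieDestroy();
        exit;
    }
    if (!empty($_POST['sender_id']) && !$sameIdentity($_POST['sender_id'], $owner)) {
        echo xlt("illegal Action");
        OpenEMR\Common\Session\SessionUtil::portalSessionCookieDestroy();
        exit;
    }
    if (!empty($_POST['sender_name'])) {
        // The display name the client claims must match the patient record of the session pid.
        $nameCheck = sqlQuery("SELECT `fname`, `lname` FROM `patient_data` WHERE `pid` = ?", [$_SESSION['pid']]);
        $expectedName = empty($nameCheck) ? null : ($nameCheck['fname'] . " " . $nameCheck['lname']);
        if ($expectedName === null || !$sameIdentity($_POST['sender_name'], $expectedName)) {
            echo xlt("illegal Action");
            OpenEMR\Common\Session\SessionUtil::portalSessionCookieDestroy();
            exit;
        }
    }
} else {
    // Core OpenEMR context: drop any stale portal cookie and require a logged-in user.
    OpenEMR\Common\Session\SessionUtil::portalSessionCookieDestroy();
    $ignoreAuth = false;
    require_once(dirname(__FILE__) . "/../../interface/globals.php");
    if (!isset($_SESSION['authUserID']) || empty($_SESSION['authUser'])) {
        $landingpage = "index.php";
        header('Location: ' . $landingpage);
        exit();
    }
    //owner is the user authUser
    $owner = $_SESSION['authUser'];
}

require_once(dirname(__FILE__) . "/../lib/portal_mail.inc.php");
require_once("$srcdir/pnotes.inc.php");

// empty() covers both "not set" and "set but false/0".
if (empty($GLOBALS['portal_onsite_two_enable'])) {
    echo xlt('Patient Portal is turned off');
    exit;
}

// confirm csrf (from both portal and core). A missing token is passed as '' rather
// than null so the verifier sees a string and simply fails the check.
// NOTE(review): csrfNotVerified() is expected to terminate the request — confirm in CsrfUtils.
if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"] ?? '', 'messages-portal')) {
    CsrfUtils::csrfNotVerified();
}

if (empty($owner)) {
    echo xlt('Critical error, so exiting');
    exit;
}

$task = $_POST['task'] ?? '';
if (!$task) {
    return 'no task';
}

$noteid = ($_POST['noteid'] ?? null) ?: 0;

// notejson is a JSON-encoded list of note ids used by "massdelete". Only decode a
// string (json_decode() on an array would throw) and only keep an array result,
// so the foreach below never iterates a scalar.
$rawNotes = $_POST['notejson'] ?? null;
$decodedNotes = (is_string($rawNotes) && $rawNotes !== '') ? json_decode($rawNotes, true) : null;
$notejson = is_array($decodedNotes) ? $decodedNotes : [];

$reply_noteid = ($_POST['replyid'] ?? null) ?: 0;
$note = $_POST['inputBody'] ?? null;
$title = $_POST['title'] ?? null;
$sid = $_POST['sender_id'] ?? null;
$sn = $_POST['sender_name'] ?? null;
$rid = $_POST['recipient_id'] ?? null;
$rn = $_POST['recipient_name'] ?? null;
$header = '';

// Mutating tasks acknowledge with a plain 'ok' when the caller did not ask for a redirect.
$respondOk = false;

// Read-only folder tasks share one code path; the task name selects the mailbox.
$folders = [
    'getinbox' => 'inbox',
    'getsent' => 'sent',
    'getall' => 'all',
    'getdeleted' => 'deleted',
];

switch ($task) {
    case "forward":
        $pid = $_POST['pid'] ?? 0;
        addPnote($pid, $note, 1, 1, $title, $sid, '', 'New');
        updatePortalMailMessageStatus($noteid, 'Sent', $owner);
        $respondOk = true;
        break;
    case "add":
        // each user has their own copy of message
        sendMail($owner, $note, $title, $header, $noteid, $sid, $sn, $rid, $rn, 'New');
        sendMail($rid, $note, $title, $header, $noteid, $sid, $sn, $rid, $rn, 'New', $reply_noteid);
        $respondOk = true;
        break;
    case "reply":
        sendMail($owner, $note, $title, $header, $noteid, $sid, $sn, $rid, $rn, 'Reply', '');
        sendMail($rid, $note, $title, $header, $noteid, $sid, $sn, $rid, $rn, 'New', $reply_noteid);
        $respondOk = true;
        break;
    case "delete":
        updatePortalMailMessageStatus($noteid, 'Delete', $owner);
        $respondOk = true;
        break;
    case "massdelete":
        foreach ($notejson as $deleteid) {
            updatePortalMailMessageStatus($deleteid, 'Delete', $owner);
        }
        // Acknowledge once for the whole batch, not once per id.
        $respondOk = true;
        break;
    case "setread":
        if ($noteid > 0) {
            updatePortalMailMessageStatus($noteid, 'Read', $owner);
            $respondOk = true;
        } else {
            echo 'missing note id';
        }
        break;
    case "getinbox":
    case "getsent":
    case "getall":
    case "getdeleted":
        // $owner is guaranteed non-empty by the guard above.
        echo json_encode(getMails($owner, $folders[$task], '', ''));
        break;
    default:
        echo 'failed';
        break;
}

if ($respondOk && empty($_POST["submit"])) {
    echo 'ok';
}

if (!empty($_POST["submit"])) {
    $url = $_POST["submit"];
    // Only follow a same-site, path-relative target. A value carrying a scheme or a
    // host (including protocol-relative "//host" and the "/\host" spelling browsers
    // accept) would turn this POSTed field into an open redirect, so it is not followed.
    $isLocal = false;
    if (is_string($url)) {
        $normalized = ltrim(str_replace('\\', '/', $url));
        $parts = parse_url($normalized);
        $isLocal = is_array($parts)
            && !isset($parts['scheme'])
            && !isset($parts['host'])
            && substr($normalized, 0, 2) !== '//';
    }
    if ($isLocal) {
        header("Location: " . $url);
    }
    exit();
}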