3 * This script assigns the 'Emergency login' ACL.
5 * Copyright (C) 2015 Roberto Vasquez <robertogagliotta@gmail.com>
7 * LICENSE: This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 2
10 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>.
19 * @author Roberto Vasquez <robertogagliotta@gmail.com>
20 * @link http://www.open-emr.org
23 require_once("../globals.php");
24 require_once("../../library/acl.inc");
25 require_once("$srcdir/sql.inc");
26 require_once("$srcdir/auth.inc");
27 require_once("$srcdir/formdata.inc.php");
28 require_once ($GLOBALS['srcdir'] . "/classes/postmaster.php");
36 /* Sending a mail to the admin when the breakglass user is activated only if $GLOBALS['Emergency_Login_email'] is set to 1 */
// Break-glass notification: walk the submitted ACL list and, when the
// "Emergency Login" group is being switched from inactive to active, e-mail a
// security admin.  The loop/if closers and the actual send call are on lines
// that are not present in this copy of the file, so the structure is read from
// the surviving lines only.  The $GLOBALS['Emergency_Login_email'] gate named
// in the comment above is not on any visible line either.
37 $bg_count=count($access_group);
// NOTE(review): $access_group is never assigned in the visible code; the
// equivalent loop in the "update" branch counts $_POST['access_group'] —
// confirm which variable is intended here.
38 $mail_id = explode(".",$SMTP_HOST);
// NOTE(review): $mail_id is not read anywhere in the visible code; looks like a leftover.
39 for($i=0;$i<$bg_count;$i++
){
// All three gate values (access_group, active, pre_active) come from the request
// body; 'active' is compared against the literal 'on' here, whereas the update
// branch below treats it as a truthy/"" flag — the two checks are not aligned.
40 if(($_POST['access_group'][$i] == "Emergency Login") && ($_POST['active'] == 'on') && ($_POST['pre_active'] == 0)){
// Recipient selection.  admin_id is read from the POST body rather than from a
// server-side setting; the status text at the bottom of this page names
// $GLOBALS['Emergency_Login_email_id'] as the configured recipient, so confirm
// the form populates admin_id from that setting instead of letting the client
// decide where the activation alert is delivered.
41 if(($_POST['get_admin_id'] == 1) && ($_POST['admin_id'] != "")){
// Username lookup uses a bound parameter for id (not string interpolation).
42 $res = sqlStatement("select username from users where id= ? ", array($_POST["id"]));
43 $row = sqlFetchArray($res);
44 $uname=$row['username'];
// MyMailer comes from classes/postmaster.php (required at the top of the file).
45 $mail = new MyMailer();
46 $mail->From
= $GLOBALS["practice_return_email_path"];
47 $mail->FromName
= "Administrator OpenEMR";
// Plain-text body: username from the DB row plus the server's local time.
48 $text_body = "Hello Security Admin,\n\n The Emergency Login user ".$uname.
49 " was activated at ".date('l jS \of F Y h:i:s A')." \n\nThanks,\nAdmin OpenEMR.";
50 $mail->Body
= $text_body;
51 $mail->Subject
= "Emergency Login User Activated";
52 $mail->AddAddress($_POST['admin_id']);
57 /* To refresh and save variables in mail frame */
// "update" branch of the user-admin form: one UPDATE per submitted field.
// Most statements bind the user id with "?" but interpolate the field value,
// relying on formData() (from formdata.inc.php, required at the top) to escape
// it for SQL — confirm that escaping matches the connection's charset if this
// is ever touched.  Closing braces for the nested ifs are on lines missing
// from this copy.
58 if (isset($_POST["privatemode"]) && $_POST["privatemode"] =="user_admin") {
59 if ($_POST["mode"] == "update") {
60 if (isset($_POST["username"])) {
61 // $tqvar = addslashes(trim($_POST["username"]));
62 $tqvar = trim(formData('username','P'));
// The current row is fetched first so the old username can be used to
// re-point the groups rows (bound parameter) after the rename.
63 $user_data = sqlFetchArray(sqlStatement("select * from users where id= ? ", array($_POST["id"])));
64 sqlStatement("update users set username='$tqvar' where id= ? ", array($_POST["id"]));
65 sqlStatement("update groups set user='$tqvar' where user= ?", array($user_data["username"]));
66 //echo "query was: " ."update groups set user='$tqvar' where user='". $user_data["username"] ."'" ;
// Each optional field below is only written when the POST value is truthy,
// so a submitted "0" or "" leaves the stored value unchanged.
68 if ($_POST["taxid"]) {
69 $tqvar = formData('taxid','P');
70 sqlStatement("update users set federaltaxid='$tqvar' where id= ? ", array($_POST["id"]));
72 if ($_POST["state_license_number"]) {
73 $tqvar = formData('state_license_number','P');
74 sqlStatement("update users set state_license_number='$tqvar' where id= ? ", array($_POST["id"]));
76 if ($_POST["drugid"]) {
77 $tqvar = formData('drugid','P');
78 sqlStatement("update users set federaldrugid='$tqvar' where id= ? ", array($_POST["id"]));
// upin/npi: their guarding if-lines (if any) are not in this copy of the file.
81 $tqvar = formData('upin','P');
82 sqlStatement("update users set upin='$tqvar' where id= ? ", array($_POST["id"]));
85 $tqvar = formData('npi','P');
86 sqlStatement("update users set npi='$tqvar' where id= ? ", array($_POST["id"]));
88 if ($_POST["taxonomy"]) {
89 $tqvar = formData('taxonomy','P');
90 sqlStatement("update users set taxonomy = '$tqvar' where id= ? ", array($_POST["id"]));
92 if ($_POST["lname"]) {
93 $tqvar = formData('lname','P');
94 sqlStatement("update users set lname='$tqvar' where id= ? ", array($_POST["id"]));
// 'job' in the form maps to the specialty column.
97 $tqvar = formData('job','P');
98 sqlStatement("update users set specialty='$tqvar' where id= ? ", array($_POST["id"]));
100 if ($_POST["mname"]) {
101 $tqvar = formData('mname','P');
102 sqlStatement("update users set mname='$tqvar' where id= ? ", array($_POST["id"]));
104 if ($_POST["facility_id"]) {
105 $tqvar = formData('facility_id','P');
106 sqlStatement("update users set facility_id = '$tqvar' where id = ? ", array($_POST["id"]));
107 //(CHEMED) Update facility name when changing the id
// NOTE(review): unlike every sibling statement, this one interpolates
// $_POST["id"] straight into the SQL text instead of binding it with "?";
// it should take the same array($_POST["id"]) parameter as the line above.
108 sqlStatement("UPDATE users, facility SET users.facility = facility.name WHERE facility.id = '$tqvar' AND users.id = {$_POST["id
"]}");
// Per-facility scheduling restriction (only when the global is enabled):
// drop users_facility rows not in the submitted list, then upsert each
// submitted facility.  Note the DELETE's bound-parameter array is passed but
// the matching "?" is on a line missing from this copy (presumably the
// table_id clause).
// NOTE(review): the implode()d $_POST['schedule_facility'] values go into the
// NOT IN (...) list without formData()/escaping or binding, and each element is
// interpolated again in the REPLACE below — these should be validated as ints
// (or bound) like the other statements in this branch.
111 if ($GLOBALS['restrict_user_facility'] && $_POST["schedule_facility"]) {
112 sqlStatement("delete from users_facility
113 where tablename='users'
115 and facility_id not in (" . implode(",", $_POST['schedule_facility']) . ")", array($_POST["id"]));
116 foreach($_POST["schedule_facility"] as $tqvar) {
// NOTE(review): $_POST["id"] is interpolated here too rather than bound.
117 sqlStatement("replace into users_facility set
118 facility_id = '$tqvar',
120 table_id = {$_POST["id
"]}");
123 if ($_POST["fname"]) {
124 $tqvar = formData('fname','P');
125 sqlStatement("update users set fname='$tqvar' where id= ? ", array($_POST["id"]));
128 //(CHEMED) Calendar UI preference
129 if ($_POST["cal_ui"]) {
130 $tqvar = formData('cal_ui','P');
131 sqlStatement("update users set cal_ui = '$tqvar' where id = ? ", array($_POST["id"]));
133 // added by bgm to set this session variable if the current user has edited
134 // their own settings
135 if ($_SESSION['authId'] == $_POST["id"]) {
136 $_SESSION['cal_ui'] = $tqvar;
139 //END (CHEMED) Calendar UI preference
// default_warehouse / irnpool: isset() rather than truthiness, so "0" and ""
// are written.  Style note: the id is quoted via formData('id','P') here
// instead of being bound with "?" as in the sibling statements.
141 if (isset($_POST['default_warehouse'])) {
142 sqlStatement("UPDATE users SET default_warehouse = '" .
143 formData('default_warehouse','P') .
144 "' WHERE id = '" . formData('id','P') . "'");
147 if (isset($_POST['irnpool'])) {
148 sqlStatement("UPDATE users SET irnpool = '" .
149 formData('irnpool','P') .
150 "' WHERE id = '" . formData('id','P') . "'");
// Password change: requires the acting admin's own password alongside the new
// user password; update_password() (authentication/password_change.php) is
// expected to re-verify it.  $password_err_msg is presumably filled by
// reference; the $success check that would sit between the call and the log
// line is on a line missing from this copy.
153 if ($_POST["adminPass"] && $_POST["clearPass"]) {
154 require_once("$srcdir/authentication/password_change.php");
155 $clearAdminPass=$_POST['adminPass'];
156 $clearUserPass=$_POST['clearPass'];
157 $password_err_msg="";
158 $success=update_password($_SESSION['authId'],$_POST['id'],$clearAdminPass,$clearUserPass,$password_err_msg);
161 error_log($password_err_msg);
162 $alertmsg.=$password_err_msg;
// Boolean flags are normalised to the integers 0/1 before being interpolated,
// which is what makes the unbound authorized/active/calendar columns below
// safe; see_auth and id are bound.
166 $tqvar = $_POST["authorized"] ?
1 : 0;
167 $actvar = $_POST["active"] ?
1 : 0;
168 $calvar = $_POST["calendar"] ?
1 : 0;
170 sqlStatement("UPDATE users SET authorized = $tqvar, active = $actvar, " .
171 "calendar = $calvar, see_auth = ? WHERE " .
172 "id = ? ", array($_POST['see_auth'], $_POST["id"]));
173 //Display message when Emergency Login user was activated
// Two passes over the submitted ACL list: the first flags an activation of the
// Emergency Login user, the second flags the ACL being chosen for a user that
// is still active.  The loop bodies (the flag assignments) are on lines
// missing from this copy.
174 $bg_count=count($_POST['access_group']);
175 for($i=0;$i<$bg_count;$i++
){
176 if(($_POST['access_group'][$i] == "Emergency Login") && ($_POST['pre_active'] == 0) && ($actvar == 1)){
180 if(($_POST['access_group'])){
181 for($i=0;$i<$bg_count;$i++
){
182 if(($_POST['access_group'][$i] == "Emergency Login") && ($_POST['user_type']) == "" && ($_POST['check_acl'] == 1) && ($_POST['active']) != ""){
187 if ($_POST["comments"]) {
188 $tqvar = formData('comments','P');
189 sqlStatement("update users set info = '$tqvar' where id = ? ", array($_POST["id"]));
// erxrole is written unconditionally (no truthiness guard).
191 $erxrole = formData('erxrole','P');
192 sqlStatement("update users set newcrop_user_role = '$erxrole' where id = ? ", array($_POST["id"]));
194 if ($_POST["physician_type"]) {
// NOTE(review): formData() is called without the 'P' source argument used by
// every sibling call in this branch — confirm its default reads from POST.
195 $physician_type = formData('physician_type');
196 sqlStatement("update users set physician_type = '$physician_type' where id = ? ", array($_POST["id"]));
// ACL assignment is explicitly gated on acl_check('admin','acl'); the field
// updates above carry no such check on any visible line — presumably the
// whole page is gated earlier, in a part of the file not shown here.
199 if (isset($phpgacl_location) && acl_check('admin', 'acl')) {
200 // Set the access control group of user
201 $user_data = sqlFetchArray(sqlStatement("select username from users where id= ?", array($_POST["id"])));
202 set_user_aro($_POST['access_group'], $user_data["username"],
203 formData('fname','P'), formData('mname','P'), formData('lname','P'));
208 /* To refresh and save variables in mail frame - Arb*/
// "new_user" branch: reject duplicate usernames, build the INSERT, and let
// update_password() run it together with the initial password.  The form
// field names 'rumple' / 'stiltskin' carry the username / password.
209 if (isset($_POST["mode"])) {
210 if ($_POST["mode"] == "new_user") {
211 if ($_POST["authorized"] != "1") {
212 $_POST["authorized"] = 0;
214 // $_POST["info"] = addslashes($_POST["info"]);
216 $calvar = $_POST["calendar"] ?
1 : 0;
// Duplicate check: every existing username is scanned in PHP.  $doit is
// assigned on a line missing from this copy (presumably true before the loop,
// false when a match is found).
218 $res = sqlStatement("select distinct username from users where username != ''");
220 while ($row = sqlFetchArray($res)) {
221 if ($doit == true && $row['username'] == trim(formData('rumple'))) {
227 require_once("$srcdir/authentication/password_change.php");
229 //if password expiration option is enabled, calculate the expiration date of the password
// $exp_date is only set here; the value used when expiration is disabled comes
// from a line not shown in this copy.
230 if($GLOBALS['password_expiration_days'] != 0){
231 $exp_days = $GLOBALS['password_expiration_days'];
232 $exp_date = date('Y-m-d', strtotime("+$exp_days days"));
// INSERT text built by concatenation.  The assignment it belongs to
// ($insertUserSQL, used in the update_password() call below) and its closing
// are on missing lines.  'NoLongerUsed' is a placeholder; the real credential
// is stored by update_password().  Every value is trim(formData(...)) and is
// relied on to be SQL-escaped by formData() since nothing here is bound.
236 "insert into users set " .
237 "username = '" . trim(formData('rumple' )) .
238 "', password = '" . 'NoLongerUsed' .
239 "', fname = '" . trim(formData('fname' )) .
240 "', mname = '" . trim(formData('mname' )) .
241 "', lname = '" . trim(formData('lname' )) .
242 "', federaltaxid = '" . trim(formData('federaltaxid' )) .
243 "', state_license_number = '" . trim(formData('state_license_number' )) .
244 "', newcrop_user_role = '" . trim(formData('erxrole' )) .
245 "', physician_type = '" . trim(formData('physician_type' )) .
246 "', authorized = '" . trim(formData('authorized' )) .
247 "', info = '" . trim(formData('info' )) .
248 "', federaldrugid = '" . trim(formData('federaldrugid')) .
249 "', upin = '" . trim(formData('upin' )) .
250 "', npi = '" . trim(formData('npi' )).
251 "', taxonomy = '" . trim(formData('taxonomy' )) .
252 "', facility_id = '" . trim(formData('facility_id' )) .
253 "', specialty = '" . trim(formData('specialty' )) .
254 "', see_auth = '" . trim(formData('see_auth' )) .
255 "', cal_ui = '" . trim(formData('cal_ui' )) .
256 "', default_warehouse = '" . trim(formData('default_warehouse')) .
257 "', irnpool = '" . trim(formData('irnpool' )) .
258 "', calendar = '" . $calvar .
259 "', pwd_expiration_date = '" . trim("$exp_date") .
// Admin re-authentication plus the new user's password; user id 0 and the
// "true" flag select the create-user path of update_password().  $prov_id is
// assigned on a line not shown here.
262 $clearAdminPass=$_POST['adminPass'];
263 $clearUserPass=$_POST['stiltskin'];
264 $password_err_msg="";
266 $success = update_password($_SESSION['authId'], 0, $clearAdminPass, $clearUserPass,
267 $password_err_msg, true, $insertUserSQL, trim(formData('rumple')), $prov_id);
268 error_log($password_err_msg);
269 $alertmsg .=$password_err_msg;
272 //set the facility name from the selected facility_id
273 sqlStatement("UPDATE users, facility SET users.facility = facility.name WHERE facility.id = '" . trim(formData('facility_id')) . "' AND users.username = '" . trim(formData('rumple')) . "'");
// Initial group membership row.
275 sqlStatement("insert into groups set name = '" . trim(formData('groupname')) .
276 "', user = '" . trim(formData('rumple')) . "'");
278 if (isset($phpgacl_location) && acl_check('admin', 'acl') && trim(formData('rumple'))) {
279 // Set the access control group of user
280 set_user_aro($_POST['access_group'], trim(formData('rumple')),
281 trim(formData('fname')), trim(formData('mname')), trim(formData('lname')));
// Duplicate-username message; the submitted username is appended verbatim and
// $alertmsg is later emitted inside a JavaScript alert() at the bottom of the page.
288 $alertmsg .= xl('User','','',' ') . trim(formData('rumple')) . xl('already exists.','',' ');
// Flag when the Emergency Login ACL was chosen for the new user (body on missing lines).
290 if($_POST['access_group']){
291 $bg_count=count($_POST['access_group']);
292 for($i=0;$i<$bg_count;$i++
){
293 if($_POST['access_group'][$i] == "Emergency Login"){
// "new_group" branch: add an existing user to another group unless that
// (name, user) pair already exists.  The whole groups table is loaded into
// $result and scanned in PHP; $doit is assigned on lines not in this copy.
299 else if ($_POST["mode"] == "new_group") {
300 $res = sqlStatement("select distinct name, user from groups");
301 for ($iter = 0; $row = sqlFetchArray($res); $iter++
)
302 $result[$iter] = $row;
// $iter{"name"} uses the curly-brace offset syntax, which was deprecated in
// PHP 7.4 and removed in 8.0; same pattern recurs in the listing code below.
304 foreach ($result as $iter) {
305 if ($doit == 1 && $iter{"name"} == trim(formData('groupname')) && $iter{"user"} == trim(formData('rumple')))
// Values are interpolated, not bound — relies on formData() escaping.
309 sqlStatement("insert into groups set name = '" . trim(formData('groupname')) .
310 "', user = '" . trim(formData('rumple')) . "'");
// Both the submitted username and group name land in $alertmsg, which is
// echoed into a JavaScript string at the end of the page.
312 $alertmsg .= "User " . trim(formData('rumple')) .
313 " is already a member of group " . trim(formData('groupname')) . ". ";
// GET-driven actions.  The user-delete code is kept only inside the block
// comment below (the interpolated $_GET["id"] in it never executes); keep it
// that way rather than uncommenting it.
318 if (isset($_GET["mode"])) {
320 /*******************************************************************
321 // This is the code to delete a user. Note that the link which invokes
322 // this is commented out. Somebody must have figured it was too dangerous.
324 if ($_GET["mode"] == "delete") {
325 $res = sqlStatement("select distinct username, id from users where id = '" .
327 for ($iter = 0; $row = sqlFetchArray($res); $iter++)
328 $result[$iter] = $row;
330 // TBD: Before deleting the user, we should check all tables that
331 // reference users to make sure this user is not referenced!
333 foreach($result as $iter) {
334 sqlStatement("delete from groups where user = '" . $iter{"username"} . "'");
336 sqlStatement("delete from users where id = '" . $_GET["id"] . "'");
338 *******************************************************************/
// delete_group: a state-changing action reached from a plain link
// (usergroup_admin.php?mode=delete_group&id=...) in the group listing below,
// i.e. by GET; no CSRF token check is visible in this fragment — confirm one
// exists elsewhere, or move this to a POST with a token.
340 if ($_GET["mode"] == "delete_group") {
341 $res = sqlStatement("select distinct user from groups where id = ?", array($_GET["id"]));
342 for ($iter = 0; $row = sqlFetchArray($res); $iter++
)
343 $result[$iter] = $row;
// NOTE(review): $un is interpolated into the query below but is not assigned
// on any visible line (presumably set from $iter on the missing line inside
// this foreach); it should be bound with "?" like the id on the same statement.
344 foreach($result as $iter)
346 $res = sqlStatement("select name, user from groups where user = '$un' " .
347 "and id != ?", array($_GET["id"]));
349 // Remove the user only if they are also in some other group. I.e. every
350 // user must be a member of at least one group.
351 if (sqlFetchArray($res) != FALSE) {
352 sqlStatement("delete from groups where id = ?", array($_GET["id"]));
354 $alertmsg .= "You must add this user to some other group before " .
355 "removing them from this group. ";
// Include inactive users in the listing when the form_inactive checkbox was submitted.
$form_inactive = !empty($_REQUEST['form_inactive']);
366 <link rel
="stylesheet" href
="<?php echo $css_header;?>" type
="text/css">
367 <link rel
="stylesheet" href
="<?php echo $css_header;?>" type
="text/css">
368 <link rel
="stylesheet" type
="text/css" href
="<?php echo $GLOBALS['webroot'] ?>/library/js/fancybox/jquery.fancybox-1.2.6.css" media
="screen" />
369 <script type
="text/javascript" src
="<?php echo $GLOBALS['webroot'] ?>/library/dialog.js?v=<?php echo $v_js_includes; ?>"></script
>
370 <script type
="text/javascript" src
="<?php echo $GLOBALS['assets_static_relative']; ?>/jquery-min-1-3-2/index.js"></script
>
371 <script type
="text/javascript" src
="<?php echo $GLOBALS['webroot'] ?>/library/js/common.js"></script
>
372 <script type
="text/javascript" src
="<?php echo $GLOBALS['webroot'] ?>/library/js/fancybox/jquery.fancybox-1.2.6.js"></script
>
373 <script type
="text/javascript" src
="<?php echo $GLOBALS['webroot'] ?>/library/js/jquery-ui.js"></script
>
374 <script type
="text/javascript" src
="<?php echo $GLOBALS['webroot'] ?>/library/js/jquery.easydrag.handler.beta2.js"></script
>
375 <script type
="text/javascript">
377 $
(document
).ready(function(){
385 $
(".iframe_medium").fancybox( {
386 'overlayOpacity' : 0.0,
387 'showCloseButton' : true,
393 // add drag and drop functionality to fancybox
394 $
("#fancy_outer").easydrag();
399 <script language
="JavaScript">
// onclick handler for the "authorized" checkbox: the calendar checkbox is only
// enabled while "authorized" is checked, and it mirrors that state.  Operates on
// the first form in the document; the closing brace is on a line missing here.
401 function authorized_clicked() {
402 var f
= document
.forms
[0];
// Disable calendar when not authorized ...
403 f
.calendar
.disabled
= !f
.authorized
.checked
;
// ... and copy the authorized state into it.
404 f
.calendar
.checked
= f
.authorized
.checked
;
410 <body
class="body_top">
416 <td
><b
><?php
xl('User / Groups','e'); ?
></b
></td
>
417 <td
><a href
="usergroup_admin_add.php" class="iframe_medium css_button"><span
><?php
xl('Add User','e'); ?
></span
></a
>
419 <td
><a href
="facility_user.php" class="css_button"><span
><?php
xl('View Facility Specific User Information','e'); ?
></span
></a
>
424 <div style
="width:650px;">
427 <form name
='userlist' method
='post' action
='usergroup_admin.php' onsubmit
='return top.restoreSession()'>
428 <input type
='checkbox' name
='form_inactive' value
='1' onclick
='submit()' <?php
if ($form_inactive) echo 'checked '; ?
>/>
429 <span
class='text' style
= "margin-left:-3px"> <?php
xl('Include inactive users','e'); ?
> </span
>
// Status banners for the Emergency Login flows.  $set_active_msg and
// $show_message are assigned on lines not shown in this copy.
432 if($set_active_msg == 1){
433 echo "<font class='alert'>".xl('Emergency Login ACL is chosen. The user is still in active state, please de-activate the user and activate the same when required during emergency situations. Visit Administration->Users for activation or de-activation.')."</font><br>";
435 if ($show_message == 1){
// NOTE(review): $_GET['fname'] is echoed into the HTML unescaped; the user
// listing below runs row values through attr(), and this should be escaped
// the same way before it is written into the page.
436 echo "<font class='alert'>".xl('The following Emergency Login User is activated:')." "."<b>".$_GET['fname']."</b>"."</font><br>";
437 echo "<font class='alert'>".xl('Emergency Login activation email will be circulated only if following settings in the interface/globals.php file are configured:')." \$GLOBALS['Emergency_Login_email'], \$GLOBALS['Emergency_Login_email_id']</font>";
441 <table cellpadding
="1" cellspacing
="0" class="showborder">
442 <tbody
><tr height
="22" class="showborder_head">
443 <th width
="180px"><b
><?php
xl('Username','e'); ?
></b
></th
>
444 <th width
="270px"><b
><?php
xl('Real Name','e'); ?
></b
></th
>
445 <th width
="320px"><b
><span
class="bold"><?php
xl('Additional Info','e'); ?
></span
></b
></th
>
446 <th
><b
><?php
xl('Authorized','e'); ?
>?
</b
></th
>
// User listing.  The query text is assembled from fixed strings only (the
// inactive filter is a boolean, not a request value), then every row is read
// into $result4 before rendering.
449 $query = "SELECT * FROM users WHERE username != '' ";
450 if (!$form_inactive) $query .= "AND active = '1' ";
451 $query .= "ORDER BY username";
452 $res = sqlStatement($query);
453 for ($iter = 0;$row = sqlFetchArray($res);$iter++
)
454 $result4[$iter] = $row;
// Curly-brace offsets ($iter{"..."}) were removed in PHP 8.0.  The else
// branch of the authorized check is on a line missing from this copy.
455 foreach ($result4 as $iter) {
456 if ($iter{"authorized"}) {
457 $iter{"authorized"} = xl('yes');
459 $iter{"authorized"} = "";
// NOTE(review): id and username are written into the row markup raw, while
// fname/lname/info on the following lines go through attr(); the first two
// should be escaped the same way (username is admin-supplied via this page).
461 print "<tr height=20 class='text' style='border-bottom: 1px dashed;'>
462 <td class='text'><b><a href='user_admin.php?id=" . $iter{"id"} .
463 "' class='iframe_medium' onclick='top.restoreSession()'><span>" . $iter{"username"} . "</span></a></b>" ." </td>
464 <td><span class='text'>" . attr($iter{"fname"}) . ' ' . attr($iter{"lname"}) ."</span> </td>
465 <td><span class='text'>" . attr($iter{"info"}) . "</span> </td>
466 <td align='left'><span class='text'>" .$iter{"authorized"} . "</span> </td>";
// The per-user delete link is intentionally emitted inside an HTML comment,
// matching the commented-out delete handler earlier in the file.
467 print "<td><!--<a href='usergroup_admin.php?mode=delete&id=" . $iter{"id"} .
468 "' class='link_submit'>[Delete]</a>--></td>";
// Group listing (skipped when non-default groups are disabled).  Builds a
// name => "user(Remove), user(Remove), " string per group, then prints it.
474 if (empty($GLOBALS['disable_non_default_groups'])) {
475 $res = sqlStatement("select * from groups order by name");
476 for ($iter = 0;$row = sqlFetchArray($res);$iter++
)
477 $result5[$iter] = $row;
// $grouplist{...} / $iter{"..."}: curly-brace offset syntax, removed in PHP 8.0.
// NOTE(review): group name, user and id are concatenated into the markup
// without attr(); the Remove link is a plain GET to mode=delete_group.
479 foreach ($result5 as $iter) {
480 $grouplist{$iter{"name"}} .= $iter{"user"} .
481 "(<a class='link_submit' href='usergroup_admin.php?mode=delete_group&id=" .
482 $iter{"id"} . "' onclick='top.restoreSession()'>Remove</a>), ";
// substr(..., -2) strips the trailing ", " left by the loop above.
485 foreach ($grouplist as $groupname => $list) {
486 print "<span class='bold'>" . $groupname . "</span><br>\n<span class='text'>" .
487 substr($list,0,strlen($list)-2) . "</span><br>\n";
496 <script language
="JavaScript">
// Surface accumulated messages via a JS alert.  The assignment inside the
// condition is intentional (trim, then test for non-empty).
// NOTE(review): $alertmsg is placed inside a single-quoted JavaScript string
// without any escaping, and earlier in this file it receives the submitted
// username and group name verbatim ("already exists" / "already a member").
// A quote in those values breaks out of the string; encode for the JS context
// (e.g. json_encode($alertmsg)) instead of interpolating.
498 if ($alertmsg = trim($alertmsg)) {
499 echo "alert('$alertmsg');\n";