library/auth.inc

   1 <?php
   2 //----------THINGS WE ALWAYS DO
   3
   4 require_once("{$GLOBALS['srcdir']}/log.inc");
   5 require_once("{$GLOBALS['srcdir']}/sql.inc");
   6
   7 if (isset($_GET['auth']) && ($_GET['auth'] == "login") && isset($_POST['authUser']) &&
   8         isset($_POST['authPass']) && isset($_POST['authProvider']))
   9 {
  10         if (!authNewSession($_POST['authUser'], $_POST['authPass'], $_POST['authProvider']))
  11         {
  12                 newEvent("login",$_POST['authUser'], $_POST['authProvider'], "failure");
  13                 authLoginScreen();
  14         }
  15         newEvent("login", $_POST['authUser'], $_POST['authProvider'], "success");
  16         //store the very first initial timestamp for timeout errors
  17         $_SESSION["last_update"] = time();
  18 }
  19 else if ( (isset($_GET['auth'])) && ($_GET['auth'] == "logout") )
  20 {
  21         newEvent("logout", $_SESSION['authUser'], $_SESSION['authProvider'], "success");
  22         authCloseSession();
  23         authLoginScreen();
  24 }
  25 else
  26 {
  27         if (authCheckSession())
  28         {
  29                 if (isset($_SESSION['pid']) && empty($GLOBALS['DAEMON_FLAG']))
  30                 {
  31                         require_once("{$GLOBALS['srcdir']}/patient.inc");
  32                         $logpatient = getPatientData($_SESSION['pid'], "lname, fname, mname");
  33                         newEvent("view", $_SESSION['authUser'], $_SESSION['authProvider'],
  34                                 "{$logpatient['lname']}, {$logpatient['fname']} {$logpatient['mname']} :: encounter " .
  35                                 $_SESSION['encounter']);
  36                 }
  37                 //LOG EVERYTHING
  38                 //newEvent("view", $_SESSION['authUser'], $_SESSION['authProvider'], $_SERVER['REQUEST_URI']);
  39         }
  40         else {
  41                 newEvent("login",$_POST['authUser'], $_POST['authProvider'], "insufficient data sent");
  42                 authLoginScreen();
  43         }
  44 }
  45
  46 if (!isset($_SESSION["last_update"])) {
  47         authLoginScreen();
  48 } else {
  49          //if page has not been updated in a given period of time, we call login screen
  50         if ((time() - $_SESSION["last_update"]) > $timeout) {
  51                 newEvent("logout", $_SESSION['authUser'], $_SESSION['authProvider'], "timeout");
  52                 authCloseSession();
  53                 authLoginScreen();
  54         } else {
  55                 if (empty($GLOBALS['DAEMON_FLAG'])) $_SESSION["last_update"] = time();
  56         }
  57 }
  58
  59 //----------THINGS WE DO IF WE STILL LIKE YOU
  60
  61 function authNewSession ($user, $pass, $provider)
  62 {
  63         //session_name("OpenEMR");
  64         //session_id("81279258720".str_replace(".", "", $_SERVER['REMOTE_ADDR']));
  65         if(!session_id()) {
  66           session_start();
  67         }
  68         //echo "user is: $user pass is: $pass provider is: $provider<br />";
  69         $authDB = sqlQuery("select id, password, authorized, see_auth from users " .
  70                 "where username = '$user'");
  71         //echo "<br>auth pass: ".$authDB['password'];
  72         if ($authDB['password'] == $pass)
  73         {
  74         //here, we check to see if the user is in fact a member of the correct group:
  75                 if ($authGroup = sqlQuery("select * from groups where user='$user' and name='$provider'")) {
  76                         $_SESSION['authUser'] = $user;
  77                         $_SESSION['authGroup'] = $authGroup['name'];
  78                         $_SESSION['authUserID'] = $authDB['id'];
  79                         $_SESSION['authPass'] = $pass;
  80                         $_SESSION['authProvider'] = $provider;
  81                         $_SESSION['authId'] = $authDB{'id'};
  82                         $_SESSION['userauthorized'] = $authDB['authorized'];
  83                         // Some users may be able to authorize without being providers:
  84                         if ($authDB['see_auth'] > '2') $_SESSION['userauthorized'] = '1';
  85                         return true;
  86                 } else {
  87                         return false;
  88                 }
  89         }
  90         else
  91                 return false;
  92 }
  93
  94 function authCheckSession ()
  95 {
  96         if (isset($_SESSION['authId'])) {
  97                 $authDB = sqlQuery("select username, password from users where id = '" .
  98                         $_SESSION['authId']."'");
  99                 if ($_SESSION['authUser'] == $authDB['username'] &&
 100                         $_SESSION['authPass'] == $authDB['password'])
 101                 {
 102                         return true;
 103                 }
 104                 else {
 105                         return false;
 106                 }
 107         }
 108         else {
 109                 return false;
 110         }
 111 }
 112
 113 function authCloseSession ()
 114 {
 115         ob_start();
 116         session_unset();
 117 //      $_SESSION = array();
 118         session_destroy();
 119         //setcookie(session_name(),"","","/");
 120         //the following does the same as the above line:
 121         //if(isset($_COOKIE[session_name()])) {
 122         // session_start();
 123         // session_destroy();
 124         unset($_COOKIE[session_name()]);
 125         //}
 126 }
 127
 128 function authLoginScreen()
 129 {
 130         //header("Location: https://{$_SERVER['HTTP_HOST']}{$GLOBALS['login_screen']}");
 131         header("Location: {$GLOBALS['login_screen']}");
 132         exit;
 133 }
 134
 135 function addUser ($username, $password_md5, $info, $authorized = 'yes')
 136 {
 137         return sqlInsert("insert into users (username, password, info, authorized) values ('$username', '$password_md5', '$info', '$authorized')");
 138 }
 139
 140 function delUser ($id)
 141 {
 142         return sqlQuery("delete from users where id = '$id' limit 0,1");
 143 }
 144
 145 function changePasword ($id, $new_md5)
 146 {
 147         return sqlQuery("update users set password = '$new_md5' where id = '$id'");
 148 }
 149
 150 function getUserList ($cols = '*', $limit = 'all', $start = '0')
 151 {
 152         if ($limit = "all")
 153                 $rez = sqlStatement("select $cols from users where username != '' order by date DESC");
 154         else
 155                 $rez = sqlStatement("select $cols from users where username != '' order by date DESC limit $limit, $start");
 156         for ($iter = 0; $row = sqlFetchArray($rez); $iter++)
 157                 $tbl[$iter] = $row;
 158         return $tbl;
 159 }
 160
 161 function getProviderList ($cols = '*', $limit= 'all', $start = '0')
 162 {
 163         if ($limit = "all")
 164                 $rez = sqlStatement("select $cols from groups order by date DESC");
 165         else
 166                 $rez = sqlStatement("select $cols from groups order by date DESC limit $limit, $start");
 167         for ($iter = 0; $row = sqlFetchArray($rez); $iter++)
 168                 $tbl[$iter] = $row;
 169         return $tbl;
 170 }
 171
 172 function addGroup ($groupname)
 173 {
 174         return sqlInsert("insert into groups (name) values ('$groupname')");
 175 }
 176
 177 function delGroup ($group_id)
 178 {
 179         return sqlQuery("delete from groups where id = '$group_id' limit 0,1");
 180 }
 181
 182 /***************************************************************
 183 //pennfirm
 184 //Function currently user by new post calendar code to determine
 185 //if a given user is in a group with another user
 186 //and if so to allow editing of that users events
 187 //
 188 //*************************************************************/
 189
 190 function validateGroupStatus ($user_to_be_checked, $group_user) {
 191         if (isset($user_to_be_checked) && isset($group_user)) {
 192                 if ($user_to_be_checked == $group_user) {
 193
 194                         return true;
 195                 }
 196                 elseif ($_SESSION['authorizeduser'] == 1)
 197                         return true;
 198
 199                 $query = "SELECT groups.name FROM users,groups WHERE users.username =  \"" . mysql_real_escape_string($user_to_be_checked) . "\" " .
 200                                  "AND users.username = groups.user group by groups.name";
 201                 $result = sqlStatement($query);
 202
 203                 $usertbcGroups = array();
 204
 205                 while ($row = mysql_fetch_array($result)) {
 206                         $usertbcGroups[] = $row[0];
 207                 }
 208
 209                 $query = "SELECT groups.name FROM users,groups WHERE users.username =  \"" . mysql_real_escape_string($group_user) . "\" " .
 210                                  "AND users.username = groups.user group by groups.name";
 211                 $result = sqlStatement($query);
 212
 213                 $usergGroups = array();
 214
 215                 while ($row = mysql_fetch_array($result)) {
 216                         $usergGroups[] = $row[0];
 217                 }
 218                 foreach ($usertbcGroups as $group) {
 219                         if(in_array($group,$usergGroups)) {
 220                           return true;
 221                         }
 222                 }
 223
 224         }
 225
 226         return false;
 227 }
 228 ?>