Security vulnerability fix
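<?php
/**
 * phpGACL admin page: list, add, edit and delete the ACO/ARO/AXO objects
 * that belong to one section.
 *
 * Request parameters:
 *   object_type   - 'aco', 'aro' or 'axo'; GET takes precedence over POST and
 *                   the value is whitelisted before it selects any table name.
 *   section_value - the section whose objects are listed / edited.
 *   page          - result page of the object listing (GET).
 *   action        - 'Delete' or 'Submit' (POST); anything else renders the list.
 *   return_page   - URL handed back to $gacl_api->return_page() after a change.
 */

//First make sure user has access
include_once("../../interface/globals.php");
include_once("$srcdir/acl.inc");

//ensure user has proper access
if (!acl_check('admin', 'acl')) {
    echo xl('ACL Administration Not Authorized');
    exit;
}

//ensure php-GACL is installed / enabled
if (!isset($phpgacl_location)) {
    echo xl('php-GACL access controls are turned off');
    exit;
}

require_once("gacl_admin.inc.php");

//GET takes precedence.
if (isset($_GET['object_type']) && $_GET['object_type'] != '') {
    $object_type = $_GET['object_type'];
} elseif (isset($_POST['object_type'])) {
    $object_type = $_POST['object_type'];
} else {
    $object_type = '';
}

//The object type chooses the table names, so only the three known values are
//accepted; anything else stops the script before any query is built.
switch (strtolower(trim($object_type))) {
    case 'aco':
        $object_type = 'aco';
        $object_table = $gacl_api->_db_table_prefix . 'aco';
        $object_sections_table = $gacl_api->_db_table_prefix . 'aco_sections';
        break;
    case 'aro':
        $object_type = 'aro';
        $object_table = $gacl_api->_db_table_prefix . 'aro';
        $object_sections_table = $gacl_api->_db_table_prefix . 'aro_sections';
        break;
    case 'axo':
        $object_type = 'axo';
        $object_table = $gacl_api->_db_table_prefix . 'axo';
        $object_sections_table = $gacl_api->_db_table_prefix . 'axo_sections';
        break;
    default:
        echo "ERROR: Must select an object type<br>\n";
        exit();
        break;
}

//Request values read in more than one place; all of them are untrusted input.
//section_value is only ever handed to the database as a bound parameter.
$section_value_param = isset($_GET['section_value']) ? $_GET['section_value'] : '';
//NOTE(review): ADOdb paging is assumed to treat page 1 as the first page — confirm.
$page = isset($_GET['page']) ? (int) $_GET['page'] : 1;
$return_page = isset($_POST['return_page']) ? $_POST['return_page'] : null;
$action = isset($_POST['action']) ? $_POST['action'] : '';
$section_name = '';

switch ($action) {
    case 'Delete':
        //count()/each() on a missing index is an error on current PHP, so the
        //list is checked before iterating.
        if (!empty($_POST['delete_object']) && is_array($_POST['delete_object'])) {
            foreach ($_POST['delete_object'] as $id) {
                $gacl_api->del_object($id, $object_type, TRUE);
            }
        }

        //Return page.
        $gacl_api->return_page($return_page);
        break;
    case 'Submit':
        $gacl_api->debug_text("Submit!!");

        $post_section_value = isset($_POST['section_value']) ? $_POST['section_value'] : null;

        //Update objects: each posted row is (id, value, order, name)
        if (isset($_POST['objects']) && is_array($_POST['objects'])) {
            foreach ($_POST['objects'] as $row) {
                list($id, $value, $order, $name) = $row;
                $gacl_api->edit_object($id, $post_section_value, $name, $value, $order, 0, $object_type);
            }
        }

        //Insert new objects: each posted row is (value, order, name); rows
        //without both a value and a name are the untouched blank rows and are skipped.
        if (isset($_POST['new_objects']) && is_array($_POST['new_objects'])) {
            foreach ($_POST['new_objects'] as $row) {
                list($value, $order, $name) = $row;

                if (!empty($value) AND !empty($name)) {
                    $gacl_api->add_object($post_section_value, $name, $value, $order, 0, $object_type);
                }
            }
        }

        $gacl_api->debug_text("return_page: " . $return_page);
        $gacl_api->return_page($return_page);
        break;
    default:
        //Grab section name. The table name comes from the whitelist above;
        //the section value is bound by ADOdb instead of being spliced into the SQL.
        $query = "select name from $object_sections_table where value = ?";
        $section_name = $db->GetOne($query, array($section_value_param));

        $query = "select
                    id,
                    section_value,
                    value,
                    order_value,
                    name
                  from $object_table
                  where section_value = ?
                  order by order_value";
        $rs = $db->pageexecute($query, $gacl_api->_items_per_page, $page, array($section_value_param));
        $rows = $rs->GetRows();

        //Rows arrive as (id, section_value, value, order_value, name)
        $objects = array();
        foreach ($rows as $row) {
            list($id, $section_value, $value, $order_value, $name) = $row;

            $objects[] = array(
                'id' => $id,
                'section_value' => $section_value,
                'value' => $value,
                'order' => $order_value,
                'name' => $name,
            );
        }

        //Five empty rows so the form can take new objects
        $new_objects = array();
        for ($i = 0; $i < 5; $i++) {
            $new_objects[] = array(
                'id' => $i,
                'section_value' => NULL,
                'value' => NULL,
                'order' => NULL,
                'name' => NULL,
            );
        }

        $smarty->assign('objects', $objects);
        $smarty->assign('new_objects', $new_objects);

        $smarty->assign("paging_data", $gacl_api->get_paging_data($rs));
        break;
}

$smarty->assign('section_value', stripslashes($section_value_param));
$smarty->assign('section_name', $section_name);
$smarty->assign('object_type', $object_type);
$smarty->assign('return_page', $_SERVER['REQUEST_URI']);

$smarty->assign('current', 'edit_' . $object_type . 's');
$smarty->assign('page_title', 'Edit ' . strtoupper($object_type) . ' Objects');

$smarty->assign("phpgacl_version", $gacl_api->get_version());
$smarty->assign("phpgacl_schema_version", $gacl_api->get_schema_version());

$smarty->display('phpgacl/edit_objects.tpl');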