1 <?
2 include_once("../globals.php");
3 include_once("$srcdir/md5.js");
4 include_once("$srcdir/sql.inc");
5 require_once(dirname(__FILE__) . "/../../library/classes/WSProvider.class.php");
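$alertmsg = '';

/**
 * Escape a value for interpolation into a single-quoted MySQL string literal.
 *
 * sqlStatement()/idSqlStatement() in this file are handed a finished SQL
 * string (no bind-parameter form is visible here), so escaping before
 * interpolation is the only defence against SQL injection through $_POST and
 * $_GET.  Arrays (a crafted "username[]=..." field) and null collapse to ''
 * instead of being interpolated as the literal text "Array".
 *
 * @param mixed $value raw request or database value
 * @return string text safe inside '...' in a MySQL statement
 */
function ug_sql_text($value)
{
    if ($value === null || is_array($value)) {
        return '';
    }
    $value = (string) $value;
    // Rows in this file are fetched with ext/mysql (mysql_fetch_array), so use
    // its connection-charset-aware escaper when it is available; addslashes is
    // the fallback the original code already used for the "info" field.
    if (function_exists('mysql_real_escape_string')) {
        return mysql_real_escape_string($value);
    }
    return addslashes($value);
}

/**
 * Read a form field as a plain string: '' when it is absent or when the
 * client sent an array instead of a scalar.
 *
 * @param string $name $_POST key
 * @return string
 */
function ug_post_string($name)
{
    if (!isset($_POST[$name]) || is_array($_POST[$name])) {
        return '';
    }
    return (string) $_POST[$name];
}

if (isset($_POST["mode"])) {
    $post_mode = $_POST["mode"];

    if ($post_mode == "facility") {
        // facility column => form field.  Every value is escaped; the original
        // interpolated $_POST straight into the statement.
        $facility_fields = array(
            'name'         => 'facility',
            'phone'        => 'phone',
            'fax'          => 'fax',
            'street'       => 'street',
            'city'         => 'city',
            'state'        => 'state',
            'postal_code'  => 'postal_code',
            'country_code' => 'country_code',
            'federal_ein'  => 'federal_ein',
            'facility_npi' => 'facility_npi',
        );
        $assignments = array();
        foreach ($facility_fields as $column => $field) {
            $assignments[] = $column . " = '" . ug_sql_text(ug_post_string($field)) . "'";
        }
        sqlStatement("insert into facility set " . implode(", ", $assignments));

    } elseif ($post_mode == "new_user") {
        $username  = ug_post_string("username");
        $groupname = ug_post_string("groupname");
        // The checkbox posts "1" when ticked and is absent otherwise.
        $authorized = (ug_post_string("authorized") == "1") ? 1 : 0;

        if ($username === '') {
            $alertmsg .= "Username is required. ";
        } else {
            // Existence check done in SQL instead of walking every username in
            // PHP.  String comparison follows the column collation, so this may
            // also reject a name that differs only by letter case, which the
            // old PHP-side == comparison did not.
            $res = sqlStatement("select username from users where username = '"
                . ug_sql_text($username) . "' limit 1");
            if (sqlFetchArray($res)) {
                $alertmsg .= "User " . $username . " already exists. ";
            } else {
                // form field => users column, copied verbatim after escaping.
                // newauthPass is the hex MD5 of the clear password computed in
                // the browser by the form's submit handler and is stored as-is:
                // an unsalted fast hash, not a real password store.  Changing
                // that also means changing the login check, so it is flagged
                // here rather than altered.
                $user_fields = array(
                    'username'      => 'username',
                    'newauthPass'   => 'password',
                    'fname'         => 'fname',
                    'mname'         => 'mname',
                    'lname'         => 'lname',
                    'federaltaxid'  => 'federaltaxid',
                    'info'          => 'info',
                    'federaldrugid' => 'federaldrugid',
                    'upin'          => 'upin',
                    'npi'           => 'npi',
                    'facility'      => 'facility',
                    'see_auth'      => 'see_auth',
                );
                $assignments = array("authorized = '" . $authorized . "'");
                foreach ($user_fields as $field => $column) {
                    $assignments[] = $column . " = '" . ug_sql_text(ug_post_string($field)) . "'";
                }
                $prov_id = idSqlStatement("insert into users set " . implode(", ", $assignments));
                sqlStatement("insert into groups set name = '" . ug_sql_text($groupname)
                    . "', user = '" . ug_sql_text($username) . "'");
                $ws = new WSProvider($prov_id);
            }
        }

    } elseif ($post_mode == "new_group") {
        $username  = ug_post_string("username");
        $groupname = ug_post_string("groupname");
        // Membership check in SQL; same collation caveat as the new_user check.
        $res = sqlStatement("select name, user from groups where name = '"
            . ug_sql_text($groupname) . "' and user = '" . ug_sql_text($username) . "' limit 1");
        if (sqlFetchArray($res)) {
            $alertmsg .= "User " . $username .
                " is already a member of group " . $groupname . ". ";
        } else {
            sqlStatement("insert into groups set name = '" . ug_sql_text($groupname)
                . "', user = '" . ug_sql_text($username) . "'");
        }
    }
}

if (isset($_GET["mode"])) {
    // Both branches change state from a plain GET with no CSRF token, so an
    // authenticated admin can be made to run them by following a crafted link
    // (the user-delete link in the table below is commented out, presumably
    // for that reason, but this handler is still live).  No token mechanism
    // is visible in this file to hook into; the id is at least confined to an
    // integer so the request cannot rewrite the SQL, which the original's raw
    // interpolation of $_GET["id"] allowed.
    $target_id = (isset($_GET["id"]) && !is_array($_GET["id"])) ? (int) $_GET["id"] : 0;

    if ($_GET["mode"] == "delete") {
        // TBD: before deleting the user we should check every table that
        // references users to make sure this user is not referenced!
        $res = sqlStatement("select distinct username, id from users where id = '" . $target_id . "'");
        while ($row = sqlFetchArray($res)) {
            // The username comes back from the database but is still text, so
            // it is escaped before being interpolated again.
            sqlStatement("delete from groups where user = '" . ug_sql_text($row["username"]) . "'");
        }
        sqlStatement("delete from users where id = '" . $target_id . "'");

    } elseif ($_GET["mode"] == "delete_group") {
        $member = '';
        $res = sqlStatement("select distinct user from groups where id = '" . $target_id . "'");
        while ($row = sqlFetchArray($res)) {
            $member = $row["user"];
        }
        // Remove the membership only if the user is also in some other group:
        // every user must belong to at least one group.
        $res = sqlStatement("select name, user from groups where user = '" . ug_sql_text($member)
            . "' and id != '" . $target_id . "'");
        if (sqlFetchArray($res) != FALSE) {
            sqlStatement("delete from groups where id = '" . $target_id . "'");
        } else {
            $alertmsg .= "You must add this user to some other group before "
                . "removing them from this group. ";
        }
    }
}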
122 <html>
123 <head>
125 <link rel=stylesheet href="<?echo $css_header;?>" type="text/css">
127 </head>
128 <body <?echo $top_bg_line;?> topmargin=0 rightmargin=0 leftmargin=2 bottommargin=0 marginwidth=2 marginheight=0>
130 <span class="title"><? xl('User & Group Administration','e'); ?></span>
132 <br><br>
134 <table width=100%>
135 <tr>
137 <td valign=top>
139 <form name='facility' method='post' action="usergroup_admin.php">
140 <input type=hidden name=mode value="facility">
141 <span class=bold><? xl('New Facility Information','e'); ?>: </span>
142 </td><td>
144 <table border=0 cellpadding=0 cellspacing=0>
145 <tr>
146 <td><span class=text><? xl('Name','e'); ?>: </span></td><td><input type=entry name=facility size=20 value=""></td>
147 <td><span class=text><? xl('Phone','e'); ?>: </span></td><td><input type=entry name=phone size=20 value=""></td>
148 </tr>
149 <tr>
150 <td>&nbsp;</td><td>&nbsp;</td>
151 <td><span class=text><? xl('Fax','e'); ?>: </span></td><td><input type=entry name=fax size=20 value=""></td>
152 </tr>
153 <tr>
154 <td><span class=text><? xl('Address','e'); ?>: </span></td><td><input type=entry size=20 name=street value=""></td>
155 <td><span class=text><? xl('City','e'); ?>: </span></td><td><input type=entry size=20 name=city value=""></td>
156 </tr>
157 <tr>
158 <td><span class=text><? xl('State','e'); ?>: </span></td><td><input type=entry size=20 name=state value=""></td>
159 <td><span class=text><? xl('Zip Code','e'); ?>: </span></td><td><input type=entry size=20 name=postal_code value=""></td>
160 </tr>
161 <tr>
162 <td height="22"><span class=text><? xl('Country','e'); ?>: </span></td>
163 <td><input type=entry size=20 name=country_code value=""></td>
164 <td><span class=text><? xl('Federal EIN','e'); ?>: </span></td><td><input type=entry size=20 name=federal_ein value=""></td>
165 </tr>
166 <tr>
167 <td>&nbsp;</td><td>&nbsp;</td>
169 <td><span class=text><? xl('Facility NPI','e'); ?>: </span></td><td><input type=entry size=20 name=facility_npi value=""></td>
170 </tr>
171 <tr>
172 <td>&nbsp;</td><td>&nbsp;</td>
173 <td>&nbsp;</td><td><input type="submit" value=<? xl('Add Facility','e'); ?>></td>
174 </tr>
175 </table>
176 </form>
177 <br><br>
178 </tr>
179 <tr>
180 <td valign=top>
182 <form name='facility' method='post' action="usergroup_admin.php">
183 <input type=hidden name=mode value=<? xl('facility','e'); ?>>
184 <span class=bold><? xl('Edit Facilities','e'); ?>: </span>
185 </td><td valign=top>
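<?php
// List every facility with an edit link.  Names are free text from the
// facility form and are HTML-escaped here (the original echoed them raw and
// used the bareword constants {name}/{id} as keys).  A fresh array is used so
// rows from an earlier query cannot survive into this list.
$facility_rows = array();
$fres = sqlStatement("select * from facility order by name");
if ($fres) {
    while ($frow = sqlFetchArray($fres)) {
        $facility_rows[] = $frow;
    }
}
foreach ($facility_rows as $facility_row) {
    echo '<span class=text>' . htmlspecialchars($facility_row['name'], ENT_QUOTES)
        . '</span><a href="facility_admin.php?fid=' . (int) $facility_row['id']
        . '" class=link_submit>(Edit)</a><br>' . "\n";
}
?>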
201 </td>
202 </tr>
203 <tr><td valign=top>
204 <form name='new_user' method='post' action="usergroup_admin.php">
205 <input type=hidden name=mode value=new_user>
206 <span class=bold><? xl('New User','e'); ?>:</span>
207 </td><td>
208 <table border=0 cellpadding=0 cellspacing=0>
209 <tr>
210 <td><span class=text><? xl('Username','e'); ?>: </span></td><td><input type=entry name=username size=20> &nbsp;</td>
211 <td><span class=text><? xl('Password','e'); ?>: </span></td><td><input type="password" size=20 name=clearPass></td>
212 </tr>
213 <tr>
214 <td><span class=text><? xl('Groupname','e'); ?>: </span></td><td>
215 <select name=groupname>
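<?php
// Group options for the new-user form.  Uses its own array instead of
// refilling the file-level $result2 by index: the facility list above filled
// $result2 with facility rows, and if there are fewer groups than facilities
// the leftover entries would survive and show up as bogus options.  Names are
// HTML-escaped because they are typed into the new-group form.
$group_rows = array();
$res = sqlStatement("select distinct name from groups");
while ($row = sqlFetchArray($res)) {
    $group_rows[] = $row;
}
foreach ($group_rows as $group_row) {
    $group_name = htmlspecialchars($group_row["name"], ENT_QUOTES);
    print "<option value='" . $group_name . "'>" . $group_name . "</option>\n";
}
?>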
224 </select></td>
225 <td><span class=text><? xl('Authorized','e'); ?>: </span></td><td><input type=checkbox name='authorized' value="1"></td>
226 </tr>
227 <tr>
228 <td><span class=text><? xl('First Name','e'); ?>: </span></td><td><input type=entry name='fname' size=20></td>
229 <td><span class=text><? xl('Middle Name','e'); ?>: </span></td><td><input type=entry name='mname' size=20></td>
230 </tr>
231 <tr>
232 <td><span class=text><? xl('Last Name','e'); ?>: </span></td><td><input type=entry name='lname' size=20></td>
233 <td><span class=text><? xl('Default Facility','e'); ?>: </span></td><td><select name=facility>
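<?php
// Default-facility options.  Uses a fresh array: the original refilled the
// file-level $result by index without clearing it, so rows left over from the
// POST/GET handlers at the top of the file could survive as extra <option>s.
// Facility names are user-entered text and are HTML-escaped.
$facility_rows = array();
$fres = sqlStatement("select * from facility order by name");
if ($fres) {
    while ($frow = sqlFetchArray($fres)) {
        $facility_rows[] = $frow;
    }
}
foreach ($facility_rows as $facility_row) {
    $facility_name = htmlspecialchars($facility_row["name"], ENT_QUOTES);
    echo '<option value="' . $facility_name . '">' . $facility_name . "</option>\n";
}
?>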
246 </select></td>
247 </tr>
248 <tr>
249 <td><span class=text><? xl('Federal Tax ID','e'); ?>: </span></td><td><input type=entry name='federaltaxid' size=20></td>
250 <td><span class=text><? xl('Federal Drug ID','e'); ?>: </span></td><td><input type=entry name='federaldrugid' size=20></td>
251 </tr>
252 <tr>
253 <td><span class="text"><? xl('UPIN','e'); ?>: </span></td><td><input type="entry" name="upin" size="20"></td>
254 <td class='text'><? xl('See Authorizations','e'); ?>: </td>
255 <td><select name="see_auth">
<?php
// "See Authorizations" choices; the numeric keys are what gets stored in
// users.see_auth by the new_user handler, the labels are translated.
$see_auth_choices = array(1 => xl('None'), 2 => xl('Only Mine'), 3 => xl('All'));
foreach ($see_auth_choices as $see_auth_value => $see_auth_label) {
    echo " <option value='$see_auth_value'>$see_auth_label</option>\n";
}
?>
263 </select></td>
265 <tr>
266 <td><span class="text"><? xl('NPI','e'); ?>: </span></td><td><input type="entry" name="npi" size="20"></td>
267 </tr>
268 </table>
269 <span class=text><? xl('Additional Info','e'); ?>: </span><br>
270 <textarea name=info cols=40 rows=4 wrap=auto></textarea>
271 <br><input type="hidden" name="newauthPass">
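<!-- value is quoted because the label contains a space; the handler replaces the clear password with its client-side MD5 before submit. -->
<input type="submit" onClick="javascript:this.form.newauthPass.value=MD5(this.form.clearPass.value);this.form.clearPass.value='';" value="<?php xl('Add User','e'); ?>">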
273 </form>
274 </td>
276 </tr><tr>
278 <td valign=top>
279 <form name=new_group method=post action="usergroup_admin.php">
280 <input type=hidden name=mode value=new_group>
281 <span class=bold><? xl('New Group','e'); ?>:</span>
282 </td><td>
283 <span class=text><? xl('Groupname','e'); ?>: </span><input type=entry name=groupname size=10>
284 &nbsp;&nbsp;&nbsp;
285 <span class=text><? xl('Initial User','e'); ?>: </span>
286 <select name=username>
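<?php
// Initial-user options for the new-group form.  Uses a fresh array: the
// original refilled the file-level $result by index, which the facility list
// above had just filled with facility rows, so leftover entries (with no
// "username" key) produced empty options.  Usernames are HTML-escaped.
$user_rows = array();
$res = sqlStatement("select distinct username from users where username != ''");
while ($row = sqlFetchArray($res)) {
    $user_rows[] = $row;
}
foreach ($user_rows as $user_row) {
    $user_name = htmlspecialchars($user_row["username"], ENT_QUOTES);
    print "<option value='" . $user_name . "'>" . $user_name . "</option>\n";
}
?>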
295 </select>
296 &nbsp;&nbsp;&nbsp;
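<!-- The label contains a space, so the value attribute must be quoted or the button reads just "Add". -->
<input type="submit" value="<?php xl('Add Group','e'); ?>">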
298 </form>
299 </td>
301 </tr><tr>
303 <td valign=top>
304 <form name=new_group method=post action="usergroup_admin.php">
305 <input type=hidden name=mode value=new_group>
306 <span class=bold><? xl('Add User To Group','e'); ?>:</span>
307 </td><td>
308 <span class=text>
309 <? xl('User','e'); ?>
310 : </span>
311 <select name=username>
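<?php
// User options for the add-user-to-group form.  Usernames are typed into the
// new-user form, so they are HTML-escaped; the original printed them raw.
$user_rows = array();
$res = sqlStatement("select distinct username from users where username != ''");
while ($row = sqlFetchArray($res)) {
    $user_rows[] = $row;
}
foreach ($user_rows as $user_row) {
    $user_name = htmlspecialchars($user_row["username"], ENT_QUOTES);
    print "<option value='" . $user_name . "'>" . $user_name . "</option>\n";
}
?>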
320 </select>
321 &nbsp;&nbsp;&nbsp;
322 <span class=text><? xl('Groupname','e'); ?>: </span>
323 <select name=groupname>
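<?php
// Group options for the add-user-to-group form.  Group names are typed into
// the new-group form, so they are HTML-escaped; a fresh array replaces the
// index-refill of the shared $result2.
$group_rows = array();
$res = sqlStatement("select distinct name from groups");
while ($row = sqlFetchArray($res)) {
    $group_rows[] = $row;
}
foreach ($group_rows as $group_row) {
    $group_name = htmlspecialchars($group_row["name"], ENT_QUOTES);
    print "<option value='" . $group_name . "'>" . $group_name . "</option>\n";
}
?>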
332 </select>
333 &nbsp;&nbsp;&nbsp;
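<!-- The label contains spaces, so the value attribute must be quoted or the button reads just "Add". -->
<input type="submit" value="<?php xl('Add User To Group','e'); ?>">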
335 </form>
336 </td>
338 </tr>
339 </table>
341 <hr>
343 <table border=0 cellpadding=1 cellspacing=2>
344 <tr><td><span class=bold><? xl('Username','e'); ?></span></td><td><span class=bold><? xl('Real Name','e'); ?></span></td><td><span class=bold><? xl('Info','e'); ?></span></td><td><span class=bold><? xl('Authorized','e'); ?>?</span></td></tr>
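<?php
// User table.  Username, names and "info" are free text typed into the
// new-user form, so they are HTML-escaped here; the original printed them
// raw, which lets a stored payload (e.g. via the Additional Info textarea)
// run in every admin's browser.
$user_rows = array();
$res = sqlStatement("select * from users where username != '' order by username");
while ($row = sqlFetchArray($res)) {
    $user_rows[] = $row;
}
foreach ($user_rows as $user_row) {
    $user_id    = (int) $user_row["id"];
    $authorized = $user_row["authorized"] ? xl('yes') : "";
    print "<tr><td><span class=text>" . htmlspecialchars($user_row["username"], ENT_QUOTES)
        . "</span><a href='user_admin.php?id=" . $user_id
        . "' class=link_submit>(Edit)</a></td><td><span class=text>"
        . htmlspecialchars($user_row["fname"] . ' ' . $user_row["lname"], ENT_QUOTES)
        . "</span></td><td><span class=text>"
        . htmlspecialchars($user_row["info"], ENT_QUOTES)
        . "</span></td><td align='center'><span class=text>"
        . $authorized . "</span></td>";
    // The delete link stays commented out as in the original (the GET
    // handler it points at is still live and has no CSRF protection); the
    // cell is kept so the row shape does not change.
    print "<td><!--<a href='usergroup_admin.php?mode=delete&id=" . $user_id
        . "' class=link_submit>[Delete]</a>--></td>";
    print "</tr>\n";
}
?>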
368 </table>
370 <hr>
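<?php
// Group membership list: one line per group, members comma-separated, each
// followed by a remove link.  $grouplist is initialised (the original
// appended to an undefined variable), group and user names are HTML-escaped,
// and the id is emitted as an integer.
$grouplist = array();
$res = sqlStatement("select * from groups order by name");
while ($row = sqlFetchArray($res)) {
    $grouplist[$row["name"]][] = htmlspecialchars($row["user"], ENT_QUOTES)
        . "(<a class=link_submit href='usergroup_admin.php?mode=delete_group&amp;id="
        . (int) $row["id"] . "'>Remove</a>)";
}
foreach ($grouplist as $groupname => $members) {
    print "<span class=bold>" . htmlspecialchars($groupname, ENT_QUOTES)
        . "</span><br>\n<span class=text>" . implode(", ", $members) . "</span><br>\n";
}
?>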
389 <script language="JavaScript">
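<?php
// Surface any accumulated message as a JS alert.  $alertmsg echoes back the
// submitted username/group name, so it must be escaped for the JS string
// context (the original dropped it into alert('...') unescaped): quotes and
// backslashes via addslashes, line breaks so the literal stays on one line,
// and "</" so the text cannot close the <script> element.
$alertmsg = trim($alertmsg);
if ($alertmsg !== '') {
    $alert_js = str_replace(
        array("\r", "\n", "</"),
        array("\\r", "\\n", "<\\/"),
        addslashes($alertmsg)
    );
    echo "alert('" . $alert_js . "');\n";
}
?>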
395 </script>
397 </body>
398 </html>