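<?php
/**
 * Document Template Management Module.
 *
 * @package OpenEMR
 * @link http://www.open-emr.org
 * @author Rod Roark <rod@sunsetsystems.com>
 * @author Brady Miller <brady.g.miller@gmail.com>
 * @copyright Copyright (c) 2013-2014 Rod Roark <rod@sunsetsystems.com>
 * @copyright Copyright (c) 2018 Brady Miller <brady.g.miller@gmail.com>
 * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
 */

require_once('../globals.php');
require_once($GLOBALS['srcdir'].'/acl.inc');

use OpenEMR\Common\Crypto\CryptoGen;

// Authorization gate: nothing below (download, delete, upload, listing) runs
// unless the session holds the admin/super ACL.
if (!acl_check('admin', 'super')) {
    die(xlt('Not authorized'));
}

// Set up crypto object
$cryptoGen = new CryptoGen();

// form_filename is only submitted by the download/delete controls, so it is
// absent on the first page load and on uploads; default to '' instead of
// reading an undefined index.
// NOTE(review): the download and delete handlers build their path from this
// value and rely on convert_safe_file_dir_name() alone to keep it inside
// $templatedir - confirm the helper neutralises path separators.
$form_filename = convert_safe_file_dir_name(
    isset($_REQUEST['form_filename']) ? $_REQUEST['form_filename'] : ''
);

// Per-site storage directory for templates ($OE_SITE_DIR is expected to come from globals.php).
$templatedir = "$OE_SITE_DIR/documents/doctemplates";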
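// If downloading a file, do the download and nothing else.
// Thus the current browser page should remain displayed.

if (!empty($_POST['bn_download'])) {
    //verify csrf
    if (!verifyCsrfToken($_POST["csrf_token_form"])) {
        csrfNotVerified();
    }

    $templatepath = "$templatedir/$form_filename";

    // Serve regular files only. An empty name, or a name such as '.' that
    // survives sanitisation, resolves to a directory; without this check the
    // read below fails and an empty "download" is sent with success headers.
    if ($form_filename === '' || !is_file($templatepath)) {
        die(xlt('Template not found'));
    }

    // Place file in variable
    $fileData = file_get_contents($templatepath);
    if ($fileData === false) {
        die(xlt('Unable to read') . " '" . text($form_filename) . "'");
    }

    // Decrypt file, if applicable
    if ($cryptoGen->cryptCheckStandard($fileData)) {
        $fileData = $cryptoGen->decryptStandard($fileData, null, 'database');
        // NOTE(review): presumably decryptStandard() signals failure with
        // false - confirm against CryptoGen. Stop here rather than send an
        // empty body that looks like a successful download.
        if ($fileData === false) {
            die(xlt('Unable to decrypt') . " '" . text($form_filename) . "'");
        }
    }

    header('Content-Description: File Transfer');
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    // attachment, not inline
    // $form_filename goes into a quoted header value; this is only safe
    // because it was sanitised when read from the request.
    header("Content-Disposition: attachment; filename=\"$form_filename\"");
    // Note we avoid providing a mime type that suggests opening the file.
    header("Content-Type: application/octet-stream");
    // Keep the browser from sniffing the body into a renderable type.
    header('X-Content-Type-Options: nosniff');
    header("Content-Length: " . strlen($fileData));
    echo $fileData;
    exit;
}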
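// Delete the selected template, then fall through to redisplay the page.
if (!empty($_POST['bn_delete'])) {
    //verify csrf
    if (!verifyCsrfToken($_POST["csrf_token_form"])) {
        csrfNotVerified();
    }

    $templatepath = "$templatedir/$form_filename";
    // is_file() keeps an empty or directory-valued name from reaching
    // unlink(). A failed delete is reported instead of being silently
    // ignored, matching how the upload handler reports a failed write.
    if (is_file($templatepath) && !unlink($templatepath)) {
        die(xlt('Unable to delete') . " '" . text($form_filename) . "'");
    }
}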
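// Store an uploaded template, optionally encrypted, under $templatedir.
if (!empty($_POST['bn_upload'])) {
    //verify csrf
    if (!verifyCsrfToken($_POST["csrf_token_form"])) {
        csrfNotVerified();
    }

    // Handle uploads.
    // The file part can be missing entirely (e.g. a hand-built request), so
    // do not index $_FILES blindly.
    $tmp_name = isset($_FILES['form_file']['tmp_name']) ? $_FILES['form_file']['tmp_name'] : '';
    if (is_uploaded_file($tmp_name) && $_FILES['form_file']['size']) {
        // Choose the destination path/filename.
        $form_dest_filename = isset($_POST['form_dest_filename']) ? $_POST['form_dest_filename'] : '';
        if ($form_dest_filename == '') {
            // Client-supplied original name; untrusted, sanitised just below.
            $form_dest_filename = $_FILES['form_file']['name'];
        }

        // basename() drops any directory part before the name is sanitised.
        $form_dest_filename = convert_safe_file_dir_name(basename($form_dest_filename));
        // The listing on this page hides names starting with '.', so a name
        // like ".odt" would be stored but could not be selected afterwards.
        if ($form_dest_filename == '' || substr($form_dest_filename, 0, 1) === '.') {
            die(xlt('Cannot determine a destination filename'));
        }

        // Allow-list on the final extension. pathinfo() omits the key when
        // the name has no dot, so default to '' rather than read an
        // undefined index.
        // NOTE(review): only the last extension is checked, so a name such as
        // "x.php.odt" passes; confirm the web server neither serves nor
        // executes anything under the documents directory.
        $path_parts = pathinfo($form_dest_filename);
        $extension = isset($path_parts['extension']) ? strtolower($path_parts['extension']) : '';
        if (!in_array($extension, array('odt', 'txt', 'docx', 'zip'), true)) {
            die(text($extension) . ' ' . xlt('filetype is not accepted'));
        }

        $templatepath = "$templatedir/$form_dest_filename";

        // Place uploaded file in variable. This happens before the existing
        // template is touched, so a failed read cannot destroy it.
        $fileData = file_get_contents($tmp_name);
        if ($fileData === false) {
            die(xlt('Unable to read') . " '" . text($form_dest_filename) . "'");
        }

        // Encrypt uploaded file, if applicable.
        // NOTE(review): the return value of encryptStandard() is stored as
        // is; confirm how it reports failure.
        if ($GLOBALS['drive_encryption']) {
            $storedData = $cryptoGen->encryptStandard($fileData, null, 'database');
        } else {
            $storedData = $fileData;
        }

        // If the site's template directory does not yet exist, create it.
        // The second is_dir() covers a concurrent request creating it first.
        if (!is_dir($templatedir) && !mkdir($templatedir) && !is_dir($templatedir)) {
            die(xlt('Unable to create') . " '" . text($templatedir) . "'");
        }

        // If the target file already exists, delete it.
        if (is_file($templatepath)) {
            unlink($templatepath);
        }

        // Store the uploaded file.
        if (file_put_contents($templatepath, $storedData) === false) {
            die(xlt('Unable to create') . " '" . text($templatepath) . "'");
        }
    }
}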
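?>
<html>

<head>
<title><?php echo xlt('Document Template Management'); ?></title>
<link rel="stylesheet" href='<?php echo attr($css_header); ?>' type='text/css'>

<style type="text/css">
 .dehead { color:#000000; font-family:sans-serif; font-size:10pt; font-weight:bold }
 .detail { color:#000000; font-family:sans-serif; font-size:10pt; font-weight:normal }
</style>

</head>

<body class="body_top">
<form method='post' action='manage_document_templates.php' enctype='multipart/form-data'
 onsubmit='return top.restoreSession()'>
<?php // One CSRF token covers all three submit buttons; each handler verifies it before acting. ?>
<input type="hidden" name="csrf_token_form" value="<?php echo attr(collectCsrfToken()); ?>" />

<center>

<h2><?php echo xlt('Document Template Management'); ?></h2>

<p>
<table border='1' width='95%'>

 <tr bgcolor='#dddddd' class='dehead'>
  <td align='center'><?php echo xlt('Upload a Template'); ?></td>
 </tr>

 <tr>
  <td valign='top' class='detail' style='padding:10pt;' nowrap>
    <?php echo xlt('Source File'); ?>:
<?php // MAX_FILE_SIZE is sent by the client and can be altered; the server-side upload limits are the real bound. ?>
   <input type="hidden" name="MAX_FILE_SIZE" value="250000000" />
   <input type="file" name="form_file" size="40" />&nbsp;
    <?php echo xlt('Destination Filename'); ?>:
   <input type='text' name='form_dest_filename' size='30' />
   &nbsp;
   <input type='submit' name='bn_upload' value='<?php echo xla('Upload') ?>' />
  </td>
 </tr>

</table>
</p>

<p>
<table border='1' width='95%'>

 <tr bgcolor='#dddddd' class='dehead'>
  <td align='center'><?php echo xlt('Download or Delete a Template'); ?></td>
 </tr>

 <tr>
  <td valign='top' class='detail' style='padding:10pt;' nowrap>
   <select name='form_filename'>
<?php
// Generate an <option> for each existing file.
$dh = is_dir($templatedir) ? opendir($templatedir) : false;
if ($dh) {
    $templateslist = array();
    while (false !== ($sfname = readdir($dh))) {
        // Skip '.', '..' and hidden entries.
        if (substr($sfname, 0, 1) == '.') {
            continue;
        }

        // Offer regular files only: the download and delete handlers act on
        // files, so a subdirectory should not be selectable.
        if (!is_file("$templatedir/$sfname")) {
            continue;
        }

        $templateslist[$sfname] = $sfname;
    }

    closedir($dh);
    ksort($templateslist);
    foreach ($templateslist as $sfname) {
        // File names come from disk and are escaped for both contexts.
        // NOTE(review): the value attribute is single-quoted, so attr() must
        // escape single quotes as well - confirm.
        echo " <option value='" . attr($sfname) . "'";
        echo ">" . text($sfname) . "</option>\n";
    }
}
?>
   </select>
   &nbsp;
   <input type='submit' name='bn_download' value='<?php echo xla('Download') ?>' />
   &nbsp;
   <input type='submit' name='bn_delete' value='<?php echo xla('Delete') ?>' />
  </td>
 </tr>

</table>
</p>

</center>

</form>
</body>
</html>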