portal/get_patient_info.php

   1 <?php
   2 /**
   3  *
   4  * Copyright (C) 2016-2017 Jerry Padgett <sjpadgett@gmail.com>
   5  * Copyright (C) 2011 Cassian LUP <cassi.lup@gmail.com>
   6  *
   7  * LICENSE: This program is free software; you can redistribute it and/or
   8  * modify it under the terms of the GNU General Public License
   9  * as published by the Free Software Foundation; either version 3
  10  * of the License, or (at your option) any later version.
  11  * This program is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  14  * GNU General Public License for more details.
  15  * You should have received a copy of the GNU General Public License
  16  * along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>;.
  17  *
  18  * @package OpenEMR
  19  * @author Cassian LUP <cassi.lup@gmail.com>
  20  * @author Jerry Padgett <sjpadgett@gmail.com>
  21  * @link http://www.open-emr.org
  22  *
  23  */
  24 // starting the PHP session (also regenerating the session id to avoid session fixation attacks)
  25 session_start();
  26 session_regenerate_id(true);
  27 //
  28
  29 // landing page definition -- where to go if something goes wrong
  30 $landingpage = "index.php?site=" . $_SESSION['site_id'];
  31 //
  32
  33 // checking whether the request comes from index.php
  34 if (! isset($_SESSION['itsme'])) {
  35     session_destroy();
  36     header('Location: ' . $landingpage . '&w');
  37     exit();
  38 }
  39
  40 // some validation
  41 if (! isset($_POST['uname']) || empty($_POST['uname'])) {
  42     session_destroy();
  43     header('Location: ' . $landingpage . '&w&c');
  44     exit();
  45 }
  46
  47 if (! isset($_POST['pass']) || empty($_POST['pass'])) {
  48     session_destroy();
  49     header('Location: ' . $landingpage . '&w&c');
  50     exit();
  51 }
  52
  53 // set the language
  54 if (! empty($_POST['languageChoice'])) {
  55     $_SESSION['language_choice'] = (int) $_POST['languageChoice'];
  56 } else if (empty($_SESSION['language_choice'])) {
  57     // just in case both are empty, then use english
  58     $_SESSION['language_choice'] = 1;
  59 } else {
  60     // keep the current session language token
  61 }
  62
  63 // Settings that will override globals.php
  64 $ignoreAuth = 1;
  65 //
  66
  67 // Authentication
  68 require_once('../interface/globals.php');
  69 require_once(dirname(__FILE__) . "/lib/appsql.class.php");
  70 $logit = new ApplicationTable();
  71 require_once("$srcdir/authentication/common_operations.php");
  72 require_once("$srcdir/user.inc");
  73 $password_update = isset($_SESSION['password_update']);
  74 unset($_SESSION['password_update']);
  75 $plain_code = $_POST['pass'];
  76
  77 $authorizedPortal = false; // flag
  78 DEFINE("TBL_PAT_ACC_ON", "patient_access_onsite");
  79 DEFINE("COL_PID", "pid");
  80 DEFINE("COL_POR_PWD", "portal_pwd");
  81 DEFINE("COL_POR_USER", "portal_username");
  82 DEFINE("COL_POR_SALT", "portal_salt");
  83 DEFINE("COL_POR_PWD_STAT", "portal_pwd_status");
  84 $sql = "SELECT " . implode(",", array(
  85     COL_ID,
  86     COL_PID,
  87     COL_POR_PWD,
  88     COL_POR_SALT,
  89     COL_POR_PWD_STAT
  90 )) . " FROM " . TBL_PAT_ACC_ON . " WHERE " . COL_POR_USER . "=?";
  91 $auth = privQuery($sql, array(
  92     $_POST['uname']
  93 ));
  94 if ($auth === false) {
  95     $logit->portalLog('login attempt', '', ($_POST['uname'] . ':invalid username'), '', '0');
  96     session_destroy();
  97     header('Location: ' . $landingpage . '&w&u');
  98     exit();
  99 }
 100
 101 if (empty($auth[COL_POR_SALT])) {
 102     if (SHA1($plain_code) != $auth[COL_POR_PWD]) {
 103         $logit->portalLog('login attempt', '', ($_POST['uname'] . ':pass not salted'), '', '0');
 104         session_destroy();
 105         header('Location: ' . $landingpage . '&w&p');
 106         exit();
 107     }
 108
 109     $new_salt = oemr_password_salt();
 110     $new_hash = oemr_password_hash($plain_code, $new_salt);
 111     $sqlUpdatePwd = " UPDATE " . TBL_PAT_ACC_ON . " SET " . COL_POR_PWD . "=?, " . COL_POR_SALT . "=? " . " WHERE " . COL_ID . "=?";
 112     privStatement($sqlUpdatePwd, array(
 113         $new_hash,
 114         $new_salt,
 115         $auth[COL_ID]
 116     ));
 117 } else {
 118     $tmp = oemr_password_hash($plain_code, $auth[COL_POR_SALT]);
 119     if ($tmp != $auth[COL_POR_PWD]) {
 120         $logit->portalLog('login attempt', '', ($_POST['uname'] . ':invalid password'), '', '0');
 121         session_destroy();
 122         header('Location: ' . $landingpage . '&w&p');
 123         exit();
 124     }
 125 }
 126
 127 $_SESSION['portal_username'] = $_POST['uname'];
 128 $sql = "SELECT * FROM `patient_data` WHERE `pid` = ?";
 129
 130 if ($userData = sqlQuery($sql, array(
 131     $auth['pid']
 132 ))) { // if query gets executed
 133
 134     if (empty($userData)) {
 135         $logit->portalLog('login attempt', '', ($_POST['uname'] . ':not active patient'), '', '0');
 136         session_destroy();
 137         header('Location: ' . $landingpage . '&w');
 138         exit();
 139     }
 140
 141     if ($userData['email'] != $_POST['passaddon']) {
 142         $logit->portalLog('login attempt', '', ($_POST['uname'] . ':invalid email'), '', '0');
 143         session_destroy();
 144         header('Location: ' . $landingpage . '&w');
 145         exit();
 146     }
 147
 148     if ($userData['allow_patient_portal'] != "YES") {
 149         // Patient has not authorized portal, so escape
 150         $logit->portalLog('login attempt', '', ($_POST['uname'] . ':allow portal turned off'), '', '0');
 151         session_destroy();
 152         header('Location: ' . $landingpage . '&w');
 153         exit();
 154     }
 155
 156     if ($auth['pid'] != $userData['pid']) {
 157         // Not sure if this is even possible, but should escape if this happens
 158         session_destroy();
 159         header('Location: ' . $landingpage . '&w');
 160         exit();
 161     }
 162
 163     if ($password_update) {
 164         $code_new = $_POST['pass_new'];
 165         $code_new_confirm = $_POST['pass_new_confirm'];
 166         if (! (empty($_POST['pass_new'])) && ! (empty($_POST['pass_new_confirm'])) && ($code_new == $code_new_confirm)) {
 167             $new_salt = oemr_password_salt();
 168             $new_hash = oemr_password_hash($code_new, $new_salt);
 169
 170             // Update the password and continue (patient is authorized)
 171             privStatement(
 172                 "UPDATE " . TBL_PAT_ACC_ON . "  SET " . COL_POR_PWD . "=?," . COL_POR_SALT . "=?," . COL_POR_PWD_STAT . "=1 WHERE id=?",
 173                 array(
 174                         $new_hash,
 175                         $new_salt,
 176                         $auth['id']
 177                 )
 178             );
 179             $authorizedPortal = true;
 180             $logit->portalLog(
 181                 'password update',
 182                 $auth['pid'],
 183                 ($_SESSION['portal_username'] . ': ' . $_SESSION['ptName'] . ':success')
 184             );
 185         }
 186     }
 187
 188     if ($auth['portal_pwd_status'] == 0) {
 189         if (! $authorizedPortal) {
 190             // Need to enter a new password in the index.php script
 191             $_SESSION['password_update'] = 1;
 192             header('Location: ' . $landingpage);
 193             exit();
 194         }
 195     }
 196
 197     if ($auth['portal_pwd_status'] == 1) {
 198         // continue (patient is authorized)
 199         $authorizedPortal = true;
 200     }
 201
 202     if ($authorizedPortal) {
 203         // patient is authorized (prepare the session variables)
 204         unset($_SESSION['password_update']); // just being safe
 205         unset($_SESSION['itsme']); // just being safe
 206         $_SESSION['pid'] = $auth['pid'];
 207         $_SESSION['patient_portal_onsite_two'] = 1;
 208
 209         $tmp = getUserIDInfo($userData['providerID']);
 210         $_SESSION['providerName'] = $tmp['fname'] . ' ' . $tmp['lname'];
 211         $_SESSION['providerUName'] = $tmp['username'];
 212         $_SESSION['sessionUser'] = '-patient-'; // $_POST['uname'];
 213         $_SESSION['providerId'] = $userData['providerID'] ? $userData['providerID'] : 'undefined';
 214         $_SESSION['ptName'] = $userData['fname'] . ' ' . $userData['lname'];
 215
 216         $logit->portalLog('login', $_SESSION['pid'], ($_SESSION['portal_username'] . ': ' . $_SESSION['ptName'] . ':success'));
 217     } else {
 218         $logit->portalLog('login', '', ($_POST['uname'] . ':not authorized'), '', '0');
 219         session_destroy();
 220         header('Location: ' . $landingpage . '&w');
 221         exit();
 222     }
 223 } else { // problem with query
 224     session_destroy();
 225     header('Location: ' . $landingpage . '&w');
 226     exit();
 227 }
 228 header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
 229 header("Cache-Control: no-cache");
 230 header("Pragma: no-cache");
 231 header('Location: ./home.php');
 232 exit();