From 5bddd2af27e6a973b21b122556d8b0400bbfcc42 Mon Sep 17 00:00:00 2001
From: bradymiller
Date: Sat, 7 Feb 2009 02:07:11 +0000
Subject: [PATCH] Embedding phpGACL.
---
Documentation/README.phpgacl | 57 +++++++------
INSTALL | 29 +++----
acl_setup.php | 32 +++----
acl_upgrade.php | 4 +-
interface/globals.php | 2 +-
interface/main/backup.php | 2 +-
interface/usergroup/adminacl.php | 2 +-
library/acl.inc | 36 ++++++--
setup.php | 138 ++++++++++++++++++++++++++++---
9 files changed, 220 insertions(+), 82 deletions(-)
diff --git a/Documentation/README.phpgacl b/Documentation/README.phpgacl
index 49829aaa8f1..4632a142bd5 100644
--- a/Documentation/README.phpgacl
+++ b/Documentation/README.phpgacl
@@ -1,12 +1,41 @@ Hints for Using phpGACL with OpenEMR by Rod Roark +Installation Instructions -OpenEMR by default does not use or require phpGACL, though it is -highly recommended. Setting it up takes some careful study, planning -and a bit of time. If you don't have the time then you should hire -an experienced person to set things up for you. Helpful installation -and configuration instructions can be found on the wiki at the +phpGACL access controls are embedded and installed by default in OpenEMR +versions 2.9.0.3 or later. The administration of the access controls is +within OpenEMR in the admin->acl menu. The library/acl.inc file can be +easily modified to turn off phpGACL or to use an external version. + + +Upgrading Instructions + +After you have upgraded to a new version of OpenEMR, you should +run the acl_upgrade.php program using your web browser +(e.g. http://openemr.location/acl_upgrade.php). This will ensure your +phpGACL database contains all the required OpenEMR Access Control +Objects. + + +For Developers + +If you add a new Access Control Object to the OpenEMR codebase, then +also add it to the following three sites: +1. Header notes of the library/acl.inc file +2. acl_setup.php file +3. acl_upgrade.php file + + +Miscellaneous Information (the below information is only applicable +to OpenEMR versions less than 2.9.0.3 or to users who choose to +install an external version of phpGACL) + +If you are using an OpenEMR version previous to 2.9.0.3, then phpGACL +has not been automatically installed. Setting it up takes some careful +study, planning and a bit of time. If you don't have the time then you +should hire an experienced person to set things up for you. Helpful +installation and configuration instructions can be found on the wiki at the www.oemr.org site. Alternatively, it's possible to set up your own access rules without 
@@ -90,21 +119,3 @@ Then if "write" or "wsome" or "addonly" access applies, key in that as the return value, otherwise a return value is not required. Then click the Submit button to save that particular access rule. Repeat until all your ACL rules are defined. - - -Upgrading Instructions - -After you have upgraded to a new version of OpenEMR, you should -consider running the acl_upgrade.php program using your web browser -(e.g. http://openemr.location/acl_upgrade.php). This will ensure your -phpGACL database contains all the required OpenEMR Access Control -Objects. - - -For Developers - -If you add a new Access Control Object to the OpenEMR codebase, then -also add it to the following three sites: -1. Header notes of the library/acl.inc file -2. acl_setup.php file -3. acl_upgrade.php file diff --git a/INSTALL b/INSTALL index 1cb1711efcd..5055e9d2fa5 100644 --- a/INSTALL +++ b/INSTALL @@ -118,9 +118,10 @@ something more secure (such as chmod 644) before actively using OpenEMR. Should anything fail during step 3, you may have to remove the existing database or tables before you can try again. -Step 4 is very much like step 3, except the only thing taking place is the -writing of SQL configuration to disk. Should it fail due to permissions or any -other reason, you may click the reload button to try again. +Step 4 is the writing of SQL configuration to disk and the +installation/configuration of the phpGACL access controls. Should it display +errors related to file writing priviledges you may click the back button to +try again (after fixing file permission). Once setup is completed, one last thing must be done before OpenEMR can be used. The file openemr/interface/globals.php must be edited by hand to reflect the 
@@ -160,16 +161,12 @@ and custom/faxcover.txt; it also requires the following utilities: IV. Setting Up Access Control -You can either choose to install phpGACL, which is very powerful access control -software, or you can use the default OpenEMR access controls, which are very -limited. If you choose to install phpGACL (see http://phpgacl.sourceforge.net/), -recommend reading the phpGACL manual, the /openemr/Documentation/README.phpgacl -file, and the online wiki at www.oemr.org for installation and configuration -instructions. Also recommend reading the comments in /openemr/library/acl.inc -and also modifying that file to point to your phpGACL installation directory. - -It is reasonable to first get a basic OpenEMR installation working and then add -these extended access controls later. +Since OpenEMR version 2.9.0.3, phpGACL access control software is installed +and configured automatically during OpenEMR setup. This is very powerful +access control software. To learn more about phpGACL +(see http://phpgacl.sourceforge.net/), recommend reading the phpGACL manual, +the /openemr/Documentation/README.phpgacl file, and the online wiki at +www.oemr.org. Also recommend reading the comments in /openemr/library/acl.inc. V. Upgrading @@ -197,6 +194,6 @@ management (normally you should), run the sl_convert.php script (e.g. http://openemr.location/sl_convert.php). Note this script may run for several minutes or longer. -If phpGACL is installed, then you should also upgrade your Access Controls -by running the acl_upgrade.php program using your web browser -(e.g. http://openemr.location/acl_upgrade.php). +If phpGACL is installed (automatically installed since OpenEMR version 2.9.0.3), +then you should upgrade your Access Controls by running the acl_upgrade.php +program using your web browser (e.g. http://openemr.location/acl_upgrade.php). diff --git a/acl_setup.php b/acl_setup.php index f5c1d59bfb5..9ed91ba9668 100644 --- a/acl_setup.php +++ b/acl_setup.php 
@@ -6,9 +6,9 @@ // as published by the Free Software Foundation; either version 2 // of the License, or (at your option) any later version. // - // This program may be run after phpGACL has been installed, and will - // create the Access Control Objects and their sections as required - // by OpenEMR. See openemr/library/acl.inc file for the list of + // This program is run by the OpenEMR setup.php script to install phpGACL + // and creates the Access Control Objects and their sections. + // See openemr/library/acl.inc file for the list of // currently supported Access Control Objects(ACO), which this // script will install. This script also creates several // ARO groups, an "admin" ARO, and some reasonable ACL entries for @@ -21,10 +21,10 @@ // Accounting // // Upgrade Howto - // If you have previously installed phpGACL, and have since upgraded - // to a new version of OpenEMR, then should consider upgrading - // the phpGACL database with the acl_upgrade.php script to ensure - // the database includes all the required Access Control Objects(ACO). + // When upgrading to a new version of OpenEMR, run the acl_upgrade.php + // script to update the phpGACL access controls. This is required to + // ensure the database includes all the required Access Control + // Objects(ACO). // include_once('library/acl.inc'); @@ -38,11 +38,8 @@ // Create the ACO sections. Every ACO must have a section. // if ($gacl->add_object_section('Accounting', 'acct', 10, 0, 'ACO') === FALSE) { - die("
This is not working. Make sure you have:
" . - "* Set the correct phpgacl database name, user and password in gacl.ini.php
" . - "* Done the same in gacl.class.php
" . - "* Run setup.php from the phpGACL distribution
" . - "* Not already run this script successfully
"); + echo "Unable to create the access controls for OpenEMR. You have likely already run this script (acl_setup.php) successfully.
Other possible problems include php-GACL configuration file errors (gacl.ini.php or gacl.class.php).
"; + return; } $gacl->add_object_section('Administration', 'admin' , 10, 0, 'ACO'); $gacl->add_object_section('Encounters' , 'encounters' , 10, 0, 'ACO'); @@ -195,13 +192,8 @@ -OpenEMR ACL Setup -

- - -All done! - - - +OpenEMR ACL Setup +
+All done configuring and installing access controls (php-GACL)! diff --git a/acl_upgrade.php b/acl_upgrade.php index 93e0eeb1a48..65feb4ef8e8 100644 --- a/acl_upgrade.php +++ b/acl_upgrade.php @@ -6,9 +6,7 @@ // // This script will update the phpGACL database, which include // Access Control Objects(ACO), Groups(ARO), and Access Control -// Lists(ACL) created by the the acl_setup.php(2.8.1 onward) -// program, to the most recent version. -// (this assumes phpGACL has been previously installed) +// Lists(ACL) to the most recent version. // It will display whether each update already exist // or if it was updated succesfully. // diff --git a/interface/globals.php b/interface/globals.php index bfdfd588a2d..6953f485118 100644 --- a/interface/globals.php +++ b/interface/globals.php @@ -170,7 +170,7 @@ $v_major = '2'; $v_minor = '9'; $v_patch = '0'; -$tag = '.2'; // minor revision number, should be empty for production releases +$tag = '.3'; // minor revision number, should be empty for production releases // This name appears on the login page and in the title bar of most windows. // It's nice to customize this to be the name of your clinic. diff --git a/interface/main/backup.php b/interface/main/backup.php index 84bd6784746..a09d9435cfe 100644 --- a/interface/main/backup.php +++ b/interface/main/backup.php @@ -123,7 +123,7 @@ $cmd = "cd $webserver_root; tar --same-owner --ignore-failed-read -zcphf $BACKUP_DIR/openemr.tar.gz ."; } if ($form_step == 5) { - if (!empty($phpgacl_location)) { + if ((!empty($phpgacl_location)) && ($phpgacl_location != $GLOBALS['fileroot']."/gacl")) { $form_status .= "Dumping phpGACL web directory tree ...
"; echo nl2br($form_status); $cmd = "cd $phpgacl_location; tar --same-owner --ignore-failed-read -zcphf $BACKUP_DIR/phpgacl.tar.gz ."; diff --git a/interface/usergroup/adminacl.php b/interface/usergroup/adminacl.php index 4261ca2af3d..94afc914715 100644 --- a/interface/usergroup/adminacl.php +++ b/interface/usergroup/adminacl.php @@ -508,7 +508,7 @@ function generic_click(cthis) { - +  (Advanced)
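Review bot: The new exclusion compares `$phpgacl_location` with `$GLOBALS['fileroot']."/gacl"` as raw strings using loose `!=`, so a trailing slash, a symlink or a relative path in the configured location defeats it and the embedded tree is archived a second time. Comparing canonical paths would be sturdier: `realpath($phpgacl_location) !== realpath($GLOBALS['fileroot'] . '/gacl')`. The branch that remains still places `$phpgacl_location` unquoted into `cd $phpgacl_location; tar ...`; passing it through `escapeshellarg()` would keep a path containing spaces or shell metacharacters from changing the command. The `if ($form_step == 5)` block continues outside the hunk.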

diff --git a/library/acl.inc b/library/acl.inc index 0c2f611a8d0..f666f7f519e 100644 --- a/library/acl.inc +++ b/library/acl.inc @@ -1,10 +1,27 @@ @@ -70,9 +77,6 @@ There's much information and many extra tools bundled within the OpenEMR installation directory. Please refer to openemr/Documentation.
Many forms and other useful scripts can be found at openemr/contrib. -
OpenEMR now comes with optional GACL support, a fine grained access control -system. Please refer to openemr/Documentation/README.phpgacl for -easy- -installation.

Reading openemr/includes/config.php and openemr/interface/globals.php is a good @@ -325,6 +329,8 @@ + +
\n

\n"; @@ -333,14 +339,36 @@ case 4: echo "Step $state

\n"; -echo "Writing SQL Configuration to disk...\n"; +echo "Writing SQL Configuration to disk and configuring access controls (php-GACL)...

"; + +//ensure required files and directories are writable before moving on +$errorWritable = 0; +foreach ($writableFileList as $tempFile) { + if (!(is_writable($tempFile))) { + echo "ERROR. Could not open config file '$tempFile' for writing.
"; + echo "(ensure '$tempFile' is world-writeable, then go back in browser and try again).

"; + flush(); + $errorWritable = 1; + } +} + +foreach ($writableDirList as $tempDir) { + if (!(is_writable($tempDir))) { + echo "ERROR. Could not open directory '$tempDir' for writing.
"; + echo "(ensure '$tempDir' is world-writeable, then go back in browser and try again).

"; + flush(); + $errorWritable = 1; + } +} +if ($errorWritable) { + break; +} + +//passed all file tests, now can write sql configuration and configure php-GACL + +echo "Writing SQL Configuration...
"; @touch($conffile); // php bug $fd = @fopen($conffile, 'w'); -if ($fd == FALSE) { - echo "ERROR. Could not open config file '$conffile' for writing.\n"; - flush(); - break; -} $string = "\nPlease restore secure permissions on the 'library/sqlconf.php' file now.\n

\n +echo "Successfully wrote SQL configuration.
"; +echo "PLEASE restore secure permissions on the 'library/sqlconf.php' file.


"; + +echo "Installing and Configuring Access Controls (php-GACL)
"; + +//first, edit two gacl config files +// edit gacl.ini.php +$data = file($gaclConfigFile1) or die("Could not read ".$gaclConfigFile1." file."); +$finalData = ""; +foreach ($data as $line) { + $isHit = 0; + if ((strpos($line,"db_host")) === false) { + } + else { + $isHit = 1; + $finalData .= "db_host = \"${host}\"\n"; + } + if ((strpos($line,"db_user")) === false) { + } + else { + $isHit = 1; + $finalData .= "db_user = \"${login}\"\n"; + } + if ((strpos($line,"db_password")) === false) { + } + else { + $isHit = 1; + $finalData .= "db_password = \"${pass}\"\n"; + } + if ((strpos($line,"db_name")) === false) { + } + else { + $isHit = 1; + $finalData .= "db_name = \"${dbname}\"\n"; + } + if (!$isHit) { + $finalData .= $line; + } +} +$fd = @fopen($gaclConfigFile1, 'w') or die("Could not open ".$gaclConfigFile1." file."); +fwrite($fd, $finalData); +fclose($fd); + +// edit gacl.class.php +$data = file($gaclConfigFile2) or die("Could not read ".$gaclConfigFile2." file."); +$finalData = ""; +foreach ($data as $line) { + $isHit = 0; + if ((strpos($line,"var \$_db_host = ")) === false) { + } + else { + $isHit = 1; + $finalData .= "var \$_db_host = '$host';\n"; + } + if ((strpos($line,"var \$_db_user = ")) === false) { + } + else { + $isHit = 1; + $finalData .= "var \$_db_user = '$login';\n"; + } + if ((strpos($line,"var \$_db_password = ")) === false) { + } + else { + $isHit = 1; + $finalData .= "var \$_db_password = '$pass';\n"; + } + if ((strpos($line,"var \$_db_name = ")) === false) { + } + else { + $isHit = 1; + $finalData .= "var \$_db_name = '$dbname';\n"; + } + if (!$isHit) { + $finalData .= $line; + } +} +$fd = @fopen($gaclConfigFile2, 'w') or die("Could not open ".$gaclConfigFile2." file."); +fwrite($fd, $finalData); +fclose($fd); + +//second, run gacl config scripts +require $gaclSetupScript1; +require $gaclSetupScript2; +echo "
"; + +//third, give the administrator user admin priviledges +$groupArray = array("Administrators"); +set_user_aro($groupArray,$iuser,$iuname,"",""); +echo "Gave the '$iuser' user (password is 'pass') administrator access.
"; + +echo "
\n \n
\n

\n";
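Review bot: The four lines that rewrite gacl.class.php place the installer values inside single-quoted PHP literals without escaping (`$finalData .= "var \$_db_password = '$pass';\n";` and its siblings for host, login and database name), so a value containing `'` or `\` produces a broken or altered class file that is later loaded as code. Emitting the literal with `var_export()` avoids this, e.g. `$finalData .= "var \$_db_password = " . var_export($pass, true) . ";\n";`, and the double-quoted values written to gacl.ini.php need the same care for `"`. The step asks for every entry in `$writableFileList` and `$writableDirList` to be world-writeable, yet the closing reminder names only 'library/sqlconf.php'; if the gacl config files are in that list (its definition is not visible here), they now hold the database password and the reminder should cover them. The final message prints `$iuser` unescaped and announces the fixed password 'pass'; `htmlspecialchars($iuser)` and a prompt to change that password right after first login would be worth adding. The enclosing `case 4:` block begins above this hunk.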