d2 and d3 for onc 2015 (openemr#3964)
bradymiller committed Oct 16, 2020
1 parent ce9ebc5 commit ddd4d8f
Showing 21 changed files with 247 additions and 246 deletions.
2 changes: 1 addition & 1 deletion interface/forms/eye_mag/php/eye_mag_functions.php
Expand Up @@ -3707,7 +3707,7 @@ function document_engine($pid)
from
categories, documents,categories_to_documents
where documents.foreign_id=? and documents.id=categories_to_documents.document_id and
categories_to_documents.category_id=categories.id ORDER BY categories.name";
categories_to_documents.category_id=categories.id and documents.deleted = 0 ORDER BY categories.name";
$sql2 = sqlStatement($query, array($pid));
while ($row2 = sqlFetchArray($sql2)) {
//the document may not be created on the same day as the encounter, use encounter date first
2 changes: 1 addition & 1 deletion interface/forms/eye_mag/php/taskman_functions.php
Expand Up @@ -38,7 +38,7 @@ function make_task($ajax_req)
$to_data = sqlQuery($query, array($to_id));
$filename = "Fax_" . $encounter . "_" . $to_data['lname'] . ".pdf";

$query = "SELECT * FROM documents where encounter_id=? and foreign_id=? and url like ?";
$query = "SELECT * FROM documents where encounter_id=? and foreign_id=? and url like ? and deleted = 0";
$doc = sqlQuery($query, array($encounter,$pid,'%' . $filename . '%' ));


5 changes: 5 additions & 0 deletions interface/logview/logview.php
Expand Up @@ -323,6 +323,11 @@ function setpatient(pid, lname, fname, dob) {
$cryptoGen = new CryptoGen();

while ($iter = sqlFetchArray($ret)) {
if (empty($iter['id'])) {
//skip empty log items (this means they were deleted and will show up as deleted in the audit log tamper script)
continue;
}

//translate comments
$patterns = array ('/^success/','/^failure/','/ encounter/');
$replace = array ( xl('success'), xl('failure'), xl('encounter', '', ' '));
4 changes: 2 additions & 2 deletions interface/main/backup.php
Expand Up @@ -199,7 +199,7 @@ function gzopen($filename, $mode, $use_include_path = 0)
echo " <td>" . xlt('Create Eventlog Backup') . "</td>\n";
echo " </tr>\n";
echo " <tr>\n";
echo " <td></td><td class='text'><strong>" . xlt('Note') . "</strong>&nbsp;" . xlt('Please refer to') . '&nbsp;README-Log-Backup.txt&nbsp;' . xlt('file in the Documentation directory to learn how to automate the process of creating log backups') . "</td>\n";
echo " <td></td><td class='text'>" . xlt('Note that the Eventlog Backup is currently set to save in the following folder:') . " " . text($GLOBALS['backup_log_dir']) . " . " . xlt('Recommend setting the Path for Event Log Backup in Globals settings in the Miscellaneous section to something other than your tmp/temp directory.') . " " . xlt('Please refer to') . ' README-Log-Backup.txt ' . xlt('file in the Documentation directory to learn how to automate the process of creating log backups') . ".</td>\n";
echo " </tr>\n";
echo "</table>\n";
}
Expand Down Expand Up @@ -558,7 +558,7 @@ function gzopen($filename, $mode, $use_include_path = 0)
# Get the Current Timestamp, to attach with the log backup file
$backuptime = date("Ymd_His");
# Eventlog backup directory
$BACKUP_EVENTLOG_DIR = $GLOBALS['backup_log_dir'] . "/emr_eventlog_backup";
$BACKUP_EVENTLOG_DIR = $GLOBALS['backup_log_dir'];

# Check if Eventlog Backup directory exists, if not create it with Write permission
if (!file_exists($BACKUP_EVENTLOG_DIR)) {
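Review bot: In the second hunk, `$BACKUP_EVENTLOG_DIR = $GLOBALS['backup_log_dir'];` drops the dedicated `emr_eventlog_backup` subfolder, so event log backups are now written straight into whatever directory the global names, which by the new help text in the first hunk may be the tmp/temp directory. Audit log exports are sensitive, and the directory-creation branch that follows continues outside the hunk, so the mode it uses is not visible here. It is worth confirming that the directory is created owner-only and that an empty `backup_log_dir` is rejected before `file_exists()` is reached. A comment above the assignment such as `// Holds audit log exports: must not be web-readable or shared with other temp files` would record the requirement.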

Large diffs are not rendered by default.

27 changes: 5 additions & 22 deletions interface/patient_file/deleter.php
Expand Up @@ -174,32 +174,15 @@ function form_delete($formdir, $formid, $patient_id, $encounter_id)
}
}

// Delete a specified document including its associated relations and file.
// Delete a specified document including its associated relations.
// Note the specific file is not deleted (instead flagged as deleted), since required to keep file for
// ONC 2015 certification purposes.
//
function delete_document($document)
{
$trow = sqlQuery("SELECT url, thumb_url, storagemethod, couch_docid, couch_revid FROM documents WHERE id = ?", array($document));
$url = $trow['url'];
$thumb_url = $trow['thumb_url'];
sqlStatement("UPDATE `documents` SET `deleted` = 1 WHERE id = ?", [$document]);
row_delete("categories_to_documents", "document_id = '" . add_escape_custom($document) . "'");
row_delete("documents", "id = '" . add_escape_custom($document) . "'");
row_delete("gprelations", "type1 = 1 AND id1 = '" . add_escape_custom($document) . "'");

switch ((int)$trow['storagemethod']) {
//for hard disk store
case 0:
@unlink(substr($url, 7));

if (!is_null($thumb_url)) {
@unlink(substr($thumb_url, 7));
}
break;
//for CouchDB store
case 1:
$couchDB = new CouchDB();
$couchDB->DeleteDoc($trow['couch_docid'], $trow['couch_revid']);
break;
}
}
?>
<html>
Expand Down Expand Up @@ -259,7 +242,7 @@ function popup_close() {
row_delete("forms", "pid = '" . add_escape_custom($patient) . "'");

// Delete all documents for the patient.
$res = sqlStatement("SELECT id FROM documents WHERE foreign_id = ?", array($patient));
$res = sqlStatement("SELECT id FROM documents WHERE foreign_id = ? AND deleted = 0", array($patient));
while ($row = sqlFetchArray($res)) {
delete_document($row['id']);
}
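Review bot: `delete_document()` now only sets `deleted = 1` and leaves the stored file (disk or CouchDB) in place, so every code path that fetches a document by id has to honour the flag, not only the listing queries. This commit adds `deleted = 0` to the list queries and to `DocumentService::getFile`, but an id-based retrieval path that skips the check would still serve a document the user believes was deleted. None is visible on this page, and one file's diff is not rendered, so this needs checking against the rest of the tree. The function comment should also state that the patient-delete loop in the second hunk keeps that patient's files, e.g. `// NOTE: files are retained even when the whole patient is deleted`.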
2 changes: 1 addition & 1 deletion interface/patient_file/report/patient_report.php
Expand Up @@ -524,7 +524,7 @@ function show_date_fun(){
$sql = "SELECT d.id, d.url, d.name as document_name, c.name, c.aco_spec FROM documents AS d " .
"LEFT JOIN categories_to_documents AS ctd ON d.id=ctd.document_id " .
"LEFT JOIN categories AS c ON c.id = ctd.category_id WHERE " .
"d.foreign_id = ?";
"d.foreign_id = ? AND d.deleted = 0";
$result = $db->Execute($sql, array($pid));
if ($db->ErrorMsg()) {
echo $db->ErrorMsg();
2 changes: 1 addition & 1 deletion interface/patient_file/summary/advancedirectives.php
Expand Up @@ -118,7 +118,7 @@ function validate(f) {
"INNER JOIN categories_to_documents " .
"ON categories_to_documents.document_id=documents.id " .
"WHERE categories_to_documents.category_id=? " .
"AND documents.foreign_id=? " .
"AND documents.foreign_id=? AND documents.deleted = 0" .
"ORDER BY documents.date DESC";
$resNew2 = sqlStatement($query, array($categoryId, $pid));
$counterFlag = false; //flag used to check for empty categories
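Review bot: The changed line `"AND documents.foreign_id=? AND documents.deleted = 0" .` lost the trailing space that the old line had before its closing quote, so the concatenated SQL reads `documents.deleted = 0ORDER BY documents.date DESC`. The server will very likely reject that or parse it differently from what is intended, which would break the advance-directives lookup for every patient. Restore the separator: `"AND documents.foreign_id=? AND documents.deleted = 0 " .`. The second hunk of interface/patient_file/summary/demographics.php (at -1453) contains the identical line and needs the same fix.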
4 changes: 2 additions & 2 deletions interface/patient_file/summary/demographics.php
Expand Up @@ -106,7 +106,7 @@ function pic_array($pid, $picture_directory)
$sql_query = "select documents.id from documents join categories_to_documents " .
"on documents.id = categories_to_documents.document_id " .
"join categories on categories.id = categories_to_documents.category_id " .
"where categories.name like ? and documents.foreign_id = ?";
"where categories.name like ? and documents.foreign_id = ? and documents.deleted = 0";
if ($query = sqlStatement($sql_query, array($picture_directory, $pid))) {
while ($results = sqlFetchArray($query)) {
array_push($pics, $results['id']);
Expand Down Expand Up @@ -1453,7 +1453,7 @@ function setMyPatient() {
"INNER JOIN categories_to_documents " .
"ON categories_to_documents.document_id=documents.id " .
"WHERE categories_to_documents.category_id=? " .
"AND documents.foreign_id=? " .
"AND documents.foreign_id=? AND documents.deleted = 0" .
"ORDER BY documents.date DESC";
$resNew2 = sqlStatement($query, array($categoryId, $pid));
$limitCounter = 0; // limit to one entry per category
6 changes: 6 additions & 0 deletions interface/reports/audit_log_tamper_report.php
Expand Up @@ -216,6 +216,12 @@ function setpatient(pid, lname, fname, dob) {
$cryptoGen = new CryptoGen();

while ($iter = sqlFetchArray($ret)) {
if (empty($iter["id"])) {
// Log item is missing; it has been deleted.
echo "<tr><td colspan='6' class='text tamperColor''>" . xlt("The log entry with following id has been deleted") . ": " . $iter['log_id_hash'] . "</td></tr>";
continue;
}

//translate comments
$patterns = array ('/^success/','/^failure/','/ encounter/');
$replace = array ( xl('success'), xl('failure'), xl('encounter', '', ' '));
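Review bot: The new table row echoes `$iter['log_id_hash']` without output escaping, and its `class` attribute ends in two quotes (`class='text tamperColor''`), which leaves the cell's markup malformed. The value is expected to be a numeric id from `log_comment_encrypt`, but this report exists to display possibly tampered data, so it should be escaped like the rest of the output: use `class='text tamperColor'>` and `text($iter['log_id_hash'])`. The loop body continues outside the hunk.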
7 changes: 5 additions & 2 deletions library/ajax/adminacl_ajax.php
Expand Up @@ -21,6 +21,7 @@
use OpenEMR\Common\Acl\AclExtended;
use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Csrf\CsrfUtils;
use OpenEMR\Common\Logging\EventAuditLogger;

header("Content-type: text/xml");
header("Cache-Control: no-cache");
Expand Down Expand Up @@ -71,8 +72,9 @@
exit;
}

//add the group, then return updated membership data
//add the group, then log it, then return updated membership data
AclExtended::addUserAros($_POST["name"], $_POST["selection"]);
EventAuditLogger::instance()->newEvent("security-administration-update", $_SESSION['authUser'], $_SESSION['authProvider'], 1, "Added " . $_POST["name"] . " to following access group(s): " . implode(', ', $_POST["selection"]));
echo user_group_listings_xml($_POST["name"], $error);
}

Expand Down Expand Up @@ -101,8 +103,9 @@
exit;
}

//remove the group(s), then return updated membership data
//remove the group(s), then log it, then return updated membership data
AclExtended::removeUserAros($_POST["name"], $_POST["selection"]);
EventAuditLogger::instance()->newEvent("security-administration-update", $_SESSION['authUser'], $_SESSION['authProvider'], 1, "Removed " . $_POST["name"] . " from following access group(s): " . implode(', ', $_POST["selection"]));
echo user_group_listings_xml($_POST["name"], $error);
}
}
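Review bot: Both new `newEvent()` calls record the event after the ACL call without looking at its outcome and pass a fixed `1` in what appears to be the success position, so a failed `addUserAros()` or `removeUserAros()` would still be logged as a successful change. The comment text is also built from raw `$_POST["name"]` and `$_POST["selection"]`. The validation that precedes each call lies outside the hunks, so confirm it guarantees `selection` is an array of known groups before `implode()` sees it, and that the log viewers escape this comment on output. If the ACL helpers return a status, pass it through instead of the literal.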
2 changes: 1 addition & 1 deletion library/classes/CategoryTree.class.php
Expand Up @@ -24,7 +24,7 @@ function _get_categories_array($patient_id, $user = '')
$sql = "SELECT c.id, c.name, c.aco_spec, d.id AS document_id, d.name AS document_name, d.type, d.url, d.docdate"
. " FROM categories AS c, documents AS d, categories_to_documents AS c2d"
. " WHERE c.id = c2d.category_id"
. " AND c2d.document_id = d.id";
. " AND c2d.document_id = d.id AND d.deleted = 0";

if (is_numeric($patient_id)) {
if ($patient_id == "00") {
4 changes: 2 additions & 2 deletions library/globals.inc.php
Expand Up @@ -2739,7 +2739,7 @@ function gblTimeZones()
'audit_events_query' => array(
xl('Audit Logging SELECT Query'),
'bool', // data type
'0', // default
'1', // default
xl('Enable logging of all SQL SELECT queries.') . ' (' . xl('Note that Audit Logging needs to be enabled above') . ')'
),

Expand Down Expand Up @@ -2827,7 +2827,7 @@ function gblTimeZones()
'1' => xl('Hide print feature'),
'2' => xl('Log entire document'),
),
'0', // default
'2', // default
xl('Individual pages can override 2nd and 3rd options by implementing a log message.')
),

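Review bot: The two flipped defaults (`'1'` for `audit_events_query` and `'2'` for the print-logging option) carry no comment saying why, and a reader cannot tell from the hunks that they belong to the ONC 2015 work named in the commit title. Logging every SELECT and every printed document greatly increases how much patient data lands in the audit tables, so each deserves a line such as `// default on for ONC 2015 audit requirements; expect larger log tables`. Changing a default here presumably affects only installations that have no stored value for the setting. If existing sites are meant to get the new behaviour, that needs an upgrade step, and none is visible on this page.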
2 changes: 1 addition & 1 deletion library/sql.inc
Expand Up @@ -455,7 +455,7 @@ function getSqlLastErrorNo()
function sqlListFields($table)
{
$sql = "SHOW COLUMNS FROM " . add_escape_custom($table);
$resource = sqlQ($sql);
$resource = sqlStatementNoLog($sql);
$field_list = array();
while ($row = sqlFetchArray($resource)) {
$field_list[] = $row['Field'];
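Review bot: Switching to `sqlStatementNoLog($sql)` means this statement is no longer written to the audit log, while `$table` is still concatenated into it as an unquoted identifier after `add_escape_custom()`, which by its name is a string-value escape rather than an identifier check. With the log bypassed, a caller passing an unexpected table name would leave no trace, so the function should state its contract, e.g. `// $table must be a trusted, known table name; this query is intentionally not audit-logged`. The function body continues past the hunk.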
2 changes: 1 addition & 1 deletion portal/get_patient_documents.php
Expand Up @@ -25,7 +25,7 @@
// get the temporary folder
$tmp = $GLOBALS['temporary_files_dir'];
// get all the documents of the patient
$sql = "SELECT url, id, mimetype, `name` FROM `documents` WHERE `foreign_id` = ?";
$sql = "SELECT url, id, mimetype, `name` FROM `documents` WHERE `foreign_id` = ? AND `deleted` = 0";
$fres = sqlStatement($sql, array($pid));

// for every document
2 changes: 1 addition & 1 deletion portal/report/portal_patient_report.php
Expand Up @@ -612,7 +612,7 @@ function show_date_fun(){
$sql = "SELECT d.id, d.url, d.name as document_name, c.name FROM documents AS d " .
"LEFT JOIN categories_to_documents AS ctd ON d.id=ctd.document_id " .
"LEFT JOIN categories AS c ON c.id = ctd.category_id WHERE " .
"d.foreign_id = ?";
"d.foreign_id = ? AND d.deleted = 0";
$result = $db->Execute($sql, [$pid]);
if ($db->ErrorMsg()) {
echo $db->ErrorMsg();
3 changes: 3 additions & 0 deletions sql/5_0_2-to-6_0_0_upgrade.sql
Expand Up @@ -2258,3 +2258,6 @@ ALTER TABLE `form_prior_auth` ADD `date_from` date DEFAULT NULL;
ALTER TABLE `form_prior_auth` ADD `date_to` date DEFAULT NULL;
#EndIf

#IfMissingColumn documents deleted
ALTER TABLE `documents` ADD `deleted` tinyint(1) NOT NULL DEFAULT '0',
#EndIf
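Review bot: The added ALTER TABLE statement for the `deleted` column ends with `,` instead of `;`, unlike the `form_prior_auth` statements just above it. Depending on how the upgrade runner splits statements, this either fails as a syntax error or is glued to whatever follows. In both cases the column is likely not added on upgraded sites, while the PHP in this commit already filters on `documents.deleted`. Replace the trailing `,` with `;`.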
1 change: 1 addition & 0 deletions sql/database.sql
Expand Up @@ -1216,6 +1216,7 @@ CREATE TABLE `documents` (
`documentationOf` varchar(255) DEFAULT NULL,
`encrypted` TINYINT(4) NOT NULL DEFAULT '0' COMMENT '0->No,1->Yes',
`document_data` MEDIUMTEXT,
`deleted` tinyint(1) NOT NULL DEFAULT '0',
PRIMARY KEY (`id`),
UNIQUE KEY `drive_uuid` (`drive_uuid`),
KEY `revision` (`revision`),
6 changes: 3 additions & 3 deletions src/Common/Logging/EventAuditLogger.php
Expand Up @@ -183,7 +183,7 @@ public function getEvents($params)
{
// parse the parameters
$cols = "DISTINCT l.`date`, l.`event`, l.`category`, l.`user`, l.`groupname`, l.`patient_id`, l.`success`, l.`comments`, l.`user_notes`, l.`crt_user`, l.`log_from`, l.`menu_item_id`, l.`ccda_doc_id`, l.`id`,
el.`encrypt`, el.`checksum`, el.`checksum_api`, el.`version`,
el.`encrypt`, el.`checksum`, el.`checksum_api`, el.`version`, el.`log_id` as `log_id_hash`,
al.`log_id` as log_id_api, al.`user_id`, al.`patient_id` as patient_id_api, al.`ip_address`, al.`method`, al.`request`, al.`request_url`, al.`request_body`, al.`response`, al.`created_time` ";
if (isset($params['cols']) && $params['cols'] != "") {
$cols = $params['cols'];
Expand Down Expand Up @@ -280,7 +280,7 @@ public function getEvents($params)
} else {
// do the query
$sqlBindArray = array();
$sql = "SELECT $cols FROM `log` as l LEFT OUTER JOIN `log_comment_encrypt` as el ON l.`id` = el.`log_id` LEFT OUTER JOIN `api_log` as al ON l.`id` = al.`log_id` WHERE l.`date` >= ? AND l.`date` <= ?";
$sql = "SELECT $cols FROM `log_comment_encrypt` as el LEFT OUTER JOIN `log` as l ON el.`log_id` = l.`id` LEFT OUTER JOIN `api_log` as al ON el.`log_id` = al.`log_id` WHERE (l.`date` >= ? AND l.`date` <= ?) OR (l.`date` IS NULL OR l.`date` = '')";
array_push($sqlBindArray, $date1, $date2);

if ($user != "") {
Expand All @@ -306,7 +306,7 @@ public function getEvents($params)
if ($sortby != "") {
$sql .= " ORDER BY `" . escape_sql_column_name($sortby, array('log')) . "` " . escape_sort_order($direction); // descending order
} else {
$sql .= " ORDER BY l.`date` DESC";
$sql .= " ORDER BY el.`log_id` DESC";
}

$sql .= " LIMIT 5000";
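Review bot: The new WHERE clause in the second hunk, `(date range) OR (l.date IS NULL OR l.date = '')`, is not parenthesised as a whole, and the code after it (`if ($user != "") {` onward, outside the hunk) appears to append further conditions to `$sql`. If those are joined with AND, SQL precedence binds them only to the right-hand OR branch, so the user, patient and event filters would no longer restrict rows inside the date range and the viewer would show entries the filter was meant to exclude. Add one more pair of parentheses around the whole expression, i.e. `WHERE ((…date range…) OR (…date missing…))`, so that every appended filter applies to both branches.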
4 changes: 2 additions & 2 deletions src/Services/DocumentService.php
Expand Up @@ -79,7 +79,7 @@ public function getAllAtPath($pid, $path)
$documentsSql = " SELECT doc.url, doc.id, doc.mimetype, doc.docdate";
$documentsSql .= " FROM documents doc";
$documentsSql .= " JOIN categories_to_documents ctd on ctd.document_id = doc.id";
$documentsSql .= " WHERE ctd.category_id = ? and doc.foreign_id = ?";
$documentsSql .= " WHERE ctd.category_id = ? and doc.foreign_id = ? and doc.deleted = 0";

$documentResults = sqlStatement($documentsSql, array($categoryId, $pid));

Expand Down Expand Up @@ -132,7 +132,7 @@ public function insertAtPath($pid, $path, $fileData)

public function getFile($pid, $did)
{
$filenameSql = sqlQuery("SELECT `url`, `mimetype` FROM `documents` WHERE `id` = ? AND `foreign_id` = ?", [$did, $pid]);
$filenameSql = sqlQuery("SELECT `url`, `mimetype` FROM `documents` WHERE `id` = ? AND `foreign_id` = ? AND `deleted` = 0", [$did, $pid]);

if (empty(basename($filenameSql['url']))) {
$filename = "unknownName";
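Review bot: In `getFile()`, the added `deleted = 0` filter makes the lookup return no row for a flagged document, but the next line reads `$filenameSql['url']` without checking the result, so the method carries on with the name `unknownName` instead of reporting not-found. The rest of the method is outside the hunk, so what it then does with an empty `url` is not visible. A guard right after the query, e.g. `if (empty($filenameSql)) { return null; }` (or whatever value this method's callers treat as not found), keeps a deleted or foreign document from being handled like a nameless one.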
2 changes: 1 addition & 1 deletion version.php
Expand Up @@ -28,7 +28,7 @@
// is a database change in the course of development. It is used
// internally to determine when a database upgrade is needed.
//
$v_database = 361;
$v_database = 362;

// Access control version identifier, this is to be incremented whenever there
// is a access control change in the course of development. It is used
