bug: fix bug (openemr#7231)

* bug: fix bug * fix bugs * fix bug
stephenwaite · Mar 20, 2024 · d038097 · d038097
1 parent dc1e6ee
commit d038097
Show file tree

Hide file tree

Showing 11 changed files with 53 additions and 14 deletions.
diff --git a/ccr/createCCR.php b/ccr/createCCR.php
@@ -30,6 +30,13 @@
  header('Location: ' . $landingpage . '?w');
  exit;
  }
+} else {
+ // Check authorization.
+ $thisauth = AclMain::aclCheckCore('patients', 'pat_rep');
+ if (!$thisauth) {
+ echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Create CCR")]);
+ exit;
+ }
 }
 
 require_once(dirname(__FILE__) . "/../interface/globals.php");

diff --git a/interface/modules/zend_modules/module/Acl/view/acl/acl/acl.phtml b/interface/modules/zend_modules/module/Acl/view/acl/acl/acl.phtml
@@ -10,6 +10,12 @@
  * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
  */
 
+// Control access
+if (!OpenEMR\Common\Acl\AclMain::aclCheckCore('admin', 'manage_modules')) {
+ echo xlt('Not Authorized');
+ exit;
+}
+
 ?>
 <script>
  ajax_path = "<?php echo $GLOBALS['webroot'];?>/interface/modules/zend_modules/public/acl/ajax";

diff --git a/...es/module/Carecoordination/src/Carecoordination/Controller/EncountermanagerController.php b/...es/module/Carecoordination/src/Carecoordination/Controller/EncountermanagerController.php
@@ -225,7 +225,7 @@ public function previewDocumentAction()
  if (!$document->can_access()) {
  echo $twig->getTwig()->render("templates/error/400.html.twig", ['statusCode' => 401, 'errorMessage' => 'Access Denied']);
  exit;
- } else if ($document->is_deleted()) {
+ } elseif ($document->is_deleted()) {
  echo $twig->getTwig()->render("templates/error/404.html.twig");
  exit;
  }

diff --git a/...nd_modules/module/Carecoordination/src/Carecoordination/Listener/CCDAEventsSubscriber.php b/...nd_modules/module/Carecoordination/src/Carecoordination/Listener/CCDAEventsSubscriber.php
@@ -138,7 +138,7 @@ public function onCCDAViewEvent(PatientDocumentViewCCDAEvent $event)
  // from original ccr/display.php code
  if ($type == 'CCR') {
  $stylesheet .= "ccr.xsl";
- } else if ($type == "CCD") {
+ } elseif ($type == "CCD") {
  $stylesheet .= "cda.xsl";
  }
  if (!file_exists($stylesheet)) {

diff --git a/...s/module/Carecoordination/src/Carecoordination/Model/CcdaServiceRequestModelGenerator.php b/...s/module/Carecoordination/src/Carecoordination/Model/CcdaServiceRequestModelGenerator.php
@@ -76,7 +76,7 @@ private function getServiceStartDates($pid, $encounter, $document_type, $date_op
  $end = date('YmdHisO', $end);
  }
  }
- } else if ($document_type == 'ccd' || $document_type == 'toc') {
+ } elseif ($document_type == 'ccd' || $document_type == 'toc') {
  if (empty($end)) {
  $end = date('YmdHisO'); // current date
  }

diff --git a/.../zend_modules/module/Carecoordination/view/carecoordination/carecoordination/upload.phtml b/.../zend_modules/module/Carecoordination/view/carecoordination/carecoordination/upload.phtml
@@ -10,6 +10,12 @@
  * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
  */
 
+// Control access
+if (!OpenEMR\Common\Acl\AclMain::aclCheckCore('admin', 'super')) {
+ echo xlt('Not Authorized');
+ exit;
+}
+
 echo $this->headLink()->prependStylesheet($this->basePath() . '/css/autosuggest/autosuggest.css');
 echo $this->headScript()->prependFile($this->basePath() . '/js/autosuggest/autosuggest.js');
 ?>

diff --git a/...face/modules/zend_modules/module/Carecoordination/view/carecoordination/setup/index.phtml b/...face/modules/zend_modules/module/Carecoordination/view/carecoordination/setup/index.phtml
@@ -8,7 +8,15 @@
  * @copyright Copyright (c) 2014 Z&H Consultancy Services Private Limited <[email protected]>
  * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
  */
+
+// Control access
+if (!OpenEMR\Common\Acl\AclMain::aclCheckCore('admin', 'manage_modules')) {
+ echo xlt('Not Authorized');
+ exit;
+}
+
 ?>
+
 <?php echo $this->headScript()->prependFile($this->basePath() . '/js/application/sendTo.js')
  ->prependFile($this->basePath() . '/js/lib/jquery-ui.js')
 ?>

diff --git a/...modules/zend_modules/module/CodeTypes/src/CodeTypes/Listener/CodeTypeEventsSubscriber.php b/...modules/zend_modules/module/CodeTypes/src/CodeTypes/Listener/CodeTypeEventsSubscriber.php
@@ -117,7 +117,7 @@ public function onSqlUpgradeEvent(SQLUpgradeEvent $event)
  } else {
  $logger("Skipping Section #updateCPT4Mappings");
  }
- } else if ($this->isSnomedCodeType($record['ct_key'])) {
+ } elseif ($this->isSnomedCodeType($record['ct_key'])) {
  if ($this->shouldUpdateSNOMEDMappings()) {
  $logger("Updating " . $record['ct_key'] . " Mappings");
  $this->updateSNOMEDCTMappings($logger);
@@ -133,7 +133,7 @@ public function onCodeTypeInstalledEvent(CodeTypeInstalledEvent $event)
  if ($event->getCodeType() == "SNOMED") {
  // check if we have SNOMED codes installed and update our list options
  $this->updateSNOMEDCTMappings();
- } else if ($event->getCodeType() == "CPT4" && $this->shouldUpdateCPT4Mappings()) {
+ } elseif ($event->getCodeType() == "CPT4" && $this->shouldUpdateCPT4Mappings()) {
  // check if we have CPT4 codes installed and update our list options
  $this->updateCPT4Mappings();
  }

diff --git a/interface/usergroup/facilities_add.php b/interface/usergroup/facilities_add.php
@@ -18,6 +18,12 @@
 use OpenEMR\Services\FacilityService;
 use OpenEMR\Common\Twig\TwigContainer;
 
+// Ensure authorized
+if (!AclMain::aclCheckCore('admin', 'users')) {
+ echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Facility Add")]);
+ exit;
+}
+
 $facilityService = new FacilityService();
 
 $alertmsg = '';

diff --git a/interface/usergroup/facility_admin.php b/interface/usergroup/facility_admin.php
@@ -18,6 +18,12 @@
 use OpenEMR\Core\Header;
 use OpenEMR\Services\FacilityService;
 
+// Ensure authorized
+if (!AclMain::aclCheckCore('admin', 'users')) {
+ echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Facility Admin")]);
+ exit;
+}
+
 $facilityService = new FacilityService();
 
 $alertmsg = '';

diff --git a/portal/add_edit_event_user.php b/portal/add_edit_event_user.php
@@ -56,7 +56,7 @@
 
 // did someone tamper with eid?
 $checkEidInAppt = false;
-$patient_appointments = fetchAppointments('1970-01-01', '2382-12-31', $_SESSION['pid']);
+$patient_appointments = fetchAppointments('1970-01-01', '2382-12-31', $pid);
 $checkEidInAppt = array_search($eid, array_column($patient_appointments, 'pc_eid'));
 
 if (!empty($eid) && !$checkEidInAppt) {
@@ -65,7 +65,7 @@
 }
 
 if (!empty($_POST['form_pid'])) {
- if ($_POST['form_pid'] != $_SESSION['pid']) {
+ if ($_POST['form_pid'] != $pid) {
  echo js_escape("error");
  exit();
  }
@@ -323,7 +323,7 @@
  "'" . add_escape_custom($_POST['form_category']) . "', " .
  "'" . add_escape_custom($row['pc_multiple']) . "', " .
  "'" . add_escape_custom($to_be_inserted) . "', " .
- "'" . add_escape_custom($_SESSION['pid']) . "', " .
+ "'" . add_escape_custom($pid) . "', " .
  "'" . add_escape_custom($_POST['form_title']) . "', " .
  "NOW(), " .
  "'" . add_escape_custom($_POST['form_comments']) . "', " .
@@ -350,7 +350,7 @@
  foreach ($_POST['form_provider_ae'] as $provider) {
  sqlStatement("UPDATE openemr_postcalendar_events SET " .
  "pc_catid = '" . add_escape_custom($_POST['form_category']) . "', " .
- "pc_pid = '" . add_escape_custom($_SESSION['pid']) . "', " .
+ "pc_pid = '" . add_escape_custom($pid) . "', " .
  "pc_title = '" . add_escape_custom($_POST['form_title']) . "', " .
  "pc_time = NOW(), " .
  "pc_hometext = '" . add_escape_custom($_POST['form_comments']) . "', " .
@@ -383,7 +383,7 @@
  sqlStatement("UPDATE openemr_postcalendar_events SET " .
  "pc_catid = '" . add_escape_custom($_POST['form_category']) . "', " .
  "pc_aid = '" . add_escape_custom($prov) . "', " .
- "pc_pid = '" . add_escape_custom($_SESSION['pid']) . "', " .
+ "pc_pid = '" . add_escape_custom($pid) . "', " .
  "pc_title = '" . add_escape_custom($_POST['form_title']) . "', " .
  "pc_time = NOW(), " .
  "pc_hometext = '" . add_escape_custom($_POST['form_comments']) . "', " .
@@ -434,7 +434,7 @@
  "'" . add_escape_custom($_POST['form_category']) . "', " .
  "'" . add_escape_custom($new_multiple_value) . "', " .
  "'" . add_escape_custom($provider) . "', " .
- "'" . add_escape_custom($_SESSION['pid']) . "', " .
+ "'" . add_escape_custom($pid) . "', " .
  "'" . add_escape_custom($_POST['form_title']) . "', " .
  "NOW(), " .
  "'" . add_escape_custom($_POST['form_comments']) . "', " .
@@ -464,7 +464,7 @@
  ") VALUES ( " .
  "'" . add_escape_custom($_POST['form_category']) . "', " .
  "'" . add_escape_custom($_POST['form_provider_ae']) . "', " .
- "'" . add_escape_custom($_SESSION['pid']) . "', " .
+ "'" . add_escape_custom($pid) . "', " .
  "'" . add_escape_custom($_POST['form_title']) . "', " .
  "NOW(), " .
  "'" . add_escape_custom($_POST['form_comments']) . "', " .
@@ -514,7 +514,7 @@
  $note .= ". " . xl("Use Portal Dashboard to confirm with patient.");
  $title = xl("Patient Reminders");
  $user = sqlQueryNoLog("SELECT users.username FROM users WHERE authorized = 1 And id = ?", array($_POST['form_provider_ae']));
- $rtn = addPnote($_SESSION['pid'], $note, 1, 1, $title, $user['username'], '', 'New');
+ $rtn = addPnote($pid, $note, 1, 1, $title, $user['username'], '', 'New');
 
  $_SESSION['whereto'] = '#appointmentcard';
  header('Location:./home.php');
@@ -570,7 +570,7 @@
  $hometext = substr($hometext, 6);
  }
 } else {
- $patientid = $_GET['pid'];
+ $patientid = $pid;
 }
 
 // If we have a patient ID, get the name and phone numbers to display.