bug fix 2
bradymiller committed Oct 25, 2022
1 parent 2e7678d commit 953cb84
Showing 8 changed files with 72 additions and 9 deletions.
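--- a/controllers/C_Document.class.php
+++ b/controllers/C_Document.class.php
@@ -16,6 +16,7 @@
 use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Crypto\CryptoGen;
 use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Logging\SystemLogger;
 use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Services\FacilityService;
 use OpenEMR\Services\PatientService;
@@ -33,6 +34,7 @@ class C_Document extends Controller
 public $_last_node;
 private $Document;
 private $cryptoGen;
+private bool $skip_acl_check = false;
 
 public function __construct($template_mod = "general")
 {
@@ -202,6 +204,8 @@ public function upload_action_process()
 
 if (is_numeric($_POST['category_id'])) {
 $category_id = $_POST['category_id'];
+} else {
+$category_id = 1;
 }
 
 $patient_id = 0;
@@ -211,7 +215,18 @@ public function upload_action_process()
 $patient_id = $_POST['patient_id'];
 }
 
-if (!empty($_FILES['dicom_folder']['name'][0])) {
+// ensure user has access to the category that is being uploaded to
+$skipUpload = false;
+if (!$this->isSkipAclCheck()) {
+$acoSpec = sqlQuery("SELECT `aco_spec` from `categories` WHERE `id` = ?", [$category_id])['aco_spec'];
+if (AclMain::aclCheckAcoSpec($acoSpec) === false) {
+$error = xl("Not authorized to upload to the selected category.\n");
+$skipUpload = true;
+(new SystemLogger())->debug("An attempt was made to upload a document to an unauthorized category", ['user-id' => $_SESSION['authUserID'], 'patient-id' => $patient_id, 'category-id' => $category_id]);
+}
+}
+
+if (!$skipUpload && !empty($_FILES['dicom_folder']['name'][0])) {
 // let's zip um up then pass along new zip
 $study_name = $_POST['destination'] ? (trim($_POST['destination']) . ".zip") : 'DicomStudy.zip';
 $study_name = preg_replace('/\s+/', '_', $study_name);
@@ -225,7 +240,7 @@ public function upload_action_process()
 }
 
 $sentUploadStatus = array();
-if (count($_FILES['file']['name']) > 0) {
+if (!$skipUpload && count($_FILES['file']['name']) > 0) {
 $upl_inc = 0;
 
 foreach ($_FILES['file']['name'] as $key => $value) {
@@ -611,6 +626,22 @@ public function retrieve_action(string $patient_id = null, $document_id, $as_fil
 }
 
 $d = new Document($document_id);
+
+// ensure user/patient has access
+if (isset($_SESSION['patient_portal_onsite_two']) && isset($_SESSION['pid'])) {
+// ensure patient has access (called from patient portal)
+if (!$d->can_patient_access($_SESSION['pid'])) {
+(new SystemLogger())->debug("An attempt was made by a patient to download a document from an unauthorized category", ['patient-id' => $_SESSION['pid'], 'document-id' => $document_id]);
+die(xlt("Not authorized to view requested file"));
+}
+} else {
+// ensure user has access
+if (!$d->can_access()) {
+(new SystemLogger())->debug("An attempt was made by a user to download a document from an unauthorized category", ['user-id' => $_SESSION['authUserID'], 'patient-id' => $patient_id, 'document-id' => $document_id]);
+die(xlt("Not authorized to view requested file"));
+}
+}
+
 $url = $d->get_url();
 $th_url = $d->get_thumb_url();
 
@@ -1375,4 +1406,18 @@ public function clear_encounter_tag_action(string $patient_id = null, $document_
 }
 return $this->view_action($patient_id, $document_id);
 }
+
+// this will set flag to skip acl check
+// this is needed for when uploading via services that piggyback on any user (ie. the background services) or via cron/cli
+public function skipAclCheck(): void
+{
+$this->skip_acl_check = true;
+}
+
+// this will check if flag has been set to skip the acl check
+// this is needed for when uploading via services that piggyback on any user (ie. the background services) or via cron/cli
+public function isSkipAclCheck(): bool
+{
+return $this->skip_acl_check;
+}
 }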
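Review bot: The category check in `upload_action_process` can fail open on an unknown category: `$acoSpec = sqlQuery(...)['aco_spec'];` yields null when `category_id` matches no row (and `$category_id` now silently defaults to 1 when the posted value is non-numeric), so whether the upload is refused depends on how `AclMain::aclCheckAcoSpec` treats an empty spec, which this hunk does not show. Make the missing/empty case an explicit denial, e.g. `$row = sqlQuery("SELECT aco_spec FROM categories WHERE id = ?", [$category_id]);` followed by `if (empty($row['aco_spec']) || AclMain::aclCheckAcoSpec($row['aco_spec']) === false) {`. The three `(new SystemLogger())->debug(...)` calls also record authorization failures at debug level; these are security events and should be emitted at warning level (`->warning(...)`, if SystemLogger exposes it) so they are not dropped by the default log threshold. `upload_action_process` and `retrieve_action` both continue outside the hunks shown.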
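--- a/custom/zutil.cli.doc_import.php
+++ b/custom/zutil.cli.doc_import.php
@@ -151,6 +151,7 @@
 'category_id' => '1',
 'higher_level_path' => '',
 'path_depth' => '1',
+'skip_acl_check' => true
 );
 $new_doc = call_user_func_array('addNewDocument', $doc_params);
 printf('%s - %s%s', text($doc_pathname), (isset($new_doc) ? text($new_doc->get_url()) : xlt('Documents setup error')), "\n");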
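--- a/interface/forms/eye_mag/php/taskman_functions.php
+++ b/interface/forms/eye_mag/php/taskman_functions.php
@@ -593,7 +593,7 @@ function make_document($task)
 
 $type = "application/pdf";
 $size = filesize($temp_filename);
-$return = addNewDocument($filename, $type, $temp_filename, 0, $size, $task['FROM_ID'], $task['PATIENT_ID'], $category_id);
+$return = addNewDocument($filename, $type, $temp_filename, 0, $size, $task['FROM_ID'], $task['PATIENT_ID'], $category_id, '', 1, true);
 unlink($temp_filename);
 
 $task['DOC_ID'] = $return['doc_id'];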
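Review bot: The trailing `'', 1, true` arguments appended to the `addNewDocument` call are opaque at the call site; a reader cannot tell that the final `true` bypasses the category ACL check for this task-generated document. If the project's minimum PHP is 8.0 or later, pass it by name and drop the two defaults — `addNewDocument($filename, $type, $temp_filename, 0, $size, $task['FROM_ID'], $task['PATIENT_ID'], $category_id, skip_acl_check: true);` — otherwise precede the call with a comment such as `// trailing args: higher_level_path, path_depth, skip_acl_check (server-generated task output, no interactive user to authorize)`. `make_document` continues outside the hunk.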
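--- a/library/classes/Document.class.php
+++ b/library/classes/Document.class.php
@@ -264,7 +264,7 @@ public function get_categories()
 . "WHERE `ctd`.`document_id` = ? ";
 $resultSet = sqlStatement($categories, [$this->get_id()]);
 $categories = [];
-while ($category = sqlGetAssoc($resultSet)) {
+while ($category = sqlFetchArray($resultSet)) {
 $categories[] = $category;
 }
 return $categories;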
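--- a/library/direct_message_check.inc
+++ b/library/direct_message_check.inc
@@ -644,7 +644,7 @@ function phimail_store($name, $mime_type, $fn)
 // Import the document
 $phimail_direct_message_check_allowed_mimetype = $mime_type;
 $filesize = filesize($fn);
-$return = addNewDocument($name, $mime_type, $fn, 0, $filesize, $user, 'direct');
+$return = addNewDocument($name, $mime_type, $fn, 0, $filesize, $user, 'direct', 1, '', 1, true);
 if (is_array($return)) {
 $return['filesize'] = $filesize;
 }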
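--- a/library/documents.php
+++ b/library/documents.php
@@ -36,9 +36,10 @@
 * @param int $category_id Document category id
 * @param string $higher_level_path Can set a higher level path here (and then place the path depth in $path_depth)
 * @param int $path_depth Path depth when using the $higher_level_path feature
+* @param boolean $skip_acl_check This needs to be set to true for when uploading via services that piggyback on any user (ie. the background services) or uses cron/cli
 * @return array/boolean Array(doc_id,url) of the file as stored in documents table, false = failure
 */
-function addNewDocument($name, $type, $tmp_name, $error, $size, $owner = '', $patient_id_or_simple_directory = "00", $category_id = '1', $higher_level_path = '', $path_depth = '1')
+function addNewDocument($name, $type, $tmp_name, $error, $size, $owner = '', $patient_id_or_simple_directory = "00", $category_id = '1', $higher_level_path = '', $path_depth = '1', $skip_acl_check = false)
 {
 
 if (empty($owner)) {
@@ -67,6 +68,9 @@ function addNewDocument($name, $type, $tmp_name, $error, $size, $owner = '', $pa
 // Add the Document and return the newly added document id
 $cd = new C_Document();
 $cd->manual_set_owner = $owner;
+if ($skip_acl_check) {
+$cd->skipAclCheck();
+}
 $cd->upload_action_process();
 $v = $cd->get_template_vars("file");
 if (!isset($v) || !$v) {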
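Review bot: The new `$skip_acl_check` parameter on `addNewDocument` has no native type while the docblock calls it `boolean`; since it gates an authorization check, declare it so a non-boolean caller value is not silently coerced: `$path_depth = '1', bool $skip_acl_check = false)`. In the docblock use the short form and say what the flag actually does: `@param bool $skip_acl_check Skip the upload category ACL check; only for server-side imports (background services, cron/CLI) where there is no interactive user to authorize`. `addNewDocument`'s body continues outside the hunks shown.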
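--- a/sql/database.sql
+++ b/sql/database.sql
@@ -298,13 +298,13 @@ CREATE TABLE `categories` (
 INSERT INTO `categories` VALUES (1, 'Categories', '', 0, 0, 59, 'patients|docs', '');
 INSERT INTO `categories` VALUES (2, 'Lab Report', '', 1, 1, 2, 'patients|docs', '');
 INSERT INTO `categories` VALUES (3, 'Medical Record', '', 1, 3, 4, 'patients|docs', '');
-INSERT INTO `categories` VALUES (4, 'Patient Information', '', 1, 5, 10, 'patients|docs', '');
-INSERT INTO `categories` VALUES (5, 'Patient ID card', '', 4, 6, 7, 'patients|docs', '');
+INSERT INTO `categories` VALUES (4, 'Patient Information', '', 1, 5, 10, 'patients|demo', '');
+INSERT INTO `categories` VALUES (5, 'Patient ID card', '', 4, 6, 7, 'patients|demo', '');
 INSERT INTO `categories` VALUES (6, 'Advance Directive', '', 1, 11, 18, 'patients|docs','LOINC:LP173418-7');
 INSERT INTO `categories` VALUES (7, 'Do Not Resuscitate Order', '', 6, 12, 13, 'patients|docs', '');
 INSERT INTO `categories` VALUES (8, 'Durable Power of Attorney', '', 6, 14, 15, 'patients|docs', '');
 INSERT INTO `categories` VALUES (9, 'Living Will', '', 6, 16, 17, 'patients|docs', '');
-INSERT INTO `categories` VALUES (10, 'Patient Photograph', '', 4, 8, 9, 'patients|docs', '');
+INSERT INTO `categories` VALUES (10, 'Patient Photograph', '', 4, 8, 9, 'patients|demo', '');
 INSERT INTO `categories` VALUES (11, 'CCR', '', 1, 19, 20, 'patients|docs', '');
 INSERT INTO `categories` VALUES (12, 'CCD', '', 1, 21, 22, 'patients|docs', 'LOINC:34133-9');
 INSERT INTO `categories` VALUES (13, 'CCDA', '', 1, 23, 24, 'patients|docs', '');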
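--- a/sql/patch.sql
+++ b/sql/patch.sql
@@ -153,3 +153,16 @@ ALTER TABLE `form_questionnaire_assessments` CHANGE `code_type` `questionnaire_i
 #IfNotRow2D list_options list_id Document_Template_Categories option_id questionnaire
 INSERT INTO `list_options` (`list_id`, `option_id`, `title`, `seq`, `is_default`, `option_value`, `mapping`, `notes`, `codes`, `toggle_setting_1`, `toggle_setting_2`, `activity`) VALUES ('Document_Template_Categories','questionnaire','Questionnaires',10,0,0,'','','',0,0,1);
 #EndIf
+
+#IfRow2D categories aco_spec patients|docs name Patient Information
+UPDATE `categories` SET `aco_spec` = 'patients|demo' WHERE `name` = 'Patient Information';
+#EndIf
+
+#IfRow2D categories aco_spec patients|docs name Patient ID card
+UPDATE `categories` SET `aco_spec` = 'patients|demo' WHERE `name` = 'Patient ID card';
+#EndIf
+
+#IfRow2D categories aco_spec patients|docs name Patient Photograph
+UPDATE `categories` SET `aco_spec` = 'patients|demo' WHERE `name` = 'Patient Photograph';
+#EndIf
+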
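Review bot: Each `UPDATE` inside the new `#IfRow2D` blocks is keyed on `name` alone, so it rewrites every category with that display name — including a site-defined duplicate whose `aco_spec` an admin set deliberately — even though the guard only establishes that one row with `patients|docs` exists. Constrain the update to the rows the guard actually matched, e.g. `UPDATE `categories` SET `aco_spec` = 'patients|demo' WHERE `name` = 'Patient Information' AND `aco_spec` = 'patients|docs';`, and likewise for the other two blocks. Note also that `database.sql` seeds these rows by id (4, 5, 10), so existing installs that renamed these categories are not migrated by a name match; whether that is acceptable depends on how stable those seed ids are in the field, which this patch does not show.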