PP2 Update #1758

merged 2 commits into from Jul 10, 2018
2 changes: 1 addition & 1 deletion portal/account/account.php
Expand Up @@ -10,7 +10,7 @@
*/

session_start();
if ($_SESSION['patient_portal_onsite_two'] && $_SESSION['pid']) {
if ($_SESSION['register'] === true && isset($_SESSION['pid'])) {
$ignoreAuth_onsite_portal_two = true;
}

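Review bot: The new guard reads `$_SESSION['register']` without `isset()`, which emits an undefined-index notice for every visitor who never went through register.php; write it as `if (isset($_SESSION['register']) && $_SESSION['register'] === true && isset($_SESSION['pid'])) {`. Note also that the `isset($_SESSION['pid'])` half is satisfied by the literal `true` that register.php in this same PR stores, so the condition does not establish a real patient id before `$ignoreAuth_onsite_portal_two` is set. Nothing in the PR shows where `register` is cleared once registration completes, so confirm the session is torn down afterwards rather than keeping this bypass alive until expiry. The file continues past both edges of the hunk.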
1 change: 0 additions & 1 deletion portal/account/register.php
Expand Up @@ -13,7 +13,6 @@
session_regenerate_id(true);

unset($_SESSION['itsme']);
$_SESSION['patient_portal_onsite_two'] = true;
$_SESSION['authUser'] = 'portal-user';
$_SESSION['pid'] = true;
$_SESSION['register'] = true;
12 changes: 6 additions & 6 deletions portal/add_edit_event_user.php
Expand Up @@ -118,21 +118,21 @@
$facility = sqlQuery("SELECT pc_facility, pc_multiple, pc_aid, facility.name
FROM openemr_postcalendar_events
LEFT JOIN facility ON (openemr_postcalendar_events.pc_facility = facility.id)
WHERE pc_eid = $eid");
WHERE pc_eid = ?", array($eid));
if (!$facility['pc_facility']) {
$qmin = sqlQuery("SELECT facility_id as minId, facility FROM users WHERE id = ".$facility['pc_aid']);
$qmin = sqlQuery("SELECT facility_id as minId, facility FROM users WHERE id = ?", array($facility['pc_aid']));
$min = $qmin['minId'];
$min_name = $qmin['facility'];

// multiple providers case
if ($GLOBALS['select_multi_providers']) {
$mul = $facility['pc_multiple'];
sqlStatement("UPDATE openemr_postcalendar_events SET pc_facility = $min WHERE pc_multiple = $mul");
sqlStatement("UPDATE openemr_postcalendar_events SET pc_facility = ? WHERE pc_multiple = ?", array($min, $mul));
}

// EOS multiple

sqlStatement("UPDATE openemr_postcalendar_events SET pc_facility = $min WHERE pc_eid = $eid");
sqlStatement("UPDATE openemr_postcalendar_events SET pc_facility = ? WHERE pc_eid = ?", array($min, $eid));
$e2f = $min;
$e2f_name = $min_name;
} else {
Expand Down Expand Up @@ -615,7 +615,7 @@
// If we have a patient ID, get the name and phone numbers to display.
if ($patientid) {
$prow = sqlQuery("SELECT lname, fname, phone_home, phone_biz, DOB " .
"FROM patient_data WHERE pid = '" . $patientid . "'");
"FROM patient_data WHERE pid = ?", array($patientid));
$patientname = $prow['lname'] . ", " . $prow['fname'];
if ($prow['phone_home']) {
$patienttitle .= " H=" . $prow['phone_home'];
Expand All @@ -634,7 +634,7 @@
//(CHEMED)
//Set default facility for a new event based on the given 'userid'
if ($userid) {
$pref_facility = sqlFetchArray(sqlStatement("SELECT facility_id, facility FROM users WHERE id = $userid"));
$pref_facility = sqlFetchArray(sqlStatement("SELECT facility_id, facility FROM users WHERE id = ?", array($userid)));
$e2f = $pref_facility['facility_id'];
$e2f_name = $pref_facility['facility'];
}
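Review bot: The parameterised event lookup at the top of the first hunk is never checked for a missing row: when no event matches `$eid`, `$facility['pc_facility']` is empty, the block then binds a null `$facility['pc_aid']`, and the resulting null `$min` is written into both UPDATEs. Add `if (empty($facility)) { die(xlt('Event not found')); }` (or whatever error path the file uses above the hunk) before the `pc_facility` test. The multi-provider UPDATE also keys only on `pc_multiple = ?`; if, as the name suggests, that column is 0 for events not grouped across providers, a zero `$mul` would re-facility every such event, so an explicit `&& $mul` on that branch looks warranted — confirm against the schema. The surrounding code runs past both ends of these hunks.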
14 changes: 7 additions & 7 deletions portal/find_appt_popup_user.php
Expand Up @@ -103,7 +103,7 @@ function doOneDay($catid, $udate, $starttime, $duration, $prefcatid)

$catslots = 1;
if ($input_catid) {
$srow = sqlQuery("SELECT pc_duration FROM openemr_postcalendar_categories WHERE pc_catid = '$input_catid'");
$srow = sqlQuery("SELECT pc_duration FROM openemr_postcalendar_categories WHERE pc_catid = ?", array($input_catid));
if ($srow['pc_duration']) {
$catslots = ceil($srow['pc_duration'] / $slotsecs);
}
Expand Down Expand Up @@ -162,12 +162,12 @@ function doOneDay($catid, $udate, $starttime, $duration, $prefcatid)
// Note there is no need to sort the query results.
// echo $sdate." -- ".$edate;
$query = "SELECT pc_eventDate, pc_endDate, pc_startTime, pc_duration, " .
"pc_recurrtype, pc_recurrspec, pc_alldayevent, pc_catid, pc_prefcatid, pc_title " .
"FROM openemr_postcalendar_events " .
"WHERE pc_aid = '$providerid' AND " .
"((pc_endDate >= '$sdate' AND pc_eventDate < '$edate') OR " .
"(pc_endDate = '0000-00-00' AND pc_eventDate >= '$sdate' AND pc_eventDate < '$edate'))";
$res = sqlStatement($query);
"pc_recurrtype, pc_recurrspec, pc_alldayevent, pc_catid, pc_prefcatid, pc_title " .
"FROM openemr_postcalendar_events " .
"WHERE pc_aid = ? AND " .
"((pc_endDate >= ? AND pc_eventDate < ?) OR " .
"(pc_endDate = '0000-00-00' AND pc_eventDate >= ? AND pc_eventDate < ?))";
$res = sqlStatement($query, array($providerid, $sdate, $edate, $sdate, $edate));
// print_r($res);

while ($row = sqlFetchArray($res)) {
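Review bot: The rewritten range query binds `$sdate` and `$edate` twice to serve two OR branches that nothing explains; a short comment above `$query` would help the next reader, e.g. `// Events overlapping [sdate, edate): either a dated range, or an open/single-day event (pc_endDate = 0000-00-00) that starts inside the window`. I am inferring the meaning of the `'0000-00-00'` sentinel from its use here, so adjust the wording if it means something else. The `// echo $sdate...` and `// print_r($res);` debug leftovers bracketing the query could go in the same pass. The enclosing function runs past the edges of this hunk.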
62 changes: 48 additions & 14 deletions portal/import_template.php
Expand Up @@ -25,24 +25,40 @@
require_once("../interface/globals.php");

if ($_POST['mode'] == 'get') {
echo file_get_contents($_POST['docid']);
exit;
if (validateFile($_POST['docid'])) {
echo file_get_contents($_POST['docid']);
exit();
} else {
die(xlt('Invalid File'));
}
} else if ($_POST['mode'] == 'save') {
file_put_contents($_POST['docid'], $_POST['content']);
exit(true);
if (validateFile($_POST['docid'])) {
if (stripos($_POST['content'], "<?php") !== false) {
file_put_contents($_POST['docid'], $_POST['content']);
exit(true);
} else {
die(xlt('Invalid Content'));
}
} else {
die(xlt('Invalid File'));
}
} else if ($_POST['mode'] == 'delete') {
unlink($_POST['docid']);
exit(true);
if (validateFile($_POST['docid'])) {
unlink($_POST['docid']);
exit(true);
} else {
die(xlt('Invalid File'));
}
}

// so it is an import
if (!isset($_POST['up_dir'])) {
define("UPLOAD_DIR", $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates/');
define("UPLOAD_DIR", $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates/');
} else {
if ($_POST['up_dir'] > 0) {
define("UPLOAD_DIR", $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates/'. $_POST['up_dir'] . '/');
define("UPLOAD_DIR", $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates/' . $_POST['up_dir'] . '/');
} else {
define("UPLOAD_DIR", $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates/');
define("UPLOAD_DIR", $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates/');
}
}

Expand All @@ -51,29 +67,47 @@

if ($tplFile["error"] !== UPLOAD_ERR_OK) {
header("refresh:2;url= import_template_ui.php");
echo "<p>". xlt("An error occurred: Missing file to upload: Use back button!") . "</p>";
echo "<p>" . xlt("An error occurred: Missing file to upload: Use back button!") . "</p>";
exit;
}

// ensure a safe filename
$name = preg_replace("/[^A-Z0-9._-]/i", "_", $tplFile["name"]);
if (preg_match("/(.*)\.(php|php3|php4|php5|php7)$/i", $name) !== 0) {
die(xlt('Executables not allowed'));
}
$parts = pathinfo($name);
$name = $parts["filename"].'.tpl';
$name = $parts["filename"] . '.tpl';
// don't overwrite an existing file
while (file_exists(UPLOAD_DIR . $name)) {
$i = rand(0, 128);
$newname = $parts["filename"] . "-" . $i . "." . $parts["extension"].".replaced";
rename(UPLOAD_DIR .$name, UPLOAD_DIR .$newname);
$newname = $parts["filename"] . "-" . $i . "." . $parts["extension"] . ".replaced";
rename(UPLOAD_DIR . $name, UPLOAD_DIR . $newname);
}

// preserve file from temporary directory
$success = move_uploaded_file($tplFile["tmp_name"], UPLOAD_DIR . $name);
if (!$success) {
echo "<p>". xlt("Unable to save file: Use back button!") . "</p>";
echo "<p>" . xlt("Unable to save file: Use back button!") . "</p>";
exit;
}

// set proper permissions on the new file
chmod(UPLOAD_DIR . $name, 0644);
header("location: " . $_SERVER['HTTP_REFERER']);
}

function validateFile($filename = '')
{
$valid = false;
$filePath = $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates';
if (stripos($filename, $filePath) === false) {
return false;
}
if (preg_match("/(.*)\.(php|php3|php4|php5|php7)$/i", $filename) === 0) {
if (preg_match("/(.*)\.(tpl)$/i", $filename) === 1) {
$valid = true;
}
}
return $valid;
}
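Review bot: `validateFile` only checks that the template directory string appears somewhere in `$filename` (`stripos(..., $filePath) === false`), so a `docid` like `<templates>/../../../x.tpl` passes and the `get`/`save`/`delete` branches can read, overwrite or unlink any `.tpl` the web server user can reach; it should `realpath()` the directory part and require it to sit under the template root, as below. In the first hunk the save branch writes only when `stripos($_POST['content'], "<?php") !== false`, i.e. when the content does contain PHP — if the intent is to keep code out of templates, as the 'Executables not allowed' upload check suggests, that should be `=== false` (with `<?=` and `<script language=` variants considered too). `$_POST['up_dir']` is also concatenated into UPLOAD_DIR after only a `> 0` comparison, which a string such as `1/../..` satisfies in PHP; cast it with `(int)` first. Whether `.tpl` files are ever included as PHP is not visible here, so treat the content check as defence in depth rather than the gate.
```php
function validateFile($filename = '')
{
    // Resolve the template root and the directory part of the requested path;
    // the file itself need not exist yet ('save'), but its directory must.
    $templateDir = realpath($GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates');
    $dir = realpath(dirname($filename));
    if ($templateDir === false || $dir === false) {
        return false;
    }
    // Must be the template root itself or a subdirectory of it (prefix match on resolved paths).
    if ($dir !== $templateDir && strpos($dir, $templateDir . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    // Same character set the upload sanitiser produces, and only .tpl files.
    return preg_match('/^[A-Za-z0-9._-]+\.tpl$/i', basename($filename)) === 1;
}
```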
8 changes: 3 additions & 5 deletions portal/import_template_ui.php
Expand Up @@ -20,8 +20,6 @@
* @author Jerry Padgett <sjpadgett@gmail.com>
* @link http://www.open-emr.org
*/
//$ignoreAuth = true;


require_once("../interface/globals.php");
$getdir = isset($_POST['sel_pt']) ? $_POST['sel_pt'] : 0;
Expand Down Expand Up @@ -174,7 +172,7 @@ function getDocument(docname, mode, content){
</script>
<style>
.modal.modal-wide .modal-dialog {
width: 75%;
width: 55%;
}
.modal-wide .modal-body {
overflow-y: auto;
Expand Down Expand Up @@ -262,8 +260,8 @@ function getDocument(docname, mode, content){
<div class="edittpl" id="templatecontent"></div>
</div>
<div class="modal-footer">
<button type="button" class="btn btn-danger btn-sm" data-dismiss="modal"><?php echo xlt('Dismiss'); ?></button>
<button type="button" class="btn btn-success" data-dismiss="modal" onclick="tsave()"><?php echo xlt('Save'); ?></button>
<button type="button" class="btn btn-danger btn-xs" data-dismiss="modal"><?php echo xlt('Dismiss'); ?></button>
<button type="button" class="btn btn-success btn-xs" data-dismiss="modal" onclick="tsave()"><?php echo xlt('Save'); ?></button>
</div>
</div>
</div>
8 changes: 4 additions & 4 deletions portal/patient/_machine_config.php
Expand Up @@ -16,8 +16,8 @@
*/
/* */

session_start();
if (isset($_SESSION['pid']) && isset($_SESSION['patient_portal_onsite_two'])) {
session_start();
if (isset($_SESSION['pid']) && (isset($_SESSION['patient_portal_onsite_two']) || $_SESSION['register'] === true)) {
$pid = $_SESSION['pid'];
$ignoreAuth = true;
GlobalConfig::$PORTAL = true;
Expand All @@ -27,9 +27,9 @@
GlobalConfig::$PORTAL = false;
$ignoreAuth = false;
require_once(dirname(__FILE__) . "/../../interface/globals.php");
if (! isset($_SESSION['authUserID'])) {
if (!isset($_SESSION['authUserID'])) {
$landingpage = "index.php";
header('Location: '.$landingpage);
header('Location: ' . $landingpage);
exit;
}
}
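Review bot: The new condition reads `$_SESSION['register']` without `isset()`, so every non-registration portal request raises an undefined-index notice before the check resolves; write that operand as `(isset($_SESSION['register']) && $_SESSION['register'] === true)`. More importantly, register.php in this same PR stores `$_SESSION['pid'] = true`, so on the registration branch `$pid` becomes the boolean `true`, which coerces to 1 in integer and SQL contexts — if `$pid` reaches a query further down this file, a registering visitor would be acting as patient id 1; worth confirming and, if so, leaving `$pid` unset on that branch. The `register` flag is not cleared anywhere visible in the PR, so such sessions keep the `$ignoreAuth = true` path until they expire. The enclosing block runs past the hunk.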