PP2 Update #1758

Merged
merged 2 commits into from Jul 10, 2018
Merged

PP2 Update #1758

@@ -10,7 +10,7 @@
*/

session_start();
if ($_SESSION['patient_portal_onsite_two'] && $_SESSION['pid']) {
if ($_SESSION['register'] === true && isset($_SESSION['pid'])) {
$ignoreAuth_onsite_portal_two = true;
}

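Review bot: `$_SESSION['register']` is read on the new `if` line without an `isset()` guard, so every non-registration request through this file raises an undefined-index notice before the `=== true` comparison fails; the same unguarded read appears in the `@@ -16,8 +16,8 @@` hunk further down. Suggest `if (isset($_SESSION['register']) && $_SESSION['register'] === true && isset($_SESSION['pid'])) {`. The old condition also accepted a session with `patient_portal_onsite_two` set; if this file is meant to serve both the logged-in portal flow and the registration flow, that branch looks dropped rather than extended, which is worth confirming.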
@@ -13,7 +13,6 @@
session_regenerate_id(true);

unset($_SESSION['itsme']);
$_SESSION['patient_portal_onsite_two'] = true;
$_SESSION['authUser'] = 'portal-user';
$_SESSION['pid'] = true;
$_SESSION['register'] = true;
@@ -118,21 +118,21 @@
$facility = sqlQuery("SELECT pc_facility, pc_multiple, pc_aid, facility.name
FROM openemr_postcalendar_events
LEFT JOIN facility ON (openemr_postcalendar_events.pc_facility = facility.id)
WHERE pc_eid = $eid");
WHERE pc_eid = ?", array($eid));
if (!$facility['pc_facility']) {
$qmin = sqlQuery("SELECT facility_id as minId, facility FROM users WHERE id = ".$facility['pc_aid']);
$qmin = sqlQuery("SELECT facility_id as minId, facility FROM users WHERE id = ?", array($facility['pc_aid']));
$min = $qmin['minId'];
$min_name = $qmin['facility'];

// multiple providers case
if ($GLOBALS['select_multi_providers']) {
$mul = $facility['pc_multiple'];
sqlStatement("UPDATE openemr_postcalendar_events SET pc_facility = $min WHERE pc_multiple = $mul");
sqlStatement("UPDATE openemr_postcalendar_events SET pc_facility = ? WHERE pc_multiple = ?", array($min, $mul));
}

// EOS multiple

sqlStatement("UPDATE openemr_postcalendar_events SET pc_facility = $min WHERE pc_eid = $eid");
sqlStatement("UPDATE openemr_postcalendar_events SET pc_facility = ? WHERE pc_eid = ?", array($min, $eid));
$e2f = $min;
$e2f_name = $min_name;
} else {
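Review bot: `$facility` and `$qmin` are indexed as arrays without checking that `sqlQuery()` returned a row; if it returns `false` for an unmatched `pc_eid` or `pc_aid` (as its other callers here seem to assume it can), `$min` and `$min_name` are null and the two UPDATE statements write `pc_facility = NULL`. A guard such as `if (!$qmin) { die(xlt('Unknown provider')); }` before the updates would keep the parameterized queries from persisting a null facility. The surrounding if/else continues past the hunk.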
@@ -615,7 +615,7 @@
// If we have a patient ID, get the name and phone numbers to display.
if ($patientid) {
$prow = sqlQuery("SELECT lname, fname, phone_home, phone_biz, DOB " .
"FROM patient_data WHERE pid = '" . $patientid . "'");
"FROM patient_data WHERE pid = ?", array($patientid));
$patientname = $prow['lname'] . ", " . $prow['fname'];
if ($prow['phone_home']) {
$patienttitle .= " H=" . $prow['phone_home'];
@@ -634,7 +634,7 @@
//(CHEMED)
//Set default facility for a new event based on the given 'userid'
if ($userid) {
$pref_facility = sqlFetchArray(sqlStatement("SELECT facility_id, facility FROM users WHERE id = $userid"));
$pref_facility = sqlFetchArray(sqlStatement("SELECT facility_id, facility FROM users WHERE id = ?", array($userid)));
$e2f = $pref_facility['facility_id'];
$e2f_name = $pref_facility['facility'];
}
@@ -103,7 +103,7 @@ function doOneDay($catid, $udate, $starttime, $duration, $prefcatid)

$catslots = 1;
if ($input_catid) {
$srow = sqlQuery("SELECT pc_duration FROM openemr_postcalendar_categories WHERE pc_catid = '$input_catid'");
$srow = sqlQuery("SELECT pc_duration FROM openemr_postcalendar_categories WHERE pc_catid = ?", array($input_catid));
if ($srow['pc_duration']) {
$catslots = ceil($srow['pc_duration'] / $slotsecs);
}
@@ -162,12 +162,12 @@ function doOneDay($catid, $udate, $starttime, $duration, $prefcatid)
// Note there is no need to sort the query results.
// echo $sdate." -- ".$edate;
$query = "SELECT pc_eventDate, pc_endDate, pc_startTime, pc_duration, " .
"pc_recurrtype, pc_recurrspec, pc_alldayevent, pc_catid, pc_prefcatid, pc_title " .
"FROM openemr_postcalendar_events " .
"WHERE pc_aid = '$providerid' AND " .
"((pc_endDate >= '$sdate' AND pc_eventDate < '$edate') OR " .
"(pc_endDate = '0000-00-00' AND pc_eventDate >= '$sdate' AND pc_eventDate < '$edate'))";
$res = sqlStatement($query);
"pc_recurrtype, pc_recurrspec, pc_alldayevent, pc_catid, pc_prefcatid, pc_title " .
"FROM openemr_postcalendar_events " .
"WHERE pc_aid = ? AND " .
"((pc_endDate >= ? AND pc_eventDate < ?) OR " .
"(pc_endDate = '0000-00-00' AND pc_eventDate >= ? AND pc_eventDate < ?))";
$res = sqlStatement($query, array($providerid, $sdate, $edate, $sdate, $edate));
// print_r($res);

while ($row = sqlFetchArray($res)) {
@@ -25,24 +25,40 @@
require_once("../interface/globals.php");

if ($_POST['mode'] == 'get') {
echo file_get_contents($_POST['docid']);
exit;
if (validateFile($_POST['docid'])) {
echo file_get_contents($_POST['docid']);
exit();
} else {
die(xlt('Invalid File'));
}
} else if ($_POST['mode'] == 'save') {
file_put_contents($_POST['docid'], $_POST['content']);
exit(true);
if (validateFile($_POST['docid'])) {
if (stripos($_POST['content'], "<?php") !== false) {
file_put_contents($_POST['docid'], $_POST['content']);
exit(true);
} else {
die(xlt('Invalid Content'));
}
} else {
die(xlt('Invalid File'));
}
} else if ($_POST['mode'] == 'delete') {
unlink($_POST['docid']);
exit(true);
if (validateFile($_POST['docid'])) {
unlink($_POST['docid']);
exit(true);
} else {
die(xlt('Invalid File'));
}
}

// so it is an import
if (!isset($_POST['up_dir'])) {
define("UPLOAD_DIR", $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates/');
define("UPLOAD_DIR", $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates/');
} else {
if ($_POST['up_dir'] > 0) {
define("UPLOAD_DIR", $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates/'. $_POST['up_dir'] . '/');
define("UPLOAD_DIR", $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates/' . $_POST['up_dir'] . '/');
} else {
define("UPLOAD_DIR", $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates/');
define("UPLOAD_DIR", $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates/');
}
}

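Review bot: The content check in the `save` branch is inverted: `stripos($_POST['content'], "<?php") !== false` is true only when the tag is present, so the file is written exactly when the content contains a PHP open tag and every ordinary template edit dies with 'Invalid Content'. The guard should read `if (stripos($_POST['content'], "<?php") === false) {`, and since it is a substring match for one literal form, a pattern that rejects any open tag, `preg_match('/<\?/', $_POST['content']) === 0`, is less dependent on the server's short_open_tag setting. Further down, `$_POST['up_dir'] > 0` is a loose numeric comparison and the raw string is still concatenated into UPLOAD_DIR; casting first, `$upDir = (int)$_POST['up_dir'];`, and using `$upDir` in both the test and the path keeps that directory component numeric.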
@@ -51,29 +67,47 @@

if ($tplFile["error"] !== UPLOAD_ERR_OK) {
header("refresh:2;url= import_template_ui.php");
echo "<p>". xlt("An error occurred: Missing file to upload: Use back button!") . "</p>";
echo "<p>" . xlt("An error occurred: Missing file to upload: Use back button!") . "</p>";
exit;
}

// ensure a safe filename
$name = preg_replace("/[^A-Z0-9._-]/i", "_", $tplFile["name"]);
if (preg_match("/(.*)\.(php|php3|php4|php5|php7)$/i", $name) !== 0) {
die(xlt('Executables not allowed'));
}
$parts = pathinfo($name);
$name = $parts["filename"].'.tpl';
$name = $parts["filename"] . '.tpl';
// don't overwrite an existing file
while (file_exists(UPLOAD_DIR . $name)) {
$i = rand(0, 128);
$newname = $parts["filename"] . "-" . $i . "." . $parts["extension"].".replaced";
rename(UPLOAD_DIR .$name, UPLOAD_DIR .$newname);
$newname = $parts["filename"] . "-" . $i . "." . $parts["extension"] . ".replaced";
rename(UPLOAD_DIR . $name, UPLOAD_DIR . $newname);
}

// preserve file from temporary directory
$success = move_uploaded_file($tplFile["tmp_name"], UPLOAD_DIR . $name);
if (!$success) {
echo "<p>". xlt("Unable to save file: Use back button!") . "</p>";
echo "<p>" . xlt("Unable to save file: Use back button!") . "</p>";
exit;
}

// set proper permissions on the new file
chmod(UPLOAD_DIR . $name, 0644);
header("location: " . $_SERVER['HTTP_REFERER']);
}

function validateFile($filename = '')
{
$valid = false;
$filePath = $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates';
if (stripos($filename, $filePath) === false) {
return false;
}
if (preg_match("/(.*)\.(php|php3|php4|php5|php7)$/i", $filename) === 0) {
if (preg_match("/(.*)\.(tpl)$/i", $filename) === 1) {
$valid = true;
}
}
return $valid;
}
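Review bot: `validateFile()` only requires the templates directory string to appear somewhere in `$filename` and never canonicalizes the path, so a name that contains that prefix but also `..` segments still passes as long as it ends in `.tpl`, and the `get`, `save` and `delete` branches then operate on whatever path it resolves to. Canonicalize with `realpath()` and require the resolved directory to start with the templates directory, as below; the `.php` extension test becomes redundant once `.tpl` is mandatory, and `stripos` is case-insensitive on a case-sensitive filesystem. Separately, `header("location: " . $_SERVER['HTTP_REFERER'])` redirects to a request-supplied value; a fixed target such as `import_template_ui.php` would be the safer choice.
```php
function validateFile($filename = '')
{
    $templateDir = realpath($GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates');
    // realpath() resolves '..' and symlinks; only the directory must exist, so a
    // not-yet-created file in save mode is still accepted.
    $targetDir = realpath(dirname($filename));
    if ($templateDir === false || $targetDir === false) {
        return false;
    }
    // Prefix test with a trailing separator so "templates2" does not match "templates".
    if (strpos($targetDir . DIRECTORY_SEPARATOR, $templateDir . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return preg_match("/\.tpl$/i", basename($filename)) === 1;
}
```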
@@ -20,8 +20,6 @@
* @author Jerry Padgett <sjpadgett@gmail.com>
* @link http://www.open-emr.org
*/
//$ignoreAuth = true;


require_once("../interface/globals.php");
$getdir = isset($_POST['sel_pt']) ? $_POST['sel_pt'] : 0;
@@ -174,7 +172,7 @@ function getDocument(docname, mode, content){
</script>
<style>
.modal.modal-wide .modal-dialog {
width: 75%;
width: 55%;
}
.modal-wide .modal-body {
overflow-y: auto;
@@ -262,8 +260,8 @@ function getDocument(docname, mode, content){
<div class="edittpl" id="templatecontent"></div>
</div>
<div class="modal-footer">
<button type="button" class="btn btn-danger btn-sm" data-dismiss="modal"><?php echo xlt('Dismiss'); ?></button>
<button type="button" class="btn btn-success" data-dismiss="modal" onclick="tsave()"><?php echo xlt('Save'); ?></button>
<button type="button" class="btn btn-danger btn-xs" data-dismiss="modal"><?php echo xlt('Dismiss'); ?></button>
<button type="button" class="btn btn-success btn-xs" data-dismiss="modal" onclick="tsave()"><?php echo xlt('Save'); ?></button>
</div>
</div>
</div>
@@ -16,8 +16,8 @@
*/
/* */

session_start();
if (isset($_SESSION['pid']) && isset($_SESSION['patient_portal_onsite_two'])) {
session_start();
if (isset($_SESSION['pid']) && (isset($_SESSION['patient_portal_onsite_two']) || $_SESSION['register'] === true)) {
$pid = $_SESSION['pid'];
$ignoreAuth = true;
GlobalConfig::$PORTAL = true;
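Review bot: The new condition lets a session carrying `$_SESSION['register'] === true` through with `$ignoreAuth = true` and `$pid = $_SESSION['pid']` even when `patient_portal_onsite_two` is not set; if that session comes from the registration flow in the `@@ -13,7 +13,6 @@` hunk above, where `$_SESSION['pid']` is assigned the boolean placeholder `true`, then `$pid` here is not a patient id. Whether the pages that include this check cope with that depends on what they do with `$pid`, which is outside the hunk; confirm it, or narrow the registration branch to the endpoints registration actually needs. `$_SESSION['register']` is also read without `isset()` on this line. The enclosing `if` continues past the hunk.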
@@ -27,9 +27,9 @@
GlobalConfig::$PORTAL = false;
$ignoreAuth = false;
require_once(dirname(__FILE__) . "/../../interface/globals.php");
if (! isset($_SESSION['authUserID'])) {
if (!isset($_SESSION['authUserID'])) {
$landingpage = "index.php";
header('Location: '.$landingpage);
header('Location: ' . $landingpage);
exit;
}
}