Added access control
authorAgnibho Mondal <mondal@agnibho.com>
Mon, 17 May 2021 16:25:31 +0000 (21:55 +0530)
committerAgnibho Mondal <mondal@agnibho.com>
Mon, 17 May 2021 16:25:31 +0000 (21:55 +0530)
24 files changed:
access.json [new file with mode: 0644]
adduser
admission.php
attachments.php
death.php
discharge.php
error.php [new file with mode: 0644]
forms/admission.schema.json
history.php
index.php
laboratory.php
lib/access.php [new file with mode: 0644]
lib/db.php
lib/functions.php
lib/require.php [new file with mode: 0644]
login.php
nursing.php
physician.php
print-discharge.php
report.php
requisition.php
schema.sql
treatment.php
view.php

diff --git a/access.json b/access.json
new file mode 100644 (file)
index 0000000..380c1a1
--- /dev/null
@@ -0,0 +1,130 @@
+{
+    "info": {
+        "admin": "all",
+        "visiting": "all",
+        "resident": "all",
+        "nursing": "all",
+        "lab": "all",
+        "clerk": "view"
+    },
+    "diagnosis": {
+        "admin": "all",
+        "visiting": "all",
+        "resident": "all",
+        "nursing": "view",
+        "lab": "view",
+        "clerk": "view"
+    },
+    "summary": {
+        "admin": "all",
+        "visiting": "all",
+        "resident": "all",
+        "nursing": "view",
+        "lab": "view",
+        "clerk": "view"
+    },
+    "admission": {
+        "admin": "all",
+        "visiting": "all",
+        "resident": "all",
+        "nursing": "all",
+        "lab": "view",
+        "clerk": "all"
+    },
+    "attachments": {
+        "admin": "all",
+        "visiting": "all",
+        "resident": "all",
+        "nursing": "all",
+        "lab": "all",
+        "clerk": "view"
+    },
+    "death": {
+        "admin": "all",
+        "visiting": "all",
+        "resident": "all",
+        "nursing": "view",
+        "lab": "view",
+        "clerk": "view"
+    },
+    "discharge": {
+        "admin": "all",
+        "visiting": "all",
+        "resident": "all",
+        "nursing": "view",
+        "lab": "view",
+        "clerk": "view"
+    },
+    "history": {
+        "admin": "all",
+        "visiting": "all",
+        "resident": "all",
+        "nursing": "view",
+        "lab": "view",
+        "clerk": "view"
+    },
+    "laboratory": {
+        "admin": "all",
+        "visiting": "all",
+        "resident": "all",
+        "nursing": "all",
+        "lab": "all",
+        "clerk": "view"
+    },
+    "nursing": {
+        "admin": "all",
+        "visiting": "view",
+        "resident": "view",
+        "nursing": "all",
+        "lab": "view",
+        "clerk": "view"
+    },
+    "physician": {
+        "admin": "all",
+        "visiting": "all",
+        "resident": "all",
+        "nursing": "view",
+        "lab": "view",
+        "clerk": "view"
+    },
+    "print-discharge": {
+        "admin": "all",
+        "visiting": "all",
+        "resident": "all",
+        "nursing": "view",
+        "lab": "view",
+        "clerk": "view"
+    },
+    "report": {
+        "admin": "all",
+        "visiting": "view",
+        "resident": "view",
+        "nursing": "view",
+        "lab": "all",
+        "clerk": "view"
+    },
+    "requisition": {
+        "admin": "all",
+        "visiting": "all",
+        "resident": "all",
+        "nursing": "all",
+        "lab": "all",
+        "clerk": "view"
+    },
+    "treatment": {
+        "admin": "all",
+        "visiting": "all",
+        "resident": "all",
+        "nursing": "view",
+        "lab": "view",
+        "clerk": "view"
+    },
+    "view": {
+        "admin": "all",
+        "visiting": "all",
+        "resident": "all",
+        "nursing": "all",
+        "lab": "all",
+        "clerk": "view"
+    }
+}
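Review bot: access.json lives in the web root next to index.php, so the whole role matrix is served as a static file to any client that asks for it, which the commit does not address. Moving it under lib/ (or denying it in the server configuration) keeps the policy readable only by the application. Because JSON has no comment syntax, the meaning of `all`, `view` and of a missing entry (which checkAccess() resolves to no access) should be recorded in a README or in a comment at the top of lib/access.php.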
diff --git a/adduser b/adduser
index fb4c6b50e83b9c06b2a5da1a1d0ce439f18cf709..f878e2996a5066b2b1dd744568cf37c91170a368 100755 (executable)
--- a/adduser
+++ b/adduser
@@ -1,24 +1,27 @@
 #! /usr/bin/env php
 <?php
 $db=new SQLite3("data/data.db");
-if(!empty($_SERVER["argv"][1]) && !empty($_SERVER["argv"][2]) && !empty($_SERVER["argv"][3])){
+if(!empty($_SERVER["argv"][1]) && !empty($_SERVER["argv"][2]) && !empty($_SERVER["argv"][3]) && !empty($_SERVER["argv"][4])){
   $stmt=$db->prepare("SELECT * FROM users WHERE user=:user");
   $stmt->bindValue(":user",$_SERVER["argv"][1]);
   if($stmt->execute()->fetchArray()){
-    $stmt=$db->prepare("UPDATE users SET usergroup=:usergroup,hash=:hash WHERE user=:user");
+    $stmt=$db->prepare("UPDATE users SET usergroup=:usergroup,department=:department,hash=:hash WHERE user=:user");
     $stmt->bindValue(":user", $_SERVER["argv"][1]);
-    $stmt->bindValue(":hash", password_hash($_SERVER["argv"][3], PASSWORD_DEFAULT));
+    $stmt->bindValue(":usergroup", $_SERVER["argv"][2]);
+    $stmt->bindValue(":department", $_SERVER["argv"][3]);
+    $stmt->bindValue(":hash", password_hash($_SERVER["argv"][4], PASSWORD_DEFAULT));
     $stmt->execute();
   }
   else{
-    $stmt=$db->prepare("INSERT INTO users (user,usergroup,hash) VALUES (:user,:usergroup,:hash)");
+    $stmt=$db->prepare("INSERT INTO users (user,usergroup,department,hash) VALUES (:user,:usergroup,:department,:hash)");
     $stmt->bindValue(":user", $_SERVER["argv"][1]);
     $stmt->bindValue(":usergroup", $_SERVER["argv"][2]);
-    $stmt->bindValue(":hash", password_hash($_SERVER["argv"][3], PASSWORD_DEFAULT));
+    $stmt->bindValue(":department", $_SERVER["argv"][3]);
+    $stmt->bindValue(":hash", password_hash($_SERVER["argv"][4], PASSWORD_DEFAULT));
     $stmt->execute();
   }
 }
 else{
-  echo "Plese enter an username and password for entry into the DB\n";
+  echo basename(__FILE__)." [username] [usergroup] [department] [password]\n";
 }
 ?>
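Review bot: The usergroup from argv[2] is written to the users table without being checked against the groups that access.json defines, so a misspelt group such as `nurse` creates an account that can log in but resolves to no access on every page, with no error at creation time. A check before the INSERT/UPDATE gives the operator immediate feedback, e.g. `if(!in_array($_SERVER["argv"][2], ["admin","visiting","resident","nursing","lab","clerk"], true)){ fwrite(STDERR, "unknown usergroup\n"); exit(1); }`. Taking the password as argv[4] also leaves it in the shell history and the process list; reading it from STDIN would avoid that.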
index 6864344722cc376f91aba7186f0773221e9ab431..e1d5fc5290716ad3b2cc5d8b3884bca230e2dae9 100644 (file)
@@ -1,14 +1,7 @@
 <?php
-require("lib/functions.php");
-require("lib/db.php");
-session_start();
-if(empty($_SESSION["user"])){
-  header("Location: login.php");
-  exit();
-}
-session_start();
-if(empty($_SESSION["user"])){
-  header("Location: login.php");
+require("lib/require.php");
+if(checkAccess("admission")!="all"){
+  header("Location: error.php");
   exit();
 }
 if(!empty($_POST["pid"]) && !empty($_POST["name"])){
@@ -17,7 +10,11 @@ if(!empty($_POST["pid"]) && !empty($_POST["name"])){
   //exit();
 }
 if(!empty($_GET["pid"])){
-  $form=schema2form("forms/admission.schema.json", $_GET["pid"]);
+  $pid=$_GET["pid"];
+  if(!empty($_POST["diagnosis"]) || !empty($_POST["summary"])){
+    $db->editCase($pid, $_POST["diagnosis"], $_POST["summary"]);
+  }
+  $form=schema2form("forms/admission.schema.json", $pid);
 }
 else{
   $form=schema2form("forms/admission.schema.json");
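Review bot: The return value of `$db->editCase(...)` is discarded, yet editCase() returns false when the `history` write gate denies, so a denied save silently falls through and the form is re-rendered as if the change had been stored. Checking the result, `if($db->editCase($pid, $_POST["diagnosis"], $_POST["summary"])===false){ header("Location: error.php"); exit(); }`, makes the denial visible; editCase() returns nothing on success, so `===false` is safe. Note also that the `||` admits a request carrying only one of the two fields, in which case the other is undefined and the column is overwritten with NULL.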
@@ -33,7 +30,14 @@ else{
     <div class="container">
       <div class="card">
         <div class="card-body">
-          <h4 class="card-title">New Patient Information</h4>
+          <h4 class="card-title">Patient Information</h4>
+          <form method="post" class="mb-4" <?php echo checkAccess("history", "form");?>>
+            <label for="case-diagnosis">Diagnosis</label>
+            <input type="text" class="form-control" name="diagnosis" id="case-diagnosis" value="<?php if(!empty($pid)) echo $db->getDiagnosis($pid)->fetchArray()["diagnosis"];?>">
+            <label for="case-summary">Summary</label>
+            <textarea type="text" class="form-control" name="summary" id="case-summary"><?php if(!empty($pid)) echo $db->getSummary($pid)->fetchArray()["summary"];?></textarea>
+            <button class="btn btn-primary mt-3" type="submit">Save</button>
+          </form>
           <?php echo $form;?>
         </div>
       </div>
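Review bot: The diagnosis and summary values are echoed straight into a `value="..."` attribute and a `<textarea>` without escaping, so stored text containing quotes or angle brackets breaks the markup and is rendered as HTML. Wrap both with `htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8")` before output, e.g. `value="<?php if(!empty($pid)) echo htmlspecialchars($db->getDiagnosis($pid)->fetchArray()["diagnosis"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");?>"`. The `checkAccess("history", "form")` gate on the form only hides it; the server-side check that matters is the one inside editCase().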
index 2007734f1b6048d5ccbefce478dea1979c733abe..000e11851c2e746f68261030a69b801dd04cb24a 100644 (file)
@@ -1,11 +1,5 @@
 <?php
-require("lib/db.php");
-require("lib/functions.php");
-session_start();
-if(empty($_SESSION["user"])){
-  header("Location: login.php");
-  exit();
-}
+require("lib/require.php");
 $error="<p>";
 $imgs="<div class='card mb-3 w-100'><div class='card-body'><div class='row'>";
 $pdfs="<div class='card mb-3'><div class='card-body'>";
@@ -47,7 +41,7 @@ $error=$error."</p>";
   <body>
     <div class="container">
       <?php echo getInfo($pid);?>
-      <form class="mt-3 mb-3" method="post" enctype="multipart/form-data">
+      <form class="mt-3 mb-3" method="post" enctype="multipart/form-data" <?php echo checkAccess("attachments", "form");?>>
         <label for="upload">Select file to upload. JPG, PNG, GIF and PDF files are supported. Size limit: <span id="size-limit"><?php echo str_replace("M", "MB", ini_get("upload_max_filesize"));?></span><span id="upload-error"></span></label>
         <input type="file" name="upload" id="upload" class="form-control">
         <input type="submit" value="Upload" class="mt-2 btn btn-primary">
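Review bot: Hiding the upload form with `style='display:none'` is a presentation hint, not an access check; a client that posts the multipart request directly still reaches the upload handler. The handler that processes `$_FILES["upload"]` is above this hunk and, unlike the db.php writers, no `attachments` write gate is visible for it in this commit, so it presumably needs one, e.g. `if(!empty($_FILES["upload"]) && checkAccess("attachments")!="all"){ header("Location: error.php"); exit(); }` before the file is moved. Please confirm against the part of attachments.php outside the hunk.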
index 45b43af0ac1e20369832e8a66cf0e67e9f3eab60..29844f0221b4e5f0c2cfb565b467790169339d8f 100644 (file)
--- a/death.php
+++ b/death.php
@@ -1,9 +1,7 @@
 <?php
-require("lib/db.php");
-require("lib/functions.php");
-session_start();
-if(empty($_SESSION["user"])){
-  header("Location: login.php");
+require("lib/require.php");
+if(checkAccess("death")!="all"){
+  header("Location: error.php");
   exit();
 }
 if(!empty($_GET["pid"])){
index a7d6e9b427fcb4fe783fd763522b01412bbc5f10..d147c690c19739b46b5e9bc4e63962bb63377d12 100644 (file)
@@ -1,11 +1,5 @@
 <?php
-require("lib/db.php");
-require("lib/functions.php");
-session_start();
-if(empty($_SESSION["user"])){
-  header("Location: login.php");
-  exit();
-}
+require("lib/require.php");
 if(!empty($_GET["pid"])){
   $pid=$_GET["pid"];
   if(!empty($_POST["delete"])){
@@ -19,6 +13,7 @@ if(!empty($_GET["pid"])){
   $view=$view."<table class='table'>";
   $view=$view."<tr><th>Drug</th><th>Dose</th><th>Route</th><th>Frequency</th><th>Duration</th><th>Note</th></tr>";
   while($drug=$list->fetchArray()){
+    var_dump($drug);
     $view=$view."<tr><td>".$drug["drug"]."</td><td>".$drug["dose"]."</td><td>".$drug["route"]."</td><td>".$drug["frequency"]."</td><td>".$drug["duration"]."</td><td>".$drug["addl"]."</td><td><button class='btn btn-warning' name='delete' value='".$drug["rowid"]."' form='delete'>Delete</button></td></tr>";
   }
   $view=$view."</table>";
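Review bot: `var_dump($drug);` inside the loop is debugging output that was committed; it writes every column of each treatment row, including rowid, into the page body ahead of the table. Remove the line before this is deployed. The loop and the enclosing `if(!empty($_GET["pid"]))` block continue outside the hunk.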
@@ -39,8 +34,10 @@ if(!empty($_GET["pid"])){
           <?php echo $view;?>
         </div>
       </div>
-      <?php echo $form;?>
-      <form method="post" action="print-discharge.php?pid=<?php echo $pid;?>" class="mt-4">
+      <div <?php echo checkAccess("discharge", "form");?>>
+        <?php echo $form;?>
+      </div>
+      <form method="post" action="print-discharge.php?pid=<?php echo $pid;?>" class="mt-4" <?php echo checkAccess("discharge", "form");?>>
         <textarea class="form-control mb-2" id="discharge-note" name="discharge-note"></textarea>
         <button type="submit" class="btn btn-danger">Discharge Patient</button>
       </form>
diff --git a/error.php b/error.php
new file mode 100644 (file)
index 0000000..6597e48
--- /dev/null
+++ b/error.php
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Error Encountered</title>
+  </head>
+  <body>
+    <p>Your account does not have access to this page</p>
+  </body>
+</html>
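Review bot: error.php is served with HTTP 200, so a denied request looks like a successful page to clients, proxies and access logs. Sending a 403 makes the denial observable without changing the body, by adding `<?php http_response_code(403); ?>` as the first line before `<!DOCTYPE html>`. The page also offers no way back; a link to index.php or login.php would help users who land here after a session expires.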
index f2d76f5deb68926e5ca7fa7572eed6a11b2b7c6e..8b32425d72a7eb751b62aa8cec65bf7bd8b8117f 100644 (file)
         "bed": {
             "description": "Bed Number",
             "type": "string"
-        },
-        "diagnosis": {
-            "description": "Diagnosis",
-            "type": "string"
-        },
-        "summary": {
-            "description": "Summary",
-            "type": "string",
-            "format": "textarea"
         }
     },
     "required": ["pid", "name", "age", "sex", "date"]
index 982b91b1390bc3d250f6d830340594fa50d0858a..22c73200538b07b1b1e0b2a78798e6152db45931 100644 (file)
@@ -1,11 +1,5 @@
 <?php
-require("lib/db.php");
-require("lib/functions.php");
-session_start();
-if(empty($_SESSION["user"])){
-  header("Location: login.php");
-  exit();
-}
+require("lib/require.php");
 if(!empty($_GET["pid"])){
   $pid=$_GET["pid"];
   if(!empty($_POST["cc"])){
@@ -30,7 +24,9 @@ else{
   <body>
     <div class="container">
       <?php echo getInfo($pid);?>
-      <?php echo $form;?>
+      <div <?php echo checkAccess("history", "form");?>>
+        <?php echo $form;?>
+      </div>
     </div>
     <?php include("lib/foot.php");?>
   </body>
index 94632b15845bfeda38c290ae935eb95bf25f6362..f030dd57d44ba83779b813b8936aa86c9674bb90 100644 (file)
--- a/index.php
+++ b/index.php
@@ -1,12 +1,5 @@
 <?php
-require("lib/db.php");
-require("lib/functions.php");
-session_start();
-var_dump($_SESSION);
-if(empty($_SESSION["user"])){
-  header("Location: login.php");
-  exit();
-}
+require("lib/require.php");
 $list=$db->getPatientList();
 $showList="";
 while($arr=$list->fetchArray()){
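Review bot: Removing the session check here is a regression, because lib/require.php exempts index.php together with login.php from its login redirect (`if($page!="login.php" && $page!="index.php")`), so an unauthenticated request now reaches `$db->getPatientList()`; with no group in the session that call returns false and the following `fetchArray()` fails instead of redirecting. The exemption presumably exists because access.json has no `index` entry; keeping the login redirect for index.php and skipping only the access-matrix lookup would be the minimal fix, e.g. in require.php `if($page!="login.php"){ if(empty($_SESSION["user"])){ header("Location: login.php"); exit(); } if($page!="index.php"){ /* access check */ } }`. Dropping the `var_dump($_SESSION)` is good.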
index 6462ec79a31e06a2bbb9a1346228b2413078a3c3..c619e8e22fcb138c62c644b6cad46a54eb9eb7f6 100644 (file)
@@ -1,10 +1,5 @@
 <?php
-require("lib/functions.php");
-session_start();
-if(empty($_SESSION["user"])){
-  header("Location: login.php");
-  exit();
-}
+require("lib/require.php");
 $list="";
 if(isSet($_GET["pid"])){
   foreach(glob("forms/report*.json") as $file){
diff --git a/lib/access.php b/lib/access.php
new file mode 100644 (file)
index 0000000..5a99b63
--- /dev/null
@@ -0,0 +1,39 @@
+<?php
+function checkAccess($target, $type="page"){
+  $registry=json_decode(file_get_contents("access.json"));
+  $access="none";
+  if(!empty($_SESSION["group"])){
+    $group=$_SESSION["group"];
+    if(!empty($registry->$target->$group)){
+      $access=$registry->$target->$group;
+    }
+  }
+  if($type=="form"){
+    if($access=="all"){
+      return "";
+    }
+    else{
+      return "style='display:none'";
+    }
+  }
+  if($type=="dbSet"){
+    if($access=="all"){
+      return true;
+    }
+    else{
+      return false;
+    }
+  }
+  if($type=="dbGet"){
+    if($access=="all" || $access=="view"){
+      return true;
+    }
+    else{
+      return false;
+    }
+  }
+  else{
+    return $access;
+  }
+}
+?>
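Review bot: An unrecognised `$type` falls through to `return $access;`, and since `$access` is always a non-empty string (`"all"`, `"view"` or `"none"`) it is truthy, so any gate written as `if(!checkAccess(...)) return false;` with a mistyped type passes for every role — db.php's `checkAccess("history", "dbSet:")` in updateHistory() is exactly that case. Make unknown types fail closed by restricting the string return to the page lookup: replace the final `else{ return $access; }` with `if($type=="page"){ return $access; } return false;`. The function also re-reads and decodes access.json on every call, which happens once per gated DB method per request; a `static $registry` holding the decoded file would avoid that, and a decoding failure should be treated as no access rather than relying on `empty()` silencing the null dereference.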
index 50d1c084274c809055aa1b9ee2545275b8c23912..55f5a55f094fb4556727c8c84685c15c3ca2f3bf 100644 (file)
@@ -15,15 +15,28 @@ class DB extends SQLite3 {
       return(false);
     }
   }
+  function getGroup($username){
+    $stmt=$this->prepare("SELECT usergroup FROM users WHERE user=:user");
+    $stmt->bindValue(":user", $username);
+    $result=$stmt->execute();
+    return($result);
+  }
+  function getDepartment($username){
+    $stmt=$this->prepare("SELECT department FROM users WHERE user=:user");
+    $stmt->bindValue(":user", $username);
+    $result=$stmt->execute();
+    return($result);
+  }
   function admit($post){
-    $quer=$this->prepare("SELECT count(rowid) FROM patients WHERE pid=:pid");
-    $quer->bindValue(":pid", $post["pid"]);
-    $exist=$quer->execute();
+    if(!checkAccess("admission", "dbSet")) return false;
+    $query=$this->prepare("SELECT count(rowid) FROM patients WHERE pid=:pid");
+    $query->bindValue(":pid", $post["pid"]);
+    $exist=$query->execute();
     if($exist->fetchArray()[0]==0){
-      $stmt=$this->prepare("INSERT INTO patients (pid,name,age,sex,status,summary,ward,bed,diagnosis,data) VALUES (:pid,:name,:age,:sex,'admitted',:summary,:ward,:bed,:diagnosis,:data);");
+      $stmt=$this->prepare("INSERT INTO patients (pid,name,age,sex,status,vp,ward,bed,data) VALUES (:pid,:name,:age,:sex,:status,:vp,:ward,:bed,:data);");
     }
     else{
-      $stmt=$this->prepare("UPDATE patients SET name=:name,age=:age,sex=:sex,ward=:ward,bed=:bed,diagnosis=:diagnosis,summary=:summary,data=:data WHERE pid=:pid;");
+      $stmt=$this->prepare("UPDATE patients SET name=:name,age=:age,sex=:sex,ward=:ward,bed=:bed,vp=:vp,data=:data WHERE pid=:pid;");
     }
     $stmt->bindValue(":pid", $post["pid"]);
     $stmt->bindValue(":name", $post["name"]);
@@ -32,18 +45,27 @@ class DB extends SQLite3 {
     $stmt->bindValue(":status", "admitted");
     $stmt->bindValue(":ward", $post["ward"]);
     $stmt->bindValue(":bed", $post["bed"]);
-    $stmt->bindValue(":diagnosis", $post["diagnosis"]);
-    $stmt->bindValue(":summary", $post["summary"]);
+    $stmt->bindValue(":vp", $post["vp"]);
     $stmt->bindValue(":data", json_encode($post));
     $stmt->execute();
   }
+  function editCase($pid, $diagnosis, $summary){
+    if(!checkAccess("history", "dbSet")) return false;
+    $stmt=$this->prepare("UPDATE patients SET diagnosis=:diagnosis,summary=:summary WHERE pid=:pid;");
+    $stmt->bindValue(":pid", $pid);
+    $stmt->bindValue(":diagnosis", $diagnosis);
+    $stmt->bindValue(":summary", $summary);
+    $stmt->execute();
+  }
   function updateHistory($post, $pid){
+    if(!checkAccess("history", "dbSet:")) return false;
     $stmt=$this->prepare("UPDATE patients SET history=:history WHERE pid=:pid;");
     $stmt->bindValue(":history", json_encode($post));
     $stmt->bindValue(":pid", $pid);
     $stmt->execute();
   }
   function addPhysician($post, $pid){
+    if(!checkAccess("physician", "dbSet")) return false;
     $stmt=$this->prepare("INSERT INTO physician (pid, time, data) VALUES (:pid, :time, :data);");
     $stmt->bindValue(":pid", $pid);
     $stmt->bindValue(":time", strtotime($post["date"].$post["time"]));
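Review bot: updateHistory() calls `checkAccess("history", "dbSet:")` with a trailing colon in the type, so checkAccess() takes its fallback branch and returns the access string, which is truthy even for `"none"`; the history write is therefore not gated at all. The fix is `if(!checkAccess("history", "dbSet")) return false;`. The same `return false` pattern in editCase() here and in the add/edit/omit/delete/set methods of the later db.php hunks signals denial only through a return value that the page scripts never inspect, so a denied write is indistinguishable from success to the user; documenting that contract with a one-line comment on each gate, or redirecting to error.php from the gate, would make it explicit.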
@@ -51,6 +73,7 @@ class DB extends SQLite3 {
     $stmt->execute();
   }
   function editPhysician($post, $pid, $id){
+    if(!checkAccess("physician", "dbSet")) return false;
     $stmt=$this->prepare("UPDATE physician SET time=:time,data=:data WHERE pid=:pid AND rowid=:id;");
     $stmt->bindValue(":pid", $pid);
     $stmt->bindValue(":id", $id);
@@ -59,6 +82,7 @@ class DB extends SQLite3 {
     $stmt->execute();
   }
   function addNursing($post, $pid){
+    if(!checkAccess("nursing", "dbSet")) return false;
     $stmt=$this->prepare("INSERT INTO nursing (pid, time, data) VALUES (:pid, :time, :data);");
     $stmt->bindValue(":pid", $pid);
     $stmt->bindValue(":time", strtotime($post["date"].$post["time"]));
@@ -66,6 +90,7 @@ class DB extends SQLite3 {
     $stmt->execute();
   }
   function editNursing($post, $pid, $id){
+    if(!checkAccess("nursing", "dbSet")) return false;
     $stmt=$this->prepare("UPDATE nursing SET time=:time,data=:data WHERE pid=:pid AND rowid=:id;");
     $stmt->bindValue(":pid", $pid);
     $stmt->bindValue(":id", $id);
@@ -74,6 +99,7 @@ class DB extends SQLite3 {
     $stmt->execute();
   }
   function addReport($post, $pid, $form){
+    if(!checkAccess("report", "dbSet")) return false;
     $stmt=$this->prepare("INSERT INTO reports (pid, time, form, data) VALUES (:pid, :time, :form, :data);");
     $stmt->bindValue(":pid", $pid);
     $stmt->bindValue(":time", strtotime($post["date"].$post["time"]));
@@ -82,6 +108,7 @@ class DB extends SQLite3 {
     $stmt->execute();
   }
   function editReport($post, $pid, $id, $form){
+    if(!checkAccess("report", "dbSet")) return false;
     $stmt=$this->prepare("UPDATE reports SET time=:time,data=:data WHERE pid=:pid AND rowid=:id;");
     $stmt->bindValue(":pid", $pid);
     $stmt->bindValue(":id", $id);
@@ -90,6 +117,7 @@ class DB extends SQLite3 {
     $stmt->execute();
   }
   function addDrug($pid, $drug, $dose, $route, $frequency, $date, $time, $duration, $addl){
+    if(!checkAccess("treatment", "dbSet")) return false;
     $stmt=$this->prepare("INSERT INTO treatment (pid, drug, dose, route, frequency, start, duration, omit, addl) VALUES (:pid, :drug, :dose, :route, :frequency, :start, :duration, :omit, :addl);");
     $stmt->bindValue(":pid", $pid);
     $stmt->bindValue(":drug", $drug);
@@ -103,6 +131,7 @@ class DB extends SQLite3 {
     $stmt->execute();
   }
   function omitDrug($id){
+    if(!checkAccess("treatment", "dbSet")) return false;
     $stmt=$this->prepare("UPDATE treatment SET end=:end,omit=:omit WHERE rowid=:id;");
     $stmt->bindValue(":end", time());
     $stmt->bindValue(":omit", true);
@@ -110,6 +139,7 @@ class DB extends SQLite3 {
     $stmt->execute();
   }
   function addRequisition($pid, $test, $date, $time, $room, $form){
+    if(!checkAccess("requisition", "dbSet")) return false;
     $stmt=$this->prepare("INSERT INTO requisition (pid, test, time, room, form, status) VALUES (:pid, :test, :time, :room, :form, :status);");
     $stmt->bindValue(":pid", $pid);
     $stmt->bindValue(":test", $test);
@@ -120,12 +150,14 @@ class DB extends SQLite3 {
     $stmt->execute();
   }
   function omitRequisition($id){
+    if(!checkAccess("requisition", "dbSet")) return false;
     $stmt=$this->prepare("UPDATE requisition SET status=:status WHERE rowid=:id;");
     $stmt->bindValue(":status", "done");
     $stmt->bindValue(":id", $id);
     $stmt->execute();
   }
   function addAdvice($pid, $name, $dose, $route, $frequency, $duration, $addl){
+    if(!checkAccess("discharge", "dbSet")) return false;
     $stmt=$this->prepare("INSERT INTO discharge (pid, name, dose, route, frequency, duration, addl) VALUES (:pid, :name, :dose, :route, :frequency, :duration, :addl);");
     $stmt->bindValue(":pid", $pid);
     $stmt->bindValue(":name", $name);
@@ -137,17 +169,20 @@ class DB extends SQLite3 {
     $stmt->execute();
   }
   function deleteAdvice($id){
+    if(!checkAccess("discharge", "dbSet")) return false;
     $stmt=$this->prepare("DELETE FROM discharge WHERE rowid=:id;");
     $stmt->bindValue(":id", $id);
     $stmt->execute();
   }
   function setDischarged($pid){
+    if(!checkAccess("discharge", "dbSet")) return false;
     $stmt=$this->prepare("UPDATE patients SET status=:discharged WHERE pid=:pid;");
     $stmt->bindValue(":pid", $pid);
     $stmt->bindValue(":discharged", "discharged");
     $stmt->execute();
   }
   function setDead($pid, $post){
+    if(!checkAccess("death", "dbSet")) return false;
     $stmt=$this->prepare("INSERT INTO death (pid, time, data) VALUES (:pid, :time, :data);");
     $stmt->bindValue(":pid", $pid);
     $stmt->bindValue(":time", strtotime($post["date"].$post["time"]));
@@ -158,12 +193,14 @@ class DB extends SQLite3 {
     $stmt->execute();
   }
   function getDrugs($pid){
+    if(!checkAccess("treatment", "dbGet")) return false;
     $stmt=$this->prepare("SELECT rowid,* FROM treatment WHERE pid=:pid;");
     $stmt->bindValue(":pid", $pid);
     $result=$stmt->execute();
     return($result);
   }
   function getRequisitions($pid){
+    if(!checkAccess("requisition", "dbGet")) return false;
     $stmt=$this->prepare("SELECT rowid,* FROM requisition WHERE pid=:pid AND status=:status;");
     $stmt->bindValue(":pid", $pid);
     $stmt->bindValue(":status", "active");
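Review bot: The `dbGet` gates make getDrugs() and getRequisitions() return false when access is denied, but every caller chains `->fetchArray()` on the result, so a denied read now raises a fatal "call to a member function on bool" instead of an access error; the same applies to every getter in the following two db.php hunks and to callers such as admission.php (`$db->getDiagnosis($pid)->fetchArray()`), functions.php (`$db->getAdmissionData($pid)->fetchArray()`) and getInfo(). Either the callers must test `=== false` before fetching, or the gate should redirect to error.php rather than return. Documenting the false return in a docblock on each getter, `/** @return SQLite3Result|false false when the caller's group lacks view access */`, would at least make the contract visible.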
@@ -171,106 +208,125 @@ class DB extends SQLite3 {
     return($result);
   }
   function getAdvice($pid){
+    if(!checkAccess("discharge", "dbGet")) return false;
     $stmt=$this->prepare("SELECT rowid,* FROM discharge WHERE pid=:pid;");
     $stmt->bindValue(":pid", $pid);
     $result=$stmt->execute();
     return($result);
   }
   function getName($pid){
+    if(!checkAccess("info", "dbGet")) return false;
     $stmt=$this->prepare("SELECT name FROM patients WHERE pid=:pid;");
     $stmt->bindValue(":pid", $pid);
     $result=$stmt->execute();
     return($result);
   }
   function getAge($pid){
+    if(!checkAccess("info", "dbGet")) return false;
     $stmt=$this->prepare("SELECT age FROM patients WHERE pid=:pid;");
     $stmt->bindValue(":pid", $pid);
     $result=$stmt->execute();
     return($result);
   }
   function getSex($pid){
+    if(!checkAccess("info", "dbGet")) return false;
     $stmt=$this->prepare("SELECT sex FROM patients WHERE pid=:pid;");
     $stmt->bindValue(":pid", $pid);
     $result=$stmt->execute();
     return($result);
   }
   function getWard($pid){
+    if(!checkAccess("info", "dbGet")) return false;
     $stmt=$this->prepare("SELECT ward FROM patients WHERE pid=:pid;");
     $stmt->bindValue(":pid", $pid);
     $result=$stmt->execute();
     return($result);
   }
   function getBed($pid){
+    if(!checkAccess("info", "dbGet")) return false;
     $stmt=$this->prepare("SELECT bed FROM patients WHERE pid=:pid;");
     $stmt->bindValue(":pid", $pid);
     $result=$stmt->execute();
     return($result);
   }
   function getStatus($pid){
+    if(!checkAccess("info", "dbGet")) return false;
     $stmt=$this->prepare("SELECT status FROM patients WHERE pid=:pid;");
     $stmt->bindValue(":pid", $pid);
     $result=$stmt->execute();
     return($result);
   }
   function getDiagnosis($pid){
+    if(!checkAccess("diagnosis", "dbGet")) return false;
     $stmt=$this->prepare("SELECT diagnosis FROM patients WHERE pid=:pid;");
     $stmt->bindValue(":pid", $pid);
     $result=$stmt->execute();
     return($result);
   }
   function getPatientList(){
+    if(!checkAccess("info", "dbGet")) return false;
     $stmt=$this->prepare("SELECT pid,ward,bed,name,diagnosis FROM patients;");
     $result=$stmt->execute();
     return($result);
   }
   function getRequisitionList(){
+    if(!checkAccess("requisition", "dbGet")) return false;
     $stmt=$this->prepare("SELECT rowid,pid,test,room,time,form FROM requisition WHERE status=:active;");
     $stmt->bindValue(":active", "active");
     $result=$stmt->execute();
     return($result);
   }
   function getForm($id){
-      $stmt=$this->prepare("SELECT form FROM reports WHERE rowid=:id;");
-      $stmt->bindValue(":id", $id);
-      $result=$stmt->execute();
-      return($result);
+    if(!checkAccess("report", "dbGet")) return false;
+    $stmt=$this->prepare("SELECT form FROM reports WHERE rowid=:id;");
+    $stmt->bindValue(":id", $id);
+    $result=$stmt->execute();
+    return($result);
   }
   function getAdmission($pid){
-      $stmt=$this->prepare("SELECT admission FROM patients WHERE pid=:pid;");
-      $stmt->bindValue(":pid", $pid);
-      $result=$stmt->execute();
-      return($result);
+    if(!checkAccess("admission", "dbGet")) return false;
+    $stmt=$this->prepare("SELECT admission FROM patients WHERE pid=:pid;");
+    $stmt->bindValue(":pid", $pid);
+    $result=$stmt->execute();
+    return($result);
   }
   function getAdmissionData($pid){
-      $stmt=$this->prepare("SELECT data FROM patients WHERE pid=:pid;");
-      $stmt->bindValue(":pid", $pid);
-      $result=$stmt->execute();
-      return($result);
+    if(!checkAccess("admission", "dbGet")) return false;
+    $stmt=$this->prepare("SELECT data FROM patients WHERE pid=:pid;");
+    $stmt->bindValue(":pid", $pid);
+    $result=$stmt->execute();
+    return($result);
   }
   function getDeparture($pid){
-      $stmt=$this->prepare("SELECT departure FROM patients WHERE pid=:pid;");
-      $stmt->bindValue(":pid", $pid);
-      $result=$stmt->execute();
-      return($result);
+    if(!checkAccess("admission", "dbGet")) return false;
+    $stmt=$this->prepare("SELECT departure FROM patients WHERE pid=:pid;");
+    $stmt->bindValue(":pid", $pid);
+    $result=$stmt->execute();
+    return($result);
   }
   function getSummary($pid){
-      $stmt=$this->prepare("SELECT summary FROM patients WHERE pid=:pid;");
-      $stmt->bindValue(":pid", $pid);
-      $result=$stmt->execute();
-      return($result);
+    if(!checkAccess("summary", "dbGet")) return false;
+    $stmt=$this->prepare("SELECT summary FROM patients WHERE pid=:pid;");
+    $stmt->bindValue(":pid", $pid);
+    $result=$stmt->execute();
+    return($result);
   }
   function getHistory($pid){
-      $stmt=$this->prepare("SELECT history FROM patients WHERE pid=:pid;");
-      $stmt->bindValue(":pid", $pid);
-      $result=$stmt->execute();
-      return($result);
+    if(!checkAccess("history", "dbGet")) return false;
+    $stmt=$this->prepare("SELECT history FROM patients WHERE pid=:pid;");
+    $stmt->bindValue(":pid", $pid);
+    $result=$stmt->execute();
+    return($result);
   }
   function getData($pid, $id, $cat){
     if($cat=="physician"){
+      if(!checkAccess("physician", "dbGet")) return false;
       $stmt=$this->prepare("SELECT data FROM physician WHERE pid=:pid AND rowid=:id;");
     } elseif($cat=="nursing"){
+      if(!checkAccess("nursing", "dbGet")) return false;
       $stmt=$this->prepare("SELECT data FROM nursing WHERE pid=:pid AND rowid=:id;");
     } elseif($cat=="reports"){
+      if(!checkAccess("report", "dbGet")) return false;
       $stmt=$this->prepare("SELECT data FROM reports WHERE pid=:pid AND rowid=:id;");
     } else{
       return(false);
@@ -282,14 +338,19 @@ class DB extends SQLite3 {
   }
   function getAllData($pid, $cat){
     if($cat=="physician"){
+      if(!checkAccess("physician", "dbGet")) return false;
       $stmt=$this->prepare("SELECT rowid,data FROM physician WHERE pid=:pid;");
     } elseif($cat=="nursing"){
+      if(!checkAccess("nursing", "dbGet")) return false;
       $stmt=$this->prepare("SELECT rowid,data FROM nursing WHERE pid=:pid;");
     } elseif($cat=="reports"){
+      if(!checkAccess("report", "dbGet")) return false;
       $stmt=$this->prepare("SELECT rowid,data FROM reports WHERE pid=:pid;");
     } elseif($cat=="info"){
+      if(!checkAccess("info", "dbGet")) return false;
       $stmt=$this->prepare("SELECT rowid,data FROM patients WHERE pid=:pid;");
     } elseif($cat=="history"){
+      if(!checkAccess("history", "dbGet")) return false;
       $stmt=$this->prepare("SELECT rowid,history FROM patients WHERE pid=:pid;");
     } else{
       return(false);
index 51c3cb3e130be5e04ea9b8cdb64d2be3b33b719c..434ca81752166b855fdec4cad372ed6e7d4ec6c7 100644 (file)
@@ -8,7 +8,7 @@ function schema2form($file, $pid=null, $id=null, $cat=null, $data=null){
     $data=json_decode($db->getData($pid, $id, $cat)->fetchArray()["data"]);
   }
   elseif(!empty($pid) && $file=="forms/admission.schema.json"){
-    $data=json_decode($db->getAdmission($pid)->fetchArray()["data"]);
+    $data=json_decode($db->getAdmissionData($pid)->fetchArray()["data"]);
     $lockpid="readonly";
   }
   elseif(!empty($pid) && $file=="forms/history.schema.json"){
diff --git a/lib/require.php b/lib/require.php
new file mode 100644 (file)
index 0000000..f2f5f85
--- /dev/null
@@ -0,0 +1,18 @@
+<?php
+require("lib/access.php");
+require("lib/db.php");
+require("lib/functions.php");
+session_start();
+$page=basename($_SERVER["PHP_SELF"]);
+if($page!="login.php" && $page!="index.php"){
+  if(empty($_SESSION["user"])){
+    header("Location: login.php");
+    exit();
+  }
+  $access=checkAccess(basename($_SERVER["PHP_SELF"], ".php"));
+  if($access!="all" && $access!="view"){
+    header("Location: error.php");
+    exit();
+  }
+}
+?>
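Review bot: Both page-name lookups use `basename($_SERVER["PHP_SELF"])`, but PHP_SELF can carry trailing path info after the script name on servers that accept it, in which case basename() yields the trailing segment rather than the executing script and the wrong access entry, or the login.php exemption, is applied. `$_SERVER["SCRIPT_NAME"]` names the running script regardless: `$page=basename($_SERVER["SCRIPT_NAME"]);` and `$access=checkAccess(basename($page, ".php"));`. A header comment stating that this file must be the first require of every page, and that pages absent from access.json are denied, would help the next page author.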
index 4a4fde56ba2d2daec5ed6528029972ede44ac2fd..c8d037dd95a13a48eef77c46251adf05b7cc954a 100644 (file)
--- a/login.php
+++ b/login.php
@@ -1,14 +1,15 @@
 <?php
-require("lib/db.php");
-require("lib/functions.php");
-session_start();
+require("lib/require.php");
 $error="";
 if(!empty($_GET["action"]) && $_GET["action"]=="logout"){
   $_SESSION["user"]=null;
+  $_SESSION["group"]=null;
 }
 if(!empty($_POST["username"]) && !empty($_POST["password"])){
   if($db->checkUser($_POST["username"], $_POST["password"])){
     $_SESSION["user"]=$_POST["username"];
+    $_SESSION["group"]=$db->getGroup($_SESSION["user"])->fetchArray()["usergroup"];
+    $_SESSION["department"]=$db->getDepartment($_SESSION["user"])->fetchArray()["department"];
     header("Location: index.php");
     exit();
   }
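Review bot: A successful login stores the user, group and department in the existing session without rotating its id, so a session id that was issued before authentication keeps its value afterwards; add `session_regenerate_id(true);` immediately before `$_SESSION["user"]=$_POST["username"];`. The logout branch clears `user` and `group` but not the newly added `department`, so it survives into the next login; `$_SESSION=array(); session_destroy();` clears all three at once. The closing of the `if` and the rest of login.php are outside the hunk.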
index 8955a19303f9a4a11545f37f7b7dfc1c36fd8838..c7a0ff751ac19c9fc2459fd6d3633c6e3eecd424 100644 (file)
@@ -1,11 +1,5 @@
 <?php
-require("lib/db.php");
-require("lib/functions.php");
-session_start();
-if(empty($_SESSION["user"])){
-  header("Location: login.php");
-  exit();
-}
+require("lib/require.php");
 if(!empty($_GET["pid"])){
   $pid=$_GET["pid"];
   if(!empty($_POST["date"]) && !empty($_POST["time"])){
@@ -19,7 +13,7 @@ if(!empty($_GET["pid"])){
     //exit();
   }
   if(isSet($_GET["id"])){
-    $form=schema2form("forms/nursing.schema.json", $pid, $_GET["id"], "clinical");
+    $form=schema2form("forms/nursing.schema.json", $pid, $_GET["id"], "nursing");
   }
   else{
     $form=schema2form("forms/nursing.schema.json");
@@ -35,7 +29,9 @@ if(!empty($_GET["pid"])){
   <body>
     <div class="container">
       <?php echo getInfo($pid);?>
-      <?php echo $form;?>
+      <div <?php echo checkAccess("nursing", "form");?>>
+        <?php echo $form;?>
+      </div>
     </div>
     <?php include("lib/foot.php");?>
   </body>
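Review bot: The `checkAccess("nursing", "form")` attribute at line 891 only changes how the form is rendered; whatever it emits is not honoured by the request the form would submit, and lib/require.php admits users with "view" access to this page, so the POST branch starting at line 876 (its body lies outside this hunk) appears to run for them unless it checks the access level itself. A write should be rejected server-side before `$db` is touched, following the pattern report.php uses: `if(checkAccess("nursing")!="all"){ header("Location: error.php"); exit(); }` placed ahead of the POST handling. The same render-only gating appears in physician.php (line 925), requisition.php (lines 978 and 987, with the `del` handler at line 972) and treatment.php (lines 1036 and 1045, with the `omit` handler at line 1030).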
index 941c16d9508efdd1fe4699f75e75e6a2d359f562..8113d6588adf3f736d057d8a0e0cb17c75de60d8 100644 (file)
@@ -1,11 +1,5 @@
 <?php
-require("lib/db.php");
-require("lib/functions.php");
-session_start();
-if(empty($_SESSION["user"])){
-  header("Location: login.php");
-  exit();
-}
+require("lib/require.php");
 if(!empty($_GET["pid"])){
   $pid=$_GET["pid"];
   if(!empty($_POST["date"]) && !empty($_POST["time"])){
@@ -19,7 +13,7 @@ if(!empty($_GET["pid"])){
     //exit();
   }
   if(isSet($_GET["id"])){
-    $form=schema2form("forms/physician.schema.json", $pid, $_GET["id"], "clinical");
+    $form=schema2form("forms/physician.schema.json", $pid, $_GET["id"], "physician");
   }
   else{
     $form=schema2form("forms/physician.schema.json");
@@ -35,7 +29,9 @@ if(!empty($_GET["pid"])){
   <body>
     <div class="container">
       <?php echo getInfo($pid);?>
-      <?php echo $form;?>
+      <div <?php echo checkAccess("physician", "form");?>>
+        <?php echo $form;?>
+      </div>
     </div>
     <?php include("lib/foot.php");?>
   </body>
index e3e041c04d384263d9a8aa6b984386c300b9df91..54068edbed7e5ae0a72d2968fb640625e309650f 100644 (file)
@@ -1,11 +1,5 @@
 <?php
-require("lib/db.php");
-require("lib/functions.php");
-session_start();
-if(empty($_SESSION["user"])){
-  header("Location: login.php");
-  exit();
-}
+require("lib/require.php");
 function json2tex($data){
     $data=json_decode($data);
     if(!empty($data->form)){
index 571edab313ffcc909af86f7043d0283afda47104..3bb59124dcdd6ea3541d1cc51b158490191835e1 100644 (file)
@@ -1,9 +1,7 @@
 <?php
-require("lib/db.php");
-require("lib/functions.php");
-session_start();
-if(empty($_SESSION["user"])){
-  header("Location: login.php");
+require("lib/require.php");
+if(checkAccess("report")!="all"){
+  header("Location: error.php");
   exit();
 }
 if(!empty($_GET["pid"]) && !empty($_GET["form"])){
index 723059c54f2e17a63b7793fb98b0036ef1d1f12f..1382f5c76ac4c018c54d13d6c5f4586f24ef8ee9 100644 (file)
@@ -1,11 +1,5 @@
 <?php
-require("lib/db.php");
-require("lib/functions.php");
-session_start();
-if(empty($_SESSION["user"])){
-  header("Location: login.php");
-  exit();
-}
+require("lib/require.php");
 if(isSet($_GET["pid"])){
   $pid=$_GET["pid"];
   if(!empty($_POST["del"])){
@@ -40,7 +34,7 @@ if(isSet($_GET["pid"])){
   $reqList=$db->getRequisitions($pid);
   $list="";
   while($req=$reqList->fetchArray()){
-    $list=$list."<tr><td>".$req["test"]."</td><td>".$req["room"]."</td><td>".date("M j, Y", $req["time"])."</td><td><button type='submit' class='btn btn-secondary' name='del' value='".$req["rowid"]."' form='delete'>Delete</button></td></tr>";
+    $list=$list."<tr><td>".$req["test"]."</td><td>".$req["room"]."</td><td>".date("M j, Y", $req["time"])."</td><td><button type='submit' class='btn btn-secondary' name='del' value='".$req["rowid"]."' form='delete' ".checkAccess("requisition","form").">Delete</button></td></tr>";
   }
 }
 ?>
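Review bot: The rewritten line 978 still concatenates `$req["test"]`, `$req["room"]` and `$req["rowid"]` straight into HTML markup and attribute values with no escaping; if any of these originates from user input (the form below submits a `test` field, `room` is not visible here), stored script injection into this page is possible for every user who can view it. Wrap each value, e.g. `htmlspecialchars((string)$req["test"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, or add a small escaping helper to lib/functions.php and apply it to every column in this loop. The drug row built at line 1036 in treatment.php has the same shape and should get the same treatment.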
@@ -60,7 +54,7 @@ if(isSet($_GET["pid"])){
             <tr><th>Test Name</th><th>Destination</th><th>Date</th><th></th></tr>
             <?php echo $list;?>
           </table>
-          <form method="post">
+          <form method="post" <?php echo checkAccess("requisition", "form");?>>
             <div class="row">
               <div class="col">
             <select name="test">
index b570d58cd142189a9da9be8bef19d4ea17e0ac94..51883e5773bf3413310696486c31b5a1fdd05e93 100644 (file)
@@ -6,7 +6,7 @@ data text
 );
 CREATE TABLE discharge(
 pid int,
-name text,
+drug text,
 dose text,
 route text,
 frequency text,
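Review bot: Renaming `name` to `drug` at lines 996-997, like the `vp` column added at line 1005 and `department` at line 1013, changes a CREATE TABLE statement without any accompanying ALTER TABLE, so a database already created from the earlier schema keeps the old column set while the PHP that reads `$drug["drug"]` and `$db->getDepartment()` now expects the new one. If existing deployments are to be upgraded in place, an explicit migration (or at least a note in the commit that the database must be recreated) is needed. I am inferring the upgrade path from the diff alone; if the project has no installed instances yet this is moot.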
@@ -24,6 +24,7 @@ name text,
 age int,
 sex text,
 status text,
+vp text,
 diagnosis text,
 summary text,
 admission int,
@@ -68,6 +69,7 @@ addl text
 CREATE TABLE users(
 user text unique,
 usergroup text,
+department text,
 hash text,
 change boolean,
 last int
index 2b8c29ddea38909701085bb4a4a7cad0aac65bf8..b75f235222df7df8c60ee9827c6414de70e50e2b 100644 (file)
@@ -1,11 +1,5 @@
 <?php
-require("lib/db.php");
-require("lib/functions.php");
-session_start();
-if(empty($_SESSION["user"])){
-  header("Location: login.php");
-  exit();
-}
+require("lib/require.php");
 if(!empty($_GET["pid"])){
   $pid=$_GET["pid"];
   if(!empty($_POST["omit"])){
@@ -29,7 +23,7 @@ if(!empty($_GET["pid"])){
         }
       } catch(TypeError $e){}
     }
-    $view=$view."<tr class='".$omit."'><td>".$drug["drug"]."</td><td>".$drug["dose"]."</td><td>".$drug["route"]."</td><td>".$drug["frequency"]."</td><td>".date("M j", $drug["start"])."</td><td>".$drug["duration"]."</td><td>".$drug["addl"]."</td><td><button type='submit' class='btn btn-warning' name='omit' value='".$drug["rowid"]."' form='omitter' ".$omit.">Omit</button></td></tr>";
+    $view=$view."<tr class='".$omit."'><td>".$drug["drug"]."</td><td>".$drug["dose"]."</td><td>".$drug["route"]."</td><td>".$drug["frequency"]."</td><td>".date("M j", $drug["start"])."</td><td>".$drug["duration"]."</td><td>".$drug["addl"]."</td><td><button type='submit' class='btn btn-warning' name='omit' value='".$drug["rowid"]."' form='omitter' ".$omit." ".checkAccess("treatment", "form").">Omit</button></td></tr>";
   }
   $view=$view."</table>";
   $form=schema2form("forms/drugs.schema.json");
@@ -53,7 +47,9 @@ if(!empty($_GET["pid"])){
           </table>
         </div>
       </div>
-      <?php echo $form;?>
+      <div <?php echo checkAccess("treatment","form");?>>
+        <?php echo $form;?>
+      </div>
     </div>
     <?php include("lib/foot.php");?>
   </body>
index be6888983853f82d95b8ff484699e3c2d8074e56..e1525075df08e59b3fbca53a470c52aaa6ef2a75 100644 (file)
--- a/view.php
+++ b/view.php
@@ -1,11 +1,5 @@
 <?php
-require("lib/db.php");
-require("lib/functions.php");
-session_start();
-if(empty($_SESSION["user"])){
-  header("Location: login.php");
-  exit();
-}
+require("lib/require.php");
 $info="";
 $physician=[];
 $nursing=[];