From 2973592bc7b1f4996738a6fd27d1e277e33676b6 Mon Sep 17 00:00:00 2001
From: Brady Miller
Date: Sun, 24 Jul 2022 16:51:09 -0700
Subject: [PATCH] bug fix e4
---
 .../summary/add_edit_amendments.php | 23 +++++++++++++++----
 .../patient_file/summary/demographics.php | 8 +++----
 .../patient_file/summary/list_amendments.php | 7 ++++++
 .../patient_file/summary/print_amendments.php | 8 +++++++
 4 files changed, 38 insertions(+), 8 deletions(-)
diff --git a/interface/patient_file/summary/add_edit_amendments.php b/interface/patient_file/summary/add_edit_amendments.php
index a3f5bb674ca..a07223230ad 100644
--- a/interface/patient_file/summary/add_edit_amendments.php
+++ b/interface/patient_file/summary/add_edit_amendments.php
@@ -17,8 +17,18 @@ use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
+
+//ensure user has proper access
+if (!AclMain::aclCheckCore('patients', 'amendment')) {
+ echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Amendments")]);
+ exit;
+}
+$editAccess = AclMain::aclCheckCore('patients', 'amendment', '', 'write');
+$addAccess = ($editAccess || AclMain::aclCheckCore('patients', 'amendment', '', 'addonly'));
+
 if (isset($_POST['mode'])) {
 if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
 CsrfUtils::csrfNotVerified();
@@ -28,6 +38,10 @@ $created_time = date('Y-m-d H:i');
 if ($_POST["amendment_id"] == "") {
 // New. Insert
+ if (!$addAccess) {
+ echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Amendment Add")]);
+ exit;
+ }
 $query = "INSERT INTO amendments SET
 amendment_date = ?,
 amendment_by = ?,
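Review bot: `$addAccess` is computed with a second `aclCheckCore` call on top of `$editAccess`, while the demographics hunk in this same commit expresses the identical permission as one call with the array form, `AclMain::aclCheckCore('patients', 'amendment', '', ['write', 'addonly'])`; if that form means any-of, `$addAccess = AclMain::aclCheckCore('patients', 'amendment', '', ['write', 'addonly']);` keeps the two files consistent and avoids a redundant ACL lookup. The three gates deserve a short comment above them, e.g. `// view ACL gates the whole page; $editAccess gates updates, $addAccess gates inserts of new amendments`. The `if (isset($_POST['mode']))` block that follows continues outside the hunk.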
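Review bot: The new `$addAccess` guard is reached through the loose comparison `if ($_POST["amendment_id"] == "")` on the line above it, which raises an undefined-index warning when the field is absent and relies on `null == ""` to select the insert branch. Since this condition is now the only thing deciding which permission applies, make it explicit: `if (($_POST['amendment_id'] ?? '') === '') {`. The `INSERT` statement that starts at the end of the hunk continues outside it.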
@@ -50,6 +64,10 @@
 } else {
 $amendment_id = $_POST['amendment_id'];
 // Existing. Update
+ if (!$editAccess) {
+ echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Amendment Edit")]);
+ exit;
+ }
 $query = "UPDATE amendments SET
 amendment_date = ?,
 amendment_by = ?,
@@ -102,12 +120,9 @@ $resultSet = sqlStatement($query, array($amendment_id));
 }
-// Check the ACL
-$haveAccess = AclMain::aclCheckCore('patients', 'trans');
-$onlyRead = ( $haveAccess ) ? 0 : 1;
+$onlyRead = ( $editAccess || ($addAccess && empty($amendment_id)) ) ? 0 : 1;
 $onlyRead = ( $onlyRead || (!empty($amendment_status)) ) ? 1 : 0;
 $customAttributes = ( $onlyRead ) ? array("disabled" => "true") : null;
-
 ?>
diff --git a/interface/patient_file/summary/demographics.php b/interface/patient_file/summary/demographics.php
index faeeecfb42c..ecb24873ca6 100644
--- a/interface/patient_file/summary/demographics.php
+++ b/interface/patient_file/summary/demographics.php
@@ -852,7 +852,7 @@ function setMyPatient() { } + if (!empty($GLOBALS['right_justify_labels_demographics']) && ($_SESSION['language_direction'] == 'ltr')) { ?> div.tab td.label_custom, div.label_custom { text-align: right !important; }
@@ -863,7 +863,7 @@ function setMyPatient() { } - + rem; } - + #DEM .data { font-size: rem; }
@@ -1218,7 +1218,7 @@ function setMyPatient() {
 'btnCLass' => '',
 'linkMethod' => 'html',
 'bodyClass' => 'notab collapse show',
- 'auth' => AclMain::aclCheckCore('patients', 'amendment', '', 'write'),
+ 'auth' => AclMain::aclCheckCore('patients', 'amendment', '', ['write', 'addonly']),
 'amendments' => $amendments,
 'prependedInjection' => $dispatchResult->getPrependedInjection(),
 'appendedInjection' => $dispatchResult->getAppendedInjection(),
diff --git a/interface/patient_file/summary/list_amendments.php b/interface/patient_file/summary/list_amendments.php
index 06905eaa41c..a95d61ab793 100644
--- a/interface/patient_file/summary/list_amendments.php
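Review bot: The `$editAccess` guard is the only server-side gate on the UPDATE branch, yet the read-only logic later in this same file treats an amendment with a non-empty `$amendment_status` as not editable, and that lock is enforced only by the `disabled` form attribute, so a user with write ACL can still POST an update to a locked record. `$amendment_id` is also taken straight from `$_POST`; whether the UPDATE's WHERE clause scopes it to the current patient is outside the hunk, so a cross-patient edit is possible if it does not. Before building the query, load the target row with the same parameterised `sqlStatement` pattern the page already uses and render the unauthorized page when it is missing, belongs to another patient, or already carries a status. The `if/else` this branch belongs to, and the UPDATE statement, both continue outside the hunk.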
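Review bot: The two-step int-coerced ternary for `$onlyRead` is hard to read now that the first step carries a compound condition; a single boolean with a comment states the rule directly: `// read-only unless the user may edit, or may add and this is a new record; amendments with a status set are always read-only` followed by `$onlyRead = (!($editAccess || ($addAccess && empty($amendment_id))) || !empty($amendment_status)) ? 1 : 0;`. Note that `$onlyRead` only feeds the `disabled` attribute on the form, so it must not be read as an authorization check. The `}` at the top of the hunk closes a block that starts outside it.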
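Review bot: The `auth` flag now passes `['write', 'addonly']` as the return-value argument, but whether `aclCheckCore` treats a list as any-of or all-of is not visible here; if it is all-of, a user with only `addonly` loses the control this flag gates, which is the opposite of what the commit intends. A one-line comment such as `// show the add/edit control to users who may write or add amendments` would record the intended semantics, and a check with an addonly-only user would confirm them. The array literal this line sits in starts and ends outside the hunk.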
+++ b/interface/patient_file/summary/list_amendments.php
@@ -15,8 +15,15 @@ require_once("../../globals.php");
 require_once("$srcdir/options.inc.php");
+use OpenEMR\Common\Acl\AclMain;
+use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
+//ensure user has proper access
+if (!AclMain::aclCheckCore('patients', 'amendment')) {
+ echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Amendment List")]);
+ exit;
+}
 ?>
diff --git a/interface/patient_file/summary/print_amendments.php b/interface/patient_file/summary/print_amendments.php
index 17b19bfdbd2..2f73ec82962 100644
--- a/interface/patient_file/summary/print_amendments.php
+++ b/interface/patient_file/summary/print_amendments.php
@@ -15,8 +15,16 @@ require_once("../../globals.php");
 require_once("$srcdir/options.inc.php");
+use OpenEMR\Common\Acl\AclMain;
+use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
+//ensure user has proper access
+if (!AclMain::aclCheckCore('patients', 'amendment')) {
+ echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Amendment Print")]);
+ exit;
+}
+
 $amendments = $_REQUEST["ids"];
 $amendments = rtrim($amendments, ",");
 $amendmentsList = explode(",", $amendments);
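Review bot: The same five-line "check view ACL, render unauthorized, exit" block is now pasted into three files by this commit (here, print_amendments.php and add_edit_amendments.php), differing only in the page title; a single shared helper, e.g. `AclMain::requireCoreOrExit('patients', 'amendment', xl("Amendment List"))` returning `never`, would keep the three copies from drifting when the template name or kernel wiring changes. The comment above the check restates the code; `// page is read-only and lists amendments, so view ACL on patients/amendment is sufficient` would say why this check and not the write one. Only the `use` block and the ACL check are inside the hunk; the rest of the page follows the closing `?>`.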
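Review bot: `$_REQUEST["ids"]` is still consumed unvalidated right after the new ACL check: the ids are neither constrained to integers nor, as far as this hunk shows, scoped to the current patient, so any user who passes the view ACL can print amendments of any patient by guessing ids, and a missing `ids` parameter raises an undefined-index warning. Replace the three lines with `$amendmentsList = array_map('intval', array_filter(explode(',', $_REQUEST['ids'] ?? ''), 'ctype_digit'));`, which also makes the `rtrim` unnecessary, and add the current patient id to the WHERE clause of the query that consumes `$amendmentsList` (that query is outside the hunk). Whether the query already filters by patient cannot be seen here, so this should be confirmed before relying on it.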