
bug fix c3
bradymiller committed May 11, 2022
1 parent 2379502 commit 81ffc72
Showing 4 changed files with 63 additions and 44 deletions.
32 changes: 6 additions & 26 deletions portal/lib/portal_mail.inc
Expand Up @@ -133,7 +133,7 @@ function getPortalPatientNotes($owner = '', $limit = '', $offset = 0, $search =
p.reply_mail_chain
FROM
onsite_mail AS p
WHERE p.deleted != 1 AND p.owner = ? AND p.recipient_id = ?
WHERE p.deleted != 1 AND p.owner = ? AND p.recipient_id = ?
$search
ORDER BY `date` desc
$limit
Expand Down Expand Up @@ -233,18 +233,18 @@ function getPortalPatientSentNotes($owner = '', $limit = '', $offset = 0, $searc
return $all;
}

function updatePortalMailMessageStatus($id, $message_status)
function updatePortalMailMessageStatus($id, $message_status, $owner)
{
if ($message_status == "Done") {
sqlStatement("update onsite_mail set message_status = ?, activity = '0' where id = ?", array($message_status, $id));
sqlStatement("update onsite_mail set message_status = ?, activity = '0' where id = ? and `owner` = ?", array($message_status, $id, $owner));
} elseif ($message_status == "Delete") {
sqlStatement("update onsite_mail set message_status = ?, activity = '1', deleted = '1',delete_date = ? where mail_chain = ? OR id = ?", array($message_status, date('Y-m-d H:i:s'), $id, $id));
sqlStatement("update onsite_mail set message_status = ?, activity = '1', deleted = '1',delete_date = ? where (mail_chain = ? OR id = ?) and `owner` = ?", array($message_status, date('Y-m-d H:i:s'), $id, $id, $owner));
} else {
sqlStatement("update onsite_mail set message_status = ?, activity = '1' where id = ?", array($message_status, $id));
sqlStatement("update onsite_mail set message_status = ?, activity = '1' where id = ? and `owner` = ?", array($message_status, $id, $owner));
}

if ($message_status == "Delete") {
$stats = sqlQuery("Select * From onsite_mail Where id = ?", array($id));
$stats = sqlQuery("Select * From onsite_mail Where id = ? AND `owner` = ?", array($id, $owner));
$by = $_SESSION['authUser'] ? $_SESSION['authUser'] : $_SESSION['ptName'];
$loguser = $_SESSION['authUser'] ? $_SESSION['authUser'] : $_SESSION['portal_username'];
$evt = "secure message soft delete by " . $by . " msg id: $id from " . $stats['sender_name'] . " to recipient: " . $stats['recipient_name'];
Expand Down Expand Up @@ -298,20 +298,6 @@ function getMails($owner, $dotype, $nsrch, $nfsrch)
}
}

function getMailDetails($id, $owner = '')
{
if ($owner) {
$result = getMailById($id);
if ($result['owner'] == $owner && $result['message_status'] == 'New') {
updatePortalMailMessageStatus($id, 'Read');
}

return $result;
} else {
return 'failed';
}
}

function sendMail($owner, $note, string $title = null, $to, $noteid, $sid, $sn, $rid, $rn, $status = 'New', $replyid = '')
{
if (!$title) {
Expand All @@ -324,9 +310,3 @@ function sendMail($owner, $note, string $title = null, $to, $noteid, $sid, $sn,
return 'failed';
}
}

function updateStatus($id, $status)
{
updatePortalMailMessageStatus($id, $status);
return 1;
}
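Review bot: In the Delete branch of updatePortalMailMessageStatus the audit text is built from `$stats` even when the owner-scoped lookup returns no row, i.e. when the id does not belong to `$owner` and the preceding UPDATE therefore changed nothing; the event (presumably written just below the hunk) then records a soft delete that never happened, with empty sender and recipient names. Guard the logging with `if (empty($stats)) { return; }`, or record a distinct ownership-mismatch event, so a rejected request is visible as a rejection rather than as a successful delete. Making `$owner` a required third parameter means any caller outside this diff that still passes two arguments now fails at call time, which is the safer failure mode, but it is worth confirming that no such caller remains. The function body continues past the end of the hunk.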
44 changes: 38 additions & 6 deletions portal/messaging/handle_note.php
Expand Up @@ -17,22 +17,55 @@
OpenEMR\Common\Session\SessionUtil::portalSessionStart();

if (isset($_SESSION['pid']) && isset($_SESSION['patient_portal_onsite_two'])) {
// ensure patient is bootstrapped (if sent)
if (!empty($_POST['pid'])) {
if ($_POST['pid'] != $_SESSION['pid']) {
echo "illegal Action";
OpenEMR\Common\Session\SessionUtil::portalSessionCookieDestroy();
exit;
}
}
$ignoreAuth_onsite_portal = true;
require_once(dirname(__FILE__) . "/../../interface/globals.php");
if (empty($_SESSION['portal_username'])) {
echo xlt("illegal Action");
OpenEMR\Common\Session\SessionUtil::portalSessionCookieDestroy();
exit;
}
// owner is the patient portal_username
$owner = $_SESSION['portal_username'];
} else {
OpenEMR\Common\Session\SessionUtil::portalSessionCookieDestroy();
$ignoreAuth = false;
require_once(dirname(__FILE__) . "/../../interface/globals.php");
if (! isset($_SESSION['authUserID'])) {
if (!isset($_SESSION['authUserID']) || empty($_SESSION['authUser'])) {
$landingpage = "index.php";
header('Location: ' . $landingpage);
exit();
}
//owner is the user authUser
$owner = $_SESSION['authUser'];
}

require_once(dirname(__FILE__) . "/../lib/portal_mail.inc");
require_once("$srcdir/pnotes.inc");

use OpenEMR\Common\Csrf\CsrfUtils;

if (!(isset($GLOBALS['portal_onsite_two_enable'])) || !($GLOBALS['portal_onsite_two_enable'])) {
echo xlt('Patient Portal is turned off');
exit;
}
// confirm csrf (from both portal and core)
if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"], 'messages-portal')) {
CsrfUtils::csrfNotVerified();
}

if (empty($owner)) {
echo xlt('Critical error, so exiting');
exit;
}

$task = $_POST['task'];
if (! $task) {
return 'no task';
Expand All @@ -41,7 +74,6 @@
$noteid = ($_POST['noteid'] ?? null) ?: 0;
$notejson = ($_POST['notejson'] ?? null) ? json_decode($_POST['notejson'], true) : 0;
$reply_noteid = $_POST['replyid'] ?? null ?: 0;
$owner = $_POST['owner'] ?? $_SESSION['pid'];
$note = $_POST['inputBody'] ?? null;
$title = $_POST['title'] ?? null;
$sid = $_POST['sender_id'] ?? null;
Expand All @@ -54,7 +86,7 @@
case "forward":
$pid = isset($_POST['pid']) ? $_POST['pid'] : 0;
addPnote($pid, $note, 1, 1, $title, $sid, '', 'New');
updatePortalMailMessageStatus($noteid, 'Sent');
updatePortalMailMessageStatus($noteid, 'Sent', $owner);
if (empty($_POST["submit"])) {
echo 'ok';
}
Expand All @@ -76,22 +108,22 @@
}
break;
case "delete":
updatePortalMailMessageStatus($noteid, 'Delete');
updatePortalMailMessageStatus($noteid, 'Delete', $owner);
if (empty($_POST["submit"])) {
echo 'ok';
}
break;
case "massdelete":
foreach ($notejson as $deleteid) {
updatePortalMailMessageStatus($deleteid, 'Delete');
updatePortalMailMessageStatus($deleteid, 'Delete', $owner);
if (empty($_POST["submit"])) {
echo 'ok';
}
}
break;
case "setread":
if ($noteid > 0) {
updatePortalMailMessageStatus($noteid, 'Read');
updatePortalMailMessageStatus($noteid, 'Read', $owner);
if (empty($_POST["submit"])) {
echo 'ok';
}
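Review bot: The pid bootstrap check in the portal branch compares the raw POST value loosely, `$_POST['pid'] != $_SESSION['pid']`, and the unmodified `$_POST['pid']` is later handed to addPnote() in the forward case; on PHP 7.x a value with a numeric prefix passes that loose comparison. Compare normalized integers instead, `if ((int)$_POST['pid'] !== (int)$_SESSION['pid']) {`, and use the cast value downstream. The CSRF check reads `$_POST["csrf_token_form"]` without a default, so a request with no token raises an undefined-index notice before it is rejected; `$_POST["csrf_token_form"] ?? ''` avoids that. As a point of style, the feature-toggle test here and the identical one in messages.php can be written `if (empty($GLOBALS['portal_onsite_two_enable'])) {`, which has the same semantics. The switch on `$task` continues outside the hunk.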
27 changes: 17 additions & 10 deletions portal/messaging/messages.php
Expand Up @@ -43,8 +43,14 @@
require_once("$srcdir/classes/Document.class.php");
require_once("./../lib/portal_mail.inc");

use OpenEMR\Common\Csrf\CsrfUtils;
use OpenEMR\Core\Header;

if (!(isset($GLOBALS['portal_onsite_two_enable'])) || !($GLOBALS['portal_onsite_two_enable'])) {
echo xlt('Patient Portal is turned off');
exit;
}

$docid = empty($_REQUEST['docid']) ? 0 : (int)$_REQUEST['docid'];
$orderid = empty($_REQUEST['orderid']) ? 0 : (int)$_REQUEST['orderid'];

Expand Down Expand Up @@ -130,6 +136,7 @@ function getAuthPortalUsers()
$scope.xLate.confirm.one = <?php echo xlj('Confirm to Delete Current Thread?'); ?>;
$scope.xLate.confirm.all = <?php echo xlj('Confirm to Delete Selected?'); ?>;
$scope.xLate.confirm.err = <?php echo xlj('You are sending to yourself!'); ?>; // I think I got rid of this ability - look into..
$scope.csrf = <?php echo js_escape(CsrfUtils::collectCsrfToken('messages-portal')); ?>;

$scope.init = function () {
$http.defaults.headers.post["Content-Type"] = "application/x-www-form-urlencoded";
Expand Down Expand Up @@ -225,7 +232,7 @@ function getAuthPortalUsers()
itemToDelete.push($scope.items[i.indexOf(o)].id);
}
})
$http.post('handle_note.php', $.param({'task': 'massdelete', 'notejson': JSON.stringify(itemToDelete)})).then(function successCallback(response) {
$http.post('handle_note.php', $.param({'task': 'massdelete', 'notejson': JSON.stringify(itemToDelete), 'csrf_token_form': $scope.csrf})).then(function successCallback(response) {
$window.location.reload();
}, function errorCallback(response) {
alert(response.data);
Expand All @@ -234,7 +241,7 @@ function getAuthPortalUsers()
};

$scope.deleteMessage = function (id) {
$http.post('handle_note.php', $.param({'task': 'delete', 'noteid': id})).then(function successCallback(response) {
$http.post('handle_note.php', $.param({'task': 'delete', 'noteid': id, 'csrf_token_form': $scope.csrf})).then(function successCallback(response) {
return true;
}, function errorCallback(response) {
alert(response.data);
Expand Down Expand Up @@ -286,7 +293,7 @@ function getAuthPortalUsers()

$scope.readMessage = function (idx) {
if ($scope.items[idx].message_status == 'New') { // mark mail read else ignore
$http.post('handle_note.php', $.param({'task': 'setread', 'noteid': $scope.items[idx].id})).then(function successCallback(response) {
$http.post('handle_note.php', $.param({'task': 'setread', 'noteid': $scope.items[idx].id, 'csrf_token_form': $scope.csrf})).then(function successCallback(response) {
$scope.items[idx].message_status = 'Read';
$scope.selected.message_status = 'Read';
}, function errorCallback(response) {
Expand Down Expand Up @@ -326,7 +333,7 @@ function getAuthPortalUsers()
};

$scope.getInbox = function () {
$http.post('handle_note.php', $.param({'task': 'getinbox', 'owner': $scope.cUserId})).then(function successCallback(response) {
$http.post('handle_note.php', $.param({'task': 'getinbox', 'csrf_token_form': $scope.csrf})).then(function successCallback(response) {
if (response.data) {
$scope.inboxItems = angular.copy(response.data);
} else alert(response.data);
Expand All @@ -336,7 +343,7 @@ function getAuthPortalUsers()
};

$scope.getAllMessages = function () {
$http.post('handle_note.php', $.param({'task': 'getall', 'owner': $scope.cUserId})).then(function successCallback(response) {
$http.post('handle_note.php', $.param({'task': 'getall', 'csrf_token_form': $scope.csrf})).then(function successCallback(response) {
if (response.data) {
$scope.allItems = angular.copy(response.data);
} else alert(response.data);
Expand All @@ -346,7 +353,7 @@ function getAuthPortalUsers()
};

$scope.getDeletedMessages = function () {
$http.post('handle_note.php', $.param({'task': 'getdeleted', 'owner': $scope.cUserId})).then(function successCallback(response) {
$http.post('handle_note.php', $.param({'task': 'getdeleted', 'csrf_token_form': $scope.csrf})).then(function successCallback(response) {
if (response.data) {
$scope.deletedItems = [];
$scope.deletedItems = angular.copy(response.data);
Expand All @@ -357,7 +364,7 @@ function getAuthPortalUsers()
};

$scope.getSentMessages = function () {
$http.post('handle_note.php', $.param({'task': 'getsent', 'owner': $scope.cUserId})).then(function successCallback(response) {
$http.post('handle_note.php', $.param({'task': 'getsent', 'csrf_token_form': $scope.csrf})).then(function successCallback(response) {
$scope.sentItems = [];
$scope.sentItems = angular.copy(response.data);
}, function errorCallback(response) {
Expand All @@ -371,10 +378,10 @@ function getAuthPortalUsers()
$("#title").prop("disabled", false);
$("#selSendto").prop("disabled", false);

compose.owner = $scope.cUserId;
compose.csrf_token_form = $scope.csrf;
compose.sender_id = $scope.cUserId;
compose.sender_name = $scope.userproper;
if ($scope.selrecip == compose.owner) {
if ($scope.selrecip == $scope.cUserId) {
if (!confirm($scope.xLate.confirm.err))
return false;
}
Expand Down Expand Up @@ -727,9 +734,9 @@ class="float-right glyphicon glyphicon-warning-sign text-danger"></span></span>
<div class="col-12" id="inputBody" ng-hide="compose.task == 'forward'" ng-model="compose.inputBody"></div>
<textarea class="col-12" id="finputBody" rows="8" ng-hide="compose.task != 'forward'" ng-model="compose.inputBody"></textarea>
</fieldset>
<input type="hidden" name="csrf_token_form" id="csrf_token_form" ng-value="compose.csrf_token_form" />
<input type='hidden' name='noteid' id='noteid' ng-value="compose.noteid" />
<input type='hidden' name='replyid' id='replyid' ng-value='selected.reply_mail_chain' />
<input type='hidden' name='owner' ng-value='compose.owner' />
<input type='hidden' name='recipient_id' ng-value='compose.selrecip' />
<input type='hidden' name='recipient_name' ng-value='compose.recipient_name' />
<input type='hidden' name='sender_id' ng-value='compose.sender_id' />
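Review bot: The hidden `csrf_token_form` input in the compose form is bound to `compose.csrf_token_form`, which in these hunks appears to be assigned only in the send handler at the `compose.csrf_token_form = $scope.csrf;` line; if any submit path reaches handle_note.php without running that handler, the field is empty and the server answers with csrfNotVerified(). Binding the field directly to the scope value, `<input type="hidden" name="csrf_token_form" id="csrf_token_form" ng-value="csrf" />`, keeps the token present regardless of which handler populated `compose`. The remaining `$http.post` calls each spell out the token inside `$.param(...)`; a small helper that appends `csrf_token_form` to the payload would keep them from drifting apart as tasks are added. The enclosing Angular controller extends well beyond these hunks.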
4 changes: 2 additions & 2 deletions portal/portal_payment.php
Expand Up @@ -46,6 +46,7 @@

use OpenEMR\Billing\BillingUtilities;
use OpenEMR\Common\Crypto\CryptoGen;
use OpenEMR\Common\Csrf\CsrfUtils;
use OpenEMR\PaymentProcessing\Sphere\SpherePayment;

$cryptoGen = new CryptoGen();
Expand Down Expand Up @@ -449,16 +450,15 @@ function notifyPatient() {
let pid = <?php echo js_escape($pid); ?>;
let note = $('#pop_receipt').html();
let formURL = './messaging/handle_note.php';
let owner = <?php echo js_escape($adminUser['recip_id']); ?>;
let sn = <?php echo js_escape($adminUser['username']); ?>;
let rid = <?php echo js_escape($portalPatient['recip_id']); ?>;
let rn = <?php echo js_escape($portalPatient['username']); ?>;
$.ajax({
url: formURL,
type: "POST",
data: {
'csrf_token_form': <?php echo js_escape(CsrfUtils::collectCsrfToken('messages-portal')); ?>,
'task': 'add',
'owner': owner,
'pid': pid,
'inputBody': note,
'title': 'Bill/Collect',
