From 8f8a97724c0e8fcc4096b4b30af9aaf064ada45a Mon Sep 17 00:00:00 2001
From: Brady Miller
Date: Wed, 20 Apr 2022 01:30:51 -0700
Subject: [PATCH] bug fix (#5207)
---
 .../patient_file/summary/demographics.php | 4 ++-
 .../patient_file/summary/disclosure_full.php | 32 +++++++++++++++++--
 .../summary/record_disclosure.php | 13 ++++++++
 3 files changed, 45 insertions(+), 4 deletions(-)
diff --git a/interface/patient_file/summary/demographics.php b/interface/patient_file/summary/demographics.php
index 361295d0b40..c2c44eb2b66 100644
--- a/interface/patient_file/summary/demographics.php
+++ b/interface/patient_file/summary/demographics.php
@@ -1111,6 +1111,8 @@ function setMyPatient() {
 endif; //end if prw is activated
 if (AclMain::aclCheckCore('patients', 'disclosure')) :
+ $authWriteDisclosure = AclMain::aclCheckCore('patients', 'disclosure', '', 'write');
+ $authAddonlyDisclosure = AclMain::aclCheckCore('patients', 'disclosure', '', 'addonly');
 $dispatchResult = $ed->dispatch(CardRenderEvent::EVENT_HANDLE, new CardRenderEvent('disclosure'));
 // disclosures expand collapse widget
 $id = "disclosures_ps_expand";
@@ -1122,7 +1124,7 @@ function setMyPatient() {
 'btnLink' => 'disclosure_full.php',
 'linkMethod' => 'html',
 'bodyClass' => 'notab collapse show',
- 'auth' => AclMain::aclCheckCore('patients', 'disclosure', '', 'write'),
+ 'auth' => ($authWriteDisclosure || $authAddonlyDisclosure),
 'prependedInjection' => $dispatchResult->getPrependedInjection(),
 'appendedInjection' => $dispatchResult->getAppendedInjection(),
 ];
diff --git a/interface/patient_file/summary/disclosure_full.php b/interface/patient_file/summary/disclosure_full.php
index 6eaad479494..5ff57189872 100644
--- a/interface/patient_file/summary/disclosure_full.php
+++ b/interface/patient_file/summary/disclosure_full.php
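Review bot: The `'auth' => ($authWriteDisclosure || $authAddonlyDisclosure)` value only controls whether the disclosures card renders its button, so it must not be read as the permission check; the server-side gate for the same rule is the one this patch adds to disclosure_full.php. A short comment next to the two new lookups would make that explicit, e.g. `// UI gating only; disclosure_full.php re-checks the ACL before any write`. The enclosing `if (AclMain::aclCheckCore('patients', 'disclosure')) :` block and the card options array both continue outside the hunk.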
@@ -15,10 +15,19 @@
 require_once("../../globals.php");
 require_once("$srcdir/options.inc.php");
+use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Csrf\CsrfUtils;
 use OpenEMR\Common\Logging\EventAuditLogger;
 use OpenEMR\Core\Header;
+// Control access
+if (!AclMain::aclCheckCore('patients', 'disclosure')) {
+ echo xlt('Not Authorized');
+ exit;
+}
+$authWrite = AclMain::aclCheckCore('patients', 'disclosure', '', 'write');
+$authAddonly = AclMain::aclCheckCore('patients', 'disclosure', '', 'addonly');
+
 //retrieve the user name
 $res = sqlQuery("select username from users where username=?", array($_SESSION["authUser"]));
 $uname = $res["username"];
@@ -34,9 +43,17 @@
 $disclosure_desc = trim($_POST['desc_disc']);
 $disclosure_id = trim($_POST['disclosure_id'] ?? '');
 if (isset($_POST["updatemode"]) and $_POST["updatemode"] == "disclosure_update") {
+ if (!$authWrite) {
+ echo xlt('Not Authorized');
+ exit;
+ }
 //update the recorded disclosure in the extended_log table.
 EventAuditLogger::instance()->updateRecordedDisclosure($dates, $event, $recipient_name, $disclosure_desc, $disclosure_id);
 } else {
+ if (!$authWrite && !$authAddonly) {
+ echo xlt('Not Authorized');
+ exit;
+ }
 //insert the disclosure records in the extended_log table.
 EventAuditLogger::instance()->recordDisclosure($dates, $event, $pid, $recipient_name, $disclosure_desc, $uname);
 }
@@ -49,6 +66,11 @@
 CsrfUtils::csrfNotVerified();
 }
+ if (!$authWrite) {
+ echo xlt('Not Authorized');
+ exit;
+ }
+
 $deletelid = $_GET['deletelid'];
 //function to delete the recorded disclosures
 EventAuditLogger::instance()->deleteDisclosure($deletelid);
@@ -75,7 +97,9 @@
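Review bot: Every new denial path in this file answers with `echo xlt('Not Authorized'); exit;`, which sends the refusal under a 200 status, so HTTP clients, proxies and log-based monitoring cannot tell a denied request from a successful one. Adding `http_response_code(403);` before the echo costs nothing, keeps the existing text body, and applies equally to the per-branch checks later in this file and to record_disclosure.php. This looks like the project's existing convention, so if it is kept for consistency the status choice deserves a comment at the top-level gate. The gate runs right after `require_once("../../globals.php")`, which I assume is where the session is established; confirm nothing earlier in the file reads the request.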
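Review bot: The new `if (!$authWrite)` guard in the update branch authorizes by role only, while `$disclosure_id` comes straight from `$_POST` with nothing visible tying it to the current `$pid`; unless updateRecordedDisclosure scopes by patient itself, a user with write rights can rewrite any disclosure row in extended_log by supplying another id. A lookup that the extended_log row for `$disclosure_id` belongs to `$pid`, placed inside the same guard before the update call, would close that. The `if` that wraps this POST handling starts outside the hunk, so confirm it verifies the CSRF token the way the delete branch does with `CsrfUtils::csrfNotVerified()`.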
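Review bot: The `if (!$authWrite)` guard in the delete branch is correctly placed after the CSRF verification, but `$deletelid` still comes raw from `$_GET` and `deleteDisclosure($deletelid)` is called with no visible check that the row belongs to `$pid`, so the new gate scopes deletion to the whole extended_log table rather than to the patient being viewed. Refusing when the row's patient does not match `$pid`, or passing `$pid` into the delete, is the missing check; a state-changing delete driven by a GET parameter is also worth moving to POST in a follow-up. The `if` that wraps the delete branch starts outside the hunk.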
- + + +
@@ -125,8 +149,10 @@ - ' class='btn btn-primary btn-sm btn-edit iframe' onclick='top.restoreSession()'> - ' onclick='top.restoreSession()'> + + ' class='btn btn-primary btn-sm btn-edit iframe' onclick='top.restoreSession()'> + ' onclick='top.restoreSession()'> +    
diff --git a/interface/patient_file/summary/record_disclosure.php b/interface/patient_file/summary/record_disclosure.php
index 0ed1cb0f51a..67cfe4ac085 100644
--- a/interface/patient_file/summary/record_disclosure.php
+++ b/interface/patient_file/summary/record_disclosure.php
@@ -15,11 +15,24 @@
 require_once("../../globals.php");
 require_once("$srcdir/options.inc.php");
+use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Csrf\CsrfUtils;
 use OpenEMR\Core\Header;
+// Control access
+$authWrite = AclMain::aclCheckCore('patients', 'disclosure', '', 'write');
+$authAddonly = AclMain::aclCheckCore('patients', 'disclosure', '', 'addonly');
+if (!$authWrite && !$authAddonly) {
+ echo xlt('Not Authorized');
+ exit;
+}
+
 //if the edit button for editing disclosure is set.
 if (isset($_GET['editlid'])) {
+ if (!$authWrite) {
+ echo xlt('Not Authorized');
+ exit;
+ }
 $editlid = $_GET['editlid'];
 }
 ?>
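Review bot: The `// Control access` comment does not state the rule the two checks below enforce, and it is subtle: `addonly` or `write` opens this form to record a new disclosure, but the `editlid` branch additionally requires `write`, so an addonly user who follows an edit link is refused. I would replace the comment with `// addonly may record a new disclosure; editing an existing one (editlid) requires write`. Note also that disclosure_full.php in this same patch first checks the base `patients/disclosure` permission before computing write/addonly, while this file does not; if write and addonly imply the base permission that is harmless, but the two entry points would be easier to audit if they spelled the rule the same way. The `?>` at the end of the hunk hands off to form markup that is outside the hunk.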