bug fix c1
bradymiller committed May 11, 2022
1 parent 38814ee commit f255da6
Showing 3 changed files with 71 additions and 13 deletions.
37 changes: 36 additions & 1 deletion portal/import_template.php
Expand Up @@ -12,9 +12,18 @@

require_once("../interface/globals.php");

use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Csrf\CsrfUtils;
use OpenEMR\Core\Header;
use OpenEMR\Services\DocumentTemplates\DocumentTemplateService;

if (!(isset($GLOBALS['portal_onsite_two_enable'])) || !($GLOBALS['portal_onsite_two_enable'])) {
echo xlt('Patient Portal is turned off');
exit;
}

$authUploadTemplates = AclMain::aclCheckCore('admin', 'forms');

$templateService = new DocumentTemplateService();

$patient = json_decode($_POST['upload_pid'] ?? '');
Expand Down Expand Up @@ -102,6 +111,12 @@
}

if (($_POST['mode'] ?? null) === 'save') {
if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"], 'import-template-save')) {
CsrfUtils::csrfNotVerified();
}
if (!$authUploadTemplates) {
die(xlt('Not authorized to edit template'));
}
if ($_POST['docid']) {
if (stripos($_POST['content'], "<?php") === false) {
$template = $templateService->updateTemplateContent($_POST['docid'], $_POST['content']);
Expand All @@ -115,6 +130,12 @@
die(xlt('Invalid File'));
}
} elseif (($_POST['mode'] ?? null) === 'delete') {
if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"], 'import-template-delete')) {
CsrfUtils::csrfNotVerified();
}
if (!$authUploadTemplates) {
die(xlt('Not authorized to delete template'));
}
if ($_POST['docid']) {
$template = $templateService->deleteTemplate($_POST['docid'], ($_POST['template'] ?? null));
exit($template);
Expand All @@ -128,6 +149,13 @@
}
die(xlt('Invalid Request Parameters'));
} elseif (!empty($_FILES["template_files"])) {
if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"], 'import-template-upload')) {
CsrfUtils::csrfNotVerified();
}
if (!$authUploadTemplates) {
xlt("Not Authorized to Upload Templates");
exit;
}
// so it is a template file import. create record(s).
$import_files = $_FILES["template_files"];
$total = count($_FILES['template_files']['name']);
Expand Down Expand Up @@ -183,6 +211,8 @@
*/
function renderEditorHtml($template_id, $content)
{
global $authUploadTemplates;

$lists = [
'{ParseAsHTML}', '{SignaturesRequired}', '{TextInput}', '{sizedTextInput:120px}', '{smTextInput}', '{TextBox:03x080}', '{CheckMark}', '{ynRadioGroup}', '{TrueFalseRadioGroup}', '{DatePicker}', '{DateTimePicker}', '{StandardDatePicker}', '{CurrentDate:"global"}', '{CurrentTime}', '{DOS}', '{ReferringDOC}', '{PatientID}', '{PatientName}', '{PatientSex}', '{PatientDOB}', '{PatientPhone}', '{Address}', '{City}', '{State}', '{Zip}', '{PatientSignature}', '{AdminSignature}', '{WitnessSignature}', '{AcknowledgePdf:pdf name or id:title}', '{EncounterForm:LBF}', '{Medications}', '{ProblemList}', '{Allergies}', '{ChiefComplaint}', '{DEM: }', '{HIS: }', '{LBF: }', '{GRP}{/GRP}'
];
Expand Down Expand Up @@ -213,13 +243,18 @@ function renderEditorHtml($template_id, $content)
<div class="row">
<div class="col-10 px-1 sticky-top">
<form class="sticky-top" action='./import_template.php' method='post'>
<input type="hidden" name="csrf_token_form" id="csrf_token_form" value="<?php echo attr(CsrfUtils::collectCsrfToken('import-template-save')); ?>" />
<input type="hidden" name="docid" value="<?php echo attr($template_id) ?>">
<input type='hidden' name='mode' value="save">
<input type='hidden' name='service' value='window'>
<textarea cols='80' rows='10' id='templateContent' name='content'><?php echo text($content) ?></textarea>
<div class="row btn-group mt-1 float-right">
<div class='col btn-group mt-1 float-right'>
<button type="submit" class="btn btn-sm btn-primary"><?php echo xlt("Save"); ?></button>
<?php if ($authUploadTemplates) { ?>
<button type="submit" class="btn btn-sm btn-primary"><?php echo xlt("Save"); ?></button>
<?php } else { ?>
<button disabled title="<?php echo xla("Not Authorized to Edit Templates") ?>" type="submit" class="btn btn-sm btn-primary"><?php echo xlt("Save"); ?></button>
<?php } ?>
<button type='button' class='btn btn-sm btn-secondary' onclick='parent.window.close() || parent.dlgclose()'><?php echo xlt('Cancel'); ?></button>
</div>
</div>
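Review bot: The unauthorized-upload branch at `xlt("Not Authorized to Upload Templates"); exit;` computes the translated message and discards it, so the client receives an empty response where the save and delete branches above return `die(xlt(...))`; it should read `die(xlt("Not Authorized to Upload Templates"));` for the same behaviour. In the same three hunks, `verifyCsrfToken($_POST["csrf_token_form"], ...)` indexes the POST key unconditionally, so a request that omits the token field produces an undefined-key warning before the CSRF failure is reported; `$_POST["csrf_token_form"] ?? ''` avoids the warning and presumably still fails verification. The upload hunk ends before the rest of the file-import loop, so that path is only partly visible here.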
41 changes: 30 additions & 11 deletions portal/import_template_ui.php
Expand Up @@ -14,9 +14,18 @@

require_once("../interface/globals.php");

use OpenEMR\Common\Acl\AclMain;
use OpenEMR\Common\Csrf\CsrfUtils;
use OpenEMR\Core\Header;
use OpenEMR\Services\DocumentTemplates\DocumentTemplateService;

if (!(isset($GLOBALS['portal_onsite_two_enable'])) || !($GLOBALS['portal_onsite_two_enable'])) {
echo xlt('Patient Portal is turned off');
exit;
}

$authUploadTemplates = AclMain::aclCheckCore('admin', 'forms');

$templateService = new DocumentTemplateService();
$from_demo_pid = $_GET['from_demo_pid'] ?? '0';
$patient = $_REQUEST['selected_patients'] ?? null;
Expand Down Expand Up @@ -55,7 +64,7 @@
let delok = confirm(<?php echo xlj('You are about to delete a template'); ?> +
": " + "\n" + <?php echo xlj('Is this Okay?'); ?>);
if (delok === true) {
handleTemplate(id, 'delete', '', false, template)
handleTemplate(id, 'delete', '', false, template, <?php echo js_escape(CsrfUtils::collectCsrfToken('import-template-delete')); ?>)
}
return false;
};
Expand Down Expand Up @@ -157,7 +166,7 @@ function sendProfiles() {
});
}

function handleTemplate(id, mode, content = '', isDocument = '', template = '') {
function handleTemplate(id, mode, content = '', isDocument = '', template = '', csrf = '') {
top.restoreSession();
let libUrl = 'import_template.php';
let renderUrl = 'import_template.php?mode=editor_render_html&docid=' + id;
Expand Down Expand Up @@ -187,7 +196,7 @@ function handleTemplate(id, mode, content = '', isDocument = '', template = '')
$.ajax({
type: "POST",
url: libUrl,
data: {docid: id, mode: mode, content: content, template: template},
data: {docid: id, mode: mode, content: content, template: template, csrf_token_form: csrf},
error: function (qXHR, textStatus, errorThrow) {
console.log("There was an error");
alert(<?php echo xlj("File Error") ?> +"\n" + id)
Expand Down Expand Up @@ -412,6 +421,7 @@ function popGroupsDialog() {
<!-- Upload -->
<nav class="collapse my-2 <?php echo attr($_REQUEST['upload-nav-value'] ?? '') ?>" id="upload-nav">
<div class='col col-12'>
<?php if ($authUploadTemplates) { ?>
<form id='form_upload' class='form-inline row' action='import_template.php' method='post' enctype='multipart/form-data'>
<hr />
<div class='col'>
Expand All @@ -420,13 +430,17 @@ function popGroupsDialog() {
</div>
<div class='form-group col'>
<div class='form-group'>
<input type="hidden" name="csrf_token_form" id="csrf_token_form" value="<?php echo attr(CsrfUtils::collectCsrfToken('import-template-upload')); ?>" />
<input type='file' class='btn btn-outline-info' id="fetch_files" name='template_files[]' multiple />
<button class='btn btn-outline-success d-none' type='submit' name='upload_submit' id='upload_submit'><i class='fa fa-upload' aria-hidden='true'></i></button>
</div>
</div>
<input type='hidden' name='upload_pid' value='<?php echo attr(json_encode([-1])); ?>' />
<input type='hidden' name="template_category" value='<?php echo attr($category); ?>' />
</form>
<?php } else { ?>
<div class="alert alert-danger"><?php echo xlt("Not Authorized to Upload Templates") ?></div>
<?php } ?>
</div>
</nav>
<hr />
Expand Down Expand Up @@ -494,10 +508,13 @@ function popGroupsDialog() {
echo '<td>' .
'<button id="templateEdit' . attr($template_id) .
'" class="btn btn-sm btn-outline-primary" onclick="templateEdit(' . attr_js($template_id) . ',' . attr_js($notify_flag) . ')" type="button">' . text($file['template_name']) .
'</button>' .
'<button id="templateDelete' . attr($template_id) .
'" class="btn btn-sm btn-outline-danger float-right" onclick="templateDelete(' . attr_js($template_id) . ',' . attr_js($file['template_name']) . ')" type="button">' . xlt("Delete") .
'</button></td>';
'</button>';
if ($authUploadTemplates) {
echo '<button id="templateDelete' . attr($template_id) .
'" class="btn btn-sm btn-outline-danger float-right" onclick="templateDelete(' . attr_js($template_id) . ',' . attr_js($file['template_name']) . ')" type="button">' . xlt("Delete") .
'</button>';
}
echo "</td>";
echo "<td>" . text($file['size']) . "</td>";
echo "<td>" . text(date('m/d/Y H:i:s', strtotime($file['modified_date']))) . "</td>";
echo "</tr>";
Expand Down Expand Up @@ -609,9 +626,11 @@ function popGroupsDialog() {
/*echo "<td><input type='checkbox' class='form-check-inline' id='send' name='send' value='" . attr($template_id) . "' /></td>";*/
echo '<td>' . text(ucwords($cat)) . '</td><td>';
echo '<button id="templateEdit' . attr($template_id) .
'" class="btn btn-sm btn-outline-primary" onclick="templateEdit(' . attr_js($template_id) . ')" type="button">' . text($file['template_name']) . '</button>' .
'<button id="templateDelete' . attr($template_id) .
'" class="btn btn-sm btn-outline-danger" onclick="templateDelete(' . attr_js($template_id) . ')" type="button">' . xlt('Delete') . '</button>';
'" class="btn btn-sm btn-outline-primary" onclick="templateEdit(' . attr_js($template_id) . ')" type="button">' . text($file['template_name']) . '</button>';
if ($authUploadTemplates) {
echo '<button id="templateDelete' . attr($template_id) .
'" class="btn btn-sm btn-outline-danger" onclick="templateDelete(' . attr_js($template_id) . ')" type="button">' . xlt('Delete') . '</button>';
}
echo '<td>' . text($file['size']) . '</td>';
echo '<td>' . text(date('m/d/Y H:i:s', strtotime($file['modified_date']))) . '</td>';
echo '</tr>';
Expand Down Expand Up @@ -723,7 +742,7 @@ function popGroupsDialog() {
'<button type="button" id="patientEdit' . attr($template_id) .
'" class="btn btn-sm btn-outline-primary" onclick="templateEdit(' . attr_js($template_id) . ')">' .
text($file['template_name']) . "</button>\n";
if (empty($file['member_of']) && !empty($file['status'])) {
if ($authUploadTemplates && empty($file['member_of']) && !empty($file['status'])) {
echo '<button type="button" id="patientDelete' . attr($template_id) .
'" class="btn btn-sm btn-outline-danger" onclick="templateDelete(' . attr_js($template_id) . ')">' . xlt('Delete') . "</button></td>\n";
}
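Review bot: `handleTemplate(id, mode, content = '', isDocument = '', template = '', csrf = '')` defaults the new `csrf` argument to an empty string, and only the delete caller in this change passes a token; any other caller that posts through this function with a mode import_template.php now verifies (the save path, if it is ever reached this way) would send an empty `csrf_token_form` and be rejected. Consider making the token required, or choosing it per mode inside the function, and state the contract with a comment such as `// csrf: token collected for the matching 'import-template-<mode>' action; required for every mode the server verifies`. handleTemplate's body runs past the end of the hunk, so the other modes it handles are not visible here.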
6 changes: 5 additions & 1 deletion portal/lib/download_template.php
Expand Up @@ -464,8 +464,12 @@ function doSubs($s)
));
}
$template = $templateService->fetchTemplate($form_id);

$edata = $template['template_content'];

// purify html (and remove js)
$edata = (new \HTMLPurifier(\HTMLPurifier_Config::createDefault()))->purify($edata);

// do the substitutions (ie. magic)
$edata = doSubs($edata);

if ($html_flag) { // return raw minified html template
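Review bot: The new `HTMLPurifier` pass runs on `$edata` before `doSubs($edata)`, so whatever the substitution step inserts into the template is not covered by it; whether doSubs escapes the data it injects cannot be seen from this hunk. If the ordering is deliberate, e.g. so that form controls produced by the substitutions are not stripped, it deserves a comment such as `// purify before doSubs so substituted form controls survive; doSubs must escape any data it injects`. Note also that `\HTMLPurifier_Config::createDefault()` strips `id` attributes and form elements from the stored template content, which may change the rendering of existing templates that rely on them. The surrounding fetch-and-render code continues outside the hunk.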
