Acl_check

dgold123 wrote on Monday, May 23, 2011:

Am I looking at this wrong or does acl_check return 0 or 1?

In demographics_full.php, if I do an echo “$thisauth” I get a 1, but why does it compare it to ‘write’?

What am I missing?

bradymiller wrote on Tuesday, May 24, 2011:

Hi,

Thanks for the bug report. This is a very good observation.
It was reported as a bug awhile back:
http://sourceforge.net/tracker/?func=detail&aid=3020259&group_id=60081&atid=493001

Fix will likely happen after next release cycle, since the fix will likely unmask a number of bugs.

-brady

dgold123 wrote on Friday, June 08, 2012:

I noticed the ticket hasn’t been updated, so I am kind of concerned about security.  Do the built-in user types use the ACL functionality?

bradymiller wrote on Saturday, June 09, 2012:

Hi,

Just updated the ticket:
Fixed several months ago:
http://github.com/openemr/openemr/commit/64acb0961e5493b58865afdce73be1de51f8f8ec

(has not been included in a 4.1.0 patch, but will be included in the 4.1.1 release and will be included in the next 4.1.0 patch)

Can you clarify a bit on the built-in user types?

-brady
OpenEMR

sunsetsystems wrote on Saturday, June 09, 2012:

Discussion re the acl_check fix is here:

https://sourceforge.net/projects/openemr/forums/forum/202506/topic/5115924

Rod
www.sunsetsystems.com

dgold123 wrote on Tuesday, June 12, 2012:

Thanks.  As far as the built-in user types, I was referring to using Front Office or Clinician for Access Control when creating a new user.  Without the fix, will these users be restricted as appropriate or are they affected by the issue?

bradymiller wrote on Tuesday, June 12, 2012:

Hi,

This bug was pretty specific to only certain ACOs (where a write vs addonly access was given in the different ACLs (i.e. access groups)). So, if you look at the controls in Administration->ACL->Groups and Access Controls sections, the bug was really only affecting the ACOs that were only in the addonly section (the bug would actually treat it as a write). (And as you’ll note, the only group that even has addonly items is the Clinician group.)

That being said, in regards to “restricted as appropriate”, my opinion is that there is still work that needs to be done to fully secure/granularize items for each role (for example, many of the Reports are not secured by roles).

-brady
OpenEMR Project
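The following is an added illustration (not OpenEMR’s own code, and not from anyone in this thread) of the defect the posts above describe: a check that answers only 0 or 1 compared loosely against the string ‘write’ treats an addonly grant as write, while returning the granted level and comparing strictly does not. The ACL table, role names and function names are constructed for the example.

```php
<?php
// Constructed ACL table (hypothetical): object => (role => granted level),
// standing in for the Groups and Access Controls idea from the thread.
const ACL_TABLE = [
    'patients/demo' => ['Clinician' => 'addonly', 'Front Office' => 'write'],
];

// Old-style check as described in the thread: reports only whether any
// access exists, so the caller cannot tell 'addonly' from 'write'.
function acl_check_boolean(string $role, string $object): bool
{
    return isset(ACL_TABLE[$object][$role]);
}

// Corrected style: return the granted level itself, or false if none.
function acl_check_level(string $role, string $object)
{
    return ACL_TABLE[$object][$role] ?? false;
}

function demo(string $role, string $object): array
{
    $thisauth = acl_check_boolean($role, $object);
    // Loose comparison of a bool with a non-empty string converts the
    // string to true, so (true == 'write') holds even for an addonly grant.
    $looseWrite = ($thisauth == 'write');

    $level = acl_check_level($role, $object);
    // Strict comparison against the real level grants write only when
    // write was actually assigned; addonly still permits adding.
    $strictWrite = ($level === 'write');
    $canAdd      = in_array($level, ['write', 'addonly'], true);

    return [
        'loose_write'  => $looseWrite,
        'strict_write' => $strictWrite,
        'can_add'      => $canAdd,
    ];
}

// A Clinician holds only addonly on this object: the loose check wrongly
// reports write access, the strict check does not.
var_dump(demo('Clinician', 'patients/demo'));
var_dump(demo('Front Office', 'patients/demo'));
```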