Admin access gone after ACL modification - HELP, please

andyflces wrote on Thursday, January 07, 2016:

Good day, everyone:

I am in need of some assistance, please. We have lost admin access to our EMR after working on the ACL settings. I have been reviewing the forums all night but cannot find the answer to the following problem; let me recap the steps that led to this problem:

We were working on a way to limit access to the report in the left navigation panel. So, following the guide at http://www.open-emr.org/wiki/index.php/ACL_Fine_Granular_Control, here is what we did:

  1. Created all the steps in Edit/ACL admin, etc. without problems.
  2. Set permissions as laid out, no problems yet.
  3. Noticed a misspelling in our setup and then hit the “delete” option to start over. No apparent problem yet.
  4. All of a sudden, an ACL error message came up, AND NOW WE HAVE LOST ACCESS TO THE ADMIN PANEL in the navigation menu.

All other functions in EMR are working, but we can no longer access the administrative settings.

Some observations: My login is set as “clinician, accounting, and administrator,” and I can log in without problem. I then tried to log in with the back-up administrator account “admin” and the login no longer works. I know there is no incorrect password issue since the database file shows the password hashed correctly, and I know the admin password. The log file for the admin account now shows “user not in any phpGACL groups. (bad username?).”

What seems to have happened is that the admin category is gone from the ACL section. How can we fix this?

Steps taken:

I looked at database but cannot find a modification of any files/tables related to the time stamp of the error. I also looked at the log file; there is no entry that would shed light on anything.

Now, before you suggest backup…… We backup daily but when I looked at our backup vendor…… - the backups have failed for the last few months…. UGH!!!

Can anyone help, please?

Thank you.

Andy

bradymiller wrote on Thursday, January 07, 2016:

Hi Andy,

If needed, I think you can decouple the php-gacl gui from openemr authentication (it will then require no login to access the scripts) by removing the following code in the pertinent phpgacl gui scripts which will allow you to debug and fix (before mucking around with this, would recommend a backup though). For example, to open the acl_admin.php gui script, removing this code should open it up (all the phpgacl gui scripts use this same code block):

To compare what the setting in the phpgacl should look like, can compare to one of the online demos (Administration->ACL->Advanced).

-brady
OpenEMR

andyflces wrote on Thursday, January 07, 2016:

Thanks, Brady. I will try this later. Do you know where the Administration->ACL->Advanced equivalent settings can be found in the database? I have looked at the “gacl” tables in our SQL database, but as I had mentioned before, those have not been changed according to the Windows file information.

fsgl wrote on Thursday, January 07, 2016:

Two unfortunate events occurred.

First, any deletion in ACL Admin will wipe out ACL from Administration in left navigation.

Second, because Disallowed had not been configured yet, Administration in the menu was broken.

Would suggest the following:

  1. reinstall OE.
  2. copy 4 default folders & import sqldump to 1.

The pitfall of automated backup is a false sense of security. One does not know how good the backup is until there is a reason to restore. With manual backup, the user will be aware of a problem contemporaneously, if the backup is tended.

It is not a snap to test the fidelity of emr_backup.tar because a reinstall of OE is a prerequisite. Windows users have an advantage in this regard because they can verify CVerk’s backup immediately from the backup medium.

When testing ACL changes, I found it helpful to create a system image first. It does not take much to trigger white screens, but it does take a great deal of effort to troubleshoot. Less stressful just to restore the system image.

The Wiki article definitely needs updating with additional warnings.

andyflces wrote on Thursday, January 07, 2016:

Thank you for your response.

An update: So, it seems that the “administration” menu is still present in the left menu because other users in the office, for example our billing manager, show the admin menu. However, they show the proper “limited” admin menu without access to settings such as globals, etc.

Also, I lost the ability to conduct any other “admin” right related tasks. For example, I am in charge of deleting duplicate encounters when the front desk accidentally checks in patients twice. Now, the delete button is no longer available to me either :frowning:

I have been looking through all files in the database but cannot see where this information is stored.

Another thought: There is an older backup available; perhaps certain files can be replaced from this set? We haven’t made any other changes to our EMR (i.e., new users or other ACL related tasks) in a very long time, so I hope there is something that can be done?

andyflces wrote on Thursday, January 07, 2016:

One more update to this situation: Our clinicians used to be able to send patient notes/messages to “administrator” in the respective drop-down box; that administrator “user” has disappeared, so I believe this all has to do with the admin account being gone, thoughts?

aethelwulffe wrote on Friday, January 08, 2016:

Make a backup copy of /openemr… You can leave out the /sites/default/documents directory if it is like huge or something.
Try using Grep, or Grep for Windows to
Search for:
acl_check('admin
Replace with
acl_check('patients
You could also possibly change your database version number in the config file /sites/default/sqlconf.php, then go to openemr/admin.php (hopefully you removed this previously or can only access it from localhost/) and try upgrading the database from the earliest version possible. You could also just try http://localhost/openemr/acl_upgrade.php and see if that does anything.

bradymiller wrote on Friday, January 08, 2016:

Hi,

OpenEMR stores all the acl stuff in the gacl tables. Still not clear what is going on. From above, you stated your account is still set in the Administrators group. Are you able to get to Administration-ACL from your account? Also, is the username of your administrator account ‘admin’ or something else?

-brady

bradymiller wrote on Friday, January 08, 2016:

Hi,

From your post above:
"
What seems to have happened is that the admin category is gone from the ACL section. How can we fix this?
"

If this is indeed the case, then make a script in main openemr directory with following code and run it from your browser to see if this fixes it (again, as above, ensure you have backed things up before doing things like this or better yet, try it on a backed up instance):

 <?php
 require_once(dirname(__FILE__).'/library/acl.inc');

 if (! $phpgacl_location) die("You must first set up library/acl.inc to use phpGACL!");

 require_once("$phpgacl_location/gacl_api.class.php");

 $gacl = new gacl_api();

 // Add back the missing admin ACO sections.
 //
 if ($gacl->add_object('admin', 'Superuser', 'super', 10, 0, 'ACO') === FALSE) {
  echo "admin aco already exists";
 }
 else {
  echo "congrats, the admin aco was added back";
 }
 ?>

And if above shows the admin aco does exist, then you could add a command to add it to the Administration ACL.

bradymiller wrote on Friday, January 08, 2016:

hmm,

I tried above script, and it always says “congrats, the admin aco was added back”, so not helpful…
but it’s a good starting point to query your acl structures and fix the issue. For example, the following script should show:
"
‘Administrators’ group ‘write’ ACL is present.
admin_write is: Array ( [0] => 10 )
"

<?php
 require_once(dirname(__FILE__).'/library/acl.inc');
 require_once(dirname(__FILE__).'/library/acl_upgrade_fx.php');

 if (! $phpgacl_location) die("You must first set up library/acl.inc to use phpGACL!");

 require_once("$phpgacl_location/gacl_api.class.php");

 $gacl = new gacl_api();

 $admin_write = getAclIdNumber('Administrators', 'write');
 echo "admin_write is: " . print_r($admin_write,TRUE);

?>

And this script now has access to all the functions used in acl_upgrade.php in addition to the php-gacl admin api.

-brady
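
A read-only variant of the diagnostic scripts above, added here as an example and not code from the thread or from the OpenEMR project: it uses the php-gacl admin API to report whether the `admin` login still exists as an ARO, which groups it belongs to, and whether the Administrators group and the `admin`/`super` ACO are present. The ARO section name `users`, the group value `admin`, the use of index 3 for the group name and the localhost guard are assumptions.

```php
<?php
// Added example, not from the thread. Read-only: it calls no add_* or del_* method.
// It prints ACL internals, so it answers local requests only; delete it after use.
$remote = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
if (PHP_SAPI !== 'cli' && !in_array($remote, array('127.0.0.1', '::1'), true)) {
    die('Run this from the server itself.');
}
header('Content-Type: text/plain');

require_once(dirname(__FILE__) . '/library/acl.inc');
if (! $phpgacl_location) die("You must first set up library/acl.inc to use phpGACL!");
require_once("$phpgacl_location/gacl_api.class.php");

$gacl = new gacl_api();

// Assumptions: user AROs sit in section 'users' keyed by login name, and the
// Administrators group has the value 'admin'. Adjust if your site differs.
$username   = 'admin';
$groupValue = 'admin';

// 1. Is the login still registered as an ARO?
$aroId = $gacl->get_object_id('users', $username, 'ARO');
echo "ARO users/$username: " . ($aroId ? "present (id $aroId)" : "MISSING") . "\n";

// 2. Which ARO groups is it in? No groups matches the log line
//    "user not in any phpGACL groups".
$groupIds = $aroId ? $gacl->get_object_groups($aroId, 'ARO', 'NO_RECURSE') : false;
if (!$groupIds) {
    echo "Group membership: NONE\n";
} else {
    foreach ($groupIds as $gid) {
        // Assumption: index 3 of the returned row is the group name.
        $data = $gacl->get_group_data($gid, 'ARO');
        echo "Group membership: id $gid ({$data[3]})\n";
    }
}

// 3. Does the Administrators group itself still exist?
$adminGroupId = $gacl->get_group_id($groupValue, null, 'ARO');
echo "ARO group '$groupValue': " . ($adminGroupId ? "present (id $adminGroupId)" : "MISSING") . "\n";

// 4. Is the admin/super ACO present? Unlike add_object(), this only looks it up.
$acoId = $gacl->get_object_id('admin', 'super', 'ACO');
echo "ACO admin/super: " . ($acoId ? "present (id $acoId)" : "MISSING") . "\n";
```

The four lines of output separate the two possibilities raised in the thread: a missing ACO or group points at the ACL definitions, while a present ARO with no group membership points at the user-to-group mapping.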