Dead Files

julialongtin wrote on Thursday, December 06, 2012:

As part of an API cleanup surrounding the ‘Notes’ API, I have been finding ‘dead’ files in OpenEMR. These files are not reachable from the user interface, but still present information in violation of ACL checking. It’s possible for users to get access to information for which they are not authorized by pasting a ‘deep URL’ into another tab of their web browser.

How should this be handled? I’m making a list (and checking it twice) here locally…

sunsetsystems wrote on Thursday, December 06, 2012:

Hi Julia, you can post up the list here and we’ll remove them for the next release.

Rod
www.sunsetsystems.com

julialongtin wrote on Friday, December 07, 2012:

To start with, I recommend the removal of /interface/patient_file/report/full_report.php immediately. It doesn’t respect ACLs, is made redundant by other functionality, and isn’t reachable from the interface.

yehster wrote on Friday, December 07, 2012:

The link to full_report.php was commented out in March of 2009. It should be pretty safe to remove the file.

https://github.com/yehster/openemr/commit/40f1b0c69f9ec654fef2c7fd840e2e4308f18686
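The kind of list Julia describes (pages nobody links to or includes any more, yet still served by the web server) can be built mechanically, and the case yehster points out (a link that was commented out but whose target file stayed on disk) is exactly what a reachability walk catches. The script below is an added example, not code from this thread or from OpenEMR: it walks a tree of PHP sources from a set of entry pages, follows include/require and href/action/src references (ignoring anything inside comments), reports every file the walk never reaches, and notes whether each page contains an ACL check. The sample tree, the entry point and the `acl_check(` marker used to spot a check are all constructed assumptions for illustration; run `load_tree()` on a real checkout and pick the real login/main pages as entry points.

```python
import os
import posixpath
import re
from collections import deque

# Constructed sample tree keyed by path relative to the web root.
# These are illustrative stand-ins, not OpenEMR's real files or contents.
SAMPLE_TREE = {
    "interface/main/main.php": (
        "<?php require_once('../globals.php'); ?>\n"
        "<a href='../patient_file/summary/demographics.php'>Demographics</a>\n"
        "<!-- <a href='../patient_file/report/full_report.php'>Full report</a> -->\n"
    ),
    "interface/globals.php": "<?php require_once('../library/acl.inc'); ?>\n",
    "library/acl.inc": "<?php function acl_check($section, $value) { return true; } ?>\n",
    "interface/patient_file/summary/demographics.php": (
        "<?php require_once('../../globals.php');\n"
        "if (!acl_check('patients', 'demo')) { die('Unauthorized'); } ?>\n"
        "<form action='../report/report.php'></form>\n"
    ),
    "interface/patient_file/report/report.php": (
        "<?php require_once('../../globals.php');\n"
        "if (!acl_check('patients', 'med')) { die('Unauthorized'); } ?>\n"
    ),
    # Orphaned page: only ever linked from a comment, and no ACL check inside.
    "interface/patient_file/report/full_report.php": (
        "<?php require_once('../../globals.php');\n"
        "echo 'all patient data, no ACL check'; ?>\n"
    ),
}

# Quoted targets of PHP includes and of HTML href/action/src attributes.
REF_RE = re.compile(
    r"""(?:include|require)(?:_once)?\s*\(?\s*['"]([^'"]+)['"]"""
    r"""|(?:href|action|src)\s*=\s*['"]([^'"]+)['"]""",
    re.IGNORECASE,
)
# Marker assumed to denote an authorization check in a page (assumption).
ACL_RE = re.compile(r"\bacl_check\s*\(")


def strip_comments(text):
    """Drop HTML comments, block comments and full-line // or # comments,
    so that a commented-out link does not count as a live reference."""
    text = re.sub(r"<!--.*?-->", "", text, flags=re.DOTALL)
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"^\s*(?://|#).*$", "", text, flags=re.MULTILINE)


def references(path, content):
    """Yield root-relative paths that `path` includes or links to."""
    for m in REF_RE.finditer(strip_comments(content)):
        target = m.group(1) or m.group(2)
        if target.startswith(("http:", "https:", "//", "mailto:", "javascript:", "#")):
            continue
        target = target.split("?", 1)[0].split("#", 1)[0]
        if not target:
            continue
        if target.startswith("/"):
            yield posixpath.normpath(target.lstrip("/"))
        else:
            yield posixpath.normpath(posixpath.join(posixpath.dirname(path), target))


def reachable_files(files, entry_points):
    """Breadth-first walk of the reference graph from the given entry pages."""
    seen = set()
    queue = deque(p for p in entry_points if p in files)
    while queue:
        cur = queue.popleft()
        if cur in seen:
            continue
        seen.add(cur)
        for ref in references(cur, files[cur]):
            if ref in files and ref not in seen:
                queue.append(ref)
    return seen


def find_dead_files(files, entry_points):
    """Files present in the tree that no entry point can reach."""
    return sorted(set(files) - reachable_files(files, entry_points))


def audit(files, entry_points):
    """Map each .php page to (reachable_from_ui, contains_acl_check)."""
    reach = reachable_files(files, entry_points)
    return {p: (p in reach, bool(ACL_RE.search(c)))
            for p, c in files.items() if p.endswith(".php")}


def load_tree(root, exts=(".php", ".inc", ".html")):
    """Read a real checkout into the same {relative_path: content} shape."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(exts):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[rel] = fh.read()
    return files


if __name__ == "__main__":
    entry = ["interface/main/main.php"]  # assumed UI entry page
    for path, (reachable, has_acl) in sorted(audit(SAMPLE_TREE, entry).items()):
        flag = "" if reachable else "  <-- dead file"
        print(f"{path}: reachable={reachable} acl_check={has_acl}{flag}")
```

Dead files that also lack an ACL check are the ones to remove first; a dead file that does check ACLs is still worth deleting, since nobody maintains authorization logic in a page nobody can see. The reference extraction is a heuristic (dynamic includes and JavaScript-built URLs are not followed), so treat the output as a candidate list to confirm by hand, which is what the thread proposes anyway.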