Giving access permission per link

zhhealthcare wrote on Sunday, May 30, 2010:

>Comment By: bradymiller (bradymiller)
Date: 2010-05-29 10:54

Message:
hey,
Put this proposal in a forum thread, so other developers can weigh in
(only a few read these trackers, if not directed in the forums).
-brady


Comment By: ZH Healthcare (zhhealthcare)
Date: 2010-05-29 02:42

Message:
There are around 75 links in the left side. In some pages the acl checks
are already there, like the demographics and administration pages. Putting the
acl checks at the top of each script will affect all these pages and that will
make the process complex. Can’t we have a common page in which this can be
written?

What I did

In the last line of the page
\interface\globals.php
I coded like below
echo $_SERVER;
I Clicked on every link.
Except one link (Administration->Other->Database), all showed the file name
path according to the written command.
Isn’t it a breakthrough, and with a little bit of coding, can’t we
centralize the access control per link? In this way we can control access to
individual links.

Action Plan to centralize the access control

1) Store all links’ destination pages in an array.
2) Another one to associate the page with my newly created ACOs.
3) We call “acl_check(‘links’, ‘reports’)”; this key combination (‘links’,
‘reports’) I added through the ACL admin screen.
4) If true, we check whether the coming page is in our array against ‘reports’,
and if found we allow him to see the page.
The last 2 steps continue with other link values. Finally, if we reach the
end, the user is not authorized.

To generalize it, we may think about pulling data from a database
table. This way we may avoid the above arrays. Presently the
\interface\main\left_nav.php page stores the page names. Pushing them to a new
table will need a little bit of coding in the page.

We would like to hear from you.
Please bear with me if I proposed a stupid plan.

Thanks,
Paul


Comment By: bradymiller (bradymiller)
Date: 2010-05-28 23:26

Message:
Put the acl checks also at the top of each script that you are securing.
For adding access controls, see this:
http://www.openmedsoftware.org/wiki/Development_Policies#Access_Control_Objects


Giving access permission per link.

Aim
To have a user view only the reports.

What we did
By default there is no access control per link in OpenEMR. ACL screen is used to add controls, user group & give access.
An ACL Group “Report Viewers” is created. Section “Links” is added, followed by the addition of the 5 first level links. The necessary links are given access to all the User Groups. A user is created under “Report Viewers”. To have the effect of these controls, a little bit of coding is done.

Our Issue
We prevented the link from being displayed in the left side by using the “acl_check()” function. But what if somebody directly takes the URL? Should we add a check in each page? Can we do the check in the globals? Please help.
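
The centralized check proposed in the action plan above, as an added example (not code from this thread or from OpenEMR): one gate, run from a common include, that maps the requested script to an ACO and denies anything unmapped, so a directly typed URL gets the same check as a menu click. The script paths, the `patients` ACO value, the map name and the stand-in `acl_check()` are assumptions; only the `acl_check('links', 'reports')` call shape comes from the post.

```php
<?php
// Map of script path (relative to the web root) => ACO value in the 'links'
// section. Paths and ACO values are constructed for illustration.
const LINK_ACOS = [
    '/interface/reports/appointments_report.php'       => 'reports',
    '/interface/patient_file/summary/demographics.php' => 'patients',
];

// Stand-in so the example runs alone; inside OpenEMR the real acl_check()
// would answer instead. Constructed grant: a "Report Viewers" user.
if (!function_exists('acl_check')) {
    function acl_check($section, $value)
    {
        $granted = ['links' => ['reports']];
        return in_array($value, $granted[$section] ?? [], true);
    }
}

// Identify the requested script from SCRIPT_NAME. Unlike PHP_SELF it carries
// no trailing PATH_INFO ("/page.php/extra"), so it can be matched exactly.
function requested_script(array $server): string
{
    $path = str_replace('\\', '/', $server['SCRIPT_NAME'] ?? '');
    return preg_replace('#/+#', '/', $path);
}

// Deny by default: a script with no entry in the map is refused, so a newly
// added page is not reachable until someone assigns it an ACO.
function link_allowed(array $server): bool
{
    $script = requested_script($server);
    if (!array_key_exists($script, LINK_ACOS)) {
        return false;
    }
    return (bool) acl_check('links', LINK_ACOS[$script]);
}

// Constructed requests; in a common include the argument would be $_SERVER.
$samples = [
    '/interface/reports/appointments_report.php',       // mapped, granted
    '/interface/patient_file/summary/demographics.php', // mapped, not granted
    '/interface/main/unlisted_page.php',                // not in the map
];
foreach ($samples as $scriptName) {
    $ok = link_allowed(['SCRIPT_NAME' => $scriptName]);
    echo $scriptName, ' => ', $ok ? 'allowed' : 'denied', PHP_EOL;
}
```

With the constructed grant, only the reports page is allowed; the demographics page and the unlisted page are both denied.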