OpenEMR API

medmasterpro wrote on Monday, February 10, 2014:

Hi Brady,

Can you please start the review process once again? Please share your plan/thoughts with us. Looking forward to your positive response.

Thanks,
MedMaster

bradymiller wrote on Friday, February 14, 2014:

Hi MedMaster,

If only I had 40 hours in each day :slight_smile:
Sorry, but the MU2 Meaningful Use stuff, security and admin issues are sucking away all my OpenEMR time at this moment. When I get some time, will continue the review. Will have some input also on the new user credential code you have after I look at it in more depth. If anybody is interested in reviewing the code, please go for it:
http://www.open-emr.org/wiki/index.php/Medmasterpro_API_Review#Overview

-brady
OpenEMR

deanha wrote on Sunday, February 16, 2014:

Hello All.
I’m new here, but I have a question.
I’m trying to open the OpenEMR with a specific patient.
something that may look like this:

http://demo.open-emr.org:2107/openemr/interface/main/main_screen.php?auth=login&site=default&Patient_id=4

This example doesn’t work, but I don’t know what does.
But the main issue is that I’m not LOGGED IN. I use it as an external link that opens a new browser directly to the patient information.

Any ideas how to do it and if it’s even possible?

Thanks,
Me.

anonymous wrote on Sunday, February 16, 2014:

That doesn’t sound very secure. What is to prevent an unauthorized person from using the direct link to gain access to protected health information? A credentialed user must log in to prove they are the owner of that data. I don’t think there is any way of bypassing that process.

tmccormi wrote on Monday, February 17, 2014:

… And there never will be. The API being discussed here requires full user authentication to be passed to the API before accessing any data.

deanha wrote on Monday, February 17, 2014:

First thank you for your reply.
Second, I know the user MUST log in before accessing.
But usually if you try to connect to a webpage that requires auth - you are directed to the login page, where you have to login and after that you are redirected to the page you wanted.

bradymiller wrote on Monday, February 17, 2014:

Hi,

That would be a nice feature that I do not think yet exists. Try to use pid rather than Patient_id and see what happens. If it does not yet exist, it would not be too tough (i.e. minimal resources) to get that working.

-brady
OpenEMR

yehster wrote on Monday, February 17, 2014:

Direct links are IMHO not a good idea as they encourage behavior that makes one more vulnerable to XSS attacks.

deanha wrote on Tuesday, February 18, 2014:

Hi Brady.

I tried using URL parameters (such as pid, patient_id etc.)
The problem is that the window is made of frames. Setting the pid is in the middle frame.
If only I knew there’s a parameter in the main window/frameset that can set the patient id it would have worked…

Thanks,
Dean.

bradymiller wrote on Friday, February 21, 2014:

Hi,

Just takes a little coding.

Can leverage the mechanism used by the Patients/Clients->Patients script, which passes a POST parameter entitled patientID that is caught by the interface/main/main_screen.php script.

It’s not very pretty, but this does the trick by drilling the GET parameter through the frame and avoids the need to set a session variable:

You can get it to work by placing following at end of the login web address:
&patientID=2
(note you need to refresh the login frame with this full address)

Note that this is not an uncommon feature, so it is valid to consider supporting something like this (it allows hyperlinking between different software packages; for example, MU2 requires that the radiology program that OpenEMR links itself supports this). Note authentication is still needed.

-brady
OpenEMR

deanha wrote on Sunday, February 23, 2014:

Hi.

I’ll try that. Thanks a lot!!

Dean.

bradymiller wrote on Sunday, February 23, 2014:

Hi,

Here’s a more refined commit for this, which I am proposing to commit into the main codebase:
https://github.com/bradymiller/openemr/commit/ace3ad71df8839417d80e4e13c17c701e6c6a04a
Two options:
patientID parameter will match to the patient pid
external_patientID parameter will match to the patient pubpid
(if no match, then will just go to the default openemr display after login)

I am requesting an official code review on this, especially considering some security issues were brought up by Kevin above. Also wondering if this is the most ideal approach to take.

thanks,
-brady
OpenEMR

yehster wrote on Sunday, February 23, 2014:

I disagree with adding this feature, because it encourages behavior that makes an OpenEMR system more vulnerable to phishing and other social engineering attacks.

Example. I email you a link to click. However, that link hits a website which looks like the correct OpenEMR login, but then forwards you through this newly added direct patient access feature. When you type your login credentials in, they get captured, but since you get forwarded to the correct patient page on the real OpenEMR site, you wouldn’t detect the problem.

There are ways to make it very hard to realize that such a link isn’t genuine.

There is a trade-off between convenience and security with the introduction of this feature.

bradymiller wrote on Sunday, February 23, 2014:

Hi Kevin,

That doesn’t make much sense at all regarding the phishing or social engineering. What is the exact difference between a typical login to see the calendar/message frames vs. patient specific frames? If a user is clicking non-genuine links from an email or other sources, they are a target for phishing no matter where they go into OpenEMR.

The reason I am trying to get this into the codebase is because there are real life use cases where having this feature is vital. I am actually surprised that this issue has not come up yet. It essentially allows seamless use of different patient centric tools (i.e. openemr, billing if not in openemr, imaging and any other third party tools) without needing to do a patient search when logging into each tool.

I suppose we could place the control of it under a global that is off by default…

-brady
OpenEMR

bradymiller wrote on Wednesday, February 26, 2014:

Hi,

Any additional input on this? Would it be acceptable if this were controlled by a global (would be in Admin->Globals->Features->“Allow Patient Selection on Login”) that is turned off by default?

thanks,
-brady
OpenEMR
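The resolution step the thread converges on (patientID matched to the patient pid, external_patientID matched to pubpid, fall back to the default display on no match, gated by an admin global that is off by default, and never before the login itself succeeds) can be written as one small function. The following is an added example and is not code from the thread, from Brady's commit, or from the OpenEMR codebase: the global key `allow_patient_selection_on_login`, the function names, and the in-memory SQLite table standing in for the `patient_data` table (with constructed sample rows) are all assumptions made here for illustration.

```php
<?php
// Added example, not OpenEMR code. Resolves the post-login patient selection
// described in the thread: patientID -> pid, external_patientID -> pubpid.
declare(strict_types=1);

// Constructed stand-in for patient_data with two sample patients.
function makeDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE patient_data (pid INTEGER PRIMARY KEY, pubpid TEXT, fname TEXT, lname TEXT)');
    $ins = $db->prepare('INSERT INTO patient_data (pid, pubpid, fname, lname) VALUES (?, ?, ?, ?)');
    $ins->execute([2, 'EXT-1001', 'Sample', 'PatientA']);
    $ins->execute([4, 'EXT-1002', 'Sample', 'PatientB']);
    return $db;
}

/**
 * Returns the pid to open after login, or null for the default OpenEMR display.
 *
 * @param array $globals       hypothetical key 'allow_patient_selection_on_login' (bool, default off)
 * @param array $request       the GET/POST parameters carried through the login frame
 * @param bool  $authenticated whether the credential check itself succeeded
 */
function resolveLoginPatient(PDO $db, array $globals, array $request, bool $authenticated): ?int
{
    // The parameter only ever selects a patient; it never bypasses authentication.
    if (!$authenticated) {
        return null;
    }
    // Feature is off unless an admin turned the global on.
    if (empty($globals['allow_patient_selection_on_login'])) {
        return null;
    }

    if (isset($request['patientID'])) {
        // pid is an integer key: accept digits only, so anything else
        // (a URL, a quoted string) is ignored rather than partially parsed.
        $raw = (string) $request['patientID'];
        if (!preg_match('/^\d+$/', $raw)) {
            return null;
        }
        $stmt = $db->prepare('SELECT pid FROM patient_data WHERE pid = ?');
        $stmt->execute([(int) $raw]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? (int) $row['pid'] : null;
    }

    if (isset($request['external_patientID'])) {
        // pubpid is an opaque external identifier: exact match via a bound parameter.
        $stmt = $db->prepare('SELECT pid FROM patient_data WHERE pubpid = ?');
        $stmt->execute([(string) $request['external_patientID']]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? (int) $row['pid'] : null;
    }

    // Neither parameter present: default display after login.
    return null;
}

// Demonstration of the four cases the thread discusses.
$db = makeDemoDb();
$on  = ['allow_patient_selection_on_login' => true];
$off = ['allow_patient_selection_on_login' => false];

$cases = [
    'global on, patientID=2'                 => resolveLoginPatient($db, $on,  ['patientID' => '2'], true),
    'global on, external_patientID=EXT-1002' => resolveLoginPatient($db, $on,  ['external_patientID' => 'EXT-1002'], true),
    'global on, no match'                    => resolveLoginPatient($db, $on,  ['patientID' => '99'], true),
    'global on, non-numeric patientID'       => resolveLoginPatient($db, $on,  ['patientID' => 'http://x'], true),
    'global off (default)'                   => resolveLoginPatient($db, $off, ['patientID' => '2'], true),
    'not authenticated'                      => resolveLoginPatient($db, $on,  ['patientID' => '2'], false),
];
foreach ($cases as $label => $pid) {
    printf("%-42s => %s\n", $label, var_export($pid, true));
}
```

The point relevant to the phishing discussion above is that the carried parameter is only ever a patient identifier resolved against the local database, never a destination URL, so the post-login landing page always stays inside the same OpenEMR instance; the credential check happens first regardless, and the whole behaviour is inert until an administrator turns the global on.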

taniossoliman wrote on Tuesday, June 24, 2014:

Hi, need help please. When I am trying to launch getallpatients.php I get this:

"
-1

Please check the REST API server settings in Administration/Globals/Connectors

"

So what is the problem and how to solve it, because I don’t think it is really related to some settings inside Administrators/Globals/Connectors?

Please, I need your reply as soon as possible.

Thank you so much