Upgrading OpenEMR

drbowen wrote on Wednesday, May 13, 2009:

I am upgrading at last.

Linux Gentoo current

Apache 2.2.9-r1
MySQL  5.0.70-r1
PHP  5.2.8-r1
OpenEMR 2.8.2-dev upgrading to 2.8.2

Most of my OpenEMR functions are normal but my staff members cannot edit (add, change or discontinue) medications.  I don’t see “lists” in my ACLs on phpGACL.  I think this is an ACL permission problem.

phpGACL is outside the webroot.

Any thoughts or ideas?

Sam Bowen

bradymiller wrote on Wednesday, May 13, 2009:

hey,

I don’t think there is a ‘lists’ control (aco). I pasted the current patient controls and what’s been upgraded since 2.8.2.  Are you able to edit the medications?  If you can’t modify meds, is it throwing a php error to the log?  If still not sure, then may need to go through code to see if and what aco is protecting it.  Once you get to 2.8.3 you should be able to make the jump to 3.0.1 (successful on appliance and others in the forums here)

-brady

// Create ACOs for patients.
//
$gacl->add_object('patients', 'Appointments (write optional)'           , 'appt' , 10, 0, 'ACO');
$gacl->add_object('patients', 'Demographics (write,addonly optional)'   , 'demo' , 10, 0, 'ACO');
$gacl->add_object('patients', 'Medical/History (write,addonly optional)', 'med'  , 10, 0, 'ACO');
$gacl->add_object('patients', 'Transactions (write optional)'           , 'trans', 10, 0, 'ACO');
$gacl->add_object('patients', 'Documents (write,addonly optional)'      , 'docs' , 10, 0, 'ACO');
$gacl->add_object('patients', 'Patient Notes (write,addonly optional)'  , 'notes', 10, 0, 'ACO');

// Updates included:
//   2.8.2
//     Section “sensitivities” (Sensitivities):
//       ADD  normal   Normal              (Administrators, Physicians, Clinicians(addonly))
//       ADD  high     High                (Administrators, Physicians)
//     Section “admin”         (Administration):
//       ADD  super    Superuser           (Administrators)
//   2.8.4
//     Section “admin”         (Administration):
//       ADD  drugs    Pharmacy Dispensary (Administrators, Physicians, Clinicians(write))
//       ADD  acl      ACL Administration (Administrators)
//     Section “sensitivities” (Sensitivities):
//       EDIT high     High               (ensure the order variable is ‘20’)
//     Section “acct”          (Accounting):
//       ADD  disc     Price Discounting (Administrators, Physicians, Accounting(write))

drbowen wrote on Wednesday, May 13, 2009:

On the ‘summary’ page of a patient’s chart there is a problem list of Problems, Medications, Allergies, Surgeries.  The links are as follows:

http://vader/openemr/interface/patient_file/summary/stats_full.php?active=all

I can then click on individual medicines, allergies etc.  I add an expiration date. The medication is no longer visible in the ‘summary’ list.

The table that holds these values is ‘lists’.

There are ACOs called:

   1. Appointments (write optional)
   2. Demographics (write,addonly optional)
   3. Documents (write,addonly optional)
   4. Medical/History (write,addonly optional)
   5. Patient Notes (write,addonly optional)
   6. Transactions (write optional)

I do not see an ACO for the "~/patient_file/summary/stats_full.php?active=all"

As the initial user I can modify these lists but no one else can.

Sam Bowen

drbowen wrote on Wednesday, May 13, 2009:

The non-authorized users cannot activate the links.  There are no reported errors in the PHP error log.

Sam Bowen

bradymiller wrote on Thursday, May 14, 2009:

hey,
I’ve got demos for 2.8.2 here to help out (near bottom of page), whoever would have thought these would have been useful:
http://bradymd.com/appliance/demos.html

Feel free to test anything, ie unauthorizing users etc. It refreshes back to original every morning.

Do you get any “this user is not authorized to …” messages?
All below just looks protected by the ‘med’ aco for files:
1) patient_summary.php (bottom left)
2) stats.php (list the issues and has the ‘add issues’ button)
3) add_edit_issue.php (editing the issues)

where is it breaking in above?

-brady

drbowen wrote on Thursday, May 14, 2009:

I believe this is allowed for all users:

1) patient_summary.php (bottom left)

Not sure but I think this is allowed:

2) stats.php (list the issues and has the ‘add issues’ button)

This is not allowed for the "non-authorized users":

3) add_edit_issue.php (editing the issues)

The non-authorized can open the list of "issues" and see the contents but cannot add new issues and cannot edit already existing issues.  So I am not sure whether #2 above is allowed or not.

Sam Bowen

bradymiller wrote on Thursday, May 14, 2009:

hey,

Assumptions:
If they can open the list of issues (this is the stats.php page), I am assuming they see an ‘Add Issues’ button. What happens when they click on ‘Add Issues’ button? I am assuming nothing with no error logged. If this isn’t the case let me know.

Thoughts:
The 2.8.2 demo works for non-authorized users as long as they have the ‘med’ aco (so you do appear to have a bug). Following statements protect add_edit_issue.php:
$thisauth = acl_check('patients', 'med');
if ($issue && $thisauth != 'write') die("Edit is not authorized!");
if ($thisauth != 'write' && $thisauth != 'addonly') die("Add is not authorized!");

It would be interesting to see if your users get beyond this when they click ‘Add Issues’ button. Could eval for this by placing following above and below these statements:
error_log("Attempting acl", 0);

error_log("Passed acl", 0);

If you make it through then can rule out gacl stuff at least.

Other questions:
Did you keep any files around from your old version (anything, config files etc., customizations etc.)?
If you substitute your old add_edit_issue.php file does it work?
You can also directly compare your acl in phpgacl with that of the demo to ensure identical (especially the return values):
https://opensourceemr.com:2085/phpgacl/admin/acl_list.php?return_page=acl_list.php
user:admin pass:admin

-brady

drbowen wrote on Thursday, May 14, 2009:

They can open the list of issues.  They can see the add issue button.  When they click on the button it opens and there is a message that "Add is not authorized".

When they try to change a medication because it is misspelled, change of frequency, or needs to be discontinued they get an "I" shaped text icon and no active link.

When an authorized user does the same thing the user has an "arrow" pointer icon and can open the medication for modification.

I do not a "med" ACO.

Yes, I have all the old files.  I backed up everything I could think of at least three different ways.

What is the path to "add_edit_issue.php"?

Sam Bowen

bradymiller wrote on Thursday, May 14, 2009:

hey,

I’m definitely thinking this is an acl issue secondary to your “Add is not authorized” message, which comes from top of file openemr/interface/patient_file/summary/add_edit_issue.php :
if ($thisauth != 'write' && $thisauth != 'addonly') die("Add is not authorized!");

If you don’t have a “med” aco (titled Medical/History under Patients in php-gacl), that would be strange because your staff then wouldn’t be able to see the listings from openemr/interface/patient_file/summary/stats.php file, which they do see.  Let me know if it’s really not there, then get to add manually via php-gacl, a total pain.

I’m wondering what you’re using as your ‘Return Values’ for all your acl’s at (you could just copy/paste the entire page here):
phpgacl/admin/acl_list.php

As I recall, authorized users got special treatment back in the old days, which is why authorized users can do more stuff.

-brady

drbowen wrote on Thursday, May 14, 2009:

    *  Accounting
         1. Billing (write optional)
         2. EOB Data Entry
         3. Financial Reporting - my encounters
         4. Financial Reporting - anything
    * Administration
         1. Batch Communication Tool
         2. Calendar Settings
         3. Database Reporting
         4. Forms Administration
         5. Language Interface Tool
         6. Practice Settings
         7. Superbill Codes Administration
         8. Users/Groups/Logs Administration
    * Encounters
         1. Authorize - any encounters
         2. Coding - any encounters (write,wsome optional)
         3. Fix encounter dates - any encounters
         4. Notes - any encounters (write,addonly optional)
    * Patients
         1. Appointments (write optional)
         2. Demographics (write,addonly optional)
         3. Documents (write,addonly optional)
         4. Medical/History (write,addonly optional)
         5. Patient Notes (write,addonly optional)
         6. Transactions (write optional)

    Groups

   1. Administrators

        ALLOW     Yes     [ Edit ]    
Return Value: write     System
Note: Administrators can do anything     04-Jul-2006 20:21:06
11    

    * Accounting
         1. Financial Reporting - my encounters
    * Encounters
         1. Authorize - any encounters
         2. Coding - any encounters (write,wsome optional)
         3. Fix encounter dates - any encounters
         4. Notes - any encounters (write,addonly optional)
    * Patients
         1. Appointments (write optional)
         2. Demographics (write,addonly optional)
         3. Documents (write,addonly optional)
         4. Medical/History (write,addonly optional)
         5. Patient Notes (write,addonly optional)
         6. Transactions (write optional)

    Groups

   1. Physicians

        ALLOW     Yes     [ Edit ]    
Return Value: write     System
Note: Things that physicians can read and modify     04-Jul-2006 20:21:06
12    

    * Encounters
         1. Less-private information (write,addonly optional)

    Groups

   1. Clinicians

        ALLOW     Yes     [ Edit ]    
Return Value: addonly     System
Note: Things that clinicians can read and enter but not modify     05-Jul-2006 10:47:49
13    

    * Encounters
         1. Fix encounter dates - any encounters
         2. Notes - any encounters (write,addonly optional)
         3. Less-private information (write,addonly optional)
    * Patients
         1. Appointments (write optional)
         2. Demographics (write,addonly optional)
         3. Documents (write,addonly optional)
         4. Medical/History (write,addonly optional)
         5. Patient Notes (write,addonly optional)

    Groups

   1. Clinicians

        ALLOW     Yes     [ Edit ]    
Return Value: write     System
Note: Things that clinicians can read and modify     19-Sep-2006 05:17:28
14    

    * Encounters
         1. Notes - any encounters (write,addonly optional)
         2. Less-private information (write,addonly optional)
    * Patients
         1. Appointments (write optional)
         2. Demographics (write,addonly optional)
         3. Documents (write,addonly optional)
         4. Medical/History (write,addonly optional)
         5. Patient Notes (write,addonly optional)
         6. Transactions (write optional)

    Groups

   1. Front Office

        ALLOW     Yes     [ Edit ]    
Return Value: write     System
Note: Things that front office can read and modify     05-Jul-2006 06:09:08
15    

    * Accounting
         1. Billing (write optional)
         2. EOB Data Entry
         3. Financial Reporting - my encounters
         4. Financial Reporting - anything
    * Administration
         1. Practice Settings
         2. Superbill Codes Administration
    * Encounters
         1. Authorize - any encounters
         2. Coding - any encounters (write,wsome optional)
         3. Fix encounter dates - any encounters
    * Patients
         1. Appointments (write optional)
         2. Demographics (write,addonly optional)

bradymiller wrote on Thursday, May 14, 2009:

hey,

I’m assuming your users are joined to the clinicians group, which is linked to the clinician acl’s. The problem may be you have redundant aco’s in the clinician groups (one sends a write and one sends an add), which is possibly causing the strange behavior. Check out the demo acl_list page, you’ll note there are no repeats of aco in these separate clinician acl lists. Be interesting to see what you get if put following log line within acl stuff in openemr/interface/patient_file/summary/add_edit_issue.php:
$thisauth = acl_check('patients', 'med');
error_log("ACL return value :". $thisauth, 0);
if ($issue && $thisauth != 'write') die("Edit is not authorized!");
if ($thisauth != 'write' && $thisauth != 'addonly') die("Add is not authorized!");

Another thing to note while you’re upgrading is that you’re also missing some aco’s that won’t be brought in by acl_upgrade.php (I’m assuming you listed them all in above top list):
super
auth_a_
coding_a
notes_a
date_a
relaxed

If that is the case, after upgrading to 3.0.1 I’d suggest not migrating your external phpgacl into embedded version (this can be set in openemr/library/acl.inc). Then after upgrade, I’d clear your phpgacl data via a gacl command (scarily, this only requires a simple gacl-admin command in a one line php script), and run acl_setup to pick up all of your lost aco’s and fix your acl structures.  Then as ‘admin’ user you can go in and easily add users to groups and modify groups as needed in the acl->admin menu.

-brady
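
The guards quoted from add_edit_issue.php and the redundant-ACO check suggested above, as an added example that is not part of the thread and is not OpenEMR or phpGACL code. `issue_guard` and `find_conflicts` are hypothetical names, the `$acls` array is constructed from the two Clinicians entries in the pasted acl_list.php output, and `false` stands in for any acl_check() result other than 'write' or 'addonly'.

```php
<?php
// Added example: not OpenEMR or phpGACL code. Function names are hypothetical.

// The two guards quoted from add_edit_issue.php, returning the message
// instead of calling die(). $issue is truthy when an existing issue is edited.
function issue_guard($thisauth, $issue)
{
    if ($issue && $thisauth != 'write') {
        return 'Edit is not authorized!';
    }
    if ($thisauth != 'write' && $thisauth != 'addonly') {
        return 'Add is not authorized!';
    }
    return 'allowed';
}

// Constructed sample: the two Clinicians entries from the acl_list.php paste,
// keyed by the ACO titles shown there (optional-value hints dropped).
$acls = array(
    array(
        'group'  => 'Clinicians',
        'return' => 'addonly',
        'acos'   => array('Encounters' => array('Less-private information')),
    ),
    array(
        'group'  => 'Clinicians',
        'return' => 'write',
        'acos'   => array(
            'Encounters' => array('Fix encounter dates - any encounters',
                'Notes - any encounters', 'Less-private information'),
            'Patients'   => array('Appointments', 'Demographics', 'Documents',
                'Medical/History', 'Patient Notes'),
        ),
    ),
);

// Report every ACO that one group receives from more than one ACL entry
// with different return values (the redundancy described above).
function find_conflicts($acls)
{
    $seen = array();
    foreach ($acls as $acl) {
        foreach ($acl['acos'] as $section => $names) {
            foreach ($names as $name) {
                $key = $acl['group'] . ' | ' . $section . ' | ' . $name;
                $seen[$key][$acl['return']] = true;
            }
        }
    }
    $conflicts = array();
    foreach ($seen as $key => $returns) {
        if (count($returns) > 1) {
            $conflicts[$key] = array_keys($returns);
        }
    }
    return $conflicts;
}

foreach (find_conflicts($acls) as $key => $returns) {
    echo "CONFLICT: $key returns " . implode(' and ', $returns) . "\n";
}

// What each possible acl_check() result means for add (no $issue) and edit.
foreach (array('write', 'addonly', false) as $auth) {
    $label = ($auth === false) ? 'false' : $auth;
    echo str_pad($label, 8)
        . ' add: '  . str_pad(issue_guard($auth, 0), 24)
        . ' edit: ' . issue_guard($auth, 5) . "\n";
}
```

On this sample the only ACO reported is 'Less-private information'; 'Medical/History' appears once for Clinicians, with return value write. The second loop shows that "Add is not authorized!" is reached only when the value is neither 'write' nor 'addonly'.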

bradymiller wrote on Thursday, May 14, 2009:

Actually, to further simplify, if you’re gonna end up clearing the gacl database, then you don’t even have to really clear the gacl or worry about gacl migration. After upgrading to 3.0.1 just run openemr/gacl/setup.php and openemr/acl_setup.php in browser, then can login as ‘admin’ into openemr and set up all your users in gacl via admin->acl menu (you can also modify your groups here); it’s very quick, check out a recent demo for how it works. You should never have to touch the php-gacl interface anymore. If your original issue is a gacl issue, then perhaps it’s time to just do the upgrade to 2.8.3, then to 3.0.1 (perhaps try on a developer server first) because the gacl’s will be magically fixed in the process anyways.

-brady

bo2999 wrote on Thursday, May 14, 2009:

I just upgraded to 3.0.1 from 2.8.2.dev.  I had to reset all the GACL data base to use embedded function (no more separate database).  What I found out was that in order to avoid reentering all user information, you need to
1) Change your admin password to ‘pass’. So that when you turn GACL back on you don’t get locked out.

2) Disable the GACL by uncommenting the following line in /openemr/library/acl.inc
   //unset($phpgacl_location);

3) Upgrading as Brady suggested above  : -)

4) Enable GACL. Reverse step 2 above.

5) Go into ‘user’ menu.  Click to edit each user, change each user to appropriate permission scheme, i.e. ‘front office’ , ‘billing’, or ‘clinician’ etc. and SAVE. Do not change anything else to keep everything the same.

6) Change your admin password. That’s it.

Bo,

bradymiller wrote on Thursday, May 14, 2009:

hey,

php-GACL doesn’t care about passwords, you just have to make sure you have an ‘admin’ user to ensure you don’t get locked out of the embedded gacl (if this happens, there is a way out of this), so shouldn’t need steps 1 and 6. You also shouldn’t need steps 2 and 4, since you’re never logging into openemr during step 3. And for step 5, it’s more straightforward to add your users to groups in the acl->admin menu. There is also a way to avoid needing to rebuild the gacl database, but in Sam’s case his ACL stuff is pretty much not worth saving.  It worked for you though, Bo, which is most important.

I posted a set of generic upgrade instructions when going from 2.8.2.dev below. The following instructions below avoid needing to have to re-build the gacl stuff. However in Sam’s case he should rebuild the gacl by substituting steps 6-8 with just running the openemr/gacl/setup.php and openemr/acl_setup.php scripts in browser.  Then after done with step 11, Sam can login as admin and add his users to gacl groups at admin->acl menu.

To upgrade openemr <3.0 to > 3.0 with external php-gacl installed and sql-ledger NOT installed:
1) Move old openemr directory to a backup directory
2) Move new version into openemr directory
3) Copy openemr/library/sqlconf.php file from old version into the new version
4) Edit openemr/interface/globals.php (set $webserver_root and $web_root to be same as old version)
5) Open up your openemr/library/sqlconf.php file and note the variables for host, login, pass, and dbase variables (I’d suggest writing these on a piece of paper in the order listed). Then place these values (with above ordering) in the corresponding blank variables found in openemr/gacl/gacl.ini.php (host, user, password, name) and openemr/gacl/gacl.class.php (db_host, db_user, db_password, db_name).
6) Place the gacl_ prefix on all tables in your php-gacl database (I put a link to a php hack that will do this at bottom of this message)
7) Save your modified php-gacl database to a mysql backup file (use ‘mysqldump’ command)
8) Restore the gacl database backup file into your openemr database (use ‘mysql’ command) (thus you have now combined the gacl and openemr databases)
9) Open sql_upgrade.php in browser and follow instructions (this will upgrade your sql database)
10) Open openemr/acl_upgrade.php in browser (this will upgrade your gacl)
11) Configure optional settings in interface/globals.php and includes/config.php files

Here’s the link to the custom php hack that will put prefix on your gacl tables:
http://bradymd.com/prefixMod.tar.gz
Unpackage, then place on your server and run it through your browser. For ‘Enter New Prefix’ ensure you put ‘gacl’. And again you’re gonna put your gacl database name for ‘Enter database name:’. Remember to remove this script when you are done.

Other useful links that you should read through to help out:

Joe’s instructions for windows upgrading:
http://www.oemr.org/modules/wiwimod/index.php?page=UpgradeWindowsOne

full upgrade in linux which gives good overview of steps:
http://bradymd.com/appliance/update3/

another thread:
https://sourceforge.net/forum/forum.php?thread_id=3117812&forum_id=202505

At some point, will hopefully get this on the wiki (the issue is that the upgrades from old versions can be personalized as in Sam’s case and hinge on several factors (if user has php-gacl, sql-ledger, and an ‘admin’ username)).

-brady

bradymiller wrote on Thursday, May 14, 2009:

Sam,
Above is to just clarify the overall upgrade process. Do you have the means to copy everything to a developer copy and make the leap to 3.0.1 with this developer copy for testing (probably safest route)? I’m also wondering if your blob structure (as I recall your patient docs are in the database) will unmask some issues in the upgraded code.
-brady

bo2999 wrote on Friday, May 15, 2009:

Quoting for Brady,

“php-GACL doesn’t care about passwords, you just have to make sure you have an ‘admin’ user to ensure you don’t get locked out of the embedded gacl”.

Yes, I did not get locked out. However, if I did not change admin password to ‘pass’, I could still log in BUT with a ‘front office’ permission only.  I could not log into ‘admin’ menu to get access to “GACL” or even “users” menu.

I have tried many times before coming up with this solution!!! (changing admin password to ‘pass’ before upgrading to Embedded GACL).

I was so desperate. I almost did the unthinkable - to  “wipe out  ‘users’  table.”! Just Kidding!

Bo,

bradymiller wrote on Friday, May 15, 2009:

Bo,
This is very strange indeed. In php-gacl sql tables, gacl_aro table holds the user info (no password column there, or anywhere else in the gacl tables) and the setup scripts for gacl don’t use a password, so can’t foresee anyway a password will have any effect on gacl stuff. Of course, anything’s possible and my upgrading has been done with the default ‘pass’ password. What was your exact upgrade procedure; maybe there’s a clue there. If still unclear I’ll see what happens if I upgrade from 2.8.3 (don’t have 2.8.2-dev around) with the admin not set to ‘pass’.
-brady

bo2999 wrote on Friday, May 15, 2009:

Brady,

Maybe GACL table do not have any password, but I think it is embedded in the program?  I may be wrong, but it works for me. 
I don’t remember what I did exactly when I upgrade my computer.  Recently, I upgrade my brother-in-law computer from 2.8.2-dev to .  The very first thing I did was

1) To reassign admin password to ‘pass’, 

2) Copy new openemr 3.0.1 to openemr.

3) Then  upgrade database by pointing browser to localhost/openemr/sql_upgrade.php select to upgrade 2.8.2, waiting for done message.

4) Assuming I ignore old GACL database and /phpgacl directory. I then point my browser to localhost/openemr/acl_setup.php.  As soon as I hit enter, I got the message that the database has already been set up. Just ignore that message. I know the tables with gacl_ prefix were not there before I hit enter, they only appear after I hit enter!
Database was done

5) Log back into openemr with admin user and password ‘pass’.

6) Next is to use admin user to click on users-edit and SAVE to allow them to log into openemr with their old password. That’s it. 

Optional:
7) Next thing to do is to setup Fee sheet table again from ‘lists’.  IT IS A PAIN.

8) Next is to setup some other settings in ‘layouts’ to customize. This time I am business!

There are couple more steps for me because I need to output HCFA in text format for uploading to clearing house.  But that should be it.

You try this to see if the virgin table of GACL accepts other passwords than ‘pass’ by doing these steps:
1) Make sure that your admin password works with current GACL database. 
2) Then go to /var/lib/mysql/openemr and delete all tables with gacl_ prefix, and then
3) Point your browser to /localhost/openemr/acl_setup.php to initialize new GACL table.  I bet you cannot log in with admin privilege this time!!!

By the way your Xampp package is extremely useful, and easy to install!  It also has GD library installed! I do need that for testing with graphs.  Thanks again.

Bo,

bradymiller wrote on Friday, May 15, 2009:

hi,
I’m assuming in step 4 you also did the following steps before pointing browser to localhost/openemr/acl_setup.php (if you’re not doing below steps, then I’m becoming concerned that perhaps you’re not really doing a complete upgrade):
1) Copy openemr/library/sqlconf.php file from old version into the new version
2) Edit openemr/interface/globals.php (set $webserver_root and $web_root to be same as old version)
3) Open up your openemr/library/sqlconf.php file and note the variables for host, login, pass, and dbase variables (I’d suggest writing these on a piece of paper in the order listed). Then place these values (with above ordering) in the corresponding blank variables found in openemr/gacl/gacl.ini.php (host, user, password, name) and openemr/gacl/gacl.class.php (db_host, db_user, db_password, db_name)
4) In browser run localhost/openemr/gacl/setup.php

I’m also assuming that you see the following message in browser when run localhost/openemr/acl_setup.php:
OpenEMR ACL Setup
All done configuring and installing access controls (php-GACL)!

I changed my admin password to ‘boo’, deleted all gacl_ tables (then unable to login), then ran in browser localhost/openemr/gacl/setup.php followed by localhost/openemr/acl_setup.php. I then logged in fine with admin privileges intact with the ‘boo’ password.

The only thing I can think of is maybe there are session/cookie issues lingering from the old version causing problems with the new release, or maybe it’s a windows thing.  But that’s really stretching it, because the openemr password is not hard-coded anywhere in openemr/library/acl.inc (openemr’s connector to gacl), setup scripts, or gacl (database or directory) itself.  Plan to ensure this isn’t a problem in a full 2.8.1 upgrade later today; if it is, then will modify upgrade instructions, and try to figure out what bug is being unmasked. Again, the most important thing is that your method was successful for you.

Dr. Sam Bowen deserves the credit for the masterful XAMPP release, I just made the download link.

thanks,
brady

bo2999 wrote on Friday, May 15, 2009:

You are right, I did not mention the steps to change sqlconfig.php and gacl.inc.php for host, user, password, name and openemr/gacl/gacl.class.php (db_host, db_user, db_password, db_name). And finally change globals.php as you mention above.  Oops, thanks for pointing that out. 
Maybe it’s the cookies session that messed me up!
Of course,  when I install or upgrade Openemr I always open a link windows to your instruction before I attempt to do anything!  Thanks for everything! 

Bo,