some bug fixes (openemr#4918)

library/globals.inc.php

@@ -2888,6 +2888,20 @@ function gblTimeZones()
             xl('Patient is required to enter their contact e-mail if present in Demographics Contact.')
         ),
 
+        'google_recaptcha_site_key' => array(
+            xl('Google reCAPTCHA V2 site key'),
+            'text',
+            '',
+            xl('Google reCAPTCHA V2 site key')
+        ),
+
+        'google_recaptcha_secret_key' => array(
+            xl('Google reCAPTCHA V2 secret key'),
+            'encrypted',
+            '',
+            xl('Google reCAPTCHA V2 secret key')
+        ),
+
         'portal_onsite_two_register' => array(
             xl('Allow New Patient Registration Widget'),
             'bool',                           // data type

library/js/xl/jquery-datetimepicker-2-5-4-alternate.js.php

@@ -55,7 +55,7 @@
 var datepicker_xlMonths = [<?php echo xlj('January'); ?>, <?php echo xlj('February'); ?>, <?php echo xlj('March'); ?>, <?php echo xlj('April'); ?>, <?php echo xlj('May'); ?>, <?php echo xlj('June'); ?>, <?php echo xlj('July'); ?>, <?php echo xlj('August'); ?>, <?php echo xlj('September'); ?>, <?php echo xlj('October'); ?>, <?php echo xlj('November'); ?>, <?php echo xlj('December'); ?>];
 var datepicker_xlDayofwkshort= [<?php echo xlj('Sun'); ?>, <?php echo xlj('Mon'); ?>, <?php echo xlj('Tue'); ?>, <?php echo xlj('Wed'); ?>, <?php echo xlj('Thu'); ?>, <?php echo xlj('Fri'); ?>, <?php echo xlj('Sat'); ?>];
 var datepicker_xlDayofwk= [<?php echo xlj('Sunday'); ?>, <?php echo xlj('Monday'); ?>, <?php echo xlj('Tuesday'); ?>, <?php echo xlj('Wednesday'); ?>, <?php echo xlj('Thursday'); ?>, <?php echo xlj('Friday'); ?>, <?php echo xlj('Saturday'); ?>];
-var datepicker_rtl = <?php echo ($_SESSION['language_direction'] == 'rtl') ? "true" : "false"; ?>;
+var datepicker_rtl = <?php echo (($_SESSION['language_direction'] ?? '') == 'rtl') ? "true" : "false"; ?>;
 var datepicker_yearStart = '1900';
 var datepicker_format = 'Y-m-d';
 var datepicker_scrollInput = false;
@@ -65,7 +65,7 @@
 var datetimepicker_xlMonths = [<?php echo xlj('January'); ?>, <?php echo xlj('February'); ?>, <?php echo xlj('March'); ?>, <?php echo xlj('April'); ?>, <?php echo xlj('May'); ?>, <?php echo xlj('June'); ?>, <?php echo xlj('July'); ?>, <?php echo xlj('August'); ?>, <?php echo xlj('September'); ?>, <?php echo xlj('October'); ?>, <?php echo xlj('November'); ?>, <?php echo xlj('December'); ?>];
 var datetimepicker_xlDayofwkshort= [<?php echo xlj('Sun'); ?>, <?php echo xlj('Mon'); ?>, <?php echo xlj('Tue'); ?>, <?php echo xlj('Wed'); ?>, <?php echo xlj('Thu'); ?>, <?php echo xlj('Fri'); ?>, <?php echo xlj('Sat'); ?>];
 var datetimepicker_xlDayofwk= [<?php echo xlj('Sunday'); ?>, <?php echo xlj('Monday'); ?>, <?php echo xlj('Tuesday'); ?>, <?php echo xlj('Wednesday'); ?>, <?php echo xlj('Thursday'); ?>, <?php echo xlj('Friday'); ?>, <?php echo xlj('Saturday'); ?>];
-var datetimepicker_rtl = <?php echo ($_SESSION['language_direction'] == 'rtl') ? "true" : "false"; ?>;
+var datetimepicker_rtl = <?php echo (($_SESSION['language_direction'] ?? '') == 'rtl') ? "true" : "false"; ?>;
 var datetimepicker_yearStart = '1900';
 var datetimepicker_format = 'Y-m-d H:i:s';
 var datetimepicker_step = '30';

library/js/xl/jquery-datetimepicker-2-5-4.js.php

@@ -54,7 +54,7 @@
             ]
         },
     },
-    <?php if ($_SESSION['language_direction'] == 'rtl') { ?>
+    <?php if (($_SESSION['language_direction'] ?? '') == 'rtl') { ?>
     /**
      * In RTL languages a datepicker popup is opened in left and it's cutted by the edge of the window
      * This patch resolves that and moves a datepicker popup to right side.
@@ -76,7 +76,7 @@
     yearStart: '1900',
     scrollInput: false,
     scrollMonth: false,
-    rtl: <?php echo ($_SESSION['language_direction'] == 'rtl') ? "true" : "false"; ?>,
+    rtl: <?php echo (($_SESSION['language_direction'] ?? '') == 'rtl') ? "true" : "false"; ?>,
     <?php if (!empty($datetimepicker_minDate)) { ?>
         minDate: '<?php echo $datetimepicker_minDate; ?>',
     <?php } ?>

portal/account/account.php

@@ -17,6 +17,7 @@
 OpenEMR\Common\Session\SessionUtil::portalSessionStart();
 
 if (
+    (!empty($_SESSION['verifyPortalEmail']) && ($_SESSION['verifyPortalEmail'] === true)) ||
     (($_SESSION['register'] ?? null) === true && isset($_SESSION['pid'])) ||
     (($_SESSION['credentials_update'] ?? null) === 1 && isset($_SESSION['pid'])) ||
     (($_SESSION['itsme'] ?? null) === 1 && isset($_SESSION['password_update']))
@@ -29,11 +30,41 @@
 require_once(__DIR__ . "/../lib/portal_mail.inc");
 require_once("$srcdir/pnotes.inc");
 require_once("./account.lib.php");
+
+use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Logging\SystemLogger;
+use OpenEMR\Core\Header;
+
 $action = $_REQUEST['action'] ?? '';
-if ($action == 'set_lang') {
-    $_SESSION['language_choice'] = (int)$_REQUEST['value'];
-    echo 'okay';
-    exit();
+
+if ($action == 'verify_email') {
+    if (!empty($_SESSION['verifyPortalEmail']) && ($_SESSION['verifyPortalEmail'] === true)) {
+        if (!empty($GLOBALS['portal_onsite_two_register']) && !empty($GLOBALS['google_recaptcha_site_key']) && !empty($GLOBALS['google_recaptcha_secret_key'])) {
+            // check csrf
+            if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"], 'verifyEmailCsrf')) {
+                CsrfUtils::csrfNotVerified(true, true, false);
+                cleanupRegistrationSession();
+                exit;
+            }
+            // check recaptcha
+            $recaptcha = processRecaptcha($_POST['g-recaptcha-response'] ?? '');
+            if (!$recaptcha) {
+                echo xlt("Something went wrong. Recommend contacting the clinic.");
+                cleanupRegistrationSession();
+                exit;
+            }
+            // process
+            $rtn = verifyEmail($_POST['languageChoice'] ?? '', $_POST['fname'] ?? '', $_POST['mname'] ?? '', $_POST['lname'] ?? '', $_POST['dob'] ?? '', $_POST['email'] ?? '');
+            if ($rtn) {
+                Header::setupHeader();
+                echo '<div class="alert alert-success" role="alert">' . xlt("Check your email inbox (and possibly your spam folder) for further instructions to register. If you have not received an email, then recommend contacting the clinic.") . '</div>';
+            } else {
+                echo xlt("Something went wrong. Recommend contacting the clinic.");
+            }
+        }
+    }
+    cleanupRegistrationSession();
+    exit;
 }
 
 if ($action == 'userIsUnique') {
@@ -66,58 +97,85 @@
     exit;
 }
 
-if ($action == 'get_newpid') {
-    $email = $_REQUEST['email'] ?? '';
-    $rtn = isNew($_REQUEST['dob'], $_REQUEST['last'], $_REQUEST['first'], $email);
-    if ((int)$rtn != 0) {
-        echo xlt("This account already exists.") . "\r\n\r\n" .
-            xlt("We are sorry you are having troubles with your account.") . "\r\n" .
-            xlt("Please contact your provider.") . "\r\n" .
-            xlt("Reference this Account Number") . " " . $rtn;
+if ($action == 'reset_password') {
+    if (($_SESSION['register'] ?? null) === true && isset($_SESSION['pid'])) {
+        $rtn = 0;
+        if (!empty($GLOBALS['portal_two_pass_reset']) && !empty($GLOBALS['google_recaptcha_site_key']) && !empty($GLOBALS['google_recaptcha_secret_key'])) {
+            // check csrf
+            if (!CsrfUtils::verifyCsrfToken($_GET["csrf_token_form"], 'passwordResetCsrf')) {
+                CsrfUtils::csrfNotVerified(true, true, false);
+                cleanupRegistrationSession();
+                exit;
+            }
+            // check recaptcha
+            $recaptcha = processRecaptcha($_GET['g-recaptcha-response'] ?? '');
+            if ($recaptcha) {
+                // Allow Patients to Reset Credentials setting is turned on
+                $rtn = resetPassword($_GET['dob'] ?? '', $_GET['last'] ?? '', $_GET['first'] ?? '', $_GET['email'] ?? '');
+            }
+        }
+        echo js_escape($rtn);
+        exit();
+    } else {
+        cleanupRegistrationSession();
         exit();
     }
-    $rtn = getNewPid();
-    echo js_escape($rtn);
-    exit();
-}
-
-if ($action == 'is_new') {
-    $email = isset($_REQUEST['email']) ? $_REQUEST['email'] : '';
-    $rtn = isNew($_REQUEST['dob'], $_REQUEST['last'], $_REQUEST['first'], $email);
-    echo js_escape($rtn);
-    exit();
 }
 
 if ($action == 'do_signup') {
-    $rtn = doCredentials($_REQUEST['pid']);
-    echo js_escape($rtn);
+    if (($_SESSION['register_silo_ajax'] ?? null) === true && ($_SESSION['register'] ?? null) === true && isset($_SESSION['pid'])) {
+        if (!empty($GLOBALS['portal_onsite_two_register']) && !empty($GLOBALS['google_recaptcha_site_key']) && !empty($GLOBALS['google_recaptcha_secret_key'])) {
+            $pidHolder = getPidHolder();
+            if ($pidHolder == 0) {
+                (new SystemLogger())->error("account.php action do_signup failed because unable to collect pid from pid_holder");
+                cleanupRegistrationSession();
+                exit();
+            }
+            $rtn = doCredentials($pidHolder);
+            if ($rtn) {
+                (new SystemLogger())->debug("account.php action do_signup apparently successful");
+                if (!empty($_GET['provider'])) {
+                    notifyAdmin($pidHolder, $_GET['provider']);
+                    (new SystemLogger())->debug("account.php action do_signup apparently successful, so sent a pnote to the provider");
+                }
+                Header::setupHeader();
+                echo '<div class="alert alert-success" role="alert">' . xlt("Your new credentials have been sent. Check your email inbox and also possibly your spam folder. Once you log into your patient portal feel free to make an appointment or send us a secure message. We look forward to seeing you soon.") . '</div>';
+            } else {
+                (new SystemLogger())->debug("account.php action do_signup apparently not successful");
+                Header::setupHeader();
+                echo '<div class="alert alert-danger" role="alert">' . xlt("There was a problem registering you. Recommend contacting clinic for assistance.") . '</div>';
+            }
+        } else {
+            (new SystemLogger())->error("account.php action do_signup attempted without registration module on, so failed");
+        }
+    }
+    cleanupRegistrationSession();
     exit();
 }
 
 if ($action == 'new_insurance') {
-    $pid = $_REQUEST['pid'];
-    saveInsurance($pid);
-    exit();
-}
-
-if ($action == 'notify_admin') {
-    $pid = $_REQUEST['pid'];
-    $provider = $_REQUEST['provider'];
-    $rtn = notifyAdmin($pid, $provider);
-    echo js_escape($rtn);
-    exit();
+    if (($_SESSION['register_silo_ajax'] ?? null) === true && ($_SESSION['register'] ?? null) === true && isset($_SESSION['pid'])) {
+        if (!empty($GLOBALS['portal_onsite_two_register']) && !empty($GLOBALS['google_recaptcha_site_key']) && !empty($GLOBALS['google_recaptcha_secret_key'])) {
+            $pidHolder = getPidHolder(true);
+            if ($pidHolder == 0) {
+                (new SystemLogger())->error("account.php action new_insurance was not successful because unable to collect pid from pid_holder. will still complete registration process, which will not include insurance.");
+                exit();
+            }
+            saveInsurance($pidHolder);
+            (new SystemLogger())->debug("account.php action new_insurance was apparently successful");
+            exit();
+        } else {
+            (new SystemLogger())->error("account.php action new_insurance attempted without registration module on, so failed");
+            cleanupRegistrationSession();
+            exit();
+        }
+    } else {
+        cleanupRegistrationSession();
+        exit();
+    }
 }
 
 if ($action == 'cleanup') {
-    unset($_SESSION['patient_portal_onsite_two']);
-    unset($_SESSION['authUser']);
-    unset($_SESSION['pid']);
-    unset($_SESSION['site_id']);
-    unset($_SESSION['register']);
-    echo 'gone';
-    OpenEMR\Common\Session\SessionUtil::portalSessionCookieDestroy();
-// I know, makes little sense.
-} else {
+    cleanupRegistrationSession();
     exit();
 }
-die(); //too be sure