
Allow pros to only open patients they have access to

Vijayakrishnan 4 سال پیش
والد
کامیت
ef28753262

+ 10 - 0
app/Http/Controllers/HomeController.php

@@ -662,4 +662,14 @@ class HomeController extends Controller
             return redirect(route('dashboard'));
         }
     }
+
+    public function getTicket(Request $request, Ticket $ticket) {
+        $ticket->data = json_decode($ticket->data);
+//        $ticket->created_at = friendly_date_time($ticket->created_at);
+        $ticket->assignedPro;
+        $ticket->managerPro;
+        $ticket->orderingPro;
+        $ticket->initiatingPro;
+        return json_encode($ticket);
+    }
 }
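Review bot: `getTicket` serialises the whole ticket plus its four pro relations for any caller that passes `pro.auth`, with no check that the caller may access the patient the ticket belongs to; because routes/web.php now maps `/get-ticket/{ticket}` to this method outside the new `pro.auth.can-access-patient` group, the ticket-refresh endpoint sidesteps the rule this commit introduces. If `Ticket` exposes its client (the column is not visible here), a guard such as `abort_unless($currentPro->canAccess($ticket->client->uid), 403);` before building the response closes the gap, with `$currentPro` resolved the way the middleware resolves `$appSession->pro`. The four bare reads `$ticket->assignedPro;` … `$ticket->initiatingPro;` exist only to trigger lazy loading; `$ticket->load(['assignedPro', 'managerPro', 'orderingPro', 'initiatingPro']);` states that intent, and the commented-out `friendly_date_time` line should be dropped rather than carried over from PatientController. The enclosing `HomeController` class begins before this hunk.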

+ 0 - 10
app/Http/Controllers/PatientController.php

@@ -378,16 +378,6 @@ class PatientController extends Controller
             compact('patient', 'pros', 'appointments', 'appointmentPros', 'forPro', 'status'));
     }
 
-    public function getTicket(Request $request, Ticket $ticket) {
-        $ticket->data = json_decode($ticket->data);
-//        $ticket->created_at = friendly_date_time($ticket->created_at);
-        $ticket->assignedPro;
-        $ticket->managerPro;
-        $ticket->orderingPro;
-        $ticket->initiatingPro;
-        return json_encode($ticket);
-    }
-
     public function mcpRequests(Request $request, Client $patient) {
         return view('app.patient.mcp-requests', compact('patient'));
     }

+ 1 - 0
app/Http/Kernel.php

@@ -66,5 +66,6 @@ class Kernel extends HttpKernel
         'pro.auth' => \App\Http\Middleware\ProAuthenticated::class,
         'pro.auth.redirect' => \App\Http\Middleware\RedirectAuthenticatedPro::class,
         'pro.auth.admin' => \App\Http\Middleware\EnsureAdminPro::class,
+        'pro.auth.can-access-patient' => \App\Http\Middleware\EnsureProCanAccessPatient::class,
     ];
 }

+ 37 - 0
app/Http/Middleware/EnsureProCanAccessPatient.php

@@ -0,0 +1,37 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use App\Models\AppSession;
+use Closure;
+
+class EnsureProCanAccessPatient
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        $sessionKey = $request->cookie('sessionKey');
+        $appSession = AppSession::where('session_key', $sessionKey)->where('is_active', true)->first();
+        $authenticated = $sessionKey && $appSession && $appSession->pro;
+       
+        if (!$authenticated) {
+            abort(403);
+        }
+
+        $patient = \request()->route('patient');
+
+        if(!!$patient) {
+            if(!$appSession->pro->canAccess($patient->uid)) {
+                abort(403);
+            }
+        }
+
+        return $next($request);
+    }
+}
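Review bot: line 91 reads the route parameter through the global `\request()` helper instead of the `$request` the middleware is handed, and `$patient->uid` on line 94 assumes the parameter has already been substituted with a `Client` model; if this middleware runs before binding substitution the parameter is still the raw URL segment, `->uid` yields null, and every request is denied (fail-closed, but silently). Use `$patient = $request->route('patient');` and make the assumption explicit, e.g. `if ($patient !== null && !$patient instanceof \App\Models\Client) { abort(403); }` — whether substitution precedes this middleware depends on middleware ordering not visible in this diff. The `!!$patient` test on line 93 reads more clearly as `if ($patient !== null)`, and a docblock line stating that the middleware only enforces access when a `{patient}` route parameter is present would tell the next reader why routes without one pass through unchecked.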

+ 21 - 0
app/Models/Pro.php

@@ -298,6 +298,27 @@ class Pro extends Model
         return $query;
     }
 
+    public function canAccess($_patientUid) {
+        $proID = $this->id;
+        if ($this->pro_type === 'ADMIN') {
+            return true;
+        }
+        $canAccess = Client::select('uid')
+            ->where('uid', $_patientUid)
+            ->where(function ($q) use ($proID) {
+                $q->where('mcp_pro_id', $proID)
+                    ->orWhere('cm_pro_id', $proID)
+                    ->orWhere('rmm_pro_id', $proID)
+                    ->orWhere('rme_pro_id', $proID)
+                    ->orWhere('physician_pro_id', $proID)
+                    ->orWhereRaw('id IN (SELECT client_id FROM client_pro_access WHERE is_active AND pro_id = ?)', [$proID])
+                    ->orWhereRaw('id IN (SELECT client_id FROM appointment WHERE status NOT IN (\'CANCELLED\', \'ABANDONED\') AND pro_id = ?)', [$proID])
+                    ->orWhereRaw('id IN (SELECT mcp_pro_id FROM client_program WHERE client_id = client.id AND is_active = TRUE)')
+                    ->orWhereRaw('id IN (SELECT manager_pro_id FROM client_program WHERE client_id = client.id AND is_active = TRUE)');
+            })->count();
+        return !!$canAccess;
+    }
+
     public function canAddCPMEntryForMeasurement(Measurement $measurement, Pro $pro)
     {
         // check if client has any programs where this measurement type is allowed
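Review bot: the two `client_program` clauses on lines 125-126 compare the client's own `id` against `mcp_pro_id` / `manager_pro_id` — pro identifiers — and never bind `$proID`, so they grant access whenever a client's numeric id happens to coincide with a pro id on one of that client's active programs, and never to the pro actually assigned to the program. A correlated existence check binds the caller instead: `->orWhereRaw('EXISTS (SELECT 1 FROM client_program WHERE client_id = client.id AND is_active = TRUE AND (mcp_pro_id = ? OR manager_pro_id = ?))', [$proID, $proID])`. The `->count()` followed by `!!$canAccess` on lines 127-128 can be `->exists()` with a direct `return`, and the signature would benefit from types, `public function canAccess(string $_patientUid): bool`. `canAddCPMEntryForMeasurement` continues past the end of the hunk.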

+ 4 - 1
public/js/mc.js

@@ -224,7 +224,10 @@ function fastLoad(_href, _history = true, _useCache = true, _replaceState = fals
     } else {
         $.get(_href, function (_data) {
             onFastLoaded(_data, _href, _history);
-        }).fail(function () {
+        }).fail(function (_jqXhr) {
+            if(_jqXhr.status === 403) {
+                alert('You do not have access to this patient.');
+            }
             onFastLoaded('error', _href, _history);
         });
     }

+ 70 - 66
routes/web.php

@@ -134,73 +134,77 @@ Route::middleware('pro.auth')->group(function () {
     });
 
     Route::name('patients.view.')->prefix('patients/view/{patient}')->group(function () {
-        Route::get('intake', 'PatientController@intake')->name('intake');
-        Route::get('', 'PatientController@dashboard')->name('dashboard');
-        Route::get('care-plan', 'PatientController@carePlan')->name('care-plan');
-        Route::get('medications', 'PatientController@medications')->name('medications');
-        Route::get('dx-and-focus-areas', 'PatientController@dxAndFocusAreas')->name('dx-and-focus-areas');
-        Route::get('care-team', 'PatientController@careTeam')->name('care-team');
-        Route::get('devices', 'PatientController@devices')->name('devices');
-        Route::get('measurements', 'PatientController@measurements')->name('measurements');
-        Route::get('labs-and-studies', 'PatientController@labsAndStudies')->name('labs-and-studies');
-        Route::get('history', 'PatientController@history')->name('history');
-        Route::get('memos', 'PatientController@memos')->name('memos');
-        Route::get('sms', 'PatientController@sms')->name('sms');
-        Route::get('sms-numbers', 'PatientController@smsNumbers')->name('sms-numbers');
-        Route::get('immunizations', 'PatientController@immunizations')->name('immunizations');
-        Route::get('allergies', 'PatientController@allergies')->name('allergies');
-        Route::get('action-items', 'PatientController@actionItems')->name('action-items');
-        Route::get('action-items-erx/view/{ticket}', 'PatientController@actionItemsErxSingle')->name('action-items-erx-single');
-        Route::get('action-items-lab/view/{ticket}', 'PatientController@actionItemsLabSingle')->name('action-items-lab-single');
-        Route::get('action-items-imaging/view/{ticket}', 'PatientController@actionItemsImagingSingle')->name('action-items-imaging-single');
-        Route::get('action-items-equipment/view/{ticket}', 'PatientController@actionItemsEquipmentSingle')->name('action-items-equipment-single');
-        Route::get('action-items-other/view/{ticket}', 'PatientController@actionItemsOtherSingle')->name('action-items-other-single');
-        Route::get('action-items-erx/{filter?}', 'PatientController@actionItemsErx')->name('action-items-erx');
-        Route::get('action-items-lab/{filter?}', 'PatientController@actionItemsLab')->name('action-items-lab');
-        Route::get('action-items-imaging/{filter?}', 'PatientController@actionItemsImaging')->name('action-items-imaging');
-        Route::get('action-items-equipment/{filter?}', 'PatientController@actionItemsEquipment')->name('action-items-equipment');
-        Route::get('action-items-other/{filter?}', 'PatientController@actionItemsOther')->name('action-items-other');
-        Route::get('notes/{filter?}', 'PatientController@notes')->name('notes');
-        Route::name('notes.view.')->prefix('notes/view/{note}')->group(function () {
-            Route::get('', 'NoteController@dashboard')->name('dashboard');
-        });
-        Route::get('sections', 'PatientController@sections')->name('sections');
-        Route::get('handouts', 'PatientController@handouts')->name('handouts');
-        Route::get('settings', 'PatientController@settings')->name('settings');
-        Route::get('pros', 'PatientController@pros')->name('pros');
-        Route::get('account', 'PatientController@account')->name('account');
-        Route::get('care-checklist', 'PatientController@careChecklist')->name('care-checklist');
-        Route::get('documents', 'PatientController@documents')->name('documents');
-        Route::get('incoming-reports/{currentReport?}', 'PatientController@incomingReports')->name('incoming-reports');
-        Route::get('education', 'PatientController@education')->name('education');
-        Route::get('messaging', 'PatientController@messaging')->name('messaging');
-        Route::get('duplicate', 'PatientController@duplicate')->name('duplicate');
-        Route::get('care-months', 'PatientController@careMonths')->name('care-months');
-        Route::name('care-months.view.')->prefix('care-months/view/{careMonth}')->group(function () {
-            Route::get('', 'CareMonthController@dashboard')->name('dashboard');
-        });
-
-        // appointment calendar
-        Route::get('calendar/{currentAppointment?}', 'PatientController@calendar')->name('calendar');
-
-        // programs
-        Route::get('programs/{filter?}', 'PatientController@programs')->name('programs');
-
-        // flowsheets
-        Route::get('flowsheets/{filter?}', 'PatientController@flowsheets')->name('flowsheets');
 
-        // vitals-graph
-        Route::get('vitals-graph/{filter?}', 'PatientController@vitalsGraph')->name('vitals-graph');
-
-        // tickets
-        Route::get('tickets/{type?}/{currentTicket?}', 'PatientController@tickets')->name('patient-tickets');
-
-        // appointments
-        Route::get('appointments/{forPro}/{status}', 'PatientController@appointments')->name('appointments');
-
-        Route::get('supply-orders/{supplyOrder?}', 'PatientController@supplyOrders')->name('supply-orders');
-        Route::get('shipments/{shipment?}', 'PatientController@shipments')->name('shipments');
+        Route::middleware('pro.auth.can-access-patient')->group(function() {
+
+            Route::get('intake', 'PatientController@intake')->name('intake');
+            Route::get('', 'PatientController@dashboard')->name('dashboard');
+            Route::get('care-plan', 'PatientController@carePlan')->name('care-plan');
+            Route::get('medications', 'PatientController@medications')->name('medications');
+            Route::get('dx-and-focus-areas', 'PatientController@dxAndFocusAreas')->name('dx-and-focus-areas');
+            Route::get('care-team', 'PatientController@careTeam')->name('care-team');
+            Route::get('devices', 'PatientController@devices')->name('devices');
+            Route::get('measurements', 'PatientController@measurements')->name('measurements');
+            Route::get('labs-and-studies', 'PatientController@labsAndStudies')->name('labs-and-studies');
+            Route::get('history', 'PatientController@history')->name('history');
+            Route::get('memos', 'PatientController@memos')->name('memos');
+            Route::get('sms', 'PatientController@sms')->name('sms');
+            Route::get('sms-numbers', 'PatientController@smsNumbers')->name('sms-numbers');
+            Route::get('immunizations', 'PatientController@immunizations')->name('immunizations');
+            Route::get('allergies', 'PatientController@allergies')->name('allergies');
+            Route::get('action-items', 'PatientController@actionItems')->name('action-items');
+            Route::get('action-items-erx/view/{ticket}', 'PatientController@actionItemsErxSingle')->name('action-items-erx-single');
+            Route::get('action-items-lab/view/{ticket}', 'PatientController@actionItemsLabSingle')->name('action-items-lab-single');
+            Route::get('action-items-imaging/view/{ticket}', 'PatientController@actionItemsImagingSingle')->name('action-items-imaging-single');
+            Route::get('action-items-equipment/view/{ticket}', 'PatientController@actionItemsEquipmentSingle')->name('action-items-equipment-single');
+            Route::get('action-items-other/view/{ticket}', 'PatientController@actionItemsOtherSingle')->name('action-items-other-single');
+            Route::get('action-items-erx/{filter?}', 'PatientController@actionItemsErx')->name('action-items-erx');
+            Route::get('action-items-lab/{filter?}', 'PatientController@actionItemsLab')->name('action-items-lab');
+            Route::get('action-items-imaging/{filter?}', 'PatientController@actionItemsImaging')->name('action-items-imaging');
+            Route::get('action-items-equipment/{filter?}', 'PatientController@actionItemsEquipment')->name('action-items-equipment');
+            Route::get('action-items-other/{filter?}', 'PatientController@actionItemsOther')->name('action-items-other');
+            Route::get('notes/{filter?}', 'PatientController@notes')->name('notes');
+            Route::name('notes.view.')->prefix('notes/view/{note}')->group(function () {
+                Route::get('', 'NoteController@dashboard')->name('dashboard');
+            });
+            Route::get('sections', 'PatientController@sections')->name('sections');
+            Route::get('handouts', 'PatientController@handouts')->name('handouts');
+            Route::get('settings', 'PatientController@settings')->name('settings');
+            Route::get('pros', 'PatientController@pros')->name('pros');
+            Route::get('account', 'PatientController@account')->name('account');
+            Route::get('care-checklist', 'PatientController@careChecklist')->name('care-checklist');
+            Route::get('documents', 'PatientController@documents')->name('documents');
+            Route::get('incoming-reports/{currentReport?}', 'PatientController@incomingReports')->name('incoming-reports');
+            Route::get('education', 'PatientController@education')->name('education');
+            Route::get('messaging', 'PatientController@messaging')->name('messaging');
+            Route::get('duplicate', 'PatientController@duplicate')->name('duplicate');
+            Route::get('care-months', 'PatientController@careMonths')->name('care-months');
+            Route::name('care-months.view.')->prefix('care-months/view/{careMonth}')->group(function () {
+                Route::get('', 'CareMonthController@dashboard')->name('dashboard');
+            });
+
+            // appointment calendar
+            Route::get('calendar/{currentAppointment?}', 'PatientController@calendar')->name('calendar');
+
+            // programs
+            Route::get('programs/{filter?}', 'PatientController@programs')->name('programs');
+
+            // flowsheets
+            Route::get('flowsheets/{filter?}', 'PatientController@flowsheets')->name('flowsheets');
+
+            // vitals-graph
+            Route::get('vitals-graph/{filter?}', 'PatientController@vitalsGraph')->name('vitals-graph');
+
+            // tickets
+            Route::get('tickets/{type?}/{currentTicket?}', 'PatientController@tickets')->name('patient-tickets');
+
+            // appointments
+            Route::get('appointments/{forPro}/{status}', 'PatientController@appointments')->name('appointments');
+
+            Route::get('supply-orders/{supplyOrder?}', 'PatientController@supplyOrders')->name('supply-orders');
+            Route::get('shipments/{shipment?}', 'PatientController@shipments')->name('shipments');
 
+        });
 
     });
 
@@ -238,7 +242,7 @@ Route::middleware('pro.auth')->group(function () {
     Route::get('/patients/{patient}/presence', 'PatientController@presence');
 
     // refresh single ticket
-    Route::get('/get-ticket/{ticket}', 'PatientController@getTicket');
+    Route::get('/get-ticket/{ticket}', 'HomeController@getTicket');
 
 
     Route::get('/appointment-confirmation-history/{appointment}', 'AppointmentController@appointmentConfirmationHistory')->name('appointment-confirmation-history');
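Review bot: the new access middleware is attached only to the `patients/view/{patient}` group, while other routes that bind `{patient}` inside the same `pro.auth` group — `/patients/{patient}/presence` on the context line above is one — stay outside it, as does the relocated `/get-ticket/{ticket}`. Unless presence is intended to be visible to every pro, `Route::get('/patients/{patient}/presence', 'PatientController@presence')->middleware('pro.auth.can-access-patient');` keeps the rule uniform, and a one-line comment on the guarded group explaining why only the patient-view pages are covered would help the next reader. The enclosing `Route::middleware('pro.auth')->group(...)` closure extends beyond both hunks of this file.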