Only show custom php page if logged in to FreePBX Admin

Is there a simple hook built in to the framework that we can check before loading a custom php page?
I am already using the bootstrap to get to some functions.

Honestly I have little to no experience with PHP.

https://wiki.freepbx.org/pages/viewpage.action?pageId=108134646 is this helpful?

No, but that led me to this, which handles it.
https://wiki.freepbx.org/display/FOP/A+note+about+security

I knew there was a solution, I had seen it before, but searching failed me.

Now to make it work.

@lgaetz well it does not work in a basic test.

So what am I missing? The wiki said simply add that.

My file resides in /var/www/html/custom to stay away from anything updated when FreePBX updates.

I am logged in.

Poking around, if I include ../admin/config.php this happens.

Looking in there, if I rip out the beginning of admin/config.php, then it works as expected.

<?php /* $Id$ */
//	License for all code of this FreePBX module can be found in the license file inside the module directory
//	Copyright 2013 Schmooze Com Inc.
//

//set variables
$vars = array(
	'action'			=> null,
	'confirm_email'		=> '',
	'confirm_password'	=> '',
	'display'			=> '',
	'extdisplay'		=> null,
	'email_address'		=> '',
	'fw_popover' 		=> '',
	'fw_popover_process' => '',
	'logout'			=> false,
	'password'			=> '',
	'quietmode'			=> '',
	'restrictmods'		=> false,
	'skip'				=> 0,
	'skip_astman'		=> false,
	'type'				=> '',
	'username'			=> '',
	'unlock'			=> false,
);

foreach ($vars as $k => $v) {
	// we use config_vars instead of, say, vars, so as not to pollute
	// page.<some_module>.php (which usually uses $var or $vars)
	$config_vars[$k] = $$k = isset($_REQUEST[$k]) ? $_REQUEST[$k] : $v;

	//special handling
	switch ($k) {
	case 'extdisplay':
		$extdisplay = (isset($extdisplay) && $extdisplay !== false)
			? htmlspecialchars($extdisplay, ENT_QUOTES)
			: false;
		$_REQUEST['extdisplay'] = $extdisplay;
		break;

	case 'restrictmods':
		$restrict_mods = $restrictmods
			? array_flip(explode('/', $restrictmods))
			: false;
		break;

	case 'skip_astman':
		$bootstrap_settings['skip_astman']	= $skip_astman;
		break;
	}
}

header('Last-Modified: '.gmdate('D, d M Y H:i:s').' GMT');
header('Expires: Sat, 01 Jan 2000 00:00:00 GMT');
header('Cache-Control: post-check=0, pre-check=0',false);
header('Pragma: no-cache');
header('Content-Type: text/html; charset=utf-8');
header('X-Frame-Options: SAMEORIGIN');
//header("Content-Security-Policy: default-src 'none';");

// This needs to be included BEFORE the session_start or we fail so
// we can't do it in bootstrap and thus we have to depend on the
// __FILE__ path here.
require_once(dirname(__FILE__) . '/libraries/ampuser.class.php');

session_set_cookie_params(60 * 60 * 24 * 30);//(re)set session cookie to 30 days
ini_set('session.gc_maxlifetime', 60 * 60 * 24 * 30);//(re)set session to 30 days
if (!isset($_SESSION)) {
	//start a session if we need one
	$ss = @session_start();
	if(!$ss){
		session_regenerate_id(true); // replace the Session ID
		session_start();
	}
}

//unset the ampuser if the user logged out
if ($logout == 'true') {
	unset($_SESSION['AMP_user']);
	exit();
}

I had to change the reference to ampuser.class.php to the specific location, but that was it.

If you have
$_SESSION['AMP_user'];

someone is logged in.

logged in:

Not logged in

Not working with only a call to load the bootstrap.
Logged in, but test.php has nothing in $_SESSION.

Logged out has the same result.

Don't do the FREEPBX_IS_AUTH. That is a really old example and has been removed from almost everywhere it was originally put. If it is on the wiki like that, it should be changed.

Ignore that in my last post, I added the print_r above it anyway to illustrate the issue with $_SESSION that you suggested.

Logged in or out, if you are only loading freepbx.conf the array $_SESSION['AMP_user'] is not properly loaded.
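
Added example, not part of the thread and not FreePBX's own code: a fail-closed gate for a page under /var/www/html/custom, following what the posts above report (load ampuser.class.php before starting the session, then test $_SESSION['AMP_user']). The absolute path, the class name `ampuser` and the helper name `custom_page_is_admin` are assumptions.

```php
<?php
// Added example: gate for a custom page such as /var/www/html/custom/test.php.
// Assumptions: the FreePBX web root is /var/www/html (the layout described in
// the thread) and ampuser.class.php defines a class named "ampuser".

// Load the class BEFORE session_start(), as the comment in admin/config.php
// requires; otherwise the stored object cannot be restored from the session.
require_once '/var/www/html/admin/libraries/ampuser.class.php';

/**
 * Hypothetical helper: true only when the session holds a restored ampuser
 * object. A missing key, a string or an incomplete object is rejected.
 */
function custom_page_is_admin(array $session)
{
    return isset($session['AMP_user'])
        && $session['AMP_user'] instanceof ampuser;
}

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start(); // picks up the session created by the admin login
}

if (!custom_page_is_admin($_SESSION)) {
    // Fail closed: nothing from the page is sent to an unauthenticated client.
    http_response_code(403);
    header('Cache-Control: no-store');
    header('Content-Type: text/plain; charset=utf-8');
    exit('Forbidden: log in to FreePBX Admin first.');
}

// Release the session lock; the rest of the page only needed the check.
session_write_close();

// Protected page content starts here.
echo 'Authenticated custom page';
```

The check only establishes that some admin user is logged in; it does not test which sections that user is allowed to access. Keep it at the very top of the file so no output or included code runs before it.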
