Is there a simple hook built in to the framework that we can check before loading a custom PHP page?
I am already using the bootstrap to get to some functions.
Honestly I have little to no experience with PHP.
https://wiki.freepbx.org/pages/viewpage.action?pageId=108134646 is this helpful?
No, but that led me to this, which handles it.
https://wiki.freepbx.org/display/FOP/A+note+about+security
I knew there was a solution, I had seen it before, but searching failed me.
Now to make it work.
@lgaetz well it does not work in a basic test.
So what am I missing? The wiki said simply add that.
My file resides in /var/www/html/custom to stay away from anything updated when FreePBX updates.
I am logged in.
Poking around, if I include ../admin/config.php this happens.
Looking in there, if I rip out the beginning of admin/config.php, then it works as expected.
<?php /* $Id$ */
// License for all code of this FreePBX module can be found in the license file inside the module directory
// Copyright 2013 Schmooze Com Inc.
//
//set variables
$vars = array(
    'action' => null,
    'confirm_email' => '',
    'confirm_password' => '',
    'display' => '',
    'extdisplay' => null,
    'email_address' => '',
    'fw_popover' => '',
    'fw_popover_process' => '',
    'logout' => false,
    'password' => '',
    'quietmode' => '',
    'restrictmods' => false,
    'skip' => 0,
    'skip_astman' => false,
    'type' => '',
    'username' => '',
    'unlock' => false,
);
foreach ($vars as $k => $v) {
    //we use config_vars instead of, say, vars, so as not to pollute
    // page.<some_module>.php (which usually uses $var or $vars)
    $config_vars[$k] = $$k = isset($_REQUEST[$k]) ? $_REQUEST[$k] : $v;
    //special handling
    switch ($k) {
        case 'extdisplay':
            $extdisplay = (isset($extdisplay) && $extdisplay !== false)
                ? htmlspecialchars($extdisplay, ENT_QUOTES)
                : false;
            $_REQUEST['extdisplay'] = $extdisplay;
            break;
        case 'restrictmods':
            $restrict_mods = $restrictmods
                ? array_flip(explode('/', $restrictmods))
                : false;
            break;
        case 'skip_astman':
            $bootstrap_settings['skip_astman'] = $skip_astman;
            break;
    }
}
header('Last-Modified: '.gmdate('D, d M Y H:i:s').' GMT');
header('Expires: Sat, 01 Jan 2000 00:00:00 GMT');
header('Cache-Control: post-check=0, pre-check=0',false);
header('Pragma: no-cache');
header('Content-Type: text/html; charset=utf-8');
header('X-Frame-Options: SAMEORIGIN');
//header("Content-Security-Policy: default-src 'none';");
// This needs to be included BEFORE the session_start or we fail so
// we can't do it in bootstrap and thus we have to depend on the
// __FILE__ path here.
require_once(dirname(__FILE__) . '/libraries/ampuser.class.php');
session_set_cookie_params(60 * 60 * 24 * 30);//(re)set session cookie to 30 days
ini_set('session.gc_maxlifetime', 60 * 60 * 24 * 30);//(re)set session to 30 days
if (!isset($_SESSION)) {
    //start a session if we need one
    $ss = @session_start();
    if(!$ss){
        session_regenerate_id(true); // replace the Session ID
        session_start();
    }
}
//unset the ampuser if the user logged out
if ($logout == 'true') {
    unset($_SESSION['AMP_user']);
    exit();
}
I had to change the reference to ampuser.class.php to the specific location, but that was it.
If you have $_SESSION['AMP_user']; someone is logged in.
logged in:
Not logged in
Not working with only a call to load the bootstrap.
Logged in, but test.php has nothing in $_SESSION.
Logged out has the same result.
Don’t do the FREEPBX_IS_AUTH. That is a really old example and has been removed from almost everywhere it was originally put. If it is on the wiki like that, it should be changed.
Ignore that in my last post, I added the print_r above it anyway to illustrate the issue with $_SESSION that you suggested.
Logged in or out, if you are only loading freepbx.conf the array $_SESSION['AMP_user'] is not properly loaded.
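The check discussed in this thread, written as a fail-closed guard for a page under /var/www/html/custom (an added example, not part of the thread and not FreePBX's own code). It loads ampuser.class.php before starting the session, in the same order as admin/config.php, and treats a missing or half-restored `$_SESSION['AMP_user']` as not logged in. Assumptions: the class file lives at /var/www/html/admin/libraries/ampuser.class.php (derived from the paths in the thread), `AMP_user` is stored as an object, the guard runs before the bootstrap and before any output, and the function and constant names are hypothetical.

```php
<?php
// Added example: login guard for a custom page outside admin/.
// Assumed location, derived from the paths mentioned in the thread.
const AMPUSER_CLASS = '/var/www/html/admin/libraries/ampuser.class.php';

/**
 * Returns true only when the session holds a fully restored AMP_user object.
 */
function amp_user_present(array $session)
{
    if (!isset($session['AMP_user']) || !is_object($session['AMP_user'])) {
        return false;
    }
    // When the class is not defined at session_start(), PHP restores the
    // stored object as __PHP_Incomplete_Class; count that as not logged in.
    return !($session['AMP_user'] instanceof __PHP_Incomplete_Class);
}

/**
 * Stops the request unless a FreePBX admin session is present.
 */
function require_amp_login()
{
    // The class definition has to exist before the session data is
    // unserialized, which is why config.php includes it first.
    if (!is_readable(AMPUSER_CLASS)) {
        http_response_code(500);
        exit('Authentication library not found.');
    }
    require_once AMPUSER_CLASS;

    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    if (!amp_user_present($_SESSION)) {
        http_response_code(403);
        header('Cache-Control: no-store');
        exit('Forbidden: log in to the FreePBX admin interface first.');
    }
}

require_amp_login(); // deny by default, before any page logic or output
// ... custom page content goes below this line ...
```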