Cache or PHP-info is none of your business
Heine — Sat, 24/02/2007 - 09:41
I've a few extra scripts in the webroot of several sites to provide me with server information when I need it. These scripts tend to provide too much information to just anyone. Here's how you can quickly limit access to the Drupal admin user (the first user created on the site).
Create a file restrict.php. The example assumes all files (restrict.php, info.php and apc.php) are in the Drupal root directory. You need to adapt the include paths if you save the files elsewhere. You can make the access criteria as baroque as you need; the example simply checks on user id.
// restrict.php
// Check whether the users is the Drupal admin user. Display an access denied page and exit if not.
require_once("./includes/bootstrap.inc");
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
if ($user->uid != 1) {
drupal_maintenance_theme();
drupal_set_title('Access denied');
print theme('maintenance_page', '<p>Access denied. You are not authorized to access this page.</p>');
exit();
}
// Check whether the users is the Drupal admin user. Display an access denied page and exit if not.
require_once("./includes/bootstrap.inc");
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
if ($user->uid != 1) {
drupal_maintenance_theme();
drupal_set_title('Access denied');
print theme('maintenance_page', '<p>Access denied. You are not authorized to access this page.</p>');
exit();
}
You can, by simply including restrict.php, limit access to phpinfo ...
// Restrict access to info.php
require_once('./restrict.php');
phpinfo();
require_once('./restrict.php');
phpinfo();
... or apc.php.
// ...
# Tie in to Drupal access control.
# Prevent non-uid 1 users from accessing this page.
require_once('./restrict.php');
$VERSION='$Id: apc.php,v 3.51 2005/04/02 02:07:41 rasmus Exp $';
//...
# Tie in to Drupal access control.
# Prevent non-uid 1 users from accessing this page.
require_once('./restrict.php');
$VERSION='$Id: apc.php,v 3.51 2005/04/02 02:07:41 rasmus Exp $';
//...
I think
Anonymous (not verified) — Sun, 22/04/2007 - 00:32don't you need global $user; at the beginning?
Scope
Heine — Thu, 03/05/2007 - 14:58No, as we're mucking in the global scope, $user is already available.
changelog
bertboerland (not verified) — Sat, 05/04/2008 - 17:38so we obfuscate HTTP headers on d.o (just apache and php, no version information) and we hide phpinfo. but having a CHANGELOG.txt in the docroot is no bad? I dont get it Heine, and yes this s one of the 100 things I dont agree with "the rest" but learned to deal with it :)
Post new comment