Create a secured phpinfo page with Symfony and the EasyAdminBundle

This is the very first post of the Tokeeen technical blog. It's also an easy one to understand and you will be able to apply it to your project in a matter of minutes.

Posted on 2019-01-13 by (Updated on 2019-01-26)

Symfony  Symfony3  bundle  admin  EasyAdminBundle  security 

Published in "A week of Symfony n°576" on Symfony.com

Goal

The goal of this post is to show how to add a menu entry to your EasyAdmin backend that opens a secured phpinfo() page, accessible only to administrators, on your production server. A phpinfo() page is always useful because it gives a lot of information about how your web server is configured, and sometimes you don't have SSH access to the production server, for example when a dedicated ops team handles the servers. But since it exposes so much information, it should only be accessible to an administrator or a developer of the project.

Uploading a PHP file containing the source code <?php phpinfo(); to the root of your /web directory, even under a random filename, is therefore a very bad practice! Such a file should never be reachable: a web server should expose as little information as possible, and the phpinfo() output (PHP version, loaded extensions, configuration paths, the contents of $_SERVER and $_ENV) is exactly what an attacker needs to tailor an attack. A random filename is obscurity, not authentication.

Here is how to proceed to have one menu entry in your admin like this:

Integrate a secured phpinfo page in your admin

Configuration

This post was written using the following components:

Pre-requisites:

We will assume that you are already familiar with Symfony and the EasyAdminBundle, its installation and basic configuration.

Let's go!

The easy admin setup:

First, let's modify the EasyAdmin configuration file and add a menu entry like the following (the menu key is a list of items, each of which may have children):

easy_admin:
    design:
        menu:
            - label: 'System'
              icon: 'server'
              children:
                  - { label: 'PHP Info', route: 'easyadmin_phpinfo', icon: 'info' }

easyadmin_phpinfo is the route name of the action we will create in our custom admin controller. The rest is self-explanatory. Check out the bundle documentation about this menu configuration.

The custom action

Our custom admin action will be very simple:

<?php

// src/AppBundle/Controller/Admin/AdminController.php

namespace AppBundle\Controller\Admin;

use EasyCorp\Bundle\EasyAdminBundle\Controller\AdminController as BaseAdminController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

/**
 * Extends the EasyAdmin default controller for custom actions.
 *
 * @Route("/admin")
 */
class AdminController extends BaseAdminController
{
    /**
     * @Route("/phpinfo", name="easyadmin_phpinfo")
     */
    public function phpInfoAction(): Response
    {
        // phpinfo() emits a complete HTML document, so the web debug toolbar
        // must not be injected into it.
        if ($this->container->has('profiler')) {
            $this->container->get('profiler')->disable();
        }

        // phpinfo() writes directly to the output: capture it in a buffer and
        // return the buffered HTML as the response body.
        ob_start();
        phpinfo();
        $html = ob_get_clean();

        return new Response($html);
    }
}

To access the page, go to /admin/phpinfo (if you are using the default admin route prefix). If you aren't logged in or don't have the admin role, you will be redirected to the login form of your application. Note that this protection comes from the security configuration, not from the controller: the route lives under the /admin prefix, which your security.yml access_control must already restrict to ROLE_ADMIN, so make sure that rule actually matches the path of the new action. Check out the documentation to see how to extend the default bundle admin controller.
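As an added example that is not part of the original post, here is a hardened variant of the action above. Relying on the access_control regex alone is fragile: if the admin prefix is changed (as the PS of this post mentions) and the rule is not updated, the page becomes public. The variant below also enforces the role inside the action with denyAccessUnlessGranted(), and marks the response as private and not cacheable so no browser or shared cache keeps a copy of the phpinfo() output. It assumes Symfony 3.4, EasyAdminBundle 1.x and a role named ROLE_ADMIN configured in security.yml; the role name is an assumption.

```php
<?php

// Added example, not from the original post: hardened phpinfo action.
// Assumes Symfony 3.4 and EasyAdminBundle 1.x, whose AdminController extends
// Symfony\Bundle\FrameworkBundle\Controller\Controller (which provides
// denyAccessUnlessGranted()). ROLE_ADMIN is an assumed role name.

namespace AppBundle\Controller\Admin;

use EasyCorp\Bundle\EasyAdminBundle\Controller\AdminController as BaseAdminController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

/**
 * @Route("/admin")
 */
class AdminController extends BaseAdminController
{
    /**
     * @Route("/phpinfo", name="easyadmin_phpinfo")
     */
    public function phpInfoAction(): Response
    {
        // Defence in depth: the ^/admin access_control rule should already
        // deny anonymous users, but an explicit check keeps the page protected
        // even if the route prefix or the regex is changed later. For an
        // anonymous user this triggers the redirect to the login form; for an
        // authenticated user without the role it yields a 403.
        $this->denyAccessUnlessGranted('ROLE_ADMIN');

        // phpinfo() emits a full HTML document: keep the toolbar out of it.
        if ($this->container->has('profiler')) {
            $this->container->get('profiler')->disable();
        }

        ob_start();
        phpinfo();
        $html = ob_get_clean();

        $response = new Response($html);

        // The output contains paths, loaded extensions and the environment
        // ($_SERVER / $_ENV): forbid any intermediary or browser cache from
        // storing it.
        $response->setPrivate();
        $response->headers->addCacheControlDirective('no-store');
        $response->headers->set('Pragma', 'no-cache');

        return $response;
    }
}
```

A quick check after deploying: request /admin/phpinfo in a private browser window (no session) and confirm you get a redirect to the login form, then log in as a non-admin user and confirm a 403, before testing with an administrator account.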

Did you know?

When using the development environment (with the debug bar) the profiler already includes a phpinfo page. Access /app_dev.php/_profiler/phpinfo or use the "View full PHP configuration" link in the configuration panel of the profiler. Of course, it isn't available when using the production environment.

Link to the phpinfo page in the Symfony profiler configuration panel

About this blog

This was the very first post on this technical blog. In fact, it was a very basic one, just to bootstrap the blog. If you read this between 2018-01-14 and 2018-01-21, this post is almost just a Twig template, yes really! No complicated stuff here!

At Tokeeen, we have a very pragmatic approach to coding. Code mustn't be complicated, and we only build things when we really need them.
So as we write the next posts, we will refactor and clean up what we wrote before, and add tests. We will repeat this until we have something that perfectly fits our needs, no more, no less!

What's next?

We already have a lot of ideas, in the next weeks we may talk about:

Call to action

Did you like these posts? You can help us back in several ways:


Thank you for reading! And see you soon on Tokeeen! 😉

COil





PS: For security reasons, the /admin route prefix of this site has been changed to include a random token.