Create a secured phpinfo page with Symfony and the EasyAdminBundle
This is the very first post of the Tokeeen technical blog. It's also an easy one to understand and you will be able to apply it to your project in a matter of minutes.
Posted on 2019-01-13 by COil (Updated on 2019-01-26)
Tags: Symfony, Symfony3, bundle, admin, EasyAdminBundle, security
Published in "A week of Symfony n°576" on Symfony.com
Goal
The goal of this post is to show how to add a new menu entry to your EasyAdmin backend that opens a secured phpinfo() page, accessible only to administrators, on your production server. A phpinfo() page is always useful because it shows in detail how PHP and the web server are configured. Also, you don't always have SSH access to the production server, for example when a dedicated ops team handles the servers. But because it exposes so much information (loaded extensions and their versions, ini settings, file paths, the process environment and the request's $_SERVER contents, cookies included), it should only be accessible to an administrator or developer of the project.
Uploading a PHP file containing <?php phpinfo(); to the root of your /web directory, even under a random filename, is therefore a very bad practice: an unauthenticated request is all it takes to read it, and a random name stops being a secret as soon as it shows up in an access log, a referrer or a directory listing. Such a file should never be reachable, because a web server should expose the least possible information.
Here is how to add a menu entry like this one to your admin:
Configuration
This post was written using the following components:
Pre-requisites:
We will assume that you are already familiar with Symfony and with the EasyAdminBundle, its installation and basic configuration.
Let's go!
The EasyAdmin setup:
First, let's modify the EasyAdmin configuration file and add an entry like the following (the menu key holds a list, so the System entry is a list item):
easy_admin:
    design:
        menu:
            - label: System
              icon: 'server'
              children:
                  - { label: 'PHP Info', route: easyadmin_phpinfo, icon: 'info' }
easyadmin_phpinfo is the route name of the action we will create in our custom admin controller. The rest is self-explanatory. Check out the bundle documentation about this menu configuration.
The custom action
Our custom admin action will be very simple:
<?php
// src/AppBundle/Controller/Admin/AdminController.php
namespace AppBundle\Controller\Admin;

use EasyCorp\Bundle\EasyAdminBundle\Controller\AdminController as BaseAdminController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

/**
 * Extends the EasyAdmin default controller for custom actions.
 *
 * @Route("/admin")
 */
class AdminController extends BaseAdminController
{
    /**
     * @Route("/phpinfo", name="easyadmin_phpinfo")
     */
    public function phpInfoAction(): Response
    {
        // The profiler service only exists in the dev environment, hence the check.
        if ($this->container->has('profiler')) {
            $this->container->get('profiler')->disable();
        }

        // phpinfo() prints straight to the output, so capture it in a buffer.
        ob_start();
        phpinfo();
        $str = ob_get_clean();

        return new Response($str);
    }
}
- We deactivate the Symfony profiler because we don't want the web debug toolbar injected into the raw output of phpinfo(), which is already a complete HTML document. The profiler service only exists in the dev environment, hence the has() check.
- Then we capture the output of phpinfo() with an output buffer and return a basic response containing it. That's it!
To access the page, go to /admin/phpinfo (if you are using the default admin route). Note that the action itself performs no access check: it relies entirely on the access_control rule for ^/admin in your security configuration (typically roles: ROLE_ADMIN, as the EasyAdmin documentation tells you to configure). If you aren't logged in or don't have the admin role, you will be redirected to the login form of your application. Check out the documentation to see how to extend the default bundle admin controller.
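As an added example that is not part of the original post, here is a hardened variant of the same action. It keeps the menu entry and route name above but adds three things a production deployment should have: an explicit ROLE_ADMIN check inside the action (so a mistake in security.yml does not expose the page), removal of the phpinfo() sections that dump the process environment and the request variables (with Symfony's Dotenv, DATABASE_URL, APP_SECRET and similar secrets live there, and the request section prints your session cookie and Authorization header), and cache headers so no browser or proxy stores the page. The role name ROLE_ADMIN and the helper names PHPINFO_SECRET_SECTIONS and renderPhpInfo() are my own assumptions, not from the bundle.

```php
<?php
// src/AppBundle/Controller/Admin/AdminController.php
// Hardened variant (added example; assumes the usual EasyAdmin setup where
// security.yml has an access_control rule { path: ^/admin, roles: ROLE_ADMIN }).
namespace AppBundle\Controller\Admin;

use EasyCorp\Bundle\EasyAdminBundle\Controller\AdminController as BaseAdminController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

/**
 * @Route("/admin")
 */
class AdminController extends BaseAdminController
{
    /**
     * phpinfo() sections that leak secrets (name chosen for this example):
     *  - INFO_ENVIRONMENT: the process environment (DATABASE_URL, APP_SECRET, ...)
     *  - INFO_VARIABLES:   $_SERVER / $_ENV / $_COOKIE / $_REQUEST of the current
     *                      request, i.e. the admin's session cookie and headers.
     */
    const PHPINFO_SECRET_SECTIONS = INFO_ENVIRONMENT | INFO_VARIABLES;

    /**
     * @Route("/phpinfo", name="easyadmin_phpinfo")
     */
    public function phpInfoAction(): Response
    {
        // Defence in depth: the ^/admin access_control rule normally protects
        // this URL, but checking here too means a misconfigured security.yml
        // does not turn this into a public phpinfo page. Throws an
        // AccessDeniedException (HTTP 403) if the role is missing.
        $this->denyAccessUnlessGranted('ROLE_ADMIN');

        // The profiler service only exists in the dev environment.
        if ($this->container->has('profiler')) {
            $this->container->get('profiler')->disable();
        }

        // Everything except the secret-bearing sections.
        $html = self::renderPhpInfo(INFO_ALL & ~self::PHPINFO_SECRET_SECTIONS);

        $response = new Response($html, Response::HTTP_OK, [
            'Content-Type' => 'text/html; charset=UTF-8',
        ]);
        // Private to this user and never stored by a browser or shared cache.
        $response->setPrivate();
        $response->headers->addCacheControlDirective('no-store');
        // Keep search engines out even if the page is ever linked somewhere.
        $response->headers->set('X-Robots-Tag', 'noindex, nofollow');

        return $response;
    }

    /**
     * Capture the HTML that phpinfo() writes to the output for the given
     * INFO_* bitmask and return it as a string.
     */
    public static function renderPhpInfo(int $sections): string
    {
        ob_start();
        phpinfo($sections);

        return (string) ob_get_clean();
    }
}
```

If you do need the environment section (for example to check that an env var reaches PHP-FPM at all), pass INFO_ALL instead, but be aware that the page then contains every credential your application reads from its environment, so treat it like the contents of your .env file.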
Did you know?
When using the development environment (with the debug bar), the profiler already includes a phpinfo page. Access /app_dev.php/_profiler/phpinfo or use the "View full PHP configuration" link in the configuration panel of the profiler. Of course, it isn't available when using the production environment, and the app_dev.php front controller must never be deployed there: the ^/_profiler routes usually sit in the dev firewall with security disabled, and the IP check at the top of the standard app_dev.php is not something to rely on.
About this blog
This was the very first post on this technical blog. In fact, it was a very basic one, just to bootstrap the blog. If you read this between 2019-01-14 and 2019-01-21, this post is almost just a Twig template, yes really! No complicated stuff here!
At Tokeeen, we take a very pragmatic approach to coding. Code mustn't be complicated, and we only build things when we really need them.
So when we write the next posts, we will refactor and clean up what we wrote before and add tests. We will repeat this until we have something that perfectly fits our needs, no more, no less!
What's next?
We already have a lot of ideas, in the next weeks we may talk about:
- Development of this blog from scratch.
- i18n (internationalization) and language switching (Look at the flag at the top right of the header bar.).
- How to use a CDN for your assets.
- How to easily optimize your assets.
- ...
Call to action
Did you like this post? You can help us back in several ways:
- Create an account and test Tokeeen which is still BETA.
- Subscribe to the newsletter and get notified of the official launch.
- Subscribe to the RSS feed
- Follow us on Twitter
- Report any error/typo (use the contact form).
- Report something that could be improved.
Thank you for reading! And see you soon on Tokeeen! 😉
PS: For security reasons, the /admin route of this site has been changed to one containing a random token.