This may have been discussed ad infinitum, but it's always new to someone, and this thread is a top Google result.
I'd have to agree that it is counter-intuitive that by default, end users need admin privileges to access their ARI panel. If that is cached in their browser, what is to stop a curious/disgruntled employee from getting into the main admin area and deleting trunks and extensions?
Re. the "Big Button" solution, how about a compromise: add a button to enable access to the ARI from within the local subnet? An "Advanced" option could allow listing subnets.
I needed access from two subnets. With help from lgaetz and Hyksos, here's what worked for me:
/etc/pbx/httpdconf/ari.conf
Code:
# Only allow access to ARI from trusted subnets.
# Order Deny,Allow: Deny directives are evaluated first and a matching Allow
# overrides them, so hosts outside the listed subnets are refused. This is
# Apache's default order; it is stated explicitly so the block does not
# depend on the default.
<Directory /var/www/html/recordings>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.50.0/255.255.255.0
    Allow from 192.168.100.0/255.255.255.0
</Directory>
# Allow critical assets (js/images/css) for ARI.
# pbx.conf protects /admin with "Require user wwwadmin maint"; Satisfy Any
# lets these subdirectories be served EITHER with that login OR from a
# listed subnet. "Deny from all" is needed here too: without it no host is
# denied, so the Allow lines restrict nothing and Satisfy Any would let
# every host fetch the assets without a login.
<Directory ~ "^/var/www/html/admin/assets/(js|images|css)">
    Order Deny,Allow
    Deny from all
    Allow from 192.168.50.0/255.255.255.0
    Allow from 192.168.100.0/255.255.255.0
    Satisfy Any
</Directory>
In the second block, you do need Satisfy Any. Per the Apache docs, Satisfy is only needed when you're using both Require and Allow. And in fact, /etc/pbx/httpdconf/pbx.conf does have a "Require user wwwadmin maint" on the /admin directory. Basically the Satisfy Any is saying you can have access to these specific /admin subdirectories by providing the wwwadmin/maint password OR by coming in from a listed subnet. Satisfy Any is not needed in the first block because there is no other definition for the /recordings folder, i.e. there is no Require directive.
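The config above is Apache 2.2 syntax. On Apache 2.4, Order/Allow/Deny/Satisfy only work if mod_access_compat is loaded, and the supported way to express the same rule is the Require family. Below is an added example of the equivalent ari.conf in 2.4 syntax; it is not from the original post or from the PBX distribution. It assumes the same paths and subnets, that pbx.conf protects /admin with Basic auth and "Require user wwwadmin maint" as the post describes, and that the default modules mod_authz_core and mod_authz_host are loaded.

```apache
# /etc/pbx/httpdconf/ari.conf, Apache 2.4 syntax (added example; paths,
# subnets and the wwwadmin/maint users are taken from the post above).

# Only allow access to ARI from trusted subnets. A single "Require ip"
# refuses every client that does not match one of the listed networks,
# so no separate deny-all line is needed.
<Directory /var/www/html/recordings>
    Require ip 192.168.50.0/24 192.168.100.0/24
</Directory>

# Critical assets for ARI. In 2.4 a child Directory's Require list
# REPLACES the parent's (AuthMerging Off is the default), so the user check
# from pbx.conf has to be repeated here. <RequireAny> is the 2.4 equivalent
# of "Satisfy Any": the request passes if EITHER the IP test OR the login
# succeeds. AuthType and AuthUserFile are inherited from the /admin block.
<Directory ~ "^/var/www/html/admin/assets/(js|images|css)">
    <RequireAny>
        Require ip 192.168.50.0/24 192.168.100.0/24
        Require user wwwadmin maint
    </RequireAny>
</Directory>
```

After editing, run `apachectl configtest` before reloading, then check both paths from an address outside the listed subnets: /recordings/ should return 403, and an asset under /admin/assets/ should return 401 until you supply the wwwadmin or maint credentials, while a host inside a listed subnet gets both without a login.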