Security fix: unauthorized access (#10091)

* Security fix: unauthorized access
Affects nginx users:
Moved php files outside of public html directory (Apache was protected by .htaccess)

Affects all users:
Some files did not check for authentication and could disclose some info.
Better checks before including files from user input

* git mv html/includes/ includes/html
git mv html/pages/ includes/html/

includes/html/graphs/application/bind_rr_negative.inc.php

@@ -0,0 +1,72 @@
+<?php
+
+$unitlen       = 10;
+$bigdescrlen   = 9;
+$smalldescrlen = 9;
+$dostack       = 0;
+$printtotal    = 0;
+$unit_text    = 'RR sets';
+$colours      = 'psychedelic';
+$rrd_list     = array();
+
+
+
+$rrd_filename = rrd_name($device['hostname'], array('app', 'bind', $app['app_id'], 'rrnegative'));
+$array        = array(
+    'any',
+    'a',
+    'aaaa',
+    'cname',
+    'mx',
+    'ns',
+    'ptr',
+    'soa',
+    'srv',
+    'spf',
+    'afsdb',
+    'apl',
+    'caa',
+    'cdnskey',
+    'cds',
+    'cert',
+    'dhcid',
+    'dlv',
+    'dnskey',
+    'ds',
+    'ipseckey',
+    'key',
+    'kx',
+    'loc',
+    'naptr',
+    'nsec',
+    'nsec3',
+    'nsec3param',
+    'rrsig',
+    'rp',
+    'sig',
+    'sshfp',
+    'ta',
+    'tkey',
+    'tlsa',
+    'tsig',
+    'txt',
+    'uri',
+    'dname',
+    'nxdomain',
+    'axfr',
+    'ixfr',
+    'opt',
+);
+if (rrdtool_check_rrd_exists($rrd_filename)) {
+    foreach ($array as $ds) {
+        $rrd_list[]=array(
+            'filename' => $rrd_filename,
+            'descr' => '!'.strtoupper($ds),
+            'ds' => $ds,
+        );
+    }
+} else {
+    echo "file missing: $file";
+}
+
+require 'includes/html/graphs/generic_multi_line.inc.php';