Security fix: unauthorized access (#10091)

* Security fix: unauthorized access
Affects nginx users:
Moved php files outside of public html directory (Apache was protected by .htaccess)

Affects all users:
Some files did not check for authentication and could disclose some info.
Better checks before including files from user input

* git mv html/includes/ includes/html
git mv html/pages/ includes/html/

includes/html/pages/device/apps/squid.inc.php

@@ -0,0 +1,40 @@
+<?php
+
+global $config;
+
+$graphs = array(
+    'squid_bytehit' => 'Byte Hits',
+    'squid_reqhit' => 'Request Hits',
+    'squid_http' => 'Client HTTP',
+    'squid_httpbw' => 'Client HTTP Bandwidth',
+    'squid_server' => 'Server HTTP',
+    'squid_serverbw' => 'Server HTTP Bandwidth',
+    'squid_clients' => 'Clients',
+    'squid_cputime' => 'CPU Time',
+    'squid_cpuusage' => 'CPU Usage',
+    'squid_filedescr' => 'File Descriptors',
+    'squid_memory' => 'Memory',
+    'squid_objcount' => 'Object Count',
+    'squid_pagefaults' => 'Pagefaults',
+    'squid_sysnumread' => 'Sys Read',
+);
+
+foreach ($graphs as $key => $text) {
+    $graph_type            = $key;
+    $graph_array['height'] = '100';
+    $graph_array['width']  = '215';
+    $graph_array['to']     = $config['time']['now'];
+    $graph_array['id']     = $app['app_id'];
+    $graph_array['type']   = 'application_'.$key;
+
+    echo '<div class="panel panel-default">
+    <div class="panel-heading">
+        <h3 class="panel-title">'.$text.'</h3>
+    </div>
+    <div class="panel-body">
+    <div class="row">';
+    include 'includes/html/print-graphrow.inc.php';
+    echo '</div>';
+    echo '</div>';
+    echo '</div>';
+}