Allow whitelisting specific IP to avoid secret_url

web/inc/secure_login.php

@@ -4,6 +4,9 @@ $skip_login_url_check=0;
 if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/vesta/web/reset/mail/index.php') $skip_login_url_check=1; // it's accessible only from localhost
 if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/vesta/web//reset/mail/index.php') $skip_login_url_check=1;
 
+if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/vesta/web/api/index.php') $skip_login_url_check=1; // api has its own security check
+if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/vesta/web//api/index.php') $skip_login_url_check=1;
+
 if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/vesta/web/reset/mail/set-ar.php') $skip_login_url_check=1; // commercial addon for changing auto-reply from Roundcube, not included in this fork, also accessible only from localhost
 if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/vesta/web//reset/mail/set-ar.php') $skip_login_url_check=1;
 if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/vesta/web/reset/mail/get-ar.php') $skip_login_url_check=1;
@@ -16,6 +19,16 @@ if (substr($_SERVER['SCRIPT_FILENAME'], 0, 29)=='/usr/local/vesta/softaculous/')
 if (substr($_SERVER['SCRIPT_FILENAME'], 0, 33)=='/usr/local/vesta/web/softaculous/') $skip_login_url_check=1; // allow softaculous
 if (substr($_SERVER['SCRIPT_FILENAME'], 0, 34)=='/usr/local/vesta/web//softaculous/') $skip_login_url_check=1; // allow softaculous
 
+$check_file="/usr/local/vesta/conf_web/allow_ip_for_secret_url.conf";
+if (file_exists($check_file)) {
+    $file_content=file($check_file);
+    if (is_array($file_content)) {
+        foreach ($file_content as $line) {
+            if (trim($line) == $_SERVER['REMOTE_ADDR']) {$skip_login_url_check=1; break;}
+        }
+    }
+}
+
 if ($skip_login_url_check==0) {
     if (!isset($login_url_loaded)) {
         $login_url_loaded=1;