1

I have a jQuery AJAX request that calls a PHP script that will send an email. This email is happening from the admin, so a user must be authenticated in order to be able to do this. I've got two questions:

  1. How can I lock this PHP file down from somebody being able to go directly to the path in the browser and keep submitting it?
  2. How do I only run the file if the user is authenticated?

PHP:

<?php
// mail-handler.php: GiftCardEmailer and $gift_card are defined elsewhere in the project
$emailer = new GiftCardEmailer();
$emailer->SendGiftCardEmail($gift_card);

jQuery:

$(document).ready(function() {
    var status = $('p#status');
    status.hide();

    $('#sendemail').click(function() {
        $.ajax({
            url: 'mail-handler.php',
            beforeSend: function() {
                status.fadeIn();
                status.html('<img src="images/ajax-loader.gif" />');
            },
            success: function(data) {
                // Test window.console: a bare `console` throws a ReferenceError
                // in browsers that have no console object.
                if (window.console && window.console.log) {
                    console.log('Sample of data:', data.slice(0, 100));
                }
                status.html('Email Sent Successfully.');
                setTimeout(function() {
                    status.fadeOut();
                }, 4000);
            }
        });
    });
});

Frankie

2 Answers

3

One approach would be to check for a valid session at the head of the file containing the actual mail code. If no session exists then simply terminate the script.

Check out ajax and security, might be helpful.

Cyclonecode
    +3 for being the only person who has even thought to check for an authenticated session, shame on the rest of you for your HORRENDOUSLY INSECURE referrer checking and 'is ajax' checking. It's not like they're easy to spoof... – James Butler Dec 04 '11 at 02:37
1

I do all of mine with session_start() at the top of a php page and then check for my specific session variables for authentication.

No session, no access.

Higgsy
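The guard both answers describe (start the session, check the login variable, otherwise terminate) for the head of mail-handler.php, plus the POST, CSRF-token and rate-limit checks that address the "keep submitting it" half of the question. This is an added example, not code from the question or either answer; the $_SESSION keys admin_id, csrf_token and mail_sent and the csrf_token POST field are assumed names set up by the login and admin pages.

```php
<?php
// Guard for the top of mail-handler.php. Added example, not code from the
// question or the answers. Assumed: the login page stores the admin's id in
// $_SESSION['admin_id'] and a random token in $_SESSION['csrf_token'], and
// the AJAX request POSTs that token in a csrf_token field.
session_start();

// Send a JSON error with a non-2xx status and stop. jQuery only runs the
// success callback for 2xx, so the page never shows "Email Sent Successfully."
function deny($status, $reason)
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(array('error' => $reason));
    exit;
}

// 1. Authentication: no session variable set at login, no access.
if (empty($_SESSION['admin_id'])) {
    deny(401, 'not authenticated');
}

// 2. Only POST: a URL typed into the address bar arrives as GET.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    deny(405, 'POST required');
}

// 3. Per-session CSRF token, compared in constant time. Unlike Referer or
//    X-Requested-With headers, a third-party page cannot read or forge it.
$token = isset($_POST['csrf_token']) ? $_POST['csrf_token'] : '';
if (!is_string($token) || empty($_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $token)) {
    deny(403, 'invalid csrf token');
}

// 4. Per-session rate limit: at most 5 sends per rolling 60 seconds, so even
//    a valid login cannot hammer the mailer by repeating the request.
$now = time();
$recent = isset($_SESSION['mail_sent']) ? $_SESSION['mail_sent'] : array();
$recent = array_values(array_filter($recent, function ($t) use ($now) {
    return $t > $now - 60;
}));
if (count($recent) >= 5) {
    deny(429, 'too many requests');
}
$recent[] = $now;
$_SESSION['mail_sent'] = $recent;

// Only a request that passed every check reaches the mail code from the question.
$emailer = new GiftCardEmailer();
$emailer->SendGiftCardEmail($gift_card);
```

The jQuery call in the question would then need type: 'POST', a data field carrying the csrf_token, and an error callback, since a denied request never reaches the success handler.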