authorSimon Rettberg2025-05-22 16:07:03 +0200
committerSimon Rettberg2025-05-22 16:07:03 +0200
commit19160ec62cec3b6e436590b16ebb2b329ef5d55b (patch)
treebdfc8a89829fde79133b839d4cb52a27c7b3e520 /api.php
parent[locationinfo] URLpanel: Browser accept-language and screen rotation (diff)
Add audit logging of POST actions
Diffstat (limited to 'api.php')
-rw-r--r--api.php19
1 files changed, 15 insertions, 4 deletions
diff --git a/api.php b/api.php
index 5a451f3a..2680821c 100644
--- a/api.php
+++ b/api.php
@@ -53,14 +53,25 @@ if (!empty($_REQUEST['do'])) {
Module::init();
if (Module::isAvailable($module)) {
- $module = 'modules/' . $module . '/api.inc.php';
+ $moduleFile = 'modules/' . $module . '/api.inc.php';
} else {
- $module = 'apis/' . $module . '.inc.php';
+ $moduleFile = 'apis/' . $module . '.inc.php';
}
-if (!file_exists($module)) {
+if (!file_exists($moduleFile)) {
ErrorHandler::traceError('Invalid module, or module without API: ' . $module);
}
+
+// Auditing - log any post requests, but mask potential password fields.
+// This REQUIRES naming those form fields accordingly
+if (isLocalExecution() || ($_SERVER['REQUEST_METHOD'] ?? 'POST') === 'POST') {
+ if ($module !== 'clientlog' && $module !== 'cb' && $module !== 'cron'
+ && $module !== 'remoteaccess' && $module !== 'taskmanager') {
+ User::load();
+ Audit::run($module);
+ }
+}
+
if (php_sapi_name() === 'cli') {
register_shutdown_function(function() {
if (class_exists('Message', false)) {
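Review bot: The audit exemption on the `if ($module !== 'clientlog' && ...` lines is an inline chain of five `!==` comparisons with no explanation of why those modules are exempt; a named list with a strict `in_array` makes the set reviewable and gives the reason a place to live, e.g. `$unaudited = ['clientlog', 'cb', 'cron', 'remoteaccess', 'taskmanager']; // presumably machine-facing/high-volume endpoints -- confirm` followed by `if (!in_array($module, $unaudited, true)) {`. Keeping it a deny-list is the right default, since any newly added module is audited unless explicitly listed here. The `?? 'POST'` fallback on the `REQUEST_METHOD` check means a request with no method set is treated as a POST and therefore logged, which is the safe direction for an audit trail but should be stated in the comment so nobody "fixes" it later. The header comment says password fields must be named "accordingly" without naming the convention; it should spell out the expected field-name pattern or point to where `Audit::run` applies the masking.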
@@ -79,6 +90,6 @@ if (php_sapi_name() === 'cli') {
ob_start('ob_gzhandler');
}
// Load module - it will execute pre-processing, or act upon request parameters
-require_once($module);
+require_once($moduleFile);