Diffstat (limited to 'api.php')
| -rw-r--r-- | api.php | 19 |
1 files changed, 15 insertions, 4 deletions
@@ -53,14 +53,25 @@ if (!empty($_REQUEST['do'])) {
 Module::init();
 if (Module::isAvailable($module)) {
- $module = 'modules/' . $module . '/api.inc.php';
+ $moduleFile = 'modules/' . $module . '/api.inc.php';
 } else {
- $module = 'apis/' . $module . '.inc.php';
+ $moduleFile = 'apis/' . $module . '.inc.php';
 }
-if (!file_exists($module)) {
+if (!file_exists($moduleFile)) {
 ErrorHandler::traceError('Invalid module, or module without API: ' . $module);
 }
+
+// Auditing - log any post requests, but mask potential password fields.
+// This REQUIRES naming those form fields accordingly
+if (isLocalExecution() || ($_SERVER['REQUEST_METHOD'] ?? 'POST') === 'POST') {
+ if ($module !== 'clientlog' && $module !== 'cb' && $module !== 'cron'
+ && $module !== 'remoteaccess' && $module !== 'taskmanager') {
+ User::load();
+ Audit::run($module);
+ }
+}
+
 if (php_sapi_name() === 'cli') {
 register_shutdown_function(function() {
 if (class_exists('Message', false)) {
@@ -79,6 +90,6 @@ if (php_sapi_name() === 'cli') {
 ob_start('ob_gzhandler');
 }
 // Load module - it will execute pre-processing, or act upon request parameters
-require_once($module);
+require_once($moduleFile); |
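Review bot: The audit condition added just before `if (php_sapi_name() === 'cli')` records only POST requests and local execution, while the module is chosen from `$_REQUEST['do']`, so an API module that acts on GET parameters would run without an audit entry; whether any module does so is not visible in this hunk. If GET is meant to be read-only, say so next to the condition, e.g. `// GET is assumed read-only for API modules; state changes must use POST to be audited`. The five exempt modules would be easier to review as one list, `if (!in_array($module, ['clientlog', 'cb', 'cron', 'remoteaccess', 'taskmanager'], true)) {`, with a short comment on why each is skipped. Password masking depends on form-field naming handled inside `Audit::run()`, which is outside this diff, so a field that misses the convention would presumably be logged unmasked.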
