return $contact;
}
- if (!empty($params['contact_id']) && empty($params['contact_type'])) {
+ $isEdit = !empty($params['contact_id']);
+
+ if ($isEdit && empty($params['contact_type'])) {
$params['contact_type'] = self::getContactType($params['contact_id']);
}
- $isEdit = TRUE;
+ if (!empty($params['check_permissions']) && isset($params['api_key'])
+ && !CRM_Core_Permission::check([['edit api keys', 'administer CiviCRM']])
+ && !($isEdit && CRM_Core_Permission::check('edit own api keys') && $params['contact_id'] == CRM_Core_Session::getLoggedInContactID())
+ ) {
+ throw new \Civi\API\Exception\UnauthorizedException('Permission denied to modify api key');
+ }
+
if ($invokeHooks) {
if (!empty($params['contact_id'])) {
CRM_Utils_Hook::pre('edit', $params['contact_type'], $params['contact_id'], $params);
}
else {
CRM_Utils_Hook::pre('create', $params['contact_type'], NULL, $params);
- $isEdit = FALSE;
}
}
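Review bot: The new api_key guard tests `isset($params['api_key'])`, which is false for an explicit NULL, so a request carrying `'api_key' => NULL` together with `check_permissions` skips the permission check entirely, whereas the check this replaces in createProfileContact used `array_key_exists` and covered that case. If a NULL value is honoured downstream (this hunk does not show how the key is written), that lets a caller without 'edit api keys' clear another contact's key, so the condition should read `&& array_key_exists('api_key', $params)`. The own-key branch also compares the two ids with loose `==`; unless contact_id has already been normalised to an integer earlier in create() (whose start is outside this hunk), `(int) $params['contact_id'] === (int) CRM_Core_Session::getLoggedInContactID()` is the safer form. Moving the check into create() only preserves coverage if createProfileContact still passes check_permissions through in $params, which the visible lines do not establish.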
return $values;
}
- if (array_key_exists('api_key', $params) && !empty($params['check_permissions'])) {
- if (CRM_Core_Permission::check('edit api keys') || CRM_Core_Permission::check('administer CiviCRM')) {
- // OK
- }
- elseif ($contactID && CRM_Core_Permission::check('edit own api keys') && CRM_Core_Session::singleton()->get('userID') == $contactID) {
- // OK
- }
- else {
- throw new \Civi\API\Exception\UnauthorizedException('Permission denied to modify api key');
- }
- }
-
if (!$contactID) {
// If we get here, we're ready to create a new contact
if (($email = CRM_Utils_Array::value('email', $params)) && !is_array($params['email'])) {