CRM-18112 - Additional permission for editing "api_key"

diff --git a/CRM/Core/Permission.php b/CRM/Core/Permission.php
index 2742c8285edf4efbd81da3bef8d9a01978b24974..89d28717b462e91ab86bc056d1cbee211ef7cca7 100644 (file)
--- a/CRM/Core/Permission.php
+++ b/CRM/Core/Permission.php
@@ -838,6 +838,14 @@ class CRM_Core_Permission {
         $prefix . ts('view my invoices'),
         ts('Allow users to view/ download their own invoices'),
       ),
+      'edit api keys' => array(
+        $prefix . ts('edit api keys'),
+        ts('Edit API keys'),
+      ),
+      'edit own api keys' => array(
+        $prefix . ts('edit own api keys'),
+        ts('Edit user\'s own API keys'),
+      ),
     );
 
     return $permissions;

diff --git a/api/v3/Contact.php b/api/v3/Contact.php
index f375d0666916e5f5638008a1e4837fd38b774906..5bd3d1e0ca98ae012d09132edf573076164d8ca7 100644 (file)
--- a/api/v3/Contact.php
+++ b/api/v3/Contact.php
@@ -57,6 +57,18 @@ function civicrm_api3_contact_create($params) {
     return $values;
   }
 
+  if (array_key_exists('api_key', $params) && !empty($params['check_permissions'])) {
+    if (CRM_Core_Permission::check('edit api keys') || CRM_Core_Permission::check('administer CiviCRM')) {
+      // OK
+    }
+    elseif ($contactID && CRM_Core_Permission::check('edit own api keys') && CRM_Core_Session::singleton()->get('userID') == $contactID) {
+      // OK
+    }
+    else {
+      throw new \Civi\API\Exception\UnauthorizedException('Permission denied to modify api key');
+    }
+  }
+
   if (!$contactID) {
     // If we get here, we're ready to create a new contact
     if (($email = CRM_Utils_Array::value('email', $params)) && !is_array($params['email'])) {