$prefix . ts('view my invoices'),
ts('Allow users to view/ download their own invoices'),
),
+ 'edit api keys' => array(
+ $prefix . ts('edit api keys'),
+ ts('Edit API keys'),
+ ),
+ 'edit own api keys' => array(
+ $prefix . ts('edit own api keys'),
+ ts('Edit user\'s own API keys'),
+ ),
);
return $permissions;
return $values;
}
+ if (array_key_exists('api_key', $params) && !empty($params['check_permissions'])) {
+ if (CRM_Core_Permission::check('edit api keys') || CRM_Core_Permission::check('administer CiviCRM')) {
+ // OK
+ }
+ elseif ($contactID && CRM_Core_Permission::check('edit own api keys') && CRM_Core_Session::singleton()->get('userID') == $contactID) {
+ // OK
+ }
+ else {
+ throw new \Civi\API\Exception\UnauthorizedException('Permission denied to modify api key');
+ }
+ }
+
if (!$contactID) {
// If we get here, we're ready to create a new contact
if (($email = CRM_Utils_Array::value('email', $params)) && !is_array($params['email'])) {
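Review bot: The self-service branch decides authorization with a loose comparison, `CRM_Core_Session::singleton()->get('userID') == $contactID`, so the result depends on PHP type juggling if `$contactID` can reach this point as a non-canonical string taken from the request. Comparing the canonical string forms strictly removes that dependency and fails closed: `(string) CRM_Core_Session::singleton()->get('userID') === (string) $contactID`. The two empty `// OK` branches would also be safer as a single negated guard that throws, so that a later edit cannot accidentally widen an allow branch. The check runs only when `api_key` is present and `check_permissions` is set. Whether every other write to that field passes through this function is not visible here, and the function itself starts and ends outside the hunk.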