From: Tim Otten
Date: Fri, 10 Apr 2015 06:03:18 +0000 (-0700)
Subject: CRM-16173 - Cxn.get API - Hide 'secret'
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=52079b6da925506c184006c951e9816a51472341;p=civicrm-core.git
CRM-16173 - Cxn.get API - Hide 'secret'
---
diff --git a/api/v3/Cxn.php b/api/v3/Cxn.php
index 4c0d29df90..102d6d0bbb 100644
--- a/api/v3/Cxn.php
+++ b/api/v3/Cxn.php
@@ -163,6 +163,11 @@ function civicrm_api3_cxn_unregister($params) {
 return $result;
 }
+function _civicrm_api3_cxn_get_spec(&$spec) {
+ // Don't trust AJAX callers or other external code to modify, filter, or return the secret.
+ unset($spec['secret']);
+}
+
 /**
 * Returns an array of Cxn records.
 *
@@ -173,6 +178,9 @@ function civicrm_api3_cxn_unregister($params) {
 * API result array.
 */
 function civicrm_api3_cxn_get($params) {
+ // Don't trust AJAX callers or other external code to modify, filter, or return the secret.
+ unset($params['secret']);
+
 $result = _civicrm_api3_basic_get(_civicrm_api3_get_BAO(__FUNCTION__), $params);
 if (is_array($result['values'])) {
 foreach (array_keys($result['values']) as $i) {
@@ -182,7 +190,10 @@ function civicrm_api3_cxn_get($params) {
 if (!empty($result['values'][$i]['perm'])) {
 $result['values'][$i]['perm'] = json_decode($result['values'][$i]['perm'], TRUE);
 }
+ // Don't trust AJAX callers or other external code to modify, filter, or return the secret.
+ unset($result['values'][$i]['secret']);
 }
 }
+
 return $result;
 }
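Review bot: `_civicrm_api3_cxn_get_spec` is added without the docblock that the neighbouring API functions carry, and its inline comment is the same sentence reused in the hunks at -173 and -182 although each site guards something different. I would give it a short docblock saying that it adjusts the field metadata advertised for Cxn.get and that `$spec` is modified by reference. The three comments could then be made specific: here `// Do not advertise 'secret' as a field of Cxn.get.`, at the params site `// Ignore any caller-supplied filter on 'secret'.`, and at the result site `// Never return 'secret' to the caller.`. How the API layer picks up the spec function is not visible in this diff.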
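Review bot: `unset($params['secret'])` in civicrm_api3_cxn_get drops only the top-level filter key, while the rest of `$params` (for example an `options` sort entry) still reaches `_civicrm_api3_basic_get` unchanged. That helper is outside the diff, so it cannot be confirmed here whether it refuses a reference to a field that is missing from the spec. It is worth checking, because ordering or matching on a secret column can disclose information even when the value itself is stripped from the output. No test is visible in this patch; a regression test that calls Cxn.get with a `secret` filter and with `return` set to `secret`, and asserts that no row contains the key and that the filter does not change the rows returned, would pin the intent.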
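Review bot: Stripping `secret` from every row at the end of civicrm_api3_cxn_get changes the function's contract for trusted in-process callers as well, and the docblock (`Returns an array of Cxn records.`, partly outside this hunk) does not say so. I would add a line such as ` * Note: the 'secret' field is never included in the result.` there, and state where internal code is expected to read the value instead, if such a path exists. The removal is also a denylist of one name applied after the fetch, so a sensitive column added to the table later would be returned by default; a comment recording that, or an explicit list of returnable fields, would make this harder to regress. The loop this line sits in starts above the hunk.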