From: Tim Otten <totten@civicrm.org>
Date: Wed, 22 Feb 2017 21:03:48 +0000 (-0800)
Subject: CRM-20159 - Contact.create API - Filter output
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=c10bca201aa982ff5b2cfc3f774dada68733b12f;p=civicrm-core.git

CRM-20159 - Contact.create API - Filter output
---

diff --git a/api/v3/Contact.php b/api/v3/Contact.php
index 8b2711cd1e..2d1da21a38 100644
--- a/api/v3/Contact.php
+++ b/api/v3/Contact.php
@@ -129,6 +129,8 @@ function civicrm_api3_contact_create($params) {
     _civicrm_api3_object_to_array_unique_fields($contact, $values[$contact->id]);
   }
 
+  $values = _civicrm_api3_contact_formatResult($params, $values);
+
   return civicrm_api3_create_success($values, $params, 'Contact', 'create');
 }
 
@@ -168,9 +170,39 @@ function civicrm_api3_contact_get($params) {
   $options = array();
   _civicrm_api3_contact_get_supportanomalies($params, $options);
   $contacts = _civicrm_api3_get_using_query_object('Contact', $params, $options);
+  $contacts = _civicrm_api3_contact_formatResult($params, $contacts);
   return civicrm_api3_create_success($contacts, $params, 'Contact');
 }
 
+/**
+ * Filter the result.
+ *
+ * @param array $result
+ *
+ * @return array
+ * @throws \CRM_Core_Exception
+ */
+function _civicrm_api3_contact_formatResult($params, $result) {
+  $apiKeyPerms = array('edit api keys', 'administer CiviCRM');
+  $allowApiKey = empty($params['check_permissions']) || CRM_Core_Permission::check(array($apiKeyPerms));
+  if (!$allowApiKey) {
+    if (is_array($result)) {
+      // Single-value $result
+      if (isset($result['api_key'])) {
+        unset($result['api_key']);
+      }
+
+      // Multi-value $result
+      foreach ($result as $key => $row) {
+        if (is_array($row)) {
+          unset($result[$key]['api_key']);
+        }
+      }
+    }
+  }
+  return $result;
+}
+
 /**
  * Get number of contacts matching the supplied criteria.
  *