From: Tim Otten
Date: Fri, 26 Feb 2016 20:07:08 +0000 (-0800)
Subject: CRM-18112 - Additional permission for editing "api_key"
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=d4463076e7124e211d9f82ce44821ea1093ba0c7;p=civicrm-core.git
CRM-18112 - Additional permission for editing "api_key"
---
diff --git a/CRM/Core/Permission.php b/CRM/Core/Permission.php
index 242fdf4074..300efaec8e 100644
--- a/CRM/Core/Permission.php
+++ b/CRM/Core/Permission.php
@@ -833,6 +833,14 @@ class CRM_Core_Permission {
 $prefix . ts('view my invoices'),
 ts('Allow users to view/ download their own invoices'),
 ),
+ 'edit api keys' => array(
+ $prefix . ts('edit api keys'),
+ ts('Edit API keys'),
+ ),
+ 'edit own api keys' => array(
+ $prefix . ts('edit own api keys'),
+ ts('Edit user\'s own API keys'),
+ ),
 );
 return $permissions;
 
diff --git a/api/v3/Contact.php b/api/v3/Contact.php
index 3dfe80f5a7..8f20591af8 100644
--- a/api/v3/Contact.php
+++ b/api/v3/Contact.php
@@ -61,6 +61,18 @@ function civicrm_api3_contact_create($params) {
 return $values;
 }
 
+ if (array_key_exists('api_key', $params) && !empty($params['check_permissions'])) {
+ if (CRM_Core_Permission::check('edit api keys') || CRM_Core_Permission::check('administer CiviCRM')) {
+ // OK
+ }
+ elseif ($contactID && CRM_Core_Permission::check('edit own api keys') && CRM_Core_Session::singleton()->get('userID') == $contactID) {
+ // OK
+ }
+ else {
+ throw new \Civi\API\Exception\UnauthorizedException('Permission denied to modify api key');
+ }
+ }
+
 if (!$contactID) {
 // If we get here, we're ready to create a new contact
 if (($email = CRM_Utils_Array::value('email', $params)) && !is_array($params['email'])) {
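Review bot: The label for `edit api keys` reads just `Edit API keys`, which does not tell an administrator that it covers any contact's key, whereas the sibling `edit own api keys` is explicitly scoped; `ts('Edit API keys of any contact')` (or similar wording) would make the distinction between the two permissions visible wherever the permission list is rendered. The enclosing method that builds `$permissions` starts outside the hunk.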
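Review bot: The own-record branch compares the session userID with `$contactID` using loose `==`, so the outcome depends on PHP's type juggling between a session value and a request parameter; normalising both sides to int and requiring a positive logged-in id (`$loggedInContactID > 0 && $loggedInContactID === (int) $contactID`) makes the ownership test explicit. The two empty `// OK` branches followed by an `else` that throws also read awkwardly — folding the cases into two named booleans and a single `if (!$canEditAnyKey && !$canEditOwnKey)` makes the allow/deny decision visible at a glance, as in the excerpt below. Note that the gate fires on mere presence of `api_key` in `$params`, so a caller that round-trips a record fetched with `get` is rejected even when the key is unchanged; if that fail-closed behaviour is intended, a one-line comment stating it would save a future reader from "fixing" it. `civicrm_api3_contact_create` starts outside the hunk, and `$contactID` is presumably assigned there.
```php
  if (array_key_exists('api_key', $params) && !empty($params['check_permissions'])) {
    // Fail closed: any attempt to write api_key needs an explicit grant.
    $loggedInContactID = (int) CRM_Core_Session::singleton()->get('userID');
    $canEditAnyKey = CRM_Core_Permission::check('edit api keys') || CRM_Core_Permission::check('administer CiviCRM');
    $canEditOwnKey = $loggedInContactID > 0 && $loggedInContactID === (int) $contactID && CRM_Core_Permission::check('edit own api keys');
    if (!$canEditAnyKey && !$canEditOwnKey) {
      throw new \Civi\API\Exception\UnauthorizedException('Permission denied to modify api key');
    }
  }
  // … unchanged: create-vs-update branch on $contactID …
```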