From 52079b6da925506c184006c951e9816a51472341 Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Thu, 9 Apr 2015 23:03:18 -0700
Subject: [PATCH] CRM-16173 - Cxn.get API - Hide 'secret'
---
 api/v3/Cxn.php | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/api/v3/Cxn.php b/api/v3/Cxn.php
index 4c0d29df90..102d6d0bbb 100644
--- a/api/v3/Cxn.php
+++ b/api/v3/Cxn.php
@@ -163,6 +163,11 @@ function civicrm_api3_cxn_unregister($params) {
 return $result;
 }
 
+function _civicrm_api3_cxn_get_spec(&$spec) {
+ // Don't trust AJAX callers or other external code to modify, filter, or return the secret.
+ unset($spec['secret']);
+}
+
 /**
 * Returns an array of Cxn records.
 *
@@ -173,6 +178,9 @@ function civicrm_api3_cxn_unregister($params) {
 * API result array.
 */
 function civicrm_api3_cxn_get($params) {
+ // Don't trust AJAX callers or other external code to modify, filter, or return the secret.
+ unset($params['secret']);
+
 $result = _civicrm_api3_basic_get(_civicrm_api3_get_BAO(__FUNCTION__), $params);
 if (is_array($result['values'])) {
 foreach (array_keys($result['values']) as $i) {
@@ -182,7 +190,10 @@ function civicrm_api3_cxn_get($params) {
 if (!empty($result['values'][$i]['perm'])) {
 $result['values'][$i]['perm'] = json_decode($result['values'][$i]['perm'], TRUE);
 }
+ // Don't trust AJAX callers or other external code to modify, filter, or return the secret.
+ unset($result['values'][$i]['secret']);
 }
 }
+
 return $result;
 }
-- 
2.25.1
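Review bot: `_civicrm_api3_cxn_get_spec()` in the first hunk has no docblock, although the neighbouring API functions in this file carry one, and its inline comment is the same sentence pasted into all three hunks, so it does not say what this hook itself contributes. Dropping `secret` from `$spec` appears only to remove the field from the metadata advertised for `Cxn.get`; the actual enforcement is the two `unset()` calls in `civicrm_api3_cxn_get()`. I would add a docblock stating that the function adjusts the field spec for the get action so that `secret` is not offered as a filter or return field, with `@param array $spec` noting it is modified by reference, and shorten the inline comment to `// Do not advertise 'secret' as a Cxn.get field.`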
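Review bot: `unset($params['secret'])` at the top of `civicrm_api3_cxn_get()` (second hunk) silently discards the filter, so a caller that passes `secret` gets the unfiltered result set back rather than an error or an empty list, which is easy to misread on the calling side. Rejecting the parameter would make the contract explicit, e.g. `if (array_key_exists('secret', $params)) { throw new API_Exception('Cxn.get does not accept the "secret" parameter'); }`, provided no existing caller depends on it being ignored. Only the top-level key is handled here; whether `options` such as sort can still name the column is not visible from this hunk and is worth checking, since ordering by a hidden column can leak information about it. The function body continues past the end of this hunk.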
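Review bot: The per-row `unset($result['values'][$i]['secret'])` in the last hunk is what actually keeps the value out of responses, yet the diffstat shows one file changed and no test to pin that behaviour. A regression test that creates a Cxn record and asserts `secret` is absent from `Cxn.get` output, both by default and when the caller requests it through `return`, would guard against a later refactor dropping the line. The approach is also a denylist: the column is presumably still loaded by `_civicrm_api3_basic_get()`, and any sensitive column added later is returned unless it is stripped here too, so a more specific comment such as `// Denylist: strip every sensitive Cxn column here before returning rows.` would help the next maintainer. `civicrm_api3_cxn_get()` starts above this hunk.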