From d4463076e7124e211d9f82ce44821ea1093ba0c7 Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Fri, 26 Feb 2016 12:07:08 -0800
Subject: [PATCH] CRM-18112 - Additional permission for editing "api_key"

---
 CRM/Core/Permission.php |  8 ++++++++
 api/v3/Contact.php      | 12 ++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/CRM/Core/Permission.php b/CRM/Core/Permission.php
index 242fdf4074..300efaec8e 100644
--- a/CRM/Core/Permission.php
+++ b/CRM/Core/Permission.php
@@ -833,6 +833,14 @@ class CRM_Core_Permission {
         $prefix . ts('view my invoices'),
         ts('Allow users to view/ download their own invoices'),
       ),
+      'edit api keys' => array(
+        $prefix . ts('edit api keys'),
+        ts('Edit API keys'),
+      ),
+      'edit own api keys' => array(
+        $prefix . ts('edit own api keys'),
+        ts('Edit user\'s own API keys'),
+      ),
     );
 
     return $permissions;
diff --git a/api/v3/Contact.php b/api/v3/Contact.php
index 3dfe80f5a7..8f20591af8 100644
--- a/api/v3/Contact.php
+++ b/api/v3/Contact.php
@@ -61,6 +61,18 @@ function civicrm_api3_contact_create($params) {
     return $values;
   }
 
+  if (array_key_exists('api_key', $params) && !empty($params['check_permissions'])) {
+    if (CRM_Core_Permission::check('edit api keys') || CRM_Core_Permission::check('administer CiviCRM')) {
+      // OK
+    }
+    elseif ($contactID && CRM_Core_Permission::check('edit own api keys') && CRM_Core_Session::singleton()->get('userID') == $contactID) {
+      // OK
+    }
+    else {
+      throw new \Civi\API\Exception\UnauthorizedException('Permission denied to modify api key');
+    }
+  }
+
   if (!$contactID) {
     // If we get here, we're ready to create a new contact
     if (($email = CRM_Utils_Array::value('email', $params)) && !is_array($params['email'])) {
-- 
2.25.1
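Review bot: The own-key branch in the api/v3/Contact.php hunk decides an authorization outcome with a loose comparison, `CRM_Core_Session::singleton()->get('userID') == $contactID`, so any value that PHP coerces to the session user's id is accepted rather than only the identical contact id; normalize both sides and compare strictly, `(int) CRM_Core_Session::singleton()->get('userID') === (int) $contactID`, keeping the existing `$contactID` truthiness guard so an anonymous session (userID null) can never match. The three-branch `if`/`elseif`/`else` with empty `// OK` bodies would read more clearly as one boolean followed by a single `throw`, and a comment above the block stating that the gate only applies when `check_permissions` is set (the in-process API convention, as far as the hunk shows) would make the trust boundary explicit. civicrm_api3_contact_create's body begins and ends outside the hunk, so where `$contactID` is derived from `$params` is not visible here. The Permission.php hunk only registers the two permission labels and raises nothing further.
```php
  // … unchanged: early return of $values above …
  // Permission gate for api_key only runs when the caller asked for permission checks (in-process API convention).
  if (array_key_exists('api_key', $params) && !empty($params['check_permissions'])) {
    $isOwnKey = $contactID
      && CRM_Core_Permission::check('edit own api keys')
      && (int) CRM_Core_Session::singleton()->get('userID') === (int) $contactID;
    $canEditKey = CRM_Core_Permission::check('edit api keys')
      || CRM_Core_Permission::check('administer CiviCRM')
      || $isOwnKey;
    if (!$canEditKey) {
      throw new \Civi\API\Exception\UnauthorizedException('Permission denied to modify api key');
    }
  }
  // … unchanged: create-new-contact path below …
```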