CiviCRM Community Forums (archive)

If I update a contact record using the API, it looks like the contact updated the data itself. The corresponding record at the log table, has the contact id as the "modified_id", who is supossed to be the author of the change.

The ID of the user related with the provided api_key, is being verified but then ignored:

CRM/Utils/REST.php (line 292, 4.5.alpha1)
    // Check and see if a valid secret API key is provided.
    $api_key = CRM_Utils_Request::retrieve('api_key', 'String', $store, FALSE, NULL, 'REQUEST');
    if (!$api_key || strtolower($api_key) == 'null') {
      return self::error("FATAL: mandatory param 'api_key' (user key) missing");
    }
    $valid_user = CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Contact', $api_key, 'id', 'api_key');

After that line, CiviCRM validates that $valid_user isn't empty. If it is, it raises an authentication error. Otherwise, it continues but the value stored at the local variable $valid_user (wich is the id of the contact with the given API key) is no longer used.

When the log record is created, CiviCRM runs:

CRM/Core/BAO/Log.php (line 86, 4.5.alpha1)
    if (!$userID) {
      $session = CRM_Core_Session::singleton();
      $userID = $session->get('userID');
    }

    if (!$userID) {
      $userID = $contactID;
    }

    if (!$userID) {
      return;
    }

Before the assignation of $contactID as the author of the changes, I've added this:

    if (!$userID) {
      $api_key = CRM_Utils_Request::retrieve('api_key', 'String', $store, FALSE, NULL, 'REQUEST');

      if ($api_key && strtolower($api_key) != 'null') {
        $userID = CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Contact', $api_key, 'id', 'api_key');
      }
    }
So now, changes look like made by my "API User", insted of the contact itself.

Is it a intentional behaviour? Or should I send a pull request with the patch?

I am bit unclear on few things, let's discuss in person

Kurund

awesome