Details
- Type: Bug
- Status: Done/Fixed
- Priority: Trivial
- Resolution: Fixed/Completed
- Affects Version/s: 4.3.7
- Fix Version/s: 4.5
- Component/s: CiviCRM API
- Labels: None
Description
If I update a contact record using the API, it looks like the contact updated the data itself. The corresponding record in the log table has the contact id as the "modified_id", which is supposed to be the author of the change.
The ID of the user related to the provided api_key is being verified but then ignored:
CRM/Utils/REST.php (line 292, 4.5.alpha1)
// Check and see if a valid secret API key is provided.
$api_key = CRM_Utils_Request::retrieve('api_key', 'String', $store, FALSE, NULL, 'REQUEST');
if (!$api_key || strtolower($api_key) == 'null') {
  // ... (body missing from this report)
}
// Look up the id of the contact that owns this API key.
$valid_user = CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Contact', $api_key, 'id', 'api_key');
After that line, CiviCRM validates that $valid_user isn't empty. If it is, it raises an authentication error. Otherwise, it continues, but the value stored in the local variable $valid_user (which is the id of the contact with the given API key) is no longer used.
When the log record is created, CiviCRM runs:
CRM/Core/BAO/Log.php (line 86, 4.5.alpha1)
if (!$userID) {
  // ... (body missing from this report)
}
if (!$userID) {
  // Falls back to the contact being modified as the author of the change.
  $userID = $contactID;
}
if (!$userID) {
  return;
}
Before the assignment of $contactID as the author of the changes, it is missing:
if (!$userID) {
  $api_key = CRM_Utils_Request::retrieve('api_key', 'String', $store, FALSE, NULL, 'REQUEST');
  if ($api_key && strtolower($api_key) != 'null') {
    // Attribute the change to the contact that owns the API key.
    $userID = CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Contact', $api_key, 'id', 'api_key');
  }
}
Previously notified at: http://forum.civicrm.org/index.php/topic,30202.0.html
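
The attribution order described in this report, as an added stand-alone example (not CiviCRM code and not from the reporter): it compares which id ends up as the log author before and after the proposed check. The contact ids, the key value and the function names contactIdForApiKey, modifierBefore and modifierAfter are constructed for illustration.

```php
<?php
// Added illustration, not CiviCRM code. Constructed data: contact id => api_key.
const CONTACT_API_KEYS = [
    7  => 'constructed-key-for-integration-user',
    42 => null, // the contact being edited has no API key
];

// Stand-in for the getFieldValue(..., $api_key, 'id', 'api_key') lookup.
function contactIdForApiKey(?string $apiKey): ?int
{
    if ($apiKey === null || $apiKey === '' || strtolower($apiKey) === 'null') {
        return null;
    }
    foreach (CONTACT_API_KEYS as $id => $key) {
        if ($key !== null && hash_equals($key, $apiKey)) {
            return $id;
        }
    }
    return null;
}

// Order as reported: an already-known $userID, then the edited contact itself.
function modifierBefore(?int $userID, int $contactID, ?string $apiKey): int
{
    return $userID ?: $contactID;
}

// Order with the proposed check: the API key owner is tried before the fallback.
function modifierAfter(?int $userID, int $contactID, ?string $apiKey): int
{
    return $userID ?: (contactIdForApiKey($apiKey) ?: $contactID);
}

// Constructed cases: [known userID, edited contactID, api_key from the request].
$cases = [
    'known user 3 edits 42'       => [3, 42, null],
    'REST call with key edits 42' => [null, 42, 'constructed-key-for-integration-user'],
    'REST call, key "null"'       => [null, 42, 'null'],
];
foreach ($cases as $label => [$userID, $contactID, $apiKey]) {
    printf("%-28s before=%d after=%d\n", $label,
        modifierBefore($userID, $contactID, $apiKey),
        modifierAfter($userID, $contactID, $apiKey));
}
```

Only the second case differs between the two orders: a keyed REST write is logged against the edited contact before the check and against the key's owner after it.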