2 files changed, 19 insertions, 3 deletions

diff --git a/application/controllers/api/v1/user.php b/application/controllers/api/v1/user.php
index 4c2e5345d..39c833d86 100644
--- a/application/controllers/api/v1/user.php
+++ b/application/controllers/api/v1/user.php
@@ -21,9 +21,19 @@ class user extends \controllers\api\api_controller {
 		$this->muser->require_access("full");
 		return send_json_reply(\service\user::apikeys($this->muser->get_userid()));
 	}
-	
+
 	public function create_apikey()
 	{
-		// TODO: implement
+		$this->muser->require_access("full");
+		$userid = $this->muser->get_userid();
+		$comment = $this->input->post("comment");
+		$comment = $comment === false ? "" : $comment;
+		$access_level = $this->input->post("access_level");
+
+		$key = \service\user::create_apikey($userid, $comment, $access_level);
+
+		return send_json_reply(array(
+			"new_key" => $key,
+		));
 	}
 }
diff --git a/application/core/MY_Controller.php b/application/core/MY_Controller.php
index 1e724a865..fc08b10ae 100644
--- a/application/core/MY_Controller.php
+++ b/application/core/MY_Controller.php
@@ -66,7 +66,13 @@ class MY_Controller extends CI_Controller {
 			show_error("Function not JSON enabled");
 		}
 
-		if ($this->input->post("apikey") !== false) {
+		if ($this->uri->segment(1) == "api") {
+			is_cli_client(true);
+		}
+
+		if ($this->input->post("apikey") !== false
+				|| ($this->input->post("username") !== false
+					&& $this->input->post("password") !== false)) {
 			/* This relies on the authentication code always verifying the supplied
 			 * apikey. If the key is not verified/logged in an attacker could simply
 			 * add an empty "apikey" field to the CSRF form to circumvent the