[Vtigercrm-developers] SOAP services

Joao Oliveira joaopcoliveira at gmail.com
Tue Mar 21 06:43:25 PST 2006


Hello all,

I've been looking at vtiger SOAP (version 4.2.x and 5 alpha), and I've
realized that there is an authentication mechanism for them, but it only
returns true or false...

You guys have been making a great effort to improve security, but I think
that all of that security can be bypassed by going through the SOAP
services. Am I wrong?

For example...

method DeleteTasks($username,$crmid) in vtigerolservice.php

If I'm a stranger, I can still do something like DeleteTasks('admin', 1);
without any kind of authentication...

IMHO, some kind of token authentication should be used, with the token saved
in the $_SERVER[] variable, or the user should be authenticated with
username/password each time a method is called.

Best Regards
João Oliveira.
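
The per-call token check suggested in the message above, next to the unchecked pattern it describes. This is an added example, not part of the original post and not vtiger code: every function name, the in-memory arrays standing in for a server-side session store, the owner-only delete rule, and the sample data are assumptions made for illustration.

```php
<?php
// Added illustration; all names are hypothetical, none of this is vtiger code.
// Login issues an opaque token instead of returning only true/false.
function login(array &$tokens, array $users, string $username, string $password): ?string {
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return null;
    }
    $token = bin2hex(random_bytes(32));     // 256 random bits, not guessable
    $tokens[$token] = ['user' => $username, 'expires' => time() + 900];
    return $token;
}

// Map a token back to its user; null when the token is unknown or expired.
function userForToken(array $tokens, string $token): ?string {
    $entry = $tokens[$token] ?? null;
    if ($entry === null || $entry['expires'] < time()) {
        return null;
    }
    return $entry['user'];
}

// The pattern the message describes: the caller names a user, nothing proves it.
function deleteTaskUnchecked(array &$tasks, string $username, int $id): bool {
    unset($tasks[$id]);
    return true;
}

// Hardened form: identity comes from the token, then ownership is checked.
function deleteTaskChecked(array &$tasks, array $tokens, string $token, int $id): bool {
    $user = userForToken($tokens, $token);
    if ($user === null) {
        return false;                       // caller is not authenticated
    }
    if (($tasks[$id] ?? null) !== $user) {
        return false;                       // authenticated, but not the owner
    }
    unset($tasks[$id]);
    return true;
}

// Constructed sample data: task id => owning user, and one user account.
$tasks  = [1 => 'admin', 2 => 'joao'];
$users  = ['joao' => password_hash('constructed-password', PASSWORD_DEFAULT)];
$tokens = [];
$token  = login($tokens, $users, 'joao', 'constructed-password');
var_dump(deleteTaskChecked($tasks, $tokens, 'not-a-token', 1)); // case: unknown token
var_dump(deleteTaskChecked($tasks, $tokens, $token, 1));        // case: task owned by another user
var_dump(deleteTaskChecked($tasks, $tokens, $token, 2));        // case: caller's own task
```

The hardened method takes no username parameter at all, so a caller cannot act as another user by naming them.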