[Vtigercrm-developers] SOAP services

Mike Fedyk mfedyk at mikefedyk.com
Wed Mar 22 00:11:52 PST 2006

How hard is it to do the authentication code?  If it can't be done 
quickly then let's create a variable that turns soap off when (so 
upgrades will disable soap even if the new variable is not in config.php).

Joao Oliveira wrote:
> Hello all,
> I've been looking at vtiger SOAP (version 4.2.x and 5 alpha), and i've 
> realized that there is an authentication mechanism for them, but it 
> only returns true or false...
> Once that you guys have been doing a great effort in order to improve 
> security, but i think that all security is possible to bypass by 
> accessing by SOAP Services. Am I wrong ?
> for example...
> method DeleteTasks($username,$crmid) in vtigerolservice.php
> If i'm a stranger, i still can do something like DeleteTasks('admin', 
> 1); without any kind of authentication ...
> IMHO, it should be used any kind of token authentication and saved in 
> $_SERVER[] variable, or authenticate an user with username/password 
> each time one method is call.
> Best Regards
> João Oliveira.
> ------------------------------------------------------------------------
> _______________________________________________
> This vtiger.com email is sponsored by Zoho Planner. Still scribbling down your To-Do's on bits of paper & palms of your hands? Try the AJAX enabled, personal organizer online, Zoho Planner for FREE instead! http://zohoplanner.com/?vt 

More information about the vtigercrm-developers mailing list