[Vtigercrm-developers] SOAP services
Mike Fedyk
mfedyk at mikefedyk.com
Wed Mar 22 00:11:52 PST 2006
How hard is it to do the authentication code? If it can't be done
quickly then let's create a variable that turns soap off when (so
upgrades will disable soap even if the new variable is not in config.php).
Joao Oliveira wrote:
> Hello all,
>
> I've been looking at vtiger SOAP (version 4.2.x and 5 alpha), and I've
> realized that there is an authentication mechanism for them, but it
> only returns true or false...
>
> Once that you guys have been doing a great effort in order to improve
> security, but I think that all security is possible to bypass by
> accessing by SOAP Services. Am I wrong?
>
> for example...
>
> method DeleteTasks($username,$crmid) in vtigerolservice.php
>
> If I'm a stranger, I still can do something like DeleteTasks('admin',
> 1); without any kind of authentication ...
>
> IMHO, it should be used any kind of token authentication and saved in
> $_SERVER[] variable, or authenticate a user with username/password
> each time one method is called.
>
> Best Regards
> João Oliveira.
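
The two suggestions in this thread, a SOAP switch that stays off when config.php does not define it and a username/password check on every call, are shown together below. This is an added example, not code from the original messages or from vtiger; it assumes modern PHP, and `soap_services_enabled`, `soapEnabled`, `authenticateCaller`, `deleteTasksGuarded` and the task-ownership rule are hypothetical.

```php
<?php
// Added example: all names here are hypothetical, not vtiger's API.

// Fail closed: a config.php written before the flag existed does not set
// it, so SOAP stays off after an upgrade until an admin opts in.
function soapEnabled(array $config): bool
{
    return ($config['soap_services_enabled'] ?? false) === true;
}

// Username/password check on each call. Unknown users are verified against
// a dummy hash so response timing does not reveal which names exist.
function authenticateCaller(array $users, string $username, string $password): bool
{
    static $dummy = null;
    $dummy = $dummy ?? password_hash('placeholder', PASSWORD_DEFAULT);
    $known = isset($users[$username]);
    return password_verify($password, $known ? $users[$username] : $dummy) && $known;
}

// Guarded stand-in for a method shaped like DeleteTasks($username, $crmid).
function deleteTasksGuarded(array $config, array $users, array &$tasks,
    string $username, string $password, int $crmid): string
{
    if (!soapEnabled($config)) {
        return 'SOAP_DISABLED';
    }
    if (!authenticateCaller($users, $username, $password)) {
        return 'AUTH_FAILED';
    }
    // Assumed rule for this example: a user may only delete their own task.
    if (($tasks[$crmid] ?? null) !== $username) {
        return 'NOT_ALLOWED';
    }
    unset($tasks[$crmid]);
    return 'DELETED';
}

// Constructed sample data: one user, one task owned by that user.
$users = ['admin' => password_hash('correct horse', PASSWORD_DEFAULT)];
$tasks = [1 => 'admin'];
$on = ['soap_services_enabled' => true];

// Flag missing from config, wrong password, then a valid call.
echo deleteTasksGuarded([], $users, $tasks, 'admin', 'correct horse', 1), "\n";
echo deleteTasksGuarded($on, $users, $tasks, 'admin', 'guess', 1), "\n";
echo deleteTasksGuarded($on, $users, $tasks, 'admin', 'correct horse', 1), "\n";
```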