[Vtigercrm-developers] password vs accessKey

Adam Heinz amh at metricwise.net
Wed Apr 3 18:15:35 UTC 2013


Argh. Just FYI, ctrl+enter in Gmail sends the email (on accident).

I considered adding in some sort of security to prevent plain text password
login if not on HTTPS, but the main CRM login doesn't check, and neither
does modules/Mobile/api/ws/Login.php

[1] http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7668#comment:1


On Wed, Apr 3, 2013 at 2:12 PM, Adam Heinz <amh at metricwise.net> wrote:

> I went ahead and implemented this feature [1].
>
>
> On Thu, Mar 21, 2013 at 1:13 PM, Adam Heinz <amh at metricwise.net> wrote:
>
>> Why do we need both?  I've recently written a small mobile application
>> (barcode scanner on a Windows Mobile device) to track Assets.  It uses the
>> web service for everything.  The web service only allows login with
>> accessKey, not password.  Originally, we thought this wasn't a big deal,
>> but we've run into a number of problems:
>>
>> 1. There is no mechanism for changing the accessKey.  It's randomly
>> generated as something a human could never remember, and it is not possible
>> to edit it from Settings > Users as an administrator.
>> 2. The accessKey is stored in the database as plain text, and displayed
>> via Settings > Users.
>>
>> The simplest thing for our customers' warehouse staff would be to use the
>> same password that they use to access the CRM.  I'm strongly inclined to
>> add a password login action to the web service.  In the cases where we use
>> a true access key for an automated process, we create a corresponding user,
>> so that the ModTracker change log reflects that the automated process made
>> the change.
>>
>> The only scenario I can envision where having the separate password and
>> accessKey is useful is if you want to prevent someone from logging into the
>> CRM (as an automated account, perhaps), but this begs the question, why not
>> use a single password, then add flags to the account marking whether they
>> have web service API access, CRM access or both.
>>
>> Opinions?
>>
>
>
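The two concerns raised in the thread, refusing a plain-text password login when the request did not arrive over HTTPS and keeping the accessKey out of the database in plain text, can be shown together in a small PHP sketch. This is an added example, not vtiger code and not the patch referenced in ticket 7668; the function names, the `$server` array argument (a stand-in for `$_SERVER`) and the `$trustProxyHeader` switch are assumptions, and it needs PHP 7 or later for `random_bytes`.

```php
<?php
// Added example, not part of vtiger: transport check for password logins and
// hashed storage of the web-service access key.

/**
 * True when the request arrived over TLS.
 * $server is the $_SERVER array (passed in so the check is testable).
 * X-Forwarded-Proto is only honoured when a trusted reverse proxy sets it,
 * because a client can send that header itself.
 */
function isHttpsRequest(array $server, bool $trustProxyHeader = false): bool
{
    if (!empty($server['HTTPS']) && strtolower((string)$server['HTTPS']) !== 'off') {
        return true;
    }
    if (isset($server['SERVER_PORT']) && (int)$server['SERVER_PORT'] === 443) {
        return true;
    }
    return $trustProxyHeader
        && isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower((string)$server['HTTP_X_FORWARDED_PROTO']) === 'https';
}

/**
 * Guard for a password-based web-service login action: the password would
 * cross the wire in clear text over plain HTTP, so reject the attempt early.
 */
function requireHttpsForPasswordLogin(array $server, bool $trustProxyHeader = false): void
{
    if (!isHttpsRequest($server, $trustProxyHeader)) {
        http_response_code(403);
        throw new RuntimeException('Password login is only accepted over HTTPS');
    }
}

/**
 * Issue a fresh access key. The clear-text key is returned once so it can be
 * shown to the user; only the hash is meant to be written to the database,
 * which also gives administrators a way to rotate it.
 */
function rotateAccessKey(): array
{
    $key = bin2hex(random_bytes(16));   // 32 hex characters, not meant to be memorised
    return [
        'accessKey'     => $key,
        'accessKeyHash' => password_hash($key, PASSWORD_DEFAULT),
    ];
}

/** Verify a presented access key against the stored hash (constant-time compare). */
function verifyAccessKey(string $presented, string $storedHash): bool
{
    return password_verify($presented, $storedHash);
}

// Constructed demonstration (no real requests or users involved).
$rotated = rotateAccessKey();
var_dump(verifyAccessKey($rotated['accessKey'], $rotated['accessKeyHash']));
var_dump(verifyAccessKey('wrong-key', $rotated['accessKeyHash']));
var_dump(isHttpsRequest(['HTTPS' => 'on']));
var_dump(isHttpsRequest(['SERVER_PORT' => '80']));

try {
    requireHttpsForPasswordLogin(['SERVER_PORT' => '80']);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

With the key stored only as a hash, Settings > Users can no longer display the current value, which is the point: an administrator regenerates it with `rotateAccessKey()` and hands the new value to the user once. The HTTPS guard belongs at the top of the login action so the password is never even compared when it arrived in clear text.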