<div dir="ltr"><div>Argh. Just FYI, ctrl+enter in Gmail sends the email (on accident).<br></div><div><br></div><div style>I considered adding in some sort of security to prevent plain text password login if not on HTTPS, but the main CRM login doesn't check, and neither does modules/Mobile/api/ws/Login.php<br>
</div><div><br></div><div>[1] <a href="http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7668#comment:1">http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7668#comment:1</a></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Wed, Apr 3, 2013 at 2:12 PM, Adam Heinz <span dir="ltr"><<a href="mailto:amh@metricwise.net" target="_blank">amh@metricwise.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">I went ahead and implemented this feature [1].</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Mar 21, 2013 at 1:13 PM, Adam Heinz <span dir="ltr"><<a href="mailto:amh@metricwise.net" target="_blank">amh@metricwise.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Why do we need both? I've recently written a small mobile application (barcode scanner on a Windows Mobile device) to track Assets. It uses the web service for everything. The web service only allows login with accessKey, not password. Originally, we thought this wasn't a big deal, but we've run into a number of problems:<div>
<br></div><div>1. There is no mechanism for changing the accessKey. It's randomly generated as something a human could never remember, and it is not possible to edit it from Settings > Users as an administrator.</div>
<div>2. The accessKey is stored in the database as plain text, and displayed via Settings > Users.</div><div><br></div><div>The simplest thing for our customers' warehouse staff would be to use the same password that they use to access the CRM. I'm strongly inclined to add a password login action to the web service. In the cases where we use a true access key for an automated process, we create a corresponding user, so that the ModTracker change log reflects that the automated process made the change.</div>
<div><br></div><div>The only scenario I can envision where having the separate password and accessKey is useful is if you want to prevent someone from logging into the CRM (as an automated account, perhaps), but this begs the question, why not use a single password, then add flags to the account marking whether they have web service API access, CRM access or both.</div>
<div><br></div><div>Opinions?<br></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>