Friday 27 January 2017

Validating the API user key in the vtiger customer portal

MYC Vtiger Customer Portal with vtiger 6.4: if you put an invalid api_user and api_pass in the configuration and then try to log in to the customer portal, you will see that it lets you log in without ever verifying those keys. The configuration file generated by MYC Vtiger Customer Portal is shown below.

<?php
// Configuration as generated by MYC Vtiger Customer Portal
// ($vtiger_path and $upload_dir are assigned earlier in the same file).
return array (
  'date_format'      => 'd-m-Y',
  'portal_theme'     => 'default',
  'admin_user'       => 'admin',
  'admin_pass'       => 'admin',
  'admin_email'      => 'test@code2you.com',
  'vtiger_path'      => $vtiger_path,
  'upload_dir'       => $upload_dir,
  'default_timezone' => '',
  'default_charset'  => 'UTF-8',
  'default_language' => 'en_us',
  'api_user'         => 'admin',         // vtiger webservice user
  'api_pass'         => 'KLkUoAKPbNsLEa6w', // that user's webservice access key
  'google_api_key'   => '',
  'hiddenmodules'    => array(),         // value not shown on the page; an empty array keeps the file valid
);
To add this missing security check, edit the portal.php file in the root of the folder where MYC Vtiger Customer Portal is installed. Open the file and find the class User with its static method User::check_login(). Api::connect() is a built-in function provided by the MYC customer portal; it lives in index.php in the root folder. If something goes wrong, for example the API user or API password is not valid, it returns one of the constants NOT_CONFIGURED or API_LOGIN_FAILED. The code below not only checks api_user and api_pass against vtiger 6.4 but also validates the portal username and password.
class User {
    /*****************************************************************************
     * Function: User::check_login()
     *****************************************************************************/
    public static function check_login() {
        global $opresult;
        /* Added by code2you: connect to the vtiger API first so its status can gate the portal login */
        $crm_api_status = Api::connect();
        /* End */

        // ADDED TO ENABLE THEME SWITCHING
        if (isset($_REQUEST['theme']) && $_REQUEST['theme'] != "" && is_dir("themes/" . $_REQUEST['theme']))
            $_SESSION["portal_theme"] = $_REQUEST['theme'];
        if (isset($_SESSION["portal_theme"]))
            $currtheme = $_SESSION['portal_theme'];
        else
            $currtheme = $GLOBALS["portal_theme"];
        //********************************

        if (isset($_REQUEST['logout'])) {
            session_unset();
            $_SESSION["portal_theme"] = $currtheme;
            header("Location: index.php");
            die();
        }

        if (!isset($_SESSION['loggeduser']) || $_SESSION["loggeduser"] == "ERROR") {
            $login = false;
            /* ORIGINAL LINES */
            //if (isset($_REQUEST["email"]) && isset($_REQUEST["pass"]))
            //    $login = User::portal_login($_REQUEST["email"], $_REQUEST["pass"]);
            /* END */

            /* Added condition for api keys issue code2you: refuse the portal login
               when the API credentials were not configured or were rejected by vtiger */
            if (isset($_REQUEST["email"]) && isset($_REQUEST["pass"])) {
                if ($crm_api_status == "NOT_CONFIGURED" || $crm_api_status == "API_LOGIN_FAILED") {
                    $loginerror = API_LOGIN_FAILED;
                } else {
                    $login = User::portal_login($_REQUEST["email"], $_REQUEST["pass"]);
                }
            }
            /* End */

            if (isset($_REQUEST["email"]) && isset($_REQUEST["forgot"]))
                $lres = User::forgot_password($_REQUEST["email"]);

            // $login stays false when no login was attempted or it was blocked above,
            // so only index into it when portal_login() actually returned an array
            if (!$login || (is_array($login) && $login[0] == "INVALID_USERNAME_OR_PASSWORD")) {
                if (is_array($login) && $login[0] == "INVALID_USERNAME_OR_PASSWORD")
                    $loginerror = $login[0];
                if (isset($lres) && $lres == "ERROR")
                    $forgot_loginerror = "The Email you Request is not in our system!";
                else if (isset($lres) && $lres == "SUCCESS")
                    $forgot_successmess = "We have send an email of your password at the address!";
                // login.php is included from inside this method, so $loginerror,
                // $forgot_loginerror and $forgot_successmess are visible to the template
                if (file_exists("themes/" . $currtheme . "/login.php"))
                    require_once("themes/" . $currtheme . "/login.php");
                else
                    require_once("themes/default/login.php");
                session_unset();
                die();
            }
        } else {
            User::portal_login($_SESSION['loggeduser']['user_name'], $_SESSION['loggeduser']['user_password']);
        }

        if (isset($_SESSION['loggeduser']) && isset($_REQUEST['fun']) && $_REQUEST['fun'] == "changepassword")
            $GLOBALS["opresult"] = User::change_password();
        if (isset($_SESSION['loggeduser']) && isset($_REQUEST['fun']) && $_REQUEST['fun'] == "wevservice")
            $GLOBALS["opresult"] = User::callWebservice();
    }
}
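As an added example that is not the MYC portal's own code: a self-contained PHP sketch of the same fail-closed gate. The api_connect() function stands in for what Api::connect() should return; its challenge/login handshake (getchallenge for a token, then login with md5(token . accessKey)) is my assumption about vtiger's webservice, and the transport is an injected, constructed fake so the script runs offline and shows the wrong key being refused before portal_login() is ever reached.

```php
<?php
// Added example, not the MYC portal's code. api_connect() mirrors what a
// fail-closed Api::connect() should return; the challenge/login handshake
// is an assumption about vtiger's webservice.php, and $http is injected so
// this runs offline against a constructed fake server.
define('NOT_CONFIGURED', 'NOT_CONFIGURED');
define('API_LOGIN_FAILED', 'API_LOGIN_FAILED');
define('API_OK', 'API_OK');

function api_connect(array $config, callable $http) {
    if (empty($config['api_user']) || empty($config['api_pass'])) {
        return NOT_CONFIGURED;
    }
    $challenge = $http(array('operation' => 'getchallenge',
                             'username'  => $config['api_user']));
    if (empty($challenge['success'])) {
        return API_LOGIN_FAILED;
    }
    $login = $http(array(
        'operation' => 'login',
        'username'  => $config['api_user'],
        'accessKey' => md5($challenge['result']['token'] . $config['api_pass']),
    ));
    return empty($login['success']) ? API_LOGIN_FAILED : API_OK;
}

// The gate the post adds: never reach portal_login() unless the API
// credentials were verified. Returns a result array instead of rendering.
function gate_login(array $config, callable $http, callable $portal_login, $email, $pass) {
    $status = api_connect($config, $http);
    if ($status !== API_OK) {
        return array('ok' => false, 'error' => $status);
    }
    return $portal_login($email, $pass);
}

// Constructed fake webservice: accepts only the key from the post's config.
$fake_vtiger = function (array $p) {
    $token = 'constructed-token';
    if ($p['operation'] === 'getchallenge') {
        return array('success' => true, 'result' => array('token' => $token));
    }
    return array('success' => $p['accessKey'] === md5($token . 'KLkUoAKPbNsLEa6w'));
};
$portal_login = function ($email, $pass) { return array('ok' => true, 'user' => $email); };

$wrong = array('api_user' => 'admin', 'api_pass' => 'wrong-key');
$right = array('api_user' => 'admin', 'api_pass' => 'KLkUoAKPbNsLEa6w');
var_dump(gate_login($wrong, $fake_vtiger, $portal_login, 'user@example.com', 'pw')); // wrong key: blocked
var_dump(gate_login($right, $fake_vtiger, $portal_login, 'user@example.com', 'pw')); // right key: portal_login() reached
```

The status strings are compared with `!==` against a single success constant, so any new failure code Api::connect() might return also fails closed instead of slipping through an equality list.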