vTiger Customizations – Part 2 – Enforcing strong passwords
UPDATE 10/5/2010: I submitted the updates to the Trac site for vTiger as diff updates to the 5.2.0 RC code, which might be easier to use to update the code.
One of the things that really bothers me is that there are no built-in password restrictions for users in vTiger. That means if a user wants to set his/her password to the number 1, they can do that. That leaves the user’s account VERY vulnerable to attack.
It’s very easy to implement enforcement of strong passwords in vTiger. There are 2 places we need to implement this: in Javascript and in the actual PHP code. By implementing this in Javascript, the user is alerted immediately that their password doesn’t meet the password requirements without requiring a post to the server. By implementing this in the actual PHP code, we can ensure that the user didn’t try to bypass the Javascript (for instance, they may have Javascript turned off in their browser).
In addition to making changes in Javascript and the PHP code, we need to make these changes to the Customer Portal as well. Since the Customer Portal is considered a separate module, I’ll cover how to enforce strong passwords in the Customer portal in another post. We’ll divide this update into 2 parts:
1.) vtigercrm Front end password enforcement (vtigercrm Javascript)
2.) vtigercrm Back end password enforcement (vtigercrm PHP code)
I’ll go through each section and outline the changes to make. In the snippets below, lines prefixed with a minus sign (-) are existing code shown for context and are left as they are; the unprefixed lines are the new code to add.
1.) vtigercrm Front end password enforcement – update to the verify_data function in vtigercrm/modules/Users/Forms.php
Line: 163
var passwordCheckRegex = new RegExp("^(?=.{7,})(((?=.*[A-Z])(?=.*[a-z]))|((?=.*[A-Z])(?=.*[0-9]))|((?=.*[a-z])(?=.*[0-9]))).*$", "g");
if (passwordCheckRegex.test(trim(form.user_password.value)) == false) {
    isError = true;
    errorMessage += 'Password not strong enough. Please enter a password 8 characters or more, 1 upper case letter, 1 lower case letter and 1 number';
    oField_miss = form.user_password;
}
Line: 214
-if(trim(form.user_password.value) != trim(form.confirm_password.value))
-{
-    set_fieldfocus("The password does't match", form.user_password);
-    return false;
-}
var passwordCheckRegex = new RegExp("^(?=.{7,})(((?=.*[A-Z])(?=.*[a-z]))|((?=.*[A-Z])(?=.*[0-9]))|((?=.*[a-z])(?=.*[0-9]))).*$", "g");
if (passwordCheckRegex.test(trim(form.user_password.value)) == false) {
    set_fieldfocus('Password not strong enough. Please enter a password 8 characters or more, 1 upper case letter, 1 lower case letter and 1 number', form.user_password);
    return false;
}
-check_duplicates();
In file: vtigercrm/modules/Users/ChangePassword.php at Line 40 and Line 56
-function set_password(form) {
    var passwordCheckRegex = new RegExp("^(?=.{7,})(((?=.*[A-Z])(?=.*[a-z]))|((?=.*[A-Z])(?=.*[0-9]))|((?=.*[a-z])(?=.*[0-9]))).*$", "g");
    …
    if (passwordCheckRegex.test(trim(form.new_password.value)) == false) {
        alert('Password not strong enough. Please enter a password 8 characters or more, 1 upper case letter, 1 lower case letter and 1 number');
        return false;
    }
2.) vtigercrm Back end password enforcement in file vtigercrm/modules/Users/Users.php:
Line: 526
-if( !isset($new_password) || $new_password == "") {
-    $this->error_string = $mod_strings['ERR_PASSWORD_CHANGE_FAILED_1'].$user_name.$mod_strings['ERR_PASSWORD_CHANGE_FAILED_2'];
-    return false;
-}
if (!(preg_match('/^(?=.{7,})(((?=.*[A-Z])(?=.*[a-z]))|((?=.*[A-Z])(?=.*[0-9]))|((?=.*[a-z])(?=.*[0-9]))).*$/', $new_password, $matches) >= 1)) {
    $this->error_string = 'Password not strong enough. Please enter a password 8 characters or more, 1 upper case letter, 1 lower case letter and 1 number';
    return false;
}
-$encrypted_password = $this->encrypt_password($user_password);
NOTE: I did not create this regex. I used the medium regex created by Doug in his post found here.
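As an added example (not code from this post or from vTiger itself), here is a small JavaScript harness that runs the post's regex against constructed sample passwords and compares it with a stricter pattern, STRICT_PATTERN, which is my own assumption rather than anything in the post, that enforces everything the error message promises (8+ characters, an upper case letter, a lower case letter and a number). Because the PHP preg_match check uses the same pattern, the results apply to the back end as well; the harness also shows why the "g" flag is only harmless because the post builds a fresh RegExp on every call.

```javascript
// Added example, not from the original post: exercise the post's "medium" regex
// against constructed sample passwords and compare it with a stricter pattern.

// The pattern exactly as used in the post's Forms.php / ChangePassword.php / Users.php.
const MEDIUM_PATTERN =
  '^(?=.{7,})(((?=.*[A-Z])(?=.*[a-z]))|((?=.*[A-Z])(?=.*[0-9]))|((?=.*[a-z])(?=.*[0-9]))).*$';

// Assumption (not in the post): a pattern that enforces what the error message states,
// i.e. 8+ characters AND upper case AND lower case AND digit.
const STRICT_PATTERN = '^(?=.{8,})(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).*$';

function passesMedium(password) {
  // A fresh RegExp per call, like the post's code; the "g" flag does no harm here
  // because lastIndex never carries over between calls.
  return new RegExp(MEDIUM_PATTERN, 'g').test(password.trim());
}

function passesStrict(password) {
  return new RegExp(STRICT_PATTERN).test(password.trim());
}

// Why the "g" flag must not be combined with a reused RegExp object: after a
// successful test(), lastIndex advances, so the next test() on the same string
// starts past the "^" anchor and fails even though the password is unchanged.
function reusedGlobalRegexIsStateful(password) {
  const re = new RegExp(MEDIUM_PATTERN, 'g');
  const first = re.test(password);
  const second = re.test(password);
  return first && !second;
}

// Run both checks over a list of passwords and report the verdicts.
function evaluate(samples) {
  return samples.map((pw) => ({ pw, medium: passesMedium(pw), strict: passesStrict(pw) }));
}

// Constructed sample inputs (not real credentials).
const SAMPLES = [
  '1',         // the post's worst case: rejected by both checks
  'Abcdefg',   // 7 chars, upper+lower, no digit: medium accepts, message says it should not
  'abcdefg1',  // 8 chars, lower+digit, no upper: medium accepts, strict rejects
  'Abcdefg1',  // meets everything the error message promises
];

if (typeof require !== 'undefined' && require.main === module) {
  console.table(evaluate(SAMPLES));
}
```

Running it shows that the post's regex accepts 7-character passwords that contain only two of the three character classes, so the rule actually enforced is weaker than the one the error message describes.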
And there you have it. Next post, how to enforce strong passwords in the customer portal module.
Resources: Check Password Strength with Javascript and Regular Expressions
6 Responses to vTiger Customizations – Part 2 – Enforcing strong passwords
There are two fields in the vtiger_users table – user_password and confirm_password and they contain different values. How is the latter generated?
That’s a very good question. Unfortunately, I don’t have the answer to it. The best I can offer is this post from prasad on the vtiger forums: http://forums.vtiger.com/viewtopic.php?t=34520&sid=e5cd8739a8fa77e9ebdf4f5fac1b49c7
However, the post really doesn’t make it clear as to what the difference is between those 2 fields.
One thing in the code that may help you: in vtigercrm/modules/Users/Users.php on start line 391, this snippet of code suggests that user_password is the field that is actually used for authentication:
default:
    $this->log->debug("Using integrated/SQL authentication");
    $encrypted_password = $this->encrypt_password($user_password);
    $query = "SELECT * from $this->table_name where user_name=? AND user_password=?";
    $result = $this->db->requirePsSingleResult($query, array($usr_name, $encrypted_password), false);
    if (empty($result)) {
        return false;
    } else {
        return true;
    }
    break;
Password checking is something we have been meaning to implement in our installation for a while. Thank you for this!
Hi Christopher,
Do you know what I need to do to get this working with version 5.1.0? I followed your code but just got errors.
Any help would be appreciated,
Vekondja,
I wasn’t really doing much with vTiger in version 5.1.0. My experience with vTiger is with 5.2.0 and later, so I probably won’t be much help. If you upgrade to 5.2.0, the instructions should work for you.