Thread: Sugarcrm + Joomla + Password Hash

  1. #1
    midiguy732 is offline Junior Member
    Join Date
    Oct 2008
    Posts
    3

    Default Sugarcrm + Joomla + Password Hash

    Our new website will be Joomla 1.5 based, running in "legacy mode". We installed SugarCRM in a directory underneath that, and from Joomla (with some custom php scripts in between), we call SugarCRM with username and password information embedded in the URL. Like so:

    Code:
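    <?php
    
      // Current Joomla user; ->password is Joomla's stored hash, not the clear-text password.
      $user =& JFactory::getUser();
      $href = "http://ourinternalwebsite/sugarcrm/index.php?action=Authenticate&module=Users"
            . "&user_name=" . urlencode($user->username)
            . "&user_password=" . urlencode($user->password);
      echo '<a href="' . htmlspecialchars($href) . '">Customer Relationship Management</a>';
    
    ?>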
    The above works if we manually load $user->password with a clear text password, which of course Joomla does not provide - instead, it provides I believe an MD5 hashed password. The above PHP snippet essentially provides the user with a link to click which in theory would go directly into SugarCRM, bypassing the login screen for single sign-on functionality.

    Is there a nifty/fairly easy way of passing the username and password hash to Sugar on the URL?

    After reading much of the SugarCRM documentation, this wasn't particularly obvious as to whether this can be done, or not.

    In case it matters, we are one version back with SugarCRM (4.51 I believe) and utilizing the Community Edition (the free one).

    We do not mind modifying SugarCRM code if necessary, but at a loss as to where to begin.

    Thank you in advance!

    Frederic

  2. #2
    eggsurplus is offline Sugar Community Member
    Join Date
    Dec 2005
    Location
    Minnesota
    Posts
    2,343

    Default Re: Sugarcrm + Joomla + Password Hash

    I'd suggest looking into a SSO solution as passing the user/pass through a url is highly insecure in so many ways. It's a setup for disaster.

  3. #3
    midiguy732 is offline Junior Member
    Join Date
    Oct 2008
    Posts
    3

    Default Re: Sugarcrm + Joomla + Password Hash

    I appreciate your concern; however, this is for our company intranet, therefore there is no public exposure. Also, the URL bar is hidden in all the internal desktops that access our intranet - for this very reason.

    I'll check out the SSO features in the meantime, but I was hoping for an example of code we could build from.

    Thanks again

  4. #4
    eggsurplus is offline Sugar Community Member
    Join Date
    Dec 2005
    Location
    Minnesota
    Posts
    2,343

    Default Re: Sugarcrm + Joomla + Password Hash

    Just did a search and found an old post I made that accomplishes what you're doing. BTW, we did go to SSO afterwards by utilizing Crowd which is part of our Atlassian suite.

    http://www.sugarcrm.com/forums/showp...63&postcount=4

  5. #5
    midiguy732 is offline Junior Member
    Join Date
    Oct 2008
    Posts
    3

    Default Re: Sugarcrm + Joomla + Password Hash

    Thank you EggSurplus.... I gave that a try, and checked the syntax about four times without any joy... obviously I did something grotesquely incorrect.

    Nonetheless, I crudely solved the problem another way. I created a php file called "syncpasswords.php" and it's called every time a user changes their password on the joomla "your details" form, using a php include.

    Code:
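    <?php
    
      // Current Joomla user; ->password holds Joomla's stored hash, not the clear text.
      $joomlauser =& JFactory::getUser();
    
      // $dbh is the open connection to the SugarCRM database (opened outside this snippet).
      // Escape both values instead of interpolating them raw into the SQL.
      $username  = mysql_real_escape_string($joomlauser->username, $dbh);
      $hpassword = mysql_real_escape_string(trim(strtolower(md5($joomlauser->password))), $dbh);
    
      $query = "UPDATE users SET user_hash='$hpassword' WHERE user_name='$username'";
      $passs = mysql_query($query, $dbh);
      mysql_close($dbh);
    
    ?>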
    What the above does is take the joomla hash and re-hash it and shove that re-hash into sugarCRM as the hash, rather than the password. Since sugarCRM uses md5 to create a hash from a clear-text password passed on the URL or the login form (by changing $_POST to $_REQUEST in the appropriate places of course), this works fine.

    This method would open security issues for a publicly exposed SugarCRM, which ours is not - it resides on a private server with no internet access whatsoever.

    Since the user's URL bar/window/area is hidden, they cannot see what is passed and neither can someone looking over their shoulder. They click, and magically Joomla disappears and Sugarcrm appears.

    Nifty

    Anyway, thank you for your help folks, very much appreciated.... BTW, we also did this for "webERP", our accounting package, and it works in the same manner just fine.

    The key is to have Joomla update the various databases for other packages right after it updates the password in its own database, expanding on the code above.

    And, less modification to SugarCRM code meaning upgrades are that much easier.
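
Added example, not part of the thread and not SugarCRM or Joomla code: one way to hand a logged-in user from a portal to a second application without putting the password or its hash in the link is a short-lived, single-use token signed with a key that only the two applications share. The function names, SSO_SECRET, the 30-second lifetime, the user name and the $seen nonce store are assumptions made for illustration.

```php
<?php
// Added example: signed, expiring, single-use SSO token (not code from the thread).
// SSO_SECRET is a constructed placeholder for a random key shared by both applications.
const SSO_SECRET  = 'constructed-placeholder-use-32-random-bytes';
const SSO_MAX_AGE = 30; // seconds a link stays valid (assumed value)

function b64url($bin) {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Portal side: issue a token for the user who is already logged in there.
function sso_issue($username, $now) {
    $claims  = array('u' => $username, 't' => $now, 'n' => bin2hex(random_bytes(8)));
    $payload = b64url(json_encode($claims));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, SSO_SECRET, true));
}

// Application side: return the username, or null if the token must be rejected.
// $seen stands in for a store of used nonces shared by the application's workers.
function sso_verify($token, $now, array &$seen) {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;                                   // malformed
    }
    $expect = b64url(hash_hmac('sha256', $parts[0], SSO_SECRET, true));
    if (!hash_equals($expect, $parts[1])) {
        return null;                                   // forged or altered
    }
    $claims = json_decode(base64_decode(strtr($parts[0], '-_', '+/')), true);
    if (!is_array($claims) || !isset($claims['u'], $claims['t'], $claims['n'])) {
        return null;
    }
    if ($now < $claims['t'] || $now - $claims['t'] > SSO_MAX_AGE) {
        return null;                                   // not yet valid, or expired
    }
    if (isset($seen[$claims['n']])) {
        return null;                                   // link already used once
    }
    $seen[$claims['n']] = true;
    return $claims['u'];
}

// Constructed demonstration with a fixed clock value.
$seen  = array();
$t0    = 1700000000;
$token = sso_issue('jdoe', $t0);
var_dump(sso_verify($token, $t0 + 5, $seen));                   // first use, in time
var_dump(sso_verify($token, $t0 + 6, $seen));                   // same link replayed
var_dump(sso_verify(sso_issue('jdoe', $t0), $t0 + 40, $seen));  // link older than 30 s
```

Because the link carries only the signed token, a copy that ends up in an access log, a Referer header or browser history cannot be reused once it has expired or been used, and it never reveals the password or the stored hash.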
