UPDATE 9/8/2010: I submitted the updates to the Trac site for vTiger as diff updates to the 5.2.0 RC code, which might be easier to use to update the code.
I preface this post with the title Part 1 in the subject, because I plan to post more information on customizations to vTiger as I find things that I feel are useful to more people than just myself. NOTE: This modification was done on vTiger CRM 5.2.0 RC. The final release version 5.2.0 is due out by the end of August, 2010.
I’ve been playing with the Customer Portal extension for vTiger. One thing I noticed, it stores customer passwords in cleartext in the vtiger_portalinfo table. I’m not keen on the idea of not implementing password hashing for an internet-facing deployment of a “Customer Portal” extension on a production CRM system. Hash algorithms have been around for a VERY long time and are easy to use. Furthermore, the regular users table utilized password hashing with salts, which could easily be mimicked for the Customer Portal module.
Now, this is NOT a new find. This information was reported about a month ago by someone else on the Trac site for vTiger. But, vTiger is open source so I decided to just make the change myself. From an architecture stand point, I see a couple of different ways this change could be implemented. I chose a course that I felt would be easy to modify and still offer an appropriate level of security of the passwords in the database. To implement this, there are 3 “actions” in the code that need to be modified:
1.) Creation of portal users in vTiger CRM
2.) Changing portal user passwords in the Customer Portal
3.) Authentication of portal users to the Customer Portal
We’re going to use MD5, because it’s quick and easy, and I see that vTiger uses it for the vtiger_users table. Unfortunately, the vtiger_portalinfo.user_password is only 30 characters, so we’ll need to make it larger. Log into your mysql database for vtigercrm and run this statement: ALTER TABLE vtiger_portalinfo MODIFY user_password VARCHAR(32);
Now, we need to update the code:
1.) Update the Create Customer Portal Users code in vtigercrm/modules/Contacts/Save.php (add this line: $user_hash = strtolower(md5($password)); # AND update $params – As seen below):
Line: 188
-if($insert == ‘true’)
-{
-$password = makeRandomPassword();
$user_hash = strtolower(md5($password)); // ADD THIS LINE
-$sql = “insert into vtiger_portalinfo values(?,?,?,?,?,?,?,?)”;
$params = array($focus->id, $username, $user_hash, ‘C’, ‘0000-00-00 00:00:00’, ‘0000-00-00 00:00:00’, ‘0000-00-00 00:00:00’, 1); // UPDATE THIS LINE
-$adb->pquery($sql, $params);
-}
–
2.) Update the Change Password functions
a.) Update the change_password function in vtigercrm/soap/customerportal.php (add this line: $password = strtolower(md5($password)); –> As seen below):
Start Line: 1030
-if(!empty($list[0][‘id’])){
-return array(‘MORE_THAN_ONE_USER’);
-}
$password = strtolower(md5($password)); // ADD THIS LINE
-$sql = “update vtiger_portalinfo set user_password=? where id=? and user_name=?”;
-$result = $adb->pquery($sql, array($password, $id, $username));
b.) Update the SavePassword function in vtigercrm/customerportal/HelpDesk/Utils.php
Line: 111
if(strtolower(md5($oldpw)) == $result[0][‘user_password’]) // UPDATE THIS LINE
c.) Add these lines to the send_mail_for_password function in vtigercrm/soap/customerportal.php
Line: 1094
-$from = $adb->query_result($from_res,0,’email1′);
$password = makeRandomPassword(); // ADD THIS LINE
$user_hash = strtolower(md5($password)); // ADD THIS LINE
$sql = “update vtiger_portalinfo set user_password=? where user_name=?”; // ADD THIS LINE
$adb->pquery($sql, array($user_hash, $user_name)); // ADD THIS LINE
-$contents = $mod_strings[‘LBL_LOGIN_DETAILS’]
–
3.) Update the Authentication of user functions
a.) Update the authenticate_user function in vtigercrm/soap/customerportal.php (add this line: $password = strtolower(md5($password)); –> As seen below):
Start Line: 962
$password = strtolower(md5($password)); // ADD THIS LINE
-$username = $adb->sql_escape_string($username);
-$password = $adb->sql_escape_string($password);
b.) Update the final user/password check in vtigercrm/customerportal/CustomerAuthenticate.php:
Start Line: 49
if(strtolower($result[0][‘user_name’]) == strtolower($username) && strtolower($result[0][‘user_password’]) == strtolower(md5($password))) // UPDATE THIS LINE
That’s it! Of course, if you have been using the Customer Portal prior to this update, you will need to hash all the passwords in the vtiger_portalinfo table. To do that, login to the mysql database for vtigercrm and run this query: UPDATE vtiger_portalinfo SET user_password = md5(user_password);
About 10 lines of code and 2 database updates later, you have your portal passwords hashed!
ChristopherKois.com 
Great article! Thanks.
LikeLike
Hi there,
Thank you for sharing this… very valuable info.
Q-1, have you implemented this for vTiger CP 5.4
Q-2, Would this fix problems with accented characters
Thanks again
LikeLike
Have you taken this further to allow customers to reset their own passwords on the customer portal if they forgot their password?
LikeLike
isn’t that going to break the workflow functions that email the user their password on portal activation?
LikeLike
ah, no it won’t. Never mind. Nice work!
LikeLike