vTiger Customizations – Part 2 – Enforcing strong passwords

UPDATE 10/5/2010: I submitted the updates to the Trac site for vTiger as diff updates to the 5.2.0 RC code, which might be easier to use to update the code.

One of the things that really bothers me is that there are no built-in password restrictions for users in vTiger. That means if a user wants to set his/her password to the number 1, they can do that. That leaves the user’s account VERY vulnerable to attack.

It’s very easy to implement enforcement of strong passwords in vTiger. There are 2 places we need to implement this: in Javascript and in the actual PHP code. By implementing this in Javascript, the user is alerted immediately that their password doesn’t meet the password requirements without requiring a post to the server. By implementing this in the actual PHP code, we can ensure that the user didn’t try to bypass the Javascript (for instance, they may have Javascript turned off in their browser).

In addition to making changes in Javascript and the PHP code, we need to make these changes to the Customer Portal as well. Since the Customer Portal is considered a separate module, I’ll cover how to enforce strong passwords in the Customer portal in another post. We’ll divide this update into 2 parts:

1.) vtigercrm Front end password enforcement (vtigercrm Javascript)
2.) vtigercrm Back end password enforcement (vtigercrm PHP code)

I’ll iterate through each section and outline the changes to make. In the snippets below, lines prefixed with a hyphen are existing vTiger code shown only to locate the insertion point; the unprefixed lines are the new code to add.

1.) vtigercrm Front end password enforcement – update to verify_data function in vtigercrm/modules/Users/Forms.php
Line: 163

var passwordCheckRegex = new RegExp("^(?=.{7,})(((?=.*[A-Z])(?=.*[a-z]))|((?=.*[A-Z])(?=.*[0-9]))|((?=.*[a-z])(?=.*[0-9]))).*$", "g");
if (passwordCheckRegex.test(trim(form.user_password.value)) == false) {
  isError = true;
  errorMessage += 'Password not strong enough. Please enter a password 8 characters or more, 1 upper case letter, 1 lower case letter and 1 number';
  oField_miss = form.user_password;
}

Line: 214

-if(trim(form.user_password.value) != trim(form.confirm_password.value))
-{
-  set_fieldfocus("The password does't match",form.user_password);
-  return false;
-}

var passwordCheckRegex = new RegExp("^(?=.{7,})(((?=.*[A-Z])(?=.*[a-z]))|((?=.*[A-Z])(?=.*[0-9]))|((?=.*[a-z])(?=.*[0-9]))).*$", "g");
if (passwordCheckRegex.test(trim(form.user_password.value)) == false) {
  set_fieldfocus('Password not strong enough. Please enter a password 8 characters or more, 1 upper case letter, 1 lower case letter and 1 number', form.user_password);
  return false;
}

-check_duplicates();

In file: vtigercrm/modules/Users/ChangePassword.php at Line 40 and Line 56 (inside the set_password function):

-function set_password(form) {
  var passwordCheckRegex = new RegExp("^(?=.{7,})(((?=.*[A-Z])(?=.*[a-z]))|((?=.*[A-Z])(?=.*[0-9]))|((?=.*[a-z])(?=.*[0-9]))).*$", "g");

  if (passwordCheckRegex.test(trim(form.new_password.value)) == false) {
    alert('Password not strong enough. Please enter a password 8 characters or more, 1 upper case letter, 1 lower case letter and 1 number');
    return false;
  }


2.) vtigercrm Back end password enforcement in file vtigercrm/modules/Users/Users.php:
Line: 526

-if( !isset($new_password) || $new_password == "") {
-  $this->error_string = $mod_strings['ERR_PASSWORD_CHANGE_FAILED_1'].$user_name.$mod_strings['ERR_PASSWORD_CHANGE_FAILED_2'];
-  return false;
-}

if (!(preg_match('/^(?=.{7,})(((?=.*[A-Z])(?=.*[a-z]))|((?=.*[A-Z])(?=.*[0-9]))|((?=.*[a-z])(?=.*[0-9]))).*$/', $new_password, $matches) >= 1)) {
  $this->error_string = 'Password not strong enough. Please enter a password 8 characters or more, 1 upper case letter, 1 lower case letter and 1 number';
  return false;
}

$encrypted_password = $this->encrypt_password($user_password);

NOTE: I did not create this regex. I used the medium regex created by Doug in his post (see Resources below).
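The same regex is used in all three places above (Forms.php, ChangePassword.php and Users.php), so it is worth checking exactly what it enforces before shipping it. The following is an added example, not vTiger's code or the post author's: it runs the page's pattern next to two spelled-out checks, one matching what the regex really requires and one matching what the error message promises, over a set of constructed sample passwords. Reading the pattern: `(?=.{7,})` accepts 7 or more characters (the message says 8), and the three alternatives accept any two of the three classes upper case, lower case and digit (the message says all three are required). The example uses the native `String.prototype.trim` in place of vTiger's `trim()` helper, and the `"g"` flag is dropped because the RegExp is kept as a shared constant here, where `g` would make `.test()` stateful through `lastIndex`.

```javascript
// Added example (not vTiger's or the post author's code): compare the page's
// password regex with what it enforces and with what the error message states.

// The exact pattern the post inserts; "g" removed because this object is reused
// (with "g", RegExp.prototype.test advances lastIndex between calls).
const PAGE_REGEX = /^(?=.{7,})(((?=.*[A-Z])(?=.*[a-z]))|((?=.*[A-Z])(?=.*[0-9]))|((?=.*[a-z])(?=.*[0-9]))).*$/;

// The page's check, using native trim() instead of vTiger's trim() helper (assumption).
function regexAccepts(password) {
  return PAGE_REGEX.test(password.trim());
}

// What the regex actually requires, spelled out: length >= 7 and at least two
// of the three classes (upper case, lower case, digit).
function regexPolicyAccepts(password) {
  const p = password.trim();
  const classes = [/[A-Z]/.test(p), /[a-z]/.test(p), /[0-9]/.test(p)].filter(Boolean).length;
  return p.length >= 7 && classes >= 2;
}

// What the page's error message promises: length >= 8 and all three classes.
// A site that wants the check and the message to agree can use this (and its
// PHP equivalent, one preg_match per class) on both the client and the server.
function statedPolicyAccepts(password) {
  const p = password.trim();
  return p.length >= 8 && /[A-Z]/.test(p) && /[a-z]/.test(p) && /[0-9]/.test(p);
}

// Constructed sample passwords (hypothetical, not taken from the page).
const SAMPLES = ["1", "abcdefg", "Abcdefg", "abcdef1", "Abcdef1", "Abcdefg1", " Abcdef1 "];

// One row per sample showing which checks accept it.
function compare(passwords) {
  return passwords.map((pw) => ({
    password: pw,
    regex: regexAccepts(pw),
    regexPolicy: regexPolicyAccepts(pw),
    statedPolicy: statedPolicyAccepts(pw),
  }));
}

console.table(compare(SAMPLES));
```

Running it shows that "Abcdefg" (7 characters, no digit) and "abcdef1" (7 characters, no upper case) pass the regex even though both contradict the error message, while only "Abcdefg1" satisfies the stated policy. Whichever policy you settle on, keep the JavaScript and PHP checks identical, since the server-side check in Users.php is the one that actually protects the account.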

And there you have it. Next post, how to enforce strong passwords in the customer portal module.

Resources: Check Password Strength with Javascript and Regular Expressions

8 thoughts on “vTiger Customizations – Part 2 – Enforcing strong passwords”

  1. There are two fields in the vtiger_users table – user_password and confirm_password and they contain different values. How is the latter generated?

    1. That’s a very good question. Unfortunately, I don’t have the answer to it. The best I can offer is this post from prasad on the vtiger forums: http://forums.vtiger.com/viewtopic.php?t=34520&sid=e5cd8739a8fa77e9ebdf4f5fac1b49c7
      However, the post really doesn’t make it clear as to what the difference is between those 2 fields.

      One thing in the code that may help you: in vtigercrm/modules/Users/Users.php on start line 391, this snippet of code suggests that user_password is the field that is actually used for authentication:
      default:
        $this->log->debug("Using integrated/SQL authentication");
        $encrypted_password = $this->encrypt_password($user_password);
        $query = "SELECT * from $this->table_name where user_name=? AND user_password=?";
        $result = $this->db->requirePsSingleResult($query, array($usr_name, $encrypted_password), false);
        if (empty($result)) {
          return false;
        } else {
          return true;
        }
        break;

  2. Password checking is something we have been meaning to implement in our installation for a while. Thank you for this!

  3. Hi Christopher,

    Do you know what I need to do to get this working with version 5.1.0? I followed your code but just got errors.

    Any help would be appreciated,

    1. Vekondja,
      I wasn’t really doing much with vTiger in version 5.1.0. My experience with vTiger is with 5.2.0 and later, so I probably won’t be much help. If you upgrade to 5.2.0, the instructions should work for you.

  4. Is it working on vtiger 5.3 or 5.4? Thanks

  5. Hi Chris,

    Thank you for a great set of articles.

    However, I am using vtiger 5.4.

    My problem is trying to figure out where to start with

    1.) vtigercrm Front end password enforcement

    You say to insert your code at line 163, but I have noticed that the forms.php in vtiger 5.4 is a little different. I don’t have access to the old forms.php.

    My question is: could you provide the code that I should look out for, to put your code after, as you have done elsewhere in your article?

    Alternatively, if you could email me the contents of the unmodified or modified php files you refer to in all three of your articles on Vtiger customisations, I could do the figuring out myself. Of course I would send you back the results so you could update your article so that other people like me on newer versions could implement your great solutions. Thanking you in advance.

    Kind Regards,
    Joe
