Entrypoint with Auth required fails to redirect properly after login

An entrypoint with custom arguments that requires the user to be logged in is sent to the user via an email action. When the user clicks on that link, he is redirected to the Login page. Once they log in, the CRM does not redirect to the intended entryPoint URL. Following is a sample URL for the entryPoint.

suitecrm.com/index.php?entryPoint=Forum&user_id=123&date=2020-03-16

Does the CRM only redirect for the module and action parameters, but not for a custom EntryPoint?

Does your entry point start with the usual code?

<?php
if(!defined('sugarEntry') || !sugarEntry) die('Not A Valid Entry Point');

And did you add an entry point registry entry?

<?php
$entry_point_registry['MyTimeEntryPoint'] = array(
    'file' => 'custom/MyTimeEntryPoint.php',
    'auth' => true,
);

Yes, the entrypoint has both of these already.

Yes, it seems they are only checking the request for these parameters:
'module', 'action', 'record', 'token', 'oauth_token', 'mobile'

If you want to change it, you can check
include/MVC/SugarApplication.php
function getLoginRedirect

SuiteCRM core should take the query string arguments and redirect to whatever the user's request was. That would be the best generic solution or bug fix for this issue.

Maybe it is restricted due to the security issue.

I don't think that is a security issue. If an entrypoint requires the user to log in, then it's already limited to valid users, so once a user validates himself, SuiteCRM should redirect to whatever the custom entrypoint args were.

It is up to the developer. To make it robust you should sanitize all your query string parameters in your script and verify that each variable is free of injected data.

@cherub-chum I think you have a point. A redirect could just pass all the URL along without much concern except perhaps basic terminators and quote characters.

The real security gateway is where the values start to be used in the code (as @sagarjaydeep mentioned correctly).

Maybe this could be a nice PR to contribute to core. But I would advise starting some discussion among developers first, to see what other people think of the idea.

Are you active in our SuiteCRM Gitter channel for developers?

Yes, we are using our company account @urdhvatech on Gitter


Yeah but I meant @cherub-chum could ask for opinions there.

But I'll count on you also to join us there :slight_smile:

Only valid entrypoints that the user has set up and that are set to auth true would pass all params through, or rebuild the query string of the original referrer, before redirecting/authenticating on the login page.

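As an added illustration of the approach discussed in this thread (this is not SuiteCRM core code; the function name and the list of dropped keys are assumptions), here is how a post-login redirect could keep custom entryPoint arguments only for entry points that are registered with auth true, while keeping the target relative and URL-encoding every forwarded value:

```php
<?php
// Added example, not SuiteCRM code: rebuild the original entryPoint request
// as a relative redirect target after login. Function name is hypothetical.

/**
 * @param array $request   the incoming request parameters (e.g. $_REQUEST)
 * @param array $registry  the $entry_point_registry loaded by the CRM
 * @return string|null     relative redirect URL, or null if not eligible
 */
function buildEntryPointRedirect(array $request, array $registry): ?string
{
    if (empty($request['entryPoint']) || !is_string($request['entryPoint'])) {
        return null;
    }
    $name = $request['entryPoint'];

    // Only registered entry points that require authentication are eligible.
    if (!isset($registry[$name]) || empty($registry[$name]['auth'])) {
        return null;
    }

    // Assumed list: never forward login-related or session parameters.
    $dropped = ['login_module', 'login_action', 'login_record',
                'PHPSESSID', 'user_name', 'user_password'];

    $params = ['entryPoint' => $name];
    foreach ($request as $key => $value) {
        if ($key === 'entryPoint' || in_array($key, $dropped, true)) {
            continue;
        }
        // Forward scalar values only and only plain identifier keys.
        if (!is_scalar($value) || !preg_match('/^[A-Za-z0-9_]+$/', (string) $key)) {
            continue;
        }
        $params[$key] = (string) $value;
    }

    // A relative index.php target avoids open-redirect abuse, and
    // http_build_query encodes quotes, spaces and ampersands in values.
    return 'index.php?' . http_build_query($params);
}

// Constructed sample input: the registry entry and the URL from the thread.
$registry = ['Forum' => ['file' => 'custom/Forum.php', 'auth' => true]];
$request  = ['entryPoint' => 'Forum', 'user_id' => '123', 'date' => '2020-03-16'];
echo buildEntryPointRedirect($request, $registry), PHP_EOL;
```

The entry point script itself must still validate user_id and date before using them, as noted above; the redirect only preserves them.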