We’re getting a head start on our New Year’s Resolutions!  We’ve given our developer community a fresh, new look, and we feel ten pounds lighter.  Let me give you a tour!

First, we’ve migrated our blog from developer.sugarcrm.com to the Developer Community at https://community.sugarcrm.com/community/developer/pages/dev-blog.  We’re really excited about this change as the community is now your one-stop-shop for everything related to developing on Sugar.  We’ll temporarily be putting new posts on both blogs, but please update your bookmarks now.

Second, we’ve redesigned the Developer Community to feel more modern and make it easier to find content.  

When you navigate to the community’s home page, you’ll notice 4 new buttons at the top:

Home page buttons

If you’re new to developing on Sugar (or you just need a refresher), click Getting Started with Sugar.  On this page you’ll learn how to get set up, trained, and certified.  You’ll also learn how to integrate with and create add-ons for Sugar.


If you want to leverage the Sugar Mobile Application Configuration Service or our Mobile SDK, click Getting Started with Mobile.  This subspace has its own documentation as well as a place for you to ask and answer questions.  If you’re a mobile developer, you’ll definitely want to follow the Mobile Developers space.

Mobile SDK Space

If you’re feeling helpful, click Answer a Question to browse questions from your fellow community members and share your expertise.

Questions and Answers

If you want to learn something new, click Try a Tutorial.  You’ll be able to get your hands in the code on a variety of topics including the REST API, Advanced Workflow, the Mobile SDK, and Quotes.

Tutorials

If you continue scrolling down the home page, you’ll see Recent Activity with all of the latest community content as well as a form where you can sign up for Developer News to receive the latest Sugar Developer news, webinars, and surveys straight to your e-mail inbox (I highly recommend signing up if you haven’t already!).

If you browse the home page’s right column, you’ll see a set of helpful widgets.  At the top, you’ll find a search box where you can search the developer community.  Next, you’ll see our latest Tweets (you may want to follow us on Twitter if you haven’t already).  If you continue scrolling, you’ll find the Developer Tools widget.  This is one of my favorite pieces of the community as it has all of our favorite resources listed in one place!

Developer Tools Widget

Be sure to check out the last widget:  Top Participants.  We hope to see your name there!

Top Participants Widget

We hope you enjoy our new look!  Have suggestions on how we can improve the community?  Let us know in the comments below!

Sugar uses platforms to support the needs of multiple Sugar clients.  The Sugar REST API uses the platform parameter to indicate which platform is being used.  If you’d like a refresher on what the platform parameter is and how to use it, check out this blog post.  

In Sugar 7.9, we added a new Platform extension that we advised developers to start using in the Sugar 7.9 Migration Guide.  The Platform extension allows you to indicate a particular custom platform should be allowed when the disable_unknown_platforms configuration setting is on.

Changes coming in Winter ’18 release

In the Winter ’18 release, we will be preventing REST API access to Sugar from unknown platform types.

Sugar has a configuration setting disable_unknown_platforms that controls whether or not unregistered platforms are allowed to be used when logging in using the REST API. The current default value for disable_unknown_platforms is false. In the Winter ’18 release, we will be changing the default to true, which is how it is already reflected in the documentation.

If your integration uses a custom platform, this custom platform will need to be registered in each Sugar instance or your integration will break!


Are you ready to build an integration with Sugar but not sure where to start?  You’ve come to the right place!

When you want to access or interact with information stored in Sugar, the REST API is a great place to start.  In this tutorial, you’ll learn how to authenticate to the Sugar REST API.  Then you’ll learn how to perform create, read, update, and delete (aka CRUD) operations.

Watch the video tutorial below or view the text-based tutorial at bit.ly/tutorial_rest.

Have you ever found yourself wishing you could create a custom Sidecar user interface within your Sugar instance? Maybe you want to allow users to visit a URL that displays a custom view.

It turns out that creating a linkable URL (or route) to within the Sugar client is fairly simple. In this post, I’ll walk you through how to implement a new route in your Sugar instance that displays an alert.


Sugar Fall ’17 (7.10) is now available!

You’ve heard all about this, but I’ll recap. SugarCRM’s fall 2017 release is a Sugar On-Demand only release. This is the first release that follows our new Sugar release process. Our on-premise customers will get a roll-up spring release that includes features from this fall and the subsequent winter release. So all of our customers will enjoy all of the same advanced features, just not all at once.

Here are some of the great developer resources available for the Sugar Fall ’17 release (also known as Sugar 7.10).

Last, but not least, we will be providing developer downloads of On-Demand releases such as 7.10 that can be used by Sugar developers for code development and test purposes.


In our most recent set of security releases, we made some changes in Sugar that address input sanitization issues reported by a 3rd party security researcher. Conveniently, these issues can be addressed with the input validation and CSRF form authentication frameworks added in Sugar 7.7.0.0 and 7.7.1.0. Both of these frameworks offer “soft” failure modes that will log warnings into the sugarcrm.log instead of fatal exceptions.

Input Sanitization Soft Failures

CSRF form authentication is strictly enforced by default. But, up until now, the default for the input validation framework has been to use soft failure mode. Choosing to make soft failure mode the default was a pragmatic decision to maximize compatibility for Sugar customizations while developers updated customizations and integrations. However, these recent reported vulnerabilities make it clear that it is time to take the next step to more strictly enforce input sanitization.

SugarCRM plans to strictly enforce input validation in upcoming releases. We will also remove the soft failure mode options at that time, which will break customizations or integrations that have not adopted CSRF form authentication or that do not pass input validation.

Strict enforcement of Input Validation and CSRF Form Authentication

You should enable strict enforcement of the Input Validation and CSRF Form Authentication checks now for two reasons: (1) to ensure that your Sugar customizations and integrations work properly after upgrading to our winter releases and (2) to create the most secure environment for your current users. The configuration settings in question are the Input Validation ‘validation.soft_fail’ flag as well as the CSRF ‘csrf.soft_fail_form’ flag.

Sugar Cloud has disabled soft failure modes by default but for Sugar On-Site you can adjust these settings for yourself. Add the following lines to your config_override.php file.

$sugar_config['validation']['soft_fail'] = false;
$sugar_config['csrf']['soft_fail_form'] = false;

Strictly enforced checks

In response to security issues, there are now strictly enforced input validation checks that ignore the validation.soft_fail configuration setting. In particular, we added strict validation to the platform authentication parameter used in our REST API. This can have an impact on platform identifiers using characters that are not part of the POSIX portable filename character set.

Also recall the disable_unknown_platforms configuration setting affects the use of platforms. Custom platforms should be registered using the Platforms extension. This check is planned to be enforced in Sugar On-Demand in the future as well.

What you need to do to prepare customizations

In development instances:

1. Set the validation.soft_fail setting to false.

2. Set the disable_unknown_platforms setting to true.

3. Run regression tests on your integrations and customizations to verify they still work.

In production instances:

Enable the warn log level to collect and analyze any input validation or platform name violation warnings.
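The platform checks described under "Strictly enforced checks" and the soft-failure behaviour these preparation steps exercise, modelled as an added example that is not Sugar's own code: a parameter validator with the validation.soft_fail switch, the always-strict character check on the platform name, and the disable_unknown_platforms gate. The function names, the config dict keys, the logger and the warning texts are assumptions made for this illustration.

```python
import logging
import re

log = logging.getLogger("sugarcrm")  # stands in for sugarcrm.log; illustrative only

# POSIX portable filename character set: A-Z, a-z, 0-9, '.', '_', '-'
PORTABLE_FILENAME = re.compile(r"^[A-Za-z0-9._-]+$")


class ValidationError(ValueError):
    """A check that failed in strict (non-soft) mode."""


def validate_param(name, value, pattern, soft_fail, always_strict=False):
    """Return True if value matches pattern.
    On a mismatch, raise ValidationError when soft failure is off or when the
    check is one of the always-strict ones (those ignore validation.soft_fail);
    otherwise log a warning, as the soft mode does, and return False so that a
    caller can count violations.
    """
    if pattern.match(value):
        return True
    msg = "Invalid value for parameter '%s': %r" % (name, value)
    if always_strict or not soft_fail:
        raise ValidationError(msg)
    log.warning(msg)
    return False


def check_login_platform(platform, registered, config):
    """Model of the two platform checks on REST login (not Sugar's own code).
    config holds the two settings named in the post: 'validation.soft_fail'
    (assumed default True, the pre-Winter '18 default) and
    'disable_unknown_platforms' (assumed default False). registered is the set
    of platform names declared through the Platforms extension.
    Returns True when login may proceed, False when it is refused.
    """
    # Character check: strictly enforced, ignores validation.soft_fail.
    validate_param("platform", platform, PORTABLE_FILENAME,
                   soft_fail=config.get("validation.soft_fail", True), always_strict=True)
    # Unknown-platform check, gated by disable_unknown_platforms.
    if platform not in registered:
        if config.get("disable_unknown_platforms", False):
            log.warning("Platform '%s' is not registered; login refused", platform)
            return False
        # Assumption: warn even when allowed, so the log can be analyzed
        # before the default flips to true.
        log.warning("Platform '%s' is not registered; allowed for now", platform)
    return True
```

Running the same integration against a development instance with both settings tightened, then reading the warnings this produces in a production-like instance, is the regression pass the steps above call for.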

Other Resources

Slides from the UnCon 2016 session on Sugar’s input validation framework are also available in the Sugar Community.

More information about best practices for using the Platform parameter can also be found on a previous post on this blog.


Do you need to set up your Sugar development environment but only have 20 minutes to spare?  With the help of Vagrant, I’ve got you covered. Check out my new video below:


Prefer text-based instructions?  Get them here.