
Endpoints and Entry Points

Overview

This document describes how to disable out-of-the-box REST API endpoints and legacy MVC entry points.

Advisory ID: sugarcrm-sr-2015-001
Revision: 1.1
Last updated: 2015-10-01

Description

SugarCRM ships with both legacy entry points and REST API endpoints out of the box. Not every customer uses all capabilities of the SugarCRM product. To harden the configuration, both entry points and endpoints can be disabled based on the customer's requirements.

Legacy Entry Points

All stock entry points are defined in include/MVC/Controller/entry_point_registry.php. Using the SugarCRM Extension framework, the configuration directives can be overridden in an upgrade-safe manner. As an example, consider the entry point "removeme". To disable this entry point, use the following procedure.

Create a new PHP file ./custom/Extension/application/Ext/EntryPointRegistry/disable_removeme.php and add the following content:

<?php

// Remove the stock "removeme" entry point from the registry so it can no longer be called.
if (isset($entry_point_registry['removeme'])) {
    unset($entry_point_registry['removeme']);
}

Execute a quick repair and rebuild as SugarCRM administrator. The entry point is now fully disabled and no longer responds to any calls. Note that when trying to hit a non-existent (or disabled) entry point, the application will redirect you to the homepage (or to the login screen if the user has no session).

REST API Endpoints

To disable the Help API, which is located at clients/base/api/HelpApi.php, use the following procedure.

Create a new PHP file custom/clients/base/api/CustomHelpApi.php and add the following content:

<?php

require_once 'clients/base/api/HelpApi.php';

// Override the stock HelpApi so that every call to the help endpoint is answered with 404.
class CustomHelpApi extends HelpApi
{
    public function getHelp($api, $args)
    {
        throw new SugarApiExceptionNotFound();
    }
}

Execute a quick repair and rebuild as SugarCRM administrator. The endpoint is now fully disabled. When making a REST API call to /rest/v10/help, the following HTTP 404 Not Found error will be returned:

{
    "error": "not_found",
    "error_message": "Your requested resource was not found."
}
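To confirm the change after the repair and rebuild, the response can be checked against the 404 body shown above. The following is an added example, not SugarCRM code; the function names, the verdict strings and the base URL passed on the command line are assumptions made for illustration.

```python
import json
import sys
import urllib.error
import urllib.request

# Value of the "error" key that the advisory shows for a disabled endpoint.
EXPECTED_ERROR = "not_found"


def classify(status, body):
    """Map an HTTP status and raw body to 'disabled', 'enabled' or 'inconclusive'."""
    try:
        payload = json.loads(body) if body else {}
    except ValueError:
        payload = {}
    if not isinstance(payload, dict):
        payload = {}
    if status == 404 and payload.get("error") == EXPECTED_ERROR:
        return "disabled"
    if 200 <= status < 300:
        return "enabled"
    # Anything else (authentication errors, server errors, or a 404 without the
    # JSON body above, e.g. from the web server itself) does not prove the
    # override is active.
    return "inconclusive"


def probe(base_url, path="/rest/v10/help", timeout=10):
    """Request base_url + path and classify the response."""
    request = urllib.request.Request(
        base_url.rstrip("/") + path, headers={"Accept": "application/json"}
    )
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return classify(response.status, response.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the status and body are still available.
        return classify(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_help_api.py <base URL of the Sugar instance>")
    verdict = probe(sys.argv[1])
    print(verdict)
    sys.exit(0 if verdict == "disabled" else 1)
```

Run it against your own instance only; an "inconclusive" verdict usually means the request never reached the overridden API class.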

Publication History

2015-10-01 Adding REST API endpoint example
2015-06-16 Initial publication

A stand-alone copy of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. SugarCRM reserves the right to change or update this document at any time.