Open francescor opened 4 years ago
This is the HTML code that produces the banner
<a href="#" onclick="hideSubPanel('insideview');document.getElementById('hide_link_insideview').style.display='none';document.getElementById('show_link_insideview').style.display='';return false;"></a>
<div style="width: 100%; float: left; padding: 10px 0px 20px 0pt;">
<a target="_blank" href="http://community.insideview.com/t5/Getting-Started/Find-Opportunities-to-Reach-Out-to-Customers/ta-p/1133" style="float: left; width: 230px;display:block;text-decoration:none;">
<img title="Find Opportunities" src="https://my.insideview.com/iv/common/ruby/images/sugarembed-img1.png" style="float: left;border:0 solid;">
<div style="float: left; padding-top: 11px; width: 150px;">
<span style="color: #990000; float: left; font-family: arial; font-size: 14px; font-weight: bold;">Find Opportunities</span>
<span style="font-size: 10px; font-weight: bold; font-family: arial; color: #333333;float: left;">to reach out to customers</span>
</div>
</a>
<a target="_blank" href="http://community.insideview.com/t5/Getting-Started/Get-Referrals-to-Key-Decision-Makers/ta-p/1141" style="float: left; width: 230px;display:block;text-decoration:none;">
<img title="Get Referrals" src="https://my.insideview.com/iv/common/ruby/images/sugarembed-img2.png" style="float: left;border:0 solid;">
<div style="float: left; padding-top: 11px; padding-left: 10px;width: 150px;">
<span style="color: #990000; float: left; font-family: arial; font-size: 14px; font-weight: bold;">Get Referrals</span>
<span style="font-size: 10px; font-weight: bold; font-family: arial; color: #333333;float: left;">to key decision makers</span>
</div>
</a>
<a target="_blank" href="http://community.insideview.com/t5/Getting-Started/Engage-Prospects-and-Customers/ta-p/1127" style="float: left; width: 230px;display:block;text-decoration:none;">
<img title="Engage Customers" src="https://my.insideview.com/iv/common/ruby/images/sugarembed-img3.png" style="float: left;border:0 solid;">
<div style="float: left; padding-top: 11px; padding-left: 10px;width: 140px;">
<span style="color: #990000; float: left; font-family: arial; font-size: 14px; font-weight: bold;">Engage Customers</span>
<span style="font-size: 10px; font-weight: bold; font-family: arial; color: #333333;float: left;">with conversation starters</span>
</div>
</a>
</div>
<hr style="border-color: rgb(238, 238, 238); background-color: rgb(238, 238, 238); width: 100%;">
<form>
<input type="checkbox" class="checkbox" name="insideview_accept_box" id="insideview_accept_box" style="display: none;" onclick="toggleGettingStartedButton();">
<div style="float:left;padding:0 0 10px 0">
<div style="font-size: 11px; float:left;margin: 5px 15px 0px 150px;">
By clicking "Get Started" you agree to InsideView's <a href="http://www.insideview.com/cat-terms-use.html" target="_blank" style="color:#0099CC;text-decoration: none; font-size: 11px;">Terms of Use</a> and <a style="color:#0099CC;text-decoration: none; font-size: 11px;" target="_blank" href="http://www.insideview.com/cat-privacy.html">Privacy Policy</a>.
</div>
<div onclick="allowInsideView(); return false;" name="insideview_accept_button" id="insideview_accept_button" style="float:right;height: 30px; background-image: url('https://my.insideview.com/iv/common/ruby/images/sugarembed-button.png');font-weight: bold; width: 113px; font-size: 14px;cursor:pointer;">
<div style="float:left;margin:7px 0 0 18px;color:#ffffff;">Get Started!</div>
</div>
</div>
</form>
<div class="clear"></div>
Please note that even the cited privacy banner leads to a non-existing page!
This just means that your server got hacked, or your browser has a bad add-on installed... not a SuiteCRM issue.
I see they have a SugarCRM plugin called InsideView, maybe it works also with SuiteCRM and you installed it? Check your Admin / Module Loader page.
Here is the screenshot
I can probably disable the whole "InsideView" advert in here?
Can I?
That seems to be a legitimate software, that somebody installed on your server. You should determine what it does, before removing it. You probably paid for it.
You can also contact the makers of that software and ask them about the annoying ad. I assume they thought it was a good idea to get that permission, for GDPR reasons (or similar).
Please close this Issue here, it's really not a SuiteCRM problem.
We can keep discussing this in comments even after the Issue is closed, if you need more help. Thanks
Yes, my client had a previous installation of SugarCRM (Indeed I read "Sugar Version 6.5.25 Build 344" in the actual SuiteCRM installation about page): I'm very glad this stuff does not come from your code, believe me!
Is this about this same issue? https://community.suitecrm.com/t/inside-view-subpanel-how-to-remove/12966
@pgorod many thanks for your feeds: please have a look, since your statement about the server being hacked forced us to open a serious internal incident.
It seems to me that this "advertisement" was part of the previous SugarCRM, which has nothing to do with SuiteCRM (I'm glad!) but unfortunately that kind of code got automatically imported into our brand new SuiteCRM installation that we just set up, migrating from Sugar following the SuiteCRM migration instructions.
This is sure something that can help previous (new) users coming here from SugarCRM, and will keep SuiteCRM clean
Did you check Admin / Module Loader page to see if the module can be uninstalled from there?
You're better off ensuring that no part of that add-on is still operational, I don't know if the Connector is everything, or if there is more.
I agree this information might be useful for the future, though not here, it should be on the Forums, it's better to look for help there before coming here.
Yes, sorry for not telling you: Admin / Module Loader page has nothing on it
Ok, yes, next time I'll start with the forum, thanks
here is where that code should just be:
# grep -rl insideview.com /var/www/SuiteCRM/*
modules/Connectors/connectors/sources/ext/rest/insideview/InsideViewLogicHook.php
modules/Connectors/connectors/sources/ext/rest/insideview/tpls/InsideView.tpl
# ll modules/Connectors/connectors/sources/ext/rest/insideview/
total 40
-rw-r--r-- 1 apache apache 10133 May 31 13:25 InsideViewLogicHook.php
-rw-r--r-- 1 apache apache 2254 May 31 13:25 config.php
drwxr-sr-x 2 apache apache 4096 Feb 27 2013 images
-rw-r--r-- 1 apache apache 4903 May 31 13:25 insideview.php
drwxr-sr-x 2 apache apache 4096 Feb 27 2013 language
-rw-r--r-- 1 apache apache 2262 May 31 13:25 mapping.php
drwxr-sr-x 2 apache apache 4096 Feb 27 2013 tpls
# tree modules/Connectors/connectors/sources/ext/rest/insideview/
modules/Connectors/connectors/sources/ext/rest/insideview/
|-- InsideViewLogicHook.php
|-- config.php
|-- images
|   |-- close.png
|   |-- insideview.png
|   |-- insideview_collapsed.png
|   |-- insideview_expanded.png
|   `-- video.png
|-- insideview.php
|-- language
|   `-- en_us.lang.php
|-- mapping.php
`-- tpls
    `-- InsideView.tpl
3 directories, 11 files
and apparently this is the original writer of that code https://php.wekeepcoding.com/article/12052779/sugarcrm+community+edition+set+connectors+properties+showing+blank+box
Don't panic. InsideView is a third party add on service for filling in business data on your leads, it was promoted inside the SugarCRM 6.5 Community Edition (the open source version). You can disable it without any worries. https://www.insideview.com/how-we-source-personal-data/
wait a sec: I just downloaded and installed a pristine SuiteCRM 7.11.13, and that connector is there
]# tree /var/www/Vergine-SuiteCRM-7.11.13/modules/Connectors/connectors/sources/ext/rest/insideview/
/var/www/Vergine-SuiteCRM-7.11.13/modules/Connectors/connectors/sources/ext/rest/insideview/
|-- InsideViewLogicHook.php
|-- config.php
|-- images
|   |-- close.png
|   |-- insideview.png
|   |-- insideview_collapsed.png
|   |-- insideview_expanded.png
|   `-- video.png
|-- insideview.php
|-- language
|   `-- en_us.lang.php
|-- mapping.php
`-- tpls
    `-- InsideView.tpl
3 directories, 11 files
and yes, it is just not enabled by default
Ok, so I just need to disable it, which solves my problem, thanks.
BUT, let me say that that connector smells pretty bad: their "Terms of Use" is pretty bad I think, and even in this brand new installation of SuiteCRM the link to their privacy policy is wrong (https://www.insideview.com/cat-privacy.html/ ).
I do not know the SuiteCRM community, yet, and how you developers work, but I wonder if developers are aware of this.
You could remove it by deleting the connector code and its directories. It comes with the SugarCRM 6.5 CE, so you would have to delete it every time you upgraded the core SugarCRM 6.5 CE software.
Not sure how much we can do cause it's from before the fork, I'll mark this up as a potential cleanup for now.
@francescor although already said, please consult the forums and raise issues like these there in the future. At worst, if we feel it is a bug we'll direct you to raise an issue here anyway 👍👍
@francescor could you also please modify the title to better reflect the raised issue. Maybe something along the lines of "SugarCRM Core Plugin does not link to privacy policy"
I'll point out we will take a look at editing the code or, if deemed able and sensible, potentially removing this module; however, there's a lot resting on that, for it being part of the legacy system, that changing stuff can open doors you don't want to 👍
@chris001 the code is in SuiteCRM, too
and it is installed by default https://github.com/salesagility/SuiteCRM/blob/master/modules/Connectors/InstallDefaultConnectors.php
then even in the upgrade wizard https://github.com/salesagility/SuiteCRM/blob/master/modules/UpgradeWizard/uw_utils.php
and here, too https://github.com/salesagility/SuiteCRM/blob/master/install/install_utils.php
With that banner (I would not have another way of defining it) a user (any user in the organization) is only one click away from accepting the T&C, which are pretty bad in my opinion (you can read it yourself, I can give my personal consideration about it) https://www.insideview.com/terms-use/ and, I have no time to dig into it but for sure somebody is more prepared than me on this, it does not even respect the European privacy GDPR.
I am pretty surprised InsideView has such a privilege inside SuiteCRM code development: you may know the reason (which could be more than legit, of course) and I would like to know it
InsideView was added to SugarCRM in April 2011, this was several years before data and privacy became huge issues and GDPR was adopted in May 2018. InsideView is a SugarCRM partner, so they agree not to misuse user data. They have a database with detailed data on almost all companies, like Dun & Bradstreet, so if you have the email address for a contact/lead/account stored in your SuiteCRM, and that email domain matches a company in the InsideView database, the software auto fills in the missing data about that person/company in the record for you, it saves a lot of user/employee time on re-typing in so much publicly known company data (address, phone numbers, fax numbers, website, industry code, company size, who the person reports to, etc). That being said, you may very well want to just disable the InsideView connector so that your users won't see the panel with their "terms of use" link, which is currently a broken link anyway, and possibly click on "Agree".
Ok, I've got it now (and yes, I already removed its code on my client's server). Where can I propose to developers the removal of that code? as you said:
(btw @chris001 I see your website has a weird return a weird file in homepage, with somehow encoded mv etc/ /old_etc command inside)
Where can I propose to developers the removal of that code?
You should ask here in this issue for someone to submit a pull request, to modify the install settings for SuiteCRM included connectors, so that the InsideView connector would be installed as disabled.
I see your website has a weird return a weird file in homepage, with somehow encoded mv etc/ /old_etc command inside
Thank you - link fixed now.
Ok, so I would suggest developers submit a pull request to remove the default-enabled installation of the InsideView connector cited in code at
thanks
Already been sorted @francescor when I marked it with a priority, you're welcome to make the PR yourself if you know of the required changes and have the time :+1:
I see insideview is still enabled by default in a pristine installation, this is still a security issue to me
Can someone help me find out what, in the installation setup, sets 'enabled' => true in custom_directory/modules/Connectors/metadata/connectors.php
'ext_rest_insideview' =>
array (
  'id' => 'ext_rest_insideview',
  'name' => 'InsideView©',
  'enabled' => true,
  'directory' => 'modules/Connectors/connectors/sources/ext/rest/insideview',
  'eapm' => false,
  'modules' =>
  array (
    0 => 'Accounts',
    1 => 'Contacts',
    2 => 'Leads',
    3 => 'Opportunities',
  ),
),
thanks to User: pgr, see https://community.suitecrm.com/t/insideview-a-connector-that-to-me-is-a-security-issue/78671/3, I just fired a pull request https://github.com/salesagility/SuiteCRM/pull/9052
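Added example, not part of the thread and not SuiteCRM code: a small audit script that combines the two checks discussed above (the `grep -rl insideview.com` search and the `'enabled'` flag of `ext_rest_insideview` in `connectors.php`). The function names are hypothetical, the metadata file is passed as an argument because the thread only gives its location as `custom_directory/...`, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not SuiteCRM code; function names are hypothetical.
CONNECTOR_DIR='modules/Connectors/connectors/sources/ext/rest/insideview'
# Print true, false or absent for the 'enabled' flag of ext_rest_insideview
# in a connectors.php metadata file laid out like the excerpt quoted above.
insideview_enabled() {
    [ -f "$1" ] || { echo absent; return 0; }
    awk -v q="'" '
        BEGIN { state = "absent"
                key  = q "ext_rest_insideview" q "[ \t]*=>"
                flag = q "enabled" q "[ \t]*=>" }
        !want && $0 ~ key               { want = 1; depth = 0 }
        want && /array[ \t]*\(/         { depth++; next }
        want && /^[ \t]*\),?[ \t]*$/    { if (--depth == 0) exit; next }
        want && depth == 1 && $0 ~ flag { state = (tolower($0) ~ /true/) ? "true" : "false"; exit }
        END { print state }
    ' "$1"
}

# Report: connector code on disk, files mentioning insideview.com, enabled flag.
audit_insideview() {
    iv_root=$1; iv_meta=$2; iv_dir=missing
    [ -d "$iv_root/$CONNECTOR_DIR" ] && iv_dir=present
    iv_refs=$(grep -rl 'insideview\.com' "$iv_root" 2>/dev/null | wc -l | tr -d ' ')
    echo "dir=$iv_dir refs=$iv_refs enabled=$(insideview_enabled "$iv_meta")"
}

# Constructed sample tree so the script runs offline; not a real installation.
make_sample() {
    mkdir -p "$1/$CONNECTOR_DIR/tpls" "$1/meta"
    echo '<a href="http://www.insideview.com/cat-privacy.html">' > "$1/$CONNECTOR_DIR/tpls/InsideView.tpl"
    cat > "$1/meta/connectors.php" <<EOF
<?php
\$connectors = array (
  'ext_rest_insideview' =>
  array (
    'id' => 'ext_rest_insideview',
    'enabled' => $2,
    'modules' =>
    array (
      0 => 'Accounts',
    ),
  ),
);
EOF
}

tmp=$(mktemp -d); make_sample "$tmp" true
audit_insideview "$tmp" "$tmp/meta/connectors.php"; rm -rf "$tmp"
```

On a real installation, call `audit_insideview` with the SuiteCRM root and the path of its connectors metadata file; `enabled=true` together with `dir=present` means users can still be shown the "Get Started" banner.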
We just noticed an advertisement while surfing our private hosted SuiteCRM installation.
The advert promotes: http://www.insideview.com where at the terms of use at http://www.insideview.com/cat-terms-use.html I read something very serious (and bad):
"You hereby grant InsideView a non-exclusive, royalty-free, worldwide license to use the Customer Data as may be reasonable or necessary for InsideView to provide the Services to You."
The advert is at the center of a page while viewing a customer's (our customer!) data, and the banner says: if you click you agree (!!)
We are willing to send you the screenshot if you want.
SuiteCRM Version 7.11.13, with data imported from Sugar Version 6.5.25 (Build 344), on brand new Linux CentOS 7, PHP 7.4