Merge branch 'support/2.7' into develop

# Conflicts:
#	README.md
#	composer.json
#	composer.lock
#	core/cmdbsource.class.inc.php
#	core/dbobject.class.php
#	datamodels/2.x/combodo-db-tools/db_analyzer.class.inc.php
#	datamodels/2.x/combodo-db-tools/dbtools.php
#	datamodels/2.x/combodo-db-tools/dictionaries/zh_cn.dict.combodo-db-tools.php
#	datamodels/2.x/itop-attachments/dictionaries/zh_cn.dict.itop-attachments.php
#	datamodels/2.x/itop-core-update/dictionaries/zh_cn.dict.itop-core-update.php
#	dictionaries/zh_cn.dictionary.itop.core.php
#	dictionaries/zh_cn.dictionary.itop.ui.php
#	lib/composer/InstalledVersions.php
#	lib/composer/autoload_classmap.php
#	lib/composer/autoload_static.php
#	lib/composer/installed.php
#	lib/composer/platform_check.php
#	pages/ajax.render.php
#	pages/csvimport.php
#	setup/ajax.dataloader.php
#	setup/index.php
#	setup/setuputils.class.inc.php
#	test/application/UtilsTest.php

setup/setuputils.class.inc.php

@@ -2076,6 +2076,7 @@ JS
 	 * Create and store Setup authentication token
 	 *
 	 * @return string token
+	 * @since 2.6.5 2.7.0 N°3952
 	 */
 	final public static function CreateSetupToken()
 	{
@@ -2087,7 +2088,7 @@ JS
 		}
 		$sUID = hash('sha256', rand());
 		file_put_contents(APPROOT.'data/setup/authent', $sUID);
-
+		$_SESSION['setup_token'] = $sUID;
 		return $sUID;
 	}
 
@@ -2097,6 +2098,7 @@ JS
 	 * @param bool $bRemoveToken
 	 *
 	 * @throws \SecurityException
+	 * @since 2.6.5 2.7.0 N°3952
 	 */
 	final public static function CheckSetupToken($bRemoveToken = false)
 	{
@@ -2110,6 +2112,38 @@ JS
 		}
 	}
 
+	/**
+	 * Check setup transaction and create a new one if necessary
+	 *
+	 * @return bool
+	 * @since 2.6.5 2.7.5 3.0.0 N°3952
+	 */
+	public static function IsSessionSetupTokenValid()
+	{
+		if (isset($_SESSION['setup_token'])) {
+			$sAuth = $_SESSION['setup_token'];
+			$sTokenFile = APPROOT.'data/setup/authent';
+			if (file_exists($sTokenFile) && $sAuth === file_get_contents($sTokenFile)) {
+				return true;
+			}
+		}
+
+		return false;
+	}
+
+	/**
+	 * @since 2.6.5 2.7.5 3.0.0 N°3952
+	 */
+	public static function EraseSetupToken()
+	{
+		$sTokenFile = APPROOT.'data/setup/authent';
+		if (is_file($sTokenFile)) {
+			unlink($sTokenFile);
+		}
+		unset($_SESSION['setup_token']);
+	}
+
+
 	/**
 	 * @param string $sText
 	 *

setup/wizard.php

@@ -31,6 +31,7 @@ require_once(APPROOT.'/setup/setuppage.class.inc.php');
 require_once(APPROOT.'/setup/wizardcontroller.class.inc.php');
 require_once(APPROOT.'/setup/wizardsteps.class.inc.php');
 
+session_start();
 clearstatcache(); // Make sure we know what we are doing !
 // Set a long (at least 4 minutes) execution time for the setup to avoid timeouts during this phase
 ini_set('max_execution_time', max(240, ini_get('max_execution_time')));
@@ -39,7 +40,6 @@ ini_set('display_errors', true);
 ini_set('display_startup_errors', true);
 date_default_timezone_set('Europe/Paris'); // Just to avoid a warning if the timezone is not set in php.ini
 
-SetupUtils::ExitMaintenanceMode(false);
 
 /////////////////////////////////////////////////////////////////////
 // Fake functions to protect the first run of the installer
@@ -51,9 +51,8 @@ if (!function_exists('json_encode'))
 		return '[]';
 	}
 }
-if (!function_exists('json_decode'))
-{
-	function json_decode($json, $assoc=null)
+if (!function_exists('json_decode')) {
+	function json_decode($json, $assoc = null)
 	{
 		return array();
 	}
@@ -61,6 +60,14 @@ if (!function_exists('json_decode'))
 /////////////////////////////////////////////////////////////////////
 //N°3671 setup context: force $bForceTrustProxy to be persisted in next calls
 utils::GetAbsoluteUrlAppRoot(true);
-
 $oWizard = new WizardController('WizStepWelcome');
-$oWizard->Run();
+//N°3952
+if (SetupUtils::IsSessionSetupTokenValid()) {
+	// Normal operation
+	$oWizard->Run();
+} else {
+	SetupUtils::ExitMaintenanceMode(false);
+	// Force initializing the setup
+	$oWizard->Start();
+	SetupUtils::CreateSetupToken();
+}

setup/wizardcontroller.class.inc.php

@@ -105,7 +105,7 @@ class WizardController
 	/**
 	 * Starts the wizard by displaying it in its initial state
 	 */
-	protected function Start()
+	public function Start()
 	{
 		$sCurrentStepClass = $this->sInitialStepClass;
 		$oStep = new $sCurrentStepClass($this, $this->sInitialState);
@@ -121,7 +121,7 @@ class WizardController
 		$sCurrentState = utils::ReadParam('_state', $this->sInitialState);
 		/** @var \WizardStep $oStep */
 		$oStep = new $sCurrentStepClass($this, $sCurrentState);
-		if ($oStep->ValidateParams($sCurrentState))
+		if ($oStep->ValidateParams())
 		{
 			$this->PushStep(array('class' => $sCurrentStepClass, 'state' => $sCurrentState));
 			$aPossibleSteps = $oStep->GetPossibleSteps();
@@ -174,7 +174,7 @@ class WizardController
 				if (!is_writable($sConfigFile))
 				{
 					SetupUtils::ExitReadOnlyMode(false); // Reset readonly mode in case of problem
-
+					SetupUtils::EraseSetupToken();
 					$sRelativePath = utils::GetConfigFilePathRelative();
 					$oP = new SetupPage('Installation Cannot Continue');
 					$oP->add("<h2>Fatal error</h2>\n");
@@ -182,7 +182,8 @@ class WizardController
 					$oP->p("The wizard cannot modify the configuration file for you. If you want to upgrade ".ITOP_APPLICATION.", make sure that the file '<b>".$sRelativePath."</b>' can be modified by the web server.");
 					$oP->p('<button type="button" onclick="window.location.reload()">Reload</button>');
 					$oP->output();
-					return;
+					// Prevent token creation
+					exit;
 				}
 			}			
 		}

setup/wizardsteps.class.inc.php

@@ -2216,7 +2216,7 @@ CSS
 		$oPage->add('<div class="closed"><span class="title ibo-setup-summary-title">Database Parameters</span><ul>');
 		$oPage->add('<li>Server Name: '.$aInstallParams['database']['server'].'</li>');
 		$oPage->add('<li>DB User Name: '.$aInstallParams['database']['user'].'</li>');
-		$oPage->add('<li>DB user password: '.$aInstallParams['database']['pwd'].'</li>');
+		$oPage->add('<li>DB user password: ***</li>');
 		if (($sMode == 'install') && ($this->oWizard->GetParameter('create_db') == 'yes'))
 		{
 			$oPage->add('<li>Database Name: '.$aInstallParams['database']['name'].' (will be created)</li>');
@@ -2654,18 +2654,16 @@ class WizStepDone extends WizardStep
 		$aAdditionalModules = array();
 		foreach(json_decode($this->oWizard->GetParameter('additional_extensions_modules'), true) as $idx => $aModuleInfo)
 		{
-			if (in_array('_'.$idx, $aParameters[count($aParameters)-1]))
-			{
+			if (in_array('_'.$idx, $aParameters[count($aParameters)-1])) {
 				// Extensions "choices" can now have more than one module
-				foreach($aModuleInfo['modules'] as $sModuleName)
-				{
+				foreach ($aModuleInfo['modules'] as $sModuleName) {
 					$aAdditionalModules[] = $sModuleName;
 				}
 			}
 		}
 		$idx = 0;
 		$aReportedModules = array();
-		while($idx < count($aAdditionalModules) && (strlen($sImgUrl.'&m='.urlencode(implode(' ', $aReportedModules))) < 2000)) // reasonable limit for the URL: 2000 chars
+		while ($idx < count($aAdditionalModules) && (strlen($sImgUrl.'&m='.urlencode(implode(' ', $aReportedModules))) < 2000)) // reasonable limit for the URL: 2000 chars
 		{
 			$aReportedModules[] = $aAdditionalModules[$idx];
 			$idx++;
@@ -2675,6 +2673,7 @@ class WizStepDone extends WizardStep
 		$oPage->add('<img style="border:0" src="'.$sImgUrl.'"/>');
 		$sForm = addslashes($sForm);
 		$oPage->add_ready_script("$('#wiz_form').after('$sForm');");
+		SetupUtils::EraseSetupToken();
 	}
 
 	public function CanMoveForward()