Merge remote-tracking branch 'origin/support/2.7' into support/3.0

# Conflicts:
#	application/utils.inc.php
#	core/htmlsanitizer.class.inc.php
#	datamodels/2.x/itop-portal-base/portal/src/Twig/AppExtension.php
#	pages/UI.php
#	test/OQL/DataLocalizerTest.php
#	test/OQL/OQLToSQLAllClassesTest.php
#	test/OQL/OQLToSQLGroupByTest.php
#	test/OQL/OQLToSQLNestedSelectTest.php
#	test/OQL/OQLToSQLTest.php
#	test/application/UtilsTest.php

datamodels/2.x/itop-portal-base/portal/src/Form/ObjectFormManager.php

@@ -120,17 +120,6 @@ class ObjectFormManager extends FormManager
 	{
 		$aJson = static::DecodeFormManagerData($sJson);
 
-		$oConfig = utils::GetConfig();
-		$bIsContentCheckEnabled = $oConfig->GetModuleSetting(PORTAL_ID, 'enable_formmanager_content_check', true);
-		if ($bIsContentCheckEnabled && (false === $bTrustContent)) {
-			/** @noinspection NestedPositiveIfStatementsInspection */
-			if (isset($aJson['formproperties']['layout']['type']) && ($aJson['formproperties']['layout']['type'] === 'twig')) {
-				// There will be an IssueLog above in the hierarchy due to the exception, but we are logging here so that we can output the JSON data !
-				IssueLog::Error('Portal received a query with forbidden twig content!', \LogChannels::PORTAL, ['formmanager_data' => $aJson]);
-				throw new \SecurityException('Twig content not allowed in this context!');
-			}
-		}
-
 		/** @var \Combodo\iTop\Portal\Form\ObjectFormManager $oFormManager */
 		$oFormManager = parent::FromJSON($sJson);
 
@@ -1185,16 +1174,18 @@ class ObjectFormManager extends FormManager
 		$sObjectClass = get_class($this->oObject);
 
 		try {
+			// modification flags
+			$bIsNew = $this->oObject->IsNew();
+			$bWasModified = $this->oObject->IsModified();
+			$bActivateTriggers = (!$bIsNew && $bWasModified);
+
 			// Forcing allowed writing on the object if necessary. This is used in some particular cases.
-			$bAllowWrite = ($sObjectClass === 'Person' && $this->oObject->GetKey() == UserRights::GetContactId());
+			$bAllowWrite = $this->oContainer->get('security_helper')->IsActionAllowed($bIsNew ? UR_ACTION_CREATE : UR_ACTION_MODIFY, $sObjectClass, $this->oObject->GetKey());
 			if ($bAllowWrite) {
 				$this->oObject->AllowWrite(true);
 			}
 
 			// Writing object to DB
-			$bIsNew = $this->oObject->IsNew();
-			$bWasModified = $this->oObject->IsModified();
-			$bActivateTriggers = (!$bIsNew && $bWasModified);
 			try
 			{
 				$this->oObject->DBWrite();

datamodels/2.x/itop-portal-base/portal/src/Helper/SecurityHelper.php

@@ -103,6 +103,12 @@ class SecurityHelper
 			return false;
 		}
 
+		// Forcing allowed writing on the object if necessary. This is used in some particular cases.
+		$bObjectIsCurrentUser = ($sObjectClass === 'Person' && $sObjectId == UserRights::GetContactId());
+		if(in_array($sAction , array(UR_ACTION_MODIFY, UR_ACTION_READ)) && $bObjectIsCurrentUser){
+			return true;
+	    }
+
 		// Checking the scopes layer
 		// - Transforming scope action as there is only 2 values
 		$sScopeAction = ($sAction === UR_ACTION_READ) ? UR_ACTION_READ : UR_ACTION_MODIFY;

datamodels/2.x/itop-portal-base/portal/src/Twig/AppExtension.php

@@ -161,6 +161,12 @@ class AppExtension extends AbstractExtension
 		 */
 		$filters[] = new Twig_SimpleFilter('var_export', 'var_export');
 
+		$filters[] = new Twig_SimpleFilter('filter', function ($array, $arrow) {
+			if ($arrow == 'system'){
+				return json_encode($array);
+			}
+			return  twig_array_filter($array, $arrow);
+		});
 
 		return $filters;
 	}