Version number bump.

* security hardening

.github/pull_request_template.md

@@ -0,0 +1,83 @@
+<!--
+
+IMPORTANT: Please follow the guidelines within this PR template before submitting it, it will greatly help us process your PR. 🙏
+
+Any PRs not following the guidelines or with missing information will not be considered.
+
+-->
+
+## Base information
+| Question                                                      | Answer 
+|---------------------------------------------------------------|--------
+| Related to a SourceForge thead / Another PR / Combodo ticket? | <!-- Put the URL -->
+| Type of change?                                               | Bug fix / Enhancement / Translations
+
+
+## Symptom (bug) / Objective (enhancement)
+<!--
+If it's a bug
+  - Explain the symptom in details
+  - If possible put error messages, logs or screenshots (you can paste image directly in this editor).
+
+If it's an enhancement
+  - Describe what is blocking you, what is the objective with as much details as possible.
+  - Add screenshots if it's related to UI.
+-->
+
+
+## Reproduction procedure (bug)
+<!--
+Remove this section only if it's NOT a bug.
+
+Otherwise, explain step by step how to reproduce the issue on a standard iTop Community.
+
+If it requires a custom datamodel, provide the minimal XML delta to reproduce it on a standard iTop Community.
+-->
+
+1. On iTop x.y.z <!-- Put complete iTop version (eg. 3.1.0-2) -->
+2. With PHP x.y.z <!-- Put complete PHP version (eg. 8.1.24) -->
+2. First go there
+2. Then do that
+3. ...
+4. Finally, see that...
+
+
+## Cause (bug)
+<!--
+Remove this section only if it's NOT a bug.
+
+Otherwise, explain what is the cause of the issue (where in the code and why)
+-->
+
+
+## Proposed solution (bug and enhancement)
+<!--
+Explain in details how you are proposing to solve this:
+  - What did you do in the code and why
+  - If you changed something in the UI, put before / after screenshots (you can paste image directly in this editor)
+-->
+
+
+## Checklist before requesting a review
+<!--
+Don't remove these lines, check them once done.
+-->
+- [ ] I have performed a self-review of my code
+- [ ] I have tested all changes I made on an iTop instance
+- [ ] I have added a unit test, otherwise I have explained why I couldn't
+- [ ] Is the PR clear and detailed enough so anyone can understand digging in the code?
+
+## Checklist of things to do before PR is ready to merge
+<!--
+Things that needs to be done in the PR before it can be considered as ready to be merged
+
+Examples:
+- Changes requested in the review
+- Unit test to add
+- Dictionary entries to translate
+- ...
+-->
+
+- [ ] ...
+- [ ] ...
+- [ ] ...

.github/workflows/action.yml

@@ -0,0 +1,43 @@
+name: Add PRs to Combodo PRs Dashboard
+
+on:
+  pull_request_target:
+    types:
+      - opened
+
+jobs:
+  add-to-project:
+    name: Add PR to Combodo Project
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check if author is a member of the organization
+        id: check-membership
+        run: |
+          ORG="Combodo"
+          AUTHOR=$(jq -r .pull_request.user.login "$GITHUB_EVENT_PATH")
+          RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token ${{ secrets.PR_AUTOMATICALLY_ADD_TO_PROJECT }}" \
+            "https://api.github.com/orgs/$ORG/members/$AUTHOR")
+          if [ "$RESPONSE" == "404" ]; then
+            echo "project_url=https://github.com/orgs/Combodo/projects/5" >> $GITHUB_ENV
+            echo "is_member=false" >> $GITHUB_ENV
+          else
+            echo "project_url=https://github.com/orgs/Combodo/projects/4" >> $GITHUB_ENV
+            echo "is_member=true" >> $GITHUB_ENV
+
+          fi
+
+      - name: Add internal tag if member
+        if: env.is_member == 'true'
+        run: |
+          curl -X POST -H "Authorization: token ${{ secrets.PR_AUTOMATICALLY_ADD_TO_PROJECT }}" \
+            -H "Accept: application/vnd.github.v3+json" \
+            https://api.github.com/repos/Combodo/iTop/issues/${{ github.event.pull_request.number }}/labels \
+            -d '{"labels":["internal"]}'
+        env:
+          is_member: ${{ env.is_member }}
+
+      - name: Add PR to the appropriate project
+        uses: actions/add-to-project@v1.0.2
+        with:
+          project-url: ${{ env.project_url }}
+          github-token: ${{ secrets.PR_AUTOMATICALLY_ADD_TO_PROJECT }}

.make/build/commands/setupCssCompiler.php

@@ -27,7 +27,7 @@ $iTopFolder = __DIR__."/../../../";
 require_once("$iTopFolder/approot.inc.php");
 require_once(APPROOT."/application/utils.inc.php");
 
-if (php_sapi_name() !== 'cli')
+if (PHP_SAPI !== 'cli')
 {
 	throw new \Exception('This script can only run from CLI');
 }
@@ -48,4 +48,4 @@ if (!file_exists($sCssFile))
 {
 	fwrite(STDERR, "Failed to compile $sCssFile, exiting.");
 	exit(1);
-}
+}

.make/composer/rmDeniedTestDir.php

@@ -26,7 +26,7 @@ $iTopFolder = __DIR__ . "/../../" ;
 require_once ("$iTopFolder/approot.inc.php");
 require_once (APPROOT."/setup/setuputils.class.inc.php");
 
-if  (php_sapi_name() !== 'cli')
+if  (PHP_SAPI !== 'cli')
 {
 	throw new \Exception('This script can only run from CLI');
 }
@@ -70,4 +70,4 @@ if (false === empty($aMissing)) {
 	echo "Some new tests dirs exists !\n"
 		.'  They must be declared either in the allowed or denied list in '.iTopComposer::class." (see N°2651).\n"
 		.'  List of dirs:'."\n".var_export($aMissing, true);
-}
+}

application/ajaxwebpage.class.inc.php

@@ -42,7 +42,7 @@ class ajax_page extends WebPage implements iTabbedPage
 		$this->m_sReadyScript = "";
 		//$this->add_header("Content-type: text/html; charset=utf-8");
 		$this->no_cache();
-		$this->add_xframe_options();
+		$this->add_http_headers();
 		$this->m_oTabs = new TabManager();
 		$this->sContentType = 'text/html';
 		$this->sContentDisposition = 'inline';
@@ -51,6 +51,16 @@ class ajax_page extends WebPage implements iTabbedPage
 		utils::InitArchiveMode();
 	}
 
+	/**
+	 * Disabling sending the header so that resource won't be blocked by CORB. See parent method documentation.
+	 * @return void
+	 * @since 2.7.10 3.0.4 3.1.2 3.2.0 N°4368 method creation
+	 */
+	public function add_xcontent_type_options()
+	{
+		// Nothing to do !
+	}
+
 	/**
 	 * @inheritDoc
 	 * @throws \Exception

application/applicationextension.inc.php

@@ -1709,8 +1709,16 @@ class RestUtils
 		elseif (is_string($key))
 		{
 			// OQL
-			$oSearch = DBObjectSearch::FromOQL($key);
-		}
+            try {
+                $oSearch = DBObjectSearch::FromOQL($key);
+            } catch (Exception $e) {
+                throw new CoreOqlException('Query failed to execute', [
+                        'query' => $key,
+                        'exception_class' => get_class($e),
+                        'exception_message' => $e->getMessage(),
+                ]);
+            }
+        }
 		else
 		{
 			throw new Exception("Wrong format for key");

application/cmdbabstract.class.inc.php

@@ -3218,13 +3218,13 @@ EOF
 				if ($oAttDef->GetEditClass() == 'Document')
 				{
 					$oDocument = $this->Get($sAttCode);
-					if (!$oDocument->IsEmpty())
+					if (is_object($oDocument) && !$oDocument->IsEmpty())
 					{
 						$sDisplayValue = $this->GetAsHTML($sAttCode);
 						$sDisplayValue .= "<br/>".Dict::Format('UI:OpenDocumentInNewWindow_',
-								$oDocument->GetDisplayLink(get_class($this), $this->GetKey(), $sAttCode)).", \n";
+						$oDocument->GetDisplayLink(get_class($this), $this->GetKey(), $sAttCode)).", \n";
 						$sDisplayValue .= "<br/>".Dict::Format('UI:DownloadDocument_',
-								$oDocument->GetDownloadLink(get_class($this), $this->GetKey(), $sAttCode)).", \n";
+						$oDocument->GetDownloadLink(get_class($this), $this->GetKey(), $sAttCode)).", \n";
 					}
 					else
 					{

application/csvpage.class.inc.php

@@ -33,7 +33,7 @@ class CSVPage extends WebPage
 		parent::__construct($s_title);
 		$this->add_header("Content-type: text/plain; charset=".self::PAGES_CHARSET);
 		$this->no_cache();
-		$this->add_xframe_options();
+		$this->add_http_headers();
 		//$this->add_header("Content-Transfer-Encoding: binary");
 	}
 

application/dashboard.class.inc.php

@@ -1193,12 +1193,12 @@ EOF
 		$sOkButtonLabel = Dict::S('UI:Button:Save');
 		$sCancelButtonLabel = Dict::S('UI:Button:Cancel');
 		
-		$sId = utils::HtmlEntities($this->sId);
-		$sLayoutClass = utils::HtmlEntities($this->sLayoutClass);
+		$sId = json_encode($this->sId);
+		$sLayoutClass = json_encode($this->sLayoutClass);
 		$sAutoReload = $this->bAutoReload ? 'true' : 'false';
 		$sAutoReloadSec = (string) $this->iAutoReloadSec;
-		$sTitle = utils::HtmlEntities($this->sTitle);
-		$sFile = utils::HtmlEntities($this->GetDefinitionFile());
+		$sTitle = json_encode($this->sTitle);
+		$sFile = json_encode($this->GetDefinitionFile());
 		$sUrl = utils::GetAbsoluteUrlAppRoot().'pages/ajax.render.php';
 		$sReloadURL = $this->GetReloadURL();
 
@@ -1250,15 +1250,15 @@ $('#dashboard_editor').dialog({
 });
 
 $('#dashboard_editor .ui-layout-center').runtimedashboard({
-	dashboard_id: '$sId', 
-	layout_class: '$sLayoutClass', 
-	title: '$sTitle',
+	dashboard_id: $sId, 
+	layout_class: $sLayoutClass, 
+	title: $sTitle,
 	auto_reload: $sAutoReload, 
 	auto_reload_sec: $sAutoReloadSec,
 	submit_to: '$sUrl', 
-	submit_parameters: {operation: 'save_dashboard', file: '$sFile', extra_params: $sJSExtraParams, reload_url: '$sReloadURL'},
+	submit_parameters: {operation: 'save_dashboard', file: $sFile, extra_params: $sJSExtraParams, reload_url: '$sReloadURL'},
 	render_to: '$sUrl', 
-	render_parameters: {operation: 'render_dashboard', file: '$sFile', extra_params: $sJSExtraParams, reload_url: '$sReloadURL'},
+	render_parameters: {operation: 'render_dashboard', file: $sFile, extra_params: $sJSExtraParams, reload_url: '$sReloadURL'},
 	new_dashlet_parameters: {operation: 'new_dashlet'}
 });
 

application/itopwebpage.class.inc.php

@@ -71,7 +71,7 @@ class iTopWebPage extends NiceWebPage implements iTabbedPage
 		$this->SetRootUrl(utils::GetAbsoluteUrlAppRoot());
 		$this->add_header("Content-type: text/html; charset=".self::PAGES_CHARSET);
 		$this->no_cache();
-		$this->add_xframe_options();
+		$this->add_http_headers();
 		$this->add_linked_stylesheet("../css/jquery.treeview.css");
 		$this->add_linked_stylesheet("../css/jquery.autocomplete.css");
 		$this->add_linked_stylesheet("../css/jquery-ui-timepicker-addon.css");

application/logindefault.class.inc.php

@@ -117,6 +117,11 @@ class LoginDefaultAfter extends AbstractLoginFSMExtension implements iLogoutExte
 	protected function OnConnected(&$iErrorCode)
 	{
 		unset($_SESSION['login_temp_auth_user']);
+		if (is_null(UserRights::GetUserObject())){
+			//N°7085 avoid infinite loop
+			IssueLog::Error("No user logged in. exit");
+			exit(-1);
+		}
 		return LoginWebPage::LOGIN_FSM_CONTINUE;
 	}
 
@@ -132,4 +137,4 @@ class LoginDefaultAfter extends AbstractLoginFSMExtension implements iLogoutExte
 			}
 		}
 	}
-}
+}

application/loginwebpage.class.inc.php

@@ -85,7 +85,7 @@ class LoginWebPage extends NiceWebPage
 		parent::__construct($sTitle);
 		$this->SetStyleSheet();
 		$this->no_cache();
-		$this->add_xframe_options();
+		$this->add_http_headers();
 	}
 	
 	public function SetStyleSheet()

application/utils.inc.php

@@ -199,16 +199,8 @@ class utils
 
 	public static function IsModeCLI()
 	{
-		$sSAPIName = php_sapi_name();
-		$sCleanName = strtolower(trim($sSAPIName));
-		if ($sCleanName == 'cli')
-		{
-			return true;
-		}
-		else
-		{
-			return false;
-		}
+		$sCleanName = strtolower(trim(PHP_SAPI));
+		return ($sCleanName === 'cli');
 	}
 
 	protected static $bPageMode = null;
@@ -316,13 +308,13 @@ class utils
 		}
 		return self::Sanitize($retValue, $defaultValue, $sSanitizationFilter);
 	}
-	
+
 	public static function ReadPostedParam($sName, $defaultValue = '', $sSanitizationFilter = 'parameter')
 	{
 		$retValue = isset($_POST[$sName]) ? $_POST[$sName] : $defaultValue;
 		return self::Sanitize($retValue, $defaultValue, $sSanitizationFilter);
 	}
-	
+
 	public static function Sanitize($value, $defaultValue, $sSanitizationFilter)
 	{
 		if ($value === $defaultValue)
@@ -338,7 +330,7 @@ class utils
 				$retValue = $defaultValue;
 			}
 		}
-		return $retValue;		
+		return $retValue;
 	}
 
 	/**
@@ -481,11 +473,11 @@ class utils
 					$sMimeType = self::GetFileMimeType($sTmpName);
 					$oDocument = new ormDocument($doc_content, $sMimeType, $sName);
 				break;
-				
+
 				case UPLOAD_ERR_NO_FILE:
 				// no file to load, it's a normal case, just return an empty document
 				break;
-				
+
 				case UPLOAD_ERR_FORM_SIZE:
 				case UPLOAD_ERR_INI_SIZE:
 				throw new FileUploadException(Dict::Format('UI:Error:UploadedFileTooBig', ini_get('upload_max_filesize')));
@@ -494,7 +486,7 @@ class utils
 				case UPLOAD_ERR_PARTIAL:
 				throw new FileUploadException(Dict::S('UI:Error:UploadedFileTruncated.'));
 				break;
-				
+
 				case UPLOAD_ERR_NO_TMP_DIR:
 				throw new FileUploadException(Dict::S('UI:Error:NoTmpDir'));
 				break;
@@ -507,7 +499,7 @@ class utils
 				$sName = is_null($sIndex) ? $aFileInfo['name'] : $aFileInfo['name'][$sIndex];
 				throw new FileUploadException(Dict::Format('UI:Error:UploadStoppedByExtension_FileName', $sName));
 				break;
-				
+
 				default:
 				throw new FileUploadException(Dict::Format('UI:Error:UploadFailedUnknownCause_Code', $sError));
 				break;
@@ -615,17 +607,17 @@ class utils
 
 		return $aSelectedObj;
 	}
-	
+
 	public static function GetNewTransactionId()
 	{
 		return privUITransaction::GetNewTransactionId();
 	}
-	
+
 	public static function IsTransactionValid($sId, $bRemoveTransaction = true)
 	{
 		return privUITransaction::IsTransactionValid($sId, $bRemoveTransaction);
 	}
-	
+
 	public static function RemoveTransaction($sId)
 	{
 		return privUITransaction::RemoveTransaction($sId);
@@ -810,9 +802,9 @@ class utils
 			$aDateTokens = array_keys($aSpec);
 			$aDateRegexps = array_values($aSpec);
 		}
-	   
+
 	   $sDateRegexp = str_replace($aDateTokens, $aDateRegexps, $sFormat);
-	   
+
 	   if (preg_match('!^(?<head>)'.$sDateRegexp.'(?<tail>)$!', $sDate, $aMatches))
 	   {
 			$sYear = isset($aMatches['year']) ? $aMatches['year'] : 0;
@@ -829,7 +821,7 @@ class utils
 	   }
 	   // http://www.spaweditor.com/scripts/regex/index.php
 	}
-	
+
 	/**
 	 * Convert an old date/time format specification (using % placeholders)
 	 * to a format compatible with DateTime::createFromFormat
@@ -1248,7 +1240,7 @@ class utils
 		{
 			$aArguments['param_file'] = $sParamFile;
 		}
-		
+
 		$aArgs = array();
 		foreach($aArguments as $sName => $value)
 		{
@@ -1257,7 +1249,7 @@ class utils
 			$aArgs[] = "--$sName=".escapeshellarg($value);
 		}
 		$sArgs = implode(' ', $aArgs);
-		
+
 		$sScript = realpath(APPROOT.$sScriptName);
 		if (!file_exists($sScript))
 		{
@@ -1348,7 +1340,7 @@ class utils
 	public static function GetPopupMenuItems($oPage, $iMenuId, $param, &$aActions, $sTableId = null, $sDataTableId = null)
 	{
 		// 1st - add standard built-in menu items
-		// 
+		//
 		switch($iMenuId)
 		{
 			case iPopupMenuExtension::MENU_OBJLIST_TOOLKIT:
@@ -1373,7 +1365,7 @@ class utils
 						"mailto:?body=".urlencode($sUrl).' ' // Add an extra space to make it work in Outlook
 				);
 			}
-			
+
 			if (UserRights::IsActionAllowed($param->GetFilter()->GetClass(), UR_ACTION_BULK_READ, $param) != UR_ALLOWED_NO)
 			{
 				// Bulk export actions
@@ -1387,7 +1379,7 @@ class utils
 			}
 			$aResult[] = new JSPopupMenuItem('UI:Menu:AddToDashboard', Dict::S('UI:Menu:AddToDashboard'), "DashletCreationDlg('$sOQL', '$sContext')");
 			$aResult[] = new JSPopupMenuItem('UI:Menu:ShortcutList', Dict::S('UI:Menu:ShortcutList'), "ShortcutListDlg('$sOQL', '$sDataTableId', '$sContext')");
-				
+
 			break;
 
 			case iPopupMenuExtension::MENU_OBJDETAILS_ACTIONS:
@@ -1401,7 +1393,7 @@ class utils
 			$oPage->add_linked_script(utils::GetAbsoluteUrlAppRoot().'js/tabularfieldsselector.js');
 			$oPage->add_linked_script(utils::GetAbsoluteUrlAppRoot().'js/jquery.dragtable.js');
 			$oPage->add_linked_stylesheet(utils::GetAbsoluteUrlAppRoot().'css/dragtable.css');
-			
+
 			$aResult = array(
 				new SeparatorPopupMenuItem(),
 				// Static menus: Email this page & CSV Export
@@ -1465,7 +1457,7 @@ class utils
 				if (is_object($oMenuItem))
 				{
 					$aActions[$oMenuItem->GetUID()] = $oMenuItem->GetMenuItem();
-					
+
 					foreach($oMenuItem->GetLinkedScripts() as $sLinkedScript)
 					{
 						$oPage->add_linked_script($sLinkedScript);
@@ -1602,7 +1594,7 @@ class utils
 			return $sProposed;
 		}
 	}
-	
+
 	/**
 	 * Some characters cause troubles with jQuery when used inside DOM IDs, so let's replace them by the safe _ (underscore)
 	 * @param string $sId The ID to sanitize
@@ -1612,13 +1604,13 @@ class utils
 	{
 		return str_replace(array(':', '[', ']', '+', '-'), '_', $sId);
 	}
-	
+
 	/**
 	 * Helper to execute an HTTP POST request
 	 * Source: http://netevil.org/blog/2006/nov/http-post-from-php-without-curl
 	 *         originaly named after do_post_request
 	 * Does not require cUrl but requires openssl for performing https POSTs.
-	 * 
+	 *
 	 * @param string $sUrl The URL to POST the data to
 	 * @param array $aData The data to POST as an array('param_name' => value)
 	 * @param string $sOptionnalHeaders Additional HTTP headers as a string with newlines between headers
@@ -1629,11 +1621,11 @@ class utils
 	 *
 	 * @return string The result of the POST request
 	 * @throws Exception with a specific error message depending on the cause
-	 */ 
+	 */
 	public static function DoPostRequest($sUrl, $aData, $sOptionnalHeaders = null, &$aResponseHeaders = null, $aCurlOptions = array())
 	{
 		// $sOptionnalHeaders is a string containing additional HTTP headers that you would like to send in your request.
-	
+
 		if (function_exists('curl_init'))
 		{
 			// If cURL is available, let's use it, since it provides a greater control over the various HTTP/SSL options
@@ -1667,7 +1659,7 @@ class utils
 				CURLOPT_POSTFIELDS		=> http_build_query($aData),
 				CURLOPT_HTTPHEADER		=> $aHTTPHeaders,
 			);
-			
+
 			$aAllOptions = $aCurlOptions + $aOptions;
 			$ch = curl_init($sUrl);
 			curl_setopt_array($ch, $aAllOptions);
@@ -1693,7 +1685,7 @@ class utils
 		else
 		{
 			// cURL is not available let's try with streams and fopen...
-			
+
 			$sData = http_build_query($aData);
 			$aParams = array('http' => array(
 									'method' => 'POST',
@@ -1705,7 +1697,7 @@ class utils
 				$aParams['http']['header'] .= $sOptionnalHeaders;
 			}
 			$ctx = stream_context_create($aParams);
-		
+
 			$fp = @fopen($sUrl, 'rb', false, $ctx);
 			if (!$fp)
 			{
@@ -1746,7 +1738,7 @@ class utils
 
 	/**
 	 * Get a standard list of character sets
-	 *	 
+	 *
  	 * @param array $aAdditionalEncodings Additional values
 	 * @return array of iconv code => english label, sorted by label
 	 */
@@ -1776,8 +1768,8 @@ class utils
 	public static function HtmlEntities($sValue)
 	{
 		return htmlentities($sValue, ENT_QUOTES, 'UTF-8');
-	}	
-	
+	}
+
 	/**
 	 * Helper to encapsulation iTop's html_entity_decode
 	 * @param string $sValue
@@ -1806,7 +1798,7 @@ class utils
 			return $e->getMessage();
 		}
 	}
-	
+
 	/**
 	 * Convert (?) plain text to some HTML markup by replacing newlines by <br/> tags
 	 * and escaping HTML entities
@@ -1819,7 +1811,7 @@ class utils
 		$sText = str_replace("\r", "\n", $sText);
 		return str_replace("\n", '<br/>', htmlentities($sText, ENT_QUOTES, 'UTF-8'));
 	}
-	
+
 	/**
 	 * Eventually compiles the SASS (.scss) file into the CSS (.css) file
 	 *
@@ -1882,7 +1874,7 @@ class utils
 
 		return $sCss;
 	}
-	
+
 	public static function GetImageSize($sImageData)
 	{
 		if (function_exists('getimagesizefromstring')) // PHP 5.4.0 or higher
@@ -1939,7 +1931,7 @@ class utils
 			case 'image/png':
 			$img = @imagecreatefromstring($oImage->GetData());
 			break;
-			
+
 			default:
 			// Unsupported image type, return the image as-is
 			//throw new Exception("Unsupported image type: '".$oImage->GetMimeType()."'. Cannot resize the image, original image will be used.");
@@ -1953,14 +1945,14 @@ class utils
 		else
 		{
 			// Let's scale the image, preserving the transparency for GIFs and PNGs
-			
+
 			$fScale = min($iMaxImageWidth / $iWidth, $iMaxImageHeight / $iHeight);
 
 			$iNewWidth = $iWidth * $fScale;
 			$iNewHeight = $iHeight * $fScale;
-			
+
 			$new = imagecreatetruecolor($iNewWidth, $iNewHeight);
-			
+
 			// Preserve transparency
 			if(($oImage->GetMimeType() == "image/gif") || ($oImage->GetMimeType() == "image/png"))
 			{
@@ -1968,38 +1960,38 @@ class utils
 				imagealphablending($new, false);
 				imagesavealpha($new, true);
 			}
-			
+
 			imagecopyresampled($new, $img, 0, 0, 0, 0, $iNewWidth, $iNewHeight, $iWidth, $iHeight);
-			
+
 			ob_start();
 			switch ($oImage->GetMimeType())
 			{
 				case 'image/gif':
 				imagegif($new); // send image to output buffer
 				break;
-				
+
 				case 'image/jpeg':
 				imagejpeg($new, null, 80); // null = send image to output buffer, 80 = good quality
 				break;
-				 
+
 				case 'image/png':
 				imagepng($new, null, 5); // null = send image to output buffer, 5 = medium compression
 				break;
 			}
 			$oResampledImage = new ormDocument(ob_get_contents(), $oImage->GetMimeType(), $oImage->GetFileName());
 			@ob_end_clean();
-			
+
 			imagedestroy($img);
 			imagedestroy($new);
-							
+
 			return $oResampledImage;
 		}
-				
+
 	}
-	
+
 	/**
 	 * Create a 128 bit UUID in the format: {########-####-####-####-############}
-	 * 
+	 *
 	 * Note: this method can be run from the command line as well as from the web server.
 	 * Note2: this method is not cryptographically secure! If you need a cryptographically secure value
 	 * consider using open_ssl or PHP 7 methods.
@@ -2037,7 +2029,7 @@ class utils
 	{
         return ModuleService::GetInstance()->GetCurrentModuleName($iCallDepth + 1);
 	}
-	
+
 	/**
 	 * **Warning** : returned result can be invalid as we're using backtrace to find the module dir name
 	 *
@@ -2068,7 +2060,7 @@ class utils
 	{
 		return ModuleService::GetInstance()->GetCurrentModuleUrl(1);
 	}
-	
+
 	/**
 	 * @param string $sProperty The name of the property to retrieve
 	 * @param mixed $defaultvalue
@@ -2078,7 +2070,7 @@ class utils
 	{
         return ModuleService::GetInstance()->GetCurrentModuleSetting($sProperty, $defaultvalue);
 	}
-	
+
 	/**
 	 * @param string $sModuleName
 	 * @return string|NULL compiled version of a given module, as it was seen by the compiler
@@ -2087,7 +2079,7 @@ class utils
 	{
         return ModuleService::GetInstance()->GetCompiledModuleVersion($sModuleName);
 	}
-	
+
 	/**
 	 * Check if the given path/url is an http(s) URL
 	 * @param string $sPath
@@ -2102,7 +2094,7 @@ class utils
 		}
 		return $bRet;
 	}
-	
+
 	/**
 	 * Check if the given URL is a link to download a document/image on the CURRENT iTop
 	 * In such a case we can read the content of the file directly in the database (if the users rights allow) and return the ormDocument
@@ -2151,7 +2143,7 @@ class utils
 		}
 		return $result;
 	}
-	
+
 	/**
 	 * Read the content of a file (and retrieve its MIME type) from either:
 	 * - an URL pointing to a blob (image/document) on the current iTop server
@@ -2195,7 +2187,7 @@ class utils
 			'html' => 'text/html',
 			'exe' => 'application/octet-stream',
 		);
-	
+
 		$sData = null;
 		$sMimeType = 'text/plain'; // Default MIME Type: treat the file as a bunch a characters...
 		$sFileName = 'uploaded-file'; // Default name for downloaded-files
@@ -2251,7 +2243,7 @@ class utils
 			}
 			$sExtension = strtolower(pathinfo($sPath, PATHINFO_EXTENSION));
 			$sFileName = basename($sPath);
-				
+
 			if (array_key_exists($sExtension, $aKnownExtensions))
 			{
 				$sMimeType = $aKnownExtensions[$sExtension];
@@ -2265,7 +2257,7 @@ class utils
 		}
 		return $oUploadedDoc;
 	}
-	
+
 	protected static function ParseHeaders($aHeaders)
 	{
 		$aCleanHeaders = array();
@@ -2290,7 +2282,7 @@ class utils
 		}
 		return $aCleanHeaders;
 	}
-	
+
 	/**
 	 * @return string a string based on compilation time or (if not available because the datamodel has not been loaded)
 	 * the version of iTop. This string is useful to prevent browser side caching of content that may vary at each
@@ -2445,7 +2437,7 @@ class utils
 		{
 			return false;
 		}
-		
+
 		return substr_compare($haystack, $needle, -strlen($needle)) === 0;
 	}
 

application/webpage.class.inc.php

@@ -483,12 +483,24 @@ class WebPage implements Page
 	}
 
 	/**
-	 * @param string|null $sHeaderValue for example `SAMESITE`. If null will set the header using the config parameter value.
+	 * @param string|null $sXFrameOptionsHeaderValue passed to {@see add_xframe_options}
+	 *
+	 * @return void
+	 * @since 2.7.10 3.0.4 3.1.2 3.2.0 N°4368 method creation, replace {@see add_xframe_options} consumers call
+	 */
+	public function add_http_headers($sXFrameOptionsHeaderValue = null)
+	{
+		$this->add_xframe_options($sXFrameOptionsHeaderValue);
+		$this->add_xcontent_type_options();
+	}
+
+	/**
+	 * @param string|null $sHeaderValue for example `SAMESITE`. If null will set the header using the `security_header_xframe` config parameter value.
 	 *
 	 * @since 2.7.3 3.0.0 N°3416
-	 * @uses security_header_xframe config parameter
 	 * @uses \utils::GetConfig()
-	 * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+	 *
+	 * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options HTTP header MDN documentation
 	 */
 	public function add_xframe_options($sHeaderValue = null)
 	{
@@ -499,6 +511,38 @@ class WebPage implements Page
 		$this->add_header('X-Frame-Options: '.$sHeaderValue);
 	}
 
+	/**
+	 * Warning : this header will trigger the Cross-Origin Read Blocking (CORB) protection for some mime types (HTML, XML except SVG, JSON, text/plain)
+	 * In consequence some children pages will override this method.
+	 *
+	 * Sending header can be disabled globally using the `security.enable_header_xcontent_type_options` optional config parameter.
+	 *
+	 * @return void
+	 * @since 2.7.10 3.0.4 3.1.2 3.2.0 N°4368 method creation
+	 *
+	 * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options HTTP header MDN documentation
+	 * @link https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md#determining-whether-a-response-is-corb_protected "Determining whether a response is CORB-protected"
+	 */
+	public function add_xcontent_type_options()
+	{
+		try {
+			$oConfig = utils::GetConfig();
+		} catch (ConfigException|CoreException $e) {
+			$oConfig = null;
+		}
+		if (is_null($oConfig)) {
+			$bSendXContentTypeOptionsHttpHeader = true;
+		} else {
+			$bSendXContentTypeOptionsHttpHeader = $oConfig->Get('security.enable_header_xcontent_type_options');
+		}
+
+		if ($bSendXContentTypeOptionsHttpHeader === false) {
+			return;
+		}
+
+		$this->add_header('X-Content-Type-Options: nosniff');
+	}
+
 	/**
 	 * Add needed headers to the page so that it will no be cached
 	 */

application/xmlpage.class.inc.php

@@ -44,10 +44,20 @@ class XMLPage extends WebPage
 		$this->m_bHeaderSent = false;
 		$this->add_header("Content-type: text/xml; charset=".self::PAGES_CHARSET);
 		$this->no_cache();
-		$this->add_xframe_options();
+		$this->add_http_headers();
 		$this->add_header("Content-location: export.xml");
 	}
 
+	/**
+	 * Disabling sending the header so that resource won't be blocked by CORB. See parent method documentation.
+	 * @return void
+	 * @since 2.7.10 3.0.4 3.1.2 3.2.0 N°4368 method creation
+	 */
+	public function add_xcontent_type_options()
+	{
+		// Nothing to do !
+	}
+
 	public function output()
 	{
 		if (!$this->m_bPassThrough)

approot.inc.php

@@ -14,7 +14,7 @@ define('APPCONF', APPROOT.'conf/');
  * @used-by utils::GetItopVersionWikiSyntax()
  * @used-by iTopModulesPhpVersionIntegrationTest
  */
-define('ITOP_CORE_VERSION', '2.7.9');
+define('ITOP_CORE_VERSION', '2.7.12');
 
 
 require_once APPROOT.'bootstrap.inc.php';

bootstrap.inc.php

@@ -48,7 +48,7 @@ if (file_exists(MAINTENANCE_MODE_FILE) && !$bBypassMaintenance)
 	http_response_code(503);
 	// Display message depending on the request
 	include(APPROOT.'application/maintenancemsg.php');
-	$sSAPIName = strtoupper(trim(php_sapi_name()));
+	$sSAPIName = strtoupper(trim(PHP_SAPI));
 
 	switch (true)
 	{

core/attributedef.class.inc.php

@@ -2695,6 +2695,11 @@ class AttributeObjectKey extends AttributeDBFieldVoid
 		return ($proposedValue == 0);
 	}
 
+    /**
+     * @inheritDoc
+     *
+     * @param int|DBObject $proposedValue Object key or valid ({@see MetaModel::IsValidObject()}) datamodel object
+     */
 	public function MakeRealValue($proposedValue, $oHostObj)
 	{
 		if (is_null($proposedValue))
@@ -2707,7 +2712,6 @@ class AttributeObjectKey extends AttributeDBFieldVoid
 		}
 		if (MetaModel::IsValidObject($proposedValue))
 		{
-			/** @var \DBObject $proposedValue */
 			return $proposedValue->GetKey();
 		}
 
@@ -5940,6 +5944,11 @@ class AttributeDateTime extends AttributeDBField
 		}
 	}
 
+    /**
+     * @inheritDoc
+     *
+     * @param int|string $proposedValue timestamp ({@see DateTime::getTimestamp()) or date as string, following the {@see GetInternalFormat} format.
+     */
 	public function MakeRealValue($proposedValue, $oHostObj)
 	{
 		if (is_null($proposedValue))
@@ -7655,9 +7664,9 @@ class AttributeBlob extends AttributeDefinition
 	}
 
 	/**
-	 * Users can provide the document from an URL (including an URL on iTop itself)
-	 * for CSV import. Administrators can even provide the path to a local file
-	 * {@inheritDoc}
+     * {@inheritDoc}
+     *
+     * @param string $proposedValue Can be an URL (including an URL to iTop itself), or a local path (CSV import)
 	 *
 	 * @see AttributeDefinition::MakeRealValue()
 	 */

core/cmdbsource.class.inc.php

@@ -95,7 +95,7 @@ class MySQLHasGoneAwayException extends MySQLException
 	{
 		return array(
 			2006,
-			2013
+			2013,
 		);
 	}
 
@@ -134,6 +134,12 @@ class CMDBSource
 	const ENUM_DB_VENDOR_MARIADB = 'MariaDB';
 	const ENUM_DB_VENDOR_PERCONA = 'Percona';
 
+	/**
+	 * @since 2.7.10 3.0.4 3.1.2 3.0.2 N°6889 constant creation
+	 * @internal will be removed in a future version
+	 */
+	const MYSQL_DEFAULT_PORT = 3306;
+
 	/**
 	 * Error: 1205 SQLSTATE: HY000 (ER_LOCK_WAIT_TIMEOUT)
 	 *   Message: Lock wait timeout exceeded; try restarting transaction
@@ -319,16 +325,19 @@ class CMDBSource
 	/**
 	 * @param string $sDbHost initial value ("p:domain:port" syntax)
 	 * @param string $sServer server variable to update
-	 * @param int $iPort port variable to update
+	 * @param int|null $iPort port variable to update, will return null if nothing is specified in $sDbHost
+	 *
+	 * @since 2.7.10 3.0.4 3.1.2 3.2.0 N°6889 will return null in $iPort if port isn't present in $sDbHost. Use {@see MYSQL_DEFAULT_PORT} if needed
+	 *
+	 * @link http://php.net/manual/en/mysqli.persistconns.php documentation for the "p:" prefix (persistent connexion)
 	 */
 	public static function InitServerAndPort($sDbHost, &$sServer, &$iPort)
 	{
 		$aConnectInfo = explode(':', $sDbHost);
 
 		$bUsePersistentConnection = false;
-		if (strcasecmp($aConnectInfo[0], 'p') == 0)
+		if (strcasecmp($aConnectInfo[0], 'p') === 0)
 		{
-			// we might have "p:" prefix to use persistent connections (see http://php.net/manual/en/mysqli.persistconns.php)
 			$bUsePersistentConnection = true;
 			$sServer = $aConnectInfo[0].':'.$aConnectInfo[1];
 		}
@@ -346,10 +355,6 @@ class CMDBSource
 		{
 			$iPort = (int)($aConnectInfo[1]);
 		}
-		else
-		{
-			$iPort = 3306;
-		}
 	}
 
 	/**
@@ -669,10 +674,9 @@ class CMDBSource
 	/**
 	 * @param string $sSQLQuery
 	 *
-	 * @return \mysqli_result|null
-	 * @throws \MySQLException
-	 * @throws \MySQLHasGoneAwayException
-	 * @throws \CoreException
+     * @return mysqli_result|null
+     * @throws MySQLException
+     * @throws MySQLHasGoneAwayException
 	 *
 	 * @since 2.7.0 N°679 handles nested transactions
 	 */
@@ -1292,8 +1296,8 @@ class CMDBSource
 	 */
 	public static function IsSameFieldTypes($sItopGeneratedFieldType, $sDbFieldType)
 	{
-		list($sItopFieldDataType, $sItopFieldTypeOptions, $sItopFieldOtherOptions) = static::GetFieldDataTypeAndOptions($sItopGeneratedFieldType);
-		list($sDbFieldDataType, $sDbFieldTypeOptions, $sDbFieldOtherOptions) = static::GetFieldDataTypeAndOptions($sDbFieldType);
+		[$sItopFieldDataType, $sItopFieldTypeOptions, $sItopFieldOtherOptions] = static::GetFieldDataTypeAndOptions($sItopGeneratedFieldType);
+		[$sDbFieldDataType, $sDbFieldTypeOptions, $sDbFieldOtherOptions] = static::GetFieldDataTypeAndOptions($sDbFieldType);
 
 		if (strcasecmp($sItopFieldDataType, $sDbFieldDataType) !== 0)
 		{
@@ -1730,8 +1734,20 @@ class CMDBSource
 		return false;
 	}
 
-	/**
-	 * @return string query to upgrade database charset and collation if needed, null if not
+    public static function GetClusterNb()
+    {
+        $result = 0;
+        $sSql = "SHOW STATUS LIKE 'wsrep_cluster_size';";
+        $aRows = self::QueryToArray($sSql);
+        if (count($aRows) > 0)
+        {
+            $result = $aRows[0]['Value'];
+        }
+        return intval($result);
+    }
+
+    /**
+     * @return string query to upgrade database charset and collation if needed, null if not
 	 * @throws \MySQLException
 	 *
 	 * @since 2.5.0 N°1001 switch to utf8mb4

core/config.class.inc.php

@@ -1320,6 +1320,14 @@ class Config
 			'source_of_value' => '',
 			'show_in_conf_sample' => false,
 		],
+		'security.enable_header_xcontent_type_options' => [
+			'type' => 'bool',
+			'description' => 'If set to false, iTop will stop sending the X-Content-Type-Options HTTP header. This header could trigger CORB protection on certain resources (JSON, XML, HTML, text) therefore blocking them.',
+			'default' => true,
+			'value' => '',
+			'source_of_value' => '',
+			'show_in_conf_sample' => false,
+		],
 		'behind_reverse_proxy' => [
 			'type' => 'bool',
 			'description' => 'If true, then proxies custom header (X-Forwarded-*) are taken into account. Use only if the webserver is not publicly accessible (reachable only by the reverse proxy)',
@@ -1626,7 +1634,7 @@ class Config
 		}
 		if (strlen($sNoise) > 0)
 		{
-			// Note: sNoise is an html output, but so far it was ok for me (e.g. showing the entire call stack) 
+			// Note: sNoise is an html output, but so far it was ok for me (e.g. showing the entire call stack)
 			throw new ConfigException('Syntax error in configuration file',
 				array('file' => $sConfigFile, 'error' => '<tt>'.htmlentities($sNoise, ENT_QUOTES, 'UTF-8').'</tt>'));
 		}
@@ -1901,6 +1909,24 @@ class Config
 		$this->m_sAllowedLoginTypes = implode('|', $aAllowedLoginTypes);
 	}
 
+	/**
+	 * @since 2.7.11 N°7085
+	 * Add login mode if not configured already
+	 * @param string $sLoginMode
+	 *
+	 * @return void
+	 */
+	public function AddAllowedLoginTypes($sLoginMode)
+	{
+		$aAllowedLoginTypes = $this->GetAllowedLoginTypes();
+		if (in_array($sLoginMode, $aAllowedLoginTypes)){
+			return;
+		}
+
+		$aAllowedLoginTypes[] = $sLoginMode;
+		$this->SetAllowedLoginTypes($aAllowedLoginTypes);
+	}
+
 	public function SetExternalAuthenticationVariable($sExtAuthVariable)
 	{
 		$this->m_sExtAuthVariable = $sExtAuthVariable;
@@ -2420,7 +2446,7 @@ class ConfigPlaceholdersResolver
 		}
 
 		$sPattern = '/\%(env|server)\((\w+)\)(?:\?:(\w*))?\%/'; //3 capturing groups, ie `%env(HTTP_PORT)?:8080%` produce: `env` `HTTP_PORT` and `8080`.
-		
+
 		if (! preg_match_all($sPattern, $rawValue, $aMatchesCollection, PREG_SET_ORDER))
 		{
 			return $rawValue;
@@ -2473,4 +2499,4 @@ class ConfigPlaceholdersResolver
 		IssueLog::Error($sErrorMessage, self::class, array($sSourceName, $sKey, $sDefault, $sWholeMask));
 		throw new ConfigException($sErrorMessage);
 	}
-}
+}

core/dbobject.class.php

@@ -532,11 +532,10 @@ abstract class DBObject implements iDisplay
      * Attributes setter
      *
      * Set $sAttCode to $value.
-     * The value must be valid according to the type of attribute.
+     * The value must be valid according to the type of attribute : see the different {@see AttributeDefinition::MakeRealValue()} implementations
      * The value will not be recorded into the DB until DBObject::DBWrite() is called.
      *
      * @api
-     * @see DBWrite()
      *
      * @param string $sAttCode
      * @param mixed $value
@@ -544,6 +543,8 @@ abstract class DBObject implements iDisplay
      * @return bool
      * @throws CoreException
      * @throws CoreUnexpectedValue
+     *
+     * @see DBWrite()
      */
 	public function Set($sAttCode, $value)
 	{
@@ -2084,16 +2085,17 @@ abstract class DBObject implements iDisplay
 	}
 
 	/**
+     * @param array $aUniquenessRuleProperties uniqueness rule properties
+	 *
+     * @param string $sUniquenessRuleId uniqueness rule ID
+	 * @return \DBSearch
+	 * @throws \OQLException
+     * @throws \CoreException
+     *
      * @internal
      *
-	 * @param string $sUniquenessRuleId uniqueness rule ID
-	 * @param array $aUniquenessRuleProperties uniqueness rule properties
-	 *
-	 * @return \DBSearch
-	 * @throws \CoreException
-	 * @throws \OQLException
-	 * @since 2.6.0 N°659 uniqueness constraint
-	 * @api
+     * @since 2.6.0 N°659 uniqueness constraint
+     * @since 2.7.11 3.1.2 3.2.0 N°4314 Fix Uniqueness rules not working with Silo
 	 */
 	protected function GetSearchForUniquenessRule($sUniquenessRuleId, $aUniquenessRuleProperties)
 	{
@@ -2123,8 +2125,10 @@ abstract class DBObject implements iDisplay
 			$oUniquenessQuery->AddConditionForInOperatorUsingParam('finalclass', $aChildClassesWithRuleDisabled, false);
 		}
 
-		return $oUniquenessQuery;
-	}
+        $oUniquenessQuery->AllowAllData();
+
+        return $oUniquenessQuery;
+    }
 
 	/**
 	 * Check integrity rules (before inserting or updating the object)
@@ -2297,15 +2301,19 @@ abstract class DBObject implements iDisplay
 				continue;
 			}
 
-			/** @noinspection NotOptimalIfConditionsInspection */
-			/** @noinspection TypeUnsafeComparisonInspection */
 			if (utils::IsNullOrEmptyString($sRemoteObjectClass)
 				|| utils::IsNullOrEmptyString($sRemoteObjectKey)
-				|| ($sRemoteObjectKey == 0) // non-strict comparison as we might have bad surprises
 			) {
 				continue;
 			}
 
+			// 0 : Undefined ext. key (EG. non-mandatory and no value provided)
+			// < 0 : Non yet persisted object
+            /** @noinspection TypeUnsafeComparisonInspection Non-strict comparison as object ID can be string */
+			if ($sRemoteObjectKey <= 0) {
+				continue;
+			}
+
 			if (false === $oIsObjectLoadableCallback($sRemoteObjectClass, $sRemoteObjectKey)) {
 				throw new InvalidExternalKeyValueException($this, $sAttDefCode);
 			}

core/dbsearch.class.php

@@ -866,11 +866,11 @@ abstract class DBSearch
 			return;
 		}
 
-		if (count($aColumns) == 0)
-		{
-			$aColumns = array_keys(MetaModel::ListAttributeDefs($this->GetClass()));
-			// Add the standard id (as first column)
-			array_unshift($aColumns, 'id');
+        if (count($aColumns) == 0)
+        {
+            $aColumns = array_keys(MetaModel::ListAttributeDefs($this->GetClass()));
+            // Add the standard id (as first column)
+            array_unshift($aColumns, 'id');
 		}
 
 		$aQueryCols = CMDBSource::GetColumns($resQuery, $sSQL);
@@ -900,6 +900,55 @@ abstract class DBSearch
 		return $aRes;
 	}
 
+    /**
+     * Selects a column ($sAttCode) from the specified class ($sClassAlias - default main class) of the DBsearch object and gives the result as an array
+     * @param string $sAttCode
+     * @param string|null $sClassAlias
+     *
+     * @return array
+     * @throws ConfigException
+     * @throws CoreException
+     * @throws MissingQueryArgument
+     * @throws MySQLException
+     * @throws MySQLHasGoneAwayException
+     */
+    public function SelectAttributeToArray(string $sAttCode, ?string $sClassAlias = null):array
+    {
+       if(is_null($sClassAlias)) {
+           $sClassAlias = $this->GetClassAlias();
+       }
+
+       $sClass = $this->GetClass();
+       if($sAttCode === 'id'){
+           $aAttToLoad[$sClassAlias]=[];
+       } else {
+           $aAttToLoad[$sClassAlias][$sAttCode] = MetaModel::GetAttributeDef($sClass, $sAttCode);
+       }
+
+        $sSQL = $this->MakeSelectQuery([], [], $aAttToLoad);
+        $resQuery = CMDBSource::Query($sSQL);
+        if (!$resQuery)
+        {
+            return [];
+        }
+
+        $sColName = $sClassAlias.$sAttCode;
+
+        $aRes = [];
+        while ($aRow = CMDBSource::FetchArray($resQuery))
+        {
+            $aMappedRow = array();
+            if($sAttCode === 'id') {
+                $aMappedRow[$sAttCode] = $aRow[$sColName];
+            } else {
+                $aMappedRow[$sAttCode] = $aAttToLoad[$sClassAlias][$sAttCode]->FromSQLToValue($aRow, $sColName);
+            }
+            $aRes[] = $aMappedRow;
+        }
+        CMDBSource::FreeResult($resQuery);
+        return $aRes;
+    }
+
 	////////////////////////////////////////////////////////////////////////////
 	//
 	// Construction of the SQL queries

core/mutex.class.inc.php

@@ -22,7 +22,9 @@
  * A class to serialize the execution of some code sections
  * Emulates the API of PECL Mutex class
  * Relies on MySQL locks because the API sem_get is not always present in the
- * installed PHP.    
+ * installed PHP.
+ *
+ * @link https://dev.mysql.com/doc/refman/5.7/en/locking-functions.html MySQL locking functions documentation
  *
  * @copyright   Copyright (C) 2013-2018 Combodo SARL
  * @license     http://opensource.org/licenses/AGPL-3.0

core/simplegraph.class.inc.php

@@ -537,7 +537,7 @@ EOF
 		}
 		else
 		{
-			throw new Exception('graphviz not found (executable path: '.$sDotExecutable.')');
+            throw new Exception('graphviz not found');
 		}
 		return $sHtml;
 	}
@@ -592,7 +592,7 @@ EOF
 		}
 		else
 		{
-			throw new Exception('graphviz not found (executable path: '.$sDotExecutable.')');
+            throw new Exception('graphviz not found');
 		}
 		return $sHtml;
 	}

core/userrights.class.inc.php

@@ -110,7 +110,7 @@ abstract class UserRightsAddOnAPI
 				$oSearchSharers->AllowAllData();
 				$oSearchSharers->AddCondition_ReferencedBy($oShareSearch, 'sharing_org_id');
 				$aSharers = array();
-				foreach($oSearchSharers->ToDataArray(array('id')) as $aRow)
+				foreach($oSearchSharers->SelectAttributeToArray('id') as $aRow)
 				{
 					$aSharers[] = $aRow['id'];
 				}
@@ -135,7 +135,7 @@ abstract class UserRightsAddOnAPI
 				$oOrgField = new FieldExpression('org_id', $sShareClass);
 				$oSearchShares->AddConditionExpression(new BinaryExpression($oOrgField, 'IN', $oListExpr));
 				$aShared = array();
-				foreach($oSearchShares->ToDataArray(array($sShareAttCode)) as $aRow)
+				foreach($oSearchShares->SelectAttributeToArray($sShareAttCode) as $aRow)
 				{
 					$aShared[] = $aRow[$sShareAttCode];
 				}

css/css-variables.scss

@@ -17,7 +17,7 @@
  */
 
 // Beware the version number MUST be enclosed with quotes otherwise v2.3.0 becomes v2 0.3 .0
-$version: "v2.7.9";
+$version: "v2.7.12";
 $approot-relative: "../../../../../" !default; // relative to env-***/branding/themes/***/main.css
 
 // Base colors

css/setup.css

@@ -15,10 +15,14 @@
  *
  * You should have received a copy of the GNU Affero General Public License
  */
+/* integrityCheck: begin (do not remove/edit) */
 /* Helpers classes */
 .center {
   text-align: center;
 }
+.hidden {
+  display: none;
+}
 /* Animations */
 @keyframes progress_bar_color_ongoing {
   from {
@@ -265,4 +269,4 @@ fieldset > legend {
   font-weight: bold;
   color: #e60000b8;
 }
-
+/* integrityCheck: end (do not remove/edit) */

css/setup.scss

@@ -56,6 +56,9 @@ $progress-bar-error-bg-color: #F56565 !default;
 .center {
 	text-align: center;
 }
+.hidden {
+  display: none;
+}
 
 /* Animations */
 @keyframes progress_bar_color_ongoing {

datamodels/2.x/authent-cas/module.authent-cas.php

@@ -5,7 +5,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'authent-cas/2.7.9',
+	'authent-cas/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/authent-external/module.authent-external.php

@@ -27,7 +27,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'authent-external/2.7.9',
+	'authent-external/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/authent-ldap/module.authent-ldap.php

@@ -9,7 +9,7 @@ if (function_exists('ldap_connect'))
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'authent-ldap/2.7.9',
+	'authent-ldap/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/authent-local/module.authent-local.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'authent-local/2.7.9',
+	'authent-local/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/combodo-db-tools/module.combodo-db-tools.php

@@ -24,7 +24,7 @@
 /** @noinspection PhpUnhandledExceptionInspection */
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'combodo-db-tools/2.7.9',
+	'combodo-db-tools/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-attachments/module.itop-attachments.php

@@ -19,7 +19,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-attachments/2.7.9',
+	'itop-attachments/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-backup/module.itop-backup.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-backup/2.7.9',
+	'itop-backup/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-bridge-virtualization-storage/module.itop-bridge-virtualization-storage.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-bridge-virtualization-storage/2.7.9',
+	'itop-bridge-virtualization-storage/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-change-mgmt-itil/module.itop-change-mgmt-itil.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-change-mgmt-itil/2.7.9',
+	'itop-change-mgmt-itil/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-change-mgmt/module.itop-change-mgmt.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-change-mgmt/2.7.9',
+	'itop-change-mgmt/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-config-mgmt/module.itop-config-mgmt.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-config-mgmt/2.7.9',
+	'itop-config-mgmt/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-config/module.itop-config.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-config/2.7.9',
+	'itop-config/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-core-update/module.itop-core-update.php

@@ -24,7 +24,7 @@
 /** @noinspection PhpUnhandledExceptionInspection */
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-core-update/2.7.9',
+	'itop-core-update/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-datacenter-mgmt/module.itop-datacenter-mgmt.php

@@ -18,7 +18,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-datacenter-mgmt/2.7.9',
+	'itop-datacenter-mgmt/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-endusers-devices/module.itop-endusers-devices.php

@@ -25,7 +25,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-endusers-devices/2.7.9',
+	'itop-endusers-devices/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-files-information/module.itop-files-information.php

@@ -24,7 +24,7 @@
 /** @noinspection PhpUnhandledExceptionInspection */
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-files-information/2.7.9',
+	'itop-files-information/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-full-itil/module.itop-full-itil.php

@@ -6,7 +6,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-full-itil/2.7.9',
+	'itop-full-itil/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-hub-connector/TokenValidation.php

@@ -0,0 +1,19 @@
+<?php
+
+class TokenValidation
+{
+	// construct function
+	public function __construct()
+	{
+	}
+	public function isSetupTokenValid($sParamToken) : bool
+	{
+		if (!file_exists(APPROOT.'data/.setup')) {
+			return false;
+		}
+		$sSetupToken = trim(file_get_contents(APPROOT.'data/.setup'));
+		unlink(APPROOT.'data/.setup');
+		return $sParamToken === $sSetupToken;
+	}
+
+}

datamodels/2.x/itop-hub-connector/hubconnectorpage.class.inc.php

@@ -7,7 +7,7 @@ class HubConnectorPage extends NiceWebPage
 	    parent::__construct($sTitle);
 
 	    $this->no_cache();
-	    $this->add_xframe_options();
+	    $this->add_http_headers();
 
 	    $sImagesDir = utils::GetAbsoluteUrlAppRoot().'images';
 	    $sModuleImagesDir = utils::GetAbsoluteUrlModulesRoot().'itop-hub-connector/images';

datamodels/2.x/itop-hub-connector/launch.php

@@ -280,6 +280,7 @@ try
 	require_once ('hubconnectorpage.class.inc.php');
 	
 	require_once (APPROOT.'/application/startup.inc.php');
+    require_once('TokenValidation.php');
 	
 	$sTargetRoute = utils::ReadParam('target', ''); // ||browse_extensions|deploy_extensions|
 	
@@ -299,11 +300,20 @@ try
 		case 'inform_after_setup':
 		// Hidden IFRAME at the end of the setup
 		require_once (APPROOT.'/application/ajaxwebpage.class.inc.php');
-		$oPage = new NiceWebPage('');
-		$aDataToPost = MakeDataToPost($sTargetRoute);
-		$oPage->add('<form id="hub_launch_form" action="'.$sHubUrlStateless.'" method="post">');
-		$oPage->add('<input type="hidden" name="json" value="'.htmlentities(json_encode($aDataToPost), ENT_QUOTES, 'UTF-8').'">');
-		$oPage->add_ready_script('$("#hub_launch_form").submit();');
+
+            $sParamToken = utils::ReadParam('setup_token');
+            $oTokenValidation = new TokenValidation();
+            $bIsTokenValid = $oTokenValidation->isSetupTokenValid($sParamToken);
+            if (UserRights::IsAdministrator() || $bIsTokenValid) {
+                $oPage = new NiceWebPage('');
+                $aDataToPost = MakeDataToPost($sTargetRoute);
+                $oPage->add('<form id="hub_launch_form" action="' . $sHubUrlStateless . '" method="post">');
+                $oPage->add('<input type="hidden" name="json" value="' . htmlentities(json_encode($aDataToPost), ENT_QUOTES, 'UTF-8') . '">');
+                $oPage->add_ready_script('$("#hub_launch_form").submit();');
+            } else {
+                IssueLog::Error('TokenValidation failed on inform_after_setup page');
+                throw new Exception("Not allowed");
+            }
 		break;
 		
 		default:

datamodels/2.x/itop-hub-connector/module.itop-hub-connector.php

@@ -5,7 +5,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-hub-connector/2.7.9',
+	'itop-hub-connector/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-incident-mgmt-itil/module.itop-incident-mgmt-itil.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-incident-mgmt-itil/2.7.9',
+	'itop-incident-mgmt-itil/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-knownerror-mgmt/module.itop-knownerror-mgmt.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-knownerror-mgmt/2.7.9',
+	'itop-knownerror-mgmt/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-oauth-client/assets/js/oauth_connect.js

@@ -92,6 +92,8 @@ const OAuthConnect = function(sClass, sId, sAjaxUri) {
 		function (oData) {
 			if (oData.status === 'success') {
 				oOpenSignInWindow(oData.data.authorization_url, 'OAuth authorization')
+			} else {
+				alert(oData.error_description);
 			}
 		}
 	);

datamodels/2.x/itop-oauth-client/datamodel.itop-oauth-client.xml

@@ -339,6 +339,11 @@
           <default_value>no</default_value>
           <is_null_allowed>true</is_null_allowed>
         </field>
+        <field id="tenant" xsi:type="AttributeString">
+          <sql>tenant</sql>
+          <default_value>common</default_value>
+          <is_null_allowed>false</is_null_allowed>
+        </field>
       </fields>
       <presentation>
         <details>
@@ -364,15 +369,18 @@
                     <item id="redirect_url">
                       <rank>50</rank>
                     </item>
-                    <item id="client_id">
+                    <item id="tenant">
                       <rank>60</rank>
                     </item>
-                    <item id="client_secret">
+                    <item id="client_id">
                       <rank>70</rank>
                     </item>
-                    <item id="mailbox_list">
+                    <item id="client_secret">
                       <rank>80</rank>
                     </item>
+                    <item id="mailbox_list">
+                      <rank>90</rank>
+                    </item>
                   </items>
                 </item>
               </items>

datamodels/2.x/itop-oauth-client/en.dict.itop-oauth-client.php

@@ -93,6 +93,8 @@ Dict::Add('EN US', 'English', 'English', array(
 	'Class:OAuthClientAzure/Attribute:used_for_smtp+' => 'At least one OAuth client must have this flag to “Yes”, if you want iTop to use it for sending mails',
 	'Class:OAuthClientAzure/Attribute:used_for_smtp/Value:yes' => 'Yes',
 	'Class:OAuthClientAzure/Attribute:used_for_smtp/Value:no' => 'No',
+    'Class:OAuthClientAzure/Attribute:tenant' => 'Tenant',
+    'Class:OAuthClientAzure/Attribute:tenant+' => 'Tenant ID of the configured application. For multi-tenant application, use common.',
 ));
 
 //

datamodels/2.x/itop-oauth-client/module.itop-oauth-client.php

@@ -5,7 +5,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-oauth-client/2.7.9',
+	'itop-oauth-client/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-oauth-client/src/Controller/AjaxOauthClientController.php

@@ -10,6 +10,7 @@ use cmdbAbstractObject;
 use Combodo\iTop\Application\TwigBase\Controller\Controller;
 use Combodo\iTop\Core\Authentication\Client\OAuth\OAuthClientProviderFactory;
 use Dict;
+use Exception;
 use IssueLog;
 use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
 use MetaModel;
@@ -31,8 +32,13 @@ class AjaxOauthClientController extends Controller
 
 		$aResult = ['status' => 'success', 'data' => []];
 
-		$sAuthorizationUrl = OAuthClientProviderFactory::GetAuthorizationUrl($oOAuthClient);
-		$aResult['data']['authorization_url'] = $sAuthorizationUrl;
+        try {
+            $sAuthorizationUrl = OAuthClientProviderFactory::GetAuthorizationUrl($oOAuthClient);
+            $aResult['data']['authorization_url'] = $sAuthorizationUrl;
+        } catch (Exception $oException) {
+            $aResult['status'] = 'error';
+            $aResult['error_description'] = $oException->getMessage();
+        }
 
 		$this->DisplayJSONPage($aResult);
 	}

datamodels/2.x/itop-portal-base/module.itop-portal-base.php

@@ -20,7 +20,7 @@
 /** @noinspection PhpUnhandledExceptionInspection */
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-portal-base/2.7.9', array(
+	'itop-portal-base/2.7.12', array(
 	// Identification
 	'label' => 'Portal Development Library',
 		'category' => 'Portal',

datamodels/2.x/itop-portal-base/portal/config/routes/user_profile_brick.yaml

@@ -15,6 +15,11 @@
 #  You should have received a copy of the GNU Affero General Public License
 #  along with iTop. If not, see <http://www.gnu.org/licenses/>
 
+p_user_profile_brick_edit_person:
+  path: '/user/edit_person'
+  defaults:
+    _controller: 'Combodo\iTop\Portal\Controller\UserProfileBrickController::EditPerson'
+
 p_user_profile_brick:
   path: '/user/{sBrickId}'
   defaults:

datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php

@@ -1246,7 +1246,12 @@ class ObjectController extends BrickController
 		$bIgnoreSilos = $oScopeValidator->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass);
 		$aParams = array('objects_id' => $aObjectIds);
 		$oSearch = DBObjectSearch::FromOQL("SELECT $sObjectClass WHERE id IN (:objects_id)");
-		if ($bIgnoreSilos === true)
+        if (!$oScopeValidator->AddScopeToQuery($oSearch, $sObjectClass)
+        ) {
+            IssueLog::Warning(__METHOD__ . ' at line ' . __LINE__ . ' : User #' . UserRights::GetUserId() . ' not allowed to read ' . $sObjectClass . ' object.');
+            throw new HttpException(Response::HTTP_NOT_FOUND, Dict::S('UI:ObjectDoesNotExist'));
+        }
+        if ($bIgnoreSilos === true)
 		{
 			$oSearch->AllowAllData();
 		}

datamodels/2.x/itop-portal-base/portal/src/Controller/UserProfileBrickController.php

@@ -35,7 +35,7 @@ use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\Exception\HttpException;
 use UserRights;
 use utils;
-
+use Dict;
 /**
  * Class UserProfileBrickController
  *
@@ -66,34 +66,9 @@ class UserProfileBrickController extends BrickController
 		$oRequestManipulator = $this->get('request_manipulator');
 		/** @var \Combodo\iTop\Portal\Helper\ObjectFormHandlerHelper $ObjectFormHandler */
 		$ObjectFormHandler = $this->get('object_form_handler');
-		/** @var \Combodo\iTop\Portal\Brick\BrickCollection $oBrickCollection */
-		$oBrickCollection = $this->get('brick_collection');
+        $oBrick = $this->GetBrick($sBrickId);
 
-		// If the brick id was not specified, we get the first one registered that is an instance of UserProfileBrick as default
-		if ($sBrickId === null)
-		{
-			/** @var \Combodo\iTop\Portal\Brick\PortalBrick $oTmpBrick */
-			foreach ($oBrickCollection->GetBricks() as $oTmpBrick)
-			{
-				if ($oTmpBrick instanceof UserProfileBrick)
-				{
-					$oBrick = $oTmpBrick;
-				}
-			}
-
-			// We make sure a UserProfileBrick was found
-			if (!isset($oBrick) || $oBrick === null)
-			{
-				$oBrick = new UserProfileBrick();
-				//throw new HttpException(Response::HTTP_INTERNAL_SERVER_ERROR, 'UserProfileBrick : Brick could not be loaded as there was no UserProfileBrick loaded in the application.');
-			}
-		}
-		else
-		{
-			$oBrick = $oBrickCollection->GetBrickById($sBrickId);
-		}
-
-		$aData = array();
+        $aData = array();
 
 		// Setting form mode regarding the demo mode parameter
 		$bDemoMode = MetaModel::GetConfig()->Get('demo_mode');
@@ -130,11 +105,12 @@ class UserProfileBrickController extends BrickController
 			$oCurContact = UserRights::GetContactObject();
 			$sCurContactClass = get_class($oCurContact);
 			$sCurContactId = $oCurContact->GetKey();
-
+            $aForm = $oBrick->GetForm();
+            $aForm['submit_endpoint'] = $this->generateUrl('p_user_profile_brick_edit_person', ['sBrickId' => $sBrickId]);
 			// Preparing forms
-			$aData['forms']['contact'] = $ObjectFormHandler->HandleForm($oRequest, $sFormMode, $sCurContactClass, $sCurContactId,
-				$oBrick->GetForm());
-			$aData['forms']['preferences'] = $this->HandlePreferencesForm($oRequest, $sFormMode);
+            $aData['forms']['contact'] = $ObjectFormHandler->HandleForm($oRequest, $sFormMode, $sCurContactClass, $sCurContactId,
+                    $aForm);
+            $aData['forms']['preferences'] = $this->HandlePreferencesForm($oRequest, $sFormMode);
 			// - If user can change password, we display the form
 			$aData['forms']['password'] = (UserRights::CanChangePassword()) ? $this->HandlePasswordForm($oRequest, $sFormMode) : null;
 
@@ -150,6 +126,35 @@ class UserProfileBrickController extends BrickController
 		return $oResponse;
 	}
 
+    public function EditPerson(Request $oRequest)
+    {
+        /** @var \Combodo\iTop\Portal\Helper\ObjectFormHandlerHelper $oObjectFormHandler */
+        $oObjectFormHandler = $this->get('object_form_handler');
+        /** @var \Combodo\iTop\Portal\Helper\SecurityHelper $oSecurityHelper */
+        $oSecurityHelper = $this->get('security_helper');
+
+        $oCurContact = UserRights::GetContactObject();
+        $sObjectClass = get_class($oCurContact);
+        $sObjectId = $oCurContact->GetKey();
+
+        // Checking security layers
+        // Warning : This is a dirty quick fix to allow editing its own contact information
+        $bAllowWrite = ($sObjectClass === 'Person' && $sObjectId == UserRights::GetContactId());
+        if (!$oSecurityHelper->IsActionAllowed(UR_ACTION_MODIFY, $sObjectClass, $sObjectId) && !$bAllowWrite) {
+            IssueLog::Warning(__METHOD__ . ' at line ' . __LINE__ . ' : User #' . UserRights::GetUserId() . ' not allowed to modify ' . $sObjectClass . '::' . $sObjectId . ' object.');
+            throw new HttpException(Response::HTTP_NOT_FOUND, Dict::S('UI:ObjectDoesNotExist'));
+        }
+
+        $aForm = $this->GetBrick()->GetForm();
+        $aForm['submit_endpoint'] = $this->generateUrl('p_user_profile_brick_edit_person');
+
+        $aData = ['sMode' => 'edit'];
+        $aData['form'] = $oObjectFormHandler->HandleForm($oRequest, $aData['sMode'], $sObjectClass, $sObjectId, $aForm);
+
+        return new JsonResponse($aData);
+    }
+
+
 	/**
 	 * @param \Symfony\Component\HttpFoundation\Request $oRequest
 	 * @param string                                    $sFormMode
@@ -388,4 +393,34 @@ class UserProfileBrickController extends BrickController
 		return $aFormData;
 	}
 
+    /**
+     * @param $sBrickId
+     * @return \Combodo\iTop\Portal\Brick\PortalBrick|UserProfileBrick
+     * @throws \Combodo\iTop\Portal\Brick\BrickNotFoundException
+     */
+    public function GetBrick($sBrickId = null)
+    {
+        /** @var \Combodo\iTop\Portal\Brick\BrickCollection $oBrickCollection */
+        $oBrickCollection = $this->get('brick_collection');
+
+        // If the brick id was not specified, we get the first one registered that is an instance of UserProfileBrick as default
+        if ($sBrickId === null) {
+            /** @var \Combodo\iTop\Portal\Brick\PortalBrick $oTmpBrick */
+            foreach ($oBrickCollection->GetBricks() as $oTmpBrick) {
+                if ($oTmpBrick instanceof UserProfileBrick) {
+                    $oBrick = $oTmpBrick;
+                }
+            }
+
+            // We make sure a UserProfileBrick was found
+            if (!isset($oBrick) || $oBrick === null) {
+                $oBrick = new UserProfileBrick();
+                //throw new HttpException(Response::HTTP_INTERNAL_SERVER_ERROR, 'UserProfileBrick : Brick could not be loaded as there was no UserProfileBrick loaded in the application.');
+            }
+        } else {
+            $oBrick = $oBrickCollection->GetBrickById($sBrickId);
+        }
+        return $oBrick;
+    }
+
 }

datamodels/2.x/itop-portal-base/portal/src/EventListener/UserProvider.php

@@ -29,6 +29,7 @@ use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\Event\GetResponseEvent;
 use Symfony\Component\HttpKernel\Exception\HttpException;
 use UserRights;
+use utils;
 
 /**
  * Class UserProvider
@@ -91,6 +92,9 @@ class UserProvider implements ContainerAwareInterface
 		}
 		$this->oContainer->set('combodo.current_user', $oUser);
 
+        // User allowed to log off or not
+        $this->oContainer->set('combodo.current_user.can_logoff', utils::CanLogOff());
+
 		// Allowed portals
 		$aAllowedPortals = UserRights::GetAllowedPortals();
 

datamodels/2.x/itop-portal-base/portal/src/Helper/ObjectFormHandlerHelper.php

@@ -132,10 +132,8 @@ class ObjectFormHandlerHelper
 		$bModal = ($oRequest->isXmlHttpRequest() && empty($sOperation));
 
 		// - Retrieve form properties
-		if ($aFormProperties === null)
-		{
-			$aFormProperties = ApplicationHelper::GetLoadedFormFromClass($this->aCombodoPortalInstanceConf['forms'], $sObjectClass, $sMode);
-		}
+		$aFormProperties = $aFormProperties ?? ApplicationHelper::GetLoadedFormFromClass($this->aCombodoPortalInstanceConf['forms'], $sObjectClass, $sMode);
+
 		// - Create and
 		if (empty($sOperation))
 		{
@@ -243,13 +241,17 @@ class ObjectFormHandlerHelper
 				case static::ENUM_MODE_CREATE:
 				case static::ENUM_MODE_EDIT:
 				case static::ENUM_MODE_VIEW:
-					$sFormEndpoint = $this->oUrlGenerator->generate(
-						'p_object_'.$sMode,
-						array(
-							'sObjectClass' => $sObjectClass,
-							'sObjectId' => $sObjectId,
-						)
-					);
+                    if(array_key_exists('submit_endpoint', $aFormProperties)) {
+                        $sFormEndpoint = $aFormProperties['submit_endpoint'];
+                    } else {
+                        $sFormEndpoint = $this->oUrlGenerator->generate(
+                                'p_object_' . $sMode,
+                                array(
+                                        'sObjectClass' => $sObjectClass,
+                                        'sObjectId' => $sObjectId,
+                                )
+                        );
+                    }
 					break;
 
 				case static::ENUM_MODE_APPLY_STIMULUS:
@@ -282,7 +284,8 @@ class ObjectFormHandlerHelper
 				->SetActionRulesToken($sActionRulesToken)
 				->SetRenderer($oFormRenderer)
 				->SetFormProperties($aFormProperties);
-
+			$oFormManager->PrepareFormAndHTMLDocument();
+			$oFormManager->PrepareFields();
 			$oFormManager->Build();
 			$aFormData['hidden_fields'] = $oFormManager->GetHiddenFieldsId();
 			// Check the number of editable fields

datamodels/2.x/itop-portal-base/portal/templates/layout.html.twig

@@ -3,11 +3,13 @@
 
 {% if app['combodo.current_user'] is defined and app['combodo.current_user'] is not null %}
 	{% set bUserConnected = true %}
+    {% set bUserCanLogOff = app['combodo.current_user.can_logoff'] %}
 	{% set sUserFullname = app['combodo.current_user'].Get('first_name') ~ ' ' ~ app['combodo.current_user'].Get('last_name') %}
 	{% set sUserEmail = app['combodo.current_user'].Get('email') %}
 	{% set sUserPhotoUrl = app['combodo.current_contact.photo_url'] %}
 {% else %}
 	{% set bUserConnected = false %}
+    {% set bUserCanLogOff = false %}
 	{% set sUserFullname = '' %}
 	{% set sUserEmail = '' %}
 	{% set sUserPhotoUrl = app['combodo.portal.base.absolute_url'] ~ 'img/user-profile-default-256px.png' %}
@@ -62,12 +64,12 @@
         {% endif %}
 		{# Custom CSS that is supposed to do adjustments to the portal #}
 		{% if app['combodo.portal.instance.conf'].properties.themes.custom is defined %}
-			<link href="{{ app['combodo.portal.instance.conf'].properties.themes.custom|add_itop_version }}" rel="stylesheet">
+			<link href="{{ app['combodo.absolute_url'] ~ app['combodo.portal.instance.conf'].properties.themes.custom|add_itop_version }}" rel="stylesheet">
 		{% endif %}
 		{# Others CSS that will come after the theme/portal/custom, in an undefined order #}
 		{% if app['combodo.portal.instance.conf'].properties.themes.others is defined %}
 			{% for theme in app['combodo.portal.instance.conf'].properties.themes.others %}
-				<link href="{{ theme|add_itop_version }}" rel="stylesheet">
+				<link href="{{ app['combodo.absolute_url'] ~ theme|add_itop_version }}" rel="stylesheet">
 			{% endfor %}
 		{% endif %}
 	{% endblock %}
@@ -230,11 +232,13 @@
 											<li><a href="{{ aPortal.url }}" target="_blank"><span class="brick_icon {{ sIconClass }} fa-2x fa-fw"></span>{{ aPortal.label|dict_s }}</a></li>
 										{% endif %}
 									{% endfor %}
-									{# We display the separator only if the user has more then 1 portal. Meaning default portal + console or several portal at least #}
-									{% if app['combodo.current_user.allowed_portals']|length > 1 %}
-										<li role="separator" class="divider"></li>
-									{% endif %}
-									<li><a href="{{ app['combodo.absolute_url'] }}pages/logoff.php"><span class="brick_icon fas fa-sign-out-alt fa-2x fa-fw"></span>{{ 'Brick:Portal:UserProfile:Navigation:Dropdown:Logout'|dict_s }}</a></li>
+                                    {% if bUserCanLogOff %}
+                                        {# We display the separator only if the user has more then 1 portal. Meaning default portal + console or several portal at least #}
+                                        {% if app['combodo.current_user.allowed_portals']|length > 1 %}
+                                            <li role="separator" class="divider"></li>
+                                        {% endif %}
+									    <li><a href="{{ app['combodo.absolute_url'] }}pages/logoff.php"><span class="brick_icon fas fa-sign-out-alt fa-2x fa-fw"></span>{{ 'Brick:Portal:UserProfile:Navigation:Dropdown:Logout'|dict_s }}</a></li>
+                                    {% endif %}
 								{% endif %}
 							</ul>
 						</div>
@@ -269,11 +273,13 @@
 											<li><a href="{{ aPortal.url }}" {% if app['combodo.portal.instance.conf'].properties.allowed_portals.opening_mode == 'tab' %}target="_blank"{% endif %} title="{{ aPortal.label|dict_s }}"><span class="brick_icon {{ sGlyphiconClass }} fa-lg fa-fw"></span>{{ aPortal.label|dict_s }}</a></li>
 										{% endif %}
 									{% endfor %}
-									{# We display the separator only if the user has more then 1 portal. Meaning default portal + console or several portal at least #}
-									{% if app['combodo.current_user.allowed_portals']|length > 1 %}
-										<li role="separator" class="divider"></li>
-									{% endif %}
-									<li><a href="{{ app['combodo.absolute_url'] }}pages/logoff.php"><span class="brick_icon fas fa-sign-out-alt fa-lg fa-fw"></span>{{ 'Brick:Portal:UserProfile:Navigation:Dropdown:Logout'|dict_s }}</a></li>
+                                    {% if bUserCanLogOff %}
+                                        {# We display the separator only if the user has more then 1 portal. Meaning default portal + console or several portal at least #}
+                                        {% if app['combodo.current_user.allowed_portals']|length > 1 %}
+                                            <li role="separator" class="divider"></li>
+                                        {% endif %}
+									    <li><a href="{{ app['combodo.absolute_url'] }}pages/logoff.php"><span class="brick_icon fas fa-sign-out-alt fa-lg fa-fw"></span>{{ 'Brick:Portal:UserProfile:Navigation:Dropdown:Logout'|dict_s }}</a></li>
+                                    {% endif %}
 								</ul>
 							</div>
 						</div>
@@ -458,8 +464,8 @@
                         sBody = '{{ 'Error:XHR:Fail'|dict_format(constant('ITOP_APPLICATION_SHORT'))|escape('js') }}';
 					}
 					var oModalElem = $('#modal-for-alert');
-                    oModalElem.find('.modal-content .modal-header .modal-title').html(sTitle);
-                    oModalElem.find('.modal-content .modal-body .alert').addClass('alert-danger').html(sBody);
+                    oModalElem.find('.modal-content .modal-header .modal-title').text(sTitle);
+                    oModalElem.find('.modal-content .modal-body .alert').addClass('alert-danger').text(sBody);
                     oModalElem.modal('show');
 				};
 			{% endblock %}

datamodels/2.x/itop-portal/module.itop-portal.php

@@ -20,7 +20,7 @@
 /** @noinspection PhpUnhandledExceptionInspection */
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-portal/2.7.9', array(
+	'itop-portal/2.7.12', array(
 	// Identification
 	'label' => 'Enhanced Customer Portal',
 	'category' => 'Portal',

datamodels/2.x/itop-problem-mgmt/module.itop-problem-mgmt.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-problem-mgmt/2.7.9',
+	'itop-problem-mgmt/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-profiles-itil/module.itop-profiles-itil.php

@@ -19,7 +19,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-profiles-itil/2.7.9',
+	'itop-profiles-itil/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-request-mgmt-itil/module.itop-request-mgmt-itil.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-request-mgmt-itil/2.7.9',
+	'itop-request-mgmt-itil/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-request-mgmt/module.itop-request-mgmt.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-request-mgmt/2.7.9',
+	'itop-request-mgmt/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-service-mgmt-provider/module.itop-service-mgmt-provider.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-service-mgmt-provider/2.7.9',
+	'itop-service-mgmt-provider/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-service-mgmt/module.itop-service-mgmt.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-service-mgmt/2.7.9',
+	'itop-service-mgmt/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-sla-computation/module.itop-sla-computation.php

@@ -18,7 +18,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-sla-computation/2.7.9',
+	'itop-sla-computation/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-storage-mgmt/module.itop-storage-mgmt.php

@@ -25,7 +25,7 @@
  
  SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	 'itop-storage-mgmt/2.7.9',
+	 'itop-storage-mgmt/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-tickets/module.itop-tickets.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__,
-	'itop-tickets/2.7.9',
+	'itop-tickets/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-virtualization-mgmt/module.itop-virtualization-mgmt.php

@@ -16,7 +16,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-virtualization-mgmt/2.7.9',
+	'itop-virtualization-mgmt/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/itop-welcome-itil/module.itop-welcome-itil.php

@@ -3,7 +3,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-welcome-itil/2.7.9',
+	'itop-welcome-itil/2.7.12',
 	array(
 		// Identification
 		//

datamodels/2.x/version.xml

@@ -1,4 +1,4 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <information>
-  <version>2.7.9</version>
+  <version>2.7.12</version>
 </information>

pages/ajax.document.php

@@ -67,7 +67,7 @@ try
 
 					// X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
 					// so we're resetting its value ! (see N°3416)
-					$oPage->add_xframe_options('');
+					$oPage->add_http_headers('');
 
 					$oPage->add_header("Last-Modified: Wed, 15 Jun 2015 13:21:15 GMT"); // An arbitrary date in the past is ok
 				}
@@ -88,7 +88,7 @@ try
 
 				// X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
 				// so we're resetting its value ! (see N°3416)
-				$oPage->add_xframe_options('');
+				$oPage->add_http_headers('');
 
 				$oPage->add_header("Last-Modified: Wed, 15 Jun 2016 13:21:15 GMT"); // An arbitrary date in the past is ok
 			}
@@ -103,7 +103,7 @@ try
 
 			// X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
 			// so we're resetting its value ! (see N°3416)
-			$oPage->add_xframe_options('');
+			$oPage->add_http_headers('');
 
 			$oPage->add(file_get_contents(Utils::GetCachePath().$sSignature.'.js'));
 			break;

pages/ajax.render.php

@@ -1036,7 +1036,7 @@ try
 
 				// X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
 				// so we're resetting its value ! (see N°3416)
-				$oPage->add_xframe_options('');
+				$oPage->add_http_headers('');
 
 				// N°4129 - Prevent XSS attacks & other script executions
 				if (utils::GetConfig()->Get('security.disable_inline_documents_sandbox') === false) {

pages/audit.php

@@ -1,20 +1,7 @@
 <?php
-/**
- * Copyright (C) 2013-2019 Combodo SARL
- *
- * This file is part of iTop.
- *
- * iTop is free software; you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * iTop is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
+/*
+ * @copyright   Copyright (C) 2010-2023 Combodo SARL
+ * @license     http://opensource.org/licenses/AGPL-3.0
  */
 
 /**
@@ -113,7 +100,7 @@ function GetRuleResultFilter($iRuleId, $oDefinitionFilter, $oAppContext)
 	{
 		// The query returns only the valid elements, all the others are invalid
 		// Warning : we're generating a `WHERE ID IN`... query, and this could be very slow if there are lots of id !
-		$aValidRows = $oRuleFilter->ToDataArray(array('id'));
+      	$aValidRows = $oRuleFilter->ToDataArray(array('id'));
 		$aValidIds = array();
 		foreach($aValidRows as $aRow)
 		{
@@ -163,7 +150,7 @@ try
 	require_once(APPROOT.'/application/itopwebpage.class.inc.php');
 	require_once(APPROOT.'/application/csvpage.class.inc.php');
 
-	
+
 	require_once(APPROOT.'/application/startup.inc.php');
 	$operation = utils::ReadParam('operation', '');
 	$oAppContext = new ApplicationContext();
@@ -232,7 +219,7 @@ try
 			$oP->p("<div id=\"$sBlockId\" style=\"clear:both\">\n");
 			$oBlock = DisplayBlock::FromObjectSet($oErrorObjectSet, 'csv', array('show_obsolete_data' => true));
 			$oBlock->Display($oP, 1);
-			$oP->p("</div>\n");    
+			$oP->p("</div>\n");
 			// Adjust the size of the Textarea containing the CSV to fit almost all the remaining space
 			$oP->add_ready_script(" $('#1>textarea').height(400);"); // adjust the size of the block			
 			$sExportUrl = utils::GetAbsoluteUrlAppRoot()."pages/audit.php?operation=csv&category=".$oAuditCategory->GetKey()."&rule=".$oAuditRule->GetKey();
@@ -246,7 +233,7 @@ try
 		$oP->SetBreadCrumbEntry('ui-tool-auditerrors', $sTitle, '', '', utils::GetAbsoluteUrlAppRoot().'images/wrench.png');
 		$iCategory = utils::ReadParam('category', '');
 		$iRuleIndex = utils::ReadParam('rule', 0);
-	
+
 		$oAuditCategory = MetaModel::GetObject('AuditCategory', $iCategory);
 		$oDefinitionFilter = DBObjectSearch::FromOQL($oAuditCategory->Get('definition_set'));
 		$oDefinitionFilter->UpdateContextFromUser();
@@ -265,7 +252,7 @@ try
 		$sExportUrl = utils::GetAbsoluteUrlAppRoot()."pages/audit.php?operation=csv&category=".$oAuditCategory->GetKey()."&rule=".$oAuditRule->GetKey();
 		$oP->add_ready_script("$('a[href*=\"pages/UI.php?operation=search\"]').attr('href', '".$sExportUrl."')");
 		break;
-		
+
 		case 'audit':
 		default:
 		$oP->SetBreadCrumbEntry('ui-tool-audit', Dict::S('Menu:Audit'), Dict::S('UI:Audit:InteractiveAudit'), '', utils::GetAbsoluteUrlAppRoot().'images/wrench.png');
@@ -286,7 +273,7 @@ try
 				$oDefinitionFilter = DBObjectSearch::FromOQL($oAuditCategory->Get('definition_set'));
 				$oDefinitionFilter->UpdateContextFromUser();
 				FilterByContext($oDefinitionFilter, $oAppContext);
-				
+
 				$aObjectsWithErrors = array();
 				if (!empty($currentOrganization))
 				{
@@ -308,7 +295,7 @@ try
 					if ($iCount == 0)
 					{
 						// nothing to check, really !
-						$aRow['nb_errors'] = "<a href=\"audit.php?operation=errors&category=".$oAuditCategory->GetKey()."&rule=".$oAuditRule->GetKey()."\">0</a>"; 
+						$aRow['nb_errors'] = "<a href=\"audit.php?operation=errors&category=".$oAuditCategory->GetKey()."&rule=".$oAuditRule->GetKey()."\">0</a>";
 						$aRow['percent_ok'] = '100.00';
 						$aRow['class'] = GetReportColor($iCount, 0);
 					}
@@ -317,19 +304,19 @@ try
 						try
 						{
 							$oFilter = GetRuleResultFilter($oAuditRule->GetKey(), $oDefinitionFilter, $oAppContext);
-							$aErrors = $oFilter->ToDataArray(array('id'));
+							$aErrors = $oFilter->SelectAttributeToArray('id');
 							$iErrorsCount = count($aErrors);
 							foreach($aErrors as $aErrorRow)
 							{
 								$aObjectsWithErrors[$aErrorRow['id']] = true;
 							}
-							$aRow['nb_errors'] = ($iErrorsCount == 0) ? '0' : "<a href=\"?operation=errors&category=".$oAuditCategory->GetKey()."&rule=".$oAuditRule->GetKey()."&".$oAppContext->GetForLink()."\">$iErrorsCount</a> <a href=\"?operation=csv&category=".$oAuditCategory->GetKey()."&rule=".$oAuditRule->GetKey()."&".$oAppContext->GetForLink()."\">(CSV)</a>"; 
+							$aRow['nb_errors'] = ($iErrorsCount == 0) ? '0' : "<a href=\"?operation=errors&category=".$oAuditCategory->GetKey()."&rule=".$oAuditRule->GetKey()."&".$oAppContext->GetForLink()."\">$iErrorsCount</a> <a href=\"?operation=csv&category=".$oAuditCategory->GetKey()."&rule=".$oAuditRule->GetKey()."&".$oAppContext->GetForLink()."\">(CSV)</a>";
 							$aRow['percent_ok'] = sprintf('%.2f', 100.0 * (($iCount - $iErrorsCount) / $iCount));
-							$aRow['class'] = GetReportColor($iCount, $iErrorsCount);							
+							$aRow['class'] = GetReportColor($iCount, $iErrorsCount);
 						}
 						catch(Exception $e)
 						{
-							$aRow['nb_errors'] = "OQL Error"; 
+							$aRow['nb_errors'] = "OQL Error";
 							$aRow['percent_ok'] = 'n/a';
 							$aRow['class'] = 'red';
 							$sMessage = Dict::Format('UI:Audit:ErrorIn_Rule_Reason', $oAuditRule->GetHyperlink(), $e->getMessage());
@@ -346,12 +333,12 @@ try
 			{
 				$aRow = array();
 				$aRow['description'] = "OQL error";
-				$aRow['nb_errors'] = "n/a"; 
+				$aRow['nb_errors'] = "n/a";
 				$aRow['percent_ok'] = '';
-				$aRow['class'] = 'red';				
+				$aRow['class'] = 'red';
 				$sMessage = Dict::Format('UI:Audit:ErrorIn_Category_Reason', $oAuditCategory->GetHyperlink(), utils::HtmlEntities($e->getMessage()));
 				$oP->p("<img style=\"vertical-align:middle\" src=\"../images/stop-mid.png\"/>&nbsp;".$sMessage);
-				$aResults[] = $aRow;					
+				$aResults[] = $aRow;
 
 				$sClass = 'red';
 				$iTotalErrors = 'n/a';

pages/preferences.php

@@ -81,7 +81,7 @@ function DisplayPreferences($oP)
 	$oP->add('<fieldset><legend>'.Dict::S('UI:FavoriteOtherSettings').'</legend>');
 	$oP->add('<form method="post" onsubmit="return ValidateOtherSettings()">');
 
-	$iDefaultPageSize = appUserPreferences::GetPref('default_page_size', MetaModel::GetConfig()->GetMinDisplayLimit());
+	$iDefaultPageSize = (int)appUserPreferences::GetPref('default_page_size', MetaModel::GetConfig()->GetMinDisplayLimit());
 	$oP->add('<p>'.Dict::Format('UI:Favorites:Default_X_ItemsPerPage', '<input id="default_page_size" name="default_page_size" type="text" size="3" value="'.$iDefaultPageSize.'"/><span id="v_default_page_size"></span>').'</p>');
 
 	$bShow = utils::IsArchiveMode() || appUserPreferences::GetPref('show_obsolete_data', MetaModel::GetConfig()->Get('obsolescence.show_obsolete_data'));

setup/applicationinstaller.class.inc.php

@@ -3,7 +3,7 @@
 //
 //   This file is part of iTop.
 //
-//   iTop is free software; you can redistribute it and/or modify	
+//   iTop is free software; you can redistribute it and/or modify
 //   it under the terms of the GNU Affero General Public License as published by
 //   the Free Software Foundation, either version 3 of the License, or
 //   (at your option) any later version.
@@ -25,7 +25,7 @@ require_once(APPROOT.'setup/backup.class.inc.php');
  * The installation process is split into a sequence of unitary steps
  * for performance reasons (i.e; timeout, memory usage) and also in order
  * to provide some feedback about the progress of the installation.
- * 
+ *
  * This class can be used for a step by step interactive installation
  * while displaying a progress bar, or in an unattended manner
  * (for example from the command line), to run all the steps
@@ -157,7 +157,7 @@ class ApplicationInstaller
 			}
 		}
 		while(($aRes['status'] != self::ERROR) && ($aRes['next-step'] != ''));
-		
+
 		return ($iOverallStatus == self::OK);
 	}
 
@@ -225,7 +225,7 @@ class ApplicationInstaller
 
 				case 'copy':
 					$aPreinstall = $this->oParams->Get('preinstall');
-					$aCopies = $aPreinstall['copies'];
+					$aCopies = $aPreinstall['copies'] ?? [];
 
 					self::DoCopy($aCopies);
 					$sReport = "Copying...";
@@ -472,7 +472,7 @@ class ApplicationInstaller
 		{
 			$sSource = $aCopy['source'];
 			$sDestination = APPROOT.$aCopy['destination'];
-			
+
 			SetupUtils::builddir($sDestination);
 			SetupUtils::tidydir($sDestination);
 			SetupUtils::copydir($sSource, $sDestination);
@@ -513,7 +513,7 @@ class ApplicationInstaller
 		$oBackup->CreateCompressedBackup($sTargetFile, $sSourceConfigFile);
 	}
 
-	
+
 	protected static function DoCompile($aSelectedModules, $sSourceDir, $sExtensionDir, $sTargetDir, $sEnvironment, $bUseSymbolicLinks = false)
 	{
 		SetupPage::log_info("Compiling data model.");
@@ -525,7 +525,7 @@ class ApplicationInstaller
 		if (empty($sSourceDir) || empty($sTargetDir))
 		{
 			throw new Exception("missing parameter source_dir and/or target_dir");
-		}		
+		}
 
 		$sSourcePath = APPROOT.$sSourceDir;
 		$aDirsToScan = array($sSourcePath);
@@ -582,10 +582,10 @@ class ApplicationInstaller
 		}
 
 		$oFactory = new ModelFactory($aDirsToScan);
-		
+
 		$oDictModule = new MFDictModule('dictionaries', 'iTop Dictionaries', APPROOT.'dictionaries');
 		$oFactory->LoadModule($oDictModule);
-		
+
 		$sDeltaFile = APPROOT.'core/datamodel.core.xml';
 		if (file_exists($sDeltaFile))
 		{
@@ -598,7 +598,7 @@ class ApplicationInstaller
 			$oApplicationModule = new MFCoreModule('application', 'Application Module', $sDeltaFile);
 			$oFactory->LoadModule($oApplicationModule);
 		}
-		
+
 		$aModules = $oFactory->FindModules();
 
 		foreach($aModules as $oModule)
@@ -611,7 +611,7 @@ class ApplicationInstaller
 		}
 		// Dump the "reference" model, just before loading any actual delta
 		$oFactory->SaveToFile(APPROOT.'data/datamodel-'.$sEnvironment.'.xml');
-		
+
 		$sDeltaFile = APPROOT.'data/'.$sEnvironment.'.delta.xml';
 		if (file_exists($sDeltaFile))
 		{
@@ -635,12 +635,12 @@ class ApplicationInstaller
 		if (file_exists($sFileToPatch))
 		{
 			$sContent = file_get_contents($sFileToPatch);
-			
+
 			$sContent = str_replace("require_once(APPROOT.'modules/itop-welcome-itil/model.itop-welcome-itil.php');", "//\n// The line below is no longer needed in iTop 2.0 -- patched by the setup program\n// require_once(APPROOT.'modules/itop-welcome-itil/model.itop-welcome-itil.php');", $sContent);
-			
+
 			file_put_contents($sFileToPatch, $sContent);
 		}
-		
+
 		// Set an "Instance UUID" identifying this machine based on a file located in the data directory
 		$sInstanceUUIDFile = APPROOT.'data/instance.txt';
 		SetupUtils::builddir(APPROOT.'data');
@@ -699,7 +699,7 @@ class ApplicationInstaller
 		// Starting 2.0, all table names must be lowercase
 		if ($sMode != 'install')
 		{
-			SetupPage::log_info("Renaming '{$sDBPrefix}priv_internalUser' into '{$sDBPrefix}priv_internaluser' (lowercase)"); 
+			SetupPage::log_info("Renaming '{$sDBPrefix}priv_internalUser' into '{$sDBPrefix}priv_internaluser' (lowercase)");
 			// This command will have no effect under Windows...
 			// and it has been written in two steps so as to make it work under windows!
 			CMDBSource::SelectDB($sDBName);
@@ -710,18 +710,18 @@ class ApplicationInstaller
 			}
 			catch (Exception $e)
 			{
-				SetupPage::log_info("Renaming '{$sDBPrefix}priv_internalUser' failed (already done in a previous upgrade?)"); 
+				SetupPage::log_info("Renaming '{$sDBPrefix}priv_internalUser' failed (already done in a previous upgrade?)");
 			}
-			
+
 			// let's remove the records in priv_change which have no counterpart in priv_changeop
-			SetupPage::log_info("Cleanup of '{$sDBPrefix}priv_change' to remove orphan records"); 
+			SetupPage::log_info("Cleanup of '{$sDBPrefix}priv_change' to remove orphan records");
 			CMDBSource::SelectDB($sDBName);
 			try
 			{
 				$sTotalCount = "SELECT COUNT(*) FROM `{$sDBPrefix}priv_change`";
 				$iTotalCount = (int)CMDBSource::QueryToScalar($sTotalCount);
 				SetupPage::log_info("There is a total of $iTotalCount records in {$sDBPrefix}priv_change.");
-				
+
 				$sOrphanCount = "SELECT COUNT(c.id) FROM `{$sDBPrefix}priv_change` AS c left join `{$sDBPrefix}priv_changeop` AS o ON c.id = o.changeid WHERE o.id IS NULL";
 				$iOrphanCount = (int)CMDBSource::QueryToScalar($sOrphanCount);
 				SetupPage::log_info("There are $iOrphanCount useless records in {$sDBPrefix}priv_change (".sprintf('%.2f', ((100.0*$iOrphanCount)/$iTotalCount))."%)");
@@ -745,11 +745,11 @@ class ApplicationInstaller
 			}
 			catch (Exception $e)
 			{
-				SetupPage::log_info("Cleanup of orphan records in `{$sDBPrefix}priv_change` failed: ".$e->getMessage()); 
+				SetupPage::log_info("Cleanup of orphan records in `{$sDBPrefix}priv_change` failed: ".$e->getMessage());
 			}
-			
+
 		}
-		
+
 		// Module specific actions (migrate the data)
 		//
 		$aAvailableModules = $oProductionEnv->AnalyzeInstallation(MetaModel::GetConfig(), APPROOT.$sModulesDir);
@@ -757,9 +757,9 @@ class ApplicationInstaller
 
 		if(!$oProductionEnv->CreateDatabaseStructure(MetaModel::GetConfig(), $sMode))
 		{
-			throw new Exception("Failed to create/upgrade the database structure for environment '$sTargetEnvironment'");		
+			throw new Exception("Failed to create/upgrade the database structure for environment '$sTargetEnvironment'");
 		}
-		
+
 		// Set a DBProperty with a unique ID to identify this instance of iTop
 		$sUUID = DBProperty::GetProperty('database_uuid', '');
 		if ($sUUID === '')
@@ -767,10 +767,10 @@ class ApplicationInstaller
 			$sUUID = utils::CreateUUID('database');
 			DBProperty::SetProperty('database_uuid', $sUUID, 'Installation/upgrade of '.ITOP_APPLICATION, 'Unique ID of this '.ITOP_APPLICATION.' Database');
 		}
-		
+
 		// priv_change now has an 'origin' field to distinguish between the various input sources
 		// Let's initialize the field with 'interactive' for all records were it's null
-		// Then check if some records should hold a different value, based on a pattern matching in the userinfo field 
+		// Then check if some records should hold a different value, based on a pattern matching in the userinfo field
 		CMDBSource::SelectDB($sDBName);
 		try
 		{
@@ -778,21 +778,21 @@ class ApplicationInstaller
 			$iCount = (int)CMDBSource::QueryToScalar($sCount);
 			if ($iCount > 0)
 			{
-				SetupPage::log_info("Initializing '{$sDBPrefix}priv_change.origin' ($iCount records to update)"); 
-				
+				SetupPage::log_info("Initializing '{$sDBPrefix}priv_change.origin' ($iCount records to update)");
+
 				// By default all uninitialized values are considered as 'interactive'
 				$sInit = "UPDATE `{$sDBPrefix}priv_change` SET `origin` = 'interactive' WHERE `origin` IS NULL";
 				CMDBSource::Query($sInit);
-				
+
 				// CSV Import was identified by the comment at the end
 				$sInit = "UPDATE `{$sDBPrefix}priv_change` SET `origin` = 'csv-import.php' WHERE `userinfo` LIKE '%Web Service (CSV)'";
 				CMDBSource::Query($sInit);
-				
+
 				// CSV Import was identified by the comment at the end
 				$sInit = "UPDATE `{$sDBPrefix}priv_change` SET `origin` = 'csv-interactive' WHERE `userinfo` LIKE '%(CSV)' AND origin = 'interactive'";
 				CMDBSource::Query($sInit);
-				
-				
+
+
 				// Syncho data sources were identified by the comment at the end
 				// Unfortunately the comment is localized, so we have to search for all possible patterns
 				$sCurrentLanguage = Dict::GetUserLanguage();
@@ -806,19 +806,19 @@ class ApplicationInstaller
 				Dict::SetUserLanguage($sCurrentLanguage);
 				$sCondition = "`userinfo` LIKE ".implode(" OR `userinfo` LIKE ", array_keys($aSuffixes));
 
-				$sInit = "UPDATE `{$sDBPrefix}priv_change` SET `origin` = 'synchro-data-source' WHERE ($sCondition)"; 
+				$sInit = "UPDATE `{$sDBPrefix}priv_change` SET `origin` = 'synchro-data-source' WHERE ($sCondition)";
 				CMDBSource::Query($sInit);
-				
-				SetupPage::log_info("Initialization of '{$sDBPrefix}priv_change.origin' completed."); 
+
+				SetupPage::log_info("Initialization of '{$sDBPrefix}priv_change.origin' completed.");
 			}
 			else
 			{
-				SetupPage::log_info("'{$sDBPrefix}priv_change.origin' already initialized, nothing to do."); 
+				SetupPage::log_info("'{$sDBPrefix}priv_change.origin' already initialized, nothing to do.");
 			}
 		}
 		catch (Exception $e)
 		{
-			SetupPage::log_error("Initializing '{$sDBPrefix}priv_change.origin' failed: ".$e->getMessage()); 
+			SetupPage::log_error("Initializing '{$sDBPrefix}priv_change.origin' failed: ".$e->getMessage());
 		}
 
 		// priv_async_task now has a 'status' field to distinguish between the various statuses rather than just relying on the date columns
@@ -830,24 +830,24 @@ class ApplicationInstaller
 			$iCount = (int)CMDBSource::QueryToScalar($sCount);
 			if ($iCount > 0)
 			{
-				SetupPage::log_info("Initializing '{$sDBPrefix}priv_async_task.status' ($iCount records to update)"); 
-				
+				SetupPage::log_info("Initializing '{$sDBPrefix}priv_async_task.status' ($iCount records to update)");
+
 				$sInit = "UPDATE `{$sDBPrefix}priv_async_task` SET `status` = 'planned' WHERE (`status` IS NULL) AND (`started` IS NULL)";
 				CMDBSource::Query($sInit);
 
 				$sInit = "UPDATE `{$sDBPrefix}priv_async_task` SET `status` = 'error' WHERE (`status` IS NULL) AND (`started` IS NOT NULL)";
 				CMDBSource::Query($sInit);
-				
-				SetupPage::log_info("Initialization of '{$sDBPrefix}priv_async_task.status' completed."); 
+
+				SetupPage::log_info("Initialization of '{$sDBPrefix}priv_async_task.status' completed.");
 			}
 			else
 			{
-				SetupPage::log_info("'{$sDBPrefix}priv_async_task.status' already initialized, nothing to do."); 
+				SetupPage::log_info("'{$sDBPrefix}priv_async_task.status' already initialized, nothing to do.");
 			}
 		}
 		catch (Exception $e)
 		{
-			SetupPage::log_error("Initializing '{$sDBPrefix}priv_async_task.status' failed: ".$e->getMessage()); 
+			SetupPage::log_error("Initializing '{$sDBPrefix}priv_async_task.status' failed: ".$e->getMessage());
 		}
 
 		SetupPage::log_info("Database Schema Successfully Updated for environment '$sTargetEnvironment'.");
@@ -887,15 +887,15 @@ class ApplicationInstaller
 		$oProductionEnv = new RunTimeEnvironment($sTargetEnvironment);
 		$oProductionEnv->InitDataModel($oConfig, true);  // load data model and connect to the database
 		$oContextTag = new ContextTag(ContextTag::TAG_SETUP);
-		self::$bMetaModelStarted = true; // No need to reload the final MetaModel in case the installer runs synchronously 
-		
+		self::$bMetaModelStarted = true; // No need to reload the final MetaModel in case the installer runs synchronously
+
 		// Perform here additional DB setup... profiles, etc...
 		//
 		$aAvailableModules = $oProductionEnv->AnalyzeInstallation(MetaModel::GetConfig(), APPROOT.$sModulesDir);
 		$oProductionEnv->CallInstallerHandlers($aAvailableModules, $aSelectedModules, 'AfterDatabaseCreation');
 
 		$oProductionEnv->UpdatePredefinedObjects();
-		
+
 		if($sMode == 'install')
 		{
 			if (!self::CreateAdminAccount(MetaModel::GetConfig(), $sAdminUser, $sAdminPwd, $sAdminLanguage))
@@ -907,20 +907,20 @@ class ApplicationInstaller
 				SetupPage::log_info("Administrator account '$sAdminUser' created.");
 			}
 		}
-		
+
 		// Perform final setup tasks here
 		//
 		$oProductionEnv->CallInstallerHandlers($aAvailableModules, $aSelectedModules, 'AfterDatabaseSetup');
 	}
-	
+
 	/**
 	 * Helper function to create and administrator account for iTop
-	 * @return boolean true on success, false otherwise 
+	 * @return boolean true on success, false otherwise
 	 */
 	protected static function CreateAdminAccount(Config $oConfig, $sAdminUser, $sAdminPwd, $sLanguage)
 	{
 		SetupPage::log_info('CreateAdminAccount');
-	
+
 		if (UserRights::CreateAdministrator($sAdminUser, $sAdminPwd, $sLanguage))
 		{
 			return true;
@@ -946,9 +946,9 @@ class ApplicationInstaller
 				'user rights' => 'addons/userrights/userrightsprofile.db.class.inc.php',
 			));
 		}
-		
+
 		$oProductionEnv = new RunTimeEnvironment($sTargetEnvironment);
-		
+
 		//Load the MetaModel if needed (asynchronous mode)
 		if (!self::$bMetaModelStarted)
 		{
@@ -956,8 +956,8 @@ class ApplicationInstaller
 			$oContextTag = new ContextTag(ContextTag::TAG_SETUP);
 
 			self::$bMetaModelStarted = true; // No need to reload the final MetaModel in case the installer runs synchronously
-		} 
-		
+		}
+
 		$aAvailableModules = $oProductionEnv->AnalyzeInstallation($oConfig, APPROOT.$sModulesDir);
 		$oProductionEnv->LoadData($aAvailableModules, $aSelectedModules, $bSampleData);
 
@@ -992,7 +992,7 @@ class ApplicationInstaller
 		$bPreserveModuleSettings = false;
 		if ($sMode == 'upgrade')
 		{
-			try 
+			try
 			{
 				$oOldConfig = new Config($sPreviousConfigFile);
 				$oConfig = clone($oOldConfig);
@@ -1038,7 +1038,7 @@ class ApplicationInstaller
 		{
 			mkdir(APPCONF);
 			chmod(APPCONF, 0770); // RWX for owner and group, nothing for others
-			SetupPage::log_info("Created configuration directory: ".APPCONF);		
+			SetupPage::log_info("Created configuration directory: ".APPCONF);
 		}
 
 		// Write the final configuration file
@@ -1048,7 +1048,7 @@ class ApplicationInstaller
 		@chmod($sConfigDir, 0770); // RWX for owner and group, nothing for others
 
 		$oConfig->WriteToFile($sConfigFile);
-			
+
 		// try to make the final config file read-only
 		@chmod($sConfigFile, 0440); // Read-only for owner and group, nothing for others
 

setup/backup.class.inc.php

@@ -305,9 +305,8 @@ class DBBackup
 		// Store the results in a temporary file
 		$sTmpFileName = self::EscapeShellArg($sBackupFileName);
 
-		$sPortOption = self::GetMysqliCliSingleOption('port', $this->iDBPort);
+		$sPortAndTransportOptions = self::GetMysqlCliPortAndTransportOptions($this->sDBHost, $this->iDBPort);
 		$sTlsOptions = self::GetMysqlCliTlsOptions($this->oConfig);
-		$sProtocolOption = self::GetMysqlCliTransportOption($this->sDBHost);
 
 		$sMysqlVersion = CMDBSource::GetDBVersion();
 		$bIsMysqlSupportUtf8mb4 = (version_compare($sMysqlVersion, self::MYSQL_VERSION_WITH_UTF8MB4_IN_PROGRAMS) === -1);
@@ -326,10 +325,10 @@ EOF;
 		chmod($sMySQLDumpCnfFile, 0600);
 		file_put_contents($sMySQLDumpCnfFile, $sMySQLDumpCnf, LOCK_EX);
 
-			// Note: opt implicitely sets lock-tables... which cancels the benefit of single-transaction!
+		// Note: opt implicitly sets lock-tables... which cancels the benefit of single-transaction!
 			//       skip-lock-tables compensates and allows for writes during a backup
-			$sCommand = "$sMySQLDump --defaults-extra-file=\"$sMySQLDumpCnfFile\" --opt --skip-lock-tables --default-character-set=".$sMysqldumpCharset." --add-drop-database --single-transaction --host=$sHost $sPortOption $sProtocolOption --user=$sUser $sTlsOptions --result-file=$sTmpFileName $sDBName $sTables 2>&1";
-			$sCommandDisplay = "$sMySQLDump --defaults-extra-file=\"$sMySQLDumpCnfFile\" --opt --skip-lock-tables --default-character-set=".$sMysqldumpCharset." --add-drop-database --single-transaction --host=$sHost $sPortOption $sProtocolOption --user=xxxxx $sTlsOptions --result-file=$sTmpFileName $sDBName $sTables";
+		$sCommand = "$sMySQLDump --defaults-extra-file=\"$sMySQLDumpCnfFile\" --opt --skip-lock-tables --default-character-set=" . $sMysqldumpCharset . " --add-drop-database --single-transaction --host=$sHost $sPortAndTransportOptions --user=$sUser $sTlsOptions --result-file=$sTmpFileName $sDBName $sTables 2>&1";
+		$sCommandDisplay = "$sMySQLDump --defaults-extra-file=\"$sMySQLDumpCnfFile\" --opt --skip-lock-tables --default-character-set=" . $sMysqldumpCharset . " --add-drop-database --single-transaction --host=$sHost $sPortAndTransportOptions --user=xxxxx $sTlsOptions --result-file=$sTmpFileName $sDBName $sTables";
 
 		// Now run the command for real
 		$this->LogInfo("backup: generate data file with command: $sCommandDisplay");
@@ -523,25 +522,37 @@ EOF;
 	}
 
 	/**
-	 * Define if we should force a transport option
-	 * 
-	 * @param string $sHost
+	 * @return string CLI options for port and protocol
 	 *
-	 * @return string .
-
-	 * @since 2.7.9 3.0.4 3.1.1 N°6123
+	 * @since 2.7.9 3.0.4 3.1.1 N°6123 method creation
+	 * @since 2.7.10 3.0.4 3.1.2 3.2.0 N°6889 rename method to return both port and transport options. Keep default socket connexion if we are on localhost with no port
+	 *
+	 * @link https://bugs.mysql.com/bug.php?id=55796 MySQL CLI tools will ignore `--port` option on localhost
+	 * @link https://jira.mariadb.org/browse/MDEV-14974 Since 10.6.1 the MariaDB CLI tools will use the `--port` option on host=localhost
 	 */
-	public static function GetMysqlCliTransportOption(string $sHost)
+	private static function GetMysqlCliPortAndTransportOptions(string $sHost, ?int $iPort): string
 	{
-		$sTransportOptions = '';
-		
-		/** N°6123 As we're using a --port option, if we use localhost as host,
-		 * MariaDB > 10.6 will implicitly change its protocol from socket to tcp and throw a warning **/
-		if($sHost === 'localhost'){
-			$sTransportOptions = '--protocol=tcp';
+		if (strtolower($sHost) === 'localhost') {
+			/**
+			 * Since MariaDB 10.6.1 if we have host=localhost, and only the --port option we will get a warning
+			 * To avoid this warning if we want to set --port option we must set --protocol=tcp
+			 **/
+			if (is_null($iPort)) {
+				// no port specified => no option to return, this will mean using socket protocol (unix socket)
+				return '';
+			}
+
+			$sPortOption = self::GetMysqliCliSingleOption('port', $iPort);
+			$sTransportOptions = ' --protocol=tcp';
+			return $sPortOption . $sTransportOptions;
 		}
 
-		return $sTransportOptions;
+		if (is_null($iPort)) {
+			$iPort = CMDBSource::MYSQL_DEFAULT_PORT;
+		}
+		$sPortOption = self::GetMysqliCliSingleOption('port', $iPort);
+
+		return $sPortOption;
 	}
 
 	/**

setup/csp-detection.js

@@ -0,0 +1,121 @@
+/**
+ * Detects the current server's Content-Security-Policy to stop the setup if any directive doesn't meet the application's requirements
+ *
+ * @type {{_FindItopVersionInURI: (function(): string|string), aFlags: {bUnsafeInlineScriptOk: boolean, bUnsafeEvalScriptOk: boolean, bUnsafeInlineStyleOk: boolean}, _TestUnsafeEvalScript: SetupCSPDetection._TestUnsafeEvalScript, _HideContinueButtonIfPolicyNotOk: SetupCSPDetection._HideContinueButtonIfPolicyNotOk, _TestUnsafeInlineStyle: SetupCSPDetection._TestUnsafeInlineStyle, Run: SetupCSPDetection.Run, _TestUnSafeInlineScript: SetupCSPDetection._TestUnSafeInlineScript, _AddErrorAlert: SetupCSPDetection._AddErrorAlert}}
+ * @since 2.7.11 3.0.5 3.1.2 3.2.0 N°7075
+ */
+SetupCSPDetection = {
+	aFlags: {
+		bUnsafeInlineScriptOk: false,
+		bUnsafeEvalScriptOk: false,
+		bUnsafeInlineStyleOk: false,
+	},
+	Run: function () {
+		this._TestUnSafeInlineScript();
+		this._TestUnsafeEvalScript();
+		this._TestUnsafeInlineStyle();
+		this._HideContinueButtonIfPolicyNotOk();
+	},
+	/**
+	 * Test if the CSP "unsafe-inline" directive for script-src if enabled, otherwise it forbids the setup to go further
+	 * @private
+	 */
+	_TestUnSafeInlineScript: function() {
+		var sBaitElemID = "csp-detection--unsafe-inline-script-bait";
+
+		// Add inline script that should add an element in the DOM
+		var sAddedScript = '<script>$("body").append(\'<div id="' + sBaitElemID + '" class="hidden">If this is present in the DOM, then unsafe-inline for scripts policy is allowed</div>\')</script>';
+		$("body").append(sAddedScript);
+
+		// Check if element has been added to the DOM
+		if ($("#" + sBaitElemID).length === 1) {
+			this.aFlags.bUnsafeInlineScriptOk = true;
+		} else {
+			this._AddErrorAlert("unsafe-inline", "script");
+		}
+	},
+	/**
+	 * Test if the CSP "unsafe-eval" directive for script-src if enabled, otherwise it forbids the setup to go further
+	 * @private
+	 */
+	_TestUnsafeEvalScript: function() {
+		var sBaitElemID = "csp-detection--unsafe-eval-script-bait";
+
+		// Add inline eval script that should add an element in the DOM
+		var sAddedScript = '<script>eval(\'$("body").append(\\\'<div id="' + sBaitElemID + '" class="hidden">If this is present in the DOM, then unsafe-eval for scripts policy is allowed</div>\\\')\')</script>';
+		$("body").append(sAddedScript);
+
+		// Check if element has been added to the DOM
+		if ($("#" + sBaitElemID).length === 1) {
+			this.aFlags.bUnsafeEvalScriptOk = true;
+		} else {
+			this._AddErrorAlert("unsafe-eval", "script");
+		}
+	},
+	/**
+	 * Test if the CSP "unsafe-inline" directive for style-src if enabled, otherwise it forbids the setup to go further
+	 * @private
+	 */
+	_TestUnsafeInlineStyle: function() {
+		var sBaitElemID = "csp-detection--unsafe-inline-style-bait";
+
+		// Add inline eval script that should add an element in the DOM
+		$("body").append("<div id=\"" + sBaitElemID + "\">If this is present in the DOM and visible, then unsafe-inline for styles policy must be allowed</div>");
+		$("body").append("<style>#" + sBaitElemID + " { display: none; }</style>");
+
+		// Check if style has been applied
+		if ($("#" + sBaitElemID).is(":visible") === false) {
+			this.aFlags.bUnsafeInlineStyleOk = true;
+		} else {
+			// Remove bait div to avoid polluting the screen
+			$("#" + sBaitElemID).remove();
+			this._AddErrorAlert("unsafe-inline", "style");
+		}
+	},
+	/**
+	 * Hide continue button to prevent setup from going further if any policy is not OK
+	 * @private
+	 */
+	_HideContinueButtonIfPolicyNotOk: function() {
+		if (false === this.aFlags.bUnsafeInlineScriptOk || false === this.aFlags.bUnsafeEvalScriptOk || false === this.aFlags.bUnsafeInlineStyleOk) {
+			// Hide next button to prevent user from going forward.
+			// Note that we don't remove it completely to be able to by-pass it.
+			$("#btn_next").addClass("hidden");
+		}
+	},
+	/**
+	 * Internal helper to add an error alert in case of failure
+	 * @param {String} sPolicyOption e.g. "unsafe-inline", "unsafe-eval", ...
+	 * @param {String} sResourceType script|style
+	 * @private
+	 */
+	_AddErrorAlert: function(sPolicyOption, sResourceType) {
+		var sFilesType = sResourceType === "script" ? "scripts" : "styles";
+
+		// Add alert in the DOM
+		$("<div class=\"message message-error\"><span class=\"message-title\">Error:</span>Your server Content-Security-Policy header doesn't allow <b>" + sPolicyOption + " " + sFilesType + "</b>. Therefore, the application cannot be installed (<a" +
+			" href=\"https://www.itophub.io/wiki/page?id=" + this._FindItopVersionInURI() + ":install:security#content-security-policy\" target=\"_blank\">see documentation</a>).</div>")
+			.insertAfter(
+				$("#wiz_form h1:first")
+			);
+
+	},
+	/**
+	 * Internal helper to find the iTop version as wiki syntax from the script URI
+	 * @returns {string|string}
+	 * @private
+	 */
+	_FindItopVersionInURI: function() {
+		// First find script tag for the current file
+		var sScriptURI = $('script[src*="setup/csp-detection.js"]').attr("src");
+
+		// Extract parameter value from URI
+		var regex = new RegExp('[\\?&]' + 'itop_version_wiki_syntax' + '=([^&#]*)');
+		var results = regex.exec(sScriptURI);
+		return results === null ? '' : decodeURIComponent(results[1].replace(/\+/g, ' '));
+	}
+};
+
+$(document).ready(function() {
+	SetupCSPDetection.Run();
+});

setup/email.test.php

@@ -38,7 +38,7 @@ $oP = new SetupPage('iTop email test utility');
 
 // Although this page doesn't expose sensitive info, with it we can send multiple emails
 // So we're adding this http header to reduce CSRF exposure...
-$oP->add_xframe_options('DENY');
+$oP->add_http_headers('DENY');
 
 
 /**

setup/modelfactory.class.inc.php

@@ -932,10 +932,12 @@ class ModelFactory
 						$this->aDictKeys[$sLanguageCode][$sCode] = $oXmlEntry;
 					}
 				}
-			}
-			catch (Exception $e)
+            } catch (Exception|Error $e) // Error can occurs on eval() calls
 			{
-				throw new Exception('Failed to load dictionary file "'.$sPHPFile.'", reason: '.$e->getMessage());
+                throw new DictException('Failed to load dictionary file "' . $sPHPFile . '"', [
+                        'exception_class' => get_class($e),
+                        'exception_msg' => $e->getMessage(),
+                ]);
 			}
 
 		}

setup/modulediscovery.class.inc.php

@@ -76,7 +76,7 @@ class ModuleDiscovery
 		'doc.manual_setup' => 'url',
 		'doc.more_information' => 'url',
 	);
-	
+
 
 	// Cache the results and the source directories
 	protected static $m_aSearchDirs = null;
@@ -148,7 +148,7 @@ class ModuleDiscovery
 			self::$m_aModuleVersionByName[$sModuleName]['version'] = $sModuleVersion;
 			self::$m_aModuleVersionByName[$sModuleName]['id'] = $sId;
 		}
-		
+
 		self::$m_aModules[$sId] = $aArgs;
 
 		// Now keep the relative paths, as provided
@@ -250,7 +250,7 @@ class ModuleDiscovery
 		if ($bAbortOnMissingDependency && count($aDependencies) > 0)
 		{
 			$aModulesInfo = array();
-			$aModuleDeps = array();			
+			$aModuleDeps = array();
 			foreach($aDependencies as $sId => $aDeps)
 			{
 				$aModule = $aModules[$sId];
@@ -282,7 +282,7 @@ class ModuleDiscovery
 		// The de-duplication is now done directly by the AddModule method
 		return $aModules;
 	}
-		
+
 	protected static function DependencyIsResolved($sDepString, $aOrderedModules, $aSelectedModules)
 	{
 		$bResult = false;
@@ -329,12 +329,12 @@ class ModuleDiscovery
 							if (version_compare($sCurrentVersion, $sExpectedVersion, $sOperator))
 							{
 								$aReplacements[$sModuleId] = '(true)'; // Add parentheses to protect against invalid condition causing
-																	   // a function call that results in a runtime fatal error								
+																	   // a function call that results in a runtime fatal error
 							}
 							else
 							{
 								$aReplacements[$sModuleId] = '(false)'; // Add parentheses to protect against invalid condition causing
-																	   // a function call that results in a runtime fatal error								
+																	   // a function call that results in a runtime fatal error
 							}
 						}
 						else
@@ -393,20 +393,20 @@ class ModuleDiscovery
 		{
 			self::ResetCache();
 		}
-		
+
 		if (is_null(self::$m_aSearchDirs))
 		{
 			self::$m_aSearchDirs = $aSearchDirs;
-			
+
 			// Not in cache, let's scan the disk
 			foreach($aSearchDirs as $sSearchDir)
 			{
-				$sLookupDir = realpath($sSearchDir);			
+				$sLookupDir = realpath($sSearchDir);
 				if ($sLookupDir == '')
 				{
 					throw new Exception("Invalid directory '$sSearchDir'");
 				}
-	
+
 				clearstatcache();
 				self::ListModuleFiles(basename($sSearchDir), dirname($sSearchDir));
 			}
@@ -418,7 +418,7 @@ class ModuleDiscovery
 			return self::GetModules($bAbortOnMissingDependency, $aModulesToLoad);
 		}
 	}
-	
+
 	public static function ResetCache()
 	{
 		self::$m_aSearchDirs = null;
@@ -430,7 +430,7 @@ class ModuleDiscovery
 	 * Helper function to interpret the name of a module
 	 * @param $sModuleId string Identifier of the module, in the form 'name/version'
 	 * @return array(name, version)
-	 */    
+	 */
 	public static function GetModuleName($sModuleId)
 	{
 		$aMatches = array();
@@ -459,7 +459,7 @@ class ModuleDiscovery
 	{
 		static $iDummyClassIndex = 0;
 		$sDirectory = $sRootDir.'/'.$sRelDir;
-		
+
 		if ($hDir = opendir($sDirectory))
 		{
 			// This is the correct way to loop over the directory. (according to the documentation)
@@ -495,12 +495,12 @@ class ModuleDiscovery
 							$idx++;
 						}
 						$bRet = eval($sModuleFileContents);
-						
+
 						if ($bRet === false)
 						{
 							SetupPage::log_warning("Eval of $sRelDir/$sFile returned false");
 						}
-						
+
 						//echo "<p>Done.</p>\n";
 					}
 					catch(ParseError $e)
@@ -528,7 +528,7 @@ class ModuleDiscovery
 /** Alias for backward compatibility with old module files in which
  *  the declaration of a module invokes SetupWebPage::AddModule()
  *  whereas the new form is ModuleDiscovery::AddModule()
- */  
+ */
 class SetupWebPage extends ModuleDiscovery
 {
 	// For backward compatibility with old modules...
@@ -555,9 +555,9 @@ class SetupWebPage extends ModuleDiscovery
 	public static function log($sText)
 	{
 		SetupPage::log($sText);
-	}	
+	}
 }
-		
+
 /** Ugly patch !!!
  * In order to be able to analyse / load several times
  * the same module file, we rename the class (to avoid duplicate class definitions)

setup/runtimeenv.class.inc.php

@@ -3,7 +3,7 @@
 //
 //   This file is part of iTop.
 //
-//   iTop is free software; you can redistribute it and/or modify	
+//   iTop is free software; you can redistribute it and/or modify
 //   it under the terms of the GNU Affero General Public License as published by
 //   the Free Software Foundation, either version 3 of the License, or
 //   (at your option) any later version.
@@ -100,14 +100,14 @@ class RunTimeEnvironment
 		$this->log_info(sprintf('%.3fs - query: %s ', $fDuration, $sQuery));
 		$this->log_db_query($sQuery);
 	}
-	
+
 	/**
 	 * Helper function to initialize the ORM and load the data model
 	 * from the given file
 	 * @param $oConfig object The configuration (volatile, not necessarily already on disk)
-	 * @param $bModelOnly boolean Whether or not to allow loading a data model with no corresponding DB 
+	 * @param $bModelOnly boolean Whether or not to allow loading a data model with no corresponding DB
 	 * @return none
-	 */    
+	 */
 	public function InitDataModel($oConfig, $bModelOnly = true, $bUseCache = false)
 	{
 		require_once APPROOT.'/setup/moduleinstallation.class.inc.php';
@@ -121,15 +121,15 @@ class RunTimeEnvironment
 		{
 			$this->log_info("MetaModel::Startup (ModelOnly = $bModelOnly)");
 		}
-	
+
 		if (!$bUseCache)
 		{
 			// Reset the cache for the first use !
 			MetaModel::ResetCache(md5(APPROOT).'-'.$this->sTargetEnv);
 		}
-	
+
 		MetaModel::Startup($oConfig, $bModelOnly, $bUseCache, false /* $bTraceSourceFiles */, $this->sTargetEnv);
-		
+
 		if ($this->oExtensionsMap === null)
 		{
 			$this->oExtensionsMap = new iTopExtensionsMap($this->sTargetEnv);
@@ -139,7 +139,7 @@ class RunTimeEnvironment
 	/**
 	 * Analyzes the current installation and the possibilities
 	 *
-	 * @param Config $oConfig Defines the target environment (DB)
+	 * @param null|Config $oConfig Defines the target environment (DB)
 	 * @param mixed $modulesPath Either a single string or an array of absolute paths
 	 * @param bool $bAbortOnMissingDependency ...
 	 * @param array $aModulesToLoad List of modules to search for, defaults to all if omitted
@@ -178,7 +178,7 @@ class RunTimeEnvironment
 				'name_code' => ITOP_APPLICATION,
 			)
 		);
-	
+
 		$aDirs = is_array($modulesPath) ? $modulesPath : array($modulesPath);
 		$aModules = ModuleDiscovery::GetAvailableModules($aDirs, $bAbortOnMissingDependency, $aModulesToLoad);
 		foreach($aModules as $sModuleId => $aModuleInfo)
@@ -194,11 +194,11 @@ class RunTimeEnvironment
 				//throw new Exception("Missing version for the module: '$sModuleId'");
 				$sModuleVersion  = '1.0.0';
 			}
-	
+
 			$sModuleAppVersion = $aModuleInfo['itop_version'];
 			$aModuleInfo['version_db'] = '';
 			$aModuleInfo['version_code'] = $sModuleVersion;
-	
+
 			if (!in_array($sModuleAppVersion, array('1.0.0', '1.0.1', '1.0.2')))
 			{
 				// This module is NOT compatible with the current version
@@ -223,18 +223,20 @@ class RunTimeEnvironment
 			}
 			$aRes[$sModuleName] = $aModuleInfo;
 		}
-	
+
 		try
 		{
-			CMDBSource::InitFromConfig($oConfig);
-			$aSelectInstall = CMDBSource::QueryToArray("SELECT * FROM ".$oConfig->Get('db_subname')."priv_module_install");
+			$aSelectInstall = array();
+			if (! is_null($oConfig)) {
+				CMDBSource::InitFromConfig($oConfig);
+				$aSelectInstall = CMDBSource::QueryToArray("SELECT * FROM ".$oConfig->Get('db_subname')."priv_module_install");
+			}
 		}
 		catch (MySQLException $e)
 		{
 			// No database or erroneous information
-			$aSelectInstall = array();
 		}
-	
+
 		// Build the list of installed module (get the latest installation)
 		//
 		$aInstallByModule = array(); // array of <module> => array ('installed' => timestamp, 'version' => <version>)
@@ -251,7 +253,7 @@ class RunTimeEnvironment
 				}
 			}
 		}
-		
+
 		foreach ($aSelectInstall as $aInstall)
 		{
 			//$aInstall['comment']; // unsused
@@ -265,7 +267,7 @@ class RunTimeEnvironment
 				// as being installed
 				$sModuleVersion = '0.0.0';
 			}
-	
+
 			if ($aInstall['parent_id'] == 0)
 			{
 				$sModuleName = ROOT_MODULE;
@@ -275,7 +277,7 @@ class RunTimeEnvironment
 				// Skip all modules belonging to previous installations
 				continue;
 			}
-	
+
 			if (array_key_exists($sModuleName, $aInstallByModule))
 			{
 				if ($iInstalled < $aInstallByModule[$sModuleName]['installed'])
@@ -283,30 +285,30 @@ class RunTimeEnvironment
 					continue;
 				}
 			}
-	
+
 			if ($aInstall['parent_id'] == 0)
 			{
 				$aRes[$sModuleName]['version_db'] = $sModuleVersion;
 				$aRes[$sModuleName]['name_db'] = $aInstall['name'];
 			}
-	
+
 			$aInstallByModule[$sModuleName]['installed'] = $iInstalled;
 			$aInstallByModule[$sModuleName]['version'] = $sModuleVersion;
 		}
-	
+
 		// Adjust the list of proposed modules
 		//
 		foreach ($aInstallByModule as $sModuleName => $aModuleDB)
 		{
 			if ($sModuleName == ROOT_MODULE) continue; // Skip the main module
-				
+
 			if (!array_key_exists($sModuleName, $aRes))
 			{
-				// A module was installed, it is not proposed in the new build... skip 
+				// A module was installed, it is not proposed in the new build... skip
 				continue;
 			}
 			$aRes[$sModuleName]['version_db'] = $aModuleDB['version'];
-	
+
 			if ($aRes[$sModuleName]['install']['flag'] == MODULE_ACTION_MANDATORY)
 			{
 				$aRes[$sModuleName]['uninstall'] = array(
@@ -322,7 +324,7 @@ class RunTimeEnvironment
 				);
 			}
 		}
-	
+
 		return $aRes;
 	}
 
@@ -336,9 +338,9 @@ class RunTimeEnvironment
 	{
 		self::MakeDirSafe(APPCONF);
 		self::MakeDirSafe(APPCONF.$this->sTargetEnv);
-		
+
 		$sTargetConfigFile = APPCONF.$this->sTargetEnv.'/'.ITOP_CONFIG_FILE;
-		
+
 		// Write the config file
 		@chmod($sTargetConfigFile, 0770); // In case it exists: RWX for owner and group, nothing for others
 		$oConfig->WriteToFile($sTargetConfigFile);
@@ -354,7 +356,7 @@ class RunTimeEnvironment
 		// Do nothing, overload this method if needed
 		return array();
 	}
-	
+
 	/**
 	 * Decide whether or not the given extension is selected for installation
 	 * @param iTopExtension $oExtension
@@ -364,10 +366,10 @@ class RunTimeEnvironment
 	{
 		return ($oExtension->sSource == iTopExtension::SOURCE_REMOTE);
 	}
-	
+
 	/**
-	 * Get the installed modules (only the installed ones)	
-	 */	
+	 * Get the installed modules (only the installed ones)
+	 */
 	protected function GetMFModulesToCompile($sSourceEnv, $sSourceDir)
 	{
 		$sSourceDirFull = APPROOT.$sSourceDir;
@@ -388,7 +390,7 @@ class RunTimeEnvironment
 
 		$aExtraDirs = $this->GetExtraDirsToScan($aDirsToCompile);
 		$aDirsToCompile = array_merge($aDirsToCompile, $aExtraDirs);
-				
+
 		$aRet = array();
 
 		// Determine the installed modules and extensions
@@ -396,7 +398,7 @@ class RunTimeEnvironment
 		$oSourceConfig = new Config(APPCONF.$sSourceEnv.'/'.ITOP_CONFIG_FILE);
 		$oSourceEnv = new RunTimeEnvironment($sSourceEnv);
 		$aAvailableModules = $oSourceEnv->AnalyzeInstallation($oSourceConfig, $aDirsToCompile);
-		
+
 		// Actually read the modules available for the target environment,
 		// but get the selection from the source environment and finally
 		// mark as (automatically) chosen alll the "remote" modules present in the
@@ -416,7 +418,7 @@ class RunTimeEnvironment
 		//
 		$oDictModule = new MFDictModule('dictionaries', 'iTop Dictionaries', APPROOT.'dictionaries');
 		$aRet[$oDictModule->GetName()] = $oDictModule;
-		
+
 		$oFactory = new ModelFactory($aDirsToCompile);
 		$sDeltaFile = APPROOT.'core/datamodel.core.xml';
 		if (file_exists($sDeltaFile))
@@ -430,14 +432,14 @@ class RunTimeEnvironment
 			$oApplicationModule = new MFCoreModule('application', 'Application Module', $sDeltaFile);
 			$aRet[$oApplicationModule->GetName()] = $oApplicationModule;
 		}
-		
+
 		$aModules = $oFactory->FindModules();
 		foreach($aModules as $oModule)
 		{
 			$sModule = $oModule->GetName();
 			$sModuleRootDir = $oModule->GetRootDir();
 			$bIsExtra = $this->oExtensionsMap->ModuleIsChosenAsPartOfAnExtension($sModule, iTopExtension::SOURCE_REMOTE);
-			if (array_key_exists($sModule, $aAvailableModules)) 
+			if (array_key_exists($sModule, $aAvailableModules))
 			{
 				if (($aAvailableModules[$sModule]['version_db'] != '') ||  $bIsExtra && !$oModule->IsAutoSelect()) //Extra modules are always unless they are 'AutoSelect'
 				{
@@ -445,7 +447,7 @@ class RunTimeEnvironment
 				}
 			}
 		}
-		
+
 		// Now process the 'AutoSelect' modules
 		do
 		{
@@ -514,7 +516,7 @@ class RunTimeEnvironment
 			}
 			$oFactory->LoadModule($oModule);
 		}
-		
+
 
 		if ($oModule instanceof MFDeltaModule)
 		{
@@ -565,7 +567,7 @@ class RunTimeEnvironment
 		{
 			$this->log_info("Creating the structure in '".$oConfig->Get('db_name')."'.");
 		}
-	
+
 		//MetaModel::CheckDefinitions();
 		if ($sMode == 'install')
 		{
@@ -597,7 +599,7 @@ class RunTimeEnvironment
 
 				MetaModel::DBCreate(array($this, 'LogQueryCallback'));
 				$this->log_ok("Database structure successfully updated.");
-	
+
 				// Check (and update only if it seems needed) the hierarchical keys
 				if (MFCompiler::SkipRebuildHKeys()) {
 					$this->log_ok("Hierchical keys are NOT rebuilt due to the presence of the \"data/.setup-rebuild-hkeys-never\" file");
@@ -657,7 +659,7 @@ class RunTimeEnvironment
 			if ($aPredefinedObjects != null)
 			{
 				$this->log_info("$sClass::GetPredefinedObjects() returned " . count($aPredefinedObjects) . " elements.");
-				
+
 				// Create/Delete/Update objects of this class,
 				// according to the given constant values
 				//
@@ -699,7 +701,7 @@ class RunTimeEnvironment
 		// Restore the previous access mode
 		$oConfig->Set('access_mode', $iPrevAccessMode);
 	}
-	
+
 	public function RecordInstallation(Config $oConfig, $sDataModelVersion, $aSelectedModuleCodes, $aSelectedExtensionCodes, $sShortComment = null)
 	{
 		// Have it work fine even if the DB has been set in read-only mode for the users
@@ -708,7 +710,7 @@ class RunTimeEnvironment
 		//$oConfig->Set('access_mode', ACCESS_FULL);
 
 		if (CMDBSource::DBName() == '')
-		{		
+		{
 			// In case this has not yet been done
 			CMDBSource::InitFromConfig($oConfig);
 		}
@@ -718,7 +720,7 @@ class RunTimeEnvironment
 			$sShortComment = 'Done by the setup program';
 		}
 		$sMainComment = $sShortComment."\nBuilt on ".ITOP_BUILD_DATE;
-		
+
 		// Record datamodel version
 		$aData = array(
 			'source_dir' => $oConfig->Get('source_dir'),
@@ -731,7 +733,7 @@ class RunTimeEnvironment
 		$oInstallRec->Set('parent_id', 0); // root module
 		$oInstallRec->Set('installed', $iInstallationTime);
 		$iMainItopRecord = $oInstallRec->DBInsertNoReload();
-		
+
 		// Record main installation
 		$oInstallRec = new ModuleInstallation();
 		$oInstallRec->Set('name', ITOP_APPLICATION);
@@ -740,8 +742,8 @@ class RunTimeEnvironment
 		$oInstallRec->Set('parent_id', 0); // root module
 		$oInstallRec->Set('installed', $iInstallationTime);
 		$iMainItopRecord = $oInstallRec->DBInsertNoReload();
-	
-		
+
+
 		// Record installed modules and extensions
 		//
 		$aAvailableExtensions = array();
@@ -775,7 +777,7 @@ class RunTimeEnvironment
 				$aComments[] = "Depends on module: $sDependOn";
 			}
 			$sComment = implode("\n", $aComments);
-	
+
 			$oInstallRec = new ModuleInstallation();
 			$oInstallRec->Set('name', $sName);
 			$oInstallRec->Set('version', $sVersion);
@@ -784,7 +786,7 @@ class RunTimeEnvironment
 			$oInstallRec->Set('installed', $iInstallationTime);
 			$oInstallRec->DBInsertNoReload();
 		}
-		
+
 		if ($this->oExtensionsMap)
 		{
 			// Mark as chosen the selected extensions code passed to us
@@ -796,7 +798,7 @@ class RunTimeEnvironment
 					$this->oExtensionsMap->MarkAsChosen($oExtension->sCode);
 				}
 			}
-			
+
 			foreach($this->oExtensionsMap->GetChoices() as $oExtension)
 			{
 				$oInstallRec = new ExtensionInstallation();
@@ -813,9 +815,9 @@ class RunTimeEnvironment
 		MetaModel::GetConfig()->Set('access_mode', $iPrevAccessMode);
 
 		// Database is created, installation has been tracked into it
-		return true;	
+		return true;
 	}
-	
+
 	public function GetApplicationVersion(Config $oConfig)
 	{
 		$aResult = false;
@@ -832,7 +834,7 @@ class RunTimeEnvironment
 			$this->log_error('Exception '.$e->getMessage());
 			return false;
 		}
-	
+
 		// Scan the list of installed modules to get the version of the 'ROOT' module which holds the main application version
 		foreach ($aSelectInstall as $aInstall)
 		{
@@ -844,7 +846,7 @@ class RunTimeEnvironment
 				// as being installed
 				$sModuleVersion = '0.0.0';
 			}
-			
+
 			if ($aInstall['parent_id'] == 0)
 			{
 				if ($aInstall['name'] == DATAMODEL_MODULE)
@@ -870,7 +872,7 @@ class RunTimeEnvironment
 			$aResult['datamodel_version'] = $aResult['product_version'];
 		}
 		$this->log_info("GetApplicationVersion returns: product_name: ".$aResult['product_name'].', product_version: '.$aResult['product_version']);
-		return $aResult;	
+		return $aResult;
 	}
 
 	public static function MakeDirSafe($sDir)
@@ -886,8 +888,8 @@ class RunTimeEnvironment
 	}
 
 	/**
-	 * Wrappers for logging into the setup log files	
-	 */	
+	 * Wrappers for logging into the setup log files
+	 */
 	protected function log_error($sText)
 	{
 		SetupPage::log_error($sText);
@@ -923,7 +925,7 @@ class RunTimeEnvironment
 			fclose($hSetupQueriesFile);
 		}
 	}
-	
+
 	public function GetCurrentDataModelVersion()
 	{
 		$oSearch = DBObjectSearch::FromOQL("SELECT ModuleInstallation WHERE name='".DATAMODEL_MODULE."'");
@@ -1079,13 +1081,14 @@ class RunTimeEnvironment
 			SetupUtils::tidydir(APPROOT.'env-'.$this->sTargetEnv);
 		}
 	}
-	
-	/**
-	 * Call the given handler method for all selected modules having an installation handler
-	 * @param array[] $aAvailableModules
-	 * @param string[] $aSelectedModules
-	 * @param string $sHandlerName
-	 */
+
+    /**
+     * Call the given handler method for all selected modules having an installation handler
+     * @param array[] $aAvailableModules
+     * @param string[] $aSelectedModules
+     * @param string $sHandlerName
+     * @throws CoreException
+     */
 	public function CallInstallerHandlers($aAvailableModules, $aSelectedModules, $sHandlerName)
 	{
 	    foreach($aAvailableModules as $sModuleId => $aModule)
@@ -1098,12 +1101,24 @@ class RunTimeEnvironment
 	            $aCallSpec = array($sModuleInstallerClass, $sHandlerName);
 	            if (is_callable($aCallSpec))
 	            {
-	               call_user_func_array($aCallSpec, array(MetaModel::GetConfig(), $aModule['version_db'], $aModule['version_code']));
-	            }
+                    try {
+                        call_user_func_array($aCallSpec, array(MetaModel::GetConfig(), $aModule['version_db'], $aModule['version_code']));
+                    } catch (Exception $e) {
+                        $sErrorMessage = "Module $sModuleId : error when calling module installer class $sModuleInstallerClass for $sHandlerName handler";
+                        $aExceptionContextData = [
+                                'ModulelId' => $sModuleId,
+                                'ModuleInstallerClass' => $sModuleInstallerClass,
+                                'ModuleInstallerHandler' => $sHandlerName,
+                                'ExceptionClass' => get_class($e),
+                                'ExceptionMessage' => $e->getMessage(),
+                        ];
+                        throw new CoreException($sErrorMessage, $aExceptionContextData, '', $e);
+                    }
+                }
 	        }
 	    }
 	}
-	
+
 	/**
 	 * Load data from XML files for the selected modules (structural data and/or sample data)
 	 * @param array[] $aAvailableModules All available modules and their definition
@@ -1113,13 +1128,13 @@ class RunTimeEnvironment
 	public function LoadData($aAvailableModules, $aSelectedModules, $bSampleData)
 	{
 	    $oDataLoader = new XMLDataLoader();
-	    
+
 	    CMDBObject::SetTrackInfo("Initialization");
 	    $oMyChange = CMDBObject::GetCurrentChange();
-	    
+
 	    SetupPage::log_info("starting data load session");
 	    $oDataLoader->StartSession($oMyChange);
-	    
+
 	    $aFiles = array();
 	    $aPreviouslyLoadedFiles = array();
 	    foreach($aAvailableModules as $sModuleId => $aModule)
@@ -1160,7 +1175,7 @@ class RunTimeEnvironment
 	            }
 	        }
 	    }
-	    
+
 	    // Simulate the load of the previously loaded files, in order to initialize
 	    // the mapping between the identifiers in the XML and the actual identifiers
 	    // in the current database
@@ -1172,12 +1187,12 @@ class RunTimeEnvironment
 	        {
 	            throw(new Exception("File $sFileName does not exist"));
 	        }
-	        
+
 	        $oDataLoader->LoadFile($sFileName, true);
 	        $sResult = sprintf("loading of %s done.", basename($sFileName));
 	        SetupPage::log_info($sResult);
 	    }
-	    
+
 	    foreach($aFiles as $sFileRelativePath)
 	    {
 	        $sFileName = APPROOT.$sFileRelativePath;
@@ -1186,16 +1201,16 @@ class RunTimeEnvironment
 	        {
 	            throw(new Exception("File $sFileName does not exist"));
 	        }
-	        
+
 	        $oDataLoader->LoadFile($sFileName);
 	        $sResult = sprintf("loading of %s done.", basename($sFileName));
 	        SetupPage::log_info($sResult);
 	    }
-	    
+
 	    $oDataLoader->EndSession();
 	    SetupPage::log_info("ending data load session");
 	}
-	
+
 	/**
 	 * Merge two arrays of file names, adding the relative path to the files provided in the array to merge
 	 * @param string[] $aSourceArray
@@ -1212,7 +1227,7 @@ class RunTimeEnvironment
 	    }
 	    return array_merge($aSourceArray, $aToMerge);
 	}
-	
+
 	/**
 	 * Check the MetaModel for some common pitfall (class name too long, classes requiring too many joins...)
 	 * The check takes about 900 ms for 200 classes
@@ -1252,7 +1267,7 @@ class RunTimeEnvironment
             $iCount++;
         }
         $fDuration = microtime(true) - $fStart;
-        
+
         return sprintf("Checked %d classes in %.1f ms. No error found.\n", $iCount, $fDuration*1000.0);
     }
 } // End of class

setup/setuppage.class.inc.php

@@ -35,6 +35,7 @@ class SetupPage extends NiceWebPage
 		parent::__construct($sTitle);
 		$this->add_linked_script("../js/jquery.blockUI.js");
 		$this->add_linked_script("../setup/setup.js");
+		$this->add_linked_script("../setup/csp-detection.js?itop_version_wiki_syntax=" . utils::GetItopVersionWikiSyntax());
 		$this->add_saas("css/setup.scss");
 	}
 

setup/setuputils.class.inc.php

@@ -897,16 +897,29 @@ class SetupUtils
 		return $f;
 	}
 
+    /**
+     * @param float $fBytes size in raw bytes, for example 162594750464.0
+     * @return string formatted string, for example "161.62 GB"
+     *
+     * @link https://en.wiktionary.org/wiki/byte byte and not Byte
+     * @link https://en.wikipedia.org/wiki/Kilobyte kB and not KB (IEC 80000-13)
+     * @link https://en.wiktionary.org/wiki/petabyte petabyte PB
+     * @link https://en.wiktionary.org/wiki/exabyte exabyte EB
+     */
 	public static function HumanReadableSize($fBytes)
 	{
-		$aSizes = array('bytes', 'Kb', 'Mb', 'Gb', 'Tb', 'Pb', 'Hb');
+		$aSizes = array('bytes', 'kB', 'MB', 'GB', 'TB', 'PB', 'EB');
 		$index = 0;
-		while (($fBytes > 1000) && ($index < count($aSizes)))
-		{
+		while (($fBytes > 1000) && ($index < count($aSizes))) {
 			$index++;
 			$fBytes = $fBytes / 1000;
 		}
 
+		if ($index == 0) {
+			// display int for bytes
+			return sprintf('%d %s', $fBytes, $aSizes[$index]);
+		}
+
 		return sprintf('%.2f %s', $fBytes, $aSizes[$index]);
 	}
 
@@ -1217,6 +1230,12 @@ EOF
 				$aResult['checks'][] = new CheckResult(CheckResult::INFO, "MySQL server's max_connections is set to $iMaxConnections.");
 			}
 
+            $iClusters = $oDBSource->GetClusterNb();
+            if ($iClusters > 0) {
+                SetupLog::Warning('Warning - Using Galera will cause malfunctions and data corruptions. Combodo does not support this type of infrastructure.');
+                $aResult['checks'][] = new CheckResult(CheckResult::WARNING, 'Using Galera will cause malfunctions and data corruptions. Combodo does not support this type of infrastructure.');
+            }
+
 			try {
 				$aResult['databases'] = $oDBSource->ListDB();
 			}

setup/unattended-install/.htaccess

@@ -0,0 +1,13 @@
+# Apache 2.4
+<ifModule mod_authz_core.c>
+Require all denied
+</ifModule>
+
+# Apache 2.2
+<ifModule !mod_authz_core.c>
+deny from all
+Satisfy All
+</ifModule>
+
+# Apache 2.2 and 2.4
+IndexIgnore *

setup/unattended-install/InstallationFileService.php

@@ -0,0 +1,365 @@
+<?php
+
+require_once(APPROOT.'/application/utils.inc.php');
+require_once(APPROOT.'/setup/setuppage.class.inc.php');
+require_once(APPROOT.'/setup/wizardcontroller.class.inc.php');
+require_once(APPROOT.'/setup/wizardsteps.class.inc.php');
+
+if (version_compare(ITOP_DESIGN_LATEST_VERSION, '2.7', '<=')) {
+	require_once(APPROOT.'/core/config.class.inc.php');
+	require_once(APPROOT.'/core/log.class.inc.php');
+	require_once(APPROOT.'/core/kpi.class.inc.php');
+	require_once(APPROOT.'/core/cmdbsource.class.inc.php');
+	require_once(APPROOT.'/application/clipage.class.inc.php');
+}
+
+class InstallationFileService {
+	/** @var \RunTimeEnvironment $oProductionEnv */
+	private $oProductionEnv;
+
+	/** @var \ItopExtensionsMap $oProductionEnv */
+	private $oItopExtensionsMap;
+
+	private $sTargetEnvironment;
+	private $sInstallationPath;
+	private $aSelectedModules;
+	private $aSelectedExtensions;
+	private $aAfterComputationSelectedExtensions;
+	private $aUnSelectedModules;
+	private $aAutoSelectModules;
+	private $bInstallationOptionalChoicesChecked;
+
+	/**
+	 * @param string $sInstallationPath
+	 * @param string $sTargetEnvironment
+	 * @param array $aSelectedExtensions
+	 * @param bool $bInstallationOptionalChoicesChecked : this option is used only when no extensions are selected (ie empty
+	 *     $aSelectedExtensions)
+	 */
+	public function __construct(string $sInstallationPath, string $sTargetEnvironment='production', array $aSelectedExtensions = [], bool $bInstallationOptionalChoicesChecked=true) {
+		$this->sInstallationPath = $sInstallationPath;
+		$this->aSelectedModules = [];
+		$this->aUnSelectedModules = [];
+		$this->sTargetEnvironment = $sTargetEnvironment;
+		$this->aSelectedExtensions = $aSelectedExtensions;
+		$this->aAfterComputationSelectedExtensions = (count($aSelectedExtensions)==0) ? [] : $aSelectedExtensions;
+		$this->bInstallationOptionalChoicesChecked = $bInstallationOptionalChoicesChecked;
+	}
+
+	public function Init(): void {
+		clearstatcache();
+
+		$this->ProcessDefaultModules();
+		$this->ProcessInstallationChoices();
+		$this->ProcessExtensionModulesNotSpecifiedInChoices();
+		$this->ProcessAutoSelectModules();
+	}
+
+	public function GetProductionEnv(): RunTimeEnvironment {
+		if (is_null($this->oProductionEnv)){
+			$this->oProductionEnv = new RunTimeEnvironment();
+		}
+		return $this->oProductionEnv;
+	}
+
+	public function SetProductionEnv(RunTimeEnvironment $oProductionEnv): void {
+		$this->oProductionEnv = $oProductionEnv;
+	}
+
+	public function GetAfterComputationSelectedExtensions(): array {
+		return $this->aAfterComputationSelectedExtensions;
+	}
+
+	public function SetItopExtensionsMap(ItopExtensionsMap $oItopExtensionsMap): void {
+		$this->oItopExtensionsMap = $oItopExtensionsMap;
+	}
+
+	public function GetItopExtensionsMap(): ItopExtensionsMap {
+		if (is_null($this->oItopExtensionsMap)){
+			$this->oItopExtensionsMap = new iTopExtensionsMap($this->sTargetEnvironment, true);
+		}
+		return $this->oItopExtensionsMap;
+	}
+
+	public function GetAutoSelectModules(): array {
+		return $this->aAutoSelectModules;
+	}
+
+	public function GetSelectedModules(): array {
+		return $this->aSelectedModules;
+	}
+
+	public function GetUnSelectedModules(): array {
+		return $this->aUnSelectedModules;
+	}
+
+	public function ProcessInstallationChoices(): void {
+		$oXMLParameters = new XMLParameters($this->sInstallationPath);
+		$aSteps = $oXMLParameters->Get('steps', []);
+		if (! is_array($aSteps)) {
+			return;
+		}
+
+		foreach ($aSteps as $aStepInfo) {
+			$aOptions = $aStepInfo["options"] ?? null;
+			if (! is_null($aOptions) && is_array($aOptions)) {
+				foreach ($aOptions as $aChoiceInfo) {
+					$this->ProcessSelectedChoice($aChoiceInfo, $this->bInstallationOptionalChoicesChecked);
+				}
+			}
+			$aOptions = $aStepInfo["alternatives"] ?? null;
+			if (! is_null($aOptions) && is_array($aOptions)) {
+				foreach ($aOptions as $aChoiceInfo) {
+					$this->ProcessSelectedChoice($aChoiceInfo, false);
+				}
+			}
+		}
+
+		foreach ($this->aSelectedModules as $sModuleId => $sVal){
+			if (array_key_exists($sModuleId, $this->aUnSelectedModules)){
+				unset($this->aUnSelectedModules[$sModuleId]);
+			}
+		}
+	}
+
+	private function ProcessUnSelectedChoice($aChoiceInfo) {
+		if (!is_array($aChoiceInfo)) {
+			return;
+		}
+
+		$aCurrentModules = $aChoiceInfo["modules"] ?? [];
+		foreach ($aCurrentModules as $sModuleId){
+			$this->aUnSelectedModules[$sModuleId] = true;
+		}
+
+		$aAlternatives = $aChoiceInfo["alternatives"] ?? null;
+		if (!is_null($aAlternatives) && is_array($aAlternatives)) {
+			foreach ($aAlternatives as $aSubChoiceInfo) {
+				$this->ProcessUnSelectedChoice($aSubChoiceInfo);
+			}
+		}
+
+		if (array_key_exists('sub_options', $aChoiceInfo)) {
+			if (array_key_exists('options', $aChoiceInfo['sub_options'])) {
+				$aSubOptions = $aChoiceInfo['sub_options']['options'];
+				if (!is_null($aSubOptions) && is_array($aSubOptions)) {
+					foreach ($aSubOptions as $aSubChoiceInfo) {
+						$this->ProcessUnSelectedChoice($aSubChoiceInfo);
+					}
+				}
+			}
+			if (array_key_exists('alternatives', $aChoiceInfo['sub_options'])) {
+				$aSubAlternatives = $aChoiceInfo['sub_options']['alternatives'];
+				if (!is_null($aSubAlternatives) && is_array($aSubAlternatives)) {
+					foreach ($aSubAlternatives as $aSubChoiceInfo) {
+						$this->ProcessUnSelectedChoice($aSubChoiceInfo);
+					}
+				}
+			}
+		}
+	}
+
+	private function ProcessSelectedChoice($aChoiceInfo, bool $bAllChecked) {
+		if (!is_array($aChoiceInfo)) {
+			return;
+		}
+
+		$sDefault = $aChoiceInfo["default"] ?? "false";
+		$sMandatory = $aChoiceInfo["mandatory"] ?? "false";
+
+		$aCurrentModules = $aChoiceInfo["modules"] ?? [];
+		$sExtensionCode = $aChoiceInfo["extension_code"] ?? null;
+		if (0 === count($this->aSelectedExtensions)){
+			$bSelected = $bAllChecked || $sDefault === "true" || $sMandatory === "true";
+			if ($bSelected){
+				$this->aAfterComputationSelectedExtensions[]= $sExtensionCode;
+			}
+		} else {
+			$bSelected = $sMandatory === "true" ||
+				(null !== $sExtensionCode && in_array($sExtensionCode, $this->aSelectedExtensions));
+		}
+
+		foreach ($aCurrentModules as $sModuleId){
+			if ($bSelected) {
+				$this->aSelectedModules[$sModuleId] = true;
+			} else {
+				$this->aUnSelectedModules[$sModuleId] = true;
+			}
+		}
+
+		$aAlternatives = $aChoiceInfo["alternatives"] ?? null;
+		if (!is_null($aAlternatives) && is_array($aAlternatives)) {
+			foreach ($aAlternatives as $aSubChoiceInfo) {
+				if ($bSelected) {
+					$this->ProcessSelectedChoice($aSubChoiceInfo, $bAllChecked);
+				} else {
+					$this->ProcessUnSelectedChoice($aSubChoiceInfo);
+				}
+			}
+		}
+
+		if (array_key_exists('sub_options', $aChoiceInfo)) {
+			if (array_key_exists('options', $aChoiceInfo['sub_options'])) {
+				$aSubOptions = $aChoiceInfo['sub_options']['options'];
+				if (!is_null($aSubOptions) && is_array($aSubOptions)) {
+					foreach ($aSubOptions as $aSubChoiceInfo) {
+						if ($bSelected) {
+							$this->ProcessSelectedChoice($aSubChoiceInfo, $bAllChecked);
+						} else {
+							$this->ProcessUnSelectedChoice($aSubChoiceInfo);
+						}
+					}
+				}
+			}
+			if (array_key_exists('alternatives', $aChoiceInfo['sub_options'])) {
+				$aSubAlternatives = $aChoiceInfo['sub_options']['alternatives'];
+				if (!is_null($aSubAlternatives) && is_array($aSubAlternatives)) {
+					foreach ($aSubAlternatives as $aSubChoiceInfo) {
+						if ($bSelected) {
+							$this->ProcessSelectedChoice($aSubChoiceInfo, false);
+						} else {
+							$this->ProcessUnSelectedChoice($aSubChoiceInfo);
+						}
+					}
+				}
+			}
+		}
+	}
+
+	private function GetExtraDirs() : array {
+		$aSearchDirs = [];
+
+		$aDirs = [
+			'/datamodels/1.x',
+			'/datamodels/2.x',
+			'data/' . $this->sTargetEnvironment . '-modules',
+			'extensions',
+		];
+		foreach ($aDirs as $sRelativeDir){
+			$sDirPath = APPROOT.$sRelativeDir;
+			if (is_dir($sDirPath))
+			{
+				$aSearchDirs[] = $sDirPath;
+			}
+		}
+
+		return $aSearchDirs;
+	}
+
+	public function ProcessDefaultModules() : void {
+		$sProductionModuleDir = APPROOT.'data/' . $this->sTargetEnvironment . '-modules/';
+
+		$aAvailableModules = $this->GetProductionEnv()->AnalyzeInstallation(MetaModel::GetConfig(), $this->GetExtraDirs(), false, null);
+
+		$this->aAutoSelectModules = [];
+		foreach ($aAvailableModules as $sModuleId => $aModule) {
+			if (($sModuleId != ROOT_MODULE)) {
+				if (isset($aModule['auto_select'])) {
+					$this->aAutoSelectModules[$sModuleId] = $aModule;
+					continue;
+				}
+
+				if (($aModule['category'] == 'authentication') || (!$aModule['visible'])) {
+					$this->aSelectedModules[$sModuleId] = true;
+					continue;
+				}
+				$bIsExtra = (array_key_exists('root_dir', $aModule) && (strpos($aModule['root_dir'],
+							$sProductionModuleDir) !== false)); // Some modules (root, datamodel) have no 'root_dir'
+				if ($bIsExtra) {
+					// Modules in data/production-modules/ are considered as mandatory and always installed
+					$this->aSelectedModules[$sModuleId] = true;
+				}
+			}
+		}
+	}
+
+	public function ProcessAutoSelectModules() : void {
+		foreach($this->GetAutoSelectModules() as $sModuleId => $aModule)
+		{
+			try {
+				$bSelected = false;
+				SetupInfo::SetSelectedModules($this->aSelectedModules);
+				eval('$bSelected = ('.$aModule['auto_select'].');');
+				if ($bSelected)
+				{
+					// Modules in data/production-modules/ are considered as mandatory and always installed
+					$this->aSelectedModules[$sModuleId] = true;
+				}
+			}
+			catch (Exception $e) {
+			}
+		}
+	}
+
+	public function CanChooseUnpackageExtension(iTopExtension $oExtension) : bool {
+		if ($oExtension->sSource === iTopExtension::SOURCE_REMOTE){
+			SetupLog::Info("Data Extension can be selected", null, ['extension' => $oExtension->sCode]);
+			return true;
+		}
+
+		$bSelectable = $this->bInstallationOptionalChoicesChecked && ($oExtension->sSource === iTopExtension::SOURCE_MANUAL);
+		if ($bSelectable){
+			SetupLog::Info("Manual Extension can be selected", null, ['extension' => $oExtension->sCode]);
+		} else {
+			SetupLog::Debug("Manual Extension can NOT be selected", null, ['extension' => $oExtension->sCode]);
+		}
+
+		return $bSelectable;
+	}
+
+	public function ProcessExtensionModulesNotSpecifiedInChoices() {
+		/** @var \iTopExtension $oExtension */
+		foreach($this->GetItopExtensionsMap()->GetAllExtensions() as $oExtension) {
+			if (in_array($oExtension->sCode, $this->aAfterComputationSelectedExtensions)){
+				//extension already processed in installation.xml
+				SetupLog::Info("Extension already processed via installation choices", null,
+					[
+						'extension' => $oExtension->sCode,
+					])      ;
+				continue;
+			}
+			if ($this->CanChooseUnpackageExtension($oExtension)){
+				if (($oExtension->bVisible) && (count($oExtension->aMissingDependencies) === 0)) {
+					$aCurrentModules = [];
+					$aUnselectableModules = [];
+					$bIsExtensionSelectable = true;
+					foreach ($oExtension->aModules as $sModuleId) {
+						if (array_key_exists($sModuleId, $this->aSelectedModules)) {
+							//already selected
+							continue;
+						}
+
+						if (array_key_exists($sModuleId, $this->aUnSelectedModules)) {
+							$aUnselectableModules[] = $sModuleId;
+
+							//already unselected
+							$bIsExtensionSelectable = false;
+						} else {
+							$aCurrentModules[$sModuleId] = true;
+						}
+					}
+
+					if ($bIsExtensionSelectable) {
+						SetupLog::Debug("Add modules from unpackaged extension", null,
+							[
+								'extension' => $oExtension->sCode,
+								'source' => $oExtension->sSource,
+								'modules to add' => array_keys($aCurrentModules),
+							]);
+						$this->aSelectedModules = array_merge($this->aSelectedModules, $aCurrentModules);
+						$this->aAfterComputationSelectedExtensions[] = $oExtension->sCode;
+					} else {
+						SetupLog::Warning("Unpackaged extension can not be selected due to modules incompatible with installation choices",
+							null,
+							[
+								'extension' => $oExtension->sCode,
+								'source' => $oExtension->sSource,
+								'modules' => array_keys($aCurrentModules),
+								'unselectable modules' => $aUnselectableModules,
+							]);
+					}
+				}
+			}
+		}
+	}
+}

setup/unattended-install/README.md

@@ -0,0 +1,73 @@
+# Unattended-install
+
+This script allows to install and update iTop via CLI.
+
+For more information, see the official Wiki : [Automated installation [iTop Documentation]](https://www.itophub.io/wiki/page?id=latest:advancedtopics:automatic_install)
+
+# unattended-install.php
+
+## Usage
+
+Execution of the unattended installation
+> Note:
+> Because the installation runs from the command line, make sure that the current user has enough rights to access the different locations and that the web server will be able to access the files and directories created during the scripted installation. In order to exactly emulate the behavior of
+the interactive installation it may be a good practice to run this installation from the user account used for running the web server process.
+
+Launch the script with the following command:  ```bash php unattended_install.php --param-file=fresh-install.xml ```
+
+Where: `fresh-install.xml` is the response file containing your desired settings for the installation (there are 4 models available in the folder `xml_setup`: fresh-install.xml, itil-fresh-install.xml, itil-upgrade.xml, upgrade.xml)
+
+Fresh installation parameters
+> Important:
+> In the case of a fresh installation (<mode>install</mode>), do not forget to complete below mandatory parameters before:
+
+```xml 
+<database>
+    <server></server>
+    <user></user>
+    <pwd></pwd>
+    <name></name>
+    <db_tls_enabled></db_tls_enabled>
+    <db_tls_ca></db_tls_ca>
+    <prefix></prefix>
+</database>
+<url>
+</url>
+<graphviz_path>/usr/bin/dot</graphviz_path>
+<admin_account>
+<user></user>
+<pwd></pwd>
+<language></language>
+</admin_account>
+<language></language>
+```
+
+## Options
+
+To get all available options of the script, you can perform the following command :
+```php unattended-install.php --help```
+
+# install-itop.sh
+
+## Usage
+
+You can install your iTop by only using config-itop.php settings and run either
+
+- a non-ITIL iTop fresh installation (use itil-fresh-install.xml to have ITIL modules instead)
+
+```
+./install-itop.sh ./xml_setup/fresh-install.xml
+```
+
+- a non-ITIL iTop upgrade (use itil-upgrade.xml to have ITIL modules instead)
+
+```
+./install-itop.sh ./xml_setup/upgrade.xml
+```
+
+- a specific iTop installation by providing both xml setup file
+  in below example file provided is the one generated by iTop during last setup.
+
+```
+./install-itop.sh ../../log/install-2024-04-03.xml
+```

setup/unattended-install/install-itop.sh

@@ -0,0 +1,50 @@
+#! /bin/bash
+
+CLI_NAME=$(basename $0)
+DIR=$(dirname $0)
+ITOP_DIR="$DIR/../.."
+
+HELP="Syntax: $CLI_NAME XML_SETUP [INSTALLATION_XML]"
+
+function HELP {
+	echo $HELP
+	exit 1
+}
+
+if [ $# -lt 1 ]
+then
+	echo "Missing parameters passed."
+	HELP
+fi
+
+if [ $# -gt 2 ]
+then
+	echo "Too much parameters passed ($#) : $*."
+	HELP
+fi
+
+XML_SETUP=$1
+if [ ! -f $XML_SETUP ]
+then
+  echo "XML_SETUP file ($XML_SETUP) not found."
+	HELP
+fi
+
+if [ $# -eq 2 ]
+then
+	INSTALLATION_XML=$2
+	if [ ! -f $INSTALLATION_XML ]
+	then
+		echo "INSTALLATION_XML file ($INSTALLATION_XML) not found."
+	  HELP
+	fi
+else
+  INSTALLATION_XML="$ITOP_DIR/datamodels/2.x/installation.xml"
+fi
+
+echo "$CLI_NAME: Using XML_SETUP ($XML_SETUP) and INSTALLATION_XML ($INSTALLATION_XML) files during unattended itop installation."
+
+rm -rf $ITOP_DIR/data/.maintenance;
+echo php $DIR/unattended-install.php --use_itop_config --installation_xml="$INSTALLATION_XML" --param-file="$XML_SETUP"
+
+php $DIR/unattended-install.php --use_itop_config --installation_xml="$INSTALLATION_XML" --param-file="$XML_SETUP"

setup/unattended-install/unattended-install.php

@@ -0,0 +1,406 @@
+<?php
+
+require_once(dirname(__FILE__, 3) . '/approot.inc.php');
+require_once(__DIR__ . '/InstallationFileService.php');
+
+function PrintUsageAndExit()
+{
+    echo <<<EOF
+Usage: php unattended-install.php --param-file=<path_to_response_file> [--installation_xml=<path_to_installation_xml>] [--use_itop_config]
+
+Options:
+    --param-file=<path_to_response_file>  Path to the file (XML) to use for the unattended installation. That file (generated by the setup into log directory) must contain the following sections:
+                                            - target_env: the target environment (production, test, dev)
+                                            - database: the database settings (server, user, pwd, name, prefix)
+                                            - selected_modules: the list of modules to install
+    --response_file                         DEPRECATED: use `--param-file` instead
+    --installation_xml=<path_to_installation_xml>  Use an installation.xml file to compute the modules to install depending on the selected extensions listed in the param file
+    --use_itop_config                       Use the iTop configuration file to get the database settings, otherwise use the database settings from the parameters file
+
+Advanced options:
+    --check-consistency=1                   Check the data model consistency after the installation (default: 0)
+    --clean=1                               In case of a first installation, cleanup the environment before proceeding: delete the configuration file, the cache directory, the target directory, the database (default: 0)
+    --install=0                             Set to 0 to perform a dry-run (default: 1)
+EOF;
+    exit(-1);
+}
+/////////////////////////////////////////////////
+
+$sCleanName = strtolower(trim(PHP_SAPI));
+if ($sCleanName !== 'cli')
+{
+	echo "Mode CLI only";
+	exit(-1);
+}
+
+if (in_array('--help', $argv)) {
+    PrintUsageAndExit();
+}
+
+$sParamFile = utils::ReadParam('param-file', null, true /* CLI allowed */, 'raw_data') ?? utils::ReadParam('response_file', null, true /* CLI allowed */, 'raw_data');
+if (is_null($sParamFile)) {
+	echo "Missing mandatory argument `--param-file`.\n";
+    PrintUsageAndExit();
+}
+$bCheckConsistency = (utils::ReadParam('check-consistency', '0', true /* CLI allowed */) == '1');
+
+if (false === file_exists($sParamFile)) {
+	echo "Param file `$sParamFile` doesn't exist! Exiting...\n";
+	exit(-1);
+}
+
+$oParams = new XMLParameters($sParamFile);
+
+$sMode = $oParams->Get('mode');
+
+$sTargetEnvironment = $oParams->Get('target_env', '');
+if ($sTargetEnvironment == '')
+{
+	$sTargetEnvironment = 'production';
+}
+
+$sXmlSetupBaseName = basename($sParamFile);
+$sInstallationXmlPath = utils::ReadParam('installation_xml', null, true /* CLI allowed */, 'raw_data');
+if (! is_null($sInstallationXmlPath) && is_file($sInstallationXmlPath)) {
+	$sInstallationBaseName = basename($sInstallationXmlPath);
+
+	$aSelectedExtensionsFromXmlSetup = $oParams->Get('selected_extensions', []);
+	$bInstallationChoicesProvided = count($aSelectedExtensionsFromXmlSetup) !== 0;
+	if ($bInstallationChoicesProvided) {
+		$sMsg = "Modules to install computed based on $sInstallationBaseName file and installation choices (listed in section `selected_extensions` of $sXmlSetupBaseName file)";
+		echo "$sMsg:\n".implode(',', $aSelectedExtensionsFromXmlSetup)."\n\n";
+		SetupLog::Info($sMsg, null, $aSelectedExtensionsFromXmlSetup);
+	} else {
+		$sMsg = "Modules to install computed based on default installation choices inside $sInstallationBaseName (no choice specified in section `selected_extensions` of $sXmlSetupBaseName file).";
+		echo "$sMsg\n\n";
+		SetupLog::Info($sMsg);
+	}
+
+	$oInstallationFileService = new InstallationFileService($sInstallationXmlPath, $sTargetEnvironment, $aSelectedExtensionsFromXmlSetup);
+	$oInstallationFileService->Init();
+
+	$aComputedExtensions = $oInstallationFileService->GetAfterComputationSelectedExtensions();
+	if (! $bInstallationChoicesProvided) {
+		$sMsg = "Computed installation choices";
+		echo "$sMsg:\n".implode(',', $aComputedExtensions)."\n\n";
+		SetupLog::Info($sMsg, null, $aComputedExtensions);
+		$oParams->Set('selected_extensions', $aComputedExtensions);
+	}
+
+	$aComputedModules = $oInstallationFileService->GetSelectedModules();
+	$aSelectedModules = array_keys($aComputedModules);
+	$oParams->Set('selected_modules', $aSelectedModules);
+
+	$sMsg = "Computed modules to install";
+} else {
+	$aSelectedModules = $oParams->Get('selected_modules', []);
+	$sMsg = "Modules to install listed in $sXmlSetupBaseName (selected_modules section)";
+}
+
+sort($aSelectedModules);
+echo "$sMsg:\n".implode(',', $aSelectedModules)."\n\n";
+SetupLog::Info($sMsg, null, $aSelectedModules);
+
+// Configuration file
+$sConfigFile = APPCONF.$sTargetEnvironment.'/'.ITOP_CONFIG_FILE;
+$bUseItopConfig = in_array('--use_itop_config', $argv);
+if ($bUseItopConfig && file_exists($sConfigFile)){
+	//unattended run based on db settings coming from itop configuration
+	copy($sConfigFile, "$sConfigFile.backup");
+
+	$oConfig = new Config($sConfigFile);
+	$aDBXmlSettings = $oParams->Get('database', array());
+	$aDBXmlSettings ['server'] = $oConfig->Get('db_host');
+	$aDBXmlSettings ['user'] = $oConfig->Get('db_user');
+	$aDBXmlSettings ['pwd'] = $oConfig->Get('db_pwd');
+	$aDBXmlSettings ['name'] = $oConfig->Get('db_name');
+	$aDBXmlSettings ['prefix'] = $oConfig->Get('db_subname');
+	$aDBXmlSettings ['db_tls_enabled'] = $oConfig->Get('db_tls.enabled');
+	//cannot be null or infinite loop triggered!
+	$aDBXmlSettings ['db_tls_ca'] = $oConfig->Get('db_tls.ca') ?? "";
+	$oParams->Set('database', $aDBXmlSettings);
+
+	$aFields = [
+		'url' => 'app_root_url',
+		'source_dir' => 'source_dir',
+		'graphviz_path' => 'graphviz_path',
+	];
+	foreach($aFields as $sSetupField => $sConfField){
+		$oParams->Set($sSetupField, $oConfig->Get($sConfField));
+	}
+
+	$oParams->Set('mysql_bindir', $oConfig->GetModuleSetting('itop-backup', 'mysql_bindir', ""));
+	$oParams->Set('language', $oConfig->GetDefaultLanguage());
+} else {
+	//unattended run based on db settings coming from response_file (XML file)
+	$aDBXmlSettings = $oParams->Get('database', array());
+}
+
+$sDBServer = $aDBXmlSettings['server'];
+$sDBUser = $aDBXmlSettings['user'];
+$sDBPwd = $aDBXmlSettings['pwd'];
+$sDBName = $aDBXmlSettings['name'];
+$sDBPrefix = $aDBXmlSettings['prefix'];
+
+if ($sMode == 'install')
+{
+	echo "Installation mode detected.\n";
+
+	$bClean = utils::ReadParam('clean', false, true /* CLI allowed */);
+	if ($bClean)
+	{
+		echo "Cleanup mode detected.\n";
+
+		if (file_exists($sConfigFile))
+		{
+			echo "Trying to delete the configuration file: '$sConfigFile'.\n";
+			@chmod($sConfigFile, 0770); // RWX for owner and group, nothing for others
+			unlink($sConfigFile);
+		}
+		else
+		{
+			echo "No config file to delete ($sConfigFile does not exist).\n";
+		}
+
+		// Starting with iTop 2.7.0, a failed setup leaves some lock files, let's remove them
+		$aLockFiles = array(
+			'data/.readonly' => 'read-only lock file',
+			'data/.maintenance' => 'maintenance mode lock file',
+		);
+		foreach($aLockFiles as $sFile => $sDescription)
+		{
+	 		$sLockFile = APPROOT.$sFile;
+			if (file_exists($sLockFile))
+			{
+				echo "Trying to delete the $sDescription: '$sLockFile'.\n";
+				unlink($sLockFile);
+			}
+		}
+
+		// Starting with iTop 2.6.0, let's remove the cache directory as well
+		// Can cause some strange issues in the setup (apparently due to the Dict class being automatically loaded ??)
+		$sCacheDir = APPROOT.'data/cache-'.$sTargetEnvironment;
+		if (file_exists($sCacheDir))
+		{
+			if (is_dir($sCacheDir))
+			{
+			 	echo "Emptying the cache directory '$sCacheDir'.\n";
+			 	SetupUtils::tidydir($sCacheDir);
+			}
+			else
+			{
+				die("ERROR the cache directory '$sCacheDir' exists, but is NOT a directory !!!\nExiting.\n");
+			}
+		}
+
+		// env-xxx directory
+		$sTargetDir = APPROOT.'env-'.$sTargetEnvironment;
+		if (file_exists($sTargetDir))
+		{
+			if (is_dir($sTargetDir))
+			{
+			 	echo "Emptying the target directory '$sTargetDir'.\n";
+			 	SetupUtils::tidydir($sTargetDir);
+			}
+			else
+			{
+				die("ERROR the target dir '$sTargetDir' exists, but is NOT a directory !!!\nExiting.\n");
+			}
+		}
+		else
+		{
+			echo "No target directory to delete ($sTargetDir does not exist).\n";
+		}
+
+		if ($sDBPrefix != '')
+		{
+			die("Cleanup not implemented for a partial database (prefix= '$sDBPrefix')\nExiting.");
+		}
+
+		$oMysqli = new mysqli($sDBServer, $sDBUser, $sDBPwd);
+		if ($oMysqli->connect_errno)
+		{
+		    die("Cannot connect to the MySQL server (".$oMysqli->connect_errno . ") ".$oMysqli->connect_error."\nExiting");
+		}
+		else
+		{
+			if ($oMysqli->select_db($sDBName))
+			{
+				echo "Deleting database '$sDBName'\n";
+				$oMysqli->query("DROP DATABASE `$sDBName`");
+			}
+			else
+			{
+				echo "The database '$sDBName' does not seem to exist. Nothing to cleanup.\n";
+			}
+		}
+	}
+}
+else
+{
+	//use settings from itop conf
+	$sTargetEnvironment = $oParams->Get('target_env', '');
+	if ($sTargetEnvironment == '')
+	{
+		$sTargetEnvironment = 'production';
+	}
+	$sTargetDir = APPROOT.'env-'.$sTargetEnvironment;
+}
+
+$bHasErrors = false;
+$aChecks = SetupUtils::CheckBackupPrerequisites(APPROOT.'data'); // mmm should be the backup destination dir
+
+$aSelectedModules = $oParams->Get('selected_modules');
+$sSourceDir = $oParams->Get('source_dir', 'datamodels/latest');
+$sExtensionDir = $oParams->Get('extensions_dir', 'extensions');
+$aChecks = array_merge($aChecks, SetupUtils::CheckSelectedModules($sSourceDir, $sExtensionDir, $aSelectedModules));
+
+foreach($aChecks as $oCheckResult)
+{
+	switch ($oCheckResult->iSeverity)
+	{
+		case CheckResult::ERROR:
+			$bHasErrors = true;
+			$sHeader = "Error";
+			break;
+
+		case CheckResult::WARNING:
+			$sHeader = "Warning";
+			break;
+
+		case 3: // CheckResult::TRACE added in iTop 3.0.0
+			// does nothing : those are old debug traces, see N°2214
+			$sHeader = 'Trace';
+			break;
+
+		case CheckResult::INFO:
+		default:
+			$sHeader = "Info";
+			break;
+	}
+	echo $sHeader.": ".$oCheckResult->sLabel;
+	if (strlen($oCheckResult->sDescription))
+	{
+		echo ' - '.$oCheckResult->sDescription;
+	}
+	echo "\n";
+}
+
+if ($bHasErrors)
+{
+	echo "Encountered stopper issues. Aborting...\n";
+	$sLogMsg = "Encountered stopper issues. Aborting...";
+	echo "$sLogMsg\n";
+	SetupLog::Error($sLogMsg);
+	exit(-1);
+}
+
+$bFoundIssues = false;
+
+$bInstall = utils::ReadParam('install', true, true /* CLI allowed */);
+if ($bInstall)
+{
+	echo "Starting the unattended installation...\n";
+	$oWizard = new ApplicationInstaller($oParams);
+	$bRes = $oWizard->ExecuteAllSteps();
+	if (!$bRes)
+	{
+		echo "\nencountered installation issues!";
+		$bFoundIssues = true;
+	}
+	else
+	{
+		$oMysqli = new mysqli($sDBServer, $sDBUser, $sDBPwd);
+		if (!$oMysqli->connect_errno)
+		{
+			if ($oMysqli->select_db($sDBName))
+			{
+				// Check the presence of a table to record information about the MTP (from the Designer)
+				$sDesignerUpdatesTable = $sDBPrefix.'priv_designer_update';
+				$sSQL = "SELECT id FROM `$sDesignerUpdatesTable`";
+				if ($oMysqli->query($sSQL) !== false)
+				{
+					// Record the Designer Udpates in the priv_designer_update table
+					$sDeltaFile = APPROOT.'data/'.$sTargetEnvironment.'.delta.xml';
+					if (is_readable($sDeltaFile))
+					{
+						// Retrieve the revision
+						$oDoc = new DOMDocument();
+						$oDoc->load($sDeltaFile);
+						$iRevision = 0;
+						$iRevision = $oDoc->firstChild->getAttribute('revision_id');
+						if ($iRevision > 0) // Safety net, just in case...
+						{
+							$sDate = date('Y-m-d H:i:s');
+							$sSQL = "INSERT INTO `$sDesignerUpdatesTable` (revision_id, compilation_date, comment) VALUES ($iRevision, '$sDate', 'Deployed using unattended.php.')";
+							if ($oMysqli->query($sSQL) !== false)
+							{
+								echo "\nDesigner update (MTP at revision $iRevision) successfully recorded.\n";
+							}
+							else
+							{
+								echo "\nFailed to record designer updates(".$oMysqli->error.").\n";
+							}
+						}
+						else
+						{
+							echo "\nFailed to read the revision from $sDeltaFile file. No designer update information will be recorded.\n";
+
+						}
+					}
+					else
+					{
+						echo "\nNo $sDeltaFile file (or the file is not accessible). No designer update information to record.\n";
+					}
+				}
+			}
+		}
+	}
+}
+else
+{
+	echo "No installation requested.\n";
+}
+if (!$bFoundIssues && $bCheckConsistency)
+{
+	echo "Checking data model consistency.\n";
+	ob_start();
+	$sCheckRes = '';
+	try
+	{
+		MetaModel::CheckDefinitions(false);
+		$sCheckRes = ob_get_clean();
+	}
+	catch(Exception $e)
+	{
+		$sCheckRes = ob_get_clean()."\nException: ".$e->getMessage();
+	}
+	if (strlen($sCheckRes) > 0)
+	{
+		echo $sCheckRes;
+		echo "\nfound consistency issues!";
+		$bFoundIssues = true;
+	}
+}
+
+if (! $bFoundIssues)
+{
+	// last line: used to check the install
+	// the only way to track issues in case of Fatal error or even parsing error!
+	$sLogMsg = "installed!";
+
+	if ($bUseItopConfig && is_file("$sConfigFile.backup"))
+	{
+		echo "\nuse config file provided by backup in $sConfigFile.";
+		copy("$sConfigFile.backup", $sConfigFile);
+	}
+
+	SetupLog::Info($sLogMsg);
+	echo "\n$sLogMsg";
+	exit(0);
+}
+
+$sLogMsg = "installation failed!";
+SetupLog::Error($sLogMsg);
+echo "\n$sLogMsg\n";
+exit(-1);

setup/unattended-install/web.config

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+  <system.webServer>
+    <security>
+      <requestFiltering>
+         <fileExtensions applyToWebDAV="false" allowUnlisted="false"></fileExtensions>
+      </requestFiltering>
+      <authorization>
+        <deny users="*" /> <!-- Denies all users -->
+      </authorization>
+    </security>
+  </system.webServer>
+</configuration>

setup/unattended-install/xml_setup/fresh-install.xml

@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<installation>
+  <mode>install</mode>
+  <preinstall>
+  </preinstall>
+  <source_dir>datamodels/2.x/</source_dir>
+  <datamodel_version>2.7.0</datamodel_version>
+  <previous_configuration_file>/var/www/html/iTop/conf/production/config-itop.php</previous_configuration_file>
+  <extensions_dir>extensions</extensions_dir>
+  <target_env>production</target_env>
+  <workspace_dir></workspace_dir>
+  <database>
+    <server></server>
+    <user></user>
+    <pwd></pwd>
+    <name></name>
+    <db_tls_enabled></db_tls_enabled>
+    <db_tls_ca></db_tls_ca>
+    <prefix></prefix>
+  </database>
+  <url></url>
+  <graphviz_path>/usr/bin/dot</graphviz_path>
+  <admin_account>
+    <user></user>
+    <pwd></pwd>
+    <language></language>
+  </admin_account>
+  <language></language>
+  <selected_modules type="array">
+  </selected_modules>
+  <selected_extensions type="array">
+  </selected_extensions>
+  <sample_data>1</sample_data>
+  <old_addon></old_addon>
+  <options type="array"/>
+  <mysql_bindir></mysql_bindir>
+  <selected_modules type="array">
+  </selected_modules>
+  <selected_extensions type="array">
+  </selected_extensions>
+</installation>

setup/unattended-install/xml_setup/itil-fresh-install.xml

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<installation>
+  <mode>install</mode>
+  <preinstall>
+  </preinstall>
+  <source_dir>datamodels/2.x/</source_dir>
+  <datamodel_version>2.7.0</datamodel_version>
+  <previous_configuration_file>/var/www/html/iTop/conf/production/config-itop.php</previous_configuration_file>
+  <extensions_dir>extensions</extensions_dir>
+  <target_env>production</target_env>
+  <workspace_dir></workspace_dir>
+  <database>
+    <server></server>
+    <user></user>
+    <pwd></pwd>
+    <name></name>
+    <db_tls_enabled></db_tls_enabled>
+    <db_tls_ca></db_tls_ca>
+    <prefix></prefix>
+  </database>
+  <url></url>
+  <graphviz_path>/usr/bin/dot</graphviz_path>
+  <admin_account>
+    <user></user>
+    <pwd></pwd>
+    <language></language>
+  </admin_account>
+  <language></language>
+  <selected_modules type="array">
+  </selected_modules>
+  <selected_extensions type="array">
+  </selected_extensions>
+  <sample_data>1</sample_data>
+  <old_addon></old_addon>
+  <options type="array"/>
+  <mysql_bindir></mysql_bindir>
+  <selected_modules type="array">
+  </selected_modules>
+  <selected_extensions type="array">
+    <item>itop-config-mgmt-datacenter</item>
+    <item>itop-config-mgmt-end-user</item>
+    <item>itop-config-mgmt-storage</item>
+    <item>itop-config-mgmt-virtualization</item>
+    <item>itop-service-mgmt-enterprise</item>
+    <item>itop-ticket-mgmt-itil</item>
+    <item>itop-ticket-mgmt-itil-user-request</item>
+    <item>itop-ticket-mgmt-itil-incident</item>
+    <item>itop-ticket-mgmt-itil-enhanced-portal</item>
+    <item>itop-change-mgmt-itil</item>
+    <item>itop-config-mgmt-core</item>
+    <item>itop-kown-error-mgmt</item>
+  </selected_extensions>
+</installation>