N°9549 - Fix emails with mime type different than text/plain or text/html are no longer displayed correctly (#895)

* N°9549 - Fix emails with mime type different than text/plain or text/html are no longer displayed correctly

* N°9549 - Fix mime type comparisons to use the primary mime type instead of the whole string

.github/ISSUE_TEMPLATE/bug.yml

@@ -0,0 +1,59 @@
+name: "Bug report"
+description: "Report a bug that you identified in iTop, with the steps to reproduce it and the expected vs actual behavior. If you have an improvement proposition, please use the 'Enhancement suggestion' template instead."
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Please explain why you're creating this issue :
+        - Are you willing to create a PR for the bug fix ? If so, we'll indicate in the issue if we're interested in it.
+        - Then, please describe how to reproduce the issue.
+
+  - type: dropdown
+    id: willing_to_pr
+    attributes:
+      label: Are you willing to create (at a later stage) a PR for that?
+      options:
+        - Yes
+        - No
+    validations:
+      required: true
+
+  - type: input
+    id: itop_version
+    attributes:
+      label: iTop version
+      description: "Complete iTop version (e.g., 3.2.3)"
+    validations:
+      required: false
+
+  - type: input
+    id: php_version
+    attributes:
+      label: PHP version
+      description: "Complete PHP version (e.g., 8.4.20)"
+    validations:
+      required: false
+
+  - type: textarea
+    id: reproduction_steps
+    attributes:
+      label: Reproduction procedure
+      description: |
+        Please explain step by step how to reproduce the issue on a standard iTop Community.
+        If it requires a custom datamodel, provide the minimal XML delta to reproduce it.
+      placeholder: |
+        1. First go there
+        2. Then do that
+        3. ...
+        4. Finally, see that... (what is expected and what is actually happening)
+    validations:
+      required: false
+
+  - type: upload
+    id: additional_info
+    attributes:
+      label: Additional information (if needed)
+      description: "Add/drag and drop screenshots, logs or any files that can be relevant for your issue."
+    validations:
+      required: false
+      accept: ".png, .jpg, .jpeg, .gif, .webp, .log, .txt, .json, .csv, .xml, .zip, .tar.gz"

.github/ISSUE_TEMPLATE/enhancement.yml

@@ -0,0 +1,54 @@
+name: "Enhancement suggestion"
+description: "Suggest an improvement to iTop, with a clear description of the expected behavior and the benefits it would bring. If you identified a bug and have an improvement proposition, please use the 'Bug report' template instead."
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Please explain why you're creating this issue :
+        - Are you willing to create a PR for this enhancement ? If so, we'll indicate in the issue if we're interested in it.
+        - Then, please describe what's your improvement proposition.
+
+  - type: dropdown
+    id: willing_to_pr
+    attributes:
+      label: Are you willing to create (at a later stage) a PR for that?
+      options:
+        - Yes
+        - No
+    validations:
+      required: true
+
+  - type: input
+    id: itop_version
+    attributes:
+      label: iTop version
+      description: "Complete iTop version (e.g., 3.2.3)"
+    validations:
+      required: false
+
+  - type: input
+    id: php_version
+    attributes:
+      label: PHP version
+      description: "Complete PHP version (e.g., 8.4.20)"
+    validations:
+      required: false
+
+  - type: textarea
+    id: enhancement_details
+    attributes:
+      label: Enhancement details
+      description: |
+        Please explain what you want to improve, and your proposition to make it better.
+        If it requires a custom datamodel, provide the minimal XML delta to reproduce it.
+    validations:
+      required: false
+
+  - type: upload
+    id: additional_info
+    attributes:
+      label: Additional information (if needed)
+      description: "Add/drag and drop screenshots, logs or any files that can be relevant for your issue."
+    validations:
+      required: false
+      accept: ".png, .jpg, .jpeg, .gif, .webp, .log, .txt, .json, .csv, .xml, .zip, .tar.gz"

.github/pull_request_template.md

@@ -1,83 +1,76 @@
 <!--
+IMPORTANT: Before creating your PR, please create an issue first to know if Combodo is interested in your contribution (not needed for translations PR).
+Since we may refuse a PR, it's preferable to create an issue first, to avoid spending time coding something that won't be accepted.
 
-IMPORTANT: Please follow the guidelines within this PR template before submitting it, it will greatly help us process your PR. 🙏
+Once you've done it, and we confirmed we're interested in it, please follow the guidelines within this PR template before submitting it, it will greatly help us process your PR. 🙏
 
 Any PRs not following the guidelines or with missing information will not be considered.
-
 -->
 
 ## Base information
-| Question                                                      | Answer 
-|---------------------------------------------------------------|--------
-| Related to a SourceForge thead / Another PR / Combodo ticket? | <!-- Put the URL -->
-| Type of change?                                               | Bug fix / Enhancement / Translations
 
+| Question                                                                        | Answer                               |
+|---------------------------------------------------------------------------------|--------------------------------------|
+| Related to a SourceForge thread / Another PR / A GitHub Issue / Combodo ticket? | <!-- Put the URL -->                 |
+| Type of change?                                                                 | Bug fix / Enhancement / Translations |
 
 ## Symptom (bug) / Objective (enhancement)
+
 <!--
 If it's a bug
   - Explain the symptom in details
   - If possible put error messages, logs or screenshots (you can paste image directly in this editor).
 
 If it's an enhancement
-  - Describe what is blocking you, what is the objective with as much details as possible.
+  - Describe what is blocking you, what is the objective with as many details as possible.
   - Add screenshots if it's related to UI.
 -->
 
-
 ## Reproduction procedure (bug)
+
 <!--
-Remove this section only if it's NOT a bug.
-
-Otherwise, explain step by step how to reproduce the issue on a standard iTop Community.
-
+Please explain step by step how to reproduce the issue on a standard iTop Community.
 If it requires a custom datamodel, provide the minimal XML delta to reproduce it on a standard iTop Community.
 -->
 
 1. On iTop x.y.z <!-- Put complete iTop version (eg. 3.1.0-2) -->
 2. With PHP x.y.z <!-- Put complete PHP version (eg. 8.1.24) -->
-2. First go there
-2. Then do that
-3. ...
-4. Finally, see that...
+3. First go there
+4. Then do that
+5. ...
+6. Finally, see that... (what is expected and what is actually happening)
 
+## Reproduction procedure (enhancement - if needed)
+
+<!--
+Please explain how we can reproduce the feature/behavior you want to improve, and what's your proposition to make it better.
+Add screenshots if it's related to UI.
+If it requires a custom datamodel, provide the minimal XML delta to reproduce it on a standard iTop Community.
+-->
 
 ## Cause (bug)
+
 <!--
 Remove this section only if it's NOT a bug.
 
 Otherwise, explain what is the cause of the issue (where in the code and why)
 -->
 
-
 ## Proposed solution (bug and enhancement)
+
 <!--
 Explain in details how you are proposing to solve this:
   - What did you do in the code and why
   - If you changed something in the UI, put before / after screenshots (you can paste image directly in this editor)
 -->
 
-
 ## Checklist before requesting a review
+
 <!--
 Don't remove these lines, check them once done.
 -->
+
 - [ ] I have performed a self-review of my code
 - [ ] I have tested all changes I made on an iTop instance
 - [ ] I have added a unit test, otherwise I have explained why I couldn't
-- [ ] Is the PR clear and detailed enough so anyone can understand digging in the code?
-
-## Checklist of things to do before PR is ready to merge
-<!--
-Things that needs to be done in the PR before it can be considered as ready to be merged
-
-Examples:
-- Changes requested in the review
-- Unit test to add
-- Dictionary entries to translate
-- ...
--->
-
-- [ ] ...
-- [ ] ...
-- [ ] ...
+- [ ] Is the PR clear and detailed enough so anyone can understand without digging in the code?

CONTRIBUTING.md

@@ -4,30 +4,33 @@ You want to contribute to iTop? Many thanks to you! 🎉 👍
 
 Here are some guidelines that will help us integrate your work!
 
-
 ## Contributions
 
 ### Subjects
+
 You are welcome to create pull requests on any of those subjects:
 
 * 🐛 bug fix
 * 🌐 translation / i18n / l10n
+* 🚸 enhancement
 
-If you want to implement a **new feature**, please [create a corresponding ticket](https://sourceforge.net/p/itop/tickets/new/) for review.   
-If you ever want to begin implementation, do so in a fork, and add a link to the corresponding commits in the ticket.
+But before creating a PR, please [create a corresponding issue][itop-issues] for review.
+We should review within two weeks, and get back to you to indicate if we're interested in your proposal or not.
+If you don't create an issue, you won't know if we're interested in your contribution, and you may spend time coding something that won't be accepted.
+If you ever want to begin implementation, do so in a fork, and add a link to the corresponding commits in the issue.
 
 For all **security related subjects**, please see our [security policy](SECURITY.md).
 
-All **datamodel modification** should be done in an extension. Beware that such change would 
-impact all existing customers, and could prevent them from 
-upgrading!
-Combodo has a long experience of datamodel changes: they are very disruptive! 
+All **datamodel modification** should be done in an extension. Beware that such change would
+impact all existing customers, and could prevent them from upgrading!
+Combodo has a long experience of datamodel changes: they are very disruptive!
 This is why we avoid them in iTop core, especially the changes on existing objects/fields.   
-If you have an idea you're sure would benefit to all of iTop users, you may 
-[create a corresponding ticket](https://sourceforge.net/p/itop/tickets/new/) to submit it, but be warned that there are lots of good 
+If you have an idea you're sure would benefit to all of iTop users, you may
+[create a corresponding issue][itop-issues] to submit it, but be warned that there are lots of good
 reasons to refuse such changes.
 
 ### 📄 License and copyright
+
 iTop is distributed under the AGPL-3.0 license (see the [license.txt] file).
 
 The iTop repository is divided in three parts: iTop (mainly PHP/JS/XML sources and dictionaries), images, and third-party libraries.
@@ -37,48 +40,33 @@ Anyhow, you are encouraged to signal your contribution by the mean of `@author`
 If you want to use another license or keep the code ownership (copyright), you may [create an extension][wiki new ext].
 
 [license.txt]: https://github.com/Combodo/iTop/blob/develop/license.txt
-[wiki new ext]: https://www.itophub.io/wiki/page?id=latest%3Acustomization%3Astart#by_writing_your_own_extension
 
+[itop-issues]: https://github.com/Combodo/iTop/issues
+
+[wiki new ext]: https://www.itophub.io/wiki/page?id=latest%3Acustomization%3Astart#by_writing_your_own_extension
 
 ## 🔀 iTop branch model
 
 When we first start with Git, we were using the [GitFlow](https://nvie.com/posts/a-successful-git-branching-model/) branch model. As
- there was some confusions about branches to use for current developed release and previous maintained release, and also because we were
- using just a very few of the GitFlow commands, we decided to add just a little modification to this branch model : since april 2020
-  we don't have a `master` branch anymore.
+there was some confusions about branches to use for current developed release and previous maintained release, and also because we were
+using just a very few of the GitFlow commands, we decided to add just a little modification to this branch model : since April 2020
+we don't have a `master` branch anymore.
 
-Here are the branches we use and their meaning : 
+Here are the branches we use and their meaning :
 
 - `develop`: ongoing development version
-- `release/*`: if present, that means we are working on a alpha/beta/rc version for shipping
 - `support/*`: maintenance branches for older versions
 
 For example, if no version is currently prepared for shipping we could have:
 
-- `develop` containing future 3.1.0 version
-- `support/3.0`: 3.0.x maintenance version
-- `support/2.7`: 2.7.x maintenance version
-- `support/2.6`: 2.6.x maintenance version
+- `develop` containing future 3.3.0 version
+- `support/3.2`: 3.2.x maintenance version
 
-In this example, when 3.1.0-beta is shipped that will become:
-
-- `develop`: future 3.2.0 version
-- `release/3.1.0`: 3.1.0-beta
-- `support/3.0`: 3.0.x maintenance version
-- `support/2.7`: 2.7.x maintenance version
-- `support/2.6`: 2.6.x maintenance version
-
-And when 3.1.0 final will be out:
-
-- `develop`: future 3.2.0 version
-- `support/3.1`: 3.1.x maintenance version (will host developments for 3.1.1)
-- `support/3.0`: 3.0.x maintenance version
-- `support/2.7`: 2.7.x maintenance version
-- `support/2.6`: 2.6.x maintenance version
-
-Also note that we have a "micro-version" concept : each of those versions have a very small amount of modifications. They are made from
- `support/*` branches as well. For example 2.6.2-1 and 2.6.2-2 were made from the `support/2.6.2` branch. 
+And when 3.3.0 will be out:
 
+- `develop`: future 3.4.0 version
+- `support/3.3`: 3.3.x maintenance version (will host developments for 3.3.1)
+- `support/3.2`: 3.2.x maintenance version
 
 ## Coding
 
@@ -92,12 +80,11 @@ A [dedicated page](https://www.itophub.io/wiki/page?id=latest%3Acustomization%3A
 2. Create a branch in this fork, based on the develop branch
 3. Code !
 
-Do create a dedicated branch for each modification you want to propose : if you don't it will be very hard to merge back your work !
+Do create a dedicated branch for each modification you want to propose : if you don't, it will be very hard to merge back your work !
 
-Most of the time you should based your developments on the develop branch.    
+Most of the time you should base your developments on the develop branch.    
 That may be different if you want to fix a bug, please use develop anyway and ask in your PR if rebase is possible.
 
-
 ### 🎨 PHP styleguide
 
 Please follow [our guidelines](https://www.itophub.io/wiki/page?id=latest%3Acustomization%3Acoding_standards).
@@ -106,7 +93,7 @@ Please follow [our guidelines](https://www.itophub.io/wiki/page?id=latest%3Acust
 
 Please create tests that covers as much as possible the code you're submitting.
 
-Our tests are located in the `test/` directory, containing a PHPUnit config file : `phpunit.xml.dist`.
+Our tests are located in the `tests/` directory, containing a PHPUnit config file : `phpunit.xml.dist`.
 
 ### Git Commit Messages
 
@@ -138,14 +125,14 @@ When your code is working, please:
 * Rebase your branch on our repo last commit,
 * Create a pull request. _Detailed procedure to work on fork and create PR is available [in GitHub help pages](https://help.github.com/articles/creating-a-pull-request-from-a-fork/)_.
 * Pull request description: mind to add all the information useful to understand why you're suggesting this modification and anything necessary to dive into your work. Especially:
-  - Bugfixes: exact steps to reproduce the bug (given/when/then), description of the bug cause and what solution is implemented 
-  - Enhancements: use cases, implementation details if needed
-* Mind to check the "[Allow edits from maintainers](https://docs.github.com/en/github-ae@latest/pull-requests/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork)" option ! (note that if you are working with an org fork, this option [won't be available](https://github.com/orgs/community/discussions/5634))
-
+    - Bugfixes: exact steps to reproduce the bug (given/when/then), description of the bug cause and what solution is implemented
+    - Enhancements: use cases, implementation details if needed
+* Mind to check the "[Allow edits from maintainers](https://docs.github.com/en/github-ae@latest/pull-requests/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork)" option ! (note that if you are working with an org fork, this
+  option [won't be available](https://github.com/orgs/community/discussions/5634))
 
 ## 🙏 We are thankful
 
-We are thankful for all your contributions to the iTop universe! As a thank you gift, we will send stickers to every iTop (& extensions) contributors!
+We are thankful for all your contributions to the iTop universe! As a thank-you gift, we will send stickers to every iTop (& extensions) contributors!
 
 We have one sticker per contribution type. You might get multiple stickers with one contribution though :)
 
@@ -157,8 +144,4 @@ We have one sticker per contribution type. You might get multiple stickers with
 * Graduated: Follow a Combodo's iTop training
 * Ambassador: Outstanding community contributors
 * Beta tester: Test and give feedback on beta releases
-* Extension developer: Develop and publish an extension
-
-Here is the design of each stickers for year 2024:
-
-![iTop stickers 2024](.doc/contributing-guide/2024.contributing-stickers-side-by-side.png)
+* Extension developer: Develop and publish an extension

application/cmdbabstract.class.inc.php

@@ -810,6 +810,7 @@ HTML
 				foreach ($aNotificationClasses as $sNotifClass) {
 					$aNotifSearches[$sNotifClass] = DBObjectSearch::FromOQL("SELECT $sNotifClass AS Ev JOIN Trigger AS T ON Ev.trigger_id = T.id WHERE T.id IN (:triggers) AND Ev.object_id = :id");
 					$aNotifSearches[$sNotifClass]->SetInternalParams($aParams);
+					$aNotifSearches[$sNotifClass]->AllowAllData();
 					$oNotifSet = new DBObjectSet($aNotifSearches[$sNotifClass], []);
 					$iNotifsCount += $oNotifSet->Count();
 				}
@@ -823,6 +824,7 @@ HTML
 						'menu' => false,
 						'panel_title' => MetaModel::GetName($sNotifClass),
 						'panel_icon' => MetaModel::GetClassIcon($sNotifClass, false),
+						'display_unauthorized_objects' => true,
 					]);
 				}
 			}

application/displayblock.class.inc.php

@@ -724,6 +724,10 @@ class DisplayBlock
 				}
 			}
 
+			if (!$this->m_oFilter->IsAllDataAllowed() && ($aExtraParams['display_unauthorized_objects'] ?? false) === true) {
+				$this->m_oFilter->AllowAllData();
+			}
+
 			$aExtraParams['query_params'] = $this->m_oFilter->GetInternalParams();
 			$this->m_oSet = new CMDBObjectSet($this->m_oFilter, $aOrderBy, $aQueryParams);
 		}
@@ -1381,7 +1385,10 @@ JS
 
 		// Check the classes that can be read (i.e authorized) by this user...
 		foreach ($aClasses as $sAlias => $sClassName) {
-			if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $this->m_oSet) != UR_ALLOWED_NO) {
+			if (
+				(UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $this->m_oSet) !== UR_ALLOWED_NO)
+				|| ($aExtraParams['display_unauthorized_objects'] ?? false) === true
+			) {
 				$aAuthorizedClasses[$sAlias] = $sClassName;
 			}
 		}

application/loginexternal.class.inc.php

@@ -75,13 +75,10 @@ class LoginExternal extends AbstractLoginFSMExtension
 	}
 
 	/**
-	 * @return bool
+	 * @return bool|mixed
 	 */
 	private function GetAuthUser()
 	{
-		$sExtAuthVar = MetaModel::GetConfig()->GetExternalAuthenticationVariable(); // In which variable is the info passed ?
-		eval('$sAuthUser = isset('.$sExtAuthVar.') ? '.$sExtAuthVar.' : false;'); // Retrieve the value
-		/** @var string $sAuthUser */
-		return $sAuthUser; // Retrieve the value
+		return MetaModel::GetConfig()->GetExternalAuthenticationVariable();
 	}
 }

application/menunode.class.inc.php

@@ -1546,12 +1546,21 @@ class ShortcutMenuNode extends MenuNode
 	public function GetHyperlink($aExtraParams)
 	{
 		$sContext = $this->oShortcut->Get('context');
-		$aContext = unserialize($sContext);
-		if (isset($aContext['menu'])) {
-			unset($aContext['menu']);
-		}
-		foreach ($aContext as $sArgName => $sArgValue) {
-			$aExtraParams[$sArgName] = $sArgValue;
+		try {
+			$aContext = utils::Unserialize($sContext);
+			if (isset($aContext['menu'])) {
+				unset($aContext['menu']);
+			}
+			foreach ($aContext as $sArgName => $sArgValue) {
+				$aExtraParams[$sArgName] = $sArgValue;
+			}
+		} catch (Exception $e) {
+			IssueLog::Warning("User shortcut corrupted, delete the shortcut", LogChannels::CONSOLE, [
+				'shortcut_name' => $this->oShortcut->GetName(),
+				'root_cause' => $e->getMessage(),
+			]);
+			// delete the shortcut
+			$this->oShortcut->DBDelete();
 		}
 		return parent::GetHyperlink($aExtraParams);
 	}

application/themehandler.class.inc.php

@@ -936,11 +936,6 @@ CSS;
 	public static function CloneThemeParameterAndIncludeVersion($aThemeParameters, $bSetupCompilationTimestamp, $aImportsPaths)
 	{
 		$aThemeParametersVariable = [];
-		if (array_key_exists('variables', $aThemeParameters)) {
-			if (is_array($aThemeParameters['variables'])) {
-				$aThemeParametersVariable = array_merge([], $aThemeParameters['variables']);
-			}
-		}
 
 		if (array_key_exists('variable_imports', $aThemeParameters)) {
 			if (is_array($aThemeParameters['variable_imports'])) {
@@ -948,6 +943,14 @@ CSS;
 			}
 		}
 
+		// Variables defined in theme XML have the priority over variables defined in XML imports files
+		// They're defined after so they overwrite previous parameters
+		if (array_key_exists('variables', $aThemeParameters)) {
+			if (is_array($aThemeParameters['variables'])) {
+				$aThemeParametersVariable = array_merge($aThemeParametersVariable, $aThemeParameters['variables']);
+			}
+		}
+
 		$aThemeParametersVariable['$version'] = $bSetupCompilationTimestamp;
 		return $aThemeParametersVariable;
 	}

application/ui.linksdirectwidget.class.inc.php

@@ -228,7 +228,7 @@ JS
 			<<<HTML
 <form id="ObjectsAddForm_{$this->sInputid}">
     <div id="SearchResultsToAdd_{$this->sInputid}">
-        <div style="background: #fff; border:0; text-align:center; vertical-align:middle;"><p>{$sEmptyList}</p></div>
+        <div style="border:0; text-align:center; vertical-align:middle;"><p>{$sEmptyList}</p></div>
     </div>
     <input type="hidden" id="count_{$this->sInputid}" value="0"/>
 </form>

application/ui.searchformforeignkeys.class.inc.php

@@ -68,7 +68,7 @@ class UISearchFormForeignKeys
 			<<<HTML
 <form id="ObjectsAddForm_{$this->m_iInputId}">
     <div id="SearchResultsToAdd_{$this->m_iInputId}" style="vertical-align:top;height:100%;overflow:auto;padding:0;border:0;">
-        <div style="background: #fff; border:0; text-align:center; vertical-align:middle;"><p>{$sEmptyList}</p></div>
+        <div style="border:0; text-align:center; vertical-align:middle;"><p>{$sEmptyList}</p></div>
     </div>
     <input type="hidden" id="count_{$this->m_iInputId}" value="0"/>
 </form>

application/utils.inc.php

@@ -1455,6 +1455,12 @@ class utils
 
 			case iPopupMenuExtension::MENU_OBJLIST_TOOLKIT:
 				/** @var \DBObjectSet $param */
+
+				// Check if the user has the right to read the objects of this list, otherwise do not propose any action (eg. configure this list, export, etc.)
+				if (UserRights::IsActionAllowed($param->GetFilter()->GetClass(), UR_ACTION_READ, $param) !== UR_ALLOWED_YES) {
+					break;
+				}
+
 				$oAppContext = new ApplicationContext();
 				$sContext = $oAppContext->GetForLink(true);
 				$sDataTableId = is_null($sDataTableId) ? '' : $sDataTableId;
@@ -3246,4 +3252,50 @@ TXT
 
 		return $aTrace;
 	}
+
+	/**
+	 * PHP unserialize encapsulation, allow throwing exception when not allowed object class is detected (for security hardening)
+	 *
+	 * @param string $data data to unserialize
+	 * @param array $aOptions PHP @unserialise options
+	 * @param bool $bThrowNotAllowedObjectClassException flag to throw exception
+	 *
+	 * @return mixed PHP @unserialise return
+	 * @throws Exception
+	 */
+	public static function Unserialize(string $data, array $aOptions = ['allowed_classes' => false], bool $bThrowNotAllowedObjectClassException = true): mixed
+	{
+		$data = unserialize($data, $aOptions);
+
+		if ($bThrowNotAllowedObjectClassException) {
+			try {
+				self::AssertNoIncompleteClassDetected($data);
+			} catch (Exception $e) {
+				throw new CoreException('Unserialization failed because an incomplete class was detected.', [], '', $e);
+			}
+		}
+
+		return $data;
+	}
+
+	/**
+	 * Assert that data provided doesn't contain any incomplete class.
+	 *
+	 * @throws Exception
+	 */
+	public static function AssertNoIncompleteClassDetected(mixed $data): void
+	{
+		if (is_object($data)) {
+			if ($data instanceof __PHP_Incomplete_Class) {
+				throw new Exception('__PHP_Incomplete_Class_Name object detected');
+			}
+			foreach (get_object_vars($data) as $property) {
+				self::AssertNoIncompleteClassDetected($property);
+			}
+		} elseif (is_array($data)) {
+			foreach ($data as $value) {
+				self::AssertNoIncompleteClassDetected($value);
+			}
+		}
+	}
 }

approot.inc.php

@@ -23,7 +23,7 @@ define('ITOP_DESIGN_LATEST_VERSION', '3.2');
  * @used-by utils::GetItopVersionWikiSyntax()
  * @used-by iTopModulesPhpVersionIntegrationTest
  */
-define('ITOP_CORE_VERSION', '3.2.1');
+define('ITOP_CORE_VERSION', '3.2.3');
 
 /**
  * @var string

composer.json

@@ -19,7 +19,7 @@
     "pear/archive_tar": "~1.4.14",
     "pelago/emogrifier": "^7.2.0",
     "psr/log": "^3.0.0",
-    "scssphp/scssphp": "^1.12.1",
+    "scssphp/scssphp": "dev-combodo/1.x",
     "symfony/console": "~6.4.0",
     "symfony/dotenv": "~6.4.0",
     "symfony/framework-bundle": "~6.4.0",
@@ -43,6 +43,10 @@
     {
       "type": "vcs",
       "url": "https://github.com/EsupPortail/phpCAS"
+    },
+    {
+      "type": "vcs",
+      "url": "https://github.com/combodo-itop-libs/scssphp"
     }
   ],
   "suggest": {

composer.lock

@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "ceac38f6033afe07b7ab977fa39fe348",
+    "content-hash": "eebbdc6c10a479b0e62fc18d88496f5c",
     "packages": [
         {
             "name": "apereo/phpcas",
@@ -1588,16 +1588,16 @@
         },
         {
             "name": "scssphp/scssphp",
-            "version": "v1.13.0",
+            "version": "dev-combodo/1.x",
             "source": {
                 "type": "git",
-                "url": "https://github.com/scssphp/scssphp.git",
-                "reference": "63d1157457e5554edf00b0c1fabab4c1511d2520"
+                "url": "https://github.com/combodo-itop-libs/scssphp.git",
+                "reference": "dde81c0a39d02e8e6fc81b70269747734e16d526"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/scssphp/scssphp/zipball/63d1157457e5554edf00b0c1fabab4c1511d2520",
-                "reference": "63d1157457e5554edf00b0c1fabab4c1511d2520",
+                "url": "https://api.github.com/repos/combodo-itop-libs/scssphp/zipball/dde81c0a39d02e8e6fc81b70269747734e16d526",
+                "reference": "dde81c0a39d02e8e6fc81b70269747734e16d526",
                 "shasum": ""
             },
             "require": {
@@ -1626,8 +1626,8 @@
             "type": "library",
             "extra": {
                 "bamarni-bin": {
-                    "bin-links": false,
-                    "forward-command": false
+                    "forward-command": false,
+                    "bin-links": false
                 }
             },
             "autoload": {
@@ -1635,7 +1635,11 @@
                     "ScssPhp\\ScssPhp\\": "src/"
                 }
             },
-            "notification-url": "https://packagist.org/downloads/",
+            "autoload-dev": {
+                "psr-4": {
+                    "ScssPhp\\ScssPhp\\Tests\\": "tests/"
+                }
+            },
             "license": [
                 "MIT"
             ],
@@ -1661,10 +1665,9 @@
                 "stylesheet"
             ],
             "support": {
-                "issues": "https://github.com/scssphp/scssphp/issues",
-                "source": "https://github.com/scssphp/scssphp/tree/v1.13.0"
+                "source": "https://github.com/combodo-itop-libs/scssphp/tree/combodo/1.x"
             },
-            "time": "2024-08-17T21:02:11+00:00"
+            "time": "2026-03-23T15:26:59+00:00"
         },
         {
             "name": "soundasleep/html2text",
@@ -5097,7 +5100,8 @@
     "aliases": [],
     "minimum-stability": "stable",
     "stability-flags": {
-        "apereo/phpcas": 20
+        "apereo/phpcas": 20,
+        "scssphp/scssphp": 20
     },
     "prefer-stable": false,
     "prefer-lowest": false,

core/action.class.inc.php

@@ -234,10 +234,11 @@ abstract class Action extends cmdbAbstractObject
 		}
 
 		$oActionFilter = DBObjectSearch::FromOQL($sActionQueryOql, $aActionQueryParams);
+		$oActionFilter->AllowAllData();
 		$oSet = new DBObjectSet($oActionFilter, ['date' => false]);
 
 		$sPanelTitle = Dict::Format('Action:last_executions_tab_panel_title', $sActionQueryLimit);
-		$oExecutionsListBlock = DataTableUIBlockFactory::MakeForResult($oPage, 'action_executions_list', $oSet, ['panel_title' => $sPanelTitle]);
+		$oExecutionsListBlock = DataTableUIBlockFactory::MakeForResult($oPage, 'action_executions_list', $oSet, ['panel_title' => $sPanelTitle, 'display_unauthorized_objects' => true]);
 
 		$oPage->AddUiBlock($oExecutionsListBlock);
 	}

core/attributedef.class.inc.php

@@ -4829,7 +4829,7 @@ class AttributeCaseLog extends AttributeLongText
 		}
 
 		if (strlen($sIndex) > 0) {
-			$aIndex = unserialize($sIndex);
+			$aIndex = utils::Unserialize($sIndex, ['allowed_classes' => false], false);
 			$value = new ormCaseLog($sLog, $aIndex);
 		} else {
 			$value = new ormCaseLog($sLog);
@@ -8990,15 +8990,15 @@ class AttributeStopWatch extends AttributeDefinition
 						switch ($sThresholdCode) {
 							case 'deadline':
 								if ($value) {
-                                    if (is_numeric($value)) {
-                                        if (!is_int($value)) {
-                                            $value = intval($value);
-                                        }
+									if (is_numeric($value)) {
+										if (!is_int($value)) {
+											$value = intval($value);
+										}
 										$sDate = date(AttributeDateTime::GetInternalFormat(), $value);
 										$sRet = AttributeDeadline::FormatDeadline($sDate);
-                                    } else {
-                                        $sRet = $value;
-                                    }
+									} else {
+										$sRet = $value;
+									}
 								} else {
 									$sRet = '';
 								}

core/config.class.inc.php

@@ -29,7 +29,7 @@ define('ITOP_APPLICATION_SHORT', 'iTop');
  *
  * @see ITOP_CORE_VERSION to get iTop core version
  */
-define('ITOP_VERSION', '3.2.0-dev');
+define('ITOP_VERSION', '3.2.3-dev');
 
 define('ITOP_VERSION_NAME', 'Fullmoon');
 define('ITOP_REVISION', 'svn');
@@ -75,6 +75,7 @@ define('DEFAULT_EXT_AUTH_VARIABLE', '$_SERVER[\'REMOTE_USER\']');
 define('DEFAULT_ENCRYPTION_KEY', '@iT0pEncr1pti0n!'); // We'll use a random generated key later (if possible)
 define('DEFAULT_ENCRYPTION_LIB', 'Mcrypt'); // We'll define the best encryption available later
 define('DEFAULT_HASH_ALGO', PASSWORD_DEFAULT);
+
 /**
  * Config
  * configuration data (this class cannot not be localized, because it is responsible for loading the dictionaries)
@@ -869,6 +870,14 @@ class Config
 			'source_of_value' => '',
 			'show_in_conf_sample' => false,
 		],
+		'ext_auth_variable' => [
+			'type' => 'string',
+			'description' => 'External authentication expression (allowed: $_SERVER[\'key\'], $_COOKIE[\'key\'], $_REQUEST[\'key\'], getallheaders()[\'Header-Name\'])',
+			'default' => '$_SERVER[\'REMOTE_USER\']',
+			'value' => '$_SERVER[\'REMOTE_USER\']',
+			'source_of_value' => '',
+			'show_in_conf_sample' => false,
+		],
 		'login_debug' => [
 			'type' => 'bool',
 			'description' => 'Activate the login FSM debug',
@@ -1603,7 +1612,7 @@ class Config
 			'show_in_conf_sample' => false,
 		],
 		'search_manual_submit' => [
-			'type' => 'array',
+			'type' => 'bool',
 			'description' => 'Force manual submit of search all requests',
 			'default' => false,
 			'value' => true,
@@ -1730,6 +1739,14 @@ class Config
 			'source_of_value' => '',
 			'show_in_conf_sample' => false,
 		],
+		'security.disable_joined_classes_filter' => [
+			'type'                => 'bool',
+			'description'         => 'If true, scope filters aren\'t applied to joined classes or union classes not directly listed in the SELECT clause.',
+			'default'             => true,
+			'value'               => true,
+			'source_of_value'     => '',
+			'show_in_conf_sample' => false,
+		],
 		'security.hide_administrators' => [
 			'type'                => 'bool',
 			'description'         => 'If true, non-administrator users will not be able to see the administrator accounts, the Administrator profile and the links between the administrator accounts and their profiles.',
@@ -1738,11 +1755,11 @@ class Config
 			'source_of_value'     => '',
 			'show_in_conf_sample' => false,
 		],
-		'security.force_login_when_no_delegated_authentication_endpoints_list' => [
+		'security.disable_exec_forced_login_for_all_enpoints' => [
 			'type'                => 'bool',
-			'description'         => 'If true, when no execution policy is defined, the user will be forced to log in (instead of being automatically logged in with the default profile)',
-			'default'             => false,
-			'value'               => false,
+			'description'         => 'If true, when no delegated authentication module is defined, no login will be forced on modules exec endpoints',
+			'default'             => true,
+			'value'               => true,
 			'source_of_value'     => '',
 			'show_in_conf_sample' => false,
 		],
@@ -1958,11 +1975,6 @@ class Config
 	 */
 	protected $m_sAllowedLoginTypes;
 
-	/**
-	 * @var string Name of the PHP variable in which external authentication information is passed by the web server
-	 */
-	protected $m_sExtAuthVariable;
-
 	/**
 	 * @var string Encryption key used for all attributes of type "encrypted string". Can be set to a random value
 	 *             unless you want to import a database from another iTop instance, in which case you must use
@@ -2035,7 +2047,6 @@ class Config
 		$this->m_bSecureConnectionRequired = DEFAULT_SECURE_CONNECTION_REQUIRED;
 		$this->m_sDefaultLanguage = 'EN US';
 		$this->m_sAllowedLoginTypes = DEFAULT_ALLOWED_LOGIN_TYPES;
-		$this->m_sExtAuthVariable = DEFAULT_EXT_AUTH_VARIABLE;
 		$this->m_aCharsets = [];
 		$this->m_bQueryCacheEnabled = DEFAULT_QUERY_CACHE_ENABLED;
 		$this->m_iPasswordHashAlgo = DEFAULT_HASH_ALGO;
@@ -2189,7 +2200,6 @@ class Config
 
 		$this->m_sDefaultLanguage = isset($MySettings['default_language']) ? trim($MySettings['default_language']) : 'EN US';
 		$this->m_sAllowedLoginTypes = isset($MySettings['allowed_login_types']) ? trim($MySettings['allowed_login_types']) : DEFAULT_ALLOWED_LOGIN_TYPES;
-		$this->m_sExtAuthVariable = isset($MySettings['ext_auth_variable']) ? trim($MySettings['ext_auth_variable']) : DEFAULT_EXT_AUTH_VARIABLE;
 		$this->m_sEncryptionKey = isset($MySettings['encryption_key']) ? trim($MySettings['encryption_key']) : $this->m_sEncryptionKey;
 		$this->m_sEncryptionLibrary = isset($MySettings['encryption_library']) ? trim($MySettings['encryption_library']) : $this->m_sEncryptionLibrary;
 		$this->m_aCharsets = isset($MySettings['csv_import_charsets']) ? $MySettings['csv_import_charsets'] : [];
@@ -2342,9 +2352,73 @@ class Config
 		return explode('|', $this->m_sAllowedLoginTypes);
 	}
 
+	/**
+	 * @return bool|mixed
+	 * @since 3.2.3 return the parsed value instead of an unsecured variable name
+	 */
 	public function GetExternalAuthenticationVariable()
 	{
-		return $this->m_sExtAuthVariable;
+		$sExpression = $this->Get('ext_auth_variable');
+		$aParsed = $this->ParseExternalAuthVariableExpression($sExpression);
+		if ($aParsed === null) {
+			return false;
+		}
+
+		$sKey = $aParsed['key'];
+		switch ($aParsed['type']) {
+			case 'server':
+				return $_SERVER[$sKey] ?? false;
+			case 'cookie':
+				return $_COOKIE[$sKey] ?? false;
+			case 'request':
+				return $_REQUEST[$sKey] ?? false;
+			case 'header':
+				if (!function_exists('getallheaders')) {
+					return false;
+				}
+				$aHeaders = getallheaders();
+				if (!is_array($aHeaders)) {
+					return false;
+				}
+				return $aHeaders[$sKey] ?? false;
+		}
+		return false;
+	}
+
+	/**
+	 * @param $sExpression
+	 * @return array|null
+	 */
+	private function ParseExternalAuthVariableExpression($sExpression)
+	{
+		// If it's a configuration parameter it's probably already trimmed, but just in case
+		$sExpression = trim((string) $sExpression);
+		if ($sExpression === '') {
+			return null;
+		}
+
+		// Match $_SERVER/$_COOKIE/$_REQUEST['key'] with optional whitespace and single/double quotes.
+		if (preg_match('/^\$_(SERVER|COOKIE|REQUEST)\s*\[\s*(["\'])\s*([^"\']+)\2\s*\]\s*$/', $sExpression, $aMatches) === 1) {
+			$sContext = strtoupper($aMatches[1]);
+			$sKey = $aMatches[3];
+			return [
+				'type' => strtolower($sContext),
+				'key' => $sKey,
+				'normalized' => '$_'.$sContext.'[\''.$sKey.'\']',
+			];
+		}
+
+		// Match getallheaders()['Header-Name'] in a case-insensitive way.
+		if (preg_match('/^getallheaders\(\)\s*\[\s*(["\'])\s*([^"\']+)\1\s*\]\s*$/i', $sExpression, $aMatches) === 1) {
+			$sKey = $aMatches[2];
+			return [
+				'type' => 'header',
+				'key' => $sKey,
+				'normalized' => 'getallheaders()[\''.$sKey.'\']',
+			];
+		}
+
+		return null;
 	}
 
 	public function GetCSVImportCharsets()
@@ -2440,7 +2514,7 @@ class Config
 
 	public function SetExternalAuthenticationVariable($sExtAuthVariable)
 	{
-		$this->m_sExtAuthVariable = $sExtAuthVariable;
+		$this->Set('ext_auth_variable', $sExtAuthVariable);
 	}
 
 	public function SetEncryptionKey($sKey)
@@ -2495,7 +2569,6 @@ class Config
 		$aSettings['secure_connection_required'] = $this->m_bSecureConnectionRequired;
 		$aSettings['default_language'] = $this->m_sDefaultLanguage;
 		$aSettings['allowed_login_types'] = $this->m_sAllowedLoginTypes;
-		$aSettings['ext_auth_variable'] = $this->m_sExtAuthVariable;
 		$aSettings['encryption_key'] = $this->m_sEncryptionKey;
 		$aSettings['encryption_library'] = $this->m_sEncryptionLibrary;
 		$aSettings['csv_import_charsets'] = $this->m_aCharsets;
@@ -2600,7 +2673,6 @@ class Config
 			$aOtherValues = [
 				'default_language' => $this->m_sDefaultLanguage,
 				'allowed_login_types' => $this->m_sAllowedLoginTypes,
-				'ext_auth_variable' => $this->m_sExtAuthVariable,
 				'encryption_key' => $this->m_sEncryptionKey,
 				'encryption_library' => $this->m_sEncryptionLibrary,
 				'csv_import_charsets' => $this->m_aCharsets,

core/datamodel.core.xml

@@ -409,7 +409,7 @@
       </php_parent>
       <parent>cmdbAbstractObject</parent>
       <properties>
-        <category>core/cmdb,view_in_gui</category>
+        <category>core/cmdb,grant_by_profile,silo</category>
         <abstract>false</abstract>
         <key_type>autoincrement</key_type>
         <db_table>priv_event_newsroom</db_table>
@@ -888,7 +888,7 @@
         <!-- Generated by toolkit/export-class-to-meta.php -->
         <parent>Event</parent>
         <properties>
-          <category>core/cmdb,view_in_gui</category>
+          <category>core/cmdb,grant_by_profile,silo</category>
         </properties>
         <fields>
           <field id="message" xsi:type="AttributeText"/>

core/dbobjectsearch.class.php

@@ -1925,4 +1925,37 @@ class DBObjectSearch extends DBSearch
 	{
 		return $this->GetCriteria()->ListParameters();
 	}
+
+	/**
+	 * @inheritDoc
+	 * @return DBObjectSearch
+	 */
+	protected function ApplyDataFilters(): DBObjectSearch
+	{
+		if ($this->IsAllDataAllowed() || $this->IsDataFiltered()) {
+			return $this;
+		}
+
+		$oSearch = $this;
+		$aClassesToFilter = $this->GetSelectedClasses();
+
+		// Opt-in for joined classes filtering, otherwise only filter the selected class(es)
+		if (MetaModel::GetConfig()->Get('security.disable_joined_classes_filter') === false) {
+			$aClassesToFilter = $this->GetJoinedClasses();
+		}
+
+		// Apply filter (this is similar to the one in DBSearch but the factorization could make it less readable)
+		foreach ($aClassesToFilter as $sClassAlias => $sClass) {
+			$oVisibleObjects = UserRights::GetSelectFilter($sClass, $this->GetModifierProperties('UserRightsGetSelectFilter'));
+			if ($oVisibleObjects === false) {
+				$oVisibleObjects = DBObjectSearch::FromEmptySet($sClass);
+			}
+			if (is_object($oVisibleObjects)) {
+				$oVisibleObjects->AllowAllData();
+				$oSearch = $oSearch->Filter($sClassAlias, $oVisibleObjects);
+				$oSearch->SetDataFiltered();
+			}
+		}
+		return $oSearch;
+	}
 }

core/dbsearch.class.php

@@ -1122,21 +1122,7 @@ abstract class DBSearch
 	 */
 	protected function GetSQLQuery($aOrderBy, $aArgs, $aAttToLoad, $aExtendedDataSpec, $iLimitCount, $iLimitStart, $bGetCount, $aGroupByExpr = null, $aSelectExpr = null)
 	{
-		$oSearch = $this;
-		if (!$this->IsAllDataAllowed() && !$this->IsDataFiltered()) {
-			foreach ($this->GetSelectedClasses() as $sClassAlias => $sClass) {
-				$oVisibleObjects = UserRights::GetSelectFilter($sClass, $this->GetModifierProperties('UserRightsGetSelectFilter'));
-				if ($oVisibleObjects === false) {
-					// Make sure this is a valid search object, saying NO for all
-					$oVisibleObjects = DBObjectSearch::FromEmptySet($sClass);
-				}
-				if (is_object($oVisibleObjects)) {
-					$oVisibleObjects->AllowAllData();
-					$oSearch = $oSearch->Filter($sClassAlias, $oVisibleObjects);
-					$oSearch->SetDataFiltered();
-				}
-			}
-		}
+		$oSearch = $this->ApplyDataFilters();
 
 		if (is_array($aGroupByExpr)) {
 			foreach ($aGroupByExpr as $sAlias => $oGroupByExp) {
@@ -1608,4 +1594,33 @@ abstract class DBSearch
 	 * @return array{\VariableExpression}
 	 */
 	abstract public function GetExpectedArguments(): array;
+
+	/**
+	 * Apply data filters to the search, if needed
+	 *
+	 * @return DBSearch
+	 * @throws CoreException
+	 */
+	protected function ApplyDataFilters(): DBSearch
+	{
+		if ($this->IsAllDataAllowed() || $this->IsDataFiltered()) {
+			return $this;
+		}
+
+		$oSearch = $this;
+		$aClassesToFilter = $this->GetSelectedClasses();
+
+		foreach ($aClassesToFilter as $sClassAlias => $sClass) {
+			$oVisibleObjects = UserRights::GetSelectFilter($sClass, $this->GetModifierProperties('UserRightsGetSelectFilter'));
+			if ($oVisibleObjects === false) {
+				$oVisibleObjects = DBObjectSearch::FromEmptySet($sClass);
+			}
+			if (is_object($oVisibleObjects)) {
+				$oVisibleObjects->AllowAllData();
+				$oSearch = $oSearch->Filter($sClassAlias, $oVisibleObjects);
+				$oSearch->SetDataFiltered();
+			}
+		}
+		return $oSearch;
+	}
 }

core/dbunionsearch.class.php

@@ -673,4 +673,30 @@ class DBUnionSearch extends DBSearch
 
 		return $aVariableCriteria;
 	}
+
+	/**
+	 * @inheritDoc
+	 * @return DBUnionSearch
+	 */
+	protected function ApplyDataFilters(): DBUnionSearch
+	{
+		if ($this->IsAllDataAllowed() || $this->IsDataFiltered()) {
+			return $this;
+		}
+
+		// Opt-in for joined classes filtering, otherwise fallback on DBSearch filtering
+		if (MetaModel::GetConfig()->Get('security.disable_joined_classes_filter') === true) {
+			return parent::ApplyDataFilters();
+		}
+
+		// Apply filters per sub-search
+		$aFilteredSearches = [];
+		foreach ($this->GetSearches() as $oSubSearch) {
+			// Recursively call ApplyDataFilters on sub-searches
+			$aFilteredSearches[] = $oSubSearch->ApplyDataFilters();
+		}
+
+		$oSearch = new DBUnionSearch($aFilteredSearches);
+		return $oSearch;
+	}
 }

core/event.class.inc.php

@@ -26,7 +26,7 @@ class Event extends DBObject implements iDisplay
 	{
 		$aParams =
 		[
-			"category" => "core/cmdb,view_in_gui",
+			"category" => "core/cmdb,grant_by_profile,silo",
 			"key_type" => "autoincrement",
 			"name_attcode" => "",
 			"state_attcode" => "",
@@ -120,7 +120,7 @@ class EventNotification extends Event
 	{
 		$aParams =
 		[
-			"category" => "core/cmdb,view_in_gui",
+			"category" => "core/cmdb,grant_by_profile,silo",
 			"key_type" => "autoincrement",
 			"name_attcode" => "",
 			"state_attcode" => "",
@@ -154,7 +154,7 @@ class EventNotificationEmail extends EventNotification
 	{
 		$aParams =
 		[
-			"category" => "core/cmdb,view_in_gui",
+			"category" => "core/cmdb,grant_by_profile,silo",
 			"key_type" => "autoincrement",
 			"name_attcode" => "",
 			"state_attcode" => "",
@@ -176,7 +176,7 @@ class EventNotificationEmail extends EventNotification
 
 		// Display lists
 		MetaModel::Init_SetZListItems('details', ['date', 'userinfo', 'message', 'trigger_id', 'action_id', 'object_id', 'to', 'cc', 'bcc', 'from', 'subject', 'body', 'attachments']); // Attributes to be displayed for the complete details
-		MetaModel::Init_SetZListItems('list', ['date', 'message', 'to', 'subject', 'attachments']); // Attributes to be displayed for a list
+		MetaModel::Init_SetZListItems('list', ['date', 'message', 'to', 'cc', 'bcc', 'subject', 'attachments']); // Attributes to be displayed for a list
 
 		// Search criteria
 		//		MetaModel::Init_SetZListItems('standard_search', array('name')); // Criteria of the std search form
@@ -190,7 +190,7 @@ class EventIssue extends Event
 	{
 		$aParams =
 		[
-			"category" => "core/cmdb,view_in_gui",
+			"category" => "core/cmdb,grant_by_profile,silo",
 			"key_type" => "autoincrement",
 			"name_attcode" => "",
 			"state_attcode" => "",
@@ -284,7 +284,7 @@ class EventWebService extends Event
 	{
 		$aParams =
 		[
-			"category" => "core/cmdb,view_in_gui",
+			"category" => "core/cmdb,grant_by_profile,silo",
 			"key_type" => "autoincrement",
 			"name_attcode" => "",
 			"state_attcode" => "",
@@ -319,7 +319,7 @@ class EventRestService extends Event
 	{
 		$aParams =
 		[
-			"category" => "core/cmdb,view_in_gui",
+			"category" => "core/cmdb,grant_by_profile,silo",
 			"key_type" => "autoincrement",
 			"name_attcode" => "",
 			"state_attcode" => "",
@@ -354,7 +354,7 @@ class EventLoginUsage extends Event
 	{
 		$aParams =
 		[
-			"category" => "core/cmdb,view_in_gui",
+			"category" => "core/cmdb,grant_by_profile,silo",
 			"key_type" => "autoincrement",
 			"name_attcode" => "",
 			"state_attcode" => "",
@@ -392,7 +392,7 @@ class EventOnObject extends Event
 	{
 		$aParams =
 		[
-			"category" => "core/cmdb,view_in_gui",
+			"category" => "core/cmdb,grant_by_profile,silo",
 			"key_type" => "autoincrement",
 			"name_attcode" => "",
 			"state_attcode" => "",

core/ormdocument.class.inc.php

@@ -350,15 +350,18 @@ class ormDocument
 			if (!is_object($oObj)) {
 				// If access to the document is not granted, check if the access to the host object is allowed
 				$oObj = MetaModel::GetObject($sClass, $id, false, true);
+				$bHasHostRights = false;
 				if ($oObj instanceof Attachment) {
 					$sItemClass = $oObj->Get('item_class');
 					$sItemId = $oObj->Get('item_id');
 					$oHost = MetaModel::GetObject($sItemClass, $sItemId, false, false);
-					if (!is_object($oHost)) {
-						$oObj = null;
+					if (is_object($oHost)) {
+						$bHasHostRights = true;
 					}
 				}
-				if (!is_object($oObj)) {
+
+				// We could neither read the object nor get a host object matching our rights
+				if ($bHasHostRights !== true) {
 					throw new Exception("Invalid id ($id) for class '$sClass' - the object does not exist or you are not allowed to view it");
 				}
 			}

core/userrights.class.inc.php

@@ -1157,7 +1157,7 @@ class UserRights
 			return self::$m_oUser->GetKey();
 		} else {
 			// find the id out of the login string
-			$oUser = self::FindUser($sLogin);
+			$oUser = self::FindUser($sLogin, bAllowDisabledUsers: true);
 			if (is_null($oUser)) {
 				return null;
 			}
@@ -1350,7 +1350,7 @@ class UserRights
 		if (empty($sLogin)) {
 			$oUser = self::$m_oUser;
 		} else {
-			$oUser = self::FindUser($sLogin);
+			$oUser = self::FindUser($sLogin, bAllowDisabledUsers: true);
 		}
 		if (is_null($oUser)) {
 			return '';

css/backoffice/_shame.scss

@@ -39,6 +39,8 @@
 //
 // .site-nav a { color:#BADA55!important; }
 
+$ibo-blockquote--color: $ibo-body-text-color !default;
+
 // N°2847 - Recolor svg illustrations with iTop's primary color
 .ibo-svg-illustration--container > svg *[fill="#6c63ff"]{
 	fill: $ibo-svg-illustration--fill;
@@ -109,3 +111,11 @@ input:checked + .slider:before {
 .slider.round:before {
   border-radius: 7px;
 }
+
+/*
+  Bulma sets blockquote background color through a variable, it affects ckeditor and html display.
+  This rule is needed harmonize the blockquote text color in both contexts.
+ */
+.ibo-is-html-content blockquote {
+  color: $ibo-blockquote--color;
+}

css/backoffice/components/_panel.scss

@@ -185,16 +185,20 @@ $ibo-panel--is-selectable--body--after--font-size: $ibo-font-size-700 !default;
 .ibo-panel--icon-img, .ibo-panel--icon-background { // second class is deprecated, remove it when dealing with N°9317
   width: 100%;
   height: 100%;
+  object-position: center;
+  object-fit: $ibo-panel--icon-img--size--must-contain;
   background-position: center;
   background-repeat: no-repeat;
   background-size: $ibo-panel--icon-img--size--must-contain;
 }
 
 .ibo-panel--icon-img--must-contain, .ibo-panel--icon-background--must-contain { // second class is deprecated, remove it when dealing with N°9317
+  object-fit: $ibo-panel--icon-img--size--must-contain;
   background-size: $ibo-panel--icon-img--size--must-contain;
 }
 
 .ibo-panel--icon-img--must-cover, .ibo-panel--icon-background--must-cover { // second class is deprecated, remove it when dealing with N°9317
+  object-fit: $ibo-panel--icon-img--size--must-cover;
   background-size: $ibo-panel--icon-img--size--must-cover;
 }
 

css/backoffice/components/_search-form.scss

@@ -21,6 +21,8 @@ $ibo-search-form-panel--more-criteria--color: $ibo-color-blue-grey-800 !default;
 $ibo-search-form-panel--more-criteria--background-color: $ibo-color-white-100 !default;
 $ibo-search-form-panel--more-criteria--icon--color: $ibo-color-primary-600 !default;
 $ibo-search-form-panel--more-criteria--border-color: $ibo-search-form-panel--criteria--border-color !default;
+// calc is redundant but avoid SCSS min() from being used instead of CSS min()
+$ibo-search-form-panel--criteria--max-height: calc(min(#{$ibo-size-750}, 50vh)) !default;
 
 $ibo-search-form-panel--items--hover--color: $ibo-color-grey-200 !default;
 
@@ -278,9 +280,10 @@ $ibo-search-results-area--datatable-scrollhead--border--is-sticking: $ibo-search
 				}
 
 				.sfc_form_group {
-          display: block;
-          margin-top: -1px;
-          z-index: -1;
+                  display: flex;
+                  flex-direction: column;
+                  margin-top: -1px;
+                  z-index: -1;
         }
 			}
 
@@ -346,11 +349,15 @@ $ibo-search-results-area--datatable-scrollhead--border--is-sticking: $ibo-search
         display: none;
         max-width: 450px;
         width: max-content;
-        max-height: 520px;
+        max-height: $ibo-search-form-panel--criteria--max-height;
         overflow-x: auto;
         overflow-y: hidden;
 
 				.sfc_fg_operators {
+                    display: flex;
+                    flex-direction: column;
+                    overflow: auto;
+                    min-height: 0;
 					font-size: 12px;
 
 					.sfc_fg_operator {
@@ -387,6 +394,9 @@ $ibo-search-results-area--datatable-scrollhead--border--is-sticking: $ibo-search
 						}
 
 						.sfc_opc_multichoices {
+                            display: flex;
+                            flex-direction: column;
+                            height: 100%;
 							label > input {
 								vertical-align: text-top;
 								margin-left: $ibo-spacing-0;
@@ -398,7 +408,6 @@ $ibo-search-results-area--datatable-scrollhead--border--is-sticking: $ibo-search
 							}
 
 							.sfc_opc_mc_items_wrapper {
-								max-height: 415px; /* Must be less than .sfc_form_group:max-height - .sfc_opc_mc_toggler:height - .sfc_opc_mc_filter:height */
 								overflow-y: auto;
 								margin: $ibo-spacing-0 -8px; /* Compensate .sfc_opc_multichoices side padding so the hover style can take the full with */
 
@@ -560,8 +569,14 @@ $ibo-search-results-area--datatable-scrollhead--border--is-sticking: $ibo-search
 			&.search_form_criteria_enum {
 				.sfc_form_group {
 					.sfc_fg_operator_in {
+                        display: flex;
+                        flex-direction: column;
+                        height: 100%;
+                        min-height: 0;
 						> label {
-							display: inline-block;
+							display: flex;
+                            height: 100%;
+                            min-height: 0;
 							width: 100%;
 							line-height: initial;
 							white-space: nowrap;

css/backoffice/components/_title.scss

@@ -51,19 +51,23 @@ $ibo-title--icon-img--size--must-zoomout: $ibo-title--icon-background--size--mus
   width: 100%;
   height: 100%;
   object-position: center;
+  object-fit: $ibo-title--icon-img--size--must-contain;
   background-size: $ibo-title--icon-img--size--must-contain;
 }
 
 .ibo-title--icon-img--must-contain, .ibo-title--icon-background--must-contain { // second class is deprecated, remove it when dealing with N°9317
+  object-fit: $ibo-title--icon-img--size--must-contain;
   background-size: $ibo-title--icon-img--size--must-contain;
 }
 
 .ibo-title--icon-img--must-cover, .ibo-title--icon-background--must-cover { // second class is deprecated, remove it when dealing with N°9317
+  object-fit: $ibo-title--icon-img--size--must-cover;
   background-size: $ibo-title--icon-img--size--must-cover;
 }
 
 .ibo-title--icon-img--must-zoomout, .ibo-title--icon-background--must-zoomout { // second class is deprecated, remove it when dealing with N°9317
-  background-size: $ibo-title--icon-img--size--must-zoomout;
+  width: $ibo-title--icon-img--size--must-zoomout;
+  height: $ibo-title--icon-img--size--must-zoomout;
 }
 
 .ibo-title--for-object-details {

css/backoffice/components/input/_input-select.scss

@@ -201,8 +201,9 @@ $ibo-input-select--autocomplete-item-image--border: 1px solid $ibo-color-grey-60
 }
 
 // N°7982 Default selectize stylesheet override
+// N°9468 Dropdown content needs to be a few pixel shorter than the dropdown itself to avoid double scrollbar
 .selectize-dropdown-content{
-  max-height: $ibo-input-select-selectize--dropdown--max-height;
+  max-height: calc(#{$ibo-input-select-selectize--dropdown--max-height} - 4px);
 }
 
 .selectize-dropdown.ui-menu .ui-state-active {

css/backoffice/vendors/_bulma-variables-overload.scss

@@ -21,6 +21,7 @@ $text-strong: inherit !default;
  * See https://bulma.io/documentation/elements/content/
  */
 $content-block-margin-bottom: 0 !default;
+$content-blockquote-background-color: $ibo-color-grey-200 !default;
 
 /* Table: Reset style as much as possible to match rich text editor preview, which is the browser's default stylesheet.
  * As there is no way to avoid bulma rules, we simply make them invalid by setting an invalid variable value, the rules will then be ignored by the browser.

datamodels/2.x/authent-cas/module.authent-cas.php

@@ -6,7 +6,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'authent-cas/3.2.1',
+	'authent-cas/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/authent-external/module.authent-external.php

@@ -27,7 +27,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'authent-external/3.2.1',
+	'authent-external/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/authent-ldap/module.authent-ldap.php

@@ -7,7 +7,7 @@ if (function_exists('ldap_connect')) {
 
 	SetupWebPage::AddModule(
 		__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-		'authent-ldap/3.2.1',
+		'authent-ldap/3.2.3',
 		[
 			// Identification
 			//

datamodels/2.x/authent-local/module.authent-local.php

@@ -2,7 +2,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'authent-local/3.2.1',
+	'authent-local/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/combodo-backoffice-darkmoon-theme/module.combodo-backoffice-darkmoon-theme.php

@@ -6,7 +6,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'combodo-backoffice-darkmoon-theme/3.2.1',
+	'combodo-backoffice-darkmoon-theme/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/combodo-backoffice-fullmoon-high-contrast-theme/module.combodo-backoffice-fullmoon-high-contrast-theme.php

@@ -6,7 +6,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'combodo-backoffice-fullmoon-high-contrast-theme/3.2.1',
+	'combodo-backoffice-fullmoon-high-contrast-theme/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/combodo-backoffice-fullmoon-protanopia-deuteranopia-theme/module.combodo-backoffice-fullmoon-protanopia-deuteranopia-theme.php

@@ -6,7 +6,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'combodo-backoffice-fullmoon-protanopia-deuteranopia-theme/3.2.1',
+	'combodo-backoffice-fullmoon-protanopia-deuteranopia-theme/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/combodo-backoffice-fullmoon-protanopia-deuteranopia-theme/scss/scss-variables.scss

@@ -68,47 +68,47 @@ $ibo-color-information-900: #0f172a !default;
 $ibo-color-information-950: #020617 !default;
 
 
-$ibo-lifecycle-new-state-primary-color: $ibo-color-information-600;
-$ibo-lifecycle-new-state-secondary-color: $ibo-color-white-100;
-$ibo-lifecycle-neutral-state-primary-color: $ibo-color-information-600;
-$ibo-lifecycle-neutral-state-secondary-color: $ibo-color-white-100;
-$ibo-lifecycle-waiting-state-primary-color: $ibo-color-yellow-700;
-$ibo-lifecycle-waiting-state-secondary-color: $ibo-color-white-100;
-$ibo-lifecycle-success-state-primary-color: $ibo-color-blue-700;
-$ibo-lifecycle-success-state-secondary-color: $ibo-color-white-100;
-$ibo-lifecycle-failure-state-primary-color: $ibo-color-orange-800;
-$ibo-lifecycle-failure-state-secondary-color: $ibo-color-white-100;
-$ibo-lifecycle-frozen-state-primary-color: $ibo-color-information-200;
-$ibo-lifecycle-frozen-state-secondary-color: $ibo-color-information-700;
+$ibo-lifecycle-new-state-primary-color: $ibo-color-information-600 !default;
+$ibo-lifecycle-new-state-secondary-color: $ibo-color-white-100 !default;
+$ibo-lifecycle-neutral-state-primary-color: $ibo-color-information-600 !default;
+$ibo-lifecycle-neutral-state-secondary-color: $ibo-color-white-100 !default;
+$ibo-lifecycle-waiting-state-primary-color: $ibo-color-yellow-700 !default;
+$ibo-lifecycle-waiting-state-secondary-color: $ibo-color-white-100 !default;
+$ibo-lifecycle-success-state-primary-color: $ibo-color-blue-700 !default;
+$ibo-lifecycle-success-state-secondary-color: $ibo-color-white-100 !default;
+$ibo-lifecycle-failure-state-primary-color: $ibo-color-orange-800 !default;
+$ibo-lifecycle-failure-state-secondary-color: $ibo-color-white-100 !default;
+$ibo-lifecycle-frozen-state-primary-color: $ibo-color-information-200 !default;
+$ibo-lifecycle-frozen-state-secondary-color: $ibo-color-information-700 !default;
 
-$ibo-lifecycle-active-state-primary-color: $ibo-color-blue-700;
-$ibo-lifecycle-active-state-secondary-color: $ibo-color-white-100;
-$ibo-lifecycle-inactive-state-primary-color: $ibo-color-yellow-700;
-$ibo-lifecycle-inactive-state-secondary-color: $ibo-color-white-100;
+$ibo-lifecycle-active-state-primary-color: $ibo-color-blue-700 !default;
+$ibo-lifecycle-active-state-secondary-color: $ibo-color-white-100 !default;
+$ibo-lifecycle-inactive-state-primary-color: $ibo-color-yellow-700 !default;
+$ibo-lifecycle-inactive-state-secondary-color: $ibo-color-white-100 !default;
 
-$ibo-caselog-highlight-color-1: $ibo-color-blue-700;
-$ibo-caselog-highlight-color-2: $ibo-color-yellow-700;
-$ibo-caselog-highlight-color-3: $ibo-color-information-600;
-$ibo-caselog-highlight-color-4: $ibo-color-yellow-500;
-$ibo-caselog-highlight-color-5: $ibo-color-blue-500;
-$ibo-caselog-highlight-color-6: $ibo-color-yellow-300;
-$ibo-caselog-highlight-color-7: $ibo-color-blue-300;
+$ibo-caselog-highlight-color-1: $ibo-color-blue-700 !default;
+$ibo-caselog-highlight-color-2: $ibo-color-yellow-700 !default;
+$ibo-caselog-highlight-color-3: $ibo-color-information-600 !default;
+$ibo-caselog-highlight-color-4: $ibo-color-yellow-500 !default;
+$ibo-caselog-highlight-color-5: $ibo-color-blue-500 !default;
+$ibo-caselog-highlight-color-6: $ibo-color-yellow-300 !default;
+$ibo-caselog-highlight-color-7: $ibo-color-blue-300 !default;
 
-$ibo-input-wrapper--is-error--border-color: $ibo-color-warning-700;
-$ibo-field-validation: $ibo-color-warning-800;
+$ibo-input-wrapper--is-error--border-color: $ibo-color-warning-700 !default;
+$ibo-field-validation: $ibo-color-warning-800 !default;
 
-$ibo-navigation-menu--visual-hint--background-color: $ibo-color-blue-400;
+$ibo-navigation-menu--visual-hint--background-color: $ibo-color-blue-400 !default;
 
-$ibo-wizard-container--background-color: $ibo-color-information-200;
-$ibo-wizard-container--border-color: $ibo-color-information-600;
+$ibo-wizard-container--background-color: $ibo-color-information-200 !default;
+$ibo-wizard-container--border-color: $ibo-color-information-600 !default;
 
-$ibo-navigation-menu--notifications--item--new-message-indicator--background-color: $ibo-color-white-100;
-$ibo-navigation-menu--notifications--item--new-message-indicator--border: solid 2px $ibo-color-grey-500;
-$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-1--background-color: $ibo-color-danger-100;
-$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-1--border: solid 2px $ibo-color-danger-500;
-$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-2--background-color: $ibo-color-warning-100;
-$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-2--border: solid 2px $ibo-color-warning-500;
-$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-3--background-color: $ibo-color-success-100;
-$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-3--border: solid 2px $ibo-color-success-500;
+$ibo-navigation-menu--notifications--item--new-message-indicator--background-color: $ibo-color-white-100 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--border: solid 2px $ibo-color-grey-500 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-1--background-color: $ibo-color-danger-100 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-1--border: solid 2px $ibo-color-danger-500 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-2--background-color: $ibo-color-warning-100 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-2--border: solid 2px $ibo-color-warning-500 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-3--background-color: $ibo-color-success-100 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-3--border: solid 2px $ibo-color-success-500 !default;
 
-$ibo-notifications--view-all--item--unread--highlight--background-color: $ibo-color-blue-600;
+$ibo-notifications--view-all--item--unread--highlight--background-color: $ibo-color-blue-600 !default;

datamodels/2.x/combodo-backoffice-fullmoon-tritanopia-theme/module.combodo-backoffice-fullmoon-tritanopia-theme.php

@@ -6,7 +6,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'combodo-backoffice-fullmoon-tritanopia-theme/3.2.1',
+	'combodo-backoffice-fullmoon-tritanopia-theme/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/combodo-backoffice-fullmoon-tritanopia-theme/scss/scss-variables.scss

@@ -32,47 +32,47 @@ $ibo-color-information-900: #0f172a !default;
 $ibo-color-information-950: #020617 !default;
 
 
-$ibo-lifecycle-new-state-primary-color: $ibo-color-information-600;
-$ibo-lifecycle-new-state-secondary-color: $ibo-color-white-100;
-$ibo-lifecycle-neutral-state-primary-color: $ibo-color-information-600;
-$ibo-lifecycle-neutral-state-secondary-color: $ibo-color-white-100;
-$ibo-lifecycle-waiting-state-primary-color: $ibo-color-red-200;
-$ibo-lifecycle-waiting-state-secondary-color: $ibo-color-red-800;
-$ibo-lifecycle-success-state-primary-color: $ibo-color-blue-700;
-$ibo-lifecycle-success-state-secondary-color: $ibo-color-white-100;
-$ibo-lifecycle-failure-state-primary-color: $ibo-color-red-800;
-$ibo-lifecycle-failure-state-secondary-color: $ibo-color-white-100;
-$ibo-lifecycle-frozen-state-primary-color: $ibo-color-information-200;
-$ibo-lifecycle-frozen-state-secondary-color: $ibo-color-information-700;
+$ibo-lifecycle-new-state-primary-color: $ibo-color-information-600 !default;
+$ibo-lifecycle-new-state-secondary-color: $ibo-color-white-100 !default;
+$ibo-lifecycle-neutral-state-primary-color: $ibo-color-information-600 !default;
+$ibo-lifecycle-neutral-state-secondary-color: $ibo-color-white-100 !default;
+$ibo-lifecycle-waiting-state-primary-color: $ibo-color-red-200 !default;
+$ibo-lifecycle-waiting-state-secondary-color: $ibo-color-red-800 !default;
+$ibo-lifecycle-success-state-primary-color: $ibo-color-blue-700 !default;
+$ibo-lifecycle-success-state-secondary-color: $ibo-color-white-100 !default;
+$ibo-lifecycle-failure-state-primary-color: $ibo-color-red-800 !default;
+$ibo-lifecycle-failure-state-secondary-color: $ibo-color-white-100 !default;
+$ibo-lifecycle-frozen-state-primary-color: $ibo-color-information-200 !default;
+$ibo-lifecycle-frozen-state-secondary-color: $ibo-color-information-700 !default;
 
-$ibo-lifecycle-active-state-primary-color: $ibo-color-blue-700;
-$ibo-lifecycle-active-state-secondary-color: $ibo-color-white-100;
-$ibo-lifecycle-inactive-state-primary-color: $ibo-color-red-700;
-$ibo-lifecycle-inactive-state-secondary-color: $ibo-color-white-100;
+$ibo-lifecycle-active-state-primary-color: $ibo-color-blue-700 !default;
+$ibo-lifecycle-active-state-secondary-color: $ibo-color-white-100 !default;
+$ibo-lifecycle-inactive-state-primary-color: $ibo-color-red-700 !default;
+$ibo-lifecycle-inactive-state-secondary-color: $ibo-color-white-100 !default;
 
-$ibo-caselog-highlight-color-1: $ibo-color-blue-700;
-$ibo-caselog-highlight-color-2: $ibo-color-red-700;
-$ibo-caselog-highlight-color-3: $ibo-color-information-600;
-$ibo-caselog-highlight-color-4: $ibo-color-red-500;
-$ibo-caselog-highlight-color-5: $ibo-color-blue-500;
-$ibo-caselog-highlight-color-6: $ibo-color-red-300;
-$ibo-caselog-highlight-color-7: $ibo-color-blue-300;
+$ibo-caselog-highlight-color-1: $ibo-color-blue-700 !default;
+$ibo-caselog-highlight-color-2: $ibo-color-red-700 !default;
+$ibo-caselog-highlight-color-3: $ibo-color-information-600 !default;
+$ibo-caselog-highlight-color-4: $ibo-color-red-500 !default;
+$ibo-caselog-highlight-color-5: $ibo-color-blue-500 !default;
+$ibo-caselog-highlight-color-6: $ibo-color-red-300 !default;
+$ibo-caselog-highlight-color-7: $ibo-color-blue-300 !default;
 
-$ibo-input-wrapper--is-error--border-color: $ibo-color-pink-700;
-$ibo-field-validation: $ibo-color-pink-800;
+$ibo-input-wrapper--is-error--border-color: $ibo-color-pink-700 !default;
+$ibo-field-validation: $ibo-color-pink-800 !default;
 
-$ibo-navigation-menu--visual-hint--background-color: $ibo-color-pink-600;
+$ibo-navigation-menu--visual-hint--background-color: $ibo-color-pink-600 !default;
 
-$ibo-wizard-container--background-color: $ibo-color-information-200;
-$ibo-wizard-container--border-color: $ibo-color-information-600;
+$ibo-wizard-container--background-color: $ibo-color-information-200 !default;
+$ibo-wizard-container--border-color: $ibo-color-information-600 !default;
 
-$ibo-navigation-menu--notifications--item--new-message-indicator--background-color: $ibo-color-white-100;
-$ibo-navigation-menu--notifications--item--new-message-indicator--border: solid 2px $ibo-color-grey-500;
-$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-1--background-color: $ibo-color-pink-100;
-$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-1--border: solid 2px $ibo-color-pink-600;
-$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-2--background-color: $ibo-color-warning-100;
-$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-2--border: solid 2px $ibo-color-warning-400;
-$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-3--background-color: $ibo-color-success-100;
-$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-3--border: solid 2px $ibo-color-success-500;
+$ibo-navigation-menu--notifications--item--new-message-indicator--background-color: $ibo-color-white-100 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--border: solid 2px $ibo-color-grey-500 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-1--background-color: $ibo-color-pink-100 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-1--border: solid 2px $ibo-color-pink-600 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-2--background-color: $ibo-color-warning-100 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-2--border: solid 2px $ibo-color-warning-400 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-3--background-color: $ibo-color-success-100 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-3--border: solid 2px $ibo-color-success-500 !default;
 
-$ibo-notifications--view-all--item--unread--highlight--background-color: $ibo-color-pink-500;
+$ibo-notifications--view-all--item--unread--highlight--background-color: $ibo-color-pink-500 !default;

datamodels/2.x/combodo-db-tools/module.combodo-db-tools.php

@@ -25,7 +25,7 @@
 /** @noinspection PhpUnhandledExceptionInspection */
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'combodo-db-tools/3.2.1',
+	'combodo-db-tools/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-attachments/module.itop-attachments.php

@@ -19,7 +19,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-attachments/3.2.1',
+	'itop-attachments/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-backup/module.itop-backup.php

@@ -2,7 +2,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-backup/3.2.1',
+	'itop-backup/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-bridge-cmdb-services/module.itop-bridge-cmdb-services.php

@@ -6,7 +6,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-bridge-cmdb-services/3.2.1',
+	'itop-bridge-cmdb-services/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-bridge-cmdb-ticket/module.itop-bridge-cmdb-ticket.php

@@ -6,7 +6,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-bridge-cmdb-ticket/3.2.1',
+	'itop-bridge-cmdb-ticket/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-bridge-datacenter-mgmt-services/module.itop-bridge-datacenter-mgmt-services.php

@@ -6,7 +6,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-bridge-datacenter-mgmt-services/3.2.1',
+	'itop-bridge-datacenter-mgmt-services/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-bridge-endusers-devices-services/module.itop-bridge-endusers-devices-services.php

@@ -6,7 +6,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-bridge-endusers-devices-services/3.2.1',
+	'itop-bridge-endusers-devices-services/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-bridge-storage-mgmt-services/module.itop-bridge-storage-mgmt-services.php

@@ -6,7 +6,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-bridge-storage-mgmt-services/3.2.1',
+	'itop-bridge-storage-mgmt-services/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-bridge-virtualization-mgmt-services/module.itop-bridge-virtualization-mgmt-services.php

@@ -6,7 +6,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-bridge-virtualization-mgmt-services/3.2.1',
+	'itop-bridge-virtualization-mgmt-services/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-bridge-virtualization-storage/module.itop-bridge-virtualization-storage.php

@@ -2,7 +2,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-bridge-virtualization-storage/3.2.1',
+	'itop-bridge-virtualization-storage/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-change-mgmt-itil/module.itop-change-mgmt-itil.php

@@ -2,7 +2,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-change-mgmt-itil/3.2.1',
+	'itop-change-mgmt-itil/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-change-mgmt/module.itop-change-mgmt.php

@@ -2,7 +2,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-change-mgmt/3.2.1',
+	'itop-change-mgmt/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-config-mgmt/module.itop-config-mgmt.php

@@ -2,7 +2,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-config-mgmt/3.2.1',
+	'itop-config-mgmt/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-config/module.itop-config.php

@@ -2,7 +2,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-config/3.2.1',
+	'itop-config/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-core-update/module.itop-core-update.php

@@ -25,7 +25,7 @@
 /** @noinspection PhpUnhandledExceptionInspection */
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-core-update/3.2.1',
+	'itop-core-update/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-datacenter-mgmt/module.itop-datacenter-mgmt.php

@@ -19,7 +19,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-datacenter-mgmt/3.2.1',
+	'itop-datacenter-mgmt/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-endusers-devices/module.itop-endusers-devices.php

@@ -26,7 +26,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-endusers-devices/3.2.1',
+	'itop-endusers-devices/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-faq-light/module.itop-faq-light.php

@@ -2,7 +2,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-faq-light/3.2.1',
+	'itop-faq-light/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-files-information/module.itop-files-information.php

@@ -25,7 +25,7 @@
 /** @noinspection PhpUnhandledExceptionInspection */
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-files-information/3.2.1',
+	'itop-files-information/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-full-itil/module.itop-full-itil.php

@@ -6,7 +6,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-full-itil/3.2.1',
+	'itop-full-itil/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-hub-connector/ajax.php

@@ -279,11 +279,24 @@ try {
 			$oRuntimeEnv = new RunTimeEnvironment('production', true);
 
 			try {
-				SetupLog::Info('Move to production starts...');
 				$sAuthent = utils::ReadParam('authent', '', false, 'raw_data');
 				if (!file_exists(APPROOT.'data/hub/compile_authent') || $sAuthent !== file_get_contents(APPROOT.'data/hub/compile_authent')) {
 					throw new SecurityException(Dict::S('iTopHub:FailAuthent'));
 				}
+			} catch (Exception $e) {
+				if (file_exists(APPROOT.'data/hub/compile_authent')) {
+					unlink(APPROOT.'data/hub/compile_authent');
+				}
+				// Note: at this point, the dictionnary is not necessarily loaded
+				SetupLog::Error(get_class($e).': '.Dict::S('iTopHub:ConfigurationSafelyReverted')."\n".$e->getMessage());
+				SetupLog::Error('Debug trace: '.$e->getTraceAsString());
+				ReportError($e->getMessage(), $e->getCode());
+				break;
+			}
+
+			try {
+				SetupLog::Info('Move to production starts...');
+
 				unlink(APPROOT.'data/hub/compile_authent');
 				// Load the "production" config file to clone & update it
 				$oConfig = new Config(APPCONF.'production/'.ITOP_CONFIG_FILE);

datamodels/2.x/itop-hub-connector/module.itop-hub-connector.php

@@ -6,7 +6,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-hub-connector/3.2.1',
+	'itop-hub-connector/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-incident-mgmt-itil/module.itop-incident-mgmt-itil.php

@@ -2,7 +2,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-incident-mgmt-itil/3.2.1',
+	'itop-incident-mgmt-itil/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-knownerror-mgmt/module.itop-knownerror-mgmt.php

@@ -2,7 +2,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-knownerror-mgmt/3.2.1',
+	'itop-knownerror-mgmt/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-oauth-client/module.itop-oauth-client.php

@@ -6,7 +6,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-oauth-client/3.2.1',
+	'itop-oauth-client/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-portal-base/module.itop-portal-base.php

@@ -21,7 +21,7 @@
 /** @noinspection PhpUnhandledExceptionInspection */
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-portal-base/3.2.1',
+	'itop-portal-base/3.2.3',
 	[
 	// Identification
 	'label' => 'Portal Development Library',

datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php

@@ -1386,19 +1386,27 @@ class ObjectController extends BrickController
 				if ($oField instanceof DateTimeField) {
 					$oField->SetDateTimePickerWidgetParent($sDateTimePickerWidgetParent);
 				}
-				$sFieldRendererClass = BsLinkedSetFieldRenderer::GetFieldRendererClass($oField);
+
+				// View data
 				$sValue = $oAttDef->GetAsHTML($oNewLink->Get($sAttCode));
+				$aObjectData['attributes']['lnk__'.$sAttCode] = [
+					'object_class'   => $sLinkClass,
+					'object_id'      => $oNewLink->GetKey(),
+					'prefix'         => 'lnk__',
+					'attribute_code' => $sAttCode,
+					'attribute_type' => get_class($oAttDef),
+					'value_html'     => $sValue,
+				];
+
+				// If the field has a renderer we adjust view data
+				$sFieldRendererClass = BsLinkedSetFieldRenderer::GetFieldRendererClass($oField);
 				if ($sFieldRendererClass !== null) {
 					$oFieldRenderer = new $sFieldRendererClass($oField);
 					$oFieldOutput = $oFieldRenderer->Render();
-					$sValue = $oFieldOutput->GetHtml();
+					$aObjectData['attributes']['lnk__'.$sAttCode]['value_html'] = $oFieldOutput->GetHtml();
+					$aObjectData['attributes']['lnk__'.$sAttCode]['css_inline'] = $oFieldOutput->GetCss();
+					$aObjectData['attributes']['lnk__'.$sAttCode]['js_inline'] = $oFieldOutput->GetJs();
 				}
-				$aObjectData['attributes']['lnk__'.$sAttCode] = [
-					'att_code'   => $sAttCode,
-					'value'      => $sValue,
-					'css_inline' => $oFieldOutput->GetCss(),
-					'js_inline'  => $oFieldOutput->GetJs(),
-				];
 			}
 
 			$aData['items'][] = $aObjectData;

datamodels/2.x/itop-portal/module.itop-portal.php

@@ -21,7 +21,7 @@
 /** @noinspection PhpUnhandledExceptionInspection */
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-portal/3.2.1',
+	'itop-portal/3.2.3',
 	[
 	// Identification
 	'label' => 'Enhanced Customer Portal',

datamodels/2.x/itop-problem-mgmt/module.itop-problem-mgmt.php

@@ -2,7 +2,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-problem-mgmt/3.2.1',
+	'itop-problem-mgmt/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-profiles-itil/datamodel.itop-profiles-itil.xml

@@ -186,6 +186,7 @@
       <group id="AdminSysReadOnly" _delta="define">
         <classes>
           <class id="ItopFenceLogin"/>
+          <class id="ModuleInstallation"/>
         </classes>
       </group>
       <group id="AdminSys" _delta="define">
@@ -195,6 +196,11 @@
           <class id="RessourceHybridAuthMenu"/>
         </classes>
       </group>
+      <group id="Event" _delta="define">
+        <classes>
+          <class id="Event"/>
+        </classes>
+      </group>
     </groups>
     <profiles>
       <profile id="117" _delta="define">
@@ -290,6 +296,16 @@
               <action id="stimulus:ev_close">allow</action>
             </actions>
           </group>
+          <group id="Event">
+            <actions>
+              <action id="action:read">allow</action>
+              <action id="action:bulk read">allow</action>
+              <action id="action:write">allow</action>
+              <action id="action:bulk write">allow</action>
+              <action id="action:delete">allow</action>
+              <action id="action:bulk delete">allow</action>
+            </actions>
+          </group>
         </groups>
       </profile>
       <profile id="3" _delta="define">

datamodels/2.x/itop-profiles-itil/module.itop-profiles-itil.php

@@ -19,7 +19,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-profiles-itil/3.2.1',
+	'itop-profiles-itil/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-request-mgmt-itil/module.itop-request-mgmt-itil.php

@@ -2,7 +2,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-request-mgmt-itil/3.2.1',
+	'itop-request-mgmt-itil/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-request-mgmt/module.itop-request-mgmt.php

@@ -2,7 +2,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-request-mgmt/3.2.1',
+	'itop-request-mgmt/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-service-mgmt-provider/module.itop-service-mgmt-provider.php

@@ -2,7 +2,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-service-mgmt-provider/3.2.1',
+	'itop-service-mgmt-provider/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-service-mgmt/module.itop-service-mgmt.php

@@ -2,7 +2,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-service-mgmt/3.2.1',
+	'itop-service-mgmt/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-sla-computation/module.itop-sla-computation.php

@@ -19,7 +19,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-sla-computation/3.2.1',
+	'itop-sla-computation/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-storage-mgmt/module.itop-storage-mgmt.php

@@ -26,7 +26,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-storage-mgmt/3.2.1',
+	'itop-storage-mgmt/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-structure/module.itop-structure.php

@@ -2,7 +2,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-structure/3.2.1',
+	'itop-structure/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-themes-compat/module.itop-themes-compat.php

@@ -6,7 +6,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-themes-compat/3.2.1',
+	'itop-themes-compat/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-tickets/module.itop-tickets.php

@@ -2,7 +2,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__,
-	'itop-tickets/3.2.1',
+	'itop-tickets/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-virtualization-mgmt/module.itop-virtualization-mgmt.php

@@ -17,7 +17,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-virtualization-mgmt/3.2.1',
+	'itop-virtualization-mgmt/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/itop-welcome-itil/module.itop-welcome-itil.php

@@ -2,7 +2,7 @@
 
 SetupWebPage::AddModule(
 	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
-	'itop-welcome-itil/3.2.1',
+	'itop-welcome-itil/3.2.3',
 	[
 		// Identification
 		//

datamodels/2.x/version.xml

@@ -1,4 +1,4 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <information>
-  <version>3.2.1</version>
+  <version>3.2.3</version>
 </information>

dictionaries/ui/pages/login/fr.dictionary.itop.login.php

@@ -36,7 +36,7 @@ Dict::Add('FR FR', 'French', 'Français', [
 	'UI:ResetPwd-Ready'               => 'Le mot de passe a bien été changé.',
 	'UI:ResetPwd-Login'               => 'Cliquez ici pour vous connecter...',
 
-	'UI:Login:About'                               => ITOP_APPLICATION.' Powered by Combodo~~',
+	'UI:Login:About'                               => ITOP_APPLICATION.' Powered by Combodo',
 	'UI:Login:ChangeYourPassword'                  => 'Changer de mot de passe',
 	'UI:Login:OldPasswordPrompt'                   => 'Ancien mot de passe',
 	'UI:Login:NewPasswordPrompt'                   => 'Nouveau mot de passe',

js/extkeywidget.js

@@ -120,6 +120,7 @@ function ExtKeyWidget(id, sTargetClass, sFilter, sTitle, bSelectMode, oWizHelper
 	this.sFormAttCode = sFormAttCode;
 
 	var me = this;
+    const iDropdownContentHeightDifference = 4;
 
 	this.Init = function () {
 		// make sure that the form is clean
@@ -171,7 +172,7 @@ function ExtKeyWidget(id, sTargetClass, sFilter, sTitle, bSelectMode, oWizHelper
 			// To avoid dropdown to be cut by the container's overflow hidden rule
 			dropdownParent: 'body',
 			onDropdownOpen: function (oDropdownElem) {
-				me.UpdateDropdownPosition(this.$control, oDropdownElem);
+				me.UpdateDropdownPosition(this.$control, oDropdownElem, this.$dropdown_content);
 			},
 		});
 		let $selectize = $select[0].selectize; // This stores the selectize object to a variable (with name 'selectize')
@@ -314,13 +315,14 @@ function ExtKeyWidget(id, sTargetClass, sFilter, sTitle, bSelectMode, oWizHelper
 	};
 
 	/**
-	 * Update the dropdown's position so it always fits in the screen
-	 *
-	 * @param {object} oControlElem jQuery object representing the "control" input (= where the user types) of the external key
-	 * @param {object} oDropdownElem jQuery object representing the results dropdown
-	 * @return {void}
-	 */
-	this.UpdateDropdownPosition = function (oControlElem, oDropdownElem) {
+     * Update the dropdown's position so it always fits in the screen
+     *
+     * @param {object} oControlElem jQuery object representing the "control" input (= where the user types) of the external key
+     * @param {object} oDropdownElem jQuery object representing the results dropdown
+     * @param {object|undefined} oDropdownContentElem
+     * @return {void}
+     */
+	this.UpdateDropdownPosition = function (oControlElem, oDropdownElem, oDropdownContentElem) {
 		// First fix width to ensure it's not too long
 		const fControlWidth = oControlElem.outerWidth();
 		oDropdownElem.css('width', fControlWidth);
@@ -328,6 +330,13 @@ function ExtKeyWidget(id, sTargetClass, sFilter, sTitle, bSelectMode, oWizHelper
 		// Then, fix height / position to ensure it's within the viewport
 		const fWindowHeight = window.innerHeight;
 
+        // Clear previously set rule so the comparison is done with dropdown real height
+        oDropdownElem.css('max-height', '');
+
+        if(oDropdownContentElem) {
+            oDropdownContentElem.css('max-height', '');
+        }
+
 		const fControlTopY = oControlElem.offset().top;
 		const fControlHeight = oControlElem.outerHeight();
 
@@ -338,14 +347,38 @@ function ExtKeyWidget(id, sTargetClass, sFilter, sTitle, bSelectMode, oWizHelper
 
 		if (fDropdownBottomY > fWindowHeight) {
 			// Set dropdown max-height to 1/3 of the screen, this way we are sure the dropdown will fit in either the top / bottom half of the screen
-			oDropdownElem.css('max-height', '30vh');
+			oDropdownElem.css({
+                maxHeight: '30vh',
+            });
 			fDropdownHeight = oDropdownElem.outerHeight();
 
-			// Position dropdown above input if not enough space on the bottom part of the screen
+            // N°9468 Dropdown content needs to be a few pixel shorter than the dropdown itself to avoid double scrollbar
+            if(oDropdownContentElem) {
+                oDropdownContentElem.css('max-height', `calc(30vh - ${iDropdownContentHeightDifference}px)`);
+            }
+
+			/* Position dropdown above input if not enough space on the bottom part of the screen
+               Doesn't seem to work with selectize as an internal plugin "auto_position" refreshes the top position after
+               this method is called, input set use a custom plugin to avoid fix this issue "plugin_combodo_auto_position"
+               This would need to take the potential 4px difference (iDropdownContentHeightDifference) into account if this is fixed.
+			 */
 			if ((fDropdownTopY / fWindowHeight) > 0.6) {
-				oDropdownElem.css('top', fDropdownTopY - fDropdownHeight - fControlHeight);
-			}
+                oDropdownElem.css({
+                    top: fDropdownTopY - fDropdownHeight - fControlHeight,
+                    borderTop: oDropdownElem.css('border-bottom')
+                });
+            }
+            else {
+                oDropdownElem.css({
+                    borderTop: 'none'
+                })
+            }
 		}
+        else {
+            oDropdownElem.css({
+                borderTop: 'none'
+            })
+        }
 	};
 	this.ManageScroll = function () {
 		if ($('#label_'+me.id).scrollParent()[0].tagName != 'HTML') {

js/field_set.js

@@ -189,11 +189,14 @@ $(function()
 			this.buildData.script_code = '';
 			this.buildData.style_code = '';
 
-			for (var i in oData.updated_fields)
+			for (let i in oData.updated_fields)
 			{
-				var oUpdatedField = oData.updated_fields[i];
-				this.options.fields_list[oUpdatedField.id] = oUpdatedField;
-				this._prepareField(oUpdatedField.id);
+				const oUpdatedField = oData.updated_fields[i];
+				const oPreviousField = this.options.fields_list[oUpdatedField.id];
+				if (!oPreviousField || JSON.stringify(oPreviousField) !== JSON.stringify(oUpdatedField)) {
+					this.options.fields_list[oUpdatedField.id] = oUpdatedField;
+					this._prepareField(oUpdatedField.id);
+				}
 			}
 
 			// Adding code to the dom

js/forms-json-utils.js

@@ -301,88 +301,112 @@ function ValidateField(sFieldId, sPattern, bMandatory, sFormId, nullValue, origi
 	return true; // Do not stop propagation ??
 }
 
-function ValidateCKEditField(sFieldId, sPattern, bMandatory, sFormId, nullValue, originalValue)
+function EvaluateCKEditorValidation(oOptions)
 {
-	let oField = $('#'+sFieldId);
+	let oField = $('#'+oOptions.sFieldId);
 	if (oField.length === 0) {
 		return false;
 	}
 
-	let oCKEditor = CombodoCKEditorHandler.GetInstanceSynchronous('#'+sFieldId);
+	let oCKEditor = CombodoCKEditorHandler.GetInstanceSynchronous('#'+oOptions.sFieldId);
+	let bValid = true;
+	let sExplain = '';
+	let sTextContent;
+	let sTextOriginalContents;
 
-	var bValid;
-	var sExplain = '';
 	if (oField.prop('disabled')) {
 		bValid = true; // disabled fields are not checked
 	} else {
 		// If the CKEditor is not yet loaded, we need to wait for it to be ready
 		// but as we need this function to be synchronous, we need to call it again when the CKEditor is ready
 		if (oCKEditor === undefined){
-			CombodoCKEditorHandler.GetInstance('#'+sFieldId).then((oCKEditor) => {
-				ValidateCKEditField(sFieldId, sPattern, bMandatory, sFormId, nullValue, originalValue);
+			CombodoCKEditorHandler.GetInstance('#'+oOptions.sFieldId).then((oCKEditor) => {
+				oOptions.onRetry();
 			});
-			return;
+			return false;
 		}
-		let sTextContent;
-		let sFormattedContent = oCKEditor.getData();
 
-		// Get the contents without the tags
-		// Check if we have a formatted content that is HTML, otherwise we just have plain text, and we can use it directly
+		let sFormattedContent = oCKEditor.getData();
 		sTextContent = $(sFormattedContent).length > 0 ? $(sFormattedContent).text() : sFormattedContent;
 
-		if (sTextContent === '') {
+		if (sTextContent === '')
+		{
 			// No plain text, maybe there is just an image
-			let oImg = $(sFormattedContent).find("img");
-			if (oImg.length !== 0) {
+			let oImg = $(sFormattedContent).find('img');
+			if (oImg.length !== 0)
+			{
 				sTextContent = 'image';
 			}
 		}
 
-		// Get the original value without the tags
-		let oFormattedOriginalContents = (originalValue !== undefined) ? $('<div></div>').html(originalValue) : undefined;
-		let sTextOriginalContents = (oFormattedOriginalContents !== undefined) ? oFormattedOriginalContents.text() : undefined;
+		let oFormattedOriginalContents = (oOptions.sOriginalValue !== undefined) ? $('<div></div>').html(oOptions.sOriginalValue) : undefined;
+		sTextOriginalContents = (oFormattedOriginalContents !== undefined) ? oFormattedOriginalContents.text() : undefined;
 
-		if (bMandatory && (sTextContent === nullValue)) {
-			bValid = false;
-			sExplain = Dict.S('UI:ValueMustBeSet');
-		} else if ((sTextOriginalContents !== undefined) && (sTextContent === sTextOriginalContents)) {
-			bValid = false;
-			if (sTextOriginalContents === nullValue) {
-				sExplain = Dict.S('UI:ValueMustBeSet');
-			} else {
-				// Note: value change check is not working well yet as the HTML to Text conversion is not exactly the same when done from the PHP value or the CKEditor value.
-				sExplain = Dict.S('UI:ValueMustBeChanged');
-			}
-		} else {
-			bValid = true;
+		if (oOptions.validate !== undefined) {
+			let oValidation = oOptions.validate(sTextContent, sTextOriginalContents);
+			bValid = oValidation.bValid;
+			sExplain = oValidation.sExplain;
 		}
-		
-		// Put and event to check the field when the content changes, remove the event right after as we'll call this same function again, and we don't want to call the event more than once (especially not ^2 times on each call)
+
+		// Put an event to check the field when the content changes, remove the event right after as we'll call this same function again, and we don't want to call the event more than once (especially not ^2 times on each call)
 		oCKEditor.model.document.once('change:data', (event) => {
-			ValidateCKEditField(sFieldId, sPattern, bMandatory, sFormId, nullValue, originalValue);
+			oOptions.onChange();
 		});
 	}
-	
-	ReportFieldValidationStatus(sFieldId, sFormId, bValid, sExplain);
+
+	ReportFieldValidationStatus(oOptions.sFieldId, oOptions.sFormId, bValid, sExplain);
 	return bValid;
 }
 
+function ValidateCKEditField(sFieldId, sPattern, bMandatory, sFormId, nullValue, originalValue)
+{
+	return EvaluateCKEditorValidation({
+		sFieldId: sFieldId,
+		sFormId: sFormId,
+        sOriginalValue: originalValue,
+		onRetry: function() {
+			ValidateCKEditField(sFieldId, sPattern, bMandatory, sFormId, nullValue, originalValue);
+		},
+		onChange: function() {
+			ValidateCKEditField(sFieldId, sPattern, bMandatory, sFormId, nullValue, originalValue);
+		},
+		validate: function(sTextContent, sTextOriginalContents) {
+			var bValid;
+			var sExplain = '';
+			if (bMandatory && (sTextContent === nullValue)) {
+				bValid = false;
+				sExplain = Dict.S('UI:ValueMustBeSet');
+			} else if ((sTextOriginalContents !== undefined) && (sTextContent === sTextOriginalContents)) {
+				bValid = false;
+				if (sTextOriginalContents === nullValue) {
+					sExplain = Dict.S('UI:ValueMustBeSet');
+				} else {
+					// Note: value change check is not working well yet as the HTML to Text conversion is not exactly the same when done from the PHP value or the CKEditor value.
+					sExplain = Dict.S('UI:ValueMustBeChanged');
+				}
+			} else {
+				bValid = true;
+			}
+			return {bValid: bValid, sExplain: sExplain};
+		}
+	});
+}
 function ResetPwd(id)
 {
-	// Reset the values of the password fields
-	$('#'+id).val('*****');
-	$('#'+id+'_confirm').val('*****');
-	// And reset the flag, to tell it that the password remains unchanged
-	$('#'+id+'_changed').val(0);
-	// Visual feedback, None when it's Ok
-	$('#v_'+id).html('');
+    // Reset the values of the password fields
+    $('#'+id).val('*****');
+    $('#'+id+'_confirm').val('*****');
+    // And reset the flag, to tell it that the password remains unchanged
+    $('#'+id+'_changed').val(0);
+    // Visual feedback, None when it's Ok
+    $('#v_'+id).html('');
 }
 
 // Called whenever the content of a one way encrypted password changes
 function PasswordFieldChanged(id)
 {
-	// Set the flag, to tell that the password changed
-	$('#'+id+'_changed').val(1);
+    // Set the flag, to tell that the password changed
+    $('#'+id+'_changed').val(1);
 }
 
 // Special validation function for one way encrypted password fields
@@ -415,37 +439,48 @@ function ValidatePasswordField(id, sFormId)
 // to determine if the field is empty or not
 function ValidateCaseLogField(sFieldId, bMandatory, sFormId, nullValue, originalValue)
 {
-	var bValid = true;
-	var sExplain = '';
-	var sTextContent;
-	
-	if ($('#'+sFieldId).prop('disabled'))
-	{
-		bValid = true; // disabled fields are not checked
-	}
-	else
-	{
-		// Get the contents (with tags)
-		// Note: For CaseLog we can't retrieve the formatted contents from CKEditor (unlike in ValidateCKEditorField() method) because of the place holder.
-		sTextContent = $('#' + sFieldId).val();
-		var count = $('#'+sFieldId+'_count').val();
+	return EvaluateCKEditorValidation({
+		sFieldId: sFieldId,
+		sFormId: sFormId,
+		sOriginalValue: originalValue,
+		onRetry: function() {
+			ValidateCaseLogField(sFieldId, bMandatory, sFormId, nullValue, originalValue);
+		},
+		onChange: function() {
+			ValidateCaseLogField(sFieldId, bMandatory, sFormId, nullValue, originalValue);
+		},
+		validate: function(sTextContent, sTextOriginalContents) {
+			var bValid;
+			var sExplain = '';
+			// CaseLog is special: history count matters when deciding if the field is empty
+			var count = $('#'+sFieldId+'_count').val();
 
-		if (bMandatory && (count == 0) && (sTextContent == nullValue))
-		{
-			// No previous entry and no content typed
-			bValid = false;
-			sExplain = Dict.S('UI:ValueMustBeSet');
+			if (bMandatory && (count == 0) && (sTextContent === nullValue))
+			{
+				// No previous entry and no content typed
+				bValid = false;
+				sExplain = Dict.S('UI:ValueMustBeSet');
+			}
+			else if ((sTextOriginalContents !== undefined) && (sTextContent === sTextOriginalContents))
+			{
+				bValid = false;
+				if (sTextOriginalContents === nullValue)
+				{
+					sExplain = Dict.S('UI:ValueMustBeSet');
+				}
+				else
+				{
+					// Note: value change check is not working well yet as the HTML to Text conversion is not exactly the same when done from the PHP value or the CKEditor value.
+					sExplain = Dict.S('UI:ValueMustBeChanged');
+				}
+			}
+			else
+			{
+				bValid = true;
+			}
+			return {bValid: bValid, sExplain: sExplain};
 		}
-		else if ((originalValue != undefined) && (sTextContent == originalValue))
-		{
-			bValid = false;
-			sExplain = Dict.S('UI:ValueMustBeChanged');
-		}
-	}
-	ReportFieldValidationStatus(sFieldId, sFormId, bValid, '' /* sExplain */);
-
-	// We need to check periodically as CKEditor doesn't trigger our events. More details in UIHTMLEditorWidget::Display() @ line 92
-	setTimeout(function(){ValidateCaseLogField(sFieldId, bMandatory, sFormId, nullValue, originalValue);}, 500);
+	});
 }
 
 // Validate the inputs depending on the current setting

js/selectize/plugin_combodo_auto_position.js

@@ -19,10 +19,11 @@ Selectize.define("combodo_auto_position", function (aOptions) {
 
 	// Selectize instance
 	let oSelf = this;
+    const iDropdownContentHeightDifference = 4;
 
 	// Plugin options
 	aOptions = $.extend({
-			maxDropDownHeight: 200,
+			maxDropDownHeight: '200px',
 		},
 		aOptions
 	);
@@ -33,28 +34,47 @@ Selectize.define("combodo_auto_position", function (aOptions) {
 	// Override position dropdown function
 	oSelf.positionDropdown = (function () {
 		return function () {
-			let iRefHeight = oSelf.$dropdown.outerHeight() < aOptions.maxDropDownHeight ?
-				oSelf.$dropdown.outerHeight() : aOptions.maxDropDownHeight;
+            // Clear previously set rules so the comparison is done with dropdown real height
+            oSelf.$dropdown.css({
+                'max-height': '',
+            });
 
-			if(oSelf.$control.offset().top + oSelf.$control.outerHeight() + iRefHeight > window.innerHeight){
+            oSelf.$dropdown_content.css({
+                'max-height': '',
+            });
 
-				oSelf.$dropdown.css({
-					top: oSelf.$control.offset().top - iRefHeight,
-					left: oSelf.$control.offset().left,
+            let iDropdownHeight = oSelf.$dropdown.outerHeight();
+			if(oSelf.$control.offset().top + oSelf.$control.outerHeight() + iDropdownHeight > window.innerHeight){
+
+                // Apply max-height as we are overflowing, that'll allow us to calculate where we should place ourselves later
+                oSelf.$dropdown.css({
+                    maxHeight: `${aOptions.maxDropDownHeight}`,
+                })
+
+                iDropdownHeight = oSelf.$dropdown.outerHeight();
+
+                oSelf.$dropdown.css({
+                    top: oSelf.$control.offset().top - iDropdownHeight + iDropdownContentHeightDifference, // Content will be shorter, so our real height too
+                    left: oSelf.$control.offset().left,
 					width: oSelf.$wrapper.outerWidth(),
-					'max-height': `${aOptions.maxDropDownHeight}px`,
-					'overflow-y': 'auto',
-					'border-top': '1px solid #d0d0d0',
+					overflowY: 'auto',
+                    borderTop : oSelf.$dropdown.css('border-bottom')
 				});
+
+                // N°9468 Dropdown content needs to be a few pixel shorter than the dropdown itself to avoid double scrollbar
+                oSelf.$dropdown_content.css({
+                    'max-height': `calc(${aOptions.maxDropDownHeight} - ${iDropdownContentHeightDifference}px)`
+                });
+
 			}
 			else{
 				oSelf.$dropdown.css({
 					top: oSelf.$control.offset().top + oSelf.$control.outerHeight(),
 					left: oSelf.$control.offset().left,
 					width: oSelf.$wrapper.outerWidth(),
-					'max-height': `${aOptions.maxDropDownHeight}px`,
-					'overflow-y': 'auto'
-				});
+					overflowY: 'auto',
+                    borderTop: 'none'
+            });
 			}
 		};
 	}());

lib/composer/autoload_classmap.php

@@ -193,6 +193,8 @@ return array(
     'Combodo\\iTop\\Application\\Helper\\CKEditorHelper' => $baseDir . '/sources/Application/Helper/CKEditorHelper.php',
     'Combodo\\iTop\\Application\\Helper\\ExportHelper' => $baseDir . '/sources/Application/Helper/ExportHelper.php',
     'Combodo\\iTop\\Application\\Helper\\FormHelper' => $baseDir . '/sources/Application/Helper/FormHelper.php',
+    'Combodo\\iTop\\Application\\Helper\\ImportHelper' => $baseDir . '/sources/Application/Helper/ImportHelper.php',
+    'Combodo\\iTop\\Application\\Helper\\SearchHelper' => $baseDir . '/sources/Application/Helper/SearchHelper.php',
     'Combodo\\iTop\\Application\\Helper\\Session' => $baseDir . '/sources/Application/Helper/Session.php',
     'Combodo\\iTop\\Application\\Helper\\WebResourcesHelper' => $baseDir . '/sources/Application/Helper/WebResourcesHelper.php',
     'Combodo\\iTop\\Application\\Newsroom\\iTopNewsroomProvider' => $baseDir . '/sources/Application/Newsroom/iTopNewsroomProvider.php',

lib/composer/autoload_static.php

@@ -548,6 +548,8 @@ class ComposerStaticInit7f81b4a2a468a061c306af5e447a9a9f
         'Combodo\\iTop\\Application\\Helper\\CKEditorHelper' => __DIR__ . '/../..' . '/sources/Application/Helper/CKEditorHelper.php',
         'Combodo\\iTop\\Application\\Helper\\ExportHelper' => __DIR__ . '/../..' . '/sources/Application/Helper/ExportHelper.php',
         'Combodo\\iTop\\Application\\Helper\\FormHelper' => __DIR__ . '/../..' . '/sources/Application/Helper/FormHelper.php',
+        'Combodo\\iTop\\Application\\Helper\\ImportHelper' => __DIR__ . '/../..' . '/sources/Application/Helper/ImportHelper.php',
+        'Combodo\\iTop\\Application\\Helper\\SearchHelper' => __DIR__ . '/../..' . '/sources/Application/Helper/SearchHelper.php',
         'Combodo\\iTop\\Application\\Helper\\Session' => __DIR__ . '/../..' . '/sources/Application/Helper/Session.php',
         'Combodo\\iTop\\Application\\Helper\\WebResourcesHelper' => __DIR__ . '/../..' . '/sources/Application/Helper/WebResourcesHelper.php',
         'Combodo\\iTop\\Application\\Newsroom\\iTopNewsroomProvider' => __DIR__ . '/../..' . '/sources/Application/Newsroom/iTopNewsroomProvider.php',

lib/composer/installed.json

@@ -1654,17 +1654,17 @@
         },
         {
             "name": "scssphp/scssphp",
-            "version": "v1.13.0",
-            "version_normalized": "1.13.0.0",
+            "version": "dev-combodo/1.x",
+            "version_normalized": "dev-combodo/1.x",
             "source": {
                 "type": "git",
-                "url": "https://github.com/scssphp/scssphp.git",
-                "reference": "63d1157457e5554edf00b0c1fabab4c1511d2520"
+                "url": "https://github.com/combodo-itop-libs/scssphp.git",
+                "reference": "dde81c0a39d02e8e6fc81b70269747734e16d526"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/scssphp/scssphp/zipball/63d1157457e5554edf00b0c1fabab4c1511d2520",
-                "reference": "63d1157457e5554edf00b0c1fabab4c1511d2520",
+                "url": "https://api.github.com/repos/combodo-itop-libs/scssphp/zipball/dde81c0a39d02e8e6fc81b70269747734e16d526",
+                "reference": "dde81c0a39d02e8e6fc81b70269747734e16d526",
                 "shasum": ""
             },
             "require": {
@@ -1687,15 +1687,15 @@
                 "ext-iconv": "Can be used as fallback when ext-mbstring is not available",
                 "ext-mbstring": "For best performance, mbstring should be installed as it is faster than ext-iconv"
             },
-            "time": "2024-08-17T21:02:11+00:00",
+            "time": "2026-03-23T15:26:59+00:00",
             "bin": [
                 "bin/pscss"
             ],
             "type": "library",
             "extra": {
                 "bamarni-bin": {
-                    "bin-links": false,
-                    "forward-command": false
+                    "forward-command": false,
+                    "bin-links": false
                 }
             },
             "installation-source": "dist",
@@ -1704,7 +1704,11 @@
                     "ScssPhp\\ScssPhp\\": "src/"
                 }
             },
-            "notification-url": "https://packagist.org/downloads/",
+            "autoload-dev": {
+                "psr-4": {
+                    "ScssPhp\\ScssPhp\\Tests\\": "tests/"
+                }
+            },
             "license": [
                 "MIT"
             ],
@@ -1730,8 +1734,7 @@
                 "stylesheet"
             ],
             "support": {
-                "issues": "https://github.com/scssphp/scssphp/issues",
-                "source": "https://github.com/scssphp/scssphp/tree/v1.13.0"
+                "source": "https://github.com/combodo-itop-libs/scssphp/tree/combodo/1.x"
             },
             "install-path": "../scssphp/scssphp"
         },

lib/composer/installed.php

@@ -292,9 +292,9 @@
             'dev_requirement' => false,
         ),
         'scssphp/scssphp' => array(
-            'pretty_version' => 'v1.13.0',
-            'version' => '1.13.0.0',
-            'reference' => '63d1157457e5554edf00b0c1fabab4c1511d2520',
+            'pretty_version' => 'dev-combodo/1.x',
+            'version' => 'dev-combodo/1.x',
+            'reference' => 'dde81c0a39d02e8e6fc81b70269747734e16d526',
             'type' => 'library',
             'install_path' => __DIR__ . '/../scssphp/scssphp',
             'aliases' => array(),

lib/scssphp/scssphp/src/Compiler.php

@@ -5052,7 +5052,7 @@ EOL;
      *
      * @return array
      */
-    protected function multiplyMedia(Environment $env = null, $childQueries = null)
+    protected function multiplyMedia(?Environment $env = null, $childQueries = null)
     {
         if (
             ! isset($env) ||
@@ -5144,7 +5144,7 @@ EOL;
      *
      * @return \ScssPhp\ScssPhp\Compiler\Environment
      */
-    protected function pushEnv(Block $block = null)
+    protected function pushEnv(?Block $block = null)
     {
         $env = new Environment();
         $env->parent = $this->env;
@@ -5208,7 +5208,7 @@ EOL;
      *
      * @return void
      */
-    protected function set($name, $value, $shadow = false, Environment $env = null, $valueUnreduced = null)
+    protected function set($name, $value, $shadow = false, ?Environment $env = null, $valueUnreduced = null)
     {
         $name = $this->normalizeName($name);
 
@@ -5314,7 +5314,7 @@ EOL;
      *
      * @return mixed|null
      */
-    public function get($name, $shouldThrow = true, Environment $env = null, $unreduced = false)
+    public function get($name, $shouldThrow = true, ?Environment $env = null, $unreduced = false)
     {
         $normalizedName = $this->normalizeName($name);
         $specialContentKey = static::$namespaces['special'] . 'content';
@@ -5379,7 +5379,7 @@ EOL;
      *
      * @return bool
      */
-    protected function has($name, Environment $env = null)
+    protected function has($name, ?Environment $env = null)
     {
         return ! \is_null($this->get($name, false, $env));
     }

lib/scssphp/scssphp/src/Formatter.php

@@ -272,7 +272,7 @@ abstract class Formatter
      *
      * @return string
      */
-    public function format(OutputBlock $block, SourceMapGenerator $sourceMapGenerator = null)
+    public function format(OutputBlock $block, ?SourceMapGenerator $sourceMapGenerator = null)
     {
         $this->sourceMapGenerator = null;
 

lib/scssphp/scssphp/src/Node/Number.php

@@ -578,7 +578,7 @@ class Number extends Node implements \ArrayAccess, \JsonSerializable
      *
      * @return string
      */
-    public function output(Compiler $compiler = null)
+    public function output(?Compiler $compiler = null)
     {
         $dimension = round($this->dimension, self::PRECISION);
 

lib/scssphp/scssphp/src/Parser.php

@@ -140,7 +140,7 @@ class Parser
      * @param bool                 $cssOnly
      * @param LoggerInterface|null $logger
      */
-    public function __construct($sourceName, $sourceIndex = 0, $encoding = 'utf-8', Cache $cache = null, $cssOnly = false, LoggerInterface $logger = null)
+    public function __construct($sourceName, $sourceIndex = 0, $encoding = 'utf-8', ?Cache $cache = null, $cssOnly = false, ?LoggerInterface $logger = null)
     {
         $this->sourceName       = $sourceName ?: '(stdin)';
         $this->sourceIndex      = $sourceIndex;