N°8806 - code cleanup + test cover

N°8806 - add log when loading MFModule
N°8806 - improve GetMFModulesToCompile to handle extensions and installation choices on all setup that use compileFrom (MTP, CoreUpdate, Hub, DryRemoval)
2026-04-12 05:08:43 +02:00 · 2026-04-10 11:08:53 +02:00 · 2026-04-09 16:31:44 +02:00 · 2026-04-09 14:13:16 +02:00 · 2026-04-09 07:53:52 +02:00 · 2026-04-09 07:53:52 +02:00
992 changed files with 45892 additions and 13481 deletions
--- a/.doc/developers.md
+++ b/.doc/developers.md
@@ -0,0 +1,9 @@
+# Developers
+
+## PHP Code Styles
+We use `PHP CS Fixer` to ensure code formating consistency across PHP codebase.
+You can find the configuration and instructions to run it [here](../tests/php-code-style/README.md).
+
+## PHP Static Analysis
+We use `PHPStan` to ensure code quality and to detect potential bugs in our PHP codebase.
+You can find the configuration and instructions to run it [here](../tests/php-static-analysis/README.md).
--- a/.gitignore
+++ b/.gitignore
@@ -58,6 +58,9 @@ tests/*/vendor/*
 /tests/php-unit-tests/phpunit.xml
 /tests/php-unit-tests/postbuild_integration.xml

+# PHP CS Fixer: Cache file
+/.php-cs-fixer.cache
+

 # Jetbrains
 /.idea/**
--- a/README.md
+++ b/README.md
@@ -73,6 +73,9 @@ iTop development is sponsored, led, and supported by [Combodo][0].

 [0]: https://www.combodo.com

+## Developers
+
+You can find information and instructions about our quality tools and how to run them [here](.doc/developers.md).

 ## Contributors

--- a/application/application.inc.php
+++ b/application/application.inc.php
@@ -16,5 +16,5 @@ require_once(APPROOT.'/application/audit.category.class.inc.php');
 require_once(APPROOT.'/application/audit.domain.class.inc.php');
 require_once(APPROOT.'/application/audit.rule.class.inc.php');
 require_once(APPROOT.'/application/query.class.inc.php');
-require_once(APPROOT.'/setup/moduleinstallation.class.inc.php');
+require_once(APPROOT.'/setup/moduleinstallation/moduleinstallation.class.inc.php');
 require_once(APPROOT.'/application/utils.inc.php');
--- a/application/cmdbabstract.class.inc.php
+++ b/application/cmdbabstract.class.inc.php
@@ -819,6 +819,7 @@ HTML
 				foreach ($aNotificationClasses as $sNotifClass) {
 					$aNotifSearches[$sNotifClass] = DBObjectSearch::FromOQL("SELECT $sNotifClass AS Ev WHERE Ev.object_id = :id AND Ev.object_class = :class");
 					$aNotifSearches[$sNotifClass]->SetInternalParams($aParams);
+					$aNotifSearches[$sNotifClass]->AllowAllData();
 					$oNotifSet = new DBObjectSet($aNotifSearches[$sNotifClass], []);
 					$iNotifsCount += $oNotifSet->Count();
 				}
@@ -832,6 +833,7 @@ HTML
 						'menu' => false,
 						'panel_title' => MetaModel::GetName($sNotifClass),
 						'panel_icon' => MetaModel::GetClassIcon($sNotifClass, false),
+						'display_unauthorized_objects' => true,
 					]);
 				}
 			}
@@ -5632,7 +5634,7 @@ JS
 	 * @return void
 	 * @since 3.1.0
 	 */
-	final public function AddAttributeFlags(string $sAttCode, int $iFlags, string $sTargetState = '', string $sReason = null): void
+	final public function AddAttributeFlags(string $sAttCode, int $iFlags, string $sTargetState = '', ?string $sReason = null): void
 	{
 		if (!isset($this->aAttributesFlags[$sTargetState])) {
 			$this->aAttributesFlags[$sTargetState] = [];
@@ -5655,7 +5657,7 @@ JS
 	 * @return void
 	 * @since 3.1.0
 	 */
-	final public function ForceAttributeFlags(string $sAttCode, int $iFlags, string $sTargetState = '', string $sReason = null): void
+	final public function ForceAttributeFlags(string $sAttCode, int $iFlags, string $sTargetState = '', ?string $sReason = null): void
 	{
 		if (!isset($this->aAttributesFlags[$sTargetState])) {
 			$this->aAttributesFlags[$sTargetState] = [];
@@ -5696,7 +5698,7 @@ JS
 	 * @return void
 	 * @since 3.1.0
 	 */
-	final public function AddInitialAttributeFlags(string $sAttCode, int $iFlags, string $sReason = null)
+	final public function AddInitialAttributeFlags(string $sAttCode, int $iFlags, ?string $sReason = null)
 	{
 		if (!isset($this->aInitialAttributesFlags)) {
 			$this->aInitialAttributesFlags = [];
@@ -5718,7 +5720,7 @@ JS
 	 * @return void
 	 * @since 3.1.0
 	 */
-	final public function ForceInitialAttributeFlags(string $sAttCode, int $iFlags, string $sReason = null)
+	final public function ForceInitialAttributeFlags(string $sAttCode, int $iFlags, ?string $sReason = null)
 	{
 		if (!isset($this->aInitialAttributesFlags)) {
 			$this->aInitialAttributesFlags = [];
--- a/application/dashboard.class.inc.php
+++ b/application/dashboard.class.inc.php
@@ -497,7 +497,7 @@ EOF
 	 * @param array $aExtraParams
 	 * @param bool $bCanEdit
 	 *
-	 * @return \Combodo\iTop\Application\UI\Base\Layout\Dashboard\DashboardLayout
+	 * @return null|\Combodo\iTop\Application\UI\Base\Layout\Dashboard\DashboardLayout
 	 */
 	public function Render($oPage, $bEditMode = false, $aExtraParams = [], $bCanEdit = true)
 	{
@@ -1029,7 +1029,7 @@ EOF
 			    var dashboard = $('.ibo-dashboard#$sDivId')
 				dashboard.block();
 				$.post(GetAbsoluteUrlAppRoot()+'pages/ajax.render.php',
-				   { operation: 'toggle_dashboard', dashboard_id: '$sId', file: '$sFile', extra_params: $sExtraParams, reload_url: '$sReloadURL' },
+				   { operation: 'toggle_dashboard', dashboard_id: '$sId', file: '$sFile', extra_params: $sExtraParams, reload_url: $sReloadURL },
 				   function(data) {
 					 dashboard.html(data);
 					 dashboard.unblock();
--- a/application/displayblock.class.inc.php
+++ b/application/displayblock.class.inc.php
@@ -726,6 +726,10 @@ class DisplayBlock
 				}
 			}

+			if (!$this->m_oFilter->IsAllDataAllowed() && ($aExtraParams['display_unauthorized_objects'] ?? false) === true) {
+				$this->m_oFilter->AllowAllData();
+			}
+
 			$aExtraParams['query_params'] = $this->m_oFilter->GetInternalParams();
 			$this->m_oSet = new CMDBObjectSet($this->m_oFilter, $aOrderBy, $aQueryParams);
 		}
@@ -1379,7 +1383,10 @@ JS

 		// Check the classes that can be read (i.e authorized) by this user...
 		foreach ($aClasses as $sAlias => $sClassName) {
-			if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $this->m_oSet) != UR_ALLOWED_NO) {
+			if (
+				(UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $this->m_oSet) !== UR_ALLOWED_NO)
+				|| ($aExtraParams['display_unauthorized_objects'] ?? false) === true
+			) {
 				$aAuthorizedClasses[$sAlias] = $sClassName;
 			}
 		}
--- a/application/exceptions/ForgotPasswordApplicationException.php
+++ b/application/exceptions/ForgotPasswordApplicationException.php
@@ -0,0 +1,10 @@
+<?php
+
+/**
+ * @copyright   Copyright (C) 2010-2026 Combodo SAS
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */
+
+class ForgotPasswordApplicationException extends Exception
+{
+}
--- a/application/exceptions/ForgotPasswordUserInputException.php
+++ b/application/exceptions/ForgotPasswordUserInputException.php
@@ -0,0 +1,10 @@
+<?php
+
+/**
+ * @copyright   Copyright (C) 2010-2026 Combodo SAS
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */
+
+class ForgotPasswordUserInputException extends Exception
+{
+}
--- a/application/forms.class.inc.php
+++ b/application/forms.class.inc.php
@@ -1387,7 +1387,7 @@ class DesignerIconSelectionField extends DesignerFormField
 	public function AddAllowedValue($aValue)
 	{
 		// Add a null value to the list of allowed values
-		$this->aAllowedValues = array_merge([$aValue], $this->aAllowedValues);
+		$this->aAllowedValues = array_merge([$aValue], $this->aAllowedValues ?? [null]);
 	}
 	public function EnableUpload($sIconUploadUrl)
 	{
--- a/application/loginexternal.class.inc.php
+++ b/application/loginexternal.class.inc.php
@@ -75,13 +75,10 @@ class LoginExternal extends AbstractLoginFSMExtension
 	}

 	/**
-	 * @return bool
+	 * @return bool|mixed
 	 */
 	private function GetAuthUser()
 	{
-		$sExtAuthVar = MetaModel::GetConfig()->GetExternalAuthenticationVariable(); // In which variable is the info passed ?
-		eval('$sAuthUser = isset('.$sExtAuthVar.') ? '.$sExtAuthVar.' : false;'); // Retrieve the value
-		/** @var string $sAuthUser */
-		return $sAuthUser; // Retrieve the value
+		return MetaModel::GetConfig()->GetExternalAuthenticationVariable();
 	}
 }
--- a/application/loginwebpage.class.inc.php
+++ b/application/loginwebpage.class.inc.php
@@ -221,15 +221,15 @@ class LoginWebPage extends NiceWebPage

 			if ($oUser != null) {
 				if (!MetaModel::IsValidAttCode(get_class($oUser), 'reset_pwd_token')) {
-					throw new Exception(Dict::S('UI:ResetPwd-Error-NotPossible'));
+					throw new ForgotPasswordUserInputException('External accounts do not allow password reset');
 				}
 				if (!$oUser->CanChangePassword()) {
-					throw new Exception(Dict::S('UI:ResetPwd-Error-FixedPwd'));
+					throw new ForgotPasswordUserInputException('The account does not allow password reset');
 				}

 				$sTo = $oUser->GetResetPasswordEmail(); // throws Exceptions if not allowed
 				if ($sTo == '') {
-					throw new Exception(Dict::S('UI:ResetPwd-Error-NoEmail'));
+					throw new ForgotPasswordUserInputException('Missing email address for this account');
 				}

 				// This token allows the user to change the password without knowing the previous one
@@ -255,17 +255,21 @@ class LoginWebPage extends NiceWebPage

 					case EMAIL_SEND_ERROR:
 					default:
-						IssueLog::Error('Failed to send the email with the NEW password for '.$oUser->Get('friendlyname').': '.implode(', ', $aIssues));
-						throw new Exception(Dict::S('UI:ResetPwd-Error-Send'));
+						throw new ForgotPasswordApplicationException('Failed to send the password reset email for '.$oUser->Get('friendlyname').': '.implode(', ', $aIssues));
 				}
 			}

-			$oTwigContext = new LoginTwigRenderer();
-			$aVars = $oTwigContext->GetDefaultVars();
-			$oTwigContext->Render($this, 'forgotpwdsent.html.twig', $aVars);
-		} catch (Exception $e) {
-			$this->DisplayForgotPwdForm(true, $e->getMessage());
+		} catch (ForgotPasswordApplicationException $e) {
+			IssueLog::Error('Failed to process the forgot password request for user "'.$sAuthUser.'" [reason='.get_class($e).']: '.$e->getMessage());
+		} catch (ForgotPasswordUserInputException $e) {
+			IssueLog::Info('Failed to process the forgot password request for user "'.$sAuthUser.'" [reason='.get_class($e).']: '.$e->getMessage());
+		} catch (\Throwable $e) {
+			IssueLog::Error('Unexpected error while processing the forgot password request for user "'.$sAuthUser.'": '.$e->getMessage());
 		}
+
+		$oTwigContext = new LoginTwigRenderer();
+		$aVars = $oTwigContext->GetDefaultVars();
+		$oTwigContext->Render($this, 'forgotpwdsent.html.twig', $aVars);
 	}

 	public function DisplayResetPwdForm($sErrorMessage = null)
--- a/application/newsroomprovider.class.inc.php
+++ b/application/newsroomprovider.class.inc.php
@@ -34,7 +34,7 @@ interface iNewsroomProvider
 	 * @param User $oUser The user for who to check if the provider is applicable.
 	 * return bool
 	 */
-	public function IsApplicable(User $oUser = null);
+	public function IsApplicable(?User $oUser = null);

 	/**
 	 * The human readable (localized) label for this provider
@@ -139,7 +139,7 @@ abstract class NewsroomProviderBase implements iNewsroomProvider
 	 */
 	abstract public function GetViewAllURL();

-	public function IsApplicable(User $oUser = null)
+	public function IsApplicable(?User $oUser = null)
 	{
 		return false;
 	}
--- a/application/query.class.inc.php
+++ b/application/query.class.inc.php
@@ -151,7 +151,7 @@ abstract class Query extends cmdbAbstractObject
 	 * @return string|null
 	 * @since 3.1.0
 	 */
-	abstract public function GetExportUrl(array $aValues = null): ?string;
+	abstract public function GetExportUrl(?array $aValues = null): ?string;

 	/**
 	 * Update last export information.
@@ -227,7 +227,7 @@ class QueryOQL extends Query
 	}

 	/** @inheritdoc */
-	public function GetExportUrl(array $aValues = null): ?string
+	public function GetExportUrl(?array $aValues = null): ?string
 	{
 		try {
 			// retrieve attributes
--- a/application/themehandler.class.inc.php
+++ b/application/themehandler.class.inc.php
@@ -924,11 +924,6 @@ CSS;
 	public static function CloneThemeParameterAndIncludeVersion($aThemeParameters, $bSetupCompilationTimestamp, $aImportsPaths)
 	{
 		$aThemeParametersVariable = [];
-		if (array_key_exists('variables', $aThemeParameters)) {
-			if (is_array($aThemeParameters['variables'])) {
-				$aThemeParametersVariable = array_merge([], $aThemeParameters['variables']);
-			}
-		}

 		if (array_key_exists('variable_imports', $aThemeParameters)) {
 			if (is_array($aThemeParameters['variable_imports'])) {
@@ -936,6 +931,14 @@ CSS;
 			}
 		}

+		// Variables defined in theme XML have the priority over variables defined in XML imports files
+		// They're defined after so they overwrite previous parameters
+		if (array_key_exists('variables', $aThemeParameters)) {
+			if (is_array($aThemeParameters['variables'])) {
+				$aThemeParametersVariable = array_merge($aThemeParametersVariable, $aThemeParameters['variables']);
+			}
+		}
+
 		$aThemeParametersVariable['$version'] = $bSetupCompilationTimestamp;
 		return $aThemeParametersVariable;
 	}
@@ -967,7 +970,9 @@ CSS;
 				}
 			}
 		}
-		array_map(function ($sVariableValue) { return ltrim($sVariableValue); }, $aVariablesResults);
+		array_map(function ($sVariableValue) {
+			return ltrim($sVariableValue);
+		}, $aVariablesResults);
 		return $aVariablesResults;
 	}

--- a/application/ui.linksdirectwidget.class.inc.php
+++ b/application/ui.linksdirectwidget.class.inc.php
@@ -228,7 +228,7 @@ JS
 			<<<HTML
 <form id="ObjectsAddForm_{$this->sInputid}">
    <div id="SearchResultsToAdd_{$this->sInputid}">
-        <div style="background: #fff; border:0; text-align:center; vertical-align:middle;"><p>{$sEmptyList}</p></div>
+        <div style="border:0; text-align:center; vertical-align:middle;"><p>{$sEmptyList}</p></div>
    </div>
    <input type="hidden" id="count_{$this->sInputid}" value="0"/>
 </form>
--- a/application/ui.searchformforeignkeys.class.inc.php
+++ b/application/ui.searchformforeignkeys.class.inc.php
@@ -27,6 +27,9 @@ require_once(APPROOT.'/application/displayblock.class.inc.php');

 class UISearchFormForeignKeys
 {
+	private $m_sRemoteClass;
+	private $m_iInputId;
+
 	public function __construct($sTargetClass, $iInputId = null)
 	{
 		$this->m_sRemoteClass = $sTargetClass;
@@ -40,7 +43,7 @@ class UISearchFormForeignKeys
 	 *
 	 * @throws \Exception
 	 */
-	public function ShowModalSearchForeignKeys($oPage, $sTitle)
+	public function ShowModalSearchForeignKeys($oPage)
 	{

 		$oFilter = new DBObjectSearch($this->m_sRemoteClass);
@@ -60,52 +63,17 @@ class UISearchFormForeignKeys
 			]
 		));
 		$sEmptyList = Dict::S('UI:Message:EmptyList:UseSearchForm');
-		$sCancel = Dict::S('UI:Button:Cancel');
-		$sAdd = Dict::S('UI:Button:Add');

 		$oPage->add(
 			<<<HTML
 <form id="ObjectsAddForm_{$this->m_iInputId}">
    <div id="SearchResultsToAdd_{$this->m_iInputId}" style="vertical-align:top;height:100%;overflow:auto;padding:0;border:0;">
-        <div style="background: #fff; border:0; text-align:center; vertical-align:middle;"><p>{$sEmptyList}</p></div>
+        <div style="border:0; text-align:center; vertical-align:middle;"><p>{$sEmptyList}</p></div>
    </div>
    <input type="hidden" id="count_{$this->m_iInputId}" value="0"/>
 </form>
 HTML
 		);
-
-		$oPage->add_ready_script(
-			<<<JS
- $('#dlg_{$this->m_iInputId}').dialog({ 
- 			width: $(window).width()*0.8, 
- 			height: $(window).height()*0.8, 
- 			autoOpen: false, 
- 			modal: true, 
- 			resizeStop: oForeignKeysWidget{$this->m_iInputId}.UpdateSizes,
-            buttons: [
-				{
-					text: Dict.S('UI:Button:Cancel'),
-					class: "cancel ibo-is-alternative ibo-is-neutral",
-					click: function() {
-						$('#dlg_{$this->m_iInputId}').dialog('close');
-					}
-				},
-				{
-					text:  Dict.S('UI:Button:Add'),
-					id: 'btn_ok_{$this->m_iInputId}',
-					class: "ok ibo-is-regular ibo-is-primary",
-					click: function() {
-						oForeignKeysWidget{$this->m_iInputId}.DoAddObjects(this.id);							
-					}
-				},
-			],
-
- });
-$('#dlg_{$this->m_iInputId}').dialog('option', {title:'$sTitle'});
-$('#SearchFormToAdd_{$this->m_iInputId} form').on('submit.uilinksWizard', oForeignKeysWidget{$this->m_iInputId}.SearchObjectsToAdd);
-$('#SearchFormToAdd_{$this->m_iInputId}').on('resize', oForeignKeysWidget{$this->m_iInputId}.UpdateSizes);
-JS
-		);
 	}

 	public function GetFullListForeignKeysFromSelection($oPage, $oFullSetFilter)
@@ -119,31 +87,4 @@ JS
 			IssueLog::Error($e->getMessage()."\nDebug trace:\n".$e->getTraceAsString());
 		}
 	}
-
-	/**
-	 * Search for objects to be linked to the current object (i.e "remote" objects)
-	 *
-	 * @param WebPage $oP The page used for the output (usually an AjaxWebPage)
-	 * @param string $sRemoteClass Name of the "remote" class to perform the search on, must be a derived class of m_sRemoteClass
-	 *
-	 * @throws \Exception
-	 */
-	public function ListResultsSearchForeignKeys(WebPage $oP, $sRemoteClass = '')
-	{
-		if ($sRemoteClass != '') {
-			// assert(MetaModel::IsParentClass($this->m_sRemoteClass, $sRemoteClass));
-			$oFilter = new DBObjectSearch($sRemoteClass);
-		} else {
-			// No remote class specified use the one defined in the linkedset
-			$oFilter = new DBObjectSearch($this->m_sRemoteClass);
-		}
-
-		$oBlock = new DisplayBlock($oFilter, 'list', false);
-		$oBlock->Display(
-			$oP,
-			"ResultsToAdd_{$this->m_iInputId}",
-			['menu' => false, 'cssCount' => "#count_{$this->m_iInputId}", 'selection_mode' => true, 'table_id' => "add_{$this->m_iInputId}"]
-		);
-	}
-
 }
--- a/application/utils.inc.php
+++ b/application/utils.inc.php
@@ -122,6 +122,11 @@ class utils
 	 * @since 3.0.0
 	 */
 	public const ENUM_SANITIZATION_FILTER_VARIABLE_NAME = 'variable_name';
+	/**
+	 * @var string For module codes (e.g. `itop-portal-base`, `combodo-webhook-integration`, `some-module-code-x.y`, ...)
+	 * @since 3.2.3 3.3.0 N°8554
+	 */
+	public const ENUM_SANITIZATION_FILTER_MODULE_CODE = 'module_code';
 	/**
 	 * @var string
 	 * @since 2.7.10 3.0.0
@@ -181,6 +186,9 @@ class utils

 	protected static function LoadParamFile($sParamFile)
 	{
+		if (utils::RealPath($sParamFile, APPROOT) !== false) {
+			throw new Exception("File '".utils::HtmlEntities($sParamFile)."' should be outside iTop");
+		}
 		if (!file_exists($sParamFile)) {
 			throw new Exception("Could not find the parameter file: '".utils::HtmlEntities($sParamFile)."'");
 		}
@@ -390,6 +398,7 @@ class utils
 	 * @since 2.7.10 N°6606 use the utils::ENUM_SANITIZATION_* const
 	 * @since 2.7.10 N°6606 new case for ENUM_SANITIZATION_FILTER_PHP_CLASS
 	 * @since 3.2.1-1 N°8242 Allow value to be an array for every filter
+	 * @since 3.2.3 3.3.0 N°8554 new case for ENUM_SANITIZATION_FILTER_MODULE_CODE
 	 *
 	 * @link https://www.php.net/manual/en/filter.filters.sanitize.php PHP sanitization filters
 	 */
@@ -477,7 +486,7 @@ class utils
 				);
 				break;

-				// For XML / HTML node id selector
+				// For XML / HTML node selector
 			case static::ENUM_SANITIZATION_FILTER_ELEMENT_SELECTOR:
 				$retValue = filter_var(
 					$value,
@@ -490,6 +499,15 @@ class utils
 				$retValue = preg_replace('/[^a-zA-Z0-9_]/', '', $value);
 				break;

+			case static::ENUM_SANITIZATION_FILTER_MODULE_CODE:
+				// Module codes allow all alphabets letters, numbers, dash and dot characters
+				$retValue = filter_var(
+					$value,
+					FILTER_VALIDATE_REGEXP,
+					['options' => ['regexp' => '/^[\p{L}\d.-]+$/u']]
+				);
+				break;
+
 				// For URL
 			case static::ENUM_SANITIZATION_FILTER_URL:
 				$retValue = filter_var($value, FILTER_SANITIZE_URL);
@@ -958,7 +976,7 @@ class utils
 			return self::$oConfig;
 		}

-		$sProductionEnvConfigPath = self::GetConfigFilePath('production');
+		$sProductionEnvConfigPath = self::GetConfigFilePath(ITOP_DEFAULT_ENV);
 		if (file_exists($sProductionEnvConfigPath)) {
 			$oProductionEnvDiskConfig = new Config($sProductionEnvConfigPath);
 			self::SetConfig($oProductionEnvDiskConfig);
@@ -1284,7 +1302,7 @@ class utils
 	 * @throws \CoreException
 	 * @throws \Exception
 	 */
-	public static function ExecITopScript(string $sScriptName, array $aArguments, string $sAuthUser = null, string $sAuthPwd = null)
+	public static function ExecITopScript(string $sScriptName, array $aArguments, ?string $sAuthUser = null, ?string $sAuthPwd = null)
 	{
 		$aDisabled = explode(', ', ini_get('disable_functions'));
 		if (in_array('exec', $aDisabled)) {
@@ -1374,7 +1392,7 @@ class utils
 	 * @return string A path to a folder into which any module can store cache data
 	 * The corresponding folder is created or cleaned upon code compilation
 	 */
-	public static function GetCachePath(string $sEnvironment = null): string
+	public static function GetCachePath(?string $sEnvironment = null): string
 	{
 		if (is_null($sEnvironment)) {
 			$sEnvironment = MetaModel::GetEnvironment();
@@ -1437,6 +1455,12 @@ class utils

 			case iPopupMenuExtension::MENU_OBJLIST_TOOLKIT:
 				/** @var \DBObjectSet $param */
+
+				// Check if the user has the right to read the objects of this list, otherwise do not propose any action (eg. configure this list, export, etc.)
+				if (UserRights::IsActionAllowed($param->GetFilter()->GetClass(), UR_ACTION_READ, $param) !== UR_ALLOWED_YES) {
+					break;
+				}
+
 				$oAppContext = new ApplicationContext();
 				$sContext = $oAppContext->GetForLink(true);
 				$sDataTableId = is_null($sDataTableId) ? '' : $sDataTableId;
@@ -2081,7 +2105,9 @@ SQL;
 			}

 			// Remove any remaining nulls (for positions that weren't referenced)
-			$aReplacements = array_filter($aReplacements, static function ($val) { return $val !== null; });
+			$aReplacements = array_filter($aReplacements, static function ($val) {
+				return $val !== null;
+			});
 		} else {
 			// For non-positional, we need to map each position
 			$aReplacements = [];
--- a/composer.json
+++ b/composer.json
@@ -4,7 +4,7 @@
  "type": "project",
  "license": "AGPL-3.0-only",
  "require": {
-    "php": ">=8.1.0 <8.4.0",
+    "php": ">=8.1.0 <8.5.0",
    "ext-ctype": "*",
    "ext-dom": "*",
    "ext-gd": "*",
@@ -12,38 +12,43 @@
    "ext-json": "*",
    "ext-mysqli": "*",
    "ext-soap": "*",
-    "apereo/phpcas": "~1.6.0",
-    "firebase/php-jwt": "^6.4.0",
+    "apereo/phpcas": "dev-master",
    "guzzlehttp/guzzle": "^7.5.1",
    "league/oauth2-google": "^4.0.1",
-    "nikic/php-parser": "dev-master",
+    "nikic/php-parser": "^4.14.0",
    "pear/archive_tar": "~1.4.14",
    "pelago/emogrifier": "^7.2.0",
    "psr/log": "^3.0.0",
-    "scssphp/scssphp": "^1.12.1",
-    "soundasleep/html2text": "~2.1",
+    "scssphp/scssphp": "dev-combodo/1.x",
    "symfony/console": "~6.4.0",
    "symfony/dotenv": "~6.4.0",
-    "symfony/form": "^6.4",
    "symfony/framework-bundle": "~6.4.0",
    "symfony/http-foundation": "~6.4.0",
    "symfony/http-kernel": "~6.4.0",
-    "symfony/mailer": "^6.4",
-    "symfony/security-csrf": "^6.4",
+    "symfony/runtime": "~6.4.0",
    "symfony/twig-bundle": "~6.4.0",
-    "symfony/validator" : "^6.4",
+    "symfony/var-dumper": "~6.4.0",
    "symfony/yaml": "~6.4.0",
+    "symfony/mailer": "~6.4.0",
    "tecnickcom/tcpdf": "^6.6.0",
-    "thenetworg/oauth2-azure": "^2.0"
+    "thenetworg/oauth2-azure": "^2.0",
+    "soundasleep/html2text": "~2.1"
  },
  "require-dev": {
+    "symfony/debug-bundle": "~6.4.0",
    "symfony/stopwatch": "~6.4.0",
    "symfony/web-profiler-bundle": "~6.4.0"
  },
-  "repositories": [{
-    "type": "vcs",
-    "url": "https://github.com/Combodo/PHP-Parser"
-  }],
+  "repositories": [
+    {
+      "type": "vcs",
+      "url": "https://github.com/EsupPortail/phpCAS"
+    },
+    {
+      "type": "vcs",
+      "url": "https://github.com/combodo-itop-libs/scssphp"
+    }
+  ],
  "suggest": {
    "ext-libsodium": "Required to use the AttributeEncryptedString.",
    "ext-openssl": "Can be used as a polyfill if libsodium is not installed",
@@ -63,7 +68,10 @@
    },
    "sort-packages": true,
    "classmap-authoritative": true,
-    "platform-check": true
+    "platform-check": true,
+    "allow-plugins": {
+      "symfony/runtime": true
+    }
  },
  "autoload": {
    "classmap": [
@@ -72,6 +80,7 @@
      "sources"
    ],
    "exclude-from-classmap": [
+      "application/twigextension.class.inc.php",
      "core/oql/build/PHP/",
      "core/apc-emulation.php",
      "application/startup.inc.php",
@@ -91,7 +100,7 @@
  "extra": {
    "symfony": {
      "allow-contrib": false,
-      "require": "6.4.*"
+      "require": "3.4.*"
    },
    "runtime": {
      "dotenv_path": "resources/symfony/.env"
--- a/composer.lock
+++ b/composer.lock
--- a/core/action.class.inc.php
+++ b/core/action.class.inc.php
@@ -234,10 +234,11 @@ abstract class Action extends cmdbAbstractObject
 		}

 		$oActionFilter = DBObjectSearch::FromOQL($sActionQueryOql, $aActionQueryParams);
+		$oActionFilter->AllowAllData();
 		$oSet = new DBObjectSet($oActionFilter, ['date' => false]);

 		$sPanelTitle = Dict::Format('Action:last_executions_tab_panel_title', $sActionQueryLimit);
-		$oExecutionsListBlock = DataTableUIBlockFactory::MakeForResult($oPage, 'action_executions_list', $oSet, ['panel_title' => $sPanelTitle]);
+		$oExecutionsListBlock = DataTableUIBlockFactory::MakeForResult($oPage, 'action_executions_list', $oSet, ['panel_title' => $sPanelTitle, 'display_unauthorized_objects' => true]);

 		$oPage->AddUiBlock($oExecutionsListBlock);
 	}
--- a/core/autoload.php
+++ b/core/autoload.php
@@ -24,7 +24,7 @@ MetaModel::IncludeModule('application/user.dashboard.class.inc.php');
 MetaModel::IncludeModule('application/audit.rule.class.inc.php');
 MetaModel::IncludeModule('application/audit.domain.class.inc.php');
 MetaModel::IncludeModule('application/query.class.inc.php');
-MetaModel::IncludeModule('setup/moduleinstallation.class.inc.php');
+MetaModel::IncludeModule('setup/moduleinstallation/moduleinstallation.class.inc.php');

 MetaModel::IncludeModule('core/event.class.inc.php');
 MetaModel::IncludeModule('core/action.class.inc.php');
--- a/core/bulkchange.class.inc.php
+++ b/core/bulkchange.class.inc.php
@@ -199,7 +199,7 @@ class CellStatus_SearchIssue extends CellStatus_Issue
 	 * @param null $sAllowedValues : used for additional message that provides allowed values $sAllowedValues for current class
 	 * @param string|null $sAllowedValuesSearch : used to search all allowed values
 	 */
-	public function __construct($sSerializedSearch, $sReason, $sClass = null, $sAllowedValues = null, string $sAllowedValuesSearch = null)
+	public function __construct($sSerializedSearch, $sReason, $sClass = null, $sAllowedValues = null, ?string $sAllowedValuesSearch = null)
 	{
 		parent::__construct(null, null, $sReason);
 		$this->sSerializedSearch = $sSerializedSearch;
@@ -876,7 +876,7 @@ class BulkChange
 		return $aResults;
 	}

-	protected function CreateObject(&$aResult, $iRow, $aRowData, CMDBChange $oChange = null)
+	protected function CreateObject(&$aResult, $iRow, $aRowData, ?CMDBChange $oChange = null)
 	{
 		$oTargetObj = MetaModel::NewObject($this->m_sClass);

@@ -965,7 +965,7 @@ class BulkChange
 	 * @throws \MySQLException
 	 * @throws \MySQLHasGoneAwayException
 	 */
-	protected function UpdateObject(&$aResult, $iRow, $oTargetObj, $aRowData, CMDBChange $oChange = null)
+	protected function UpdateObject(&$aResult, $iRow, $oTargetObj, $aRowData, ?CMDBChange $oChange = null)
 	{
 		$aResult[$iRow] = $this->PrepareObject($oTargetObj, $aRowData, $aErrors);

@@ -1008,7 +1008,7 @@ class BulkChange
 	 *
 	 * @throws \BulkChangeException
 	 */
-	protected function UpdateMissingObject(&$aResult, $iRow, $oTargetObj, CMDBChange $oChange = null)
+	protected function UpdateMissingObject(&$aResult, $iRow, $oTargetObj, ?CMDBChange $oChange = null)
 	{
 		$aResult[$iRow] = $this->PrepareMissingObject($oTargetObj, $aErrors);

@@ -1043,7 +1043,7 @@ class BulkChange
 		}
 	}

-	public function Process(CMDBChange $oChange = null)
+	public function Process(?CMDBChange $oChange = null)
 	{
 		if ($oChange) {
 			CMDBObject::SetCurrentChange($oChange);
--- a/core/config.class.inc.php
+++ b/core/config.class.inc.php
@@ -20,9 +20,6 @@
 *
 */

-use Combodo\iTop\Config\Validator\iTopConfigAstValidator;
-use Combodo\iTop\Config\Validator\iTopConfigSyntaxValidator;
-
 define('ITOP_APPLICATION', 'iTop');
 define('ITOP_APPLICATION_SHORT', 'iTop');

@@ -78,6 +75,7 @@ define('DEFAULT_EXT_AUTH_VARIABLE', '$_SERVER[\'REMOTE_USER\']');
 define('DEFAULT_ENCRYPTION_KEY', '@iT0pEncr1pti0n!'); // We'll use a random generated key later (if possible)
 define('DEFAULT_ENCRYPTION_LIB', 'Mcrypt'); // We'll define the best encryption available later
 define('DEFAULT_HASH_ALGO', PASSWORD_DEFAULT);
+
 /**
 * Config
 * configuration data (this class cannot not be localized, because it is responsible for loading the dictionaries)
@@ -871,6 +869,14 @@ class Config
 			'source_of_value' => '',
 			'show_in_conf_sample' => false,
 		],
+		'ext_auth_variable' => [
+			'type' => 'string',
+			'description' => 'External authentication expression (allowed: $_SERVER[\'key\'], $_COOKIE[\'key\'], $_REQUEST[\'key\'], getallheaders()[\'Header-Name\'])',
+			'default' => '$_SERVER[\'REMOTE_USER\']',
+			'value' => '$_SERVER[\'REMOTE_USER\']',
+			'source_of_value' => '',
+			'show_in_conf_sample' => false,
+		],
 		'login_debug' => [
 			'type' => 'bool',
 			'description' => 'Activate the login FSM debug',
@@ -928,7 +934,7 @@ class Config
 			'type' => 'string',
 			'description' => 'Actions that are available as direct buttons next to the "Actions" menu',
 			// examples... not used
-			'default' => 'UI:Menu:Modify,UI:Menu:New',
+			'default' => 'UI:Menu:Modify,UI:Menu:New,UI:Menu:impacts_down,UI:Menu:impacts_up',
 			'value' => 'UI:Menu:Modify',
 			'source_of_value' => '',
 			'show_in_conf_sample' => true,
@@ -1173,8 +1179,8 @@ class Config
 		'tracking_level_linked_set_default' => [
 			'type' => 'integer',
 			'description' => 'Default tracking level if not explicitly set at the attribute level, for AttributeLinkedSet (defaults to NONE in case of a fresh install, LIST otherwise - this to preserve backward compatibility while upgrading from a version older than 2.0.3 - see TRAC #936)',
-			'default' => LINKSET_TRACKING_LIST,
-			'value' => LINKSET_TRACKING_LIST,
+			'default' => LINKSET_TRACKING_NONE,
+			'value' => LINKSET_TRACKING_NONE,
 			'source_of_value' => '',
 			'show_in_conf_sample' => false,
 		],
@@ -1613,7 +1619,7 @@ class Config
 			'show_in_conf_sample' => false,
 		],
 		'search_manual_submit' => [
-			'type' => 'array',
+			'type' => 'bool',
 			'description' => 'Force manual submit of search all requests',
 			'default' => false,
 			'value' => true,
@@ -1740,6 +1746,14 @@ class Config
 			'source_of_value' => '',
 			'show_in_conf_sample' => false,
 		],
+		'security.disable_joined_classes_filter' => [
+			'type'                => 'bool',
+			'description'         => 'If true, scope filters aren\'t applied to joined classes or union classes not directly listed in the SELECT clause.',
+			'default'             => true,
+			'value'               => true,
+			'source_of_value'     => '',
+			'show_in_conf_sample' => false,
+		],
 		'security.hide_administrators' => [
 			'type'                => 'bool',
 			'description'         => 'If true, non-administrator users will not be able to see the administrator accounts, the Administrator profile and the links between the administrator accounts and their profiles.',
@@ -1748,6 +1762,14 @@ class Config
 			'source_of_value'     => '',
 			'show_in_conf_sample' => false,
 		],
+		'security.disable_exec_forced_login_for_all_enpoints' => [
+			'type'                => 'bool',
+			'description'         => 'If true, when no delegated authentication module is defined, no login will be forced on modules exec endpoints',
+			'default'             => true,
+			'value'               => true,
+			'source_of_value'     => '',
+			'show_in_conf_sample' => false,
+		],
 		'behind_reverse_proxy' => [
 			'type' => 'bool',
 			'description' => 'If true, then proxies custom header (X-Forwarded-*) are taken into account. Use only if the webserver is not publicly accessible (reachable only by the reverse proxy)',
@@ -1954,11 +1976,6 @@ class Config
 	 */
 	protected $m_sDefaultLanguage;

-	/**
-	 * @var string Name of the PHP variable in which external authentication information is passed by the web server
-	 */
-	protected $m_sExtAuthVariable;
-
 	/**
 	 * @var string Encryption key used for all attributes of type "encrypted string". Can be set to a random value
 	 *             unless you want to import a database from another iTop instance, in which case you must use
@@ -2027,7 +2044,6 @@ class Config
 		$this->m_iFastReloadInterval = DEFAULT_FAST_RELOAD_INTERVAL;
 		$this->m_bSecureConnectionRequired = DEFAULT_SECURE_CONNECTION_REQUIRED;
 		$this->m_sDefaultLanguage = 'EN US';
-		$this->m_sExtAuthVariable = DEFAULT_EXT_AUTH_VARIABLE;
 		$this->m_aCharsets = [];
 		$this->m_bQueryCacheEnabled = DEFAULT_QUERY_CACHE_ENABLED;
 		$this->m_iPasswordHashAlgo = DEFAULT_HASH_ALGO;
@@ -2173,7 +2189,6 @@ class Config
 		$this->m_aModuleSettings = isset($MyModuleSettings) ? $MyModuleSettings : [];

 		$this->m_sDefaultLanguage = isset($MySettings['default_language']) ? trim($MySettings['default_language']) : 'EN US';
-		$this->m_sExtAuthVariable = isset($MySettings['ext_auth_variable']) ? trim($MySettings['ext_auth_variable']) : DEFAULT_EXT_AUTH_VARIABLE;
 		$this->m_sEncryptionKey = isset($MySettings['encryption_key']) ? trim($MySettings['encryption_key']) : $this->m_sEncryptionKey;
 		$this->m_sEncryptionLibrary = isset($MySettings['encryption_library']) ? trim($MySettings['encryption_library']) : $this->m_sEncryptionLibrary;
 		$this->m_aCharsets = isset($MySettings['csv_import_charsets']) ? $MySettings['csv_import_charsets'] : [];
@@ -2335,9 +2350,73 @@ class Config
 		return explode('|', $this->m_aSettings['allowed_login_types']['value']);
 	}

+	/**
+	 * @return bool|mixed
+	 * @since 3.2.3 return the parsed value instead of an unsecured variable name
+	 */
 	public function GetExternalAuthenticationVariable()
 	{
-		return $this->m_sExtAuthVariable;
+		$sExpression = $this->Get('ext_auth_variable');
+		$aParsed = $this->ParseExternalAuthVariableExpression($sExpression);
+		if ($aParsed === null) {
+			return false;
+		}
+
+		$sKey = $aParsed['key'];
+		switch ($aParsed['type']) {
+			case 'server':
+				return $_SERVER[$sKey] ?? false;
+			case 'cookie':
+				return $_COOKIE[$sKey] ?? false;
+			case 'request':
+				return $_REQUEST[$sKey] ?? false;
+			case 'header':
+				if (!function_exists('getallheaders')) {
+					return false;
+				}
+				$aHeaders = getallheaders();
+				if (!is_array($aHeaders)) {
+					return false;
+				}
+				return $aHeaders[$sKey] ?? false;
+		}
+		return false;
+	}
+
+	/**
+	 * @param $sExpression
+	 * @return array|null
+	 */
+	private function ParseExternalAuthVariableExpression($sExpression)
+	{
+		// If it's a configuration parameter it's probably already trimmed, but just in case
+		$sExpression = trim((string) $sExpression);
+		if ($sExpression === '') {
+			return null;
+		}
+
+		// Match $_SERVER/$_COOKIE/$_REQUEST['key'] with optional whitespace and single/double quotes.
+		if (preg_match('/^\$_(SERVER|COOKIE|REQUEST)\s*\[\s*(["\'])\s*([^"\']+)\2\s*\]\s*$/', $sExpression, $aMatches) === 1) {
+			$sContext = strtoupper($aMatches[1]);
+			$sKey = $aMatches[3];
+			return [
+				'type' => strtolower($sContext),
+				'key' => $sKey,
+				'normalized' => '$_'.$sContext.'[\''.$sKey.'\']',
+			];
+		}
+
+		// Match getallheaders()['Header-Name'] in a case-insensitive way.
+		if (preg_match('/^getallheaders\(\)\s*\[\s*(["\'])\s*([^"\']+)\1\s*\]\s*$/i', $sExpression, $aMatches) === 1) {
+			$sKey = $aMatches[2];
+			return [
+				'type' => 'header',
+				'key' => $sKey,
+				'normalized' => 'getallheaders()[\''.$sKey.'\']',
+			];
+		}
+
+		return null;
 	}

 	public function GetCSVImportCharsets()
@@ -2433,7 +2512,7 @@ class Config

 	public function SetExternalAuthenticationVariable($sExtAuthVariable)
 	{
-		$this->m_sExtAuthVariable = $sExtAuthVariable;
+		$this->Set('ext_auth_variable', $sExtAuthVariable);
 	}

 	public function SetEncryptionKey($sKey)
@@ -2487,7 +2566,6 @@ class Config
 		$aSettings['fast_reload_interval'] = $this->m_iFastReloadInterval;
 		$aSettings['secure_connection_required'] = $this->m_bSecureConnectionRequired;
 		$aSettings['default_language'] = $this->m_sDefaultLanguage;
-		$aSettings['ext_auth_variable'] = $this->m_sExtAuthVariable;
 		$aSettings['encryption_key'] = $this->m_sEncryptionKey;
 		$aSettings['encryption_library'] = $this->m_sEncryptionLibrary;
 		$aSettings['csv_import_charsets'] = $this->m_aCharsets;
@@ -2590,7 +2668,6 @@ class Config
 			// Old fashioned remaining values
 			$aOtherValues = [
 				'default_language' => $this->m_sDefaultLanguage,
-				'ext_auth_variable' => $this->m_sExtAuthVariable,
 				'encryption_key' => $this->m_sEncryptionKey,
 				'encryption_library' => $this->m_sEncryptionLibrary,
 				'csv_import_charsets' => $this->m_aCharsets,
@@ -2675,14 +2752,13 @@ class Config
 	 *
 	 * @param array $aParamValues
 	 * @param ?string $sModulesDir
-	 * @param bool $bPreserveModuleSettings
 	 *
 	 * @return void The current object is modified directly
 	 *
 	 * @throws \Exception
 	 * @throws \CoreException
 	 */
-	public function UpdateFromParams($aParamValues, $sModulesDir = null, $bPreserveModuleSettings = false)
+	public function UpdateFromParams($aParamValues, $sModulesDir = null)
 	{
 		if (isset($aParamValues['application_path'])) {
 			$this->Set('app_root_url', $aParamValues['application_path']);
@@ -2730,7 +2806,10 @@ class Config
 		} else {
 			$aSelectedModules = null;
 		}
-		$this->UpdateIncludes($sModulesDir, $aSelectedModules);
+
+		if (! is_null($sModulesDir)) {
+			$this->UpdateIncludes($sModulesDir, $aSelectedModules);
+		}

 		if (isset($aParamValues['source_dir'])) {
 			$this->Set('source_dir', $aParamValues['source_dir']);
@@ -2748,17 +2827,13 @@ class Config
 	 *
 	 * @throws Exception
 	 */
-	public function UpdateIncludes($sModulesDir, $aSelectedModules = null)
+	public function UpdateIncludes(string $sModulesDir, $aSelectedModules = null)
 	{
-		if ($sModulesDir === null) {
-			return;
-		}
-
 		// Initialize the arrays below with default values for the application...
 		$oEmptyConfig = new Config('dummy_file', false); // Do NOT load any config file, just set the default values
 		$aAddOns = $oEmptyConfig->GetAddOns();

-		$aModules = ModuleDiscovery::GetAvailableModules([APPROOT.$sModulesDir]);
+		$aModules = ModuleDiscovery::GetModulesOrderedByDependencies([APPROOT.$sModulesDir]);
 		foreach ($aModules as $sModuleId => $aModuleInfo) {
 			list($sModuleName, $sModuleVersion) = ModuleDiscovery::GetModuleName($sModuleId);
 			if (is_null($aSelectedModules) || in_array($sModuleName, $aSelectedModules)) {
--- a/core/csvbulkexport.class.inc.php
+++ b/core/csvbulkexport.class.inc.php
@@ -5,6 +5,7 @@
 * @license     http://opensource.org/licenses/AGPL-3.0
 */

+use Combodo\iTop\Application\Helper\ExportHelper;
 use Combodo\iTop\Application\UI\Base\Component\FieldSet\FieldSetUIBlockFactory;
 use Combodo\iTop\Application\UI\Base\Component\Html\Html;
 use Combodo\iTop\Application\UI\Base\Component\Input\InputUIBlockFactory;
@@ -13,7 +14,6 @@ use Combodo\iTop\Application\UI\Base\Component\Input\Select\SelectUIBlockFactory
 use Combodo\iTop\Application\UI\Base\Component\Panel\PanelUIBlockFactory;
 use Combodo\iTop\Application\UI\Base\Layout\MultiColumn\Column\ColumnUIBlockFactory;
 use Combodo\iTop\Application\UI\Base\Layout\MultiColumn\MultiColumnUIBlockFactory;
-use Combodo\iTop\Application\Helper\ExportHelper;
 use Combodo\iTop\Application\WebPage\Page;
 use Combodo\iTop\Application\WebPage\WebPage;

@@ -55,6 +55,8 @@ class CSVBulkExport extends TabularBulkExport
 		$this->aStatusInfo['charset'] = strtoupper(utils::ReadParam('charset', 'UTF-8', true, 'raw_data'));
 		$this->aStatusInfo['formatted_text'] = (bool)utils::ReadParam('formatted_text', 0, true);

+		$this->aStatusInfo['ignore_excel_sanitization'] = (bool)utils::ReadParam('ignore_excel_sanitization', 0, true, utils::ENUM_SANITIZATION_FILTER_INTEGER);
+
 		$sDateFormatRadio = utils::ReadParam('csv_date_format_radio', '');
 		switch ($sDateFormatRadio) {
 			case 'default':
@@ -223,6 +225,10 @@ class CSVBulkExport extends TabularBulkExport
 				$oRadioCustom->GetInput()->AddCSSClass('ibo-input-checkbox');
 				$oFieldSetDate->AddSubBlock($oRadioCustom);

+				$oFieldSetSecurity = FieldSetUIBlockFactory::MakeStandard(Dict::S('Core:BulkExport:Security'));
+				$oMulticolumn->AddColumn(ColumnUIBlockFactory::MakeForBlock($oFieldSetSecurity));
+				$oFieldSetSecurity->AddSubBlock(ExportHelper::GetInputForSanitizeExcelExport());
+
 				$oP->add_ready_script(
 					<<<EOF
 $('#form_part_csv_options').on('preview_updated', function() { FormatDatesInPreview('csv', 'csv'); });
@@ -264,6 +270,13 @@ EOF
 			default:
 				$sRet = trim($oObj->GetAsCSV($sAttCode), '"');
 		}
+
+		// If the option to ignore Excel sanitization is not set or explicitly set to false, apply sanitization
+		if (!(array_key_exists('ignore_excel_sanitization', $this->aStatusInfo)) || $this->aStatusInfo['ignore_excel_sanitization'] === false) {
+			return ExportHelper::SanitizeField($sRet, $this->aStatusInfo['text_qualifier'] ?? '');
+		}
+
+		// The option to ignore Excel sanitization is explicitly set to true: return the raw value without sanitization
 		return $sRet;
 	}

@@ -337,6 +350,12 @@ EOF
 							$sField = $oObj->GetAsCSV($sAttCode, $this->aStatusInfo['separator'], $this->aStatusInfo['text_qualifier'], $this->bLocalizeOutput, !$this->aStatusInfo['formatted_text']);
 					}
 				}
+
+				// If the option to ignore Excel sanitization is not set or absent, sanitize the field
+				if (!(array_key_exists('ignore_excel_sanitization', $this->aStatusInfo)) || $this->aStatusInfo['ignore_excel_sanitization'] === false) {
+					$sField = ExportHelper::SanitizeField($sField, $this->aStatusInfo['text_qualifier']);
+				}
+
 				if ($this->aStatusInfo['charset'] != 'UTF-8') {
 					// Note: due to bugs in the glibc library it's safer to call iconv on the smallest possible string
 					// and thus to convert field by field and not the whole row or file at once (see ticket N°991)
--- a/core/datamodel.core.xml
+++ b/core/datamodel.core.xml
@@ -425,7 +425,7 @@
      </php_parent>
      <parent>cmdbAbstractObject</parent>
      <properties>
-        <category>core/cmdb,view_in_gui</category>
+        <category>core/cmdb,grant_by_profile,silo</category>
        <abstract>false</abstract>
        <key_type>autoincrement</key_type>
        <db_table>priv_event_newsroom</db_table>
@@ -904,7 +904,7 @@
        <!-- Generated by toolkit/export-class-to-meta.php -->
        <parent>Event</parent>
        <properties>
-          <category>core/cmdb,view_in_gui</category>
+          <category>core/cmdb,grant_by_profile,silo</category>
        </properties>
        <fields>
          <field id="message" xsi:type="AttributeText"/>
--- a/core/dbobject.class.php
+++ b/core/dbobject.class.php
@@ -2567,7 +2567,7 @@ abstract class DBObject implements iDisplay
 	 *
 	 * @see \RestUtils::FindObjectFromKey for the same check in the REST endpoint
 	 */
-	final public function CheckChangedExtKeysValues(callable $oIsObjectLoadableCallback = null)
+	final public function CheckChangedExtKeysValues(?callable $oIsObjectLoadableCallback = null)
 	{
 		if (is_null($oIsObjectLoadableCallback)) {
 			$oIsObjectLoadableCallback = function ($sClass, $sId) {
@@ -3727,7 +3727,7 @@ abstract class DBObject implements iDisplay
 	 * @throws \MySQLException
 	 * @throws \OQLException
 	 */
-	private function ActivateOnObjectUpdateTriggers(?DBObject $oObject, array $aAttributes = null): void
+	private function ActivateOnObjectUpdateTriggers(?DBObject $oObject, ?array $aAttributes = null): void
 	{
 		if (is_null($oObject)) {
 			return;
@@ -5108,8 +5108,8 @@ abstract class DBObject implements iDisplay
 	protected function GetReferencingObjectsForDeletion($bAllowAllData = false)
 	{
 		$aDependentObjects = [];
-		$aRererencingMe = MetaModel::EnumReferencingClasses(get_class($this));
-		foreach ($aRererencingMe as $sRemoteClass => $aExtKeys) {
+		$aReferencingMe = MetaModel::EnumReferencingClasses(get_class($this));
+		foreach ($aReferencingMe as $sRemoteClass => $aExtKeys) {
 			/** @var \AttributeExternalKey $oExtKeyAttDef */
 			foreach ($aExtKeys as $sExtKeyAttCode => $oExtKeyAttDef) {
 				// skip if external key doesn't require the deletion cascading
--- a/core/dbobjectsearch.class.php
+++ b/core/dbobjectsearch.class.php
@@ -1932,4 +1932,37 @@ class DBObjectSearch extends DBSearch
 	{
 		return $this->GetCriteria()->ListParameters();
 	}
+
+	/**
+	 * @inheritDoc
+	 * @return DBObjectSearch
+	 */
+	protected function ApplyDataFilters(): DBObjectSearch
+	{
+		if ($this->IsAllDataAllowed() || $this->IsDataFiltered()) {
+			return $this;
+		}
+
+		$oSearch = $this;
+		$aClassesToFilter = $this->GetSelectedClasses();
+
+		// Opt-in for joined classes filtering, otherwise only filter the selected class(es)
+		if (MetaModel::GetConfig()->Get('security.disable_joined_classes_filter') === false) {
+			$aClassesToFilter = $this->GetJoinedClasses();
+		}
+
+		// Apply filter (this is similar to the one in DBSearch but the factorization could make it less readable)
+		foreach ($aClassesToFilter as $sClassAlias => $sClass) {
+			$oVisibleObjects = UserRights::GetSelectFilter($sClass, $this->GetModifierProperties('UserRightsGetSelectFilter'));
+			if ($oVisibleObjects === false) {
+				$oVisibleObjects = DBObjectSearch::FromEmptySet($sClass);
+			}
+			if (is_object($oVisibleObjects)) {
+				$oVisibleObjects->AllowAllData();
+				$oSearch = $oSearch->Filter($sClassAlias, $oVisibleObjects);
+				$oSearch->SetDataFiltered();
+			}
+		}
+		return $oSearch;
+	}
 }
--- a/core/dbsearch.class.php
+++ b/core/dbsearch.class.php
@@ -650,7 +650,7 @@ abstract class DBSearch
 	 *
 	 * @throws OQLException
 	 */
-	public static function FromOQL($sQuery, $aParams = null, ModelReflection $oMetaModel = null)
+	public static function FromOQL($sQuery, $aParams = null, ?ModelReflection $oMetaModel = null)
 	{
 		if (empty($sQuery)) {
 			return null;
@@ -1048,21 +1048,7 @@ abstract class DBSearch
 	 */
 	protected function GetSQLQuery($aOrderBy, $aArgs, $aAttToLoad, $aExtendedDataSpec, $iLimitCount, $iLimitStart, $bGetCount, $aGroupByExpr = null, $aSelectExpr = null)
 	{
-		$oSearch = $this;
-		if (!$this->IsAllDataAllowed() && !$this->IsDataFiltered()) {
-			foreach ($this->GetSelectedClasses() as $sClassAlias => $sClass) {
-				$oVisibleObjects = UserRights::GetSelectFilter($sClass, $this->GetModifierProperties('UserRightsGetSelectFilter'));
-				if ($oVisibleObjects === false) {
-					// Make sure this is a valid search object, saying NO for all
-					$oVisibleObjects = DBObjectSearch::FromEmptySet($sClass);
-				}
-				if (is_object($oVisibleObjects)) {
-					$oVisibleObjects->AllowAllData();
-					$oSearch = $oSearch->Filter($sClassAlias, $oVisibleObjects);
-					$oSearch->SetDataFiltered();
-				}
-			}
-		}
+		$oSearch = $this->ApplyDataFilters();

 		if (is_array($aGroupByExpr)) {
 			foreach ($aGroupByExpr as $sAlias => $oGroupByExp) {
@@ -1524,4 +1510,33 @@ abstract class DBSearch
 	 * @return array{\VariableExpression}
 	 */
 	abstract public function GetExpectedArguments(): array;
+
+	/**
+	 * Apply data filters to the search, if needed
+	 *
+	 * @return DBSearch
+	 * @throws CoreException
+	 */
+	protected function ApplyDataFilters(): DBSearch
+	{
+		if ($this->IsAllDataAllowed() || $this->IsDataFiltered()) {
+			return $this;
+		}
+
+		$oSearch = $this;
+		$aClassesToFilter = $this->GetSelectedClasses();
+
+		foreach ($aClassesToFilter as $sClassAlias => $sClass) {
+			$oVisibleObjects = UserRights::GetSelectFilter($sClass, $this->GetModifierProperties('UserRightsGetSelectFilter'));
+			if ($oVisibleObjects === false) {
+				$oVisibleObjects = DBObjectSearch::FromEmptySet($sClass);
+			}
+			if (is_object($oVisibleObjects)) {
+				$oVisibleObjects->AllowAllData();
+				$oSearch = $oSearch->Filter($sClassAlias, $oVisibleObjects);
+				$oSearch->SetDataFiltered();
+			}
+		}
+		return $oSearch;
+	}
 }
--- a/core/dbunionsearch.class.php
+++ b/core/dbunionsearch.class.php
@@ -59,7 +59,7 @@ class DBUnionSearch extends DBSearch
 	public function AllowAllData($bAllowAllData = true)
 	{
 		foreach ($this->aSearches as $oSearch) {
-			$oSearch->AllowAllData();
+			$oSearch->AllowAllData($bAllowAllData);
 		}
 	}

@@ -673,4 +673,30 @@ class DBUnionSearch extends DBSearch

 		return $aVariableCriteria;
 	}
+
+	/**
+	 * @inheritDoc
+	 * @return DBUnionSearch
+	 */
+	protected function ApplyDataFilters(): DBUnionSearch
+	{
+		if ($this->IsAllDataAllowed() || $this->IsDataFiltered()) {
+			return $this;
+		}
+
+		// Opt-in for joined classes filtering, otherwise fallback on DBSearch filtering
+		if (MetaModel::GetConfig()->Get('security.disable_joined_classes_filter') === true) {
+			return parent::ApplyDataFilters();
+		}
+
+		// Apply filters per sub-search
+		$aFilteredSearches = [];
+		foreach ($this->GetSearches() as $oSubSearch) {
+			// Recursively call ApplyDataFilters on sub-searches
+			$aFilteredSearches[] = $oSubSearch->ApplyDataFilters();
+		}
+
+		$oSearch = new DBUnionSearch($aFilteredSearches);
+		return $oSearch;
+	}
 }
--- a/core/designdocument.class.inc.php
+++ b/core/designdocument.class.inc.php
@@ -360,10 +360,10 @@ class DesignElement extends \DOMElement
 	 * @param string $sTagName
 	 * @param string|null $sDefault
 	 *
-	 * @return string
+	 * @return null|string
 	 * @throws \DOMFormatException
 	 */
-	public function GetChildText($sTagName, $sDefault = null)
+	public function GetChildText($sTagName, $sDefault = null): ?string
 	{
 		$sRet = $sDefault;
 		if ($oChild = $this->GetOptionalElement($sTagName)) {
@@ -453,7 +453,7 @@ class DesignElement extends \DOMElement
 	 * @throws Exception
 	 * @since 3.1.2 3.2.0 N°6974
 	 */
-	public static function _FindNode(DOMNode $oParent, DesignElement $oRefNode, string $sSearchId = null): ?DesignElement
+	public static function _FindNode(DOMNode $oParent, DesignElement $oRefNode, ?string $sSearchId = null): ?DesignElement
 	{
 		$oNodes = self::_FindNodes($oParent, $oRefNode, $sSearchId);
 		if ($oNodes instanceof DOMNodeList) {
@@ -477,7 +477,7 @@ class DesignElement extends \DOMElement
 	 * @return \DOMNodeList|false|mixed
 	 * @since 3.1.2 3.2.0 N°6974
 	 */
-	public static function _FindNodes(DOMNode $oParent, DesignElement $oRefNode, string $sSearchId = null)
+	public static function _FindNodes(DOMNode $oParent, DesignElement $oRefNode, ?string $sSearchId = null)
 	{
 		if ($oParent instanceof DOMDocument) {
 			$oDoc = $oParent->firstChild->ownerDocument;
--- a/core/displayablegraph.class.inc.php
+++ b/core/displayablegraph.class.inc.php
@@ -632,7 +632,7 @@ class DisplayableGroupNode extends DisplayableNode
 		$this->aObjects = [];
 	}

-	public function AddObject(DBObject $oObj = null)
+	public function AddObject(?DBObject $oObj = null)
 	{
 		if (is_object($oObj)) {
 			$sPrevClass = $this->GetObjectClass();
--- a/core/event.class.inc.php
+++ b/core/event.class.inc.php
@@ -26,7 +26,7 @@ class Event extends DBObject implements iDisplay
 	{
 		$aParams =
 		[
-			"category" => "core/cmdb,view_in_gui",
+			"category" => "core/cmdb,grant_by_profile,silo",
 			"key_type" => "autoincrement",
 			"name_attcode" => "",
 			"state_attcode" => "",
@@ -120,7 +120,7 @@ class EventNotification extends Event
 	{
 		$aParams =
 		[
-			"category" => "core/cmdb,view_in_gui",
+			"category" => "core/cmdb,grant_by_profile,silo",
 			"key_type" => "autoincrement",
 			"name_attcode" => "",
 			"state_attcode" => "",
@@ -156,7 +156,7 @@ class EventNotificationEmail extends EventNotification
 	{
 		$aParams =
 		[
-			"category" => "core/cmdb,view_in_gui",
+			"category" => "core/cmdb,grant_by_profile,silo",
 			"key_type" => "autoincrement",
 			"name_attcode" => "",
 			"state_attcode" => "",
@@ -192,7 +192,7 @@ class EventIssue extends Event
 	{
 		$aParams =
 		[
-			"category" => "core/cmdb,view_in_gui",
+			"category" => "core/cmdb,grant_by_profile,silo",
 			"key_type" => "autoincrement",
 			"name_attcode" => "",
 			"state_attcode" => "",
@@ -286,7 +286,7 @@ class EventWebService extends Event
 	{
 		$aParams =
 		[
-			"category" => "core/cmdb,view_in_gui",
+			"category" => "core/cmdb,grant_by_profile,silo",
 			"key_type" => "autoincrement",
 			"name_attcode" => "",
 			"state_attcode" => "",
@@ -321,7 +321,7 @@ class EventRestService extends Event
 	{
 		$aParams =
 		[
-			"category" => "core/cmdb,view_in_gui",
+			"category" => "core/cmdb,grant_by_profile,silo",
 			"key_type" => "autoincrement",
 			"name_attcode" => "",
 			"state_attcode" => "",
@@ -356,7 +356,7 @@ class EventLoginUsage extends Event
 	{
 		$aParams =
 		[
-			"category" => "core/cmdb,view_in_gui",
+			"category" => "core/cmdb,grant_by_profile,silo",
 			"key_type" => "autoincrement",
 			"name_attcode" => "",
 			"state_attcode" => "",
@@ -394,7 +394,7 @@ class EventOnObject extends Event
 	{
 		$aParams =
 		[
-			"category" => "core/cmdb,view_in_gui",
+			"category" => "core/cmdb,grant_by_profile,silo",
 			"key_type" => "autoincrement",
 			"name_attcode" => "",
 			"state_attcode" => "",
--- a/core/excelbulkexport.class.inc.php
+++ b/core/excelbulkexport.class.inc.php
@@ -5,13 +5,13 @@
 * @license     http://opensource.org/licenses/AGPL-3.0
 */

+use Combodo\iTop\Application\Helper\ExportHelper;
 use Combodo\iTop\Application\UI\Base\Component\FieldSet\FieldSetUIBlockFactory;
 use Combodo\iTop\Application\UI\Base\Component\Html\Html;
 use Combodo\iTop\Application\UI\Base\Component\Input\InputUIBlockFactory;
 use Combodo\iTop\Application\UI\Base\Component\Panel\PanelUIBlockFactory;
 use Combodo\iTop\Application\UI\Base\Layout\MultiColumn\Column\ColumnUIBlockFactory;
 use Combodo\iTop\Application\UI\Base\Layout\MultiColumn\MultiColumnUIBlockFactory;
-use Combodo\iTop\Application\Helper\ExportHelper;
 use Combodo\iTop\Application\WebPage\Page;
 use Combodo\iTop\Application\WebPage\WebPage;

@@ -63,6 +63,8 @@ class ExcelBulkExport extends TabularBulkExport
 				// Export from the command line (or scripted) => default format is SQL, as in previous versions of iTop, unless specified otherwise
 				$this->aStatusInfo['date_format'] = utils::ReadParam('date_format', (string)AttributeDateTime::GetSQLFormat(), true, 'raw_data');
 		}
+
+		$this->aStatusInfo['ignore_excel_sanitization'] = (bool)utils::ReadParam('ignore_excel_sanitization', 0, true, utils::ENUM_SANITIZATION_FILTER_INTEGER);
 	}

 	public function EnumFormParts()
@@ -121,6 +123,10 @@ class ExcelBulkExport extends TabularBulkExport
 				$oRadioCustom->GetInput()->AddCSSClass('ibo-input-checkbox');
 				$oFieldSetDate->AddSubBlock($oRadioCustom);

+				$oFieldSetSecurity = FieldSetUIBlockFactory::MakeStandard(Dict::S('Core:BulkExport:Security'));
+				$oMulticolumn->AddColumn(ColumnUIBlockFactory::MakeForBlock($oFieldSetSecurity));
+				$oFieldSetSecurity->AddSubBlock(ExportHelper::GetInputForSanitizeExcelExport());
+
 				$oP->add_ready_script(
 					<<<EOF
 $('#form_part_xlsx_options').on('preview_updated', function() { FormatDatesInPreview('excel', 'xlsx'); });
@@ -216,6 +222,12 @@ EOF
 					}
 				}
 		}
+
+		// If the option to ignore Excel sanitization is not set or absent, sanitize the field
+		if (!(array_key_exists('ignore_excel_sanitization', $this->aStatusInfo)) || $this->aStatusInfo['ignore_excel_sanitization'] === false) {
+			return ExportHelper::SanitizeField($sRet, '');
+		}
+
 		return $sRet;
 	}

--- a/core/inlineimage.class.inc.php
+++ b/core/inlineimage.class.inc.php
@@ -298,6 +298,46 @@ N°8681	 * @param string|null $sHtml The HTML fragment to process
 		return $sHtml;
 	}

+	/**
+	 * Replace <img> tags with a data-img-id attribute by the actual image in base64 representation
+	 * so that the image can be displayed even if the download URL is not accessible (e.g. in unauthenticated approval templates)
+	 *
+	 * @param string $sHtml The HTML fragment to process
+	 *
+	 * @return String The modified HTML
+	 * @since 3.2.3
+	 */
+	public static function ReplaceInlineImagesWithBase64Representation(string $sHtml): String
+	{
+		return preg_replace_callback(
+			'/<img\s+[^>]*'.static::DOM_ATTR_ID.'="(\d+)"[^>]*>/i',
+			function ($matches) {
+
+				// Extract inline image ID from the tag
+				$id = $matches[1];
+
+				try {
+					// Retrieve inline image
+					$oInline = MetaModel::GetObject(InlineImage::class, $id, true, true);
+					$oOrmDocument = $oInline->Get('contents');
+
+					// Replace src image by the base64 representation
+					$sInlineImageAsBase64 = base64_encode($oOrmDocument->GetData());
+					$sDataUri = 'data:'.$oOrmDocument->GetMimeType().';base64,'.$sInlineImageAsBase64;
+					$sImage = preg_replace('/src=["\'][^"\']+["\']/', 'src="'.$sDataUri.'"', $matches[0]);
+
+					// Remove sensitive information (the image ID and secret) from the tag
+					$sImage = preg_replace('/'.static::DOM_ATTR_ID.'="\d+"\s+'.static::DOM_ATTR_SECRET.'="\w+"/', '', $sImage);
+				} catch (Exception $e) {
+					$sImage = '<img src="" alt="'.Dict::S('UI:MissingInlineImage').'">';
+				}
+
+				return $sImage;
+			},
+			$sHtml
+		);
+	}
+
 	/**
 	 * Add an extra attribute data-img-id for images which are based on an actual InlineImage
 	 * so that we can later reconstruct the full "src" URL when needed
--- a/core/log.class.inc.php
+++ b/core/log.class.inc.php
@@ -691,7 +691,7 @@ abstract class LogAPI
 		static::$m_oMockMetaModelConfig = $oMetaModelConfig;
 	}

-	public static function Exception(string $sMessage, throwable $oException, string $sChannel = null, array $aContext = []): void
+	public static function Exception(string $sMessage, throwable $oException, ?string $sChannel = null, array $aContext = []): void
 	{
 		$aErrorLogs = [];
 		$aErrorLogs[] = static::PrepareErrorLog($sMessage, $oException, $aContext);
--- a/core/metamodel.class.php
+++ b/core/metamodel.class.php
@@ -22,6 +22,8 @@ use Combodo\iTop\Application\EventRegister\ApplicationEvents;
 use Combodo\iTop\Core\MetaModel\FriendlyNameType;
 use Combodo\iTop\Service\Events\EventData;
 use Combodo\iTop\Service\Events\EventService;
+use Combodo\iTop\Setup\ModuleDependency\Module;
+use Combodo\iTop\Setup\ModuleDiscovery\ModuleFileReader;

 require_once APPROOT.'core/modulehandler.class.inc.php';
 require_once APPROOT.'core/querymodifier.class.inc.php';
@@ -128,7 +130,7 @@ abstract class MetaModel
 	/** @var array */
 	private static $m_aClassToFile = [];
 	/** @var string */
-	protected static $m_sEnvironment = 'production';
+	protected static $m_sEnvironment = ITOP_DEFAULT_ENV;

 	/**
 	 * Objects currently created/updated.
@@ -462,6 +464,43 @@ abstract class MetaModel
 		return call_user_func([$sClass, 'GetClassDescription'], $sClass);
 	}

+	/**
+	 * @param string $sClass
+	 *
+	 * @return string
+	 * @throws \CoreException
+	 */
+	final public static function GetModuleName($sClass)
+	{
+		try {
+			$oReflectionClass = new ReflectionClass($sClass);
+			$sDir = realpath(dirname($oReflectionClass->getFileName()));
+			$sApproot = realpath(APPROOT);
+			while (($sDir !== $sApproot) && (str_contains($sDir, $sApproot))) {
+				$aFiles = glob("$sDir/module.*.php");
+				if (count($aFiles) > 1) {
+					return 'core';
+				}
+
+				if (count($aFiles) == 0) {
+					$sDir = realpath(dirname($sDir));
+					continue;
+				}
+
+				$sModuleFilePath = $aFiles[0];
+				$aModuleInfo = ModuleFileReader::GetInstance()->ReadModuleFileInformation($sModuleFilePath);
+				$sModuleId = $aModuleInfo[ModuleFileReader::MODULE_INFO_ID];
+				list($sModuleName, ) = ModuleDiscovery::GetModuleName($sModuleId);
+
+				return $sModuleName;
+			}
+		} catch (\Exception $e) {
+			throw new CoreException("Cannot find class module", ['class' => $sClass], '', $e);
+		}
+
+		return 'core';
+	}
+
 	/**
 	 * @param string $sClass
 	 *
@@ -5709,7 +5748,7 @@ abstract class MetaModel
 	 * @throws \DictExceptionUnknownLanguage
 	 * @throws \Exception
 	 */
-	public static function Startup($config, $bModelOnly = false, $bAllowCache = true, $bTraceSourceFiles = false, $sEnvironment = 'production')
+	public static function Startup($config, $bModelOnly = false, $bAllowCache = true, $bTraceSourceFiles = false, $sEnvironment = ITOP_DEFAULT_ENV)
 	{
 		// Startup on a new environment is not supported
 		static $bStarted = false;
--- a/core/oql/build/PHP/ParserGenerator/Data.php
+++ b/core/oql/build/PHP/ParserGenerator/Data.php
@@ -1656,7 +1656,7 @@ class PHP_ParserGenerator_Data
    function emit_code($out, PHP_ParserGenerator_Rule $rp, &$lineno)
    {
        $linecnt = 0;
-        
+
        /* Generate code to do the reduce action */
        if ($rp->code) {
            $this->tplt_linedir($out, $rp->line, $this->filename);
--- a/core/oql/oql-parser.php
+++ b/core/oql/oql-parser.php
@@ -1084,7 +1084,7 @@ static public $yy_action = array(
    function yy_find_shift_action($iLookAhead)
    {
        $stateno = $this->yystack[$this->yyidx]->stateno;
-     
+
        /* if ($this->yyidx < 0) return self::YY_NO_ACTION;  */
        if (!isset(self::$yy_shift_ofst[$stateno])) {
            // no shift actions
@@ -1767,7 +1767,7 @@ throw new OQLParserParseFailureException($this->m_sSourceQuery, $this->m_iLine,
    function yy_syntax_error($yymajor, $TOKEN)
    {
 #line 25 "..\oql-parser.y"
- 
+
 throw new OQLParserSyntaxErrorException($this->m_sSourceQuery, $this->m_iLine, $this->m_iCol, $this->tokenName($yymajor), $TOKEN);
 #line 1779 "..\oql-parser.php"
    }
@@ -1806,7 +1806,7 @@ throw new OQLParserSyntaxErrorException($this->m_sSourceQuery, $this->m_iLine, $
 //        $yyact;            /* The parser action. */
 //        $yyendofinput;     /* True if we are at the end of input */
        $yyerrorhit = 0;   /* True if yymajor has invoked an error */
-        
+
        /* (re)initialize the parser, if necessary */
        if ($this->yyidx === null || $this->yyidx < 0) {
            /* if ($yymajor == 0) return; // not sure why this was here... */
@@ -1819,7 +1819,7 @@ throw new OQLParserSyntaxErrorException($this->m_sSourceQuery, $this->m_iLine, $
            array_push($this->yystack, $x);
        }
        $yyendofinput = ($yymajor==0);
-        
+
        if (self::$yyTraceFILE) {
            fprintf(
                self::$yyTraceFILE,
@@ -1828,7 +1828,7 @@ throw new OQLParserSyntaxErrorException($this->m_sSourceQuery, $this->m_iLine, $
                self::$yyTokenName[$yymajor]
            );
        }
-        
+
        do {
            $yyact = $this->yy_find_shift_action($yymajor);
            if ($yymajor < self::YYERRORSYMBOL
@@ -2002,7 +2002,7 @@ class OQLParser extends OQLParserRaw
 		$this->m_sSourceQuery = $sQuery;
 		// no constructor - parent::__construct();
 	}
-	
+
 	public function doParse($token, $value, $iCurrPosition = 0)
 	{
 		$this->m_iColPrev = $this->m_iCol;
@@ -2016,7 +2016,7 @@ class OQLParser extends OQLParserRaw
 		$this->doParse(0, 0);
 		return $this->my_result;
 	}
-	
+
 	public function __destruct()
 	{
 		// Bug in the original destructor, causing an infinite loop !
--- a/core/ormcaselog.class.inc.php
+++ b/core/ormcaselog.class.inc.php
@@ -370,7 +370,7 @@ class ormCaseLog
 	/**
 	 * Produces an HTML representation, aimed at being used within the iTop framework
 	 */
-	public function GetAsHTML(WebPage $oP = null, $bEditMode = false, $aTransfoHandler = null)
+	public function GetAsHTML(?WebPage $oP = null, $bEditMode = false, $aTransfoHandler = null)
 	{
 		$bPrintableVersion = (utils::ReadParam('printable', '0') == '1');

--- a/core/ormdocument.class.inc.php
+++ b/core/ormdocument.class.inc.php
@@ -350,20 +350,22 @@ class ormDocument
 			if (!is_object($oObj)) {
 				// If access to the document is not granted, check if the access to the host object is allowed
 				$oObj = MetaModel::GetObject($sClass, $id, false, true);
+				$bHasHostRights = false;
 				if ($oObj instanceof Attachment) {
 					$sItemClass = $oObj->Get('item_class');
 					$sItemId = $oObj->Get('item_id');
 					$oHost = MetaModel::GetObject($sItemClass, $sItemId, false, false);
-					if (!is_object($oHost)) {
-						$oObj = null;
+					if (is_object($oHost)) {
+						$bHasHostRights = true;
 					}
 				}
-				if (!is_object($oObj)) {
+
+				// We could neither read the object nor get a host object matching our rights
+				if ($bHasHostRights !== true) {
 					throw new Exception("Invalid id ($id) for class '$sClass' - the object does not exist or you are not allowed to view it");
 				}
 			}
-			if (($sSecretField != null) && ($oObj->Get($sSecretField) != $sSecretValue)) {
-				usleep(200);
+			if (($sSecretField != null) && !hash_equals($oObj->Get($sSecretField), $sSecretValue)) {
 				throw new Exception("Invalid secret for class '$sClass' - the object does not exist or you are not allowed to view it");
 			}
 			/** @var \ormDocument $oDocument */
--- a/core/ormlinkset.class.inc.php
+++ b/core/ormlinkset.class.inc.php
@@ -93,7 +93,7 @@ class ormLinkSet implements iDBObjectSetIterator, Iterator, SeekableIterator
 	 * @param DBObjectSet|null $oOriginalSet
 	 * @throws Exception
 	 */
-	public function __construct($sHostClass, $sAttCode, DBObjectSet $oOriginalSet = null)
+	public function __construct($sHostClass, $sAttCode, ?DBObjectSet $oOriginalSet = null)
 	{
 		$this->sHostClass = $sHostClass;
 		$this->sAttCode = $sAttCode;
@@ -470,17 +470,6 @@ class ormLinkSet implements iDBObjectSetIterator, Iterator, SeekableIterator
 				|| ($this->oOriginalSet->GetFilter()->ToOQL() == $oFellow->oOriginalSet->GetFilter()->ToOQL())) {
 				$bUpdateFromDelta = true;
 			}
-		} else {
-			//@since 3.2.2 N°2364 - API : remove old linkedset persistance
-			/* Goo pattern to use:
-			* $oCISet = $oTicket->Get(‘functioncis_list’);
-			* $oCISet->AddItem(MetaModel::NewObject(‘lnkFunctionCIToTicket’, array(‘ci_id’=> 12345));
-			* $oCISet->RemoveItem(123456);
-			* $oTicket->Set(‘functionalcis_list’, $oCISet);
-			 */
-			if (!ContextTag::Check(ContextTag::TAG_SETUP)) {
-				DeprecatedCallsLog::NotifyDeprecatedPhpMethod('old pattern - please get previous value of the linked set, modify it and set it back to the host object');
-			}
 		}

 		if ($bUpdateFromDelta) {
--- a/css/backoffice/application/bulk/_all.scss
+++ b/css/backoffice/application/bulk/_all.scss
@@ -4,3 +4,4 @@
 */

@import "bulk-modify";
+@import "bulk-export";
--- a/css/backoffice/application/bulk/_bulk-export.scss
+++ b/css/backoffice/application/bulk/_bulk-export.scss
@@ -0,0 +1,10 @@
+/*
+ * @copyright   Copyright (C) 2010-2026 Combodo SAS
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */
+
+#form_part_csv_options:has(#ibo-sanitize-excel-export--input:checked), #form_part_xlsx_options:has(#ibo-sanitize-excel-export--input:checked){
+  #ibo-sanitize-excel-export--alert {
+    display: none;
+  }
+}
--- a/css/backoffice/blocks-integrations/_all.scss
+++ b/css/backoffice/blocks-integrations/_all.scss
@@ -22,4 +22,6 @@
@import "medallion-with-blocklist";
@import "field-badge-within-datatable";
@import "jquery-blockui-within-dialog";
-@import "jquery-blockui-within-datatable";
+@import "jquery-blockui-within-datatable";
+@import "badge-with-badge";
+@import "extension-details-with-extension-details";
--- a/css/backoffice/blocks-integrations/_badge-with-badge.scss
+++ b/css/backoffice/blocks-integrations/_badge-with-badge.scss
@@ -0,0 +1,10 @@
+/*
+ * @copyright   Copyright (C) 2010-2026 Combodo SAS
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */
+
+$ibo-badge--spacing-left--with-same-block: $ibo-spacing-200 !default;
+
+.ibo-badge + .ibo-badge {
+  margin-left: $ibo-badge--spacing-left--with-same-block;
+}
--- a/css/backoffice/blocks-integrations/_extension-details-with-extension-details.scss
+++ b/css/backoffice/blocks-integrations/_extension-details-with-extension-details.scss
@@ -0,0 +1,11 @@
+/*
+ * @copyright   Copyright (C) 2010-2026 Combodo SAS
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */
+
+$ibo-extension-details--margin-top: $ibo-spacing-300 !default;
+
+.ibo-extension-details + .ibo-extension-details,
+.ibo-extension-details--information--description .ibo-extension-details {
+	margin-top: $ibo-extension-details--margin-top;
+}
--- a/css/backoffice/components/_all.scss
+++ b/css/backoffice/components/_all.scss
@@ -33,4 +33,5 @@
@import "field-badge";
@import "file-select";
@import "medallion-icon";
-@import "toast";
+@import "toast";
+@import "badge";
--- a/css/backoffice/components/_badge.scss
+++ b/css/backoffice/components/_badge.scss
@@ -0,0 +1,41 @@
+$ibo-badge--padding-x : $ibo-spacing-200 !default;
+$ibo-badge--padding-y : $ibo-spacing-100 !default;
+$ibo-badge--border-radius : $ibo-border-radius-400 !default;
+
+$ibo-badge-colors: (
+		'primary': ($ibo-color-primary-100, $ibo-color-primary-900),
+		'secondary': ($ibo-color-secondary-100, $ibo-color-secondary-900),
+		'neutral': ($ibo-color-secondary-100, $ibo-color-secondary-900),
+		'information': ($ibo-color-information-100, $ibo-color-information-900),
+		'success': ($ibo-color-success-100, $ibo-color-success-900),
+		'failure': ($ibo-color-danger-100, $ibo-color-danger-900),
+		'warning': ($ibo-color-warning-100,$ibo-color-warning-900),
+		'danger': ($ibo-color-danger-100,$ibo-color-danger-900),
+		'grey' : ($ibo-color-grey-100, $ibo-color-grey-900),
+		'blue-grey': ($ibo-color-blue-grey-100, $ibo-color-blue-grey-900),
+		'blue': ($ibo-color-blue-100, $ibo-color-blue-900),
+		'cyan': ($ibo-color-cyan-100, $ibo-color-cyan-900),
+		'green': ($ibo-color-green-100, $ibo-color-green-900),
+		'orange' : ($ibo-color-orange-100, $ibo-color-orange-900),
+		'red': ($ibo-color-red-100, $ibo-color-red-900),
+		'pink': ($ibo-color-pink-100, $ibo-color-pink-900),
+) !default;
+
+
+
+.ibo-badge {
+	display: inline-block;
+	white-space: nowrap;
+	padding : $ibo-badge--padding-y $ibo-badge--padding-x;
+	border-radius : $ibo-badge--border-radius;
+	@extend %ibo-font-ral-med-50;
+
+	@each $sColor, $aColorValues in $ibo-badge-colors {
+		$bg-color: nth($aColorValues, 1);
+		$text-color: nth($aColorValues, 2);
+		&.ibo-is-#{$sColor} {
+			background-color: $bg-color;
+			color: $text-color;
+		}
+	}
+}
--- a/css/backoffice/components/_panel.scss
+++ b/css/backoffice/components/_panel.scss
@@ -72,9 +72,12 @@ $ibo-panel--icon--spacing--as-medallion--is-sticking: $ibo-panel--icon--spacing-
 $ibo-panel--icon--bottom--as-medallion--is-sticking: -12px !default;
 $ibo-panel--icon--border--as-medallion--is-sticking: 1px $ibo-panel--base-border-style $ibo-panel--base-border-color !default;

-$ibo-panel--icon-background--size--must-contain: contain !default;
-$ibo-panel--icon-background--size--must-cover: cover !default;
-$ibo-panel--icon-background--size--must-zoomout: 66.67% !default;
+$ibo-panel--icon-background--size--must-contain: contain !default; // deprecated, to be removed in favor of $ibo-panel--icon-img--size--must-contain
+$ibo-panel--icon-background--size--must-cover: cover !default; // deprecated, to be removed in favor of $ibo-panel--icon-img--size--must-cover
+$ibo-panel--icon-background--size--must-zoomout: 66.67% !default; // deprecated, to be removed in favor of $ibo-panel--icon-img--size--must-zoomout
+$ibo-panel--icon-img--size--must-contain: $ibo-panel--icon-background--size--must-contain !default; // TODO remove when dealing with N°9317
+$ibo-panel--icon-img--size--must-cover: $ibo-panel--icon-background--size--must-cover !default; // TODO remove when dealing with N°9317
+$ibo-panel--icon-img--size--must-zoomout: $ibo-panel--icon-background--size--must-zoomout !default; // TODO remove when dealing with N°9317

 $ibo-panel--title--font-size--is-sticking: $ibo-font-size-150 !default;
 $ibo-panel--title--color: $ibo-color-grey-900 !default;
@@ -179,24 +182,25 @@ $ibo-panel--is-selectable--body--after--font-size: $ibo-font-size-700 !default;
  min-height: $ibo-panel--icon--size;
 }

-.ibo-panel--icon-background {
+.ibo-panel--icon-img, .ibo-panel--icon-background { // second class is deprecated, remove it when dealing with N°9317
  width: 100%;
  height: 100%;
  background-position: center;
  background-repeat: no-repeat;
-  background-size: $ibo-panel--icon-background--size--must-contain;
+  background-size: $ibo-panel--icon-img--size--must-contain;
 }

-.ibo-panel--icon-background--must-contain {
-  background-size: $ibo-panel--icon-background--size--must-contain;
+.ibo-panel--icon-img--must-contain, .ibo-panel--icon-background--must-contain { // second class is deprecated, remove it when dealing with N°9317
+  background-size: $ibo-panel--icon-img--size--must-contain;
 }

-.ibo-panel--icon-background--must-cover {
-  background-size: $ibo-panel--icon-background--size--must-cover;
+.ibo-panel--icon-img--must-cover, .ibo-panel--icon-background--must-cover { // second class is deprecated, remove it when dealing with N°9317
+  background-size: $ibo-panel--icon-img--size--must-cover;
 }

-.ibo-panel--icon-background--must-zoomout {
-  background-size: $ibo-panel--icon-background--size--must-zoomout;
+.ibo-panel--icon-img--must-zoomout, .ibo-panel--icon-background--must-zoomout { // second class is deprecated, remove it when dealing with N°9317
+  width: $ibo-panel--icon-img--size--must-zoomout;
+  height: $ibo-panel--icon-img--size--must-zoomout;
 }

 .ibo-panel--title {
--- a/css/backoffice/components/_search-form.scss
+++ b/css/backoffice/components/_search-form.scss
@@ -21,6 +21,8 @@ $ibo-search-form-panel--more-criteria--color: $ibo-color-blue-grey-800 !default;
 $ibo-search-form-panel--more-criteria--background-color: $ibo-color-white-100 !default;
 $ibo-search-form-panel--more-criteria--icon--color: $ibo-color-primary-600 !default;
 $ibo-search-form-panel--more-criteria--border-color: $ibo-search-form-panel--criteria--border-color !default;
+// calc is redundant but avoid SCSS min() from being used instead of CSS min()
+$ibo-search-form-panel--criteria--max-height: calc(min(#{$ibo-size-750}, 50vh)) !default;

 $ibo-search-form-panel--items--hover--color: $ibo-color-grey-200 !default;

@@ -278,9 +280,10 @@ $ibo-search-results-area--datatable-scrollhead--border--is-sticking: $ibo-search
 				}

 				.sfc_form_group {
-          display: block;
-          margin-top: -1px;
-          z-index: -1;
+                  display: flex;
+                  flex-direction: column;
+                  margin-top: -1px;
+                  z-index: -1;
        }
 			}

@@ -346,11 +349,15 @@ $ibo-search-results-area--datatable-scrollhead--border--is-sticking: $ibo-search
        display: none;
        max-width: 450px;
        width: max-content;
-        max-height: 520px;
+        max-height: $ibo-search-form-panel--criteria--max-height;
        overflow-x: auto;
        overflow-y: hidden;

 				.sfc_fg_operators {
+                    display: flex;
+                    flex-direction: column;
+                    overflow: auto;
+                    min-height: 0;
 					font-size: 12px;

 					.sfc_fg_operator {
@@ -387,6 +394,9 @@ $ibo-search-results-area--datatable-scrollhead--border--is-sticking: $ibo-search
 						}

 						.sfc_opc_multichoices {
+                            display: flex;
+                            flex-direction: column;
+                            height: 100%;
 							label > input {
 								vertical-align: text-top;
 								margin-left: $ibo-spacing-0;
@@ -398,7 +408,6 @@ $ibo-search-results-area--datatable-scrollhead--border--is-sticking: $ibo-search
 							}

 							.sfc_opc_mc_items_wrapper {
-								max-height: 415px; /* Must be less than .sfc_form_group:max-height - .sfc_opc_mc_toggler:height - .sfc_opc_mc_filter:height */
 								overflow-y: auto;
 								margin: $ibo-spacing-0 -8px; /* Compensate .sfc_opc_multichoices side padding so the hover style can take the full with */

@@ -560,8 +569,14 @@ $ibo-search-results-area--datatable-scrollhead--border--is-sticking: $ibo-search
 			&.search_form_criteria_enum {
 				.sfc_form_group {
 					.sfc_fg_operator_in {
+                        display: flex;
+                        flex-direction: column;
+                        height: 100%;
+                        min-height: 0;
 						> label {
-							display: inline-block;
+							display: flex;
+                            height: 100%;
+                            min-height: 0;
 							width: 100%;
 							line-height: initial;
 							white-space: nowrap;
--- a/css/backoffice/components/_title.scss
+++ b/css/backoffice/components/_title.scss
@@ -11,9 +11,12 @@ $ibo-title--icon--size: 90px !default;
 $ibo-title--icon--size-2: 80px !default;
 $ibo-title--icon--size-3: 70px !default;

-$ibo-title--icon-background--size--must-contain: contain !default;
-$ibo-title--icon-background--size--must-cover: cover !default;
-$ibo-title--icon-background--size--must-zoomout: 66.67% !default;
+$ibo-title--icon-background--size--must-contain: contain !default; // deprecated, to be removed in favor of $ibo-title--icon-img--size--must-contain
+$ibo-title--icon-background--size--must-cover: cover !default; // deprecated, to be removed in favor of $ibo-title--icon-img--size--must-cover
+$ibo-title--icon-background--size--must-zoomout: 66.67% !default; // deprecated, to be removed in favor of $ibo-title--icon-img--size--must-zoomout
+$ibo-title--icon-img--size--must-contain: $ibo-title--icon-background--size--must-contain !default; // TODO remove when dealing with N°9317
+$ibo-title--icon-img--size--must-cover: $ibo-title--icon-background--size--must-cover !default; // TODO remove when dealing with N°9317
+$ibo-title--icon-img--size--must-zoomout: $ibo-title--icon-background--size--must-zoomout !default; // TODO remove when dealing with N°9317


 .ibo-title {
@@ -44,24 +47,23 @@ $ibo-title--icon-background--size--must-zoomout: 66.67% !default;
  min-height: $ibo-title--icon--size-3;
 }

-.ibo-title--icon-background {
+.ibo-title--icon-img, .ibo-title--icon-background { // second class is deprecated, remove it when dealing with N°9317
  width: 100%;
  height: 100%;
-  background-position: center;
-  background-repeat: no-repeat;
-  background-size: $ibo-title--icon-background--size--must-contain;
+  object-position: center;
+  background-size: $ibo-title--icon-img--size--must-contain;
 }

-.ibo-title--icon-background--must-contain {
-  background-size: $ibo-title--icon-background--size--must-contain;
+.ibo-title--icon-img--must-contain, .ibo-title--icon-background--must-contain { // second class is deprecated, remove it when dealing with N°9317
+  background-size: $ibo-title--icon-img--size--must-contain;
 }

-.ibo-title--icon-background--must-cover {
-  background-size: $ibo-title--icon-background--size--must-cover;
+.ibo-title--icon-img--must-cover, .ibo-title--icon-background--must-cover { // second class is deprecated, remove it when dealing with N°9317
+  background-size: $ibo-title--icon-img--size--must-cover;
 }

-.ibo-title--icon-background--must-zoomout {
-  background-size: $ibo-title--icon-background--size--must-zoomout;
+.ibo-title--icon-img--must-zoomout, .ibo-title--icon-background--must-zoomout { // second class is deprecated, remove it when dealing with N°9317
+  background-size: $ibo-title--icon-img--size--must-zoomout;
 }

 .ibo-title--for-object-details {
--- a/css/backoffice/components/input/_input-toggler.scss
+++ b/css/backoffice/components/input/_input-toggler.scss
@@ -8,6 +8,7 @@ $ibo-toggler--wrapper--height: 20px !default;

 $ibo-toggler--slider--border-radius: $ibo-border-radius-900 !default;
 $ibo-toggler--slider--background-color: $ibo-color-secondary-600 !default;
+$ibo-toggler--slider--disabled--background-color: $ibo-color-secondary-200 !default;

 $ibo-toggler--slider--before--left: 3px !default;
 $ibo-toggler--slider--before--bottom: 3px !default;
@@ -17,6 +18,7 @@ $ibo-toggler--slider--before--border-radius: $ibo-border-radius-full !default;
 $ibo-toggler--slider--before--background-color: $ibo-color-grey-100 !default;

 $ibo-toggler--slider--checked--background-color: $ibo-color-primary-600 !default;
+$ibo-toggler--slider--checked-disabled--background-color: $ibo-color-primary-200 !default;
 $ibo-toggler--slider--focus--box-shadow: 0 0 1px $ibo-color-primary-600 !default;

 $ibo-toggler--label--margin-left: 4px !default;
@@ -61,6 +63,13 @@ $ibo-toggler--label--margin-left: 4px !default;
  background-color: $ibo-toggler--slider--checked--background-color;
 }

+.ibo-toggler--wrapper input:disabled + .ibo-toggler--slider {
+  background-color: $ibo-toggler--slider--disabled--background-color;
+}
+.ibo-toggler--wrapper input:checked:disabled + .ibo-toggler--slider {
+  background-color: $ibo-toggler--slider--checked-disabled--background-color;
+}
+
 input:focus + .ibo-toggler--slider {
  box-shadow: $ibo-toggler--slider--focus--box-shadow;
 }
--- a/css/backoffice/layout/_all.scss
+++ b/css/backoffice/layout/_all.scss
@@ -15,3 +15,4 @@
@import "wizard-container/wizard-container";
@import "object/all";
@import "activity-panel/all";
+@import "extension/all";
--- a/css/backoffice/layout/extension/_all.scss
+++ b/css/backoffice/layout/extension/_all.scss
@@ -0,0 +1 @@
+@import "extension-details";
--- a/css/backoffice/layout/extension/_extension-details.scss
+++ b/css/backoffice/layout/extension/_extension-details.scss
@@ -0,0 +1,65 @@
+$ibo-extension-details--information--metadata--padding: $ibo-spacing-200 !default;
+$ibo-extension-details--information--metadata--delimiter: "-" !default;
+$ibo-extension-details--information--metadata--color: $ibo-color-grey-700 !default;
+$ibo-extension-details--actions--button--padding-y: 3px !default;
+$ibo-extension-details--actions--button--padding-x: $ibo-button--padding-x !default;
+
+.ibo-extension-details {
+	display: inline-flex;
+	flex-direction: row;
+	justify-content: space-between;
+	align-items: center;
+	width: 100%;
+}
+
+.ibo-extension-details--information {
+	flex-grow: 1;
+	display: flex;
+	flex-direction: column;
+}
+
+.ibo-extension-details--actions {
+	display: flex;
+}
+
+.ibo-extension-details--information--label {
+	@extend %ibo-font-ral-med-150;
+}
+
+.ibo-extension-details--information--metadata {
+	@extend %ibo-font-ral-med-100;
+	color: $ibo-extension-details--information--metadata--color;
+}
+
+.ibo-extension-details--information--description {
+	@extend %ibo-font-ral-med-100;
+}
+
+.ibo-extension-details--information--metadata span + span:before {
+	content: $ibo-extension-details--information--metadata--delimiter;
+	padding-left: $ibo-extension-details--information--metadata--padding;
+	padding-right: $ibo-extension-details--information--metadata--padding;
+}
+
+//ibo-extension-details can have other ibo-extension-details inside its ibo-extension-details--information--description in the setup. We need to only affect direct children
+.ibo-extension-details:has(>.ibo-extension-details--actions  input:is([type="checkbox"], [type="radio"]):checked){
+	&>.ibo-extension-details--information>.ibo-extension-details--information--label .ibo-badge.unchecked {
+		display: none;
+	}
+}
+//Merging the two lines below with :is([type="checkbox"], [type="radio"]) will generate a warning in scss compiler
+.ibo-extension-details:has(>.ibo-extension-details--actions input[type="checkbox"]:not(:checked)),
+.ibo-extension-details:has(>.ibo-extension-details--actions input[type="radio"]:not(:checked)) {
+	&>.ibo-extension-details--information>.ibo-extension-details--information--label .ibo-badge.checked {
+		display: none;
+	}
+}
+
+
+.ibo-extension-details--actions > button {
+	padding: $ibo-extension-details--actions--button--padding-y $ibo-extension-details--actions--button--padding-x;
+}
+
+.ibo-extension-details--actions:has(.toggler-install:not(:disabled)) .ibo-popover-menu--section a[data-resource-id="force_uninstall"] {
+	display: none;
+}
--- a/css/backoffice/vendors/_selectize.scss
+++ b/css/backoffice/vendors/_selectize.scss
@@ -29,7 +29,7 @@ $ibo-vendors-selectize--element--active--background: $ibo-color-blue-100 !defaul
 $ibo-vendors-selectize--element--active--color: $ibo-color-grey-900 !default;

 $ibo-vendors-selectize--dropdown--background-color: $ibo-vendors-selectize-input--background-color !default;
-$ibo-vendors-selectize--dropdown--color:  $ibo-vendors-selectize-input--color!default;
+$ibo-vendors-selectize--dropdown--color: $ibo-vendors-selectize-input--color !default;

 $ibo-vendors-selectize--header--padding-x: 8px !default;
 $ibo-vendors-selectize--header--padding-y: 5px !default;
--- a/css/setup.css
+++ b/css/setup.css
--- a/css/setup.scss
+++ b/css/setup.scss
@@ -316,29 +316,34 @@ fieldset {
 	background-color: #F7FAFC;
 	padding: 10px;
 	.wiz-choice{
-		&:checked ~ .description {
-			#itop-ticket-mgmt-simple-ticket-enhanced-portal:not(:checked),
-			#itop-ticket-mgmt-itil-enhanced-portal:not(:checked) {
-				~ .description::after {
-					content: "Legacy portal is no longer part of iTop, by leaving this option unchecked your portal users won't be able to access iTop anymore.";
-					display: block;
-					margin-top: 0.5em;
-					font-weight: bold;
-					color: $legacy-portal-removal-text-color;
-				}
-			}
-		}
-		&:not(:checked) ~ label .setup-extension-tag.checked{
+		&:not(:checked) ~ label .checked{
 			display:none;
 		}
-		&:checked ~ label .setup-extension-tag.unchecked{
+		&:checked ~ label .unchecked{
 			display:none;
 		}
 	}
 }

+.ibo-extension-details:has(>.ibo-extension-details--actions>input:checked) {
+	.ibo-extension-details:has(#itop-ticket-mgmt-simple-ticket-enhanced-portal:not(:checked), #itop-ticket-mgmt-itil-enhanced-portal:not(:checked)) {
+		.ibo-extension-details--information--description::after {
+			content: "Legacy portal is no longer part of iTop, by leaving this option unchecked your portal users won't be able to access iTop anymore.";
+			display: block;
+			margin-top: 0.5em;
+			font-weight: bold;
+			color: $legacy-portal-removal-text-color;
+		}
+	}
+}

+.ibo-extension-details--information--metadata{
+	color: $ibo-color-grey-800;
+}

+.choice-disabled {
+	color: $ibo-color-grey-700;
+}

 body {
  font-size: 1.17rem;
@@ -522,10 +527,12 @@ body {
  }
 }

-.ibo-setup-summary-title {
-  font-size: $ibo-font-size-150;
+.ibo-setup-summary-title, .ibo-setup-summary-title:visited, .ibo-setup-summary-title:hover {
+	font-size: $ibo-font-size-150;
+	color: inherit;
 }

+
 #ibo-setup-licenses--components-list {
  background-color: $ibo-color-white-200;
  padding: 12px;
@@ -605,6 +612,7 @@ body {
 	color:#a00000;
 }
 .setup-extension-tag {
+  display: inline-flex;
 	background-color: grey;
 	border-radius: 8px;
 	padding-left: 3px;
@@ -630,6 +638,21 @@ body {
 	}
 }

+.ibo-extension-details {
+	align-items: flex-start;
+}
+.ibo-extension-details--actions input{
+	margin:0.2em 0.5em;
+	width: 12px;
+}
+:not(.ibo-badge) ~ .ibo-badge{
+	margin-left:0.5em;
+}
+.ibo-extension-details--information--label i{
+	font-size : 0.9em;
+	margin-left:0.3em;
+}
+
 .setup--wizard-choice--label + .setup--wizard-choice--more-info {
  margin-left: 0.5rem;
 }
@@ -681,9 +704,6 @@ body {
    overflow: auto;
    text-align: center;
  }
-  #installation_progress {
-    display: none;
-  }
  #fresh_content{
    border: 0;
    min-height: 300px;
--- a/datamodels/2.x/combodo-backoffice-darkmoon-theme/scss/scss-variables.scss
+++ b/datamodels/2.x/combodo-backoffice-darkmoon-theme/scss/scss-variables.scss
--- a/datamodels/2.x/combodo-backoffice-fullmoon-high-contrast-theme/scss/scss-variables.scss
+++ b/datamodels/2.x/combodo-backoffice-fullmoon-high-contrast-theme/scss/scss-variables.scss
--- a/datamodels/2.x/combodo-backoffice-fullmoon-protanopia-deuteranopia-theme/scss/scss-variables.scss
+++ b/datamodels/2.x/combodo-backoffice-fullmoon-protanopia-deuteranopia-theme/scss/scss-variables.scss
@@ -68,47 +68,47 @@ $ibo-color-information-900: #0f172a !default;
 $ibo-color-information-950: #020617 !default;


-$ibo-lifecycle-new-state-primary-color: $ibo-color-information-600;
-$ibo-lifecycle-new-state-secondary-color: $ibo-color-white-100;
-$ibo-lifecycle-neutral-state-primary-color: $ibo-color-information-600;
-$ibo-lifecycle-neutral-state-secondary-color: $ibo-color-white-100;
-$ibo-lifecycle-waiting-state-primary-color: $ibo-color-yellow-700;
-$ibo-lifecycle-waiting-state-secondary-color: $ibo-color-white-100;
-$ibo-lifecycle-success-state-primary-color: $ibo-color-blue-700;
-$ibo-lifecycle-success-state-secondary-color: $ibo-color-white-100;
-$ibo-lifecycle-failure-state-primary-color: $ibo-color-orange-800;
-$ibo-lifecycle-failure-state-secondary-color: $ibo-color-white-100;
-$ibo-lifecycle-frozen-state-primary-color: $ibo-color-information-200;
-$ibo-lifecycle-frozen-state-secondary-color: $ibo-color-information-700;
+$ibo-lifecycle-new-state-primary-color: $ibo-color-information-600 !default;
+$ibo-lifecycle-new-state-secondary-color: $ibo-color-white-100 !default;
+$ibo-lifecycle-neutral-state-primary-color: $ibo-color-information-600 !default;
+$ibo-lifecycle-neutral-state-secondary-color: $ibo-color-white-100 !default;
+$ibo-lifecycle-waiting-state-primary-color: $ibo-color-yellow-700 !default;
+$ibo-lifecycle-waiting-state-secondary-color: $ibo-color-white-100 !default;
+$ibo-lifecycle-success-state-primary-color: $ibo-color-blue-700 !default;
+$ibo-lifecycle-success-state-secondary-color: $ibo-color-white-100 !default;
+$ibo-lifecycle-failure-state-primary-color: $ibo-color-orange-800 !default;
+$ibo-lifecycle-failure-state-secondary-color: $ibo-color-white-100 !default;
+$ibo-lifecycle-frozen-state-primary-color: $ibo-color-information-200 !default;
+$ibo-lifecycle-frozen-state-secondary-color: $ibo-color-information-700 !default;

-$ibo-lifecycle-active-state-primary-color: $ibo-color-blue-700;
-$ibo-lifecycle-active-state-secondary-color: $ibo-color-white-100;
-$ibo-lifecycle-inactive-state-primary-color: $ibo-color-yellow-700;
-$ibo-lifecycle-inactive-state-secondary-color: $ibo-color-white-100;
+$ibo-lifecycle-active-state-primary-color: $ibo-color-blue-700 !default;
+$ibo-lifecycle-active-state-secondary-color: $ibo-color-white-100 !default;
+$ibo-lifecycle-inactive-state-primary-color: $ibo-color-yellow-700 !default;
+$ibo-lifecycle-inactive-state-secondary-color: $ibo-color-white-100 !default;

-$ibo-caselog-highlight-color-1: $ibo-color-blue-700;
-$ibo-caselog-highlight-color-2: $ibo-color-yellow-700;
-$ibo-caselog-highlight-color-3: $ibo-color-information-600;
-$ibo-caselog-highlight-color-4: $ibo-color-yellow-500;
-$ibo-caselog-highlight-color-5: $ibo-color-blue-500;
-$ibo-caselog-highlight-color-6: $ibo-color-yellow-300;
-$ibo-caselog-highlight-color-7: $ibo-color-blue-300;
+$ibo-caselog-highlight-color-1: $ibo-color-blue-700 !default;
+$ibo-caselog-highlight-color-2: $ibo-color-yellow-700 !default;
+$ibo-caselog-highlight-color-3: $ibo-color-information-600 !default;
+$ibo-caselog-highlight-color-4: $ibo-color-yellow-500 !default;
+$ibo-caselog-highlight-color-5: $ibo-color-blue-500 !default;
+$ibo-caselog-highlight-color-6: $ibo-color-yellow-300 !default;
+$ibo-caselog-highlight-color-7: $ibo-color-blue-300 !default;

-$ibo-input-wrapper--is-error--border-color: $ibo-color-warning-700;
-$ibo-field-validation: $ibo-color-warning-800;
+$ibo-input-wrapper--is-error--border-color: $ibo-color-warning-700 !default;
+$ibo-field-validation: $ibo-color-warning-800 !default;

-$ibo-navigation-menu--visual-hint--background-color: $ibo-color-blue-400;
+$ibo-navigation-menu--visual-hint--background-color: $ibo-color-blue-400 !default;

-$ibo-wizard-container--background-color: $ibo-color-information-200;
-$ibo-wizard-container--border-color: $ibo-color-information-600;
+$ibo-wizard-container--background-color: $ibo-color-information-200 !default;
+$ibo-wizard-container--border-color: $ibo-color-information-600 !default;

-$ibo-navigation-menu--notifications--item--new-message-indicator--background-color: $ibo-color-white-100;
-$ibo-navigation-menu--notifications--item--new-message-indicator--border: solid 2px $ibo-color-grey-500;
-$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-1--background-color: $ibo-color-danger-100;
-$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-1--border: solid 2px $ibo-color-danger-500;
-$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-2--background-color: $ibo-color-warning-100;
-$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-2--border: solid 2px $ibo-color-warning-500;
-$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-3--background-color: $ibo-color-success-100;
-$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-3--border: solid 2px $ibo-color-success-500;
+$ibo-navigation-menu--notifications--item--new-message-indicator--background-color: $ibo-color-white-100 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--border: solid 2px $ibo-color-grey-500 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-1--background-color: $ibo-color-danger-100 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-1--border: solid 2px $ibo-color-danger-500 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-2--background-color: $ibo-color-warning-100 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-2--border: solid 2px $ibo-color-warning-500 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-3--background-color: $ibo-color-success-100 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-3--border: solid 2px $ibo-color-success-500 !default;

-$ibo-notifications--view-all--item--unread--highlight--background-color: $ibo-color-blue-600;
+$ibo-notifications--view-all--item--unread--highlight--background-color: $ibo-color-blue-600 !default;
--- a/datamodels/2.x/combodo-backoffice-fullmoon-tritanopia-theme/scss/scss-variables.scss
+++ b/datamodels/2.x/combodo-backoffice-fullmoon-tritanopia-theme/scss/scss-variables.scss
@@ -32,47 +32,47 @@ $ibo-color-information-900: #0f172a !default;
 $ibo-color-information-950: #020617 !default;


-$ibo-lifecycle-new-state-primary-color: $ibo-color-information-600;
-$ibo-lifecycle-new-state-secondary-color: $ibo-color-white-100;
-$ibo-lifecycle-neutral-state-primary-color: $ibo-color-information-600;
-$ibo-lifecycle-neutral-state-secondary-color: $ibo-color-white-100;
-$ibo-lifecycle-waiting-state-primary-color: $ibo-color-red-200;
-$ibo-lifecycle-waiting-state-secondary-color: $ibo-color-red-800;
-$ibo-lifecycle-success-state-primary-color: $ibo-color-blue-700;
-$ibo-lifecycle-success-state-secondary-color: $ibo-color-white-100;
-$ibo-lifecycle-failure-state-primary-color: $ibo-color-red-800;
-$ibo-lifecycle-failure-state-secondary-color: $ibo-color-white-100;
-$ibo-lifecycle-frozen-state-primary-color: $ibo-color-information-200;
-$ibo-lifecycle-frozen-state-secondary-color: $ibo-color-information-700;
+$ibo-lifecycle-new-state-primary-color: $ibo-color-information-600 !default;
+$ibo-lifecycle-new-state-secondary-color: $ibo-color-white-100 !default;
+$ibo-lifecycle-neutral-state-primary-color: $ibo-color-information-600 !default;
+$ibo-lifecycle-neutral-state-secondary-color: $ibo-color-white-100 !default;
+$ibo-lifecycle-waiting-state-primary-color: $ibo-color-red-200 !default;
+$ibo-lifecycle-waiting-state-secondary-color: $ibo-color-red-800 !default;
+$ibo-lifecycle-success-state-primary-color: $ibo-color-blue-700 !default;
+$ibo-lifecycle-success-state-secondary-color: $ibo-color-white-100 !default;
+$ibo-lifecycle-failure-state-primary-color: $ibo-color-red-800 !default;
+$ibo-lifecycle-failure-state-secondary-color: $ibo-color-white-100 !default;
+$ibo-lifecycle-frozen-state-primary-color: $ibo-color-information-200 !default;
+$ibo-lifecycle-frozen-state-secondary-color: $ibo-color-information-700 !default;

-$ibo-lifecycle-active-state-primary-color: $ibo-color-blue-700;
-$ibo-lifecycle-active-state-secondary-color: $ibo-color-white-100;
-$ibo-lifecycle-inactive-state-primary-color: $ibo-color-red-700;
-$ibo-lifecycle-inactive-state-secondary-color: $ibo-color-white-100;
+$ibo-lifecycle-active-state-primary-color: $ibo-color-blue-700 !default;
+$ibo-lifecycle-active-state-secondary-color: $ibo-color-white-100 !default;
+$ibo-lifecycle-inactive-state-primary-color: $ibo-color-red-700 !default;
+$ibo-lifecycle-inactive-state-secondary-color: $ibo-color-white-100 !default;

-$ibo-caselog-highlight-color-1: $ibo-color-blue-700;
-$ibo-caselog-highlight-color-2: $ibo-color-red-700;
-$ibo-caselog-highlight-color-3: $ibo-color-information-600;
-$ibo-caselog-highlight-color-4: $ibo-color-red-500;
-$ibo-caselog-highlight-color-5: $ibo-color-blue-500;
-$ibo-caselog-highlight-color-6: $ibo-color-red-300;
-$ibo-caselog-highlight-color-7: $ibo-color-blue-300;
+$ibo-caselog-highlight-color-1: $ibo-color-blue-700 !default;
+$ibo-caselog-highlight-color-2: $ibo-color-red-700 !default;
+$ibo-caselog-highlight-color-3: $ibo-color-information-600 !default;
+$ibo-caselog-highlight-color-4: $ibo-color-red-500 !default;
+$ibo-caselog-highlight-color-5: $ibo-color-blue-500 !default;
+$ibo-caselog-highlight-color-6: $ibo-color-red-300 !default;
+$ibo-caselog-highlight-color-7: $ibo-color-blue-300 !default;

-$ibo-input-wrapper--is-error--border-color: $ibo-color-pink-700;
-$ibo-field-validation: $ibo-color-pink-800;
+$ibo-input-wrapper--is-error--border-color: $ibo-color-pink-700 !default;
+$ibo-field-validation: $ibo-color-pink-800 !default;

-$ibo-navigation-menu--visual-hint--background-color: $ibo-color-pink-600;
+$ibo-navigation-menu--visual-hint--background-color: $ibo-color-pink-600 !default;

-$ibo-wizard-container--background-color: $ibo-color-information-200;
-$ibo-wizard-container--border-color: $ibo-color-information-600;
+$ibo-wizard-container--background-color: $ibo-color-information-200 !default;
+$ibo-wizard-container--border-color: $ibo-color-information-600 !default;

-$ibo-navigation-menu--notifications--item--new-message-indicator--background-color: $ibo-color-white-100;
-$ibo-navigation-menu--notifications--item--new-message-indicator--border: solid 2px $ibo-color-grey-500;
-$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-1--background-color: $ibo-color-pink-100;
-$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-1--border: solid 2px $ibo-color-pink-600;
-$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-2--background-color: $ibo-color-warning-100;
-$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-2--border: solid 2px $ibo-color-warning-400;
-$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-3--background-color: $ibo-color-success-100;
-$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-3--border: solid 2px $ibo-color-success-500;
+$ibo-navigation-menu--notifications--item--new-message-indicator--background-color: $ibo-color-white-100 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--border: solid 2px $ibo-color-grey-500 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-1--background-color: $ibo-color-pink-100 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-1--border: solid 2px $ibo-color-pink-600 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-2--background-color: $ibo-color-warning-100 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-2--border: solid 2px $ibo-color-warning-400 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-3--background-color: $ibo-color-success-100 !default;
+$ibo-navigation-menu--notifications--item--new-message-indicator--is-priority-3--border: solid 2px $ibo-color-success-500 !default;

-$ibo-notifications--view-all--item--unread--highlight--background-color: $ibo-color-pink-500;
+$ibo-notifications--view-all--item--unread--highlight--background-color: $ibo-color-pink-500 !default;
--- a/datamodels/2.x/combodo-data-feature-removal/assets/css/DataFeatureRemoval.css
+++ b/datamodels/2.x/combodo-data-feature-removal/assets/css/DataFeatureRemoval.css
@@ -0,0 +1,9 @@
+/*
+ * @copyright   Copyright (C) 2010-2025 Combodo SARL
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */
+
+/*
+ * CSS of the template page
+ */
+
--- a/datamodels/2.x/combodo-data-feature-removal/assets/js/DataFeatureRemoval.js
+++ b/datamodels/2.x/combodo-data-feature-removal/assets/js/DataFeatureRemoval.js
@@ -0,0 +1,9 @@
+/*
+ * @copyright   Copyright (C) 2010-2025 Combodo SARL
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */
+
+/*
+ * Javascript file loaded in template page
+ */
+
--- a/datamodels/2.x/combodo-data-feature-removal/composer.json
+++ b/datamodels/2.x/combodo-data-feature-removal/composer.json
@@ -0,0 +1,17 @@
+{
+  "config": {
+    "classmap-authoritative": true
+  },
+  "autoload": {
+    "psr-4": {
+      "Combodo\\iTop\\DataFeatureRemoval\\": "src",
+      "": "src/NoNamespace"
+    }
+  },
+  "name": "combodo/combodo-data-feature-removal",
+  "type": "itop-extension",
+  "description": "iTop Data Feature Removal",
+  "require": {
+    "composer-runtime-api": "^2.0"
+  }
+}
--- a/datamodels/2.x/combodo-data-feature-removal/composer.lock
+++ b/datamodels/2.x/combodo-data-feature-removal/composer.lock
@@ -0,0 +1,20 @@
+{
+    "_readme": [
+        "This file locks the dependencies of your project to a known state",
+        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
+        "This file is @generated automatically"
+    ],
+    "content-hash": "b862a55cbf5448fb99f0905a4db6529b",
+    "packages": [],
+    "packages-dev": [],
+    "aliases": [],
+    "minimum-stability": "stable",
+    "stability-flags": {},
+    "prefer-stable": false,
+    "prefer-lowest": false,
+    "platform": {
+        "composer-runtime-api": "^2.0"
+    },
+    "platform-dev": {},
+    "plugin-api-version": "2.6.0"
+}
--- a/datamodels/2.x/combodo-data-feature-removal/datamodel.combodo-data-feature-removal.xml
+++ b/datamodels/2.x/combodo-data-feature-removal/datamodel.combodo-data-feature-removal.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<itop_design xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="3.3">
+  <menus>
+    <menu id="DataFeatureRemovalMenu" xsi:type="WebPageMenuNode" _delta="define">
+      <rank>30</rank>
+      <parent>SystemTools</parent>
+      <url>$pages/exec.php?exec_module=combodo-data-feature-removal&amp;exec_page=index.php&amp;c[menu]=DataFeatureRemovalMenu</url>
+      <enable_admin_only>1</enable_admin_only>
+    </menu>
+  </menus>
+  <module_parameters>
+    <parameters id="combodo-data-feature-removal">
+      <max_count_estimation_for_safe_cleanup>100</max_count_estimation_for_safe_cleanup>
+    </parameters>
+  </module_parameters>
+</itop_design>
--- a/datamodels/2.x/combodo-data-feature-removal/dictionaries/en.dict.combodo-data-feature-removal.php
+++ b/datamodels/2.x/combodo-data-feature-removal/dictionaries/en.dict.combodo-data-feature-removal.php
@@ -0,0 +1,58 @@
+<?php
+
+/**
+ * @copyright   Copyright (C) 2010-2025 Combodo SARL
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */
+
+/**
+ * Localized data
+ */
+
+Dict::Add('EN US', 'English', 'English', [
+	'Menu:DataFeatureRemovalMenu' => 'Features Removal',
+	'combodo-data-feature-removal/Operation:Main/Title' => 'Features Removal',
+
+	'DataFeatureRemoval:Main:Title' => 'Features Removal',
+	'DataFeatureRemoval:Main:SubTitle' => 'Prepare features you want to enable/disable in a future setup',
+	'DataFeatureRemoval:Failure:Title' => 'Feature dry removal errors',
+	'DataFeatureRemoval:Helper:Title' => 'Enable or disable features that are installed in your iTop.',
+	'DataFeatureRemoval:Helper:Desc1' => 'It will prepare the setup step that proceeds to feature enabling or disabling.',
+	'DataFeatureRemoval:Helper:Desc2' => 'Analyze if there are any data or dependency preventing you from enabling/disabling a feature.',
+
+	'DataFeatureRemoval:Features:Title' => 'Features',
+	'DataFeatureRemoval:Analysis:Title' => 'Analysis result',
+	'DataFeatureRemoval:Analysis:SubTitle' => '%1$s element(s) to clean before continuing',
+
+	'DataFeatureRemoval:DeletionPlan:Title' => 'Deletion plan',
+	'DataFeatureRemoval:DeletionPlan:SubTitle' => '%1$s rows to clean before continuing',
+	'DataFeatureRemoval:DoDeletion:Title' => 'Do deletion',
+	'DataFeatureRemoval:DoDeletion:SubTitle' => 'Remove all the entries from the database',
+	'DataFeatureRemoval:DeletionPlan:ToManyOperations' => 'Too many entries to clean',
+
+	'DataFeatureRemoval:Table:Analysis:ClassName' => 'Element to remove',
+	'DataFeatureRemoval:Table:Analysis:FeatureName' => 'Feature name',
+	'DataFeatureRemoval:Table:Analysis:Module' => 'Module name',
+	'DataFeatureRemoval:Table:Analysis:Occurrence' => 'Occurrence',
+
+	'UI:Button:Analyze' => 'Analyze',
+	'UI:Button:ModifyChoices' => 'Modify Choices',
+	'UI:Button:AnalyzeAndSetup' => 'Analyze and go to setup',
+	'UI:Button:PlanDeletion' => 'Prepare deletion plan',
+	'UI:Button:DoDeletion' => 'Delete data',
+	'UI:Button:BackToMain' => 'Back to Feature Removal',
+	'UI:Button:Setup' => 'Back to setup',
+
+	'UI:Action:ForceUninstall' => 'Force uninstall',
+	'UI:Action:MoreInfo' => 'More information',
+
+	'DataFeatureRemoval:Table:Empty' => 'No data to remove',
+
+	'DataFeatureRemoval:Column:Class' => 'Class',
+	'DataFeatureRemoval:Column:DeleteCount' => 'Entries to delete',
+	'DataFeatureRemoval:Column:UpdateCount' => 'Entries to update',
+	'DataFeatureRemoval:Column:Issue' => 'Issue',
+
+	'DataFeatureRemoval:Column:DeletedCount' => 'Deleted entries',
+	'DataFeatureRemoval:Column:UpdatedCount' => 'Updated entries',
+]);
--- a/datamodels/2.x/combodo-data-feature-removal/dictionaries/fr.dict.combodo-data-feature-removal.php
+++ b/datamodels/2.x/combodo-data-feature-removal/dictionaries/fr.dict.combodo-data-feature-removal.php
@@ -0,0 +1,58 @@
+<?php
+
+/**
+ * @copyright   Copyright (C) 2010-2025 Combodo SARL
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */
+
+/**
+* Localized data
+*/
+
+Dict::Add('FR FR', 'French', 'Français', [
+	'Menu:DataFeatureRemovalMenu' => 'Suppression de fonctionnalités',
+	'combodo-data-feature-removal/Operation:Main/Title' => 'Suppression de fonctionnalités',
+
+	'DataFeatureRemoval:Main:Title' => 'Suppression de fonctionnalités',
+	'DataFeatureRemoval:Main:SubTitle' => 'Préparez les fonctionnalités que vous souhaitez activer ou désactiver lors d’une prochaine configuration',
+	'DataFeatureRemoval:Failure:Title' => 'Erreurs lors de la simulation de suppression de fonctionnalités',
+	'DataFeatureRemoval:Helper:Title' => 'Activez ou désactivez les fonctionnalités installées dans votre iTop.',
+	'DataFeatureRemoval:Helper:Desc1' => 'Cette étape prépare l’assistant de configuration à activer ou désactiver des fonctionnalités.',
+	'DataFeatureRemoval:Helper:Desc2' => 'Analyse si des données ou des dépendances empêchent l’activation ou la désactivation d’une fonctionnalité.',
+
+	'DataFeatureRemoval:Features:Title' => 'Fonctionnalités',
+	'DataFeatureRemoval:Analysis:Title' => 'Résultat de l’analyse',
+	'DataFeatureRemoval:Analysis:SubTitle' => '%1$s élément(s) à nettoyer avant de poursuivre',
+
+	'DataFeatureRemoval:DeletionPlan:Title' => 'Plan de suppression',
+	'DataFeatureRemoval:DeletionPlan:SubTitle' => '%1$s ligne(s) à nettoyer avant de poursuivre',
+	'DataFeatureRemoval:DoDeletion:Title' => 'Exécuter la suppression',
+	'DataFeatureRemoval:DoDeletion:SubTitle' => 'Supprime toutes les entrées de la base de données',
+	'DataFeatureRemoval:DeletionPlan:ToManyOperations' => 'Trop d’entrées à nettoyer',
+
+	'DataFeatureRemoval:Table:Analysis:ClassName' => 'Élément à supprimer',
+	'DataFeatureRemoval:Table:Analysis:FeatureName' => 'Fonctionnalité',
+	'DataFeatureRemoval:Table:Analysis:Module' => 'Module',
+	'DataFeatureRemoval:Table:Analysis:Occurrence' => 'Occurrence',
+
+	'UI:Button:Analyze' => 'Analyser',
+	'UI:Button:ModifyChoices' => 'Modifier les choix',
+	'UI:Button:AnalyzeAndSetup' => 'Analyser et ouvrir l’assistant de configuration',
+	'UI:Button:PlanDeletion' => 'Préparer le plan de suppression',
+	'UI:Button:DoDeletion' => 'Supprimer les données',
+	'UI:Button:BackToMain' => 'Retour à la suppression de fonctionnalités',
+	'UI:Button:Setup' => 'Retour à l’assistant de configuration',
+
+	'UI:Action:ForceUninstall' => 'Forcer la désinstallation',
+	'UI:Action:MoreInfo' => 'Plus d’informations',
+
+	'DataFeatureRemoval:Table:Empty' => 'Aucune donnée à supprimer',
+
+	'DataFeatureRemoval:Column:Class' => 'Classe',
+	'DataFeatureRemoval:Column:DeleteCount' => 'Entrées à supprimer',
+	'DataFeatureRemoval:Column:UpdateCount' => 'Entrées à mettre à jour',
+	'DataFeatureRemoval:Column:Issue' => 'Problème',
+
+	'DataFeatureRemoval:Column:DeletedCount' => 'Entrées supprimées',
+	'DataFeatureRemoval:Column:UpdatedCount' => 'Entrées mises à jour',
+]);
--- a/datamodels/2.x/combodo-data-feature-removal/index.php
+++ b/datamodels/2.x/combodo-data-feature-removal/index.php
@@ -0,0 +1,20 @@
+<?php
+
+/**
+ * @copyright   Copyright (C) 2010-2025 Combodo SARL
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */
+
+namespace Combodo\iTop\DataFeatureRemoval;
+
+use Combodo\iTop\DataFeatureRemoval\Controller\DataFeatureRemovalController;
+use Combodo\iTop\DataFeatureRemoval\Helper\DataFeatureRemovalHelper;
+use Combodo\iTop\DataFeatureRemoval\Helper\DataFeatureRemovalLog;
+
+require_once(APPROOT.'application/startup.inc.php');
+
+DataFeatureRemovalLog::Enable();
+
+$oController = new DataFeatureRemovalController(MODULESROOT.DataFeatureRemovalHelper::MODULE_NAME.'/templates', DataFeatureRemovalHelper::MODULE_NAME);
+$oController->SetDefaultOperation('Main');
+$oController->HandleOperation();
--- a/datamodels/2.x/combodo-data-feature-removal/model.combodo-data-feature-removal.php
+++ b/datamodels/2.x/combodo-data-feature-removal/model.combodo-data-feature-removal.php
@@ -0,0 +1,16 @@
+<?php
+
+// PHP Data Model definition file
+
+// WARNING - WARNING - WARNING
+// DO NOT EDIT THIS FILE (unless you know what you are doing)
+//
+// If you provide a datamodel.xxxx.xml file with your module,
+// this file WILL BE overwritten by the compilation of the
+// module (during the setup) if the datamodel.xxxx.xml file
+// contains the definition of new classes or menus.
+//
+// The recommended way to define new classes (for iTop 2.0 and later) is via the XML definition.
+// This file remains in the module's template only for the cases where there is:
+// - either no new class or menu defined in the XML file
+// - or no XML file at all supplied by the module
--- a/datamodels/2.x/combodo-data-feature-removal/module.combodo-data-feature-removal.php
+++ b/datamodels/2.x/combodo-data-feature-removal/module.combodo-data-feature-removal.php
@@ -0,0 +1,54 @@
+<?php
+
+/**
+ * @copyright   Copyright (C) 2010-2025 Combodo SARL
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */
+
+//
+// iTop module definition file
+//
+
+SetupWebPage::AddModule(
+	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
+	'combodo-data-feature-removal/3.3.0',
+	[
+		// Identification
+		//
+		'label' => 'iTop Data Feature Removal',
+		'category' => 'business',
+
+		// Setup
+		//
+		'dependencies' => [
+
+		],
+		'mandatory' => true,
+		'visible' => false,
+
+		// Components
+		//
+		'datamodel' => [
+			'vendor/autoload.php',
+			'model.combodo-data-feature-removal.php', // Contains the PHP code generated by the "compilation" of datamodel.combodo-data-feature-removal.xml
+		],
+		'webservice' => [],
+		'data.struct' => [
+			// add your 'structure' definition XML files here,
+		],
+		'data.sample' => [
+			// add your sample data XML files here,
+		],
+
+		// Documentation
+		//
+		'doc.manual_setup' => '', // hyperlink to manual setup documentation, if any
+		'doc.more_information' => '', // hyperlink to more information, if any
+
+		// Default settings
+		//
+		'settings' => [
+			// Module specific settings go here, if any
+		],
+	]
+);
--- a/datamodels/2.x/combodo-data-feature-removal/src/Controller/DataFeatureRemovalController.php
+++ b/datamodels/2.x/combodo-data-feature-removal/src/Controller/DataFeatureRemovalController.php
@@ -0,0 +1,257 @@
+<?php
+
+/**
+ * @copyright   Copyright (C) 2010-2025 Combodo SARL
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */
+
+namespace Combodo\iTop\DataFeatureRemoval\Controller;
+
+require_once APPROOT.'setup/feature_removal/SetupAudit.php';
+require_once APPROOT.'setup/feature_removal/DryRemovalRuntimeEnvironment.php';
+
+use Combodo\iTop\Application\TwigBase\Controller\Controller;
+use Combodo\iTop\DataFeatureRemoval\Helper\DataFeatureRemovalConfig;
+use Combodo\iTop\DataFeatureRemoval\Helper\DataFeatureRemovalException;
+use Combodo\iTop\DataFeatureRemoval\Helper\DataFeatureRemovalHelper;
+use Combodo\iTop\DataFeatureRemoval\Service\DataFeatureRemoverExtensionService;
+use Combodo\iTop\DataFeatureRemoval\Service\DeletionPlanService;
+use Combodo\iTop\Setup\FeatureRemoval\DryRemovalRuntimeEnvironment;
+use Combodo\iTop\Setup\FeatureRemoval\SetupAudit;
+use Dict;
+use Exception;
+use IssueLog;
+use MetaModel;
+use utils;
+
+class DataFeatureRemovalController extends Controller
+{
+	private array $aSelectedExtensionsForCheck = [];
+	private array $aCountClassesToCleanup = [];
+	private array $aAnalysisDataTable = [];
+	private int $iCount = 0;
+
+	public function OperationMain($sErrorMessage = null): void
+	{
+		$aParams = [];
+
+		$this->ReadRemovedExtensions();
+		$this->AddAnalyzeParams();
+		$aParams['sTransactionId'] = utils::GetNewTransactionId();
+		$aParams['aExtensions'] = $this->GetExtensionsTable();
+		$aParams['aAnalysisDataTable'] = $this->aAnalysisDataTable;
+		$aParams['aClasses'] = array_keys($this->aCountClassesToCleanup);
+		$aParams['DataFeatureRemovalErrorMessage'] = $sErrorMessage;
+		$aParams['bHasData'] = $this->iCount > 0;
+		$aParams['sSetupUrl'] = utils::GetAbsoluteUrlAppRoot().'setup';
+		$aParams['iCount'] = $this->iCount;
+
+		$this->AddLinkedStylesheet(utils::GetAbsoluteUrlModulesRoot().DataFeatureRemovalHelper::MODULE_NAME.'/assets/css/DataFeatureRemoval.css');
+		$this->AddLinkedScript(utils::GetAbsoluteUrlModulesRoot().DataFeatureRemovalHelper::MODULE_NAME.'/assets/js/DataFeatureRemoval.js');
+		$this->DisplayPage($aParams);
+	}
+
+	public function AddAnalyzeParams(): void
+	{
+		$aData = [];
+		$aColumns = [];
+		$this->iCount = 0;
+		foreach ($this->aCountClassesToCleanup as $sClass => $iCount) {
+			$sModuleName = MetaModel::GetModuleName($sClass);
+			$aExtensions = DataFeatureRemoverExtensionService::GetInstance()->GetIncludingExtensions($sModuleName);
+			$sExtensions = implode(' ', $aExtensions);
+			$aColumns = ['ClassName','FeatureName','Module','Occurrence'];
+			$aData[] = [$sClass,$sExtensions,$sModuleName,$iCount];
+			$this->iCount += $iCount;
+		}
+
+		$this->aAnalysisDataTable =  $this->GetTableData('Analysis', $aColumns, $aData);
+	}
+
+	public function OperationAnalyze(): void
+	{
+		$this->ReadRemovedExtensions();
+
+		$this->m_sOperation = 'Main';
+
+		try {
+			if (count($this->aSelectedExtensionsForCheck) > 0) {
+				$this->Analyze();
+			}
+			$this->OperationMain();
+		} catch (Exception $e) {
+			IssueLog::Error(__METHOD__, null, ['stack' => $e->getTraceAsString(), 'exception' => $e->getMessage()]);
+			$this->OperationMain($e->getMessage());
+		}
+	}
+
+	private function Analyze(): void
+	{
+		$sSourceEnv = MetaModel::GetEnvironment();
+		$oDryRemovalRuntimeEnvironment = new DryRemovalRuntimeEnvironment($sSourceEnv, $this->aSelectedExtensionsForCheck);
+		$oDryRemovalRuntimeEnvironment->CompileFrom($sSourceEnv);
+
+		$oSetupAudit = new SetupAudit($sSourceEnv);
+		$aGetRemovedClasses = $oSetupAudit->GetIssues();
+		IssueLog::Debug(__METHOD__, null, ['aGetRemovedClasses' => $aGetRemovedClasses]);
+		$this->aCountClassesToCleanup = $aGetRemovedClasses;
+	}
+
+	public function OperationDeletionPlan(): void
+	{
+		$aParams = [];
+		$this->ValidateTransactionId();
+
+		$aClasses = utils::ReadPostedParam('classes', null, utils::ENUM_SANITIZATION_FILTER_CLASS);
+
+		$aDeletionPlanSummaryEntities = DeletionPlanService::GetInstance()->GetDeletionPlanSummary($aClasses);
+		$aColumns = ['Class', 'DeleteCount' , 'UpdateCount', 'Issue'];
+		$aRows = [];
+		$iQueryCount = 0;
+		foreach ($aDeletionPlanSummaryEntities as $oDeletionPlanSummaryEntity) {
+			$aRows[] = [
+				$oDeletionPlanSummaryEntity->sClass,
+				$oDeletionPlanSummaryEntity->iDeleteCount,
+				$oDeletionPlanSummaryEntity->iUpdateCount,
+				$oDeletionPlanSummaryEntity->sIssue ?? '',
+			];
+			$iQueryCount += $oDeletionPlanSummaryEntity->iDeleteCount;
+			$iQueryCount += $oDeletionPlanSummaryEntity->iUpdateCount;
+		}
+
+		$aParams['sTransactionId'] = utils::GetNewTransactionId();
+		$aParams['aDeletionPlanSummary'] = $this->GetTableData('Extensions', $aColumns, $aRows);
+		$aParams['aClasses'] = $aClasses;
+		$aParams['iQueryCount'] = $iQueryCount;
+		$aParams['bDeletionPossible'] = ($iQueryCount <= DataFeatureRemovalConfig::GetInstance()->Get('max_count_estimation_for_safe_cleanup', 100));
+
+		$this->DisplayPage($aParams);
+	}
+
+	public function OperationDoDeletion(): void
+	{
+		$aParams = [];
+		$this->ValidateTransactionId();
+
+		$aClasses = utils::ReadPostedParam('classes', null, utils::ENUM_SANITIZATION_FILTER_CLASS);
+
+		$aDeletionExecutionSummary = DeletionPlanService::GetInstance()->ExecuteDeletionPlan($aClasses);
+		$aColumns = ['Class', 'DeletedCount' , 'UpdatedCount'];
+		$aRows = [];
+		foreach ($aDeletionExecutionSummary as $oDeletionExecutionSummaryEntity) {
+			$aRows[] = [
+				$oDeletionExecutionSummaryEntity->sClass,
+				$oDeletionExecutionSummaryEntity->iDeleteCount,
+				$oDeletionExecutionSummaryEntity->iUpdateCount,
+			];
+		}
+
+		$aParams['sTransactionId'] = utils::GetNewTransactionId();
+		$aParams['aDeletionExecutionSummary'] = $this->GetTableData('Extensions', $aColumns, $aRows);
+		$this->DisplayPage($aParams);
+	}
+
+	/**
+	 * Get installed extensions from disk
+	 *
+	 * @return array structure for twig datatable
+	 */
+	private function GetExtensionsTable(): array
+	{
+		$aExtensions = [];
+		$aColumns = ['', 'Version', 'Name', 'Code'];
+
+		foreach (DataFeatureRemoverExtensionService::GetInstance()->ReadItopExtensions() as $sCode => $oExtension) {
+			/** @var \iTopExtension $oExtension */
+
+			$sChecked = '';
+			$sDisabledHtml = '';
+			if ($oExtension->bRemovedFromDisk) {
+				$sDisabledHtml = 'disabled=""';
+				$sChecked = 'checked';
+			} elseif (in_array($sCode, $this->aSelectedExtensionsForCheck)) {
+				$sChecked = 'checked';
+			}
+
+			$sLabel = $oExtension->sLabel;
+			$sVersion = $oExtension->sVersion;
+			$sIdEnable = "aExtensions[$sCode][enable]";
+
+			$aExtensions[] = [
+				<<<HTML
+<input type="checkbox" $sDisabledHtml class="extension_check" $sChecked id="$sIdEnable" name="$sIdEnable"/>
+HTML,
+				$sVersion,
+				$sLabel,
+				$sCode,
+			];
+		}
+
+		return $this->GetTableData('Extensions', $aColumns, $aExtensions);
+	}
+
+	private function GetTableData(string $sTableName, array $aColumns, array $aData): array
+	{
+		if (empty($aData)) {
+			return [
+				'Type' => 'Table',
+				'Columns' => [['label' => '']],
+				'Data' => [[ Dict::S('DataFeatureRemoval:Table:Empty')]],
+			];
+		}
+
+		$aNewColumns = [];
+		foreach ($aColumns as $sColumn) {
+			$aNewColumns[] = ['label' => Dict::S("DataFeatureRemoval:Table:$sTableName:$sColumn", Dict::S("DataFeatureRemoval:Column:$sColumn", $sColumn))];
+		}
+		$aColumns = $aNewColumns;
+
+		return [
+			'Type' => 'Table',
+			'Columns' => $aColumns,
+			'Data' => $aData,
+		];
+	}
+
+	/**
+	 * @return void
+	 * @throws \Combodo\iTop\DataFeatureRemoval\Helper\DataFeatureRemovalException
+	 */
+	private function ValidateTransactionId(): void
+	{
+		if (empty($_POST)) {
+			return;
+		}
+
+		$sTransactionId = utils::ReadPostedParam('transaction_id', null, utils::ENUM_SANITIZATION_FILTER_TRANSACTION_ID);
+		IssueLog::Debug(__FUNCTION__.": Transaction [$sTransactionId]");
+		if (empty($sTransactionId) || !utils::IsTransactionValid($sTransactionId, false)) {
+			throw new DataFeatureRemovalException(Dict::S("iTopUpdate:Error:InvalidToken"));
+		}
+	}
+
+	/**
+	 * @return void
+	 */
+	public function ReadRemovedExtensions(): void
+	{
+		if (count($this->aSelectedExtensionsForCheck) > 0) {
+			return;
+		}
+
+		$aSelectedExtensionsFromUI = utils::ReadPostedParam('aExtensions', []);
+		foreach ($aSelectedExtensionsFromUI as $sCode => $aData) {
+			$sValue = $aData['enable'] ?? 'off';
+			if (($sValue) === 'on') {
+				$this->aSelectedExtensionsForCheck[] = $sCode;
+			}
+		}
+
+		// Add source removed to check
+		foreach (DataFeatureRemoverExtensionService::GetInstance()->ReadItopExtensions() as $sCode => $oExtension) {
+			if ($oExtension->bRemovedFromDisk) {
+				$this->aSelectedExtensionsForCheck[] = $sCode;
+			}
+		}
+	}
+}
--- a/datamodels/2.x/combodo-data-feature-removal/src/Entity/DeletionPlanSummaryEntity.php
+++ b/datamodels/2.x/combodo-data-feature-removal/src/Entity/DeletionPlanSummaryEntity.php
@@ -0,0 +1,25 @@
+<?php
+
+namespace Combodo\iTop\DataFeatureRemoval\Entity;
+
+class DeletionPlanSummaryEntity
+{
+	public string $sClass;
+
+	/**
+	 * @var int : DEL_MANUAL|DEL_AUTO|DEL_SILENT|DEL_MOVEUP|DEL_NONE
+	 * @see \AttributeDefinition DEL_xxx
+	 */
+	public int $iMode = 0;
+	public ?string $sIssue = null;
+	public int $iUpdateCount = 0;
+	public int $iDeleteCount = 0;
+
+	/**
+	 * @param string $sClass
+	 */
+	public function __construct(string $sClass)
+	{
+		$this->sClass = $sClass;
+	}
+}
--- a/datamodels/2.x/combodo-data-feature-removal/src/Helper/DataFeatureRemovalConfig.php
+++ b/datamodels/2.x/combodo-data-feature-removal/src/Helper/DataFeatureRemovalConfig.php
@@ -0,0 +1,52 @@
+<?php
+
+/**
+ * @copyright   Copyright (C) 2010-2025 Combodo SARL
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */
+
+namespace Combodo\iTop\DataFeatureRemoval\Helper;
+
+use MetaModel;
+use utils;
+
+class DataFeatureRemovalConfig
+{
+	private static DataFeatureRemovalConfig $oInstance;
+
+	protected function __construct()
+	{
+	}
+
+	final public static function GetInstance(): DataFeatureRemovalConfig
+	{
+		if (!isset(static::$oInstance)) {
+			static::$oInstance = new DataFeatureRemovalConfig();
+		}
+
+		return static::$oInstance;
+	}
+
+	public function Get(string $sParamName, $default = null)
+	{
+		return MetaModel::GetModuleSetting(DataFeatureRemovalHelper::MODULE_NAME, $sParamName, $default);
+	}
+
+	public function GetBoolean(string $sParamName, $default = null): bool
+	{
+		$res = $this->Get($sParamName, $default);
+
+		return boolval($res);
+	}
+
+	public function IsEnabled(): bool
+	{
+		return $this->GetBoolean('enable', false);
+	}
+
+	public function Set(string $sParamName, $value)
+	{
+		$oConfig = utils::GetConfig();
+		$oConfig->SetModuleSetting(DataFeatureRemovalHelper::MODULE_NAME, $sParamName, $value);
+	}
+}
--- a/datamodels/2.x/combodo-data-feature-removal/src/Helper/DataFeatureRemovalException.php
+++ b/datamodels/2.x/combodo-data-feature-removal/src/Helper/DataFeatureRemovalException.php
@@ -0,0 +1,30 @@
+<?php
+
+/**
+ * @copyright   Copyright (C) 2010-2025 Combodo SARL
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */
+
+namespace Combodo\iTop\DataFeatureRemoval\Helper;
+
+use Exception;
+use Throwable;
+
+class DataFeatureRemovalException extends Exception
+{
+	public function __construct(string $message = '', int $code = 0, ?Throwable $previous = null, array $aContext = [])
+	{
+		if (!is_null($previous)) {
+			$sStack = $previous->getTraceAsString();
+			$sError = $previous->getMessage();
+		} else {
+			$sStack = $this->getTraceAsString();
+			$sError = '';
+		}
+
+		$aContext['error'] = $sError;
+		$aContext['stack'] = $sStack;
+		DataFeatureRemovalLog::Error($message, null, $aContext);
+		parent::__construct($message, $code, $previous);
+	}
+}
--- a/datamodels/2.x/combodo-data-feature-removal/src/Helper/DataFeatureRemovalHelper.php
+++ b/datamodels/2.x/combodo-data-feature-removal/src/Helper/DataFeatureRemovalHelper.php
@@ -0,0 +1,13 @@
+<?php
+
+/**
+ * @copyright   Copyright (C) 2010-2025 Combodo SARL
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */
+
+namespace Combodo\iTop\DataFeatureRemoval\Helper;
+
+class DataFeatureRemovalHelper
+{
+	public const MODULE_NAME = 'combodo-data-feature-removal';
+}
--- a/datamodels/2.x/combodo-data-feature-removal/src/Helper/DataFeatureRemovalLog.php
+++ b/datamodels/2.x/combodo-data-feature-removal/src/Helper/DataFeatureRemovalLog.php
@@ -0,0 +1,25 @@
+<?php
+
+/**
+ * @copyright   Copyright (C) 2010-2025 Combodo SARL
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */
+
+namespace Combodo\iTop\DataFeatureRemoval\Helper;
+
+use LogAPI;
+
+class DataFeatureRemovalLog extends LogAPI
+{
+	public const CHANNEL_DEFAULT = 'DataFeatureRemoval';
+
+	protected static $m_oFileLog = null;
+
+	public static function Enable($sTargetFile = null)
+	{
+		if (empty($sTargetFile)) {
+			$sTargetFile = APPROOT.'log/error.log';
+		}
+		parent::Enable($sTargetFile);
+	}
+}
--- a/datamodels/2.x/combodo-data-feature-removal/src/Service/DataFeatureRemoverExtensionService.php
+++ b/datamodels/2.x/combodo-data-feature-removal/src/Service/DataFeatureRemoverExtensionService.php
@@ -0,0 +1,80 @@
+<?php
+
+/*
+ * @copyright   Copyright (C) 2010-2026 Combodo SAS
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */
+
+namespace Combodo\iTop\DataFeatureRemoval\Service;
+
+use iTopExtension;
+use iTopExtensionsMap;
+use MetaModel;
+
+class DataFeatureRemoverExtensionService
+{
+	private static DataFeatureRemoverExtensionService $oInstance;
+
+	private array $aItopExtensions = [];
+	private array $aIncludingExtensionsByModuleName = [];
+
+	protected function __construct()
+	{
+	}
+
+	final public static function GetInstance(): DataFeatureRemoverExtensionService
+	{
+		if (!isset(self::$oInstance)) {
+			self::$oInstance = new DataFeatureRemoverExtensionService();
+		}
+
+		return self::$oInstance;
+	}
+
+	final public static function SetInstance(?DataFeatureRemoverExtensionService $oInstance): void
+	{
+		self::$oInstance = $oInstance;
+	}
+
+	/**
+	 * @param string $sModuleName
+	 *
+	 * @return array
+	 * @throws \Combodo\iTop\DataFeatureRemoval\Helper\DataFeatureRemovalException
+	 */
+	public function GetIncludingExtensions(string $sModuleName): array
+	{
+		if (count($this->aIncludingExtensionsByModuleName) === 0) {
+			foreach ($this->ReadItopExtensions() as $oExtension) {
+				$aModuleNames = $oExtension->aModules;
+				if (is_array($aModuleNames) && count($aModuleNames) > 0) {
+					foreach ($aModuleNames as $sModule) {
+						$aExtensions = $this->aIncludingExtensionsByModuleName[$sModule] ?? [];
+						$aExtensions[] = $oExtension->sLabel.'/'.$oExtension->sVersion;
+						$this->aIncludingExtensionsByModuleName[$sModule] = $aExtensions;
+					}
+				}
+			}
+		}
+
+		return $this->aIncludingExtensionsByModuleName[$sModuleName] ?? [];
+	}
+
+	/**
+	 * @return iTopExtension[]
+	 */
+	public function ReadItopExtensions(): array
+	{
+		if (count($this->aItopExtensions) === 0) {
+			$oExtensionsMap = new iTopExtensionsMap();
+			$oExtensionsMap->LoadInstalledExtensionsFromDatabase(MetaModel::GetConfig());
+			$this->aItopExtensions = $oExtensionsMap->GetAllExtensionsToDisplayInSetup(true);
+
+			uasort($this->aItopExtensions, function (iTopExtension $oiTopExtension1, iTopExtension $oiTopExtension2) {
+				return strcmp($oiTopExtension1->sLabel, $oiTopExtension2->sLabel);
+			});
+		}
+
+		return $this->aItopExtensions;
+	}
+}
--- a/datamodels/2.x/combodo-data-feature-removal/src/Service/DeletionPlanService.php
+++ b/datamodels/2.x/combodo-data-feature-removal/src/Service/DeletionPlanService.php
@@ -0,0 +1,182 @@
+<?php
+
+namespace Combodo\iTop\DataFeatureRemoval\Service;
+
+use CMDBSource;
+use Combodo\iTop\DataFeatureRemoval\Entity\DeletionPlanSummaryEntity;
+use Combodo\iTop\DataFeatureRemoval\Helper\DataFeatureRemovalException;
+use DBObjectSearch;
+use DeletionPlan;
+use MetaModel;
+
+class DeletionPlanService
+{
+	private static DeletionPlanService $oInstance;
+
+	protected function __construct()
+	{
+	}
+
+	final public static function GetInstance(): DeletionPlanService
+	{
+		if (!isset(self::$oInstance)) {
+			self::$oInstance = new DeletionPlanService();
+		}
+
+		return self::$oInstance;
+	}
+
+	final public static function SetInstance(?DeletionPlanService $oInstance): void
+	{
+		self::$oInstance = $oInstance;
+	}
+
+	/**
+	 * Get a summary of the deletion plan computed for the classes.
+	 * The result is used for display
+	 *
+	 * @param array|null $aClasses
+	 *
+	 * @return array<\Combodo\iTop\DataFeatureRemoval\Entity\DeletionPlanSummaryEntity>
+	 * @throws \CoreException
+	 * @throws \CoreUnexpectedValue
+	 * @throws \MySQLException
+	 */
+	public function GetDeletionPlanSummary(?array $aClasses): array
+	{
+		$aSummary = [];
+		if (is_null($aClasses)) {
+			return $aSummary;
+		}
+
+		$oDeletionPlan = $this->GetDeletionPlan($aClasses);
+
+		foreach ($oDeletionPlan->ListUpdates() as $sClass => $aUpdates) {
+			$oDeletionPlanSummaryEntity = new DeletionPlanSummaryEntity($sClass);
+			$oDeletionPlanSummaryEntity->iUpdateCount = count($aUpdates);
+			$aSummary[$sClass] = $oDeletionPlanSummaryEntity;
+		}
+
+		foreach ($oDeletionPlan->ListDeletes() as $sClass => $aDeletes) {
+			$oDeletionPlanSummaryEntity = $aSummary[$sClass] ?? new DeletionPlanSummaryEntity($sClass);
+			$oDeletionPlanSummaryEntity->iDeleteCount = count($aDeletes);
+
+			$aDelete = array_shift($aDeletes);
+			$oDeletionPlanSummaryEntity->iMode = $aDelete['mode'];
+			$oDeletionPlanSummaryEntity->sIssue = $aDelete['issue'] ?? null;
+
+			$aSummary[$sClass] = $oDeletionPlanSummaryEntity;
+		}
+
+		return $aSummary;
+	}
+
+	/**
+	 * @param string $sClass
+	 *
+	 * @return \DBObject[]
+	 * @throws \CoreException
+	 * @throws \CoreUnexpectedValue
+	 * @throws \MySQLException
+	 * @throws \Exception
+	 */
+	private function GetAllObjects(string $sClass): array
+	{
+		$oFilter = new DBObjectSearch($sClass);
+		$oFilter->AllowAllData();
+		$oSet = new \DBObjectSet($oFilter);
+		return $oSet->ToArray();
+	}
+
+	/**
+	 * @param array $aClasses
+	 *
+	 * @return array<\Combodo\iTop\DataFeatureRemoval\Entity\DeletionPlanSummaryEntity>
+	 * @throws \Combodo\iTop\DataFeatureRemoval\Helper\DataFeatureRemovalException
+	 * @throws \CoreException
+	 * @throws \CoreUnexpectedValue
+	 * @throws \MySQLException
+	 */
+	public function ExecuteDeletionPlan(array $aClasses): array
+	{
+		$oDeletionPlan = $this->GetDeletionPlan($aClasses);
+
+		if (count($oDeletionPlan->GetIssues()) > 0) {
+			throw new DataFeatureRemovalException("Deletion Plan cannot be executed due to issues");
+		}
+
+		$aSummary = [];
+		foreach ($oDeletionPlan->ListUpdates() as $sClass => $aToUpdate) {
+			$oDeletionPlanSummaryEntity = $aSummary[$sClass] ?? new DeletionPlanSummaryEntity($sClass);
+
+			foreach ($aToUpdate as $aData) {
+				$oToUpdate = $aData['to_reset'];
+				/** @var \DBObject $oToUpdate */
+				foreach ($aData['attributes'] as $sRemoteExtKey => $aRemoteAttDef) {
+					$oToUpdate->Set($sRemoteExtKey, $aData['values'][$sRemoteExtKey]);
+				}
+				$oToUpdate->DBUpdate();
+				$oDeletionPlanSummaryEntity->iUpdateCount++;
+			}
+
+			$aSummary[$sClass] = $oDeletionPlanSummaryEntity;
+		}
+
+		foreach ($oDeletionPlan->ListDeletes() as $sClass => $aDeletes) {
+			$oDeletionPlanSummaryEntity = $aSummary[$sClass] ?? new DeletionPlanSummaryEntity($sClass);
+
+			foreach ($aDeletes as $sId => $aDelete) {
+				try {
+					CMDBSource::Query('START TRANSACTION');
+					// Delete any existing change tracking about the current object
+					$oFilter = new DBObjectSearch('CMDBChangeOp');
+					$oFilter->AddCondition('objclass', $sClass, '=');
+					$oFilter->AddCondition('objkey', $sId, '=');
+					MetaModel::PurgeData($oFilter);
+
+					// Delete the entry
+					$aClassesToRemove = array_merge(MetaModel::EnumChildClasses($sClass, ENUM_CHILD_CLASSES_ALL), MetaModel::EnumParentClasses($sClass, ENUM_PARENT_CLASSES_EXCLUDELEAF, false));
+					foreach ($aClassesToRemove as $sParentClass) {
+						$oFilter = DBObjectSearch::FromOQL_AllData("SELECT $sParentClass WHERE id=:id");
+						$sQuery = $oFilter->MakeDeleteQuery(['id' => $sId]);
+						CMDBSource::DeleteFrom($sQuery);
+					}
+
+					CMDBSource::Query('COMMIT');
+				} catch (\Exception $e) {
+					\IssueLog::Exception(__METHOD__.': Cleanup failed', $e);
+					CMDBSource::Query('ROLLBACK');
+					throw $e;
+				}
+				$oDeletionPlanSummaryEntity->iDeleteCount++;
+			}
+
+			$aSummary[$sClass] = $oDeletionPlanSummaryEntity;
+		}
+
+		return $aSummary;
+	}
+
+	/**
+	 * Get a deletion plan for all the objects of the classes
+	 *
+	 * @param array $aClasses array of class names to clean
+	 *
+	 * @return \DeletionPlan
+	 * @throws \CoreException
+	 * @throws \CoreUnexpectedValue
+	 * @throws \MySQLException
+	 */
+	public function GetDeletionPlan(array $aClasses): DeletionPlan
+	{
+		$oDeletionPlan = new DeletionPlan();
+		foreach ($aClasses as $sClass) {
+			$aObjects = $this->GetAllObjects($sClass);
+			foreach ($aObjects as $oObject) {
+				$oObject->CheckToDelete($oDeletionPlan);
+			}
+		}
+
+		return $oDeletionPlan;
+	}
+}
--- a/datamodels/2.x/combodo-data-feature-removal/templates/DeletionPlan.html.twig
+++ b/datamodels/2.x/combodo-data-feature-removal/templates/DeletionPlan.html.twig
@@ -0,0 +1,29 @@
+{# @copyright   Copyright (C) 2010-2026 Combodo SARL #}
+{# @license     http://opensource.org/licenses/AGPL-3.0 #}
+
+{% UIPanel ForInformation { sTitle:'DataFeatureRemoval:DeletionPlan:Title'|dict_s, sSubTitle: 'DataFeatureRemoval:DeletionPlan:SubTitle'|dict_format(iQueryCount) } %}
+    {% UIDataTable ForForm { sRef:'aDeletionPlanSummary', aColumns:aDeletionPlanSummary.Columns, aData:aDeletionPlanSummary.Data} %}{% EndUIDataTable %}
+{% EndUIPanel %}
+
+{% if bDeletionPossible %}
+    {% UIForm Standard {} %}
+        {% UIInput ForHidden { sName:'transaction_id', sValue:sTransactionId} %}
+        {% UIInput ForHidden { sName:'operation', sValue:'DoDeletion'} %}
+        {% for sKey, sClass in aClasses %}
+            {% UIInput ForHidden { sName:"classes[" ~ sKey ~ "]", sValue:sClass } %}
+        {% endfor %}
+        {% UIToolbar ForButton {} %}
+            {% UIButton ForPrimaryAction {sLabel:'UI:Button:DoDeletion'|dict_s, sName:'btn_deletion', sId:'btn_deletion', bIsSubmit:true} %}
+        {% EndUIToolbar %}
+    {% EndUIForm %}
+{% else %}
+    {{ 'DataFeatureRemoval:DeletionPlan:ToManyOperations'|dict_s }}
+{% endif %}
+
+{% UIForm Standard {} %}
+    {% UIInput ForHidden { sName:'transaction_id', sValue:sTransactionId} %}
+    {% UIInput ForHidden { sName:'operation', sValue:'Main'} %}
+    {% UIToolbar ForButton {} %}
+        {% UIButton ForPrimaryAction {sLabel:'UI:Button:BackToMain'|dict_s, sName:'btn_back', sId:'btn_back', bIsSubmit:true} %}
+    {% EndUIToolbar %}
+{% EndUIForm %}
--- a/datamodels/2.x/combodo-data-feature-removal/templates/DoDeletion.html.twig
+++ b/datamodels/2.x/combodo-data-feature-removal/templates/DoDeletion.html.twig
@@ -0,0 +1,14 @@
+{# @copyright   Copyright (C) 2010-2026 Combodo SARL #}
+{# @license     http://opensource.org/licenses/AGPL-3.0 #}
+
+{% UIPanel ForInformation { sTitle:'DataFeatureRemoval:DoDeletion:Title'|dict_s, sSubTitle: 'DataFeatureRemoval:DoDeletion:SubTitle'|dict_s } %}
+    {% UIDataTable ForForm { sRef:'aDeletionExecutionSummary', aColumns:aDeletionExecutionSummary.Columns, aData:aDeletionExecutionSummary.Data} %}{% EndUIDataTable %}
+{% EndUIPanel %}
+
+{% UIForm Standard {} %}
+    {% UIInput ForHidden { sName:'transaction_id', sValue:sTransactionId} %}
+    {% UIInput ForHidden { sName:'operation', sValue:'Main'} %}
+    {% UIToolbar ForButton {} %}
+        {% UIButton ForPrimaryAction {sLabel:'UI:Button:BackToMain'|dict_s, sName:'btn_back_to_main', sId:'btn_back_to_main', bIsSubmit:true} %}
+    {% EndUIToolbar %}
+{% EndUIForm %}
--- a/datamodels/2.x/combodo-data-feature-removal/templates/ExtensionRemovalData.html.twig
+++ b/datamodels/2.x/combodo-data-feature-removal/templates/ExtensionRemovalData.html.twig
@@ -0,0 +1,19 @@
+{# @copyright   Copyright (C) 2010-2024 Combodo SAS #}
+{# @license     http://opensource.org/licenses/AGPL-3.0 #}
+
+{% if bHasData %}
+    {% UIPanel Neutral { sTitle:'DataFeatureRemoval:Analysis:Title'|dict_s, sSubTitle: 'DataFeatureRemoval:Analysis:SubTitle'|dict_format(iCount) } %}
+        {% UIDataTable ForForm { sRef:'aAnalysisDataTable', aColumns:aAnalysisDataTable.Columns, aData:aAnalysisDataTable.Data} %}{% EndUIDataTable %}
+    {% EndUIPanel %}
+
+    {% UIForm Standard {} %}
+        {% UIInput ForHidden { sName:'transaction_id', sValue:sTransactionId} %}
+        {% UIInput ForHidden { sName:'operation', sValue:'DeletionPlan'} %}
+        {% for sKey, sClass in aClasses %}
+            {% UIInput ForHidden { sName:"classes[" ~ sKey ~ "]", sValue:sClass } %}
+        {% endfor %}
+        {% UIToolbar ForButton {} %}
+            {% UIButton ForPrimaryAction {sLabel:'UI:Button:PlanDeletion'|dict_s, sName:'btn_plandeletion', sId:'btn_plandeletion', bIsSubmit:true} %}
+        {% EndUIToolbar %}
+    {% EndUIForm %}
+{% endif %}
--- a/datamodels/2.x/combodo-data-feature-removal/templates/Features.html.twig
+++ b/datamodels/2.x/combodo-data-feature-removal/templates/Features.html.twig
@@ -0,0 +1,16 @@
+{# @copyright   Copyright (C) 2010-2024 Combodo SAS #}
+{# @license     http://opensource.org/licenses/AGPL-3.0 #}
+
+
+{% UIForm Standard {} %}
+    {% UIInput ForHidden {sName:'operation', sValue:'Analyze'} %}
+    {% UIInput ForHidden {sName:'transaction_id', sValue:sTransactionId} %}
+
+    {% UIFieldSet Standard {sLegend:'DataFeatureRemoval:Features:Title'|dict_s} %}
+        {% UIDataTable ForForm { sRef:'aExtensions', aColumns:aExtensions.Columns, aData:aExtensions.Data} %}{% EndUIDataTable %}
+    {% EndUIFieldSet %}
+
+    {% UIToolbar ForButton {} %}
+        {% UIButton ForPrimaryAction {sLabel:'UI:Button:Analyze'|dict_s, sName:'btn_apply', sId:'btn_apply', bIsSubmit:true} %}
+    {% EndUIToolbar %}
+{% EndUIForm %}
--- a/datamodels/2.x/combodo-data-feature-removal/templates/Main.html.twig
+++ b/datamodels/2.x/combodo-data-feature-removal/templates/Main.html.twig
@@ -0,0 +1,35 @@
+{# @copyright   Copyright (C) 2010-2025 Combodo SARL #}
+{# @license     http://opensource.org/licenses/AGPL-3.0 #}
+
+{#  Usable variables: #}
+{#     * sTitle => page title #}
+{#     * sMessage => success message #}
+{#     * sError => error message #}
+
+{# DataFeatureRemoval #}
+
+{% UIPanel ForInformation { sTitle:'DataFeatureRemoval:Main:Title'|dict_s, sSubTitle: 'DataFeatureRemoval:Main:SubTitle'|dict_s } %}
+
+    {% UIAlert ForInformation { sTitle:'DataFeatureRemoval:Helper:Title'|dict_s } %}
+        {{ 'DataFeatureRemoval:Helper:Desc1'|dict_s }}<BR>
+        {{ 'DataFeatureRemoval:Helper:Desc2'|dict_s }}
+    {% EndUIAlert %}
+
+    {% if null != DataFeatureRemovalErrorMessage %}
+        <div id="feature_removal_error_msg_div" style="display:block">
+            {% UIAlert ForFailure { sTitle:'DataFeatureRemoval:Failure:Title'|dict_s, sId: 'feature_removal_error_msg', sContent:DataFeatureRemovalErrorMessage } %}
+            {% EndUIAlert %}
+        </div>
+    {% endif %}
+
+    {% include 'Features.html.twig' %}
+    {% include 'ExtensionRemovalData.html.twig' %}
+
+    {% if not bHasData %}
+        {% UIToolbar ForButton {} %}
+            <a href="{{ sSetupUrl }}">
+            {% UIButton ForPrimaryAction {sLabel:'UI:Button:Setup'|dict_s, sName:'btn_setup', sId:'btn_setup', bIsSubmit:false} %}
+            </a>
+        {% EndUIToolbar %}
+    {% endif %}
+{% EndUIPanel %}
--- a/datamodels/2.x/combodo-data-feature-removal/vendor/autoload.php
+++ b/datamodels/2.x/combodo-data-feature-removal/vendor/autoload.php
@@ -0,0 +1,22 @@
+<?php
+
+// autoload.php @generated by Composer
+
+if (PHP_VERSION_ID < 50600) {
+    if (!headers_sent()) {
+        header('HTTP/1.1 500 Internal Server Error');
+    }
+    $err = 'Composer 2.3.0 dropped support for autoloading on PHP <5.6 and you are running '.PHP_VERSION.', please upgrade PHP or use Composer 2.2 LTS via "composer self-update --2.2". Aborting.'.PHP_EOL;
+    if (!ini_get('display_errors')) {
+        if (PHP_SAPI === 'cli' || PHP_SAPI === 'phpdbg') {
+            fwrite(STDERR, $err);
+        } elseif (!headers_sent()) {
+            echo $err;
+        }
+    }
+    throw new RuntimeException($err);
+}
+
+require_once __DIR__ . '/composer/autoload_real.php';
+
+return ComposerAutoloaderInit4f96a7199e2c0d90e547333758b26464::getLoader();
--- a/datamodels/2.x/combodo-data-feature-removal/vendor/composer/ClassLoader.php
+++ b/datamodels/2.x/combodo-data-feature-removal/vendor/composer/ClassLoader.php
@@ -0,0 +1,579 @@
+<?php
+
+/*
+ * This file is part of Composer.
+ *
+ * (c) Nils Adermann <naderman@naderman.de>
+ *     Jordi Boggiano <j.boggiano@seld.be>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Composer\Autoload;
+
+/**
+ * ClassLoader implements a PSR-0, PSR-4 and classmap class loader.
+ *
+ *     $loader = new \Composer\Autoload\ClassLoader();
+ *
+ *     // register classes with namespaces
+ *     $loader->add('Symfony\Component', __DIR__.'/component');
+ *     $loader->add('Symfony',           __DIR__.'/framework');
+ *
+ *     // activate the autoloader
+ *     $loader->register();
+ *
+ *     // to enable searching the include path (eg. for PEAR packages)
+ *     $loader->setUseIncludePath(true);
+ *
+ * In this example, if you try to use a class in the Symfony\Component
+ * namespace or one of its children (Symfony\Component\Console for instance),
+ * the autoloader will first look for the class under the component/
+ * directory, and it will then fallback to the framework/ directory if not
+ * found before giving up.
+ *
+ * This class is loosely based on the Symfony UniversalClassLoader.
+ *
+ * @author Fabien Potencier <fabien@symfony.com>
+ * @author Jordi Boggiano <j.boggiano@seld.be>
+ * @see    https://www.php-fig.org/psr/psr-0/
+ * @see    https://www.php-fig.org/psr/psr-4/
+ */
+class ClassLoader
+{
+    /** @var \Closure(string):void */
+    private static $includeFile;
+
+    /** @var string|null */
+    private $vendorDir;
+
+    // PSR-4
+    /**
+     * @var array<string, array<string, int>>
+     */
+    private $prefixLengthsPsr4 = array();
+    /**
+     * @var array<string, list<string>>
+     */
+    private $prefixDirsPsr4 = array();
+    /**
+     * @var list<string>
+     */
+    private $fallbackDirsPsr4 = array();
+
+    // PSR-0
+    /**
+     * List of PSR-0 prefixes
+     *
+     * Structured as array('F (first letter)' => array('Foo\Bar (full prefix)' => array('path', 'path2')))
+     *
+     * @var array<string, array<string, list<string>>>
+     */
+    private $prefixesPsr0 = array();
+    /**
+     * @var list<string>
+     */
+    private $fallbackDirsPsr0 = array();
+
+    /** @var bool */
+    private $useIncludePath = false;
+
+    /**
+     * @var array<string, string>
+     */
+    private $classMap = array();
+
+    /** @var bool */
+    private $classMapAuthoritative = false;
+
+    /**
+     * @var array<string, bool>
+     */
+    private $missingClasses = array();
+
+    /** @var string|null */
+    private $apcuPrefix;
+
+    /**
+     * @var array<string, self>
+     */
+    private static $registeredLoaders = array();
+
+    /**
+     * @param string|null $vendorDir
+     */
+    public function __construct($vendorDir = null)
+    {
+        $this->vendorDir = $vendorDir;
+        self::initializeIncludeClosure();
+    }
+
+    /**
+     * @return array<string, list<string>>
+     */
+    public function getPrefixes()
+    {
+        if (!empty($this->prefixesPsr0)) {
+            return call_user_func_array('array_merge', array_values($this->prefixesPsr0));
+        }
+
+        return array();
+    }
+
+    /**
+     * @return array<string, list<string>>
+     */
+    public function getPrefixesPsr4()
+    {
+        return $this->prefixDirsPsr4;
+    }
+
+    /**
+     * @return list<string>
+     */
+    public function getFallbackDirs()
+    {
+        return $this->fallbackDirsPsr0;
+    }
+
+    /**
+     * @return list<string>
+     */
+    public function getFallbackDirsPsr4()
+    {
+        return $this->fallbackDirsPsr4;
+    }
+
+    /**
+     * @return array<string, string> Array of classname => path
+     */
+    public function getClassMap()
+    {
+        return $this->classMap;
+    }
+
+    /**
+     * @param array<string, string> $classMap Class to filename map
+     *
+     * @return void
+     */
+    public function addClassMap(array $classMap)
+    {
+        if ($this->classMap) {
+            $this->classMap = array_merge($this->classMap, $classMap);
+        } else {
+            $this->classMap = $classMap;
+        }
+    }
+
+    /**
+     * Registers a set of PSR-0 directories for a given prefix, either
+     * appending or prepending to the ones previously set for this prefix.
+     *
+     * @param string              $prefix  The prefix
+     * @param list<string>|string $paths   The PSR-0 root directories
+     * @param bool                $prepend Whether to prepend the directories
+     *
+     * @return void
+     */
+    public function add($prefix, $paths, $prepend = false)
+    {
+        $paths = (array) $paths;
+        if (!$prefix) {
+            if ($prepend) {
+                $this->fallbackDirsPsr0 = array_merge(
+                    $paths,
+                    $this->fallbackDirsPsr0
+                );
+            } else {
+                $this->fallbackDirsPsr0 = array_merge(
+                    $this->fallbackDirsPsr0,
+                    $paths
+                );
+            }
+
+            return;
+        }
+
+        $first = $prefix[0];
+        if (!isset($this->prefixesPsr0[$first][$prefix])) {
+            $this->prefixesPsr0[$first][$prefix] = $paths;
+
+            return;
+        }
+        if ($prepend) {
+            $this->prefixesPsr0[$first][$prefix] = array_merge(
+                $paths,
+                $this->prefixesPsr0[$first][$prefix]
+            );
+        } else {
+            $this->prefixesPsr0[$first][$prefix] = array_merge(
+                $this->prefixesPsr0[$first][$prefix],
+                $paths
+            );
+        }
+    }
+
+    /**
+     * Registers a set of PSR-4 directories for a given namespace, either
+     * appending or prepending to the ones previously set for this namespace.
+     *
+     * @param string              $prefix  The prefix/namespace, with trailing '\\'
+     * @param list<string>|string $paths   The PSR-4 base directories
+     * @param bool                $prepend Whether to prepend the directories
+     *
+     * @throws \InvalidArgumentException
+     *
+     * @return void
+     */
+    public function addPsr4($prefix, $paths, $prepend = false)
+    {
+        $paths = (array) $paths;
+        if (!$prefix) {
+            // Register directories for the root namespace.
+            if ($prepend) {
+                $this->fallbackDirsPsr4 = array_merge(
+                    $paths,
+                    $this->fallbackDirsPsr4
+                );
+            } else {
+                $this->fallbackDirsPsr4 = array_merge(
+                    $this->fallbackDirsPsr4,
+                    $paths
+                );
+            }
+        } elseif (!isset($this->prefixDirsPsr4[$prefix])) {
+            // Register directories for a new namespace.
+            $length = strlen($prefix);
+            if ('\\' !== $prefix[$length - 1]) {
+                throw new \InvalidArgumentException("A non-empty PSR-4 prefix must end with a namespace separator.");
+            }
+            $this->prefixLengthsPsr4[$prefix[0]][$prefix] = $length;
+            $this->prefixDirsPsr4[$prefix] = $paths;
+        } elseif ($prepend) {
+            // Prepend directories for an already registered namespace.
+            $this->prefixDirsPsr4[$prefix] = array_merge(
+                $paths,
+                $this->prefixDirsPsr4[$prefix]
+            );
+        } else {
+            // Append directories for an already registered namespace.
+            $this->prefixDirsPsr4[$prefix] = array_merge(
+                $this->prefixDirsPsr4[$prefix],
+                $paths
+            );
+        }
+    }
+
+    /**
+     * Registers a set of PSR-0 directories for a given prefix,
+     * replacing any others previously set for this prefix.
+     *
+     * @param string              $prefix The prefix
+     * @param list<string>|string $paths  The PSR-0 base directories
+     *
+     * @return void
+     */
+    public function set($prefix, $paths)
+    {
+        if (!$prefix) {
+            $this->fallbackDirsPsr0 = (array) $paths;
+        } else {
+            $this->prefixesPsr0[$prefix[0]][$prefix] = (array) $paths;
+        }
+    }
+
+    /**
+     * Registers a set of PSR-4 directories for a given namespace,
+     * replacing any others previously set for this namespace.
+     *
+     * @param string              $prefix The prefix/namespace, with trailing '\\'
+     * @param list<string>|string $paths  The PSR-4 base directories
+     *
+     * @throws \InvalidArgumentException
+     *
+     * @return void
+     */
+    public function setPsr4($prefix, $paths)
+    {
+        if (!$prefix) {
+            $this->fallbackDirsPsr4 = (array) $paths;
+        } else {
+            $length = strlen($prefix);
+            if ('\\' !== $prefix[$length - 1]) {
+                throw new \InvalidArgumentException("A non-empty PSR-4 prefix must end with a namespace separator.");
+            }
+            $this->prefixLengthsPsr4[$prefix[0]][$prefix] = $length;
+            $this->prefixDirsPsr4[$prefix] = (array) $paths;
+        }
+    }
+
+    /**
+     * Turns on searching the include path for class files.
+     *
+     * @param bool $useIncludePath
+     *
+     * @return void
+     */
+    public function setUseIncludePath($useIncludePath)
+    {
+        $this->useIncludePath = $useIncludePath;
+    }
+
+    /**
+     * Can be used to check if the autoloader uses the include path to check
+     * for classes.
+     *
+     * @return bool
+     */
+    public function getUseIncludePath()
+    {
+        return $this->useIncludePath;
+    }
+
+    /**
+     * Turns off searching the prefix and fallback directories for classes
+     * that have not been registered with the class map.
+     *
+     * @param bool $classMapAuthoritative
+     *
+     * @return void
+     */
+    public function setClassMapAuthoritative($classMapAuthoritative)
+    {
+        $this->classMapAuthoritative = $classMapAuthoritative;
+    }
+
+    /**
+     * Should class lookup fail if not found in the current class map?
+     *
+     * @return bool
+     */
+    public function isClassMapAuthoritative()
+    {
+        return $this->classMapAuthoritative;
+    }
+
+    /**
+     * APCu prefix to use to cache found/not-found classes, if the extension is enabled.
+     *
+     * @param string|null $apcuPrefix
+     *
+     * @return void
+     */
+    public function setApcuPrefix($apcuPrefix)
+    {
+        $this->apcuPrefix = function_exists('apcu_fetch') && filter_var(ini_get('apc.enabled'), FILTER_VALIDATE_BOOLEAN) ? $apcuPrefix : null;
+    }
+
+    /**
+     * The APCu prefix in use, or null if APCu caching is not enabled.
+     *
+     * @return string|null
+     */
+    public function getApcuPrefix()
+    {
+        return $this->apcuPrefix;
+    }
+
+    /**
+     * Registers this instance as an autoloader.
+     *
+     * @param bool $prepend Whether to prepend the autoloader or not
+     *
+     * @return void
+     */
+    public function register($prepend = false)
+    {
+        spl_autoload_register(array($this, 'loadClass'), true, $prepend);
+
+        if (null === $this->vendorDir) {
+            return;
+        }
+
+        if ($prepend) {
+            self::$registeredLoaders = array($this->vendorDir => $this) + self::$registeredLoaders;
+        } else {
+            unset(self::$registeredLoaders[$this->vendorDir]);
+            self::$registeredLoaders[$this->vendorDir] = $this;
+        }
+    }
+
+    /**
+     * Unregisters this instance as an autoloader.
+     *
+     * @return void
+     */
+    public function unregister()
+    {
+        spl_autoload_unregister(array($this, 'loadClass'));
+
+        if (null !== $this->vendorDir) {
+            unset(self::$registeredLoaders[$this->vendorDir]);
+        }
+    }
+
+    /**
+     * Loads the given class or interface.
+     *
+     * @param  string    $class The name of the class
+     * @return true|null True if loaded, null otherwise
+     */
+    public function loadClass($class)
+    {
+        if ($file = $this->findFile($class)) {
+            $includeFile = self::$includeFile;
+            $includeFile($file);
+
+            return true;
+        }
+
+        return null;
+    }
+
+    /**
+     * Finds the path to the file where the class is defined.
+     *
+     * @param string $class The name of the class
+     *
+     * @return string|false The path if found, false otherwise
+     */
+    public function findFile($class)
+    {
+        // class map lookup
+        if (isset($this->classMap[$class])) {
+            return $this->classMap[$class];
+        }
+        if ($this->classMapAuthoritative || isset($this->missingClasses[$class])) {
+            return false;
+        }
+        if (null !== $this->apcuPrefix) {
+            $file = apcu_fetch($this->apcuPrefix.$class, $hit);
+            if ($hit) {
+                return $file;
+            }
+        }
+
+        $file = $this->findFileWithExtension($class, '.php');
+
+        // Search for Hack files if we are running on HHVM
+        if (false === $file && defined('HHVM_VERSION')) {
+            $file = $this->findFileWithExtension($class, '.hh');
+        }
+
+        if (null !== $this->apcuPrefix) {
+            apcu_add($this->apcuPrefix.$class, $file);
+        }
+
+        if (false === $file) {
+            // Remember that this class does not exist.
+            $this->missingClasses[$class] = true;
+        }
+
+        return $file;
+    }
+
+    /**
+     * Returns the currently registered loaders keyed by their corresponding vendor directories.
+     *
+     * @return array<string, self>
+     */
+    public static function getRegisteredLoaders()
+    {
+        return self::$registeredLoaders;
+    }
+
+    /**
+     * @param  string       $class
+     * @param  string       $ext
+     * @return string|false
+     */
+    private function findFileWithExtension($class, $ext)
+    {
+        // PSR-4 lookup
+        $logicalPathPsr4 = strtr($class, '\\', DIRECTORY_SEPARATOR) . $ext;
+
+        $first = $class[0];
+        if (isset($this->prefixLengthsPsr4[$first])) {
+            $subPath = $class;
+            while (false !== $lastPos = strrpos($subPath, '\\')) {
+                $subPath = substr($subPath, 0, $lastPos);
+                $search = $subPath . '\\';
+                if (isset($this->prefixDirsPsr4[$search])) {
+                    $pathEnd = DIRECTORY_SEPARATOR . substr($logicalPathPsr4, $lastPos + 1);
+                    foreach ($this->prefixDirsPsr4[$search] as $dir) {
+                        if (file_exists($file = $dir . $pathEnd)) {
+                            return $file;
+                        }
+                    }
+                }
+            }
+        }
+
+        // PSR-4 fallback dirs
+        foreach ($this->fallbackDirsPsr4 as $dir) {
+            if (file_exists($file = $dir . DIRECTORY_SEPARATOR . $logicalPathPsr4)) {
+                return $file;
+            }
+        }
+
+        // PSR-0 lookup
+        if (false !== $pos = strrpos($class, '\\')) {
+            // namespaced class name
+            $logicalPathPsr0 = substr($logicalPathPsr4, 0, $pos + 1)
+                . strtr(substr($logicalPathPsr4, $pos + 1), '_', DIRECTORY_SEPARATOR);
+        } else {
+            // PEAR-like class name
+            $logicalPathPsr0 = strtr($class, '_', DIRECTORY_SEPARATOR) . $ext;
+        }
+
+        if (isset($this->prefixesPsr0[$first])) {
+            foreach ($this->prefixesPsr0[$first] as $prefix => $dirs) {
+                if (0 === strpos($class, $prefix)) {
+                    foreach ($dirs as $dir) {
+                        if (file_exists($file = $dir . DIRECTORY_SEPARATOR . $logicalPathPsr0)) {
+                            return $file;
+                        }
+                    }
+                }
+            }
+        }
+
+        // PSR-0 fallback dirs
+        foreach ($this->fallbackDirsPsr0 as $dir) {
+            if (file_exists($file = $dir . DIRECTORY_SEPARATOR . $logicalPathPsr0)) {
+                return $file;
+            }
+        }
+
+        // PSR-0 include paths.
+        if ($this->useIncludePath && $file = stream_resolve_include_path($logicalPathPsr0)) {
+            return $file;
+        }
+
+        return false;
+    }
+
+    /**
+     * @return void
+     */
+    private static function initializeIncludeClosure()
+    {
+        if (self::$includeFile !== null) {
+            return;
+        }
+
+        /**
+         * Scope isolated include.
+         *
+         * Prevents access to $this/self from included files.
+         *
+         * @param  string $file
+         * @return void
+         */
+        self::$includeFile = \Closure::bind(static function($file) {
+            include $file;
+        }, null, null);
+    }
+}
--- a/datamodels/2.x/combodo-data-feature-removal/vendor/composer/LICENSE
+++ b/datamodels/2.x/combodo-data-feature-removal/vendor/composer/LICENSE
@@ -0,0 +1,21 @@
+
+Copyright (c) Nils Adermann, Jordi Boggiano
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is furnished
+to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
--- a/datamodels/2.x/combodo-data-feature-removal/vendor/composer/autoload_classmap.php
+++ b/datamodels/2.x/combodo-data-feature-removal/vendor/composer/autoload_classmap.php
@@ -0,0 +1,18 @@
+<?php
+
+// autoload_classmap.php @generated by Composer
+
+$vendorDir = dirname(__DIR__);
+$baseDir = dirname($vendorDir);
+
+return array(
+    'Combodo\\iTop\\DataFeatureRemoval\\Controller\\DataFeatureRemovalController' => $baseDir . '/src/Controller/DataFeatureRemovalController.php',
+    'Combodo\\iTop\\DataFeatureRemoval\\Entity\\DeletionPlanSummaryEntity' => $baseDir . '/src/Entity/DeletionPlanSummaryEntity.php',
+    'Combodo\\iTop\\DataFeatureRemoval\\Helper\\DataFeatureRemovalConfig' => $baseDir . '/src/Helper/DataFeatureRemovalConfig.php',
+    'Combodo\\iTop\\DataFeatureRemoval\\Helper\\DataFeatureRemovalException' => $baseDir . '/src/Helper/DataFeatureRemovalException.php',
+    'Combodo\\iTop\\DataFeatureRemoval\\Helper\\DataFeatureRemovalHelper' => $baseDir . '/src/Helper/DataFeatureRemovalHelper.php',
+    'Combodo\\iTop\\DataFeatureRemoval\\Helper\\DataFeatureRemovalLog' => $baseDir . '/src/Helper/DataFeatureRemovalLog.php',
+    'Combodo\\iTop\\DataFeatureRemoval\\Service\\DataFeatureRemoverExtensionService' => $baseDir . '/src/Service/DataFeatureRemoverExtensionService.php',
+    'Combodo\\iTop\\DataFeatureRemoval\\Service\\DeletionPlanService' => $baseDir . '/src/Service/DeletionPlanService.php',
+    'Composer\\InstalledVersions' => $vendorDir . '/composer/InstalledVersions.php',
+);
--- a/datamodels/2.x/combodo-data-feature-removal/vendor/composer/autoload_namespaces.php
+++ b/datamodels/2.x/combodo-data-feature-removal/vendor/composer/autoload_namespaces.php
@@ -0,0 +1,9 @@
+<?php
+
+// autoload_namespaces.php @generated by Composer
+
+$vendorDir = dirname(__DIR__);
+$baseDir = dirname($vendorDir);
+
+return array(
+);
--- a/datamodels/2.x/combodo-data-feature-removal/vendor/composer/autoload_psr4.php
+++ b/datamodels/2.x/combodo-data-feature-removal/vendor/composer/autoload_psr4.php
@@ -0,0 +1,11 @@
+<?php
+
+// autoload_psr4.php @generated by Composer
+
+$vendorDir = dirname(__DIR__);
+$baseDir = dirname($vendorDir);
+
+return array(
+    'Combodo\\iTop\\DataFeatureRemoval\\' => array($baseDir . '/src'),
+    '' => array($baseDir . '/src/NoNamespace'),
+);
--- a/datamodels/2.x/combodo-data-feature-removal/vendor/composer/autoload_real.php
+++ b/datamodels/2.x/combodo-data-feature-removal/vendor/composer/autoload_real.php
@@ -0,0 +1,37 @@
+<?php
+
+// autoload_real.php @generated by Composer
+
+class ComposerAutoloaderInit4f96a7199e2c0d90e547333758b26464
+{
+    private static $loader;
+
+    public static function loadClassLoader($class)
+    {
+        if ('Composer\Autoload\ClassLoader' === $class) {
+            require __DIR__ . '/ClassLoader.php';
+        }
+    }
+
+    /**
+     * @return \Composer\Autoload\ClassLoader
+     */
+    public static function getLoader()
+    {
+        if (null !== self::$loader) {
+            return self::$loader;
+        }
+
+        spl_autoload_register(array('ComposerAutoloaderInit4f96a7199e2c0d90e547333758b26464', 'loadClassLoader'), true, true);
+        self::$loader = $loader = new \Composer\Autoload\ClassLoader(\dirname(__DIR__));
+        spl_autoload_unregister(array('ComposerAutoloaderInit4f96a7199e2c0d90e547333758b26464', 'loadClassLoader'));
+
+        require __DIR__ . '/autoload_static.php';
+        call_user_func(\Composer\Autoload\ComposerStaticInit4f96a7199e2c0d90e547333758b26464::getInitializer($loader));
+
+        $loader->setClassMapAuthoritative(true);
+        $loader->register(true);
+
+        return $loader;
+    }
+}
--- a/datamodels/2.x/combodo-data-feature-removal/vendor/composer/autoload_static.php
+++ b/datamodels/2.x/combodo-data-feature-removal/vendor/composer/autoload_static.php
@@ -0,0 +1,49 @@
+<?php
+
+// autoload_static.php @generated by Composer
+
+namespace Composer\Autoload;
+
+class ComposerStaticInit4f96a7199e2c0d90e547333758b26464
+{
+    public static $prefixLengthsPsr4 = array (
+        'C' => 
+        array (
+            'Combodo\\iTop\\DataFeatureRemoval\\' => 32,
+        ),
+    );
+
+    public static $prefixDirsPsr4 = array (
+        'Combodo\\iTop\\DataFeatureRemoval\\' => 
+        array (
+            0 => __DIR__ . '/../..' . '/src',
+        ),
+    );
+
+    public static $fallbackDirsPsr4 = array (
+        0 => __DIR__ . '/../..' . '/src/NoNamespace',
+    );
+
+    public static $classMap = array (
+        'Combodo\\iTop\\DataFeatureRemoval\\Controller\\DataFeatureRemovalController' => __DIR__ . '/../..' . '/src/Controller/DataFeatureRemovalController.php',
+        'Combodo\\iTop\\DataFeatureRemoval\\Entity\\DeletionPlanSummaryEntity' => __DIR__ . '/../..' . '/src/Entity/DeletionPlanSummaryEntity.php',
+        'Combodo\\iTop\\DataFeatureRemoval\\Helper\\DataFeatureRemovalConfig' => __DIR__ . '/../..' . '/src/Helper/DataFeatureRemovalConfig.php',
+        'Combodo\\iTop\\DataFeatureRemoval\\Helper\\DataFeatureRemovalException' => __DIR__ . '/../..' . '/src/Helper/DataFeatureRemovalException.php',
+        'Combodo\\iTop\\DataFeatureRemoval\\Helper\\DataFeatureRemovalHelper' => __DIR__ . '/../..' . '/src/Helper/DataFeatureRemovalHelper.php',
+        'Combodo\\iTop\\DataFeatureRemoval\\Helper\\DataFeatureRemovalLog' => __DIR__ . '/../..' . '/src/Helper/DataFeatureRemovalLog.php',
+        'Combodo\\iTop\\DataFeatureRemoval\\Service\\DataFeatureRemoverExtensionService' => __DIR__ . '/../..' . '/src/Service/DataFeatureRemoverExtensionService.php',
+        'Combodo\\iTop\\DataFeatureRemoval\\Service\\DeletionPlanService' => __DIR__ . '/../..' . '/src/Service/DeletionPlanService.php',
+        'Composer\\InstalledVersions' => __DIR__ . '/..' . '/composer/InstalledVersions.php',
+    );
+
+    public static function getInitializer(ClassLoader $loader)
+    {
+        return \Closure::bind(function () use ($loader) {
+            $loader->prefixLengthsPsr4 = ComposerStaticInit4f96a7199e2c0d90e547333758b26464::$prefixLengthsPsr4;
+            $loader->prefixDirsPsr4 = ComposerStaticInit4f96a7199e2c0d90e547333758b26464::$prefixDirsPsr4;
+            $loader->fallbackDirsPsr4 = ComposerStaticInit4f96a7199e2c0d90e547333758b26464::$fallbackDirsPsr4;
+            $loader->classMap = ComposerStaticInit4f96a7199e2c0d90e547333758b26464::$classMap;
+
+        }, null, ClassLoader::class);
+    }
+}
--- a/datamodels/2.x/combodo-db-tools/bin/rebuildhk.php
+++ b/datamodels/2.x/combodo-db-tools/bin/rebuildhk.php
@@ -10,22 +10,87 @@
 */

 use Combodo\iTop\Core\MetaModel\HierarchicalKey;
+use Combodo\iTop\DBTools\Enum\BinExitCode;
+use Combodo\iTop\DBTools\Exception\AuthenticationException;

-require_once('../../../approot.inc.php');
+// env-xxx folders
+if (file_exists(__DIR__.'/../../../approot.inc.php')) {
+	require_once __DIR__.'/../../../approot.inc.php';
+}
+// datamodel/2.x and data/xxx-modules folders
+elseif (file_exists(__DIR__.'/../../../../approot.inc.php')) {
+	require_once __DIR__.'/../../../../approot.inc.php';
+}
 require_once APPROOT.'application/startup.inc.php';

-foreach (MetaModel::GetClasses() as $sClass) {
-	if (!MetaModel::HasTable($sClass)) {
-		continue;
-	}
+// Prepare output page
+$sPageTitle = "Database maintenance tools - Report";
+$bIsModeCLI = utils::IsModeCLI();
+if ($bIsModeCLI) {
+	$oP = new CLIPage($sPageTitle);

-	foreach (MetaModel::ListAttributeDefs($sClass) as $sAttCode => $oAttDef) {
-		// Check (once) all the attributes that are hierarchical keys
-		if ((MetaModel::GetAttributeOrigin($sClass, $sAttCode) == $sClass) && $oAttDef->IsHierarchicalKey()) {
-			echo "Rebuild hierarchical key $sAttCode from $sClass.\n";
-			HierarchicalKey::Rebuild($sClass, $sAttCode, $oAttDef);
-		}
-	}
+	SetupUtils::CheckPhpAndExtensionsForCli($oP, BinExitCode::FATAL->value);
+} else {
+	$oP = new WebPage($sPageTitle);
 }

-echo "Done\n";
+// Authentication logic
+try {
+	utils::UseParamFile();
+
+	if ($bIsModeCLI) {
+		$sAuthUser = utils::ReadParam('auth_user', null, true, utils::ENUM_SANITIZATION_FILTER_RAW_DATA);
+		$sAuthPwd = utils::ReadParam('auth_pwd', null, true, utils::ENUM_SANITIZATION_FILTER_RAW_DATA);
+		if (utils::IsNullOrEmptyString($sAuthUser) || utils::IsNullOrEmptyString($sAuthPwd)) {
+			throw new AuthenticationException("Access credentials not provided, usage: php rebuildhk.php --auth_user=<login> --auth_pwd=<password> [--param_file=<file_path>]");
+		}
+		if (UserRights::CheckCredentials($sAuthUser, $sAuthPwd)) {
+			UserRights::Login($sAuthUser);
+		} else {
+			throw new AuthenticationException("Access wrong credentials ('$sAuthUser')");
+		}
+	} else {
+		// Check user rights and prompt if needed
+		LoginWebPage::DoLoginEx(null, true);
+	}
+
+	if (!UserRights::IsAdministrator()) {
+		throw new AuthenticationException("Access restricted to administrators");
+	}
+} catch (AuthenticationException $oException) {
+	$oP->p($oException->getMessage());
+	$oP->output();
+	exit(BinExitCode::ERROR->value);
+} catch (Exception $oException) {
+	$oP->p("Error: ".$oException->GetMessage());
+	$oP->output();
+	exit(BinExitCode::FATAL->value);
+}
+
+// Business logic
+try {
+	foreach (MetaModel::GetClasses() as $sClass) {
+		if (!MetaModel::HasTable($sClass)) {
+			continue;
+		}
+
+		foreach (MetaModel::ListAttributeDefs($sClass) as $sAttCode => $oAttDef) {
+			// Check (once) all the attributes that are hierarchical keys
+			if ((MetaModel::GetAttributeOrigin($sClass, $sAttCode) == $sClass) && $oAttDef->IsHierarchicalKey()) {
+				$oP->p("Rebuild hierarchical key $sAttCode from $sClass.");
+				HierarchicalKey::Rebuild($sClass, $sAttCode, $oAttDef);
+			}
+		}
+	}
+
+	$oP->p("Done");
+	$oP->output();
+} catch (AuthenticationException $oException) {
+	$oP->p($oException->getMessage());
+	$oP->output();
+	exit(BinExitCode::ERROR->value);
+} catch (Exception $oException) {
+	$oP->p("Error: ".$oException->GetMessage());
+	$oP->output();
+	exit(BinExitCode::FATAL->value);
+}
--- a/datamodels/2.x/combodo-db-tools/bin/report.php
+++ b/datamodels/2.x/combodo-db-tools/bin/report.php
@@ -5,22 +5,93 @@
 * @license     http://opensource.org/licenses/AGPL-3.0
 */

+use Combodo\iTop\DBTools\Enum\BinExitCode;
+use Combodo\iTop\DBTools\Exception\AuthenticationException;
 use Combodo\iTop\DBTools\Service\DBAnalyzerUtils;

-require_once('../../../approot.inc.php');
-require_once(APPROOT.'application/startup.inc.php');
-
-require_once('../db_analyzer.class.inc.php');
-require_once('../src/Service/DBAnalyzerUtils.php');
-
-$oDBAnalyzer = new DatabaseAnalyzer(0);
-$aResults = $oDBAnalyzer->CheckIntegrity([]);
-
-if (empty($aResults)) {
-	echo "Database OK\n";
-	exit(0);
+// env-xxx folders
+if (file_exists(__DIR__.'/../../../approot.inc.php')) {
+	require_once __DIR__.'/../../../approot.inc.php';
+}
+// datamodel/2.x and data/xxx-modules folders
+elseif (file_exists(__DIR__.'/../../../../approot.inc.php')) {
+	require_once __DIR__.'/../../../../approot.inc.php';
 }

-$sReportFile = DBAnalyzerUtils::GenerateReport($aResults);
+require_once APPROOT.'application/startup.inc.php';
+require_once APPROOT.'application/loginwebpage.class.inc.php';

-echo "Report generated: {$sReportFile}.log\n";
+require_once __DIR__.'/../db_analyzer.class.inc.php';
+
+// Prepare output page
+$sPageTitle = "Database maintenance tools - Report";
+$bIsModeCLI = utils::IsModeCLI();
+if ($bIsModeCLI) {
+	$oP = new CLIPage($sPageTitle);
+
+	SetupUtils::CheckPhpAndExtensionsForCli($oP, BinExitCode::FATAL->value);
+} else {
+	$oP = new WebPage($sPageTitle);
+}
+
+// Authentication logic
+try {
+	utils::UseParamFile();
+
+	if ($bIsModeCLI) {
+		$sAuthUser = utils::ReadParam('auth_user', null, true, utils::ENUM_SANITIZATION_FILTER_RAW_DATA);
+		$sAuthPwd = utils::ReadParam('auth_pwd', null, true, utils::ENUM_SANITIZATION_FILTER_RAW_DATA);
+		if (utils::IsNullOrEmptyString($sAuthUser) || utils::IsNullOrEmptyString($sAuthPwd)) {
+			throw new AuthenticationException("Access credentials not provided, usage: php report.php --auth_user=<login> --auth_pwd=<password> [--param_file=<file_path>]");
+		}
+		if (UserRights::CheckCredentials($sAuthUser, $sAuthPwd)) {
+			UserRights::Login($sAuthUser);
+		} else {
+			throw new AuthenticationException("Access wrong credentials ('$sAuthUser')");
+		}
+	} else {
+		// Check user rights and prompt if needed
+		LoginWebPage::DoLoginEx(null, true);
+	}
+
+	if (!UserRights::IsAdministrator()) {
+		throw new AuthenticationException("Access restricted to administrators");
+	}
+} catch (AuthenticationException $oException) {
+	$sExceptionMessage = $oP instanceof WebPage ? utils::EscapeHtml($oException->getMessage()) : $oException->getMessage();
+	$oP->p($sExceptionMessage);
+	$oP->output();
+	exit(BinExitCode::ERROR->value);
+} catch (Exception $oException) {
+	$sExceptionMessage = $oP instanceof WebPage ? utils::EscapeHtml($oException->getMessage()) : $oException->getMessage();
+	$oP->p("Error: ".$sExceptionMessage);
+	$oP->output();
+	exit(BinExitCode::FATAL->value);
+}
+
+// Business logic
+try {
+	$oDBAnalyzer = new DatabaseAnalyzer(0);
+	$aResults = $oDBAnalyzer->CheckIntegrity([]);
+
+	if (empty($aResults)) {
+		$oP->p("Database OK");
+		$oP->output();
+		exit(BinExitCode::SUCCESS->value);
+	}
+
+	$sReportFile = DBAnalyzerUtils::GenerateReport($aResults);
+
+	$oP->p("Report generated: {$sReportFile}.log");
+	$oP->output();
+} catch (AuthenticationException $oException) {
+	$sExceptionMessage = $oP instanceof WebPage ? utils::EscapeHtml($oException->getMessage()) : $oException->getMessage();
+	$oP->p($sExceptionMessage);
+	$oP->output();
+	exit(BinExitCode::ERROR->value);
+} catch (Exception $oException) {
+	$sExceptionMessage = $oP instanceof WebPage ? utils::EscapeHtml($oException->getMessage()) : $oException->getMessage();
+	$oP->p("Error: ".$sExceptionMessage);
+	$oP->output();
+	exit(BinExitCode::FATAL->value);
+}
--- a/datamodels/2.x/combodo-db-tools/composer.json
+++ b/datamodels/2.x/combodo-db-tools/composer.json
@@ -0,0 +1,9 @@
+{
+  "name": "combodo/combodo-db-tools",
+  "license": "AGPL-3.0-only",
+  "autoload": {
+    "psr-4": {
+      "Combodo\\iTop\\DBTools\\": "src/"
+    }
+  }
+}
--- a/datamodels/2.x/combodo-db-tools/composer.lock
+++ b/datamodels/2.x/combodo-db-tools/composer.lock
@@ -0,0 +1,18 @@
+{
+    "_readme": [
+        "This file locks the dependencies of your project to a known state",
+        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
+        "This file is @generated automatically"
+    ],
+    "content-hash": "38292b9b3a56c6c8776285a17c58034e",
+    "packages": [],
+    "packages-dev": [],
+    "aliases": [],
+    "minimum-stability": "stable",
+    "stability-flags": {},
+    "prefer-stable": false,
+    "prefer-lowest": false,
+    "platform": {},
+    "platform-dev": {},
+    "plugin-api-version": "2.6.0"
+}
--- a/datamodels/2.x/combodo-db-tools/module.combodo-db-tools.php
+++ b/datamodels/2.x/combodo-db-tools/module.combodo-db-tools.php
@@ -43,6 +43,7 @@ SetupWebPage::AddModule(
 		// Components
 		//
 		'datamodel' => [
+			'vendor/autoload.php',
 			'src/Service/DBToolsUtils.php',
 			'src/Service/DBAnalyzerUtils.php',
 		],
--- a/datamodels/2.x/combodo-db-tools/src/Enum/BinExitCode.php
+++ b/datamodels/2.x/combodo-db-tools/src/Enum/BinExitCode.php
@@ -0,0 +1,18 @@
+<?php
+
+/*
+ * @copyright   Copyright (C) 2010-2026 Combodo SAS
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */
+
+namespace Combodo\iTop\DBTools\Enum;
+
+/**
+ * Enum for the exit codes of the bin scripts
+ */
+enum BinExitCode: int
+{
+	case SUCCESS = 0;
+	case ERROR = -1;
+	case FATAL = -2;
+}
--- a/Show More
+++ b/Show More