N°9468 - Fix double scroll down bars in input set

* N°8737 - Fix search criteria dropdown vertical overflow

* Update css/backoffice/components/_search-form.scss

application/loginexternal.class.inc.php

@@ -75,13 +75,10 @@ class LoginExternal extends AbstractLoginFSMExtension
 	}
 
 	/**
-	 * @return bool
+	 * @return bool|mixed
 	 */
 	private function GetAuthUser()
 	{
-		$sExtAuthVar = MetaModel::GetConfig()->GetExternalAuthenticationVariable(); // In which variable is the info passed ?
-		eval('$sAuthUser = isset('.$sExtAuthVar.') ? '.$sExtAuthVar.' : false;'); // Retrieve the value
-		/** @var string $sAuthUser */
-		return $sAuthUser; // Retrieve the value
+		return MetaModel::GetConfig()->GetExternalAuthenticationVariable();
 	}
 }

application/ui.linksdirectwidget.class.inc.php

@@ -228,7 +228,7 @@ JS
 			<<<HTML
 <form id="ObjectsAddForm_{$this->sInputid}">
     <div id="SearchResultsToAdd_{$this->sInputid}">
-        <div style="background: #fff; border:0; text-align:center; vertical-align:middle;"><p>{$sEmptyList}</p></div>
+        <div style="border:0; text-align:center; vertical-align:middle;"><p>{$sEmptyList}</p></div>
     </div>
     <input type="hidden" id="count_{$this->sInputid}" value="0"/>
 </form>

application/ui.searchformforeignkeys.class.inc.php

@@ -68,7 +68,7 @@ class UISearchFormForeignKeys
 			<<<HTML
 <form id="ObjectsAddForm_{$this->m_iInputId}">
     <div id="SearchResultsToAdd_{$this->m_iInputId}" style="vertical-align:top;height:100%;overflow:auto;padding:0;border:0;">
-        <div style="background: #fff; border:0; text-align:center; vertical-align:middle;"><p>{$sEmptyList}</p></div>
+        <div style="border:0; text-align:center; vertical-align:middle;"><p>{$sEmptyList}</p></div>
     </div>
     <input type="hidden" id="count_{$this->m_iInputId}" value="0"/>
 </form>

core/config.class.inc.php

@@ -75,6 +75,7 @@ define('DEFAULT_EXT_AUTH_VARIABLE', '$_SERVER[\'REMOTE_USER\']');
 define('DEFAULT_ENCRYPTION_KEY', '@iT0pEncr1pti0n!'); // We'll use a random generated key later (if possible)
 define('DEFAULT_ENCRYPTION_LIB', 'Mcrypt'); // We'll define the best encryption available later
 define('DEFAULT_HASH_ALGO', PASSWORD_DEFAULT);
+
 /**
  * Config
  * configuration data (this class cannot not be localized, because it is responsible for loading the dictionaries)
@@ -869,6 +870,14 @@ class Config
 			'source_of_value' => '',
 			'show_in_conf_sample' => false,
 		],
+		'ext_auth_variable' => [
+			'type' => 'string',
+			'description' => 'External authentication expression (allowed: $_SERVER[\'key\'], $_COOKIE[\'key\'], $_REQUEST[\'key\'], getallheaders()[\'Header-Name\'])',
+			'default' => '$_SERVER[\'REMOTE_USER\']',
+			'value' => '$_SERVER[\'REMOTE_USER\']',
+			'source_of_value' => '',
+			'show_in_conf_sample' => false,
+		],
 		'login_debug' => [
 			'type' => 'bool',
 			'description' => 'Activate the login FSM debug',
@@ -1603,7 +1612,7 @@ class Config
 			'show_in_conf_sample' => false,
 		],
 		'search_manual_submit' => [
-			'type' => 'array',
+			'type' => 'bool',
 			'description' => 'Force manual submit of search all requests',
 			'default' => false,
 			'value' => true,
@@ -1730,6 +1739,14 @@ class Config
 			'source_of_value' => '',
 			'show_in_conf_sample' => false,
 		],
+		'security.disable_joined_classes_filter' => [
+			'type'                => 'bool',
+			'description'         => 'If true, scope filters aren\'t applied to joined classes or union classes not directly listed in the SELECT clause.',
+			'default'             => true,
+			'value'               => true,
+			'source_of_value'     => '',
+			'show_in_conf_sample' => false,
+		],
 		'security.hide_administrators' => [
 			'type'                => 'bool',
 			'description'         => 'If true, non-administrator users will not be able to see the administrator accounts, the Administrator profile and the links between the administrator accounts and their profiles.',
@@ -1738,11 +1755,11 @@ class Config
 			'source_of_value'     => '',
 			'show_in_conf_sample' => false,
 		],
-		'security.force_login_when_no_delegated_authentication_endpoints_list' => [
+		'security.disable_exec_forced_login_for_all_enpoints' => [
 			'type'                => 'bool',
-			'description'         => 'If true, when no execution policy is defined, the user will be forced to log in (instead of being automatically logged in with the default profile)',
-			'default'             => false,
-			'value'               => false,
+			'description'         => 'If true, when no delegated authentication module is defined, no login will be forced on modules exec endpoints',
+			'default'             => true,
+			'value'               => true,
 			'source_of_value'     => '',
 			'show_in_conf_sample' => false,
 		],
@@ -1958,11 +1975,6 @@ class Config
 	 */
 	protected $m_sAllowedLoginTypes;
 
-	/**
-	 * @var string Name of the PHP variable in which external authentication information is passed by the web server
-	 */
-	protected $m_sExtAuthVariable;
-
 	/**
 	 * @var string Encryption key used for all attributes of type "encrypted string". Can be set to a random value
 	 *             unless you want to import a database from another iTop instance, in which case you must use
@@ -2035,7 +2047,6 @@ class Config
 		$this->m_bSecureConnectionRequired = DEFAULT_SECURE_CONNECTION_REQUIRED;
 		$this->m_sDefaultLanguage = 'EN US';
 		$this->m_sAllowedLoginTypes = DEFAULT_ALLOWED_LOGIN_TYPES;
-		$this->m_sExtAuthVariable = DEFAULT_EXT_AUTH_VARIABLE;
 		$this->m_aCharsets = [];
 		$this->m_bQueryCacheEnabled = DEFAULT_QUERY_CACHE_ENABLED;
 		$this->m_iPasswordHashAlgo = DEFAULT_HASH_ALGO;
@@ -2189,7 +2200,6 @@ class Config
 
 		$this->m_sDefaultLanguage = isset($MySettings['default_language']) ? trim($MySettings['default_language']) : 'EN US';
 		$this->m_sAllowedLoginTypes = isset($MySettings['allowed_login_types']) ? trim($MySettings['allowed_login_types']) : DEFAULT_ALLOWED_LOGIN_TYPES;
-		$this->m_sExtAuthVariable = isset($MySettings['ext_auth_variable']) ? trim($MySettings['ext_auth_variable']) : DEFAULT_EXT_AUTH_VARIABLE;
 		$this->m_sEncryptionKey = isset($MySettings['encryption_key']) ? trim($MySettings['encryption_key']) : $this->m_sEncryptionKey;
 		$this->m_sEncryptionLibrary = isset($MySettings['encryption_library']) ? trim($MySettings['encryption_library']) : $this->m_sEncryptionLibrary;
 		$this->m_aCharsets = isset($MySettings['csv_import_charsets']) ? $MySettings['csv_import_charsets'] : [];
@@ -2342,9 +2352,73 @@ class Config
 		return explode('|', $this->m_sAllowedLoginTypes);
 	}
 
+	/**
+	 * @return bool|mixed
+	 * @since 3.2.3 return the parsed value instead of an unsecured variable name
+	 */
 	public function GetExternalAuthenticationVariable()
 	{
-		return $this->m_sExtAuthVariable;
+		$sExpression = $this->Get('ext_auth_variable');
+		$aParsed = $this->ParseExternalAuthVariableExpression($sExpression);
+		if ($aParsed === null) {
+			return false;
+		}
+
+		$sKey = $aParsed['key'];
+		switch ($aParsed['type']) {
+			case 'server':
+				return $_SERVER[$sKey] ?? false;
+			case 'cookie':
+				return $_COOKIE[$sKey] ?? false;
+			case 'request':
+				return $_REQUEST[$sKey] ?? false;
+			case 'header':
+				if (!function_exists('getallheaders')) {
+					return false;
+				}
+				$aHeaders = getallheaders();
+				if (!is_array($aHeaders)) {
+					return false;
+				}
+				return $aHeaders[$sKey] ?? false;
+		}
+		return false;
+	}
+
+	/**
+	 * @param $sExpression
+	 * @return array|null
+	 */
+	private function ParseExternalAuthVariableExpression($sExpression)
+	{
+		// If it's a configuration parameter it's probably already trimmed, but just in case
+		$sExpression = trim((string) $sExpression);
+		if ($sExpression === '') {
+			return null;
+		}
+
+		// Match $_SERVER/$_COOKIE/$_REQUEST['key'] with optional whitespace and single/double quotes.
+		if (preg_match('/^\$_(SERVER|COOKIE|REQUEST)\s*\[\s*(["\'])\s*([^"\']+)\2\s*\]\s*$/', $sExpression, $aMatches) === 1) {
+			$sContext = strtoupper($aMatches[1]);
+			$sKey = $aMatches[3];
+			return [
+				'type' => strtolower($sContext),
+				'key' => $sKey,
+				'normalized' => '$_'.$sContext.'[\''.$sKey.'\']',
+			];
+		}
+
+		// Match getallheaders()['Header-Name'] in a case-insensitive way.
+		if (preg_match('/^getallheaders\(\)\s*\[\s*(["\'])\s*([^"\']+)\1\s*\]\s*$/i', $sExpression, $aMatches) === 1) {
+			$sKey = $aMatches[2];
+			return [
+				'type' => 'header',
+				'key' => $sKey,
+				'normalized' => 'getallheaders()[\''.$sKey.'\']',
+			];
+		}
+
+		return null;
 	}
 
 	public function GetCSVImportCharsets()
@@ -2440,7 +2514,7 @@ class Config
 
 	public function SetExternalAuthenticationVariable($sExtAuthVariable)
 	{
-		$this->m_sExtAuthVariable = $sExtAuthVariable;
+		$this->Set('ext_auth_variable', $sExtAuthVariable);
 	}
 
 	public function SetEncryptionKey($sKey)
@@ -2495,7 +2569,6 @@ class Config
 		$aSettings['secure_connection_required'] = $this->m_bSecureConnectionRequired;
 		$aSettings['default_language'] = $this->m_sDefaultLanguage;
 		$aSettings['allowed_login_types'] = $this->m_sAllowedLoginTypes;
-		$aSettings['ext_auth_variable'] = $this->m_sExtAuthVariable;
 		$aSettings['encryption_key'] = $this->m_sEncryptionKey;
 		$aSettings['encryption_library'] = $this->m_sEncryptionLibrary;
 		$aSettings['csv_import_charsets'] = $this->m_aCharsets;
@@ -2600,7 +2673,6 @@ class Config
 			$aOtherValues = [
 				'default_language' => $this->m_sDefaultLanguage,
 				'allowed_login_types' => $this->m_sAllowedLoginTypes,
-				'ext_auth_variable' => $this->m_sExtAuthVariable,
 				'encryption_key' => $this->m_sEncryptionKey,
 				'encryption_library' => $this->m_sEncryptionLibrary,
 				'csv_import_charsets' => $this->m_aCharsets,

core/dbobjectsearch.class.php

@@ -1925,4 +1925,37 @@ class DBObjectSearch extends DBSearch
 	{
 		return $this->GetCriteria()->ListParameters();
 	}
+
+	/**
+	 * @inheritDoc
+	 * @return DBObjectSearch
+	 */
+	protected function ApplyDataFilters(): DBObjectSearch
+	{
+		if ($this->IsAllDataAllowed() || $this->IsDataFiltered()) {
+			return $this;
+		}
+
+		$oSearch = $this;
+		$aClassesToFilter = $this->GetSelectedClasses();
+
+		// Opt-in for joined classes filtering, otherwise only filter the selected class(es)
+		if (MetaModel::GetConfig()->Get('security.disable_joined_classes_filter') === false) {
+			$aClassesToFilter = $this->GetJoinedClasses();
+		}
+
+		// Apply filter (this is similar to the one in DBSearch but the factorization could make it less readable)
+		foreach ($aClassesToFilter as $sClassAlias => $sClass) {
+			$oVisibleObjects = UserRights::GetSelectFilter($sClass, $this->GetModifierProperties('UserRightsGetSelectFilter'));
+			if ($oVisibleObjects === false) {
+				$oVisibleObjects = DBObjectSearch::FromEmptySet($sClass);
+			}
+			if (is_object($oVisibleObjects)) {
+				$oVisibleObjects->AllowAllData();
+				$oSearch = $oSearch->Filter($sClassAlias, $oVisibleObjects);
+				$oSearch->SetDataFiltered();
+			}
+		}
+		return $oSearch;
+	}
 }

core/dbsearch.class.php

@@ -1122,21 +1122,7 @@ abstract class DBSearch
 	 */
 	protected function GetSQLQuery($aOrderBy, $aArgs, $aAttToLoad, $aExtendedDataSpec, $iLimitCount, $iLimitStart, $bGetCount, $aGroupByExpr = null, $aSelectExpr = null)
 	{
-		$oSearch = $this;
-		if (!$this->IsAllDataAllowed() && !$this->IsDataFiltered()) {
-			foreach ($this->GetSelectedClasses() as $sClassAlias => $sClass) {
-				$oVisibleObjects = UserRights::GetSelectFilter($sClass, $this->GetModifierProperties('UserRightsGetSelectFilter'));
-				if ($oVisibleObjects === false) {
-					// Make sure this is a valid search object, saying NO for all
-					$oVisibleObjects = DBObjectSearch::FromEmptySet($sClass);
-				}
-				if (is_object($oVisibleObjects)) {
-					$oVisibleObjects->AllowAllData();
-					$oSearch = $oSearch->Filter($sClassAlias, $oVisibleObjects);
-					$oSearch->SetDataFiltered();
-				}
-			}
-		}
+		$oSearch = $this->ApplyDataFilters();
 
 		if (is_array($aGroupByExpr)) {
 			foreach ($aGroupByExpr as $sAlias => $oGroupByExp) {
@@ -1608,4 +1594,33 @@ abstract class DBSearch
 	 * @return array{\VariableExpression}
 	 */
 	abstract public function GetExpectedArguments(): array;
+
+	/**
+	 * Apply data filters to the search, if needed
+	 *
+	 * @return DBSearch
+	 * @throws CoreException
+	 */
+	protected function ApplyDataFilters(): DBSearch
+	{
+		if ($this->IsAllDataAllowed() || $this->IsDataFiltered()) {
+			return $this;
+		}
+
+		$oSearch = $this;
+		$aClassesToFilter = $this->GetSelectedClasses();
+
+		foreach ($aClassesToFilter as $sClassAlias => $sClass) {
+			$oVisibleObjects = UserRights::GetSelectFilter($sClass, $this->GetModifierProperties('UserRightsGetSelectFilter'));
+			if ($oVisibleObjects === false) {
+				$oVisibleObjects = DBObjectSearch::FromEmptySet($sClass);
+			}
+			if (is_object($oVisibleObjects)) {
+				$oVisibleObjects->AllowAllData();
+				$oSearch = $oSearch->Filter($sClassAlias, $oVisibleObjects);
+				$oSearch->SetDataFiltered();
+			}
+		}
+		return $oSearch;
+	}
 }

core/dbunionsearch.class.php

@@ -673,4 +673,30 @@ class DBUnionSearch extends DBSearch
 
 		return $aVariableCriteria;
 	}
+
+	/**
+	 * @inheritDoc
+	 * @return DBUnionSearch
+	 */
+	protected function ApplyDataFilters(): DBUnionSearch
+	{
+		if ($this->IsAllDataAllowed() || $this->IsDataFiltered()) {
+			return $this;
+		}
+
+		// Opt-in for joined classes filtering, otherwise fallback on DBSearch filtering
+		if (MetaModel::GetConfig()->Get('security.disable_joined_classes_filter') === true) {
+			return parent::ApplyDataFilters();
+		}
+
+		// Apply filters per sub-search
+		$aFilteredSearches = [];
+		foreach ($this->GetSearches() as $oSubSearch) {
+			// Recursively call ApplyDataFilters on sub-searches
+			$aFilteredSearches[] = $oSubSearch->ApplyDataFilters();
+		}
+
+		$oSearch = new DBUnionSearch($aFilteredSearches);
+		return $oSearch;
+	}
 }

css/backoffice/components/_search-form.scss

@@ -21,6 +21,8 @@ $ibo-search-form-panel--more-criteria--color: $ibo-color-blue-grey-800 !default;
 $ibo-search-form-panel--more-criteria--background-color: $ibo-color-white-100 !default;
 $ibo-search-form-panel--more-criteria--icon--color: $ibo-color-primary-600 !default;
 $ibo-search-form-panel--more-criteria--border-color: $ibo-search-form-panel--criteria--border-color !default;
+// calc is redundant but avoid SCSS min() from being used instead of CSS min()
+$ibo-search-form-panel--criteria--max-height: calc(min(#{$ibo-size-750}, 50vh)) !default;
 
 $ibo-search-form-panel--items--hover--color: $ibo-color-grey-200 !default;
 
@@ -278,9 +280,10 @@ $ibo-search-results-area--datatable-scrollhead--border--is-sticking: $ibo-search
 				}
 
 				.sfc_form_group {
-          display: block;
-          margin-top: -1px;
-          z-index: -1;
+                  display: flex;
+                  flex-direction: column;
+                  margin-top: -1px;
+                  z-index: -1;
         }
 			}
 
@@ -346,11 +349,15 @@ $ibo-search-results-area--datatable-scrollhead--border--is-sticking: $ibo-search
         display: none;
         max-width: 450px;
         width: max-content;
-        max-height: 520px;
+        max-height: $ibo-search-form-panel--criteria--max-height;
         overflow-x: auto;
         overflow-y: hidden;
 
 				.sfc_fg_operators {
+                    display: flex;
+                    flex-direction: column;
+                    overflow: auto;
+                    min-height: 0;
 					font-size: 12px;
 
 					.sfc_fg_operator {
@@ -387,6 +394,9 @@ $ibo-search-results-area--datatable-scrollhead--border--is-sticking: $ibo-search
 						}
 
 						.sfc_opc_multichoices {
+                            display: flex;
+                            flex-direction: column;
+                            height: 100%;
 							label > input {
 								vertical-align: text-top;
 								margin-left: $ibo-spacing-0;
@@ -398,7 +408,6 @@ $ibo-search-results-area--datatable-scrollhead--border--is-sticking: $ibo-search
 							}
 
 							.sfc_opc_mc_items_wrapper {
-								max-height: 415px; /* Must be less than .sfc_form_group:max-height - .sfc_opc_mc_toggler:height - .sfc_opc_mc_filter:height */
 								overflow-y: auto;
 								margin: $ibo-spacing-0 -8px; /* Compensate .sfc_opc_multichoices side padding so the hover style can take the full with */
 
@@ -560,8 +569,14 @@ $ibo-search-results-area--datatable-scrollhead--border--is-sticking: $ibo-search
 			&.search_form_criteria_enum {
 				.sfc_form_group {
 					.sfc_fg_operator_in {
+                        display: flex;
+                        flex-direction: column;
+                        height: 100%;
+                        min-height: 0;
 						> label {
-							display: inline-block;
+							display: flex;
+                            height: 100%;
+                            min-height: 0;
 							width: 100%;
 							line-height: initial;
 							white-space: nowrap;

css/backoffice/components/input/_input-select.scss

@@ -201,8 +201,9 @@ $ibo-input-select--autocomplete-item-image--border: 1px solid $ibo-color-grey-60
 }
 
 // N°7982 Default selectize stylesheet override
+// N°9468 Dropdown content needs to be a few pixel shorter than the dropdown itself to avoid double scrollbar
 .selectize-dropdown-content{
-  max-height: $ibo-input-select-selectize--dropdown--max-height;
+  max-height: calc(#{$ibo-input-select-selectize--dropdown--max-height} - 4px);
 }
 
 .selectize-dropdown.ui-menu .ui-state-active {

datamodels/2.x/combodo-backoffice-darkmoon-theme/scss/scss-variables.scss

@@ -175,6 +175,7 @@ $ibo-input-select--action-button--color: $ibo-input-select-wrapper--after--color
 $ibo-input-select-selectize--item--active--text-color: $ibo-color-grey-100 !default;
 $ibo-input-select-selectize--item--active--background-color: $ibo-color-grey-500 !default;
 $ibo-input-select--autocomplete-item-image--background-color: $ibo-color-grey-800 !default;
+$ibo-input-date--button--color: $ibo-input-select--action-button--color;
 $ibo-vendors-selectize-input--color: $ibo-body-text-color !default;
 $ibo-vendors-selectize-input--background-color: $ibo-input--background-color !default;
 $ibo-vendors-selectize--input--border-color: $ibo-input--border-color !default;
@@ -222,6 +223,11 @@ $ibo-vendors-datatables--row-highlight--colors:('red': ($ibo-color-red-700),'dan
 
 $ibo-vendors-jqueryui--ui-dialog--background-color: $ibo-color-grey-800 !default;
 $ibo-vendors-jqueryui--ui-dialog-titlebar--border-bottom: solid 1px $ibo-color-grey-500 !default;
+$ibo-vendors-jqueryui--ui-datepicker--background-color: $ibo-color-grey-700 !default;
+$ibo-vendors-jqueryui--ui-datepicker-days--color: $ibo-color-primary-200 !default;
+$ibo-vendors-jqueryui--ui-datepicker-days--highlight--background-color: $ibo-color-primary-800 !default;
+$ibo-vendors-jqueryui--ui-datepicker-days--hover--background-color: $ibo-color-primary-500 !default;
+$ibo-vendors-jqueryui--ui-datepicker-days--active--background-color: $ibo-color-primary-700 !default;
 
 
 

js/extkeywidget.js

@@ -171,7 +171,7 @@ function ExtKeyWidget(id, sTargetClass, sFilter, sTitle, bSelectMode, oWizHelper
 			// To avoid dropdown to be cut by the container's overflow hidden rule
 			dropdownParent: 'body',
 			onDropdownOpen: function (oDropdownElem) {
-				me.UpdateDropdownPosition(this.$control, oDropdownElem);
+				me.UpdateDropdownPosition(this.$control, oDropdownElem, this.$dropdown_content);
 			},
 		});
 		let $selectize = $select[0].selectize; // This stores the selectize object to a variable (with name 'selectize')
@@ -320,7 +320,7 @@ function ExtKeyWidget(id, sTargetClass, sFilter, sTitle, bSelectMode, oWizHelper
 	 * @param {object} oDropdownElem jQuery object representing the results dropdown
 	 * @return {void}
 	 */
-	this.UpdateDropdownPosition = function (oControlElem, oDropdownElem) {
+	this.UpdateDropdownPosition = function (oControlElem, oDropdownElem, oDropdownContentElem) {
 		// First fix width to ensure it's not too long
 		const fControlWidth = oControlElem.outerWidth();
 		oDropdownElem.css('width', fControlWidth);
@@ -341,6 +341,11 @@ function ExtKeyWidget(id, sTargetClass, sFilter, sTitle, bSelectMode, oWizHelper
 			oDropdownElem.css('max-height', '30vh');
 			fDropdownHeight = oDropdownElem.outerHeight();
 
+            // N°9468 Dropdown content needs to be a few pixel shorter than the dropdown itself to avoid double scrollbar
+            if(oDropdownContentElem) {
+                oDropdownContentElem.css('max-height', 'calc(30vh - 4px)');
+            }
+
 			// Position dropdown above input if not enough space on the bottom part of the screen
 			if ((fDropdownTopY / fWindowHeight) > 0.6) {
 				oDropdownElem.css('top', fDropdownTopY - fDropdownHeight - fControlHeight);

js/field_set.js

@@ -189,11 +189,14 @@ $(function()
 			this.buildData.script_code = '';
 			this.buildData.style_code = '';
 
-			for (var i in oData.updated_fields)
+			for (let i in oData.updated_fields)
 			{
-				var oUpdatedField = oData.updated_fields[i];
-				this.options.fields_list[oUpdatedField.id] = oUpdatedField;
-				this._prepareField(oUpdatedField.id);
+				const oUpdatedField = oData.updated_fields[i];
+				const oPreviousField = this.options.fields_list[oUpdatedField.id];
+				if (!oPreviousField || JSON.stringify(oPreviousField) !== JSON.stringify(oUpdatedField)) {
+					this.options.fields_list[oUpdatedField.id] = oUpdatedField;
+					this._prepareField(oUpdatedField.id);
+				}
 			}
 
 			// Adding code to the dom

js/forms-json-utils.js

@@ -301,88 +301,112 @@ function ValidateField(sFieldId, sPattern, bMandatory, sFormId, nullValue, origi
 	return true; // Do not stop propagation ??
 }
 
-function ValidateCKEditField(sFieldId, sPattern, bMandatory, sFormId, nullValue, originalValue)
+function EvaluateCKEditorValidation(oOptions)
 {
-	let oField = $('#'+sFieldId);
+	let oField = $('#'+oOptions.sFieldId);
 	if (oField.length === 0) {
 		return false;
 	}
 
-	let oCKEditor = CombodoCKEditorHandler.GetInstanceSynchronous('#'+sFieldId);
+	let oCKEditor = CombodoCKEditorHandler.GetInstanceSynchronous('#'+oOptions.sFieldId);
+	let bValid = true;
+	let sExplain = '';
+	let sTextContent;
+	let sTextOriginalContents;
 
-	var bValid;
-	var sExplain = '';
 	if (oField.prop('disabled')) {
 		bValid = true; // disabled fields are not checked
 	} else {
 		// If the CKEditor is not yet loaded, we need to wait for it to be ready
 		// but as we need this function to be synchronous, we need to call it again when the CKEditor is ready
 		if (oCKEditor === undefined){
-			CombodoCKEditorHandler.GetInstance('#'+sFieldId).then((oCKEditor) => {
-				ValidateCKEditField(sFieldId, sPattern, bMandatory, sFormId, nullValue, originalValue);
+			CombodoCKEditorHandler.GetInstance('#'+oOptions.sFieldId).then((oCKEditor) => {
+				oOptions.onRetry();
 			});
-			return;
+			return false;
 		}
-		let sTextContent;
-		let sFormattedContent = oCKEditor.getData();
 
-		// Get the contents without the tags
-		// Check if we have a formatted content that is HTML, otherwise we just have plain text, and we can use it directly
+		let sFormattedContent = oCKEditor.getData();
 		sTextContent = $(sFormattedContent).length > 0 ? $(sFormattedContent).text() : sFormattedContent;
 
-		if (sTextContent === '') {
+		if (sTextContent === '')
+		{
 			// No plain text, maybe there is just an image
-			let oImg = $(sFormattedContent).find("img");
-			if (oImg.length !== 0) {
+			let oImg = $(sFormattedContent).find('img');
+			if (oImg.length !== 0)
+			{
 				sTextContent = 'image';
 			}
 		}
 
-		// Get the original value without the tags
-		let oFormattedOriginalContents = (originalValue !== undefined) ? $('<div></div>').html(originalValue) : undefined;
-		let sTextOriginalContents = (oFormattedOriginalContents !== undefined) ? oFormattedOriginalContents.text() : undefined;
+		let oFormattedOriginalContents = (oOptions.sOriginalValue !== undefined) ? $('<div></div>').html(oOptions.sOriginalValue) : undefined;
+		sTextOriginalContents = (oFormattedOriginalContents !== undefined) ? oFormattedOriginalContents.text() : undefined;
 
-		if (bMandatory && (sTextContent === nullValue)) {
-			bValid = false;
-			sExplain = Dict.S('UI:ValueMustBeSet');
-		} else if ((sTextOriginalContents !== undefined) && (sTextContent === sTextOriginalContents)) {
-			bValid = false;
-			if (sTextOriginalContents === nullValue) {
-				sExplain = Dict.S('UI:ValueMustBeSet');
-			} else {
-				// Note: value change check is not working well yet as the HTML to Text conversion is not exactly the same when done from the PHP value or the CKEditor value.
-				sExplain = Dict.S('UI:ValueMustBeChanged');
-			}
-		} else {
-			bValid = true;
+		if (oOptions.validate !== undefined) {
+			let oValidation = oOptions.validate(sTextContent, sTextOriginalContents);
+			bValid = oValidation.bValid;
+			sExplain = oValidation.sExplain;
 		}
-		
-		// Put and event to check the field when the content changes, remove the event right after as we'll call this same function again, and we don't want to call the event more than once (especially not ^2 times on each call)
+
+		// Put an event to check the field when the content changes, remove the event right after as we'll call this same function again, and we don't want to call the event more than once (especially not ^2 times on each call)
 		oCKEditor.model.document.once('change:data', (event) => {
-			ValidateCKEditField(sFieldId, sPattern, bMandatory, sFormId, nullValue, originalValue);
+			oOptions.onChange();
 		});
 	}
-	
-	ReportFieldValidationStatus(sFieldId, sFormId, bValid, sExplain);
+
+	ReportFieldValidationStatus(oOptions.sFieldId, oOptions.sFormId, bValid, sExplain);
 	return bValid;
 }
 
+function ValidateCKEditField(sFieldId, sPattern, bMandatory, sFormId, nullValue, originalValue)
+{
+	return EvaluateCKEditorValidation({
+		sFieldId: sFieldId,
+		sFormId: sFormId,
+        sOriginalValue: originalValue,
+		onRetry: function() {
+			ValidateCKEditField(sFieldId, sPattern, bMandatory, sFormId, nullValue, originalValue);
+		},
+		onChange: function() {
+			ValidateCKEditField(sFieldId, sPattern, bMandatory, sFormId, nullValue, originalValue);
+		},
+		validate: function(sTextContent, sTextOriginalContents) {
+			var bValid;
+			var sExplain = '';
+			if (bMandatory && (sTextContent === nullValue)) {
+				bValid = false;
+				sExplain = Dict.S('UI:ValueMustBeSet');
+			} else if ((sTextOriginalContents !== undefined) && (sTextContent === sTextOriginalContents)) {
+				bValid = false;
+				if (sTextOriginalContents === nullValue) {
+					sExplain = Dict.S('UI:ValueMustBeSet');
+				} else {
+					// Note: value change check is not working well yet as the HTML to Text conversion is not exactly the same when done from the PHP value or the CKEditor value.
+					sExplain = Dict.S('UI:ValueMustBeChanged');
+				}
+			} else {
+				bValid = true;
+			}
+			return {bValid: bValid, sExplain: sExplain};
+		}
+	});
+}
 function ResetPwd(id)
 {
-	// Reset the values of the password fields
-	$('#'+id).val('*****');
-	$('#'+id+'_confirm').val('*****');
-	// And reset the flag, to tell it that the password remains unchanged
-	$('#'+id+'_changed').val(0);
-	// Visual feedback, None when it's Ok
-	$('#v_'+id).html('');
+    // Reset the values of the password fields
+    $('#'+id).val('*****');
+    $('#'+id+'_confirm').val('*****');
+    // And reset the flag, to tell it that the password remains unchanged
+    $('#'+id+'_changed').val(0);
+    // Visual feedback, None when it's Ok
+    $('#v_'+id).html('');
 }
 
 // Called whenever the content of a one way encrypted password changes
 function PasswordFieldChanged(id)
 {
-	// Set the flag, to tell that the password changed
-	$('#'+id+'_changed').val(1);
+    // Set the flag, to tell that the password changed
+    $('#'+id+'_changed').val(1);
 }
 
 // Special validation function for one way encrypted password fields
@@ -415,37 +439,48 @@ function ValidatePasswordField(id, sFormId)
 // to determine if the field is empty or not
 function ValidateCaseLogField(sFieldId, bMandatory, sFormId, nullValue, originalValue)
 {
-	var bValid = true;
-	var sExplain = '';
-	var sTextContent;
-	
-	if ($('#'+sFieldId).prop('disabled'))
-	{
-		bValid = true; // disabled fields are not checked
-	}
-	else
-	{
-		// Get the contents (with tags)
-		// Note: For CaseLog we can't retrieve the formatted contents from CKEditor (unlike in ValidateCKEditorField() method) because of the place holder.
-		sTextContent = $('#' + sFieldId).val();
-		var count = $('#'+sFieldId+'_count').val();
+	return EvaluateCKEditorValidation({
+		sFieldId: sFieldId,
+		sFormId: sFormId,
+		sOriginalValue: originalValue,
+		onRetry: function() {
+			ValidateCaseLogField(sFieldId, bMandatory, sFormId, nullValue, originalValue);
+		},
+		onChange: function() {
+			ValidateCaseLogField(sFieldId, bMandatory, sFormId, nullValue, originalValue);
+		},
+		validate: function(sTextContent, sTextOriginalContents) {
+			var bValid;
+			var sExplain = '';
+			// CaseLog is special: history count matters when deciding if the field is empty
+			var count = $('#'+sFieldId+'_count').val();
 
-		if (bMandatory && (count == 0) && (sTextContent == nullValue))
-		{
-			// No previous entry and no content typed
-			bValid = false;
-			sExplain = Dict.S('UI:ValueMustBeSet');
+			if (bMandatory && (count == 0) && (sTextContent === nullValue))
+			{
+				// No previous entry and no content typed
+				bValid = false;
+				sExplain = Dict.S('UI:ValueMustBeSet');
+			}
+			else if ((sTextOriginalContents !== undefined) && (sTextContent === sTextOriginalContents))
+			{
+				bValid = false;
+				if (sTextOriginalContents === nullValue)
+				{
+					sExplain = Dict.S('UI:ValueMustBeSet');
+				}
+				else
+				{
+					// Note: value change check is not working well yet as the HTML to Text conversion is not exactly the same when done from the PHP value or the CKEditor value.
+					sExplain = Dict.S('UI:ValueMustBeChanged');
+				}
+			}
+			else
+			{
+				bValid = true;
+			}
+			return {bValid: bValid, sExplain: sExplain};
 		}
-		else if ((originalValue != undefined) && (sTextContent == originalValue))
-		{
-			bValid = false;
-			sExplain = Dict.S('UI:ValueMustBeChanged');
-		}
-	}
-	ReportFieldValidationStatus(sFieldId, sFormId, bValid, '' /* sExplain */);
-
-	// We need to check periodically as CKEditor doesn't trigger our events. More details in UIHTMLEditorWidget::Display() @ line 92
-	setTimeout(function(){ValidateCaseLogField(sFieldId, bMandatory, sFormId, nullValue, originalValue);}, 500);
+	});
 }
 
 // Validate the inputs depending on the current setting

js/selectize/plugin_combodo_auto_position.js

@@ -22,7 +22,7 @@ Selectize.define("combodo_auto_position", function (aOptions) {
 
 	// Plugin options
 	aOptions = $.extend({
-			maxDropDownHeight: 200,
+			maxDropDownHeight: '200px',
 		},
 		aOptions
 	);
@@ -33,26 +33,28 @@ Selectize.define("combodo_auto_position", function (aOptions) {
 	// Override position dropdown function
 	oSelf.positionDropdown = (function () {
 		return function () {
-			let iRefHeight = oSelf.$dropdown.outerHeight() < aOptions.maxDropDownHeight ?
-				oSelf.$dropdown.outerHeight() : aOptions.maxDropDownHeight;
-
+			let iRefHeight = oSelf.$dropdown.outerHeight();
 			if(oSelf.$control.offset().top + oSelf.$control.outerHeight() + iRefHeight > window.innerHeight){
 
 				oSelf.$dropdown.css({
 					top: oSelf.$control.offset().top - iRefHeight,
 					left: oSelf.$control.offset().left,
 					width: oSelf.$wrapper.outerWidth(),
-					'max-height': `${aOptions.maxDropDownHeight}px`,
+					'max-height': `${aOptions.maxDropDownHeight}`,
 					'overflow-y': 'auto',
-					'border-top': '1px solid #d0d0d0',
 				});
+
+                // N°9468 Dropdown content needs to be a few pixel shorter than the dropdown itself to avoid double scrollbar
+                oSelf.$dropdown_content.css({
+                    'max-height': `calc(${aOptions.maxDropDownHeight} - 4px)`
+                });
+
 			}
 			else{
 				oSelf.$dropdown.css({
 					top: oSelf.$control.offset().top + oSelf.$control.outerHeight(),
 					left: oSelf.$control.offset().left,
 					width: oSelf.$wrapper.outerWidth(),
-					'max-height': `${aOptions.maxDropDownHeight}px`,
 					'overflow-y': 'auto'
 				});
 			}

lib/composer/autoload_classmap.php

@@ -193,6 +193,7 @@ return array(
     'Combodo\\iTop\\Application\\Helper\\CKEditorHelper' => $baseDir . '/sources/Application/Helper/CKEditorHelper.php',
     'Combodo\\iTop\\Application\\Helper\\ExportHelper' => $baseDir . '/sources/Application/Helper/ExportHelper.php',
     'Combodo\\iTop\\Application\\Helper\\FormHelper' => $baseDir . '/sources/Application/Helper/FormHelper.php',
+    'Combodo\\iTop\\Application\\Helper\\SearchHelper' => $baseDir . '/sources/Application/Helper/SearchHelper.php',
     'Combodo\\iTop\\Application\\Helper\\Session' => $baseDir . '/sources/Application/Helper/Session.php',
     'Combodo\\iTop\\Application\\Helper\\WebResourcesHelper' => $baseDir . '/sources/Application/Helper/WebResourcesHelper.php',
     'Combodo\\iTop\\Application\\Newsroom\\iTopNewsroomProvider' => $baseDir . '/sources/Application/Newsroom/iTopNewsroomProvider.php',

lib/composer/autoload_static.php

@@ -548,6 +548,7 @@ class ComposerStaticInit7f81b4a2a468a061c306af5e447a9a9f
         'Combodo\\iTop\\Application\\Helper\\CKEditorHelper' => __DIR__ . '/../..' . '/sources/Application/Helper/CKEditorHelper.php',
         'Combodo\\iTop\\Application\\Helper\\ExportHelper' => __DIR__ . '/../..' . '/sources/Application/Helper/ExportHelper.php',
         'Combodo\\iTop\\Application\\Helper\\FormHelper' => __DIR__ . '/../..' . '/sources/Application/Helper/FormHelper.php',
+        'Combodo\\iTop\\Application\\Helper\\SearchHelper' => __DIR__ . '/../..' . '/sources/Application/Helper/SearchHelper.php',
         'Combodo\\iTop\\Application\\Helper\\Session' => __DIR__ . '/../..' . '/sources/Application/Helper/Session.php',
         'Combodo\\iTop\\Application\\Helper\\WebResourcesHelper' => __DIR__ . '/../..' . '/sources/Application/Helper/WebResourcesHelper.php',
         'Combodo\\iTop\\Application\\Newsroom\\iTopNewsroomProvider' => __DIR__ . '/../..' . '/sources/Application/Newsroom/iTopNewsroomProvider.php',

pages/UI.php

@@ -5,6 +5,7 @@
  * @license     http://opensource.org/licenses/AGPL-3.0
  */
 
+use Combodo\iTop\Application\Helper\SearchHelper;
 use Combodo\iTop\Application\Helper\Session;
 use Combodo\iTop\Application\TwigBase\Twig\TwigHelper;
 use Combodo\iTop\Application\UI\Base\Component\Button\ButtonUIBlockFactory;
@@ -126,72 +127,6 @@ function SetObjectBreadCrumbEntry(DBObject $oObj, WebPage $oPage)
 	$oPage->SetBreadCrumbEntry("ui-details-$sClass-".$oObj->GetKey(), $oObj->Get('friendlyname'), MetaModel::GetName($sClass).': '.$oObj->Get('friendlyname'), '', $sIcon, $sIconType);
 }
 
-/**
- * Displays the result of a search request
- * @param $oP WebPage Web page for the output
- * @param $oFilter DBSearch The search of objects to display
- * @param $bSearchForm boolean Whether or not to display the search form at the top the page
- * @param $sBaseClass string The base class for the search (can be different from the actual class of the results)
- * @param $sFormat string The format to use for the output: csv or html
- * @param $bDoSearch bool True to display the search results below the search form
- * @param $bSearchFormOpen bool True to display the search form fully expanded (only if $bSearchForm of course)
- * @throws \CoreException
- * @throws \DictExceptionMissingString
- */
-function DisplaySearchSet($oP, $oFilter, $bSearchForm = true, $sBaseClass = '', $sFormat = '', $bDoSearch = true, $bSearchFormOpen = true, $aParams = [])
-{
-	//search block
-	$oBlockForm = null;
-	if ($bSearchForm) {
-		$aParams['open'] = $bSearchFormOpen;
-		if (false === isset($aParams['table_id'])) {
-			$aParams['table_id'] = 'result_1';
-		}
-		if (!empty($sBaseClass)) {
-			$aParams['baseClass'] = $sBaseClass;
-		}
-		$oBlockForm = new DisplayBlock($oFilter, 'search', false /* Asynchronous */, $aParams);
-
-		if (!$bDoSearch) {
-			$oBlockForm->Display($oP, 0);
-		}
-	}
-	if ($bDoSearch) {
-		if (strtolower($sFormat) == 'csv') {
-			$oBlock = new DisplayBlock($oFilter, 'csv', false);
-			// Adjust the size of the Textarea containing the CSV to fit almost all the remaining space
-			$oP->add_ready_script(" $('#1>textarea').height($('#1').parent().height() - $('#0').outerHeight() - 30).width( $('#1').parent().width() - 20);"); // adjust the size of the block
-		} else {
-			$oBlock = new DisplayBlock($oFilter, 'list', false);
-
-			// Breadcrumb
-			//$iCount = $oBlock->GetDisplayedCount();
-			$sPageId = "ui-search-".$oFilter->GetClass();
-			$sLabel = MetaModel::GetName($oFilter->GetClass());
-			$oP->SetBreadCrumbEntry($sPageId, $sLabel, '', '', 'fas fa-search', iTopWebPage::ENUM_BREADCRUMB_ENTRY_ICON_TYPE_CSS_CLASSES);
-		}
-		if ($bSearchForm) {
-			//add search block
-			$sTableId = utils::ReadParam('_table_id_', null, false, 'raw_data');
-			if ($sTableId == '') {
-				$sTableId = 'result_1';
-			}
-			$aExtraParams['table_id'] = $sTableId;
-			$aExtraParams['submit_on_load'] = false;
-			$oUIBlockForm = $oBlockForm->GetDisplay($oP, 'search_1', $aExtraParams);
-			//add result block
-			$oUIBlock = $oBlock->GetDisplay($oP, $sTableId);
-			$oUIBlock->AddCSSClasses(['display_block', 'sf_results_area']);
-			$oUIBlock->AddDataAttribute('target', 'search_results');
-			//$oUIBlockForm->AddSubBlock($oUIBlock);
-			$oP->AddUiBlock($oUIBlockForm);
-			$oUIBlockForm->AddSubBlock($oUIBlock);
-		} else {
-			$oBlock->Display($oP, 1);
-		}
-	}
-}
-
 /**
  * Displays a form (checkboxes) to select the objects for which to apply a given action
  * Only the objects for which the action is valid can be checked. By default all valid objects are checked
@@ -460,7 +395,7 @@ try {
 				$sOQL = "SELECT $sOQLClass $sOQLClause";
 				try {
 					$oFilter = DBObjectSearch::FromOQL($sOQL);
-					DisplaySearchSet($oP, $oFilter, $bSearchForm, $sBaseClass, $sFormat);
+					SearchHelper::DisplaySearchSet($oP, $oFilter, $bSearchForm, $sBaseClass, $sFormat);
 				} catch (CoreException $e) {
 					$oFilter = new DBObjectSearch($sOQLClass);
 					$oSet = new DBObjectSet($oFilter);
@@ -487,7 +422,7 @@ try {
 				}
 				$oP->set_title(Dict::S('UI:SearchResultsPageTitle'));
 				$oFilter =  new DBObjectSearch($sClass);
-				DisplaySearchSet($oP, $oFilter, $bSearchForm, '' /* sBaseClass */, $sFormat, $bDoSearch, true /* Search Form Expanded */);
+				SearchHelper::DisplaySearchSet($oP, $oFilter, $bSearchForm, '' /* sBaseClass */, $sFormat, $bDoSearch, true /* Search Form Expanded */);
 				break;
 
 				///////////////////////////////////////////////////////////////////////////////////////////
@@ -509,7 +444,7 @@ try {
 				//				$sParams = utils::ReadParam('aParams', '{}', false, \utils::ENUM_SANITIZATION_FILTER_RAW_DATA);
 				//				$aParams = json_decode($sParams, true);
 
-				DisplaySearchSet($oP, $oFilter, $bSearchForm, '' /* sBaseClass */, $sFormat); //, true, true, $aParams
+				SearchHelper::DisplaySearchSet($oP, $oFilter, $bSearchForm, '' /* sBaseClass */, $sFormat); //, true, true, $aParams
 				break;
 
 				///////////////////////////////////////////////////////////////////////////////////////////

pages/exec.php

@@ -104,7 +104,7 @@ if ($sTargetPage === false || $sModule === 'core' || $sModule === 'dictionaries'
 $aModuleDelegatedAuthenticationEndpointsList = GetModuleDelegatedAuthenticationEndpoints($sModule);
 // If module doesn't have the delegated authentication endpoints list defined, we rely on the conf. param. to decide if we force login or not.
 if (is_null($aModuleDelegatedAuthenticationEndpointsList)) {
-	$bForceLoginWhenNoDelegatedAuthenticationEndpoints = utils::GetConfig()->Get('security.force_login_when_no_delegated_authentication_endpoints_list');
+	$bForceLoginWhenNoDelegatedAuthenticationEndpoints = !utils::GetConfig()->Get('security.disable_exec_forced_login_for_all_enpoints');
 	if ($bForceLoginWhenNoDelegatedAuthenticationEndpoints) {
 		require_once(APPROOT.'/application/startup.inc.php');
 		LoginWebPage::DoLoginEx();

setup/setuppage.class.inc.php

@@ -36,7 +36,7 @@ class SetupPage extends NiceWebPage
 {
 	public const DEFAULT_PAGE_TEMPLATE_REL_PATH = 'pages/backoffice/setuppage/layout';
 
-	protected const BODY_DATA_GUI_TYPE = 'setup';
+	public const BODY_DATA_GUI_TYPE = 'setup';
 
 	public function __construct($sTitle)
 	{

sources/Application/Helper/SearchHelper.php

@@ -0,0 +1,88 @@
+<?php
+
+/*
+ * @copyright   Copyright (C) 2010-2026 Combodo SAS
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */
+
+namespace Combodo\iTop\Application\Helper;
+
+use Combodo\iTop\Application\WebPage\iTopWebPage;
+use Combodo\iTop\Application\WebPage\WebPage;
+use DBSearch;
+use DisplayBlock;
+use MetaModel;
+use utils;
+
+class SearchHelper
+{
+	/**
+	 * Displays the result of a search request
+	 * @param $oP WebPage Web page for the output
+	 * @param $oFilter DBSearch The search of objects to display
+	 * @param $bSearchForm boolean Whether or not to display the search form at the top the page
+	 * @param $sBaseClass string The base class for the search (can be different from the actual class of the results)
+	 * @param $sFormat string The format to use for the output: csv or html
+	 * @param $bDoSearch bool True to display the search results below the search form
+	 * @param $bSearchFormOpen bool True to display the search form fully expanded (only if $bSearchForm of course)
+	 * @throws \CoreException
+	 * @throws \DictExceptionMissingString
+	 */
+	public static function DisplaySearchSet($oP, $oFilter, $bSearchForm = true, $sBaseClass = '', $sFormat = '', $bDoSearch = true, $bSearchFormOpen = true, $aParams = []): void
+	{
+		//search block
+		$oBlockForm = null;
+		if ($bSearchForm) {
+			$aParams['open'] = $bSearchFormOpen;
+			if (false === isset($aParams['table_id'])) {
+				$aParams['table_id'] = 'result_1';
+			}
+			if (!empty($sBaseClass)) {
+				$aParams['baseClass'] = $sBaseClass;
+			}
+			$oBlockForm = new DisplayBlock($oFilter, 'search', false /* Asynchronous */, $aParams);
+
+			if (!$bDoSearch) {
+				$oBlockForm->Display($oP, 0);
+			}
+		}
+		if ($bDoSearch) {
+			if (strtolower($sFormat) == 'csv') {
+				$oBlock = new DisplayBlock($oFilter, 'csv', false);
+				// Adjust the size of the Textarea containing the CSV to fit almost all the remaining space
+				$oP->add_ready_script(" $('#1>textarea').height($('#1').parent().height() - $('#0').outerHeight() - 30).width( $('#1').parent().width() - 20);"); // adjust the size of the block
+			} else {
+				$oBlock = new DisplayBlock($oFilter, 'list', false);
+
+				// Breadcrumb
+				//$iCount = $oBlock->GetDisplayedCount();
+				$sPageId = "ui-search-".$oFilter->GetClass();
+				$sLabel = MetaModel::GetName($oFilter->GetClass());
+				$oP->SetBreadCrumbEntry($sPageId, $sLabel, '', '', 'fas fa-search', iTopWebPage::ENUM_BREADCRUMB_ENTRY_ICON_TYPE_CSS_CLASSES);
+			}
+			if ($bSearchForm) {
+				//add search block
+				$sTableId = utils::ReadParam('_table_id_', null, false, 'raw_data');
+				if ($sTableId == '') {
+					$sTableId = 'result_1';
+				}
+				$aExtraParams['table_id'] = $sTableId;
+				$aExtraParams['submit_on_load'] = false;
+				$oUIBlockForm = $oBlockForm->GetDisplay($oP, 'search_1', $aExtraParams);
+
+				// If the class is not high cardinality, we can display the results directly in the same page
+				if (!utils::IsHighCardinality($oFilter->GetClass())) {
+					//add result block
+					$oUIBlock = $oBlock->GetDisplay($oP, $sTableId);
+					$oUIBlock->AddCSSClasses(['display_block', 'sf_results_area']);
+					$oUIBlock->AddDataAttribute('target', 'search_results');
+					$oUIBlockForm->AddSubBlock($oUIBlock);
+				}
+
+				$oP->AddUiBlock($oUIBlockForm);
+			} else {
+				$oBlock->Display($oP, 1);
+			}
+		}
+	}
+}

sources/Application/UI/Base/Layout/ActivityPanel/ActivityPanelFactory.php

@@ -152,6 +152,7 @@ class ActivityPanelFactory
 				if (false === empty($aRelatedTriggersIDs)) {
 					// - Prepare query to retrieve events
 					$oNotifEventsSearch = DBObjectSearch::FromOQL('SELECT EN FROM EventNotification AS EN JOIN Action AS A ON EN.action_id = A.id WHERE EN.trigger_id IN (:triggers_ids) AND EN.object_id = :object_id');
+					$oNotifEventsSearch->AllowAllData();
 					$oNotifEventsSet = new DBObjectSet($oNotifEventsSearch, ['id' => false], ['triggers_ids' => $aRelatedTriggersIDs, 'object_id' => $sObjId]);
 					$oNotifEventsSet->SetLimit(MetaModel::GetConfig()->Get('max_history_length'));
 

sources/Application/WebPage/WebPage.php

@@ -152,7 +152,7 @@ class WebPage implements Page
 	 */
 	public const DEFAULT_PAGE_TEMPLATE_REL_PATH = 'pages/backoffice/webpage/layout';
 
-	protected const BODY_DATA_GUI_TYPE = 'backoffice';
+	public const BODY_DATA_GUI_TYPE = 'backoffice';
 
 	protected $s_title;
 	protected $s_content;

templates/application/links/direct/block-direct-linkset-edit-table/layout.js.twig

@@ -7,6 +7,6 @@ oWidget{{ oUIBlock.oUILinksDirectWidget.GetInputId() }} = $('#{{ oUIBlock.oUILin
     input_name: '{{ oUIBlock.sInputName }}',
     submit_to: '{{ oUIBlock.sSubmitUrl }}',
     oWizardHelper: {{ oUIBlock.sWizHelper }},
-    do_search: '{{ oUIBlock.sJSDoSearch }}'
+    do_search: {{ oUIBlock.sJSDoSearch }}
 });
 {% endapply %}

templates/base/components/input/set/layout.ready.js.twig

@@ -23,7 +23,7 @@ let oWidget{{ oUIBlock.GetId() }} = $('#{{ oUIBlock.GetId() }}').selectize({
         },
         {# PLUGIN combodo auto position  #}
         'combodo_auto_position' : {
-            maxDropDownHeight: 300, {# in px #}
+            maxDropDownHeight: '30vh', {# same value as external key widget #}
         },
         {# PLUGIN combodo add button #}
         {% if oUIBlock.HasAddOptionButton() %}

templates/pages/backoffice/webpage/layout.html.twig

@@ -49,7 +49,7 @@
         {% endfor %}
     {% endblock %}
 </head>
-<body data-gui-type="{{ aPage.sBodyDataGuiType|default('backoffice') }}">
+<body data-gui-type="{{ aPage.sBodyDataGuiType|default(constant('Combodo\\iTop\\Application\\WebPage\\WebPage::BODY_DATA_GUI_TYPE')) }}">
 {% if aPage.isPrintable %}<div class="printable-content" style="width: 27.7cm;">{% endif %}
     {% block iboPageBodyHtml %}
         <div id="ibo-page-container">

tests/php-unit-tests/integration-tests/login-tests/LoginWebPageTest.php

@@ -26,14 +26,14 @@ class LoginWebPageTest extends ItopDataTestCase
 		$this->BackupConfiguration();
 		$sFolderPath = APPROOT.'env-production/extension-with-delegated-authentication-endpoints-list';
 		if (file_exists($sFolderPath)) {
-			throw new Exception("Folder $sFolderPath already exists, please remove it before running the test");
+			$this->RecurseRmdir($sFolderPath);
 		}
 		mkdir($sFolderPath);
 		$this->RecurseCopy(__DIR__.'/extension-with-delegated-authentication-endpoints-list', $sFolderPath);
 
 		$sFolderPath = APPROOT.'env-production/extension-without-delegated-authentication-endpoints-list';
 		if (file_exists($sFolderPath)) {
-			throw new Exception("Folder $sFolderPath already exists, please remove it before running the test");
+			$this->RecurseRmdir($sFolderPath);
 		}
 		mkdir($sFolderPath);
 		$this->RecurseCopy(__DIR__.'/extension-without-delegated-authentication-endpoints-list', $sFolderPath);
@@ -81,8 +81,7 @@ class LoginWebPageTest extends ItopDataTestCase
 
 	public function testUserCanAccessAnyFile()
 	{
-		// generate random login
-		$sUserLogin = 'user-'.date('YmdHis');
+		$sUserLogin = 'user-'.uniqid();
 		$this->CreateUser($sUserLogin, self::$aURP_Profiles['Service Desk Agent'], self::PASSWORD);
 		$this->GivenConfigFileAllowedLoginTypes(explode('|', 'form'));
 
@@ -102,7 +101,7 @@ class LoginWebPageTest extends ItopDataTestCase
 	public function testWithoutDelegatedAuthenticationEndpointsListWithForceLoginConf()
 	{
 		@chmod($this->oConfig->GetLoadedFile(), 0770);
-		$this->oConfig->Set('security.force_login_when_no_delegated_authentication_endpoints_list', true, 'AnythingButEmptyOrUnknownValue'); // 3rd param to write file even if show_in_conf_sample is false
+		$this->oConfig->Set('security.disable_exec_forced_login_for_all_enpoints', false, 'AnythingButEmptyOrUnknownValue'); // 3rd param to write file even if show_in_conf_sample is false
 		$this->oConfig->WriteToFile();
 		@chmod($this->oConfig->GetLoadedFile(), 0444);
 		$sPageContent = $this->CallItopUri(

tests/php-unit-tests/src/BaseTestCase/ItopDataTestCase.php

@@ -1470,4 +1470,19 @@ abstract class ItopDataTestCase extends ItopTestCase
 		@chmod($sConfigPath, 0440);
 		@unlink($this->sConfigTmpBackupFile);
 	}
+	protected function AddLoginModeAndSaveConfiguration(string $sLoginMode): void
+	{
+		$aAllowedLoginTypes = $this->oiTopConfig->GetAllowedLoginTypes();
+		if (!in_array($sLoginMode, $aAllowedLoginTypes)) {
+			$aAllowedLoginTypes[] = $sLoginMode;
+			$this->oiTopConfig->SetAllowedLoginTypes($aAllowedLoginTypes);
+			$this->SaveItopConfFile();
+		}
+	}
+	protected function SaveItopConfFile(): void
+	{
+		@chmod($this->oiTopConfig->GetLoadedFile(), 0770);
+		$this->oiTopConfig->WriteToFile();
+		@chmod($this->oiTopConfig->GetLoadedFile(), 0440);
+	}
 }

tests/php-unit-tests/src/BaseTestCase/ItopTestCase.php

@@ -668,7 +668,7 @@ abstract class ItopTestCase extends KernelTestCase
 		}
 
 		curl_setopt($ch, CURLOPT_URL, $sUrl);
-		curl_setopt($ch, CURLOPT_POST, 1);// set post data to true
+		curl_setopt($ch, CURLOPT_POST, $aCurlOptions[CURLOPT_POST] ?? 1);// set post data to true
 		curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
 		// Force disable of certificate check as most of dev / test env have a self-signed certificate
 		curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
@@ -708,6 +708,16 @@ abstract class ItopTestCase extends KernelTestCase
 	{
 		$sUrl = \MetaModel::GetConfig()->Get('app_root_url')."/$sUri";
 
+		// Add PHP version in header to be able to handle Docker dev environments with automatic PHP version detection (instead of hardcoding the PHP version in the app_root_url)
+		$sPhpVersion = PHP_VERSION;
+		$aPhpVersionParts = explode('.', $sPhpVersion);
+		$sPhpVersionHeaderValue = ($aPhpVersionParts[0] ?? '0').($aPhpVersionParts[1] ?? '0');
+		$aCurlOptions = $aCurlOptions ?? [];
+		$aCurlOptions[CURLOPT_HTTPHEADER] = array_merge(
+			$aCurlOptions[CURLOPT_HTTPHEADER] ?? [],
+			['X-PHP-Version: '.$sPhpVersionHeaderValue]
+		);
+
 		return $this->CallUrl($sUrl, $aPostFields, $aCurlOptions, $bXDebugEnabled);
 	}
 }

tests/php-unit-tests/unitary-tests/application/Helper/SearchHelperTest.php

@@ -0,0 +1,88 @@
+<?php
+
+/*
+ * @copyright   Copyright (C) 2010-2026 Combodo SAS
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */
+
+namespace Combodo\iTop\Test\UnitTest\Application\Helper;
+
+use Combodo\iTop\Application\Helper\SearchHelper;
+use Combodo\iTop\Application\WebPage\iTopWebPage;
+use Combodo\iTop\Test\UnitTest\ItopDataTestCase;
+use DBSearch;
+use MetaModel;
+
+class SearchHelperTest extends ItopDataTestCase
+{
+	protected static array $aHighCardinalityClasses = [];
+	protected static bool $bSearchManualSubmit = false;
+
+	protected function setUp(): void
+	{
+		parent::setUp();
+		self::$aHighCardinalityClasses = MetaModel::GetConfig()->Get('high_cardinality_classes');
+		self::$bSearchManualSubmit = MetaModel::GetConfig()->Get('search_manual_submit');
+	}
+
+	protected function tearDown(): void
+	{
+		parent::tearDown();
+		MetaModel::GetConfig()->Set('high_cardinality_classes', static::$aHighCardinalityClasses);
+		MetaModel::GetConfig()->Set('search_manual_submit', static::$bSearchManualSubmit);
+	}
+
+	public function testDisplaySearchSetWithNoHighCardinalityClassesAddsResultSubBlock(): void
+	{
+		MetaModel::GetConfig()->Set('high_cardinality_classes', []);
+		MetaModel::GetConfig()->Set('search_manual_submit', false);
+
+		$oP = new iTopWebPage('SearchHelperTest');
+		$oFilter = DBSearch::FromOQL('SELECT UserRequest');
+		SearchHelper::DisplaySearchSet($oP, $oFilter);
+		$oContentLayout = $oP->GetContentLayout();
+		$this->assertTrue($oContentLayout->HasSubBlock('search_1'));
+		$oSearchBlock = $oContentLayout->getSubBlock('search_1');
+		$this->assertTrue($oSearchBlock->HasSubBlock('result_1'));
+
+		if (ob_get_level() > 0) {
+			ob_end_clean();
+		}
+	}
+
+	public function testDisplaySearchSetWithHighCardinalityClassesDoesNotAddResultSubBlock(): void
+	{
+		MetaModel::GetConfig()->Set('high_cardinality_classes', ['UserRequest']);
+		MetaModel::GetConfig()->Set('search_manual_submit', false);
+
+		$oP = new iTopWebPage('SearchHelperTest');
+		$oFilter = DBSearch::FromOQL('SELECT UserRequest');
+		SearchHelper::DisplaySearchSet($oP, $oFilter);
+		$oContentLayout = $oP->GetContentLayout();
+		$this->assertTrue($oContentLayout->HasSubBlock('search_1'));
+		$oSearchBlock = $oContentLayout->getSubBlock('search_1');
+		$this->assertFalse($oSearchBlock->HasSubBlock('result_1'));
+
+		if (ob_get_level() > 0) {
+			ob_end_clean();
+		}
+	}
+
+	public function testDisplaySearchSetWithSearchManualSubmitAndWithoutHighCardinalityClassesDoesNotAddResultSubBlock(): void
+	{
+		MetaModel::GetConfig()->Set('high_cardinality_classes', []);
+		MetaModel::GetConfig()->Set('search_manual_submit', true);
+
+		$oP = new iTopWebPage('SearchHelperTest');
+		$oFilter = DBSearch::FromOQL('SELECT UserRequest');
+		SearchHelper::DisplaySearchSet($oP, $oFilter);
+		$oContentLayout = $oP->GetContentLayout();
+		$this->assertTrue($oContentLayout->HasSubBlock('search_1'));
+		$oSearchBlock = $oContentLayout->getSubBlock('search_1');
+		$this->assertFalse($oSearchBlock->HasSubBlock('result_1'));
+
+		if (ob_get_level() > 0) {
+			ob_end_clean();
+		}
+	}
+}

tests/php-unit-tests/unitary-tests/application/LoginExternalTest.php

@@ -0,0 +1,95 @@
+<?php
+
+/**
+ * Copyright (C) 2010-2024 Combodo SAS
+ *
+ * This file is part of iTop.
+ *
+ * iTop is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * iTop is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with iTop. If not, see <http://www.gnu.org/licenses/>
+ */
+
+namespace Combodo\iTop\Test\UnitTest\Application;
+
+use Combodo\iTop\Test\UnitTest\ItopDataTestCase;
+use utils;
+
+class LoginExternalTest extends ItopDataTestCase
+{
+	private $oConfig;
+	private $sOriginalExtAuthVariable;
+
+	protected function setUp(): void
+	{
+		parent::setUp();
+		require_once APPROOT.'application/loginexternal.class.inc.php';
+		$this->oConfig = utils::GetConfig();
+		$this->sOriginalExtAuthVariable = $this->oConfig->Get('ext_auth_variable');
+	}
+
+	protected function tearDown(): void
+	{
+		$this->oConfig->SetExternalAuthenticationVariable($this->sOriginalExtAuthVariable);
+		parent::tearDown();
+	}
+
+	private function CallGetAuthUser()
+	{
+		$oLoginExternal = new \LoginExternal();
+		$oMethod = new \ReflectionMethod(\LoginExternal::class, 'GetAuthUser');
+		$oMethod->setAccessible(true);
+		return $oMethod->invoke($oLoginExternal);
+	}
+
+	public function testGetAuthUserFromServerVariable()
+	{
+		$_SERVER['REMOTE_USER'] = 'alice';
+		$this->oConfig->SetExternalAuthenticationVariable('$_SERVER[\'REMOTE_USER\']');
+
+		$this->assertSame('alice', $this->CallGetAuthUser());
+	}
+
+	public function testGetAuthUserFromCookie()
+	{
+		$_COOKIE['auth_user'] = 'bob';
+		$this->oConfig->SetExternalAuthenticationVariable('$_COOKIE[\'auth_user\']');
+
+		$this->assertSame('bob', $this->CallGetAuthUser());
+	}
+
+	public function testGetAuthUserFromRequest()
+	{
+		$_REQUEST['auth_user'] = 'carol';
+		$this->oConfig->SetExternalAuthenticationVariable('$_REQUEST[\'auth_user\']');
+
+		$this->assertSame('carol', $this->CallGetAuthUser());
+	}
+
+	public function testInvalidExpressionReturnsFalse()
+	{
+		$this->oConfig->SetExternalAuthenticationVariable('$_SERVER[\'HTTP_X_CMD\']) ? print(\'x\') : false; //');
+
+		$this->assertFalse($this->CallGetAuthUser());
+	}
+
+	public function testGetAuthUserFromHeaderWithoutAllowlist()
+	{
+		if (!function_exists('getallheaders')) {
+			$this->markTestSkipped('getallheaders() not available');
+		}
+		$_SERVER['HTTP_X_REMOTE_USER'] = 'CN=header-test';
+		$this->oConfig->SetExternalAuthenticationVariable('getallheaders()[\'X-Remote-User\']');
+
+		$this->assertSame('CN=header-test', $this->CallGetAuthUser());
+	}
+}

tests/php-unit-tests/unitary-tests/core/DBSearchFilterJoinTest.php

@@ -0,0 +1,193 @@
+<?php
+
+namespace Combodo\iTop\Test\UnitTest\Core;
+
+use CMDBSource;
+use Combodo\iTop\Test\UnitTest\ItopDataTestCase;
+use DBObjectSearch;
+use DBObjectSet;
+use DBSearch;
+use lnkFunctionalCIToTicket;
+use MetaModel;
+use ormLinkSet;
+use UserRequest;
+use UserRights;
+
+class DBSearchFilterJoinTest extends ItopDataTestCase
+{
+	private const RESTRICTED_PROFILE = 'Configuration Manager';
+	private $aData = [];
+	protected function setUp(): void
+	{
+		parent::setUp();
+		$this->RequireOnceItopFile('application/startup.inc.php');
+		$this->aData = $this->CreateDBSearchFilterTestData();
+		DBSearch::EnableQueryCache(false, false);
+		$this->LoginRestrictedUser($this->aData['allowed_org_id'], self::RESTRICTED_PROFILE);
+
+	}
+
+	protected function tearDown(): void
+	{
+		parent::tearDown();
+	}
+
+	/**
+	 * @dataProvider JoinedAndNestedOqlProvider
+	 */
+	public function testDBSearchFilterAppliedToJoinsWhenEnabled(string $sOql, int $iExpectedCount): void
+	{
+		$this->EnableJoinFilterConfig(true);
+
+		$oSearch = DBObjectSearch::FromOQL($sOql, ['denied_org' => $this->aData['denied_org_name'], 'allowed_org' => $this->aData['allowed_org_name']]);
+		$oSet = new \DBObjectSet($oSearch);
+		CMDBSource::TestQuery($oSearch->MakeSelectQuery());
+		$this->assertEquals($iExpectedCount, $oSet->Count());
+	}
+
+	/**
+	 * @dataProvider JoinedAndNestedOqlProvider
+	 */
+	public function testDBSearchFilterAppliedToJoinsWhenDisabled(string $sOql, int $iExpectedCount, int $iExpectedDisabledCount): void
+	{
+		$this->EnableJoinFilterConfig(false);
+
+		$oSearch = DBObjectSearch::FromOQL($sOql, ['denied_org' => $this->aData['denied_org_name'], 'allowed_org' => $this->aData['allowed_org_name']]);
+		$oSet = new \DBObjectSet($oSearch);
+		CMDBSource::TestQuery($oSearch->MakeSelectQuery());
+		$this->assertEquals($iExpectedDisabledCount, $oSet->Count());
+	}
+
+	/**
+	 * @dataProvider JoinedAndNestedOqlProvider
+	 */
+	public function testAllowAllDataBypassesDBSearchFilterWhenEnabled(string $sOql, int $iExpectedCount, int $iExpectedDisabledCount): void
+	{
+		$this->EnableJoinFilterConfig(true);
+
+		$oSearch = DBObjectSearch::FromOQL($sOql, ['denied_org' => $this->aData['denied_org_name'], 'allowed_org' => $this->aData['allowed_org_name']]);
+		$oSearch->AllowAllData();
+		$oSet = new \DBObjectSet($oSearch);
+		CMDBSource::TestQuery($oSearch->MakeSelectQuery());
+		$this->assertEquals($iExpectedDisabledCount, $oSet->Count());
+	}
+
+	/**
+	 * @dataProvider JoinedAndNestedOqlProvider
+	 */
+	public function testAllowAllDataBypassesDBSearchFilterWhenDisabled(string $sOql, int $iExpectedCount, int $iExpectedDisabledCount): void
+	{
+		$this->EnableJoinFilterConfig(false);
+
+		$oSearch = DBObjectSearch::FromOQL($sOql, ['denied_org' => $this->aData['denied_org_name'], 'allowed_org' => $this->aData['allowed_org_name']]);
+		$oSearch->AllowAllData();
+		$oSet = new \DBObjectSet($oSearch);
+		CMDBSource::TestQuery($oSearch->MakeSelectQuery());
+		$this->assertEquals($iExpectedDisabledCount, $oSet->Count());
+	}
+
+	public function JoinedAndNestedOqlProvider(): array
+	{
+		return [
+			'join-filter-on-org' => [
+				'oql' => "SELECT OSF FROM OSFamily AS OSF JOIN VirtualMachine AS VM ON VM.osfamily_id = OSF.id JOIN Organization AS O ON VM.org_id = O.id WHERE O.name = :denied_org",
+				'expected_filtered_count' => 0,
+				'expected_unfiltered_count' => 1,
+			],
+			'nested-in-select' => [
+				'oql' => "SELECT OSF FROM OSFamily AS OSF WHERE OSF.id IN (SELECT OSF1 FROM OSFamily AS OSF1 JOIN VirtualMachine AS VM ON VM.osfamily_id = OSF1.id JOIN Organization AS O ON VM.org_id = O.id WHERE O.name = :denied_org)",
+				'expected_filtered_count' => 0,
+				'expected_unfiltered_count' => 1,
+
+			],
+			'userrequest-join-person-org' => [
+				'oql' => "SELECT OSF FROM OSFamily AS OSF JOIN VirtualMachine AS VM ON VM.osfamily_id = OSF.id JOIN lnkFunctionalCIToTicket AS L ON L.functionalci_id = VM.id JOIN UserRequest AS UR ON L.ticket_id = UR.id  JOIN Person AS P ON UR.caller_id = P.id JOIN Organization AS O ON P.org_id = O.id WHERE O.name = :denied_org",
+				'expected_filtered_count' => 0,
+				'expected_unfiltered_count' => 1,
+			],
+			'union-join-filter-on-org' => [
+				'oql' => "SELECT OSF FROM OSFamily AS OSF JOIN VirtualMachine AS VM ON VM.osfamily_id = OSF.id JOIN Organization AS O ON VM.org_id = O.id WHERE O.name = :denied_org UNION SELECT OSF2 FROM OSFamily AS OSF2 JOIN VirtualMachine AS VM2 ON VM2.osfamily_id = OSF2.id JOIN Organization AS O2 ON VM2.org_id = O2.id WHERE O2.name = :allowed_org",
+				'expected_filtered_count' => 1,
+				'expected_unfiltered_count' => 2,
+			],
+		];
+	}
+
+	private function EnableJoinFilterConfig(bool $bEnabled): void
+	{
+		$oConfig = MetaModel::GetConfig();
+		$oConfig->Set('security.disable_joined_classes_filter', !$bEnabled);
+	}
+
+	private function CreateDBSearchFilterTestData(): array
+	{
+		$sSuffix = 'DBSearchFilterJoinTest';
+
+		$sAllowedOrgName = 'DBSearchFilterAllowedOrg-'.$sSuffix;
+		$iAllowedOrgId = $this->GivenObjectInDB('Organization', [
+			'name' => $sAllowedOrgName,
+		]);
+
+		$this->debug("Org allowed id: $iAllowedOrgId");
+		$sDeniedOrgName = 'DBSearchFilterDeniedOrg-'.$sSuffix;
+		$iDeniedOrgId = $this->GivenObjectInDB('Organization', [
+			'name' => $sDeniedOrgName,
+		]);
+		$this->debug("Org denied id: $iDeniedOrgId");
+
+		$iDeniedOsFamilyId = $this->GivenObjectInDB('OSFamily', [
+			'name' => 'DBSearchFilterOsFamilyDenied-'.$sSuffix,
+		]);
+
+		$iAllowedOsFamilyId = $this->GivenObjectInDB('OSFamily', [
+			'name' => 'DBSearchFilterOsFamilyAllowed-'.$sSuffix,
+		]);
+
+		$iDeniedVMId = $this->GivenObjectInDB('VirtualMachine', [
+			'name' => 'DBSearchFilterVmDenied-'.$sSuffix,
+			'org_id' => $iDeniedOrgId,
+			'osfamily_id' => $iDeniedOsFamilyId,
+			'virtualhost_id' => 1,
+		]);
+
+		$iVirtualHostId = $this->GivenObjectInDB('Hypervisor', [
+			'name'   => 'DBSearchFilterVHost-'.$sSuffix,
+			'org_id' => $iAllowedOrgId,
+		]);
+
+		$this->GivenObjectInDB('VirtualMachine', [
+			'name' => 'DBSearchFilterVmAllowed-'.$sSuffix,
+			'org_id' => $iAllowedOrgId,
+			'osfamily_id' => $iAllowedOsFamilyId,
+			'virtualhost_id' => $iVirtualHostId,
+		]);
+
+		$oDeniedPerson = $this->CreatePerson('Denied-'.$sSuffix, $iDeniedOrgId);
+
+		$oUserRequest = $this->CreateUserRequest('Denied'.$sSuffix, [
+			'caller_id' => $oDeniedPerson->GetKey(),
+			'org_id' => $iDeniedOrgId,
+		]);
+
+		// Add Virtual Machine to UserRequest lnk
+		$oLinkSet = new ormLinkSet(UserRequest::class, 'functionalcis_list', DBObjectSet::FromScratch(lnkFunctionalCIToTicket::class));
+
+		$oLink = MetaModel::NewObject(lnkFunctionalCIToTicket::class, ['functionalci_id' => $iDeniedVMId]);
+		$oLinkSet->AddItem($oLink);
+
+		$oUserRequest->Set('functionalcis_list', $oLinkSet);
+		$oUserRequest->DBUpdate();
+
+		return [
+			'allowed_org_id' => $iAllowedOrgId,
+			'allowed_org_name' => $sAllowedOrgName,
+			'denied_org_name' => $sDeniedOrgName,
+		];
+	}
+
+	private function LoginRestrictedUser(int $iAllowedOrgId, string $sProfileName): void
+	{
+		$sLogin = $this->GivenUserRestrictedToAnOrganizationInDB($iAllowedOrgId, self::$aURP_Profiles[$sProfileName]);
+		UserRights::Login($sLogin);
+	}
+}

tests/php-unit-tests/unitary-tests/pages/AjaxRenderTest.php

@@ -0,0 +1,180 @@
+<?php
+
+namespace Combodo\iTop\Test\UnitTest\Pages;
+
+use Combodo\iTop\Test\UnitTest\ItopDataTestCase;
+use Dict;
+use UserLocal;
+use UserRequest;
+
+class AjaxRenderTest extends ItopDataTestCase
+{
+	public const USE_TRANSACTION = false;
+	public const AUTHENTICATION_PASSWORD = "tagada-Secret,007";
+
+	private static string $sLogin;
+	private static int $iTicketId;
+
+	protected function setUp(): void
+	{
+		parent::setUp();
+		$this->BackupConfiguration();
+		$this->oiTopConfig->Set('log_level_min', 'Error');
+		$this->oiTopConfig->Set('login_debug', true);
+
+		$this->CreateTestOrganization();
+
+		// Add URL authentication mode
+		$this->AddLoginModeAndSaveConfiguration('url');
+
+		// Create ticket
+		$description = date('dmY H:i:s');
+		$oTicket = $this->createObject('UserRequest', [
+			'org_id' => $this->getTestOrgId(),
+			"title" => "Houston, got a problem",
+			"description" => $description,
+		]);
+		self::$iTicketId = $oTicket->GetKey();
+	}
+
+	// Test that if a user with the right permissions tries to acquire the lock on a ticket, it succeeds and returns the correct success message
+	public function testAcquireLockSuccess(): void
+	{
+		$sOutput = $this->CreateSupportAgentUserAndAcquireLock();
+		$this->assertStringContainsString('"success":true', $sOutput);
+	}
+
+	// Test that if a user tries to acquire the lock on an object that does not exist, it fails and logs the correct error message
+	public function testAcquireLockFailsIfObjectDoesNotExist(): void
+	{
+		// Create a user with Support Agent Profile
+		$this->CreateUserWithProfile(self::$aURP_Profiles['Support Agent']);
+
+		// Try to acquire the lock on a non-existent object
+		$sOutput = $this->AcquireLockAsUser(self::$sLogin, 99999999);
+
+		// The output should indicate a fatal error because we hide the existence of the object when it does not exist or is not accessible by the user
+		$this->assertEquals(Dict::S('UI:PageTitle:FatalError'), $sOutput);
+
+		// Check that the error log contains the expected error message about the object not existing
+		$sLastErrorLogLines = $this->GetErrorLogLastLines(APPROOT.'log/error.log', 10);
+		$this->assertStringContainsString(Dict::S('UI:ObjectDoesNotExist'), $sLastErrorLogLines);
+	}
+
+	// Test that if a user tries to acquire the lock on an object for which they don't have modification rights, it fails and logs the correct error message
+	public function testAcquireLockFailsIfUserHasNoModifyRights(): void
+	{
+		// Create a user with a profile without modification rights on UserRequest
+		$this->CreateUserWithProfile(self::$aURP_Profiles['Configuration Manager']);
+
+		// Try to acquire the lock on the ticket
+		$sOutput = $this->AcquireLockAsUser(self::$sLogin, self::$iTicketId);
+
+		// The output should indicate a fatal error because we hide the existence of the object when it does not exist or is not accessible by the user
+		$this->assertEquals(Dict::S('UI:PageTitle:FatalError'), $sOutput);
+
+		// The user should not have the rights to acquire the lock, and an error should be logged
+		$sLastErrorLogLines = $this->GetErrorLogLastLines(APPROOT.'log/error.log', 10);
+		$this->assertStringContainsString(Dict::S('UI:ObjectDoesNotExist'), $sLastErrorLogLines);
+	}
+
+	// Test that if a user tries to acquire the lock on an object that belongs to another organization, it fails and logs the correct error message
+	public function testAcquireLockFailsIfObjectInOtherOrg(): void
+	{
+		// Create an organization and a ticket in this organization
+		$iOtherOrgId = $this->createObject('Organization', ['name' => 'OtherOrg'])->GetKey();
+		$oTicket = $this->createObject('UserRequest', [
+			'org_id' => $iOtherOrgId,
+			'title' => 'Ticket autre org',
+			'description' => 'Test',
+		]);
+
+		// Create a user who only has access to the main test organization
+		$oUser = $this->CreateUserWithProfile(self::$aURP_Profiles['Support Agent']);
+		$oAllowedOrgList = $oUser->Get('allowed_org_list');
+		$oUserOrg = \MetaModel::NewObject('URP_UserOrg', ['allowed_org_id' => $this->getTestOrgId()]);
+		$oAllowedOrgList->AddItem($oUserOrg);
+		$oUser->Set('allowed_org_list', $oAllowedOrgList);
+		$oUser->DBWrite();
+
+		// Try to acquire the lock on the ticket of the other organization
+		$sOutput = $this->AcquireLockAsUser(self::$sLogin, $oTicket->GetKey());
+
+		// The output should indicate a fatal error because we hide the existence of the object when it does not exist or is not accessible by the user
+		$this->assertEquals(Dict::S('UI:PageTitle:FatalError'), $sOutput);
+
+		// The user should not have access to the ticket of the other organization, so an error should be logged
+		$sLastErrorLogLines = $this->GetErrorLogLastLines(APPROOT.'log/error.log', 10);
+		$this->assertStringContainsString(Dict::S('UI:ObjectDoesNotExist'), $sLastErrorLogLines);
+	}
+
+	// Test that if a user has already acquired the lock on an object, another user cannot acquire it and gets the correct error message
+	public function testAcquireLockFailsIfAlreadyLockedByAnotherUser(): void
+	{
+		// First, acquire the lock with a user (User A)
+		$this->CreateSupportAgentUserAndAcquireLock();
+		$sUserALogin = self::$sLogin;
+
+		// Create a second user (User B) who tries to acquire the lock
+		$sOutput = $this->CreateSupportAgentUserAndAcquireLock();
+
+		// The second user should not be able to acquire the lock, and the output should contain the correct error message indicating that the object is already locked by User A
+		$this->assertStringContainsString('"success":false', $sOutput);
+		$this->assertStringContainsString('"message":"'.Dict::Format('UI:CurrentObjectIsSoftLockedBy_User', $sUserALogin).'"', $sOutput);
+	}
+
+	// Helper method to create a user with Support Agent profile and acquire the lock on the ticket
+	private function CreateSupportAgentUserAndAcquireLock(): string
+	{
+		// Create a user with Support Agent Profile
+		$this->CreateUserWithProfile(self::$aURP_Profiles['Support Agent']);
+
+		return $this->AcquireLockAsUser(self::$sLogin, self::$iTicketId);
+	}
+
+	// Helper method to create a user with a specific profile
+	private function CreateUserWithProfile(int $iProfileId): UserLocal
+	{
+		self::$sLogin = uniqid('AjaxRenderTest');
+		return $this->CreateContactlessUser(self::$sLogin, $iProfileId, self::AUTHENTICATION_PASSWORD);
+	}
+
+	// Helper method to acquire the lock on a ticket as a specific user
+	private function AcquireLockAsUser(string $sLogin, int $iTicketId): string
+	{
+		$aGetFields = [
+			'operation' => 'acquire_lock',
+			'auth_user' => $sLogin,
+			'auth_pwd'  => self::AUTHENTICATION_PASSWORD,
+			'obj_class' => UserRequest::class,
+			'obj_key'   => $iTicketId,
+		];
+
+		return $this->CallItopUri(
+			"pages/ajax.render.php?".http_build_query($aGetFields),
+			[],
+			[
+				CURLOPT_HTTPHEADER => ['X-Combodo-Ajax:1'],
+				CURLOPT_POST       => 0,
+			]
+		);
+	}
+
+	// Returns the last lines of the error log containing only errors (Error level)
+	private function GetErrorLogLastLines(string $sErrorLogPath, int $iLineNumbers = 1): string
+	{
+		if (!file_exists($sErrorLogPath)) {
+			return '';
+		}
+
+		$aLines = file($sErrorLogPath, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
+
+		// Keep only lines containing '| Error |'
+		$aErrorLines = array_filter($aLines, function ($line) {
+			return preg_match('/\|\s*Error\s*\|/', $line);
+		});
+
+		// Return the last requested lines
+		return implode("\n", array_slice($aErrorLines, -$iLineNumbers));
+	}
+}