Merge branch 'develop' into antifascista

Bumps [rubocop-rails](https://github.com/rubocop/rubocop-rails) from 2.12.2 to 2.12.3.
- [Release notes](https://github.com/rubocop/rubocop-rails/releases)
- [Changelog](https://github.com/rubocop/rubocop-rails/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rubocop/rubocop-rails/compare/v2.12.2...v2.12.3)

.gitlab/merge_request_templates/Default.md

@@ -1,8 +1,9 @@
 ## What does this MR do?
 
-<!-- Is there a lot to say? Consider creating an issue. -->
+<!--Insert the link to a GitHub issue in (), or describe the changes if there is no issue -->
+[Issue Link]()
 
-## Screenshots  <!-- Optional -->
+## Screenshots  <!-- Optional, very helpful for the reviewer colleagues from other teams -->
 
 ### Before
 
@@ -12,7 +13,7 @@
 
 ![alt text](https://example.com/after.png)
 
-## Notes
+## Code Changes
 
 * This MR
   **does**  <!-- KEEP ONLY ONE -->
@@ -58,9 +59,36 @@ How do your performance changes scale on a system of this size?
 they are really big customers, and we want to keep their business!)
 -->
 
-### Follow-up Required  <!-- Optional -->
+### Documentation Follow-up Required?
+
+<!-- Keep one of the two sections -->
 
 <!--
-Does your MR require coordination with the documentation/support teams?
-If so, apply the label and explain here.
+If this MR does change:
+- How the user experiences or uses the application
+  - Visual appearance
+  - Screen flow
+  - Texts
+- How the application is deployed an maintained
+  - Deployment process
+  - System requirements
+  - Command line interfaces
+ -->
+This MR may require follow-up by the documentation team.
+/label ~Documentation
+
+<!--
+Otherwise
 -->
+This MR does not require any follow-up.
+
+## QA Checklist (to be filled by the reviewer)
+
+- [ ] Implementation satisfies specification
+- [ ] Changes confirmed by manual testing
+- [ ] [Code style](https://git.znuny.com/zammad/zammad/-/wikis/Coding-style-guide) is appropriate
+- [ ] Performance will not degrade
+- [ ] Code is properly covered with tests
+- If follow-up by the documentation team is needed:
+  - [ ] Add a comment with this text
+> @<!-- don't treat this as a mention until copied -->MrGeneration please check if this MR requires changes to the documentation. Thanks!

.pkgr.yml

@@ -116,6 +116,6 @@ env:
   - ZAMMAD_RAILS_PORT=3000
   - ZAMMAD_WEBSOCKET_PORT=6042
 services:
-  - postgres
+  - postgres:13
 before_install: contrib/packager.io/preinstall.sh
 after_install: contrib/packager.io/postinstall.sh

.rubocop/default.yml

@@ -6,6 +6,8 @@ require:
   - rubocop-performance
   - rubocop-rails
   - rubocop-rspec
+  - rubocop-inflector
+  - ../config/initializers/inflections.rb
   - ./rubocop_zammad.rb
 
 inherit_from:

.rubocop/todo.yml

@@ -887,10 +887,6 @@ Metrics/PerceivedComplexity:
     - 'test/browser_test_helper.rb'
     - 'test/integration/slack_test.rb'
 
-Rails/AssertNot:
-  Exclude:
-    - 'test/browser/admin_permissions_granular_vs_full_test.rb'
-
 Rails/CreateTableWithTimestamps:
   Exclude:
     - 'db/migrate/20120101000001_create_base.rb'

CHANGELOG.md

@@ -1,7 +1,7 @@
 # Change Log
 
-## [5.0.0](https://github.com/zammad/zammad/tree/5.0.0) (2021-xx-xx)
-[Full Changelog](https://github.com/zammad/zammad/compare/4.1.0...5.0.0)
+## [5.1.0](https://github.com/zammad/zammad/tree/5.1.0) (2021-xx-xx)
+[Full Changelog](https://github.com/zammad/zammad/compare/5.0.0...5.1.0)
 
 **Implemented enhancements:**
 

Gemfile

@@ -198,6 +198,7 @@ group :development, :test do
   gem 'overcommit'
   gem 'rubocop'
   gem 'rubocop-faker'
+  gem 'rubocop-inflector'
   gem 'rubocop-performance'
   gem 'rubocop-rails'
   gem 'rubocop-rspec'

Gemfile.lock

@@ -90,7 +90,7 @@ GEM
       activerecord (>= 4.2)
     addressable (2.8.0)
       public_suffix (>= 2.0.2, < 5.0)
-    argon2 (2.0.3)
+    argon2 (2.1.1)
       ffi (~> 1.14)
       ffi-compiler (~> 1.0)
     argon2 (2.0.3-x86_64-linux-musl)
@@ -113,7 +113,7 @@ GEM
       faraday
     async-io (1.32.2)
       async
-    async-pool (0.3.8)
+    async-pool (0.3.9)
       async (>= 1.25)
     autoprefixer-rails (10.3.3.0)
       execjs (~> 2)
@@ -188,7 +188,7 @@ GEM
     docile (1.4.0)
     domain_name (0.5.20190701)
       unf (>= 0.0.5, < 1.0.0)
-    doorkeeper (5.5.3)
+    doorkeeper (5.5.4)
       railties (>= 5)
     dotenv (2.7.6)
     eco (1.0.0)
@@ -302,9 +302,8 @@ GEM
     inflection (1.0.0)
     iniparse (1.5.0)
     interception (0.5)
-    json (2.5.1)
     json (2.5.1-x86_64-linux-musl)
-    jwt (2.2.3)
+    jwt (2.3.0)
     kgio (2.11.4)
     kgio (2.11.4-x86_64-linux-musl)
     koala (3.0.0)
@@ -444,7 +443,7 @@ GEM
       binding_of_caller (~> 1.0)
       pry (~> 0.13)
     public_suffix (4.0.6)
-    puma (4.3.8)
+    puma (4.3.10)
       nio4r (~> 2.0)
     puma (4.3.8-x86_64-linux-musl)
       nio4r (~> 2.0)
@@ -522,15 +521,14 @@ GEM
       rspec-mocks (~> 3.10)
       rspec-support (~> 3.10)
     rspec-support (3.10.2)
-    rszr (0.5.2)
     rszr (0.5.2-x86_64-linux-musl)
-    rubocop (1.21.0)
+    rubocop (1.22.1)
       parallel (~> 1.10)
       parser (>= 3.0.0.0)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.8, < 3.0)
       rexml
-      rubocop-ast (>= 1.9.1, < 2.0)
+      rubocop-ast (>= 1.12.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 3.0)
     rubocop-ast (1.12.0)
@@ -538,10 +536,14 @@ GEM
     rubocop-faker (1.1.0)
       faker (>= 2.12.0)
       rubocop (>= 0.82.0)
+    rubocop-inflector (0.1.1)
+      activesupport
+      rubocop
+      rubocop-rspec
     rubocop-performance (1.11.5)
       rubocop (>= 1.7.0, < 2.0)
       rubocop-ast (>= 0.4.0)
-    rubocop-rails (2.12.2)
+    rubocop-rails (2.12.3)
       activesupport (>= 4.2.0)
       rack (>= 1.1)
       rubocop (>= 1.7.0, < 2.0)
@@ -617,7 +619,7 @@ GEM
     timers (4.3.3)
     tins (1.29.1)
       sync
-    twilio-ruby (5.58.3)
+    twilio-ruby (5.59.0)
       faraday (>= 0.9, < 2.0)
       jwt (>= 1.5, <= 2.5)
       nokogiri (>= 1.6, < 2.0)
@@ -764,6 +766,7 @@ DEPENDENCIES
   rszr (= 0.5.2)
   rubocop
   rubocop-faker
+  rubocop-inflector
   rubocop-performance
   rubocop-rails
   rubocop-rspec
@@ -797,4 +800,4 @@ RUBY VERSION
    ruby 2.7.3p183
 
 BUNDLED WITH
-   2.2.20
+   2.2.27

VERSION

@@ -1 +1 @@
-5.0.x
+5.1.x

app/assets/javascripts/app/controllers/_application_controller/table.coffee

@@ -493,6 +493,25 @@ class App.ControllerTable extends App.Controller
       sortable:   @dndCallback
     ))
 
+  getGroupByKeyName: (object, groupBy) ->
+    reference_key = groupBy + '_id'
+
+    if reference_key of object
+      attribute = _.findWhere(object.constructor.configure_attributes, { name: reference_key })
+
+      return App[attribute.relation]?.find(object[reference_key])?.displayName() || reference_key
+
+    groupBy
+
+  sortObjectKeys: (objects, direction) ->
+    sorted = Object.keys(objects).sort()
+
+    switch direction
+      when 'DESC'
+        sorted.reverse()
+      else
+        sorted
+
   renderTableRows: (sort = false) =>
     if sort is true
       @sortList()
@@ -506,11 +525,11 @@ class App.ControllerTable extends App.Controller
     objectsToShow = @objectsOfPage(@pagerShownPage)
     if @groupBy
       # group by raw (and not printable) value so dates work also
-      objectsGrouped = _.groupBy(objectsToShow, (object) => object[@groupBy])
+      objectsGrouped = _.groupBy(objectsToShow, (object) => object[@getGroupByKeyName(object, @groupBy)])
     else
       objectsGrouped = { '': objectsToShow }
 
-    for groupValue in Object.keys(objectsGrouped).sort()
+    for groupValue in @sortObjectKeys(objectsGrouped, @groupDirection)
       groupObjects = objectsGrouped[groupValue]
 
       for object in groupObjects

app/assets/javascripts/app/controllers/_ui_element/_application_ui_element.coffee

@@ -46,7 +46,7 @@ class App.UiElement.ApplicationUiElement
     result = []
     for row in selection
       if attribute.translate
-        row.name = App.i18n.translateInline(row.name)
+        row.name = App.i18n.translatePlain(row.name)
         if !_.isEmpty(row.children)
           row.children = @getConfigOptionListArray(attribute, row.children)
       result.push row
@@ -65,7 +65,7 @@ class App.UiElement.ApplicationUiElement
       for key in order
         name_new = selection[key]
         if attribute.translate
-          name_new = App.i18n.translateInline(name_new)
+          name_new = App.i18n.translatePlain(name_new)
         attribute.options.push {
           name:  name_new
           value: key
@@ -162,7 +162,7 @@ class App.UiElement.ApplicationUiElement
           nameNew = item.name
 
         if attribute.translate
-          nameNew = App.i18n.translateInline(nameNew)
+          nameNew = App.i18n.translatePlain(nameNew)
 
         row =
           value: item.id,

app/assets/javascripts/app/controllers/_ui_element/core_workflow_condition.coffee

@@ -23,7 +23,7 @@ class App.UiElement.core_workflow_condition extends App.UiElement.ApplicationSel
       organization:
         name: 'Organization'
         model: 'Organization'
-        model_show: ['Organization']
+        model_show: ['User', 'Organization']
       'customer.organization':
         name: 'Organization'
         model: 'Organization'

app/assets/javascripts/app/controllers/_ui_element/core_workflow_perform.coffee

@@ -128,9 +128,10 @@ class App.UiElement.core_workflow_perform extends App.UiElement.ApplicationSelec
   @buildValueConfigMultiple: (config, meta) ->
     if _.contains(['add_option', 'remove_option', 'set_fixed_to'], meta.operator)
       config.multiple = true
+      config.nulloption = true
     else
       config.multiple = false
-    config.nulloption = false
+      config.nulloption = false
     return config
 
   @HasPreCondition: ->

app/assets/javascripts/app/controllers/_ui_element/richtext.coffee

@@ -6,7 +6,7 @@ class App.UiElement.richtext
       attribute.value = attribute.value.text
 
     item = $( App.view('generic/richtext')(attribute: attribute, toolButtons: @toolButtons) )
-    @contenteditable = item.find('[contenteditable]').ce(
+    item.find('[contenteditable]').ce(
       mode:      attribute.type
       maxlength: attribute.maxlength
       buttons:   attribute.buttons
@@ -21,12 +21,12 @@ class App.UiElement.richtext
         new App[plugin.controller](params)
 
     if attribute.upload
-      @attachments = []
+      attachments = []
       item.append( $( App.view('generic/attachment')(attribute: attribute) ) )
 
-      renderFile = (file) =>
+      renderFile = (file) ->
         item.find('.attachments').append(App.view('generic/attachment_item')(file))
-        @attachments.push file
+        attachments.push file
 
       if params && params.attachments
         for file in params.attachments
@@ -46,10 +46,10 @@ class App.UiElement.richtext
       , form.form_id)
 
       # remove items
-      item.find('.attachments').on('click', '.js-delete', (e) =>
+      item.find('.attachments').on('click', '.js-delete', (e) ->
         id = $(e.currentTarget).data('id')
-        @attachments = _.filter(
-          @attachments,
+        attachments = _.filter(
+          attachments,
           (item) ->
             return if item.id.toString() is id.toString()
             item
@@ -71,67 +71,35 @@ class App.UiElement.richtext
           element.empty()
       )
 
-      @progressBar           = item.find('.attachmentUpload-progressBar')
-      @progressText          = item.find('.js-percentage')
-      @attachmentPlaceholder = item.find('.attachmentPlaceholder')
-      @attachmentUpload      = item.find('.attachmentUpload')
-      @attachmentsHolder     = item.find('.attachments')
-      @cancelContainer       = item.find('.js-cancel')
+      App.Delay.set( ->
+        uploader = new App.Html5Upload(
+          uploadUrl:              "#{App.Config.get('api_path')}/attachments"
+          dropContainer:          item.closest('form')
+          cancelContainer:        item.find('.js-cancel')
+          inputField:             item.find('input')
+          data:
+            form_id: item.closest('form').find('[name=form_id]').val()
 
-      u = => html5Upload.initialize(
-        uploadUrl:              "#{App.Config.get('api_path')}/attachments"
-        dropContainer:          item.closest('form').get(0)
-        cancelContainer:        @cancelContainer
-        inputField:             item.find('input').get(0)
-        maxSimultaneousUploads: 1,
-        key:                    'File'
-        data:
-          form_id: item.closest('form').find('[name=form_id]').val()
-        onFileAdded: (file) =>
+          onFileStartCallback: ->
+            item.find('[contenteditable]').trigger('fileUploadStart')
 
-          file.on(
-            onStart: =>
-              @attachmentPlaceholder.addClass('hide')
-              @attachmentUpload.removeClass('hide')
-              @cancelContainer.removeClass('hide')
-              item.find('[contenteditable]').trigger('fileUploadStart')
-              App.Log.debug 'UiElement.richtext', 'upload start'
+          onFileCompletedCallback: (response) ->
+            renderFile(response.data)
+            item.find('input').val('')
+            item.find('[contenteditable]').trigger('fileUploadStop', ['completed'])
 
-            onAborted: =>
-              @attachmentPlaceholder.removeClass('hide')
-              @attachmentUpload.addClass('hide')
-              item.find('input').val('')
-              item.find('[contenteditable]').trigger('fileUploadStop', ['aborted'])
+          onFileAbortedCallback: ->
+            item.find('input').val('')
+            item.find('[contenteditable]').trigger('fileUploadStop', ['aborted'])
 
-            # Called after received response from the server
-            onCompleted: (response) =>
-              response = JSON.parse(response)
+          attachmentPlaceholder: item.find('.attachmentPlaceholder')
+          attachmentUpload:      item.find('.attachmentUpload')
+          progressBar:           item.find('.attachmentUpload-progressBar')
+          progressText:          item.find('.js-percentage')
+        )
 
-              @attachmentPlaceholder.removeClass('hide')
-              @attachmentUpload.addClass('hide')
-
-              # reset progress bar
-              @progressBar.width(parseInt(0) + '%')
-              @progressText.text('')
-
-              renderFile(response.data)
-              item.find('input').val('')
-              item.find('[contenteditable]').trigger('fileUploadStop', ['completed'])
-              App.Log.debug 'UiElement.richtext', 'upload complete', response.data
-
-            # Called during upload progress, first parameter
-            # is decimal value from 0 to 100.
-            onProgress: (progress, fileSize, uploadedBytes) =>
-              @progressBar.width(parseInt(progress) + '%')
-              @progressText.text(parseInt(progress))
-              # hide cancel on 90%
-              if parseInt(progress) >= 90
-                @cancelContainer.addClass('hide')
-              App.Log.debug 'UiElement.richtext', 'uploadProgress ', parseInt(progress)
-
-          )
-      )
-      App.Delay.set(u, 100, undefined, 'form_upload')
+        uploader.render()
+      , 100, undefined, 'form_upload')
 
     item
 

app/assets/javascripts/app/controllers/agent_ticket_create.coffee

@@ -8,7 +8,7 @@ class App.TicketCreate extends App.Controller
   events:
     'click .type-tabs .tab':   'changeFormType'
     'submit form':             'submit'
-    'click .js-cancel':        'cancel'
+    'click .form-controls .js-cancel':        'cancel'
     'click .js-active-toggle': 'toggleButton'
 
   types: {
@@ -184,8 +184,11 @@ class App.TicketCreate extends App.Controller
     @controllerUnbind('ticket_create_rerender', (template) => @renderQueue(template))
 
   changed: =>
+    return true if @hasAttachments()
+
     formCurrent = @formParam( @$('.ticket-create') )
     diff = difference(@formDefault, formCurrent)
+
     return false if !diff || _.isEmpty(diff)
     return true
 
@@ -461,6 +464,9 @@ class App.TicketCreate extends App.Controller
   params: =>
     params = @formParam(@$('.main form'))
 
+  hasAttachments: =>
+    @$('.richtext .attachments .attachment').length > 0
+
   submit: (e) =>
     e.preventDefault()
 
@@ -563,7 +569,7 @@ class App.TicketCreate extends App.Controller
     # save ticket, create article
     # check attachment
     if article['body']
-      if @$('.richtext .attachments .attachment').length < 1
+      if !@hasAttachments()
         matchingWord = App.Utils.checkAttachmentReference(article['body'])
         if matchingWord
           if !confirm(App.i18n.translateContent('You use %s in text but no attachment is attached. Do you want to continue?', matchingWord))

app/assets/javascripts/app/controllers/core_workflow.coffee

@@ -1,6 +1,6 @@
 class CoreWorkflow extends App.ControllerSubContent
   requiredPermission: 'admin.core_workflow'
-  header: 'Core Workflow'
+  header: 'Core Workflows'
   constructor: ->
     super
 
@@ -54,4 +54,4 @@ class CoreWorkflow extends App.ControllerSubContent
     }
     return mapping[screen] || screen
 
-App.Config.set('CoreWorkflowObject', { prio: 1750, parent: '#system', name: 'Core Workflow', target: '#system/core_workflow', controller: CoreWorkflow, permission: ['admin.core_workflow'] }, 'NavBarAdmin')
+App.Config.set('CoreWorkflowObject', { prio: 1750, parent: '#system', name: 'Core Workflows', target: '#system/core_workflow', controller: CoreWorkflow, permission: ['admin.core_workflow'] }, 'NavBarAdmin')

app/assets/javascripts/app/controllers/knowledge_base/public_menu_manager.coffee

@@ -27,11 +27,13 @@ class App.KnowledgeBasePublicMenuManager extends App.Controller
       {
         headline: 'Header menu',
         identifier: 'header',
-        color:      kb.color_header
+        color:      kb.color_header,
+        color_link: kb.color_header_link
       },
       {
         headline: 'Footer menu',
-        identifier: 'footer'
+        identifier: 'footer',
+        color_link: 'hsl(207,12%,50%)'
       }
     ]
 

app/assets/javascripts/app/controllers/ticket_overview.coffee

@@ -1314,7 +1314,7 @@ class Table extends App.Controller
     return if ticketListShow[0] || @permissionCheck('ticket.agent')
 
     tickets_count = user.lifetimeCustomerTicketsCount()
-    @html App.view('customer_not_ticket_exists')(has_any_tickets: tickets_count > 0)
+    @html App.view('customer_not_ticket_exists')(has_any_tickets: tickets_count > 0, is_allowed_to_create_ticket: @Config.get('customer_ticket_create'))
 
     if tickets_count == 0
       @listenTo user, 'refresh', =>

app/assets/javascripts/app/controllers/ticket_zoom.coffee

@@ -200,10 +200,10 @@ class App.TicketZoom extends App.Controller
     formMeta   = data.form_meta
 
     # on the following states we want to rerender the ticket:
-    # - if the object attribute configuration has changed (attribute values, restrictions, filters)
+    # - if the object attribute configuration has changed (attribute values, dependecies, filters)
     # - if the user view has changed (agent/customer)
     # - if the ticket permission has changed (read/write/full)
-    if @view && ( !_.isEqual(@formMeta, formMeta) || @view isnt view || @readable isnt readable || @changeable isnt changeable || @fullable isnt fullable )
+    if @view && ( !_.isEqual(@formMeta.configure_attributes, formMeta.configure_attributes) || !_.isEqual(@formMeta.dependencies, formMeta.dependencies) || !_.isEqual(@formMeta.filter, formMeta.filter) || @view isnt view || @readable isnt readable || @changeable isnt changeable || @fullable isnt fullable )
       @renderDone = false
 
     @view       = view
@@ -214,6 +214,7 @@ class App.TicketZoom extends App.Controller
 
     # render page
     @render(local)
+    App.Event.trigger('ui::ticket::load', data)
 
   meta: =>
 

app/assets/javascripts/app/controllers/ticket_zoom/article_new.coffee

@@ -98,7 +98,7 @@ class App.TicketZoomArticleNew extends App.Controller
     @controllerBind('ui:rerender', =>
       @adjustedTextarea = false
       @defaults         = @ui.taskGet('article')
-      @attachments      = @defaults.attachments
+      @attachments      = @defaults.attachments || []
       @render()
     )
 
@@ -117,7 +117,7 @@ class App.TicketZoomArticleNew extends App.Controller
 
     @tokanice(@type)
 
-    if @defaults.body or @isIE10()
+    if @defaults.body or @attachments.length > 0 or @isIE10()
       @openTextarea(null, true)
 
   tokanice: (type = 'email') ->
@@ -191,82 +191,30 @@ class App.TicketZoomArticleNew extends App.Controller
       maxlength: 150000
     })
 
-    html5Upload.initialize(
-      uploadUrl:       "#{App.Config.get('api_path')}/upload_caches/#{@form_id}"
-      dropContainer:   @$('.article-add').get(0)
-      cancelContainer: @cancelContainer
-      inputField:      @$('.article-attachment input').get(0)
-      key:             'File'
-      maxSimultaneousUploads: 1
-      onFileAdded:            (file) =>
+    new App.Html5Upload(
+      uploadUrl:              "#{App.Config.get('api_path')}/upload_caches/#{@form_id}"
+      dropContainer:          @$('.article-add')
+      cancelContainer:        @cancelContainer
+      inputField:             @$('.article-attachment input')
 
-        file.on(
+      onFileStartCallback: =>
+        @callbackFileUploadStart?()
 
-          onStart: =>
-            @attachmentPlaceholder.addClass('hide')
-            @attachmentUpload.removeClass('hide')
-            @cancelContainer.removeClass('hide')
+      onFileCompletedCallback: (response) =>
+        @attachments.push response.data
+        @renderAttachment(response.data)
+        @$('.article-attachment input').val('')
 
-            if @callbackFileUploadStart
-              @callbackFileUploadStart()
+        @callbackFileUploadStop?()
 
-          onAborted: =>
-            @attachmentPlaceholder.removeClass('hide')
-            @attachmentUpload.addClass('hide')
-            @$('.article-attachment input').val('')
+      onFileAbortedCallback: =>
+        @callbackFileUploadStop?()
 
-            if @callbackFileUploadStop
-              @callbackFileUploadStop()
-
-          # Called after received response from the server
-          onCompleted: (response) =>
-
-            response = JSON.parse(response)
-            @attachments.push response.data
-
-            @attachmentPlaceholder.removeClass('hide')
-            @attachmentUpload.addClass('hide')
-
-            # reset progress bar
-            @progressBar.width(parseInt(0) + '%')
-            @progressText.text('')
-
-            @renderAttachment(response.data)
-            @$('.article-attachment input').val('')
-
-            if @callbackFileUploadStop
-              @callbackFileUploadStop()
-
-          # Called during upload progress, first parameter
-          # is decimal value from 0 to 100.
-          onProgress: (progress, fileSize, uploadedBytes) =>
-            @progressBar.width(parseInt(progress) + '%')
-            @progressText.text(parseInt(progress))
-            # hide cancel on 90%
-            if parseInt(progress) >= 90
-              @cancelContainer.addClass('hide')
-
-          # Called when upload failed
-          onError: (message) =>
-            @attachmentPlaceholder.removeClass('hide')
-            @attachmentUpload.addClass('hide')
-            @$('.article-attachment input').val('')
-
-            if @callbackFileUploadStop
-              @callbackFileUploadStop()
-
-            new App.ControllerModal(
-              head: 'Upload Failed'
-              buttonCancel: 'Cancel'
-              buttonCancelClass: 'btn--danger'
-              buttonSubmit: false
-              message: message
-              shown: true
-              small: true
-              container: @el.closest('.content')
-            )
-        )
-    )
+      attachmentPlaceholder: @attachmentPlaceholder
+      attachmentUpload:      @attachmentUpload
+      progressBar:           @progressBar
+      progressText:          @progressText
+    ).render()
 
     @bindAttachmentDelete()
 

app/assets/javascripts/app/controllers/ticket_zoom/form_handler_core_workflow.coffee

@@ -119,7 +119,9 @@ class App.FormHandlerCoreWorkflow
 
         valueFound = false
         for value in values
-          if value && paramValue
+
+          # false values are valid values e.g. for boolean fields (be careful)
+          if value isnt undefined && paramValue isnt undefined
             if value.toString() == paramValue.toString()
               valueFound = true
               break

app/assets/javascripts/app/controllers/ticket_zoom/sidebar_ticket.coffee

@@ -1,12 +1,21 @@
-class Edit extends App.ControllerObserver
-  model: 'Ticket'
-  observeNot:
-    created_at: true
-    updated_at: true
-  globalRerender: false
+# No usage of a ControllerObserver here because we want to use
+# the data of the ticket zoom ajax request which is using the all=true parameter
+# and contain the core workflow information as well. Without observer we also
+# dont have double rendering because of the zoom (all=true) and observer (full=true) render callback
+class Edit extends App.Controller
+  constructor: (params) ->
+    super
+    @controllerBind('ui::ticket::load', (data) =>
+      return if data.ticket_id.toString() isnt @ticket.id.toString()
 
-  render: (ticket, diff) =>
-    defaults = ticket.attributes()
+      @ticket   = App.Ticket.find(@ticket.id)
+      @formMeta = data.form_meta
+      @render()
+    )
+    @render()
+
+  render: =>
+    defaults = @ticket.attributes()
     delete defaults.article # ignore article infos
     followUpPossible = App.Group.find(defaults.group_id).follow_up_possible
     ticketState = App.TicketState.find(defaults.state_id).name
@@ -16,10 +25,13 @@ class Edit extends App.ControllerObserver
 
     if !_.isEmpty(taskState)
       defaults = _.extend(defaults, taskState)
+      # remove core workflow data because it should trigger a request to get data
+      # for the new ticket + eventually changed task state
+      @formMeta.core_workflow = undefined
 
     if followUpPossible == 'new_ticket' && ticketState != 'closed' ||
        followUpPossible != 'new_ticket' ||
-       @permissionCheck('admin') || ticket.currentView() is 'agent'
+       @permissionCheck('admin') || @ticket.currentView() is 'agent'
       @controllerFormSidebarTicket = new App.ControllerForm(
         elReplace:      @el
         model:          { className: 'Ticket', configure_attributes: @formMeta.configure_attributes || App.Ticket.configure_attributes }
@@ -28,7 +40,7 @@ class Edit extends App.ControllerObserver
         filter:         @formMeta.filter
         formMeta:       @formMeta
         params:         defaults
-        isDisabled:     !ticket.editable()
+        isDisabled:     !@ticket.editable()
         taskKey:        @taskKey
         core_workflow: {
           callbacks: [@markForm]
@@ -44,7 +56,7 @@ class Edit extends App.ControllerObserver
         filter:         @formMeta.filter
         formMeta:       @formMeta
         params:         defaults
-        isDisabled:     ticket.editable()
+        isDisabled:     @ticket.editable()
         taskKey:        @taskKey
         core_workflow: {
           callbacks: [@markForm]
@@ -57,8 +69,8 @@ class Edit extends App.ControllerObserver
     return if @resetBind
     @resetBind = true
     @controllerBind('ui::ticket::taskReset', (data) =>
-      return if data.ticket_id.toString() isnt ticket.id.toString()
-      @render(ticket)
+      return if data.ticket_id.toString() isnt @ticket.id.toString()
+      @render()
     )
 
 class SidebarTicket extends App.Controller
@@ -128,6 +140,7 @@ class SidebarTicket extends App.Controller
 
     @edit = new Edit(
       object_id: @ticket.id
+      ticket:    @ticket
       el:        localEl.find('.edit')
       taskGet:   @taskGet
       formMeta:  @formMeta

app/assets/javascripts/app/lib/app_post/html5_upload.coffee

@@ -0,0 +1,98 @@
+class App.Html5Upload extends App.Controller
+  uploadUrl:              null
+  maxSimultaneousUploads: 1
+  key:                    'File'
+  data:                   null
+
+  onFileStartCallback:     null
+  onFileCompletedCallback: null
+  onFileAbortedCallback:   null
+
+  dropContainer:         null
+  cancelContainer:       null
+  inputField:            null
+  attachmentPlaceholder: null
+  attachmentUpload:      null
+  progressBar:           null
+  progressText:          null
+
+  render: =>
+    html5Upload.initialize(
+      uploadUrl:              @uploadUrl
+      dropContainer:          @dropContainer.get(0)
+      cancelContainer:        @cancelContainer
+      inputField:             @inputField.get(0)
+      maxSimultaneousUploads: @maxSimultaneousUploads
+      key:                    @key
+      data:                   @data
+      onFileAdded:            @onFileAdded
+    )
+
+  onFileAdded: (file) =>
+    file.on(
+      onStart:     @onFileStart
+      onAborted:   @onFileAborted
+      onCompleted: @onFileCompleted
+      onProgress:  @onFileProgress
+      onError:     @onFileError
+    )
+
+  onFileStart: =>
+    @attachmentPlaceholder.addClass('hide')
+    @attachmentUpload.removeClass('hide')
+    @cancelContainer.removeClass('hide')
+
+    App.Log.debug 'Html5Upload', 'upload start'
+    @onFileStartCallback?()
+
+  onFileProgress: (progress, fileSize, uploadedBytes) =>
+    progress = parseInt(progress)
+
+    @progressBar.width(progress + '%')
+    @progressText.text(progress)
+    # hide cancel on 90%
+    if progress >= 90
+      @cancelContainer.addClass('hide')
+
+    App.Log.debug 'Html5Upload', 'uploadProgress ', progress
+
+
+  onFileCompleted: (response) =>
+    response = JSON.parse(response)
+
+    @hideFileUploading()
+    @onFileCompletedCallback?(response)
+
+    App.Log.debug 'Html5Upload', 'upload complete', response.data
+
+  onFileAborted: =>
+    @hideFileUploading()
+    @onFileAbortedCallback?()
+
+    App.Log.debug 'Html5Upload', 'upload aborted'
+
+  onFileError: (message) =>
+    @hideFileUploading()
+    @inputField.val('')
+
+    @callbackFileUploadStop?()
+
+    new App.ControllerModal(
+      head: 'Upload Failed'
+      buttonCancel: 'Cancel'
+      buttonCancelClass: 'btn--danger'
+      buttonSubmit: false
+      message: message || 'Cannot upload file'
+      shown: true
+      small: true
+      container: @inputField.closest('.content')
+    )
+
+    App.Log.debug 'Html5Upload', 'upload error'
+
+  hideFileUploading: =>
+    @attachmentPlaceholder.removeClass('hide')
+    @attachmentUpload.addClass('hide')
+
+    @progressBar.width('0%')
+    @progressText.text('0')

app/assets/javascripts/app/lib/base/html5Upload.js

@@ -255,7 +255,7 @@
                     manager.ajaxUpload(manager.uploadsQueue.shift());
                 }
             };
-            xhr.abort = function (event) {
+            xhr.onabort = function (event) {
                 console.log('Upload abort');
 
                 // Reduce number of active uploads:
@@ -269,6 +269,7 @@
             // Triggered when upload fails:
             xhr.onerror = function () {
                 console.log('Upload failed: ', upload.fileName);
+                upload.events.onError('Upload failed: ' + upload.fileName);
             };
 
             // Append additional data if provided:

app/assets/javascripts/app/models/knowledge_base.coffee

@@ -1,5 +1,5 @@
 class App.KnowledgeBase extends App.Model
-  @configure 'KnowledgeBase', 'iconset', 'color_highlight', 'color_header', 'translation_ids', 'locale_ids', 'homepage_layout', 'category_layout', 'custom_address'
+  @configure 'KnowledgeBase', 'iconset', 'color_highlight', 'color_header', 'color_header_link', 'translation_ids', 'locale_ids', 'homepage_layout', 'category_layout', 'custom_address'
   @extend Spine.Model.Ajax
   @extend App.KnowledgeBaseActions
   @url: @apiPath + '/knowledge_bases'
@@ -148,6 +148,17 @@ class App.KnowledgeBase extends App.Model
           display:    false
           horizontal: true
           shown:      true
+    }, {
+      name: 'color_header_link'
+      display: 'Header Link Color'
+      tag: 'color'
+      style: 'block'
+      null: false
+      screen:
+        admin_style_color_header_link:
+          display:    false
+          horizontal: true
+          shown:      true
     # Layout picker is disabled in V1
     #}, {
     #  name:     'homepage_layout'

app/assets/javascripts/app/models/user.coffee

@@ -344,9 +344,12 @@ class App.User extends App.Model
     @sameOrganization?(requester)
 
   isChangeableBy: (requester) ->
+    # full access for admins
     return true if requester.permission('admin.user')
-    # allow agents to change customers
+    # forbid non-agents to change users
     return false if !requester.permission('ticket.agent')
+    # allow agents to change customers only
+    return false if @permission(['admin.user', 'ticket.agent'])
     @permission('ticket.customer')
 
   isDeleteableBy: (requester) ->

app/assets/javascripts/app/views/customer_not_ticket_exists.jst.eco

@@ -6,11 +6,15 @@
         <% if @has_any_tickets: %>
           <p><%- @T('You have no tickets to display in this overview.') %></p>
         <% else: %>
-          <p><%- @T('You have not created a ticket yet.') %></p>
-          <p><%- @T('The way to communicate with us is this thing called "ticket".') %></p>
-          <p><%- @T('Please click the button below to create your first one.') %></p>
+          <% if @is_allowed_to_create_ticket: %>
+            <p><%- @T('You have not created a ticket yet.') %></p>
+            <p><%- @T('The way to communicate with us is this thing called "ticket".') %></p>
+            <p><%- @T('Please click the button below to create your first one.') %></p>
 
-          <p><a class="btn btn--primary" href="#customer_ticket_new"><%- @T('Create your first ticket') %></a></p>
+            <p><a class="btn btn--primary" href="#customer_ticket_new"><%- @T('Create your first ticket') %></a></p>
+          <% else: %>
+            <p><%- @T('You currently don\'t have any tickets.') %></p>
+          <% end %>
         <% end %>
       </div>
     </div>

app/assets/javascripts/app/views/data_privacy/preview.jst.eco

@@ -14,7 +14,7 @@
   </div>
   <div class="form-group js-sure">
     <h3 class="danger-color"><%- @T('Warning') %></h3>
-    <p class="danger-color"><%- @T('There is no rollback of this deletion possible. If you are absolutely sure to do this, then type in "%s" into the input.', App.i18n.translateInline('delete').toUpperCase()) %></p>
+    <p class="danger-color"><%- @T('There is no rollback of this deletion possible. If you are absolutely sure to do this, then type in "%s" into the input.', App.i18n.translatePlain('delete').toUpperCase()) %></p>
     <%- @sure_html %>
   </div>
 </div>

app/assets/javascripts/app/views/generic/attachment.jst.eco

@@ -17,7 +17,7 @@
         <%- @T('Uploading') %> (<span class="js-percentage">0</span>%) ...
       </div>
       <div class="attachmentUpload-cancel js-cancel">
-        <%- @Icon('diagonal-cross') %></div><%- @T('Cancel Upload') %>
+        <%- @Icon('diagonal-cross') %><%- @T('Cancel Upload') %>
       </div>
     </div>
     <div class="attachmentUpload-progressBar" style="width: 0%"></div>

app/assets/javascripts/app/views/knowledge_base/new_modal.coffee

@@ -26,11 +26,12 @@ class App.KnowledgeBaseNewModal extends App.ControllerModal
       App.UiElement[attribute.tag].prepareParams?(attribute, dom, params)
 
   applyDefaults: (params) ->
-    params['iconset']         = 'FontAwesome'
-    params['color_highlight'] = '#38ae6a'
-    params['color_header']    = '#f9fafb'
-    params['homepage_layout'] = 'grid'
-    params['category_layout'] = 'grid'
+    params['iconset']           = 'FontAwesome'
+    params['color_highlight']   = '#38ae6a'
+    params['color_header']      = '#f9fafb'
+    params['color_header_link'] = 'hsl(206,8%,50%)'
+    params['homepage_layout']   = 'grid'
+    params['category_layout']   = 'grid'
 
   onSubmit: (e) ->
     params = @formParams(@el)

app/assets/javascripts/app/views/knowledge_base/public_menu_manager.jst.eco

@@ -14,7 +14,7 @@
       <div class="kb-menu-preview">
         <div class="label"><%= kb_locale.systemLocale().name %></div>
 
-        <div class="kb-menu-preview-container kb-menu-preview-container--<%= location.identifier %>" style="background-color: <%= location.color %>">
+        <div class="kb-menu-preview-container kb-menu-preview-container--<%= location.identifier %>" style="background-color: <%= location.color %>; color: <%= location.color_link %>;">
           <% menu_items = App.KnowledgeBaseMenuItem.using_kb_locale_location(kb_locale, location.identifier) %>
 
           <% if menu_items.length == 0: %>

app/assets/javascripts/app/views/login.jst.eco

@@ -1,7 +1,7 @@
 <div class="login fullscreen">
   <div class="fullscreen-center">
     <div class="fullscreen-body">
-      <p><%- @T('Login with %s', @C('fqdn')) %></p>
+      <p><%- @T('Log in to %s', @C('fqdn')) %></p>
 
       <% if @C('maintenance_mode'): %>
         <div class="hero-unit alert alert--danger js-maintenanceMode"><%- @T('Zammad is currently in maintenance mode. Only administrators can login. Please wait until the maintenance window is over.') %></div>

app/assets/javascripts/app/views/package.jst.eco

@@ -3,6 +3,11 @@
 </div>
 
 <div class="page-content">
+  <p>
+    <%- @T('The installation of packages comes with security implications, because arbitrary code will be executed in the context of the Zammad application.') %>
+    <br>
+    <%- @T('Only packages from known, trusted and verfied sources should be installed.') %>
+  </p>
   <p>
     <%- @T('After installing, updating or uninstalling packages the following commands need to be executed on the server:') %>
     <ul>
@@ -48,4 +53,4 @@
     <% end %>
     </tbody>
   </table>
-</div>
+</div>

app/assets/stylesheets/zammad.scss

@@ -2661,7 +2661,7 @@ input.has-error {
   }
 
   a {
-    color: hsl(206,8%,50%);
+    color: inherit;
   }
 
   .label {
@@ -7017,8 +7017,8 @@ footer {
   .article-new .textBubble {
     border-color: #b3b3b3;
     border-radius: 5px;
-    padding-left: 0;
-    padding-right: 0;
+    padding-left: 12px;
+    padding-right: 12px;
     cursor: text;
   }
 
@@ -7051,13 +7051,23 @@ footer {
     padding: 10px 0;
     color: #b3b3b3;
     overflow: hidden;
-    @extend .u-unclickable, .u-textTruncate;
+    @extend .u-textTruncate;
   }
 
     .attachments:not(:empty) {
       padding: 9px 5px;
       border-top: 1px solid hsl(0,0%,93%);
-      margin: 6px 0 30px;
+      margin: 6px -12px 30px;
+    }
+
+    .ticket-create .attachments:not(:empty) {
+      margin-left: 0;
+      margin-right: 0;
+      margin-bottom: 56px;
+    }
+
+    .ticket-create .attachment--row {
+      line-height: 1.45;
     }
 
     .attachment.attachment--row {
@@ -8442,6 +8452,10 @@ footer {
 
   .dropdown li.with-category, .dropdown.dropdown--actions li.with-category {
     line-height: 19.5px;
+
+    small {
+      color: #fff !important;
+    }
   }
 
   .dropdown.dropdown--actions li.with-category {

app/controllers/application_controller.rb

@@ -10,8 +10,8 @@ class ApplicationController < ActionController::Base
   include ApplicationController::RendersModels
   include ApplicationController::HasUser
   include ApplicationController::HasResponseExtentions
+  include ApplicationController::HasDownload
   include ApplicationController::PreventsCsrf
-  include ApplicationController::HasSecureContentSecurityPolicyForDownloads
   include ApplicationController::LogsHttpAccess
   include ApplicationController::Authorizes
 end

app/controllers/application_controller/has_download.rb

@@ -0,0 +1,44 @@
+# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
+
+module ApplicationController::HasDownload
+  extend ActiveSupport::Concern
+
+  included do
+    around_action do |_controller, block|
+
+      subscriber = proc do
+        policy = ActionDispatch::ContentSecurityPolicy.new
+        policy.default_src :none
+
+        # The 'plugin_types' rule is deprecated and should be changed in the future.
+        policy.plugin_types 'application/pdf'
+
+        request.content_security_policy = policy
+      end
+
+      ActiveSupport::Notifications.subscribed(subscriber, 'send_file.action_controller') do
+        ActiveSupport::Notifications.subscribed(subscriber, 'send_data.action_controller') do
+          block.call
+        end
+      end
+    end
+  end
+
+  private
+
+  def file_id
+    @file_id ||= params[:id]
+  end
+
+  def download_file
+    @download_file ||= ::ApplicationController::HasDownload::DownloadFile.new(file_id, disposition: sanitized_disposition)
+  end
+
+  def sanitized_disposition
+    disposition = params.fetch(:disposition, 'inline')
+    valid_disposition = %w[inline attachment]
+    return disposition if valid_disposition.include?(disposition)
+
+    raise Exceptions::Forbidden, "Invalid disposition #{disposition} requested. Only #{valid_disposition.join(', ')} are valid."
+  end
+end

app/controllers/application_controller/has_download/download_file.rb

@@ -0,0 +1,54 @@
+# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
+
+class ApplicationController::HasDownload::DownloadFile < SimpleDelegator
+  attr_reader :requested_disposition
+
+  def initialize(id, disposition: 'inline')
+    @requested_disposition = disposition
+
+    super(Store.find(id))
+  end
+
+  def disposition
+    return 'attachment' if forcibly_download_as_binary? || !allowed_inline?
+
+    requested_disposition
+  end
+
+  def content_type
+    return ActiveStorage.binary_content_type if forcibly_download_as_binary?
+
+    file_content_type
+  end
+
+  def content(view_type)
+    return __getobj__.content if view_type.blank? || !preferences[:resizable]
+
+    return content_inline if content_inline? && view_type == 'inline'
+    return content_preview if content_preview? && view_type == 'preview'
+
+    __getobj__.content
+  end
+
+  private
+
+  def allowed_inline?
+    ActiveStorage.content_types_allowed_inline.include?(content_type)
+  end
+
+  def forcibly_download_as_binary?
+    ActiveStorage.content_types_to_serve_as_binary.include?(file_content_type)
+  end
+
+  def file_content_type
+    @file_content_type ||= preferences['Content-Type'] || preferences['Mime-Type'] || ActiveStorage.binary_content_type
+  end
+
+  def content_inline?
+    preferences[:content_inline] == true
+  end
+
+  def content_preview?
+    preferences[:content_preview] == true
+  end
+end

app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb

@@ -1,25 +0,0 @@
-# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
-
-module ApplicationController::HasSecureContentSecurityPolicyForDownloads
-  extend ActiveSupport::Concern
-
-  included do
-
-    around_action do |_controller, block|
-
-      subscriber = proc do
-        policy = ActionDispatch::ContentSecurityPolicy.new
-        policy.default_src :none
-        policy.plugin_types 'application/pdf'
-
-        request.content_security_policy = policy
-      end
-
-      ActiveSupport::Notifications.subscribed(subscriber, 'send_file.action_controller') do
-        ActiveSupport::Notifications.subscribed(subscriber, 'send_data.action_controller') do
-          block.call
-        end
-      end
-    end
-  end
-end

app/controllers/attachments_controller.rb

@@ -6,14 +6,13 @@ class AttachmentsController < ApplicationController
   prepend_before_action :authentication_check_only, only: %i[show destroy]
 
   def show
-    content   = @file.content_preview if params[:preview] && @file.preferences[:content_preview]
-    content ||= @file.content
+    view_type = params[:preview] ? 'preview' : nil
 
     send_data(
-      content,
-      filename:    @file.filename,
-      type:        @file.preferences['Content-Type'] || @file.preferences['Mime-Type'] || 'application/octet-stream',
-      disposition: sanitized_disposition
+      download_file.content(view_type),
+      filename:    download_file.filename,
+      type:        download_file.content_type,
+      disposition: download_file.disposition
     )
   end
 
@@ -52,7 +51,7 @@ class AttachmentsController < ApplicationController
   end
 
   def destroy
-    Store.remove_item(@file.id)
+    Store.remove_item(download_file.id)
 
     render json: {
       success: true,
@@ -72,18 +71,8 @@ class AttachmentsController < ApplicationController
 
   private
 
-  def sanitized_disposition
-    disposition = params.fetch(:disposition, 'inline')
-    valid_disposition = %w[inline attachment]
-    return disposition if valid_disposition.include?(disposition)
-
-    raise Exceptions::Forbidden, "Invalid disposition #{disposition} requested. Only #{valid_disposition.join(', ')} are valid."
-  end
-
   def authorize!
-    @file = Store.find(params[:id])
-
-    record = @file&.store_object&.name&.safe_constantize&.find(@file.o_id)
+    record = download_file&.store_object&.name&.safe_constantize&.find(download_file.o_id)
     authorize(record) if record
   rescue Pundit::NotAuthorizedError
     raise ActiveRecord::RecordNotFound

app/controllers/form_controller.rb

@@ -156,7 +156,7 @@ class FormController < ApplicationController
   end
 
   def token_gen(fingerprint)
-    crypt = ActiveSupport::MessageEncryptor.new(Setting.get('application_secret')[0, 32])
+    crypt = ActiveSupport::MessageEncryptor.new(Setting.get('application_secret')[0, 32], serializer: JSON)
     fingerprint = "#{Base64.strict_encode64(Setting.get('fqdn'))}:#{Time.zone.now.to_i}:#{Base64.strict_encode64(fingerprint)}"
     Base64.strict_encode64(crypt.encrypt_and_sign(fingerprint))
   end
@@ -167,7 +167,7 @@ class FormController < ApplicationController
       raise Exceptions::Forbidden
     end
     begin
-      crypt = ActiveSupport::MessageEncryptor.new(Setting.get('application_secret')[0, 32])
+      crypt = ActiveSupport::MessageEncryptor.new(Setting.get('application_secret')[0, 32], serializer: JSON)
       result = crypt.decrypt_and_verify(Base64.decode64(token))
     rescue
       Rails.logger.info 'Invalid token for form!'

app/controllers/ticket_articles_controller.rb

@@ -175,29 +175,11 @@ class TicketArticlesController < ApplicationController
     end
     raise Exceptions::Forbidden, 'Requested file id is not linked with article_id.' if !access
 
-    # find file
-    file = Store.find(params[:id])
-
-    disposition = sanitized_disposition
-
-    content = nil
-    if params[:view].present? && file.preferences[:resizable] == true
-      if file.preferences[:content_inline] == true && params[:view] == 'inline'
-        content = file.content_inline
-      elsif file.preferences[:content_preview] == true && params[:view] == 'preview'
-        content = file.content_preview
-      end
-    end
-
-    if content.blank?
-      content = file.content
-    end
-
     send_data(
-      content,
-      filename:    file.filename,
-      type:        file.preferences['Content-Type'] || file.preferences['Mime-Type'] || 'application/octet-stream',
-      disposition: disposition
+      download_file.content(params[:view]),
+      filename:    download_file.filename,
+      type:        download_file.content_type,
+      disposition: download_file.disposition
     )
   end
 
@@ -278,14 +260,4 @@ class TicketArticlesController < ApplicationController
 
     render json: result
   end
-
-  private
-
-  def sanitized_disposition
-    disposition = params.fetch(:disposition, 'inline')
-    valid_disposition = %w[inline attachment]
-    return disposition if valid_disposition.include?(disposition)
-
-    raise Exceptions::Forbidden, "Invalid disposition #{disposition} requested. Only #{valid_disposition.join(', ')} are valid."
-  end
 end

app/controllers/users_controller.rb

@@ -722,31 +722,28 @@ curl http://localhost/api/v1/users/image/8d6cca1c6bdc226cf2ba131e264ca2c7 -v -u
 =end
 
   def image
-
     # cache image
     response.headers['Expires']       = 1.year.from_now.httpdate
     response.headers['Cache-Control'] = 'cache, store, max-age=31536000, must-revalidate'
     response.headers['Pragma']        = 'cache'
 
     file = Avatar.get_by_hash(params[:hash])
+
     if file
+      file_content_type = file.preferences['Content-Type'] || file.preferences['Mime-Type']
+
+      return serve_default_image if ActiveStorage.content_types_allowed_inline.exclude?(file_content_type)
+
       send_data(
         file.content,
         filename:    file.filename,
-        type:        file.preferences['Content-Type'] || file.preferences['Mime-Type'],
+        type:        file_content_type,
         disposition: 'inline'
       )
       return
     end
 
-    # serve default image
-    image = 'R0lGODdhMAAwAOMAAMzMzJaWlr6+vqqqqqOjo8XFxbe3t7GxsZycnAAAAAAAAAAAAAAAAAAAAAAAAAAAACwAAAAAMAAwAAAEcxDISau9OOvNu/9gKI5kaZ5oqq5s675wLM90bd94ru98TwuAA+KQAQqJK8EAgBAgMEqmkzUgBIeSwWGZtR5XhSqAULACCoGCJGwlm1MGQrq9RqgB8fm4ZTUgDBIEcRR9fz6HiImKi4yNjo+QkZKTlJWWkBEAOw=='
-    send_data(
-      Base64.decode64(image),
-      filename:    'image.gif',
-      type:        'image/gif',
-      disposition: 'inline'
-    )
+    serve_default_image
   end
 
 =begin
@@ -778,6 +775,11 @@ curl http://localhost/api/v1/users/avatar -v -u #{login}:#{password} -H "Content
       return
     end
 
+    if ActiveStorage::Variant::WEB_IMAGE_CONTENT_TYPES.exclude?(file_full[:mime_type])
+      render json: { error: 'Mime type is invalid' }, status: :unprocessable_entity
+      return
+    end
+
     begin
       file_resize = StaticAssets.data_url_attributes(params[:avatar_resize])
     rescue
@@ -1061,4 +1063,15 @@ curl http://localhost/api/v1/users/avatar -v -u #{login}:#{password} -H "Content
 
     render json: { message: 'ok' }, status: :created
   end
+
+  def serve_default_image
+    image = 'R0lGODdhMAAwAOMAAMzMzJaWlr6+vqqqqqOjo8XFxbe3t7GxsZycnAAAAAAAAAAAAAAAAAAAAAAAAAAAACwAAAAAMAAwAAAEcxDISau9OOvNu/9gKI5kaZ5oqq5s675wLM90bd94ru98TwuAA+KQAQqJK8EAgBAgMEqmkzUgBIeSwWGZtR5XhSqAULACCoGCJGwlm1MGQrq9RqgB8fm4ZTUgDBIEcRR9fz6HiImKi4yNjo+QkZKTlJWWkBEAOw=='
+
+    send_data(
+      Base64.decode64(image),
+      filename:    'image.gif',
+      type:        'image/gif',
+      disposition: 'inline'
+    )
+  end
 end

app/controllers/webhooks_controller.rb

@@ -4,9 +4,7 @@ class WebhooksController < ApplicationController
   prepend_before_action { authentication_check && authorize! }
 
   def preview
-    access_condition = Ticket.access_condition(current_user, 'read')
-
-    ticket = Ticket.where(access_condition).last
+    ticket = TicketPolicy::ReadScope.new(current_user).resolve.last
 
     render json:   JSON.pretty_generate({
                                           ticket:  TriggerWebhookJob::RecordPayload.generate(ticket),

app/jobs/upload_cache_cleanup_job.rb

@@ -3,6 +3,7 @@
 class UploadCacheCleanupJob < ApplicationJob
   def perform
     taskbar_form_ids = Taskbar.with_form_id.filter_map(&:persisted_form_id)
+    return if store_object_id.blank?
 
     Store.where(store_object_id: store_object_id).where('created_at < ?', 1.month.ago).where.not(o_id: taskbar_form_ids).find_each do |store|
       Store.remove_item(store.id)
@@ -12,6 +13,6 @@ class UploadCacheCleanupJob < ApplicationJob
   private
 
   def store_object_id
-    Store::Object.lookup(name: 'UploadCache').id
+    Store::Object.lookup(name: 'UploadCache')&.id
   end
 end

app/models/application_model/can_associations.rb

@@ -121,7 +121,7 @@ returns
 
     key = "#{self.class}::aws::#{id}"
     cache = Cache.read(key)
-    return cache if cache
+    return filter_unauthorized_attributes(cache) if cache
 
     attributes = self.attributes
     relevant   = %i[has_and_belongs_to_many has_many]
@@ -160,7 +160,7 @@ returns
     filter_attributes(attributes)
 
     Cache.write(key, attributes)
-    attributes
+    filter_unauthorized_attributes(attributes)
   end
 
 =begin
@@ -234,8 +234,7 @@ returns
     end
 
     filter_attributes(attributes)
-
-    attributes
+    filter_unauthorized_attributes(attributes)
   end
 
   def filter_attributes(attributes)
@@ -243,6 +242,10 @@ returns
     attributes.except!('password', 'token', 'tokens', 'token_ids')
   end
 
+  def filter_unauthorized_attributes(attributes)
+    attributes
+  end
+
 =begin
 
 reference if association id check

app/models/avatar.rb

@@ -72,7 +72,6 @@ add avatar by url
 =end
 
   def self.add(data)
-
     # lookups
     if data[:object]
       object_id = ObjectLookup.by_name(data[:object])

app/models/channel/driver/imap.rb

@@ -7,6 +7,8 @@ class Channel::Driver::Imap < Channel::EmailParser
   FETCH_METADATA_TIMEOUT = 2.minutes
   FETCH_MSG_TIMEOUT = 4.minutes
   EXPUNGE_TIMEOUT = 16.minutes
+  DEFAULT_TIMEOUT = 45.seconds
+  CHECK_ONLY_TIMEOUT = 6.seconds
 
   def fetchable?(_channel)
     true
@@ -110,10 +112,7 @@ example
     Rails.logger.info "fetching imap (#{options[:host]}/#{options[:user]} port=#{port},ssl=#{ssl},starttls=#{starttls},folder=#{folder},keep_on_server=#{keep_on_server},auth_type=#{options.fetch(:auth_type, 'LOGIN')})"
 
     # on check, reduce open_timeout to have faster probing
-    check_type_timeout = 45
-    if check_type == 'check'
-      check_type_timeout = 6
-    end
+    check_type_timeout = check_type == 'check' ? CHECK_ONLY_TIMEOUT : DEFAULT_TIMEOUT
 
     timeout(check_type_timeout) do
       @imap = ::Net::IMAP.new(options[:host], port, ssl, nil, false)

app/models/channel/email_parser.rb

@@ -502,7 +502,7 @@ process unprocessable_mails (tmp/unprocessable_mail/*.eml) again
     path = Rails.root.join('tmp/unprocessable_mail')
     files = []
     Dir.glob("#{path}/*.eml") do |entry|
-      ticket, _article, _user, _mail = Channel::EmailParser.new.process(params, IO.binread(entry))
+      ticket, _article, _user, _mail = Channel::EmailParser.new.process(params, File.binread(entry))
       next if ticket.blank?
 
       files.push entry

app/models/core_workflow/attributes.rb

@@ -30,10 +30,26 @@ class CoreWorkflow::Attributes
     end
   end
 
+  def selectable_field?(key)
+    return if key == 'id'
+    return if !@payload['params'].key?(key)
+
+    # some objects have no attributes like "CoreWorkflow"-object as well.
+    # attributes only exists in the frontend so we skip this check
+    return true if object_elements.blank?
+
+    object_elements_hash.key?(key)
+  end
+
   def overwrite_selected(result)
     selected_attributes = selected_only.attributes
     selected_attributes.each_key do |key|
-      next if selected_attributes[key].nil?
+      next if !selectable_field?(key)
+
+      # special behaviour for owner id
+      if key == 'owner_id' && selected_attributes[key].nil?
+        selected_attributes[key] = 1
+      end
 
       result[key.to_sym] = selected_attributes[key]
     end
@@ -55,7 +71,10 @@ class CoreWorkflow::Attributes
     # dont use lookup here because the cache will not
     # know about new attributes and make crashes
     @saved_only ||= payload_class.find_by(id: @payload['params']['id'])
-    @saved_only.dup
+
+    # we use marshal here because clone still uses references and dup can't
+    # detect changes for the rails object
+    Marshal.load(Marshal.dump(@saved_only))
   end
 
   def saved
@@ -68,6 +87,10 @@ class CoreWorkflow::Attributes
     end
   end
 
+  def object_elements_hash
+    @object_elements_hash ||= object_elements.index_by { |x| x[:name] }
+  end
+
   def screen_value(attribute, type)
     attribute[:screens].dig(@payload['screen'], type)
   end

app/models/core_workflow/result/backend.rb

@@ -18,4 +18,26 @@ class CoreWorkflow::Result::Backend
   def result(backend, field, value = nil)
     @result_object.run_backend_value(backend, field, value)
   end
+
+  def saved_value
+
+    # make sure we have a saved object
+    return if @result_object.attributes.saved_only.blank?
+
+    # we only want to have the saved value in the restrictions
+    # if no changes happend to the form. If the users does changes
+    # to the form then also the saved value should get removed
+    return if @result_object.attributes.selected.changed?
+
+    # attribute can be blank e.g. in custom development
+    # or if attribute is only available in the frontend but not
+    # in the backend
+    return if attribute.blank?
+
+    @result_object.attributes.saved_attribute_value(attribute).to_s
+  end
+
+  def attribute
+    @attribute ||= @result_object.attributes.object_elements_hash[field]
+  end
 end

app/models/core_workflow/result/remove_option.rb

@@ -3,8 +3,14 @@
 class CoreWorkflow::Result::RemoveOption < CoreWorkflow::Result::BaseOption
   def run
     @result_object.result[:restrict_values][field] ||= Array(@result_object.payload['params'][field])
-    @result_object.result[:restrict_values][field] -= Array(@perform_config['remove_option'])
+    @result_object.result[:restrict_values][field] -= Array(config_value)
     remove_excluded_param_values
     true
   end
+
+  def config_value
+    result = Array(@perform_config['remove_option'])
+    result -= Array(saved_value)
+    result
+  end
 end

app/models/core_workflow/result/set_fixed_to.rb

@@ -5,21 +5,23 @@ class CoreWorkflow::Result::SetFixedTo < CoreWorkflow::Result::BaseOption
     @result_object.result[:restrict_values][field] = if restriction_set?
                                                        restrict_values
                                                      else
-                                                       replace_values
+                                                       config_value
                                                      end
     remove_excluded_param_values
     true
   end
 
+  def config_value
+    result = Array(@perform_config['set_fixed_to'])
+    result |= Array(saved_value)
+    result
+  end
+
   def restriction_set?
     @result_object.result[:restrict_values][field]
   end
 
   def restrict_values
-    @result_object.result[:restrict_values][field].reject { |v| Array(@perform_config['set_fixed_to']).exclude?(v) }
-  end
-
-  def replace_values
-    Array(@perform_config['set_fixed_to'])
+    @result_object.result[:restrict_values][field].reject { |v| config_value.exclude?(v) }
   end
 end

app/models/group.rb

@@ -12,6 +12,8 @@ class Group < ApplicationModel
   include HasTicketCreateScreenImpact
   include HasSearchIndexBackend
 
+  include Group::Assets
+
   belongs_to :email_address, optional: true
   belongs_to :signature, optional: true
 

app/models/group/assets.rb

@@ -0,0 +1,14 @@
+# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
+
+class Group
+  module Assets
+    extend ActiveSupport::Concern
+
+    def filter_unauthorized_attributes(attributes)
+      return super if UserInfo.assets.blank? || UserInfo.assets.agent?
+
+      attributes = super
+      attributes.slice('id', 'name', 'active')
+    end
+  end
+end

app/models/knowledge_base.rb

@@ -27,8 +27,9 @@ class KnowledgeBase < ApplicationModel
   validates :category_layout, inclusion: { in: KnowledgeBase::LAYOUTS }
   validates :homepage_layout, inclusion: { in: KnowledgeBase::LAYOUTS }
 
-  validates :color_highlight, presence: true, color: true
-  validates :color_header,    presence: true, color: true
+  validates :color_highlight,   presence: true, color: true
+  validates :color_header,      presence: true, color: true
+  validates :color_header_link, presence: true, color: true
 
   validates :iconset, inclusion: { in: KnowledgeBase::ICONSETS }
 

app/models/object_manager/attribute.rb

@@ -678,7 +678,7 @@ to send no browser reload event, pass false
 
 =begin
 
-where attributes are used by triggers, overviews or schedulers
+where attributes are used in conditions
 
   result = ObjectManager::Attribute.attribute_to_references_hash
 
@@ -696,22 +696,36 @@ where attributes are used by triggers, overviews or schedulers
 =end
 
   def self.attribute_to_references_hash
-    objects = Trigger.select(:name, :condition) + Overview.select(:name, :condition) + Job.select(:name, :condition)
     attribute_list = {}
-    objects.each do |item|
-      item.condition.each do |condition_key, _condition_attributes|
-        attribute_list[condition_key] ||= {}
-        attribute_list[condition_key][item.class.name] ||= []
-        next if attribute_list[condition_key][item.class.name].include?(item.name)
 
-        attribute_list[condition_key][item.class.name].push item.name
+    attribute_to_references_hash_objects
+      .map { |elem| elem.select(:name, :condition) }
+      .flatten
+      .each do |item|
+        item.condition.each do |condition_key, _condition_attributes|
+          attribute_list[condition_key] ||= {}
+          attribute_list[condition_key][item.class.name] ||= []
+          next if attribute_list[condition_key][item.class.name].include?(item.name)
+
+          attribute_list[condition_key][item.class.name].push item.name
+        end
       end
-    end
+
     attribute_list
   end
 
 =begin
 
+models that may reference attributes
+
+=end
+
+  def self.attribute_to_references_hash_objects
+    Models.all.keys.select { |elem| elem.include? ChecksConditionValidation }
+  end
+
+=begin
+
 is certain attribute used by triggers, overviews or schedulers
 
   ObjectManager::Attribute.attribute_used_by_references?('Ticket', 'attribute_name')

app/models/object_manager/element/backend.rb

@@ -43,7 +43,7 @@ class ObjectManager::Element::Backend
   end
 
   def screens
-    attribute.screens.transform_values do |permission_options|
+    @screens ||= attribute.screens.transform_values do |permission_options|
       screen_value(permission_options)
     end
   end

app/models/organization/assets.rb

@@ -70,5 +70,12 @@ returns
       end
       data
     end
+
+    def filter_unauthorized_attributes(attributes)
+      return super if UserInfo.assets.blank? || UserInfo.assets.agent?
+
+      attributes = super
+      attributes.slice('id', 'name', 'active')
+    end
   end
 end

app/models/package.rb

@@ -263,32 +263,37 @@ subsequently in a separate step.
       )
     end
 
-    # store package
-    if !data[:reinstall]
-      package_db = Package.create(meta)
-      Store.add(
-        object:        'Package',
-        o_id:          package_db.id,
-        data:          package.to_json,
-        filename:      "#{meta[:name]}-#{meta[:version]}.zpm",
-        preferences:   {},
-        created_by_id: UserInfo.current_user_id || 1,
-      )
-    end
+    Transaction.execute do
+      # store package
+      if !data[:reinstall]
+        package_db = Package.create(meta)
+        Store.add(
+          object:        'Package',
+          o_id:          package_db.id,
+          data:          package.to_json,
+          filename:      "#{meta[:name]}-#{meta[:version]}.zpm",
+          preferences:   {},
+          created_by_id: UserInfo.current_user_id || 1,
+        )
+      end
 
-    # write files
-    package['files'].each do |file|
-      permission = file['permission'] || '644'
-      content    = Base64.decode64(file['content'])
-      _write_file(file['location'], permission, content)
-    end
+      # write files
+      package['files'].each do |file|
+        if !allowed_file_path?(file['location'])
+          raise "Can't create file, because of not allowed file location: #{file['location']}!"
+        end
 
-    # update package state
-    package_db.state = 'installed'
-    package_db.save
+        permission = file['permission'] || '644'
+        content    = Base64.decode64(file['content'])
+        _write_file(file['location'], permission, content)
+      end
+
+      # update package state
+      package_db.state = 'installed'
+      package_db.save
+    end
 
     # prebuild assets
-
     package_db
   end
 
@@ -483,4 +488,9 @@ execute all pending package migrations at once
 
     true
   end
+
+  def self.allowed_file_path?(file)
+    file.exclude?('..') && file.exclude?('%2e%2e')
+  end
+  private_class_method :allowed_file_path?
 end

app/models/report/profile.rb

@@ -2,6 +2,7 @@
 
 class Report::Profile < ApplicationModel
   self.table_name = 'report_profiles'
+  include ChecksConditionValidation
   validates :name, presence: true
   store     :condition
 

app/models/role/assets.rb

@@ -60,5 +60,13 @@ returns
       end
       data
     end
+
+    def filter_unauthorized_attributes(attributes)
+      return super if UserInfo.assets.blank? || UserInfo.assets.agent?
+
+      attributes = super
+      attributes['name'] = "Role_#{id}"
+      attributes.slice('id', 'name', 'group_ids', 'permission_ids', 'active')
+    end
   end
 end

app/models/user.rb

@@ -926,17 +926,16 @@ try to find correct name
     end
 
     # check if login already exists
-    self.login = login.downcase.strip
-    check      = true
-    while check
+    base_login = login.downcase.strip
+
+    alternatives = [nil] + Array(1..20) + [ SecureRandom.uuid ]
+    alternatives.each do |suffix|
+      self.login = "#{base_login}#{suffix}"
       exists = User.find_by(login: login)
-      if exists && exists.id != id
-        self.login = "#{login}#{rand(999)}" # rubocop:disable Zammad/ForbidRand
-      else
-        check = false
-      end
+      return true if !exists || exists.id == id
     end
-    true
+
+    raise Exceptions::UnprocessableEntity, "Invalid user login generation for login #{login}!"
   end
 
   def check_mail_delivery_failed

app/models/user/assets.rb

@@ -110,5 +110,20 @@ returns
       end
       data
     end
+
+    def filter_unauthorized_attributes(attributes)
+      return super if UserInfo.assets.blank? || UserInfo.assets.agent?
+
+      # customer assets for the user session
+      if UserInfo.current_user_id == id
+        attributes = super
+        attributes.except!('web', 'phone', 'mobile', 'fax', 'department', 'street', 'zip', 'city', 'country', 'address', 'note')
+        return attributes
+      end
+
+      # customer assets for other user
+      attributes = super
+      attributes.slice('id', 'firstname', 'lastname', 'image', 'image_source', 'active')
+    end
   end
 end

app/policies/setting_policy.rb

@@ -13,6 +13,7 @@ class SettingPolicy < ApplicationPolicy
   private
 
   def permitted?
+    return false if record.preferences[:protected]
     return true if !record.preferences[:permission]
 
     user.permissions?(record.preferences[:permission])

app/policies/ticket_policy/base_scope.rb

@@ -13,7 +13,7 @@ class TicketPolicy < ApplicationPolicy
       super
     end
 
-    def resolve # rubocop:disable Metrics/AbcSize
+    def resolve # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
       raise NoMethodError, <<~ERR.chomp if instance_of?(TicketPolicy::BaseScope)
         specify an access type using a subclass of TicketPolicy::BaseScope
       ERR
@@ -26,12 +26,19 @@ class TicketPolicy < ApplicationPolicy
         bind.push(user.group_ids_access(self.class::ACCESS_TYPE))
       end
 
-      if user.organization&.shared
-        sql.push('(tickets.customer_id = ? OR tickets.organization_id = ?)')
-        bind.push(user.id, user.organization.id)
-      else
-        sql.push('tickets.customer_id = ?')
-        bind.push(user.id)
+      if user.permissions?('ticket.customer')
+        if user.organization&.shared
+          sql.push('(tickets.customer_id = ? OR tickets.organization_id = ?)')
+          bind.push(user.id, user.organization.id)
+        else
+          sql.push('tickets.customer_id = ?')
+          bind.push(user.id)
+        end
+      end
+
+      # The report permission can access all tickets.
+      if sql.empty? && !user.permissions?('report')
+        sql.push '0 = 1' # Forbid unlimited access for all other permissions.
       end
 
       scope.where sql.join(' OR '), *bind

app/policies/user_policy.rb

@@ -13,11 +13,14 @@ class UserPolicy < ApplicationPolicy
   end
 
   def update?
+    # full access for admins
     return true if user.permissions?('admin.user')
     # forbid non-agents to change users
     return false if !user.permissions?('ticket.agent')
 
-    # allow agents to change customers
+    # allow agents to change customers only
+    return false if record.permissions?(['admin.user', 'ticket.agent'])
+
     record.permissions?('ticket.customer')
   end
 

app/views/knowledge_base/public/_inline_stylesheet.html.erb

@@ -28,4 +28,8 @@
 	.header {
     background-color: <%= knowledge_base.color_header %>;
 	}
+
+  .header .menu-item {
+    color: <%= knowledge_base.color_header_link %>;
+  }
 </style>

config/initializers/html_sanitizer.rb

@@ -5,11 +5,11 @@ Rails.application.config.html_sanitizer_tags_remove_content = %w[
   style
   comment
   meta
+  script
 ]
 
 # content of this tags will will be inserted html quoted
 Rails.application.config.html_sanitizer_tags_quote_content = %w[
-  script
 ]
 
 # only this tags are allowed

config/initializers/inflections.rb

@@ -21,7 +21,7 @@ ActiveSupport::Inflector.inflections(:en) do |inflect|
 
   # Rails thinks the singularized version of knowledge_bases is knowledge_basis?!
   # see: KnowledgeBase.table_name.singularize
-  inflect.singular(%r{(knowledge_base)s$}i, '\1')
+  inflect.irregular 'base', 'bases'
   inflect.acronym 'SMIME'
   inflect.acronym 'GitLab'
   inflect.acronym 'GitHub'

contrib/packager.io/functions

@@ -228,7 +228,7 @@ function create_webserver_config () {
 function setup_elasticsearch () {
   echo "# Configuring Elasticsearch..."
 
-  ES_CONNECTION="$(zammad run rails r "puts Setting.get('es_url')"| tail -n 1 2>> /dev/null)"
+  ES_CONNECTION="$(zammad run rails r "puts '',Setting.get('es_url')"| tail -n 1 2>> /dev/null)"
 
   if [ -z "${ES_CONNECTION}" ]; then
     echo "-- Nevermind, no es_url is set, leaving Elasticsearch untouched ...!"
@@ -273,6 +273,9 @@ function elasticsearch_searchindex_rebuild () {
 
 function update_or_install () {
 
+  echo "# Clear cache..."
+  zammad run rails r Cache.clear
+
   if [ -f ${ZAMMAD_DIR}/config/database.yml ]; then
     update_database
 

db/migrate/20190531180304_initialize_knowledge_base.rb

@@ -8,8 +8,9 @@ class InitializeKnowledgeBase < ActiveRecord::Migration[5.0]
     create_table :knowledge_bases do |t|
       t.string :iconset, limit: 30, null: false
 
-      t.string :color_highlight, limit: 25, null: false
-      t.string :color_header,    limit: 25, null: false
+      t.string :color_highlight,   limit: 25, null: false
+      t.string :color_header,      limit: 25, null: false
+      t.string :color_header_link, limit: 25, null: false
 
       t.string :homepage_layout, null: false
       t.string :category_layout, null: false

db/migrate/20210128131507_init_core_workflow.rb

@@ -75,6 +75,8 @@ class InitCoreWorkflow < ActiveRecord::Migration[5.2]
 
   def fix_pending_time
     pending_time = ObjectManager::Attribute.find_by(name: 'pending_time', object_lookup: ObjectLookup.find_by(name: 'Ticket'))
+    return if pending_time.blank?
+
     pending_time.data_option.delete('required_if')
     pending_time.data_option.delete('shown_if')
     pending_time.save
@@ -83,6 +85,8 @@ class InitCoreWorkflow < ActiveRecord::Migration[5.2]
   def fix_organization_screens
     %w[domain note].each do |name|
       field = ObjectManager::Attribute.find_by(name: name, object_lookup: ObjectLookup.find_by(name: 'Organization'))
+      next if field.blank?
+
       field.screens['create'] ||= {}
       field.screens['create']['-all-'] ||= {}
       field.screens['create']['-all-']['null'] = true
@@ -93,6 +97,8 @@ class InitCoreWorkflow < ActiveRecord::Migration[5.2]
   def fix_user_screens
     %w[email web phone mobile organization_id fax department street zip city country address password vip note role_ids].each do |name|
       field = ObjectManager::Attribute.find_by(name: name, object_lookup: ObjectLookup.find_by(name: 'User'))
+      next if field.blank?
+
       field.screens['create'] ||= {}
       field.screens['create']['-all-'] ||= {}
       field.screens['create']['-all-']['null'] = true

db/migrate/20210830174638_maintenance_improve_setting_preferences.rb

@@ -0,0 +1,15 @@
+# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
+
+class MaintenanceImproveSettingPreferences < ActiveRecord::Migration[6.0]
+  def change
+    return if !Setting.exists?(name: 'system_init_done')
+
+    protected_settings = %w[application_secret]
+
+    protected_settings.each do |name|
+      setting = Setting.find_by(name: name)
+      setting.preferences[:protected] = true
+      setting.save!
+    end
+  end
+end

db/migrate/20210921112300_issue_3751_missing_workflow_screens.rb

@@ -11,6 +11,8 @@ class Issue3751MissingWorkflowScreens < ActiveRecord::Migration[6.0]
   def fix_organization_screens_create
     %w[name shared domain_assignment active].each do |name|
       field = ObjectManager::Attribute.find_by(name: name, object_lookup: ObjectLookup.find_by(name: 'Organization'))
+      next if field.blank?
+
       field.screens['create'] ||= {}
       field.screens['create']['-all-'] ||= {}
       field.screens['create']['-all-']['null'] = false
@@ -21,6 +23,8 @@ class Issue3751MissingWorkflowScreens < ActiveRecord::Migration[6.0]
   def fix_user_screens_create
     %w[firstname lastname active].each do |name|
       field = ObjectManager::Attribute.find_by(name: name, object_lookup: ObjectLookup.find_by(name: 'User'))
+      next if field.blank?
+
       field.screens['create'] ||= {}
       field.screens['create']['-all-'] ||= {}
       field.screens['create']['-all-']['null'] = false

db/migrate/20210923172256_issue_2619_kb_header_link_color.rb

@@ -0,0 +1,11 @@
+# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
+
+class Issue2619KbHeaderLinkColor < ActiveRecord::Migration[6.0]
+  def up
+    return if !Setting.exists?(name: 'system_init_done')
+
+    add_column :knowledge_bases, :color_header_link, :string, limit: 25, null: false, default: 'hsl(206,8%,50%)'
+    change_column_default :knowledge_bases, :color_header_link, nil
+    KnowledgeBase.reset_column_information
+  end
+end

db/migrate/20210929161701_reload_after_core_workflow.rb

@@ -0,0 +1,11 @@
+# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
+
+class ReloadAfterCoreWorkflow < ActiveRecord::Migration[6.0]
+  def up
+
+    # return if it's a new setup
+    return if !Setting.exists?(name: 'system_init_done')
+
+    AppVersion.set(true, 'app_version')
+  end
+end

db/migrate/20211004111501_reload_after_core_workflow_again.rb

@@ -0,0 +1,11 @@
+# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
+
+class ReloadAfterCoreWorkflowAgain < ActiveRecord::Migration[6.0]
+  def up
+
+    # return if it's a new setup
+    return if !Setting.exists?(name: 'system_init_done')
+
+    AppVersion.set(true, 'app_version')
+  end
+end

db/migrate/20211005110047_issue3787_fix_job.rb

@@ -0,0 +1,11 @@
+# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
+
+class Issue3787FixJob < ActiveRecord::Migration[6.0]
+  def change
+
+    # return if it's a new setup
+    return if !Setting.exists?(name: 'system_init_done')
+
+    Scheduler.find_by(name: 'Delete old upload cache entries.').update(error_message: nil, status: nil, active: true)
+  end
+end

db/seeds/settings.rb

@@ -9,6 +9,7 @@ Setting.create_if_not_exists(
   state:       SecureRandom.hex(128),
   preferences: {
     permission: ['admin'],
+    protected:  true,
   },
   frontend:    false
 )

lib/fill_db.rb

@@ -1,7 +1,5 @@
 # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
 
-require 'faker'
-
 # rubocop:disable Rails/Output
 module FillDb
 
@@ -55,7 +53,7 @@ or if you only want to create 100 tickets
     else
       (1..organizations).each do
         ActiveRecord::Base.transaction do
-          organization = Organization.create!(name: "FillOrganization::#{Faker::Number.number(digits: 6)}", active: true)
+          organization = Organization.create!(name: "FillOrganization::#{counter}", active: true)
           organization_pool.push organization
         end
       end
@@ -72,7 +70,7 @@ or if you only want to create 100 tickets
 
       (1..agents).each do
         ActiveRecord::Base.transaction do
-          suffix = Faker::Number.number(digits: 5).to_s
+          suffix = counter.to_s
           user = User.create_or_update(
             login:     "filldb-agent-#{suffix}",
             firstname: "agent #{suffix}",
@@ -102,7 +100,7 @@ or if you only want to create 100 tickets
 
       (1..customers).each do
         ActiveRecord::Base.transaction do
-          suffix = Faker::Number.number(digits: 5).to_s
+          suffix = counter.to_s
           organization = nil
           if organization_pool.present? && true_or_false.sample
             organization = organization_pool.sample
@@ -132,7 +130,7 @@ or if you only want to create 100 tickets
     else
       (1..groups).each do
         ActiveRecord::Base.transaction do
-          group = Group.create!(name: "FillGroup::#{Faker::Number.number(digits: 6)}", active: true)
+          group = Group.create!(name: "FillGroup::#{counter}", active: true)
           group_pool.push group
           Role.where(name: 'Agent').first.users.where(active: true).each do |user|
             user_groups = user.groups
@@ -150,7 +148,7 @@ or if you only want to create 100 tickets
       (1..overviews).each do
         ActiveRecord::Base.transaction do
           Overview.create!(
-            name:      "Filloverview::#{Faker::Number.number(digits: 6)}",
+            name:      "Filloverview::#{counter}",
             role_ids:  [Role.find_by(name: 'Agent').id],
             condition: {
               'ticket.state_id' => {
@@ -185,7 +183,7 @@ or if you only want to create 100 tickets
         customer = customer_pool.sample
         agent    = agent_pool.sample
         ticket = Ticket.create!(
-          title:         "some title äöüß#{Faker::Number.number(digits: 6)}",
+          title:         "some title äöüß#{counter}",
           group:         group_pool.sample,
           customer:      customer,
           owner:         agent,
@@ -200,8 +198,8 @@ or if you only want to create 100 tickets
           ticket_id:     ticket.id,
           from:          customer.email,
           to:            'some_recipient@example.com',
-          subject:       "some subject#{Faker::Number.number(digits: 6)}",
-          message_id:    "some@id-#{Faker::Number.number(digits: 6)}",
+          subject:       "some subject#{counter}",
+          message_id:    "some@id-#{counter}",
           body:          'some message ...',
           internal:      false,
           sender:        Ticket::Article::Sender.where(name: 'Customer').first,
@@ -214,5 +212,10 @@ or if you only want to create 100 tickets
       end
     end
   end
+
+  def self.counter
+    @counter ||= SecureRandom.random_number(1_000_000)
+    @counter += 1
+  end
 end
 # rubocop:enable Rails/Output

lib/github/http_client.rb

@@ -1,12 +1,14 @@
 # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
 
+require 'uri'
+
 class GitHub
   class HttpClient
     attr_reader :api_token, :endpoint
 
     def initialize(endpoint, api_token)
       raise 'api_token required' if api_token.blank?
-      raise 'endpoint required' if endpoint.blank?
+      raise 'endpoint required' if endpoint.blank? || endpoint.exclude?('/graphql') || endpoint.scan(URI::DEFAULT_PARSER.make_regexp).blank?
 
       @api_token = api_token
       @endpoint  = endpoint
@@ -30,7 +32,7 @@ class GitHub
 
       if !response.success?
         Rails.logger.error response.error
-        raise "Error while requesting GitHub GraphQL API: #{response.error}"
+        raise 'GitHub request failed! Please have a look at the log file for details'
       end
 
       response.data

lib/gitlab/http_client.rb

@@ -1,12 +1,14 @@
 # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
 
+require 'uri'
+
 class GitLab
   class HttpClient
     attr_reader :api_token, :endpoint
 
     def initialize(endpoint, api_token)
       raise 'api_token required' if api_token.blank?
-      raise 'endpoint required' if endpoint.blank?
+      raise 'endpoint required' if endpoint.blank? || endpoint.exclude?('/graphql') || endpoint.scan(URI::DEFAULT_PARSER.make_regexp).blank?
 
       @api_token = api_token
       @endpoint = endpoint
@@ -30,7 +32,7 @@ class GitLab
 
       if !response.success?
         Rails.logger.error response.error
-        raise "Error while requesting GitLab GraphQL API: #{response.error}"
+        raise 'GitLab request failed! Please have a look at the log file for details'
       end
 
       response.data

lib/html_sanitizer.rb

@@ -161,8 +161,8 @@ satinize html string based on whiltelist
         # wrap plain-text URLs in <a> tags
         if node.is_a?(Nokogiri::XML::Text) && node.content.present? && node.content.include?(':') && node.ancestors.map(&:name).exclude?('a')
           urls = URI.extract(node.content, LINKABLE_URL_SCHEMES)
-                    .map { |u| u.sub(%r{[,.]$}, '') }      # URI::extract captures trailing dots/commas
-                    .reject { |u| u.match?(%r{^[^:]+:$}) } # URI::extract will match, e.g., 'tel:'
+                    .map { |u| u.sub(%r{[,.]$}, '') } # URI::extract captures trailing dots/commas
+                    .grep_v(%r{^[^:]+:$}) # URI::extract will match, e.g., 'tel:'
 
           next if urls.blank?
 

lib/notification_factory/mailer.rb

@@ -324,7 +324,8 @@ returns
       locale:   data[:locale],
       timezone: data[:timezone],
       template: template[:subject],
-      escape:   false
+      escape:   false,
+      trusted:  true,
     ).render
 
     # strip off the extra newline at the end of the subject to avoid =0A suffixes (see #2726)
@@ -334,7 +335,8 @@ returns
       objects:  data[:objects],
       locale:   data[:locale],
       timezone: data[:timezone],
-      template: template[:body]
+      template: template[:body],
+      trusted:  true,
     ).render
 
     if !data[:raw]
@@ -348,7 +350,8 @@ returns
         objects:  data[:objects],
         locale:   data[:locale],
         timezone: data[:timezone],
-        template: application_template
+        template: application_template,
+        trusted:  true,
       ).render
     end
     {

lib/notification_factory/renderer.rb

@@ -13,7 +13,8 @@ examples how to use
       locale: 'de-de',
       timezone: 'America/Port-au-Prince',
       template: 'some template <b>#{ticket.title}</b> {config.fqdn}',
-      escape: false
+      escape: false,
+      trusted: false, # Allow ERB tags in the template?
     ).render
 
     message_body = NotificationFactory::Renderer.new(
@@ -27,16 +28,20 @@ examples how to use
 
 =end
 
-  def initialize(objects:, template:, locale: nil, timezone: nil, escape: true)
+  def initialize(objects:, template:, locale: nil, timezone: nil, escape: true, trusted: false) # rubocop:disable Metrics/ParameterLists
     @objects  = objects
     @locale   = locale || Locale.default
     @timezone = timezone || Setting.get('timezone_default')
-    @template = NotificationFactory::Template.new(template, escape)
+    @template = NotificationFactory::Template.new(template, escape, trusted)
     @escape = escape
   end
 
   def render
     ERB.new(@template.to_s).result(binding)
+  rescue Exception => e # rubocop:disable Lint/RescueException
+    raise StandardError, e.message if e.is_a? SyntaxError
+
+    raise
   end
 
   # d - data of object

lib/notification_factory/slack.rb

@@ -46,14 +46,16 @@ returns
       locale:   data[:locale],
       timezone: data[:timezone],
       template: template[:subject],
-      escape:   false
+      escape:   false,
+      trusted:  true
     ).render
     message_body = NotificationFactory::Renderer.new(
       objects:  data[:objects],
       locale:   data[:locale],
       timezone: data[:timezone],
       template: template[:body],
-      escape:   false
+      escape:   false,
+      trusted:  true
     ).render
 
     if !data[:raw]
@@ -68,7 +70,8 @@ returns
         locale:   data[:locale],
         timezone: data[:timezone],
         template: application_template,
-        escape:   false
+        escape:   false,
+        trusted:  true
       ).render
     end
     {

lib/notification_factory/template.rb

@@ -9,17 +9,21 @@ examples how to use
     cleaned_template = NotificationFactory::Template.new(
       'some template <b>#{ticket.title}</b> #{config.fqdn}',
       true,
+      false,  # Allow ERB tags in the template?
     ).to_s
 
 =end
 
-  def initialize(template, escape)
+  def initialize(template, escape, trusted)
     @template = template
-    @escape = escape
+    @escape   = escape
+    @trusted  = trusted
   end
 
   def to_s
-    @template.gsub(%r{\#{\s*(.*?)\s*}}m) do
+    result = @template
+    result.gsub!(%r{<%(?!%)}, '<%%') if !@trusted
+    result.gsub(%r{\#{\s*(.*?)\s*}}m) do
       # some browsers start adding HTML tags
       # fixes https://github.com/zammad/zammad/issues/385
       input_template = $1.gsub(%r{\A<.+?>\s*|\s*<.+?>\z}, '')

lib/session_helper.rb

@@ -4,7 +4,7 @@ module SessionHelper
   def self.json_hash(user)
     collections, assets = default_collections(user)
     {
-      session:     user.filter_attributes(user.attributes),
+      session:     user.filter_unauthorized_attributes(user.filter_attributes(user.attributes)),
       models:      models(user),
       collections: collections,
       assets:      assets,

lib/user_info.rb

@@ -7,6 +7,11 @@ module UserInfo
 
   def self.current_user_id=(user_id)
     Thread.current[:user_id] = user_id
+    Thread.current[:assets]  = UserInfo::Assets.new(user_id)
+  end
+
+  def self.assets
+    Thread.current[:assets]
   end
 
   def self.ensure_current_user_id

lib/user_info/assets.rb

@@ -0,0 +1,52 @@
+# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
+
+class UserInfo::Assets
+  LEVEL_CUSTOMER = 1
+  LEVEL_AGENT    = 2
+  LEVEL_ADMIN    = 3
+
+  attr_accessor :current_user_id, :level, :filter_attributes, :user
+
+  def initialize(current_user_id)
+    @current_user_id = current_user_id
+    @user = User.find_by(id: current_user_id) if current_user_id.present?
+
+    set_level
+  end
+
+  def admin?
+    check_level?(UserInfo::Assets::LEVEL_ADMIN)
+  end
+
+  def agent?
+    check_level?(UserInfo::Assets::LEVEL_AGENT)
+  end
+
+  def customer?
+    check_level?(UserInfo::Assets::LEVEL_CUSTOMER)
+  end
+
+  def set_level
+    if user.blank?
+      self.level = nil
+      return
+    end
+
+    self.level = UserInfo::Assets::LEVEL_CUSTOMER
+    Permission.where(id: user.permissions_with_child_ids).each do |permission|
+      case permission.name
+      when %r{^admin\.}
+        self.level = UserInfo::Assets::LEVEL_ADMIN
+        break
+      when 'ticket.agent'
+        self.level = UserInfo::Assets::LEVEL_AGENT
+      end
+    end
+  end
+
+  def check_level?(check)
+    return true if user.blank?
+
+    level >= check
+  end
+end

public/assets/chat/Dockerfile

@@ -0,0 +1,16 @@
+FROM node:8-alpine
+
+ENV GULP_DIR "/tmp/gulp"
+
+RUN apk update && apk add bash
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+CMD bash # If you want to override CMD
+RUN npm install -g gulp
+
+COPY docker-entrypoint.sh /
+
+# enable volume to generate build files into the hosts FS
+VOLUME ["$GULP_DIR"]
+
+# start
+ENTRYPOINT ["/docker-entrypoint.sh"]

public/assets/chat/README.md

@@ -0,0 +1,5 @@
+# Zammad Chat build
+
+This folder contains a `docker` image and the required files to build the Zammad Chat from coffeescript and eco files. This workaround is required for now because of the outdated NodeJS 8 dependency.
+
+The build process can easily be started by executing the `build.sh` file. There is nothing more to it except of having `docker` installed and running.

public/assets/chat/build.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -o errexit
+set -o pipefail
+
+docker build --no-cache -t zammad/chat-build:latest .
+
+docker run --rm -v "$(pwd)/:/tmp/gulp" zammad/chat-build:latest

public/assets/chat/chat-no-jquery.coffee

@@ -762,7 +762,11 @@ do(window) ->
       console.log('p', docType, text)
       if docType is 'html'
         html = document.createElement('div')
-        html.innerHTML = text
+        # can't log because might contain malicious content
+        # @log.debug 'HTML clipboard', text
+        sanitized = DOMPurify.sanitize(text)
+        @log.debug 'sanitized HTML clipboard', sanitized
+        html.innerHTML = sanitized
         match = false
         htmlTmp = text
         regex = new RegExp('<(/w|w)\:[A-Za-z]')

public/assets/chat/chat.coffee

@@ -718,7 +718,9 @@ do($ = window.jQuery, window) ->
           text = text.replace(/<div><\/div>/g, '<div><br></div>')
         console.log('p', docType, text)
         if docType is 'html'
-          html = $("<div>#{text}</div>")
+          sanitized = DOMPurify.sanitize(text)
+          @log.debug 'sanitized HTML clipboard', sanitized
+          html = $("<div>#{sanitized}</div>")
           match = false
           htmlTmp = text
           regex = new RegExp('<(/w|w)\:[A-Za-z]')

public/assets/chat/chat.css

@@ -314,6 +314,7 @@
   line-height: 1.4em;
   font-size: inherit;
   -webkit-appearance: none;
+  -moz-appearance: none;
   appearance: none;
   border: none;
   background: none;
@@ -329,6 +330,7 @@
 
 .zammad-chat-button {
   -webkit-appearance: none;
+  -moz-appearance: none;
   appearance: none;
   font-family: inherit;
   font-size: inherit;
@@ -349,6 +351,7 @@
 
 .zammad-chat-button:disabled,
 .zammad-chat-input:disabled {
+  cursor: not-allowed;
   opacity: 0.3; }
 
 .zammad-chat-is-hidden {

public/assets/chat/docker-entrypoint.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+cd "${GULP_DIR}" || exit
+
+gulp js css no-jquery