Author: sunnavy
Author Date: 2018-08-17 13:12:47 UTC

Cache `clear` output to avoid unnecessary system calls for better performance

Repeatly system calls is expensive enough to slow down the process a lot
when database is huge. In some worst cases, it even could make
rt-importer 1000x slower.

Author: sunnavy
Author Date: 2018-07-27 17:54:30 UTC

Add TotalTimeLeft tests

It's generally copied from total-time-worked.t with tweaked variable names.

Author: sunnavy
Author Date: 2018-07-24 19:31:26 UTC

Make dropzone error mark obvious by using the same red color as error message

Author: Craig Kaiser
Author Date: 2018-07-05 20:10:43 UTC

Only show watcher table header after rights check

Ensure that a user without rights to view groups cannot brute
force group names.

References:
https://forum.bestpractical.com/t/using-groups-to-add-ticket-ccs-bug-or-incorrect-permissions/33085

Author: sunnavy
Author Date: 2018-07-11 17:34:03 UTC

Skip old tests when we didn't filter invalid email addresses

For invalid addresses like "foo\@example.com\nEvil: yes\n\nMalicious",
previously we extracted "foo@example.com", but as we switched to
RT::EmailParser::ParseEmailAddress, we won't extract anything from that
string.

Author: Jim Brandt
Author Date: 2018-06-22 20:46:07 UTC

Add upgrading docs for 4.6

Author: Maureen E. Mirville
Author Date: 2018-06-01 17:04:00 UTC

Add SetCSPHeaders as a config option

Give users the option to enable the HTTP Content Security Policy (CSP) which
helps prevent cross-site scripting (XSS) attacks by blocking potentially
malicious code that could be hidden in inline javascript or styling. Additional
CSP directives can also optionally be added.

Author: Maureen E. Mirville
Author Date: 2018-05-29 18:41:36 UTC

Move inline javascript to share/static directory

In an effort to comply with the new Content Security Policies,
inline javascript has been removed from share/html files, except
those containing perl variables.

Author: sunnavy
Author Date: 2018-05-25 13:51:11 UTC

Option SelectNewTicketQueue to render related elements in ShowLinks or not

It's also useful when people want to include ShowLinks in a form, since
nested form is not allowed and could break HTML badly.

Author: Brian C. Duggan
Author Date: 2018-05-16 22:06:34 UTC

WIP Add high-level secure email documentation

Author: sunnavy
Author Date: 2018-04-25 19:05:46 UTC

Simplify custom field changes in ticket history

Especially for fields with long values, "... changed to ..." is not
quite easy to parse. This change shows a shortcut version by default,
while also provides the full version in a hidden div, of which the
visibility could be toggled via the "Details" link.

Author: sunnavy
Author Date: 2018-04-13 18:57:42 UTC

Use $Config{perlpath} in shebang to make sure path info exists

$^X is "perl" instead of "/usr/bin/perl" on Mac OS(mine is 11.13.4) if
you run perl without path info like "perl -Ilib t/api/safe-run-child-util.t".

In that case, the "#!perl" shebang confused system, and the exec died
with error of "No such file or directory".

Author: sunnavy
Author Date: 2018-04-13 15:35:19 UTC

Fix the file name in the schema missing error message

Previously, there was "$file = $self->GetVersionFile( $dbh, $file )", so
$file could be undef if the version file couldn't be found. Sadly, we
used the same $file in the upcoming missing error message, so we got:

    ERROR: Couldn't find schema file(s) '*'

Author: sunnavy
Author Date: 2018-04-13 00:23:34 UTC

SuperUser is special enough to be highlighted

Author: sunnavy
Author Date: 2018-04-05 11:37:42 UTC

Hide texts in multipart/related only if it has a perferred alternative

In 4a38585f, we added code to handle the following structure:

    multipart/alternative
        text/plain
        multipart/related
            text/html
            image/png

That commit treats "multipart/related" as "multipart/alternative",
assuming "multipart/related" is always under "multiplart/alternative",
which is sadly not always correct, recently we encountered an email with
a structure like:

    multipart/related
        text/plain
        image/png

It doesn't have a corresponding "text/html" alternative, so if user
prefers rich text, only the "image/png" shows up on ticket display page.
This commit fixes it by checking if "multipart/related" is really under
"multiplart/alternative".

Author: sunnavy
Author Date: 2018-04-02 20:40:39 UTC

Don't show empty custom field groupings

For current ShowCustomFieldCustomGroupings, "hide_empty" doesn't work
because it returns div/form blocks even there are no custom fields to
show. This commit fixes it by adding another "hide empty" logic(it also
respects the "MassageCustomFields" callback in ShowCustomFields).

Author: Brian C. Duggan
Author Date: 2018-03-15 20:55:53 UTC

WIP: Make the ticket timer window vertical resize work

Use 'display: table*' styled divs. This allows top and bottom edges of
table-cell styled divs to "stick" to each other, regardless of viewport
height.

Normally, we might use JavaScript to update the the viewport height as the
user resizes the window. But a new-ish CSS length measurement, "vh",
allows divs to change their heights in relation to the viewport height
automatically. This change also converts the ticket timer to use that
length measurement.

The vertical resizing component of this change works well. But
converting the ticket timer divs to use table display style required
breaking the existing styling, like borders and background color. Those
could probably be split up in to gutter-top, gutter-middle, and
gutter-bottom classes to apply to the 'table-header-row',
'table-row', and 'table-footer-row' styled divs.

Author: sunnavy
Author Date: 2018-02-13 19:00:14 UTC

update tests for the shared setting access logic change(no group member limit)

Author: Craig Kaiser
Author Date: 2018-02-05 19:50:19 UTC

Hide Queue if Requestor does not have right to see

It is possible for a User to be a Requestor on a Ticket and not have the
right to view the Tickets Queue. If this is the case, when editing
basics the current Queue cannot be displayed as the dropdown value for
Queue. Thus resulting in the next available Queue being submitted as the
new Queue for the Ticket. This causes unwanted Queue changed to the
Ticket.

Author: sunnavy
Author Date: 2018-02-06 14:04:59 UTC

duplicated ocf sort order tests

Author: Maureen E. Mirville
Author Date: 2017-12-18 14:50:02 UTC

Update tests for 'SeeGroupDashboard' or 'ShowSavedSearches' bug fix

Tests updated for group rights granted on another group (see
previous commit #16698563) bug fix.

Author: Alex Vandiver
Author Date: 2017-11-08 02:30:14 UTC

Add a critical error if DB connections are shared across the fork

rt-server takes pains to close down the database connection before
handing off control to the PSGI server, such that the database
connection is not preserved across the `fork`. DB connections which
are so shared result in undefined behavior -- postgres, for instance,
will reuse the same statement ids on the handle in different
processes, resulting in errors of the form:

    DBD::Pg::st execute failed: ERROR: prepared statement "dbdpg_p4068_1" already exists

However, nothing prevents extensions from recreating the DB connection
during their `to_app` methods -- RT::Extension::REST2-1.00 erroneously
does so, for instance.

While we could force-unset the connections, this would serve as a
continuation of the mostly-silent error. Instead, add an explicit
error which causes server startup to fail, encouraging users to check
for updated versions of plugins which will right the error.

Author: craig
Author Date: 2017-10-16 16:55:04 UTC

Added documentation for Custom Fields categories

Author: Jim Brandt
Author Date: 2017-09-22 15:31:43 UTC

Add docs regarding UniqueValues missing column warning

An upgrade step in 4.3.6 creates a new custom field for
CFs that have a category but no CF defined for the BasedOn
field. Creating the new CF before the new CF columns are
added in the 4.4.2 upgrade fails. Add docs with a workaround
since this should impact relatively few users.

Author: Jim Brandt
Author Date: 2017-09-14 17:35:50 UTC

Add charts_cache timestamp and clear old cache entries

In typical usage, the charts_cache in the session is cleared
as it is used when a chart is displayed. However, for session stores
that don't support locking, multiple requests can access the session
at the same time and cached charts can end up being written back to
the session after they are deleted.

Add a timestamp for charts_cache entries and a function to clear
entries older than one minute. This doesn't solve the root cause,
but it does provide one more opportunity to clear old cache entries
to prevent them for growing for the lifetime of the session.

Author: Alex Vandiver
Author Date: 2017-09-07 09:54:55 UTC

Add a failing test with a subjectAltName SMIME certificate

Many certificates in the wild to not have emailAddress set, but rather
have one or more subjectAltName attributes, with email addresses
therein. Add such a certificate, and a failing test based on it.

Author: Jim Brandt
Author Date: 2017-09-01 19:33:58 UTC

Add > as another character to exclude when parsing a URL anchor

A user reported that for URLs with an anchor (in the form #anchor)
and a trailing >, MakeClicky would include the > in the parsed URL,
creating an incorrect link. Add > to the characters to exclude.

Author: Shawn M Moore
Author Date: 2017-08-15 18:49:11 UTC

Make booleans with RadioStyle use true/false logic

Rather than tri-value

Author: Brian C. Duggan
Author Date: 2017-08-08 19:27:34 UTC

Update Sphinx indexer query to match native indexers.

The MySQL and PostgreSQL indexing queries for full-text search have
been updated to include deleted tickets, HTML content, and exclude
content in email transactions. But the Sphinx query that
rt-setup-fulltext-index prints to stdout wasn't similarly updated. The
user must then install the query from rt-setup-fulltext-index. This
change updates the Sphinx query to match the functionality of the
native indexer queries.

Author: Jim Brandt
Author Date: 2017-07-31 19:07:17 UTC

Pass args through to MassagePortlets callback

Author: Shawn M Moore
Author Date: 2017-07-13 16:22:15 UTC

Fix example config typo

Author: Shawn M Moore
Author Date: 2017-07-03 16:15:08 UTC

Show recipients in "Outgoing email recorded" transactions

This moves the logic to skip rendering the email body in transaction
history from ShowTransaction to ShowTransactionAttachments since we want
the message headers to be rendered.

Fixes: T#32881

Author: Shawn M Moore
Author Date: 2017-06-02 22:25:11 UTC

Enforce SeeCustomRole and ModifyCustomRole

Author: Aaron Kondziela
Author Date: 2017-05-05 00:06:57 UTC

Add schema upgrade templates and upgrade-fulltext tool

Author: Dave Goehrig
Author Date: 2017-04-12 13:24:42 UTC

Fix changing start time based on SLA

When you have multiple SLA levels with different start
times, the SLA's start time was not changing. This patch
removes the check for the ticket's Starts field being set,
but has the downside of the setting of start time will
happen on most transactions.

Fixes: I#32028

Author: Shawn M Moore
Author Date: 2017-03-27 20:51:39 UTC

Add --update-existing to rt-importer

This lets you take updates from the dump for a subset of your record
types.

Author: Jim Brandt
Author Date: 2017-03-14 20:59:32 UTC

Record transaction CF updates even when no update message is provided

Provide a way for transaction CFs to be recorded even when an
update mesage is not provided and TimeWorked isn't updated.
Transaction CFs submitted without other associated transactions
will create a new transaction to record the transaction CF values.

Author: Aaron Kondziela
Author Date: 2017-03-14 04:09:54 UTC

Add AfterUpdate callbacks to Admin section of web UI

The AfterUpdate callbacks support logging, auditing, etc., for changes made
to RT configuration via the Admin section.

Fixes T#180410

Author: Shawn M Moore
Author Date: 2017-02-09 21:26:52 UTC

Skip PJAX for "mark all messages as seen"

There seems to be a bug in jquery-pjax where if RT redirects you to back
to the same URL with an #anchor, pjax ignores it, because the hash is
taken from the request URL, not the response's Location: URL.

Fixes: T#181100

Author: Aaron Kondziela
Author Date: 2016-09-27 01:50:28 UTC

Improve password complexity configuration

This expands the basic MinimumPasswordLength configuration option into a
set of options under the new PasswordPolicy key. The new options allow
checks for a minimum number of various classes of character.

The web interface password fields are longer, to encourage use of a long
passphrase. Some basic guidance for selecting a good password is displayed.
The password requirements, as configured, are displayed to the user when
they are entering a new password.

Fixes: T#161950

Author: Dustin Collins
Author Date: 2016-09-04 01:39:17 UTC

Hide scrip custom code fields when appropriate

The textareas for condition, action prepare, and action commit code
only make sense for scrips that use "User Defined" condition or action.
This commit shows or hides each textarea (using JavaScript) based on
whether the scrip's current configuration will use its contents. This
is meant to reduce user confusion about when these textareas take
effect, and significantly reduce the length of the page in the common
case of no "User Defined" code.

To reinforce to users the relationship between the dropdown and its
custom code textarea(s), we've moved each textarea up into the form,
right below to its dropdown. If the fields were to remain in two
separate sections, then users wouldn't notice the show/hide action at
a distance and would wonder why the textareas appear only some of the
time. This also reduces the perceived complexity of the scrip
create/modify page down to one consistent form, rather than two
confusingly-related sections, each with its own Save Changes button.

In order to ease the transition for custom deployments, a new method
(IsUserEditable) is added to RT::Condition and RT::Action to allow
users to easily inform RT of condition or action objects they have
made user editable.

Add Condition method to RT::ScripCondition for easily obtaining the
RT::Condition object, simillar to the Action method on RT::ScripAction.
Add lazy loading check to RT:ScripAction->Action.

Move module name creation logic into own method on both ScripAction and ScripCondition for convenience.

Now that we've moved the textareas to be inline with the rest of the
form, there arises a new problem where specifying lots of code would
cause the rest of the page (e.g. Template selection) to scroll
offscreen. So adapting the size of the textbox to how many lines are
in the provided code (+3 lines for buffer) has been replaced with a
constant of 6 rows. Users will still be able to use their browser's
textarea resize tool to make the code entry fields longer.

There is no animation for the show/hide actions because jQuery's
slideUp and slideDown animations cannot handle table tags.

Fixes: I#32260

Author: Jim Brandt
Author Date: 2016-09-23 14:09:04 UTC

Move onclick event to Create linked ticket anchor

On assets with a long history, it was possible to click
the Create linked ticket link in the Actions menu before
the page had fully loaded. In these cases, the jQuery
onclick event would not fire and the user would see the HTML
interstitial page rather than the modal for selecting the
queue to create the ticket.

Move the onclick event to the anchor tag itself to make sure
it displays the modal even if the page is not fully loaded.

Author: Shawn M Moore
Author Date: 2016-07-26 20:26:06 UTC

Add missing ColumnMap entries

Discovered by t/api/column-map.t

Fixes: I#22386

Author: Shawn M Moore
Author Date: 2016-07-15 22:18:50 UTC

Finish method docs and comments for RT::Migrate::Importer

Author: Jim Brandt
Author Date: 2016-06-14 17:35:44 UTC

Link multiple assets to a new ticket from asset bulk update

Support creating a ticket from the asset bulk update page
and linking all selected assets to the created ticket. The
list of possible requestors is pulled from roles on all
selected assets.

The user is directed to the ticket create page for any
final updates before creating the ticket.

Author: Dustin Graves
Author Date: 2016-02-25 00:58:41 UTC

add ajax custom field loading and change basics page to use it as proof of concept

Author: Dustin Graves
Author Date: 2015-10-06 21:37:45 UTC

add optional pinned ticket summary display bar to rudder and aileon themes

Fixes: T#157669

Author: sunnavy
Author Date: 2015-06-04 14:09:14 UTC

Email::Address 1.900+ has a fix of uninitialized warning

the warning could be trigged by empty phrases of email addresses in
t/data/emails/crashes-file-based-parser:

    Sender: <noc@rt3.mx.example.com> (Network Operation Center)

which is used in t/mail/sendmail.t and t/mail/sendmail-plaintext.t

Author: Alex Vandiver
Author Date: 2014-10-28 22:50:58 UTC

Simplify WhoHaveRoleRight and WhoHaveGroupRight queries before unioning

Perform a true union in SQL, via a separate 'in' query. This
effectively prevents duplicates in the resultset (which
DBIx::SearchBuilder::Union makes no attempt to do), orders the set as a
whole, and allows the individual queries to be simpler. In particular,
the lack of "DISTINCT" and "ORDER BY" on the WhoHaveGroupRight query on
MySQL causes it to generate a query plan which no longer includes "with
temporary table" (due to the DISTINCT) or "with filesort" (due to the
ORDER BY), and makes better use of indexes (due to the limited number of
columns returned).

This does come at the assumption that duplicates within each of the two
queries are not common -- that is, that users will not have the relevant
right by way of a large number of membership paths.

Author: Alex Vandiver
Author Date: 2015-05-05 04:10:49 UTC

Explicitly note the license and contributing agreement

Author: Alex Vandiver
Author Date: 2015-04-10 00:22:00 UTC

Move standalone t/lifecycles/utils.pl to being an RT::Test

Author: Alex Vandiver
Author Date: 2014-07-09 23:52:25 UTC

Prompt to create missing role groups

Author: Alex Vandiver
Author Date: 2015-04-10 00:38:01 UTC

Re-load any RT::User objects passed into ResolveRoles, as CurrentUser

This prevents possibly-elevated objects that are passed in from being
returned as loaded by anything except the current user.

Author: Alex Vandiver
Author Date: 2014-04-10 22:40:36 UTC

Default the content-transfer-encoding to 8bit

RT sets a content-transfer-encoding of 8bit on the top-level of outgoing
email, in RT::Interface::Email::SendEmail. This sets the default for
the entire message. Unfortunately, MIME::Entity is not aware of this,
and assumes that a lack of content-transfer-encoding header in any
particular part means it should default to 7bit.

These combine, in the case of signed email, to cause the "put a
content-transfer-encoding header" loop to mistakenly believe that a part
with 8bit data is actually 7bit, and thus it is left with no
content-transfer-encoding.

Assume that all unmarked parts are 8bit, as that is what the top-most
header implies anyway. This causes RT to correctly apply a transfer
encoding to 8bit data in signed messages.

Author: Emmanuel Lacour
Author Date: 2014-06-13 12:32:24 UTC

Update LastUpdated/LastUpdatedBy only if there is an update

Author: Alex Vandiver
Author Date: 2015-03-25 22:41:17 UTC

Allow attachments that were only _guessed_ to be encrypted, to fail

Files ending in ".asc" or ".pgp", unclaimed from RFC3156 multiparts or
unpaired with other attachments, were assumed to be encrypted
attachments. However, all the ".asc" or ".pgp" actually implies is
"ASCII-armored PGP data" or "binary PGP data", respectively. This
includes not only encrypted data, but also attached exported public
keys.

When RT attempts to "decrypt" an attached public key (which begins with
"BEGIN PGP PUBLIC KEY BLOCK", not "BEGIN PGP MESSAGE"), GPG responds:

    gpg: decrypt_message failed: Unexpected error

..or, for gpg2:

    gpg: decrypt_message failed: unexpected data

This results in the email sender receiving a "Error: bad encrypted data"
email, which is especially puzzling if their mail did not contain any
encrypted parts.

Content-type is insufficient to accurately distinguish between attached
public keys and attached encrypted data; mail clients often
indiscriminately mark both as "application/octet-stream". Determining
which is contained in the MIME part requires examining the contents of
the part -- which requires loading them into memory, which may be
prohivitive.

Instead, opportunistically attempt to parse such parts, marking them as
"Guessed", and allowing them to silently fail without generating a
confusing message to the end-user.

Author: Alex Vandiver
Author Date: 2015-01-22 06:41:16 UTC

Move normalization into ::Tree

Author: Alex Vandiver
Author Date: 2015-03-31 21:49:31 UTC

Only use CreateTicket line as a CF name if not also a core field

Every field CreateTickets loads is treated as potential CF; so, in the
presence of a "Status" CF, the CF was set, in addition to the core
Status field.

Once a field from %args has been used to fill %ticketargs, remove it,
such that it is not viewed as a potential custom field name. To
accomplish this, handling of "deferred" items (including links and
Status) are moved before CF handling, so they can remove values they
consume.

Status is additionally special; it is both deferred _and_ set in
%ticketargs. As such, it is temporarily put back into %args before
GetDeferred is called.

Fixes: I#18145

Author: Alex Vandiver
Author Date: 2014-12-30 18:13:01 UTC

Always allow role and system groups to be enumerated

Previously, the SeeGroup right controlled RT::Groups results even for
internal groups; this caused the queue rights page for a user with
AdminQueue but not SeeGroup to not list Everyone / Privileged /
Unprivileged, nor the queue role groups.

Allow system groups to always be seen, and role groups to be seen if the
user can see the object the role group is on. This is a broadening of
the privileges that previously existed.

Note that as ->CurrentUserCanSee is not used to ACL ->_Value, this does
not quite enforce a group ACL globally; any explicitly loaded group can
still be examined.

Fixes: I#30416

Author: Jesse Vincent
Author Date: 2015-03-25 02:39:17 UTC

Clean up a few more newlines in our HTML

Author: Alex Vandiver
Author Date: 2015-03-23 23:36:11 UTC

Support Binary and Image CFs in SelfService

Author: Alex Vandiver
Author Date: 2015-03-16 17:16:21 UTC

Drop the severity of known indexing failures to "info"

These failures are known failure mores that cannot easily be addressed.
While the failure merits logging, as they are not unexpected in most
installs, there is no direct solution and they can, in most cases, be
ignored. As such, "info" is a fine log level for a not-unexpected and
unhandle-able error.

Author: Alex Vandiver
Author Date: 2014-04-23 18:39:45 UTC

Leave all CF determination logic to _CustomFieldDecipher

Previously, passing CUSTOMFIELD => 17 would result in TicketSQL
containing CF.{NameOfCF17}, which is extremely unhelpful in the case
where a number was intentionally passed soas to avoid edge cases with
duplicate CF names. As _CustomFieldDecipher has a better variant of CF
name resolution, simply pass CUSTOMFIELD through unmolested; the only
functionality lost is the auto-defaulting of ENTRYAGGREGATOR based on CF
type.

Author: Alex Vandiver
Author Date: 2015-03-05 19:31:04 UTC

Only store text as quoted-printable when the bytes not invalid UTF-8

The existing check for Encode::is_utf8() checks if the UTF8 flag is on
_and_ that the internal representation is consistent. Since the UTF8
flag is almost certainly off, as _EncodeLOB takes bytes, not characters,
this causes the quoted-printable encoding to be chosen even for byte
sequences which are valid UTF-8.

Switch to checking if the byte sequence is valid UTF-8; if so, upgrade
it to characters and store it verbatim. If it is not, then store it as
quoted-printable as before. This increases the set of content which is
stored with encoding "none", which eases direct comprehension of the
data.

Author: Todd Wade
Author Date: 2014-12-04 15:44:41 UTC

show warning on page load and update ticket regardless of errors

Pre-commit code only showed warning after submitting the ticket update, and
prohibited update from proceeding. This change shows the warning on page
entry and allows the update to proceed even if public key for the email
address is not available.

Author: Alex Vandiver
Author Date: 2014-10-07 20:07:39 UTC

Apply squelching information to updates with no messages

Updates from the ticket Reply/Comment page which do not record content,
merely change the status / owner / etc., do not currently respect the
squelching checkboxes, despite showing as if they do. This is because
the squelching information is stored on the Correspond/Comment
transaction, and thus only propagated to other transactions if such was
created.

Even on updates that do not have content, store and respect the
squelching information. This builds upon 4a33c662, which made the
transaction squelching settings apply for the lifetime of the ticket
object.

Author: Thomas Sibley
Author Date: 2012-09-17 23:00:29 UTC

Shredder: Don't push resolvable dependencies onto the stack for wiping

If a dependency is marked VARIABLE (resolvable), require it is handled
by a resolver. The resolver is free to put the object on the stack
explicitly if resolution is not actually possible.

Such objects were often safe because of the accidental side-effects of
modifying the hash iterated by each() and later only calling values()
once. It is cleaner and safer to simply never push them onto the stack
in the first place. This lets you re-use shredder objects, for example,
without inadvertently wiping objects you didn't mean to on the second
call to WipeoutAll.

Author: ruz
Author Date: 2013-08-28 15:35:56 UTC

upgrade script for old quicksearch preferences

Author: ruz
Author Date: 2010-12-11 03:12:24 UTC

UseSQLForACLChecks for RT::Queues