Merge branch 'hotfix/4.2.2' of ssh://172.20.0.1/var/git/espo/backend into hotfix/4.2.2

LDAP: label corrections
LDAP improvements: added possibility to define user objectClass
2026-03-03 20:07:01 +00:00 · 2016-08-15 15:51:40 +03:00 · 2016-08-15 15:51:10 +03:00 · 2016-08-15 15:47:25 +03:00 · 2016-08-15 11:08:45 +03:00 · 2016-08-15 10:50:10 +03:00
1964 changed files with 64830 additions and 18038 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -6,13 +6,14 @@
 /data/config.php
 /build
 /node_modules
-/client
 /test.php
 /main.html
-/frontend/client/css/espo.css
-/frontend/client/css/espo-vertical.css
-/frontend/client/css/sakura.css
-/frontend/client/css/sakura-vertical.css
+/client/css/espo.css
+/client/css/espo-vertical.css
+/client/css/sakura.css
+/client/css/sakura-vertical.css
+/client/css/violet.css
+/client/css/violet-vertical.css
 /tests/testData/cache/*
 composer.phar
 vendor/
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,3 @@
+Before we can merge your pull request you need to accept our CLA [here](https://github.com/espocrm/cla). It's very simple to do.
+
+[Code Style Guidelines](https://github.com/espocrm/espocrm/wiki/Code-Style-Guidelines).
--- a/Gruntfile.js
+++ b/Gruntfile.js
@@ -23,6 +23,7 @@ module.exports = function (grunt) {
    var jsFilesToMinify = [
        'client/lib/jquery-2.1.4.min.js',
        'client/lib/underscore-min.js',
+        'client/lib/es6-promise.min.js',
        'client/lib/backbone-min.js',
        'client/lib/handlebars.js',
        'client/lib/base64.js',
@@ -33,7 +34,7 @@ module.exports = function (grunt) {
        'client/lib/jquery.autocomplete.js',
        'client/lib/bootstrap.min.js',
        'client/lib/bootstrap-datepicker.js',
-        'client/lib/bull.min.js',
+        'client/lib/bull.js',
        'client/src/namespace.js',
        'client/src/exceptions.js',
        'client/src/loader.js',
@@ -64,39 +65,55 @@ module.exports = function (grunt) {
                    yuicompress: true,
                },
                files: {
-                    'frontend/client/css/espo.css': 'frontend/less/espo/main.less',
-                },
-            },
-            sakura: {
-                options: {
-                    yuicompress: true,
-                },
-                files: {
-                    'frontend/client/css/sakura.css': 'frontend/less/sakura/main.less',
-                },
+                    'client/css/espo.css': 'frontend/less/espo/main.less',
+                }
            },
            espoVertical: {
                options: {
                    yuicompress: true,
                },
                files: {
-                    'frontend/client/css/espo-vertical.css': 'frontend/less/espo-vertical/main.less',
+                    'client/css/espo-vertical.css': 'frontend/less/espo-vertical/main.less',
+                }
+            },
+            sakura: {
+                options: {
+                    yuicompress: true,
                },
+                files: {
+                    'client/css/sakura.css': 'frontend/less/sakura/main.less',
+                }
            },
            sakuraVertical: {
                options: {
                    yuicompress: true,
                },
                files: {
-                    'frontend/client/css/sakura-vertical.css': 'frontend/less/sakura-vertical/main.less',
+                    'client/css/sakura-vertical.css': 'frontend/less/sakura-vertical/main.less',
+                }
+            },
+            violet: {
+                options: {
+                    yuicompress: true,
                },
+                files: {
+                    'client/css/violet.css': 'frontend/less/violet/main.less',
+                }
+            },
+            violetVertical: {
+                options: {
+                    yuicompress: true,
+                },
+                files: {
+                    'client/css/violet-vertical.css': 'frontend/less/violet-vertical/main.less',
+                }
            }
        },
        cssmin: {
            minify: {
                files: {
                    'build/tmp/client/css/espo.css': [
-                        'frontend/client/css/espo.css',
+                        'client/css/espo.css',
                    ]
                }
            },
@@ -107,13 +124,13 @@ module.exports = function (grunt) {
                banner: '/*! <%= pkg.name %> <%= grunt.template.today("yyyy-mm-dd") %> */\n',
            },
            'build/tmp/client/espo.min.js': jsFilesToMinify.map(function (item) {
-                return 'frontend/' + item;
+                return '' + item;
            })
        },
        copy: {
            frontendFolders: {
                expand: true,
-                cwd: 'frontend/client',
+                cwd: 'client',
                src: [
                    'src/**',
                    'res/**',
@@ -128,13 +145,13 @@ module.exports = function (grunt) {
                dest: 'build/tmp/client',
            },
            frontendHtml: {
-                src: 'frontend/html/reset.html',
+                src: 'frontend/reset.html',
                dest: 'build/tmp/reset.html'
            },
            frontendLib: {
                expand: true,
                dot: true,
-                cwd: 'frontend/client/lib',
+                cwd: 'client/lib',
                src: '**',
                dest: 'build/tmp/client/lib/',
            },
@@ -147,7 +164,9 @@ module.exports = function (grunt) {
                    'custom/**',
                    'data/.data',
                    'install/**',
+                    'portal/**',
                    'vendor/**',
+                    'html/**',
                    'bootstrap.php',
                    'cron.php',
                    'rebuild.php',
@@ -195,8 +214,11 @@ module.exports = function (grunt) {
                },
                src: [
                    'build/EspoCRM-<%= pkg.version %>/install',
+                    'build/EspoCRM-<%= pkg.version %>/portal',
                    'build/EspoCRM-<%= pkg.version %>/api',
                    'build/EspoCRM-<%= pkg.version %>/api/v1',
+                    'build/EspoCRM-<%= pkg.version %>/api/v1/portal-access',
+                    'build/EspoCRM-<%= pkg.version %>',
                ]
            }
        },
@@ -212,8 +234,12 @@ module.exports = function (grunt) {
                },
                files: [
                    {
-                        src: 'frontend/html/main.html',
-                        dest: 'build/tmp/main.html'
+                        src: 'build/tmp/html/main.html',
+                        dest: 'build/tmp/html/main.html'
+                    },
+                    {
+                        src: 'build/tmp/html/portal.html',
+                        dest: 'build/tmp/html/portal.html'
                    }
                ]
            },
--- a/README.md
+++ b/README.md
@@ -26,9 +26,9 @@ Create an issue [here](https://github.com/espocrm/espocrm/issues) or post on our

 Never update composer dependencies if you are going to contribute code back.

-Now you can build.
+Now you can build. Build will create compiled css files.

-If your repository is accessible via a web server then you can run EspoCRM by url `http://PROJECT_URL/frontend`. To compose a proper config.php and populate database you can run install by opening `http(s)://{YOUR_CRM_URL}/install` location in a browser. Also you need to run build before to have compiled css.
+To compose a proper config.php and populate database you can run install by opening `http(s)://{YOUR_CRM_URL}/install` location in a browser. Then open `data/config.php` file and add `isDeveloperMode => true`.

 ### How to build

--- a/api/v1/portal-access/.htaccess
+++ b/api/v1/portal-access/.htaccess
@@ -0,0 +1,12 @@
+RewriteEngine On
+
+# Some hosts may require you to use the `RewriteBase` directive.
+# If you need to use the `RewriteBase` directive, it should be the
+# absolute physical path to the directory that contains this htaccess file.
+#
+# RewriteBase /
+
+RewriteRule .* - [E=HTTP_ESPO_CGI_AUTH:%{HTTP:Authorization}]
+
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteRule ^ index.php [QSA,L]
--- a/api/v1/portal-access/index.php
+++ b/api/v1/portal-access/index.php
@@ -0,0 +1,39 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+require_once('../../../bootstrap.php');
+
+if (!empty($_GET['portalId'])) {
+    $portalId = $_GET['portalId'];
+} else {
+    $portalId = explode('/', $_SERVER['REQUEST_URI'])[count(explode('/', $_SERVER['SCRIPT_NAME'])) - 1];
+}
+
+$app = new \Espo\Core\Portal\Application($portalId);
+$app->run();
--- a/api/v1/portal-access/web.config
+++ b/api/v1/portal-access/web.config
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+
+    <system.webServer>
+        <rewrite>
+            <rules>
+                <rule name="rule 1G" stopProcessing="true">
+                    <match url="^"  />
+                    <action type="Rewrite" url="index.php"  appendQueryString="true" />
+				</rule>
+            </rules>
+        </rewrite>
+    </system.webServer>
+
+</configuration>
--- a/application/Espo/Acl/Attachment.php
+++ b/application/Espo/Acl/Attachment.php
@@ -0,0 +1,93 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Acl;
+
+use \Espo\Entities\User as EntityUser;
+use \Espo\ORM\Entity;
+
+class Attachment extends \Espo\Core\Acl\Base
+{
+    public function checkEntityRead(EntityUser $user, Entity $entity, $data)
+    {
+        if ($user->isAdmin()) {
+            return true;
+        }
+
+        if ($entity->get('parentType') === 'Settings') {
+            return true;
+        }
+
+        $parent = null;
+        $hasParent = false;
+        if ($entity->get('parentId') && $entity->get('parentType')) {
+            $hasParent = true;
+            $parent = $this->getEntityManager()->getEntity($entity->get('parentType'), $entity->get('parentId'));
+        } else if ($entity->get('relatedId') && $entity->get('relatedType')) {
+            $hasParent = true;
+            $parent = $this->getEntityManager()->getEntity($entity->get('relatedType'), $entity->get('relatedId'));
+        }
+
+        if ($hasParent) {
+            if ($parent) {
+                if ($parent->getEntityType() === 'Note') {
+                    if ($parent->get('parentId') && $parent->get('parentType')) {
+                        $parentOfParent = $this->getEntityManager()->getEntity($parent->get('parentType'), $parent->get('parentId'));
+                        if ($parentOfParent && $this->getAclManager()->checkEntity($user, $parentOfParent)) {
+                            return true;
+                        }
+                    } else {
+                        return true;
+                    }
+                } else {
+                    if ($this->getAclManager()->checkEntity($user, $parent)) {
+                        return true;
+                    }
+                }
+            }
+        } else {
+            return true;
+        }
+
+        if ($this->checkEntity($user, $entity, $data, 'read')) {
+            return true;
+        }
+
+        return false;
+    }
+
+    public function checkIsOwner(EntityUser $user, Entity $entity)
+    {
+        if ($user->id === $entity->get('createdById')) {
+            return true;
+        }
+        return false;
+    }
+}
+
--- a/application/Espo/Acl/Email.php
+++ b/application/Espo/Acl/Email.php
@@ -29,13 +29,13 @@

 namespace Espo\Acl;

-use \Espo\Entities\User;
+use \Espo\Entities\User as EntityUser;
 use \Espo\ORM\Entity;

 class Email extends \Espo\Core\Acl\Base
 {

-    public function checkEntityRead(User $user, Entity $entity, $data)
+    public function checkEntityRead(EntityUser $user, Entity $entity, $data)
    {
        if ($this->checkEntity($user, $entity, $data, 'read')) {
            return true;
@@ -44,8 +44,8 @@ class Email extends \Espo\Core\Acl\Base
        if ($data === false) {
            return false;
        }
-        if (is_array($data)) {
-            if (empty($data['read']) || $data['read'] == 'no') {
+        if (is_object($data)) {
+            if ($data->read === false || $data->read === 'no') {
                return false;
            }
        }
@@ -60,20 +60,62 @@ class Email extends \Espo\Core\Acl\Base
        return false;
    }

-    public function checkIsOwner(User $user, Entity $entity)
+    public function checkIsOwner(EntityUser $user, Entity $entity)
    {
-        if ($entity->has('assignedUserId')) {
-            if ($user->id === $entity->get('assignedUserId')) {
-                return true;
-            }
+        if ($user->id === $entity->get('assignedUserId')) {
+            return true;
        }

        if ($user->id === $entity->get('createdById')) {
            return true;
        }

+        if ($entity->hasLinkMultipleId('assignedUsers', $user->id)) {
+            return true;
+        }
+
        return false;
    }

+    public function checkEntityDelete(EntityUser $user, Entity $entity, $data)
+    {
+        if ($user->isAdmin()) {
+            return true;
+        }
+
+        if ($data === false) {
+            return false;
+        }
+
+        if ($data->delete === 'own') {
+            if ($user->id === $entity->get('assignedUserId')) {
+                return true;
+            }
+
+            if ($user->id === $entity->get('createdById')) {
+                return true;
+            }
+
+            $assignedUserIdList = $entity->getLinkMultipleIdList('assignedUsers');
+            if (count($assignedUserIdList) === 1 && $entity->hasLinkMultipleId('assignedUsers', $user->id)) {
+                return true;
+            }
+            return false;
+        }
+
+        if ($this->checkEntity($user, $entity, $data, 'delete')) {
+            return true;
+        }
+
+        if ($data->edit !== 'no' || $data->create !== 'no') {
+            if ($entity->get('createdById') === $user->id) {
+                if ($entity->get('status') !== 'Sent' && $entity->get('status') !== 'Archived') {
+                    return true;
+                }
+            }
+        }
+
+        return false;
+    }
 }

--- a/application/Espo/Acl/EmailFilter.php
+++ b/application/Espo/Acl/EmailFilter.php
@@ -29,12 +29,12 @@

 namespace Espo\Acl;

-use \Espo\Entities\User;
+use \Espo\Entities\User as EntityUser;
 use \Espo\ORM\Entity;

 class EmailFilter extends \Espo\Core\Acl\Base
 {
-    public function checkIsOwner(User $user, Entity $entity)
+    public function checkIsOwner(EntityUser $user, Entity $entity)
    {
        if ($entity->has('parentId') && $entity->has('parentType')) {
            $parentType = $entity->get('parentType');
@@ -42,11 +42,14 @@ class EmailFilter extends \Espo\Core\Acl\Base
            if (!$parentType || !$parentId) return;

            $parent = $this->getEntityManager()->getEntity($parentType, $parentId);
+
+            if ($parent->getEntityType() === 'User') {
+                return $parent->id === $user->id;
+            }
            if ($parent && $parent->has('assignedUserId') && $parent->get('assignedUserId') === $user->id) {
                return true;
            }
        }
-
        return;
    }
 }
--- a/application/Espo/Acl/Notification.php
+++ b/application/Espo/Acl/Notification.php
@@ -0,0 +1,45 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Acl;
+
+use \Espo\Entities\User as EntityUser;
+use \Espo\ORM\Entity;
+
+class Notification extends \Espo\Core\Acl\Base
+{
+    public function checkIsOwner(EntityUser $user, Entity $entity)
+    {
+        if ($user->id === $entity->get('userId')) {
+            return true;
+        }
+        return false;
+    }
+}
+
--- a/application/Espo/Acl/User.php
+++ b/application/Espo/Acl/User.php
@@ -0,0 +1,41 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Acl;
+
+use \Espo\ORM\Entity;
+
+class User extends \Espo\Core\Acl\Base
+{
+    public function checkIsOwner(\Espo\Entities\User $user, Entity $entity)
+    {
+        return $user->id === $entity->id;
+    }
+}
+
--- a/application/Espo/AclPortal/Attachment.php
+++ b/application/Espo/AclPortal/Attachment.php
@@ -0,0 +1,93 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\AclPortal;
+
+use \Espo\Entities\User as EntityUser;
+use \Espo\ORM\Entity;
+
+class Attachment extends \Espo\Core\AclPortal\Base
+{
+    public function checkEntityRead(EntityUser $user, Entity $entity, $data)
+    {
+        if ($user->isAdmin()) {
+            return true;
+        }
+
+        if ($entity->get('parentType') === 'Settings') {
+            return true;
+        }
+
+        $parent = null;
+        $hasParent = false;
+        if ($entity->get('parentId') && $entity->get('parentType')) {
+            $hasParent = true;
+            $parent = $this->getEntityManager()->getEntity($entity->get('parentType'), $entity->get('parentId'));
+        } else if ($entity->get('relatedId') && $entity->get('relatedType')) {
+            $hasParent = true;
+            $parent = $this->getEntityManager()->getEntity($entity->get('relatedType'), $entity->get('relatedId'));
+        }
+
+        if ($hasParent) {
+            if ($parent) {
+                if ($parent->getEntityType() === 'Note') {
+                    if ($parent->get('parentId') && $parent->get('parentType')) {
+                        $parentOfParent = $this->getEntityManager()->getEntity($parent->get('parentType'), $parent->get('parentId'));
+                        if ($parentOfParent && $this->getAclManager()->checkEntity($user, $parentOfParent)) {
+                            return true;
+                        }
+                    } else {
+                        return true;
+                    }
+                } else {
+                    if ($this->getAclManager()->checkEntity($user, $parent)) {
+                        return true;
+                    }
+                }
+            }
+        } else {
+            return true;
+        }
+
+        if ($this->checkEntity($user, $entity, $data, 'read')) {
+            return true;
+        }
+
+        return false;
+    }
+
+    public function checkIsOwner(EntityUser $user, Entity $entity)
+    {
+        if ($user->id === $entity->get('createdById')) {
+            return true;
+        }
+        return false;
+    }
+}
+
--- a/application/Espo/AclPortal/Email.php
+++ b/application/Espo/AclPortal/Email.php
@@ -0,0 +1,71 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\AclPortal;
+
+use \Espo\Entities\User as EntityUser;
+use \Espo\ORM\Entity;
+
+class Email extends \Espo\Core\AclPortal\Base
+{
+
+    public function checkEntityRead(EntityUser $user, Entity $entity, $data)
+    {
+        if ($this->checkEntity($user, $entity, $data, 'read')) {
+            return true;
+        }
+
+        if ($data === false) {
+            return false;
+        }
+        if (is_object($data)) {
+            if ($data->read === false || $data->read === 'no') {
+                return false;
+            }
+        }
+
+        if (!$entity->has('usersIds')) {
+            $entity->loadLinkMultipleField('users');
+        }
+        $userIdList = $entity->get('usersIds');
+        if (is_array($userIdList) && in_array($user->id, $userIdList)) {
+            return true;
+        }
+        return false;
+    }
+
+    public function checkIsOwner(EntityUser $user, Entity $entity)
+    {
+        if ($user->id === $entity->get('createdById')) {
+            return true;
+        }
+        return false;
+    }
+}
+
--- a/application/Espo/AclPortal/Notification.php
+++ b/application/Espo/AclPortal/Notification.php
@@ -0,0 +1,45 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\AclPortal;
+
+use \Espo\Entities\User as EntityUser;
+use \Espo\ORM\Entity;
+
+class Notification extends \Espo\Core\AclPortal\Base
+{
+    public function checkIsOwner(EntityUser $user, Entity $entity)
+    {
+        if ($user->id === $entity->get('userId')) {
+            return true;
+        }
+        return false;
+    }
+}
+
--- a/application/Espo/AclPortal/User.php
+++ b/application/Espo/AclPortal/User.php
@@ -0,0 +1,41 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\AclPortal;
+
+use \Espo\ORM\Entity;
+
+class User extends \Espo\Core\AclPortal\Base
+{
+    public function checkIsOwner(\Espo\Entities\User $user, Entity $entity)
+    {
+        return $user->id === $entity->id;
+    }
+}
+
--- a/application/Espo/Controllers/App.php
+++ b/application/Espo/Controllers/App.php
@@ -35,16 +35,33 @@ class App extends \Espo\Core\Controllers\Base
 {
    public function actionUser()
    {
-        $preferences = $this->getPreferences()->toArray();
+        $preferences = $this->getPreferences()->getValues();
        unset($preferences['smtpPassword']);

        $user = $this->getUser();
        if (!$user->has('teamsIds')) {
            $user->loadLinkMultipleField('teams');
        }
+        if ($user->get('isPortalUser')) {
+            $user->loadAccountField();
+            $user->loadLinkMultipleField('accounts');
+        }
+
+        $userData = $user->getValues();
+
+        $emailAddressList = [];
+        foreach ($user->get('emailAddresses') as $emailAddress) {
+            if ($emailAddress->get('invalid')) continue;
+            if ($user->get('emailAddrses') === $emailAddress->get('name')) continue;
+            $emailAddressList[] = $emailAddress->get('name');
+        }
+        if ($user->get('emailAddrses')) {
+            array_unshift($emailAddressList, $user->get('emailAddrses'));
+        }
+        $userData['emailAddressList'] = $emailAddressList;

        return array(
-            'user' => $user->toArray(),
+            'user' => $userData,
            'acl' => $this->getAcl()->getMap(),
            'preferences' => $preferences,
            'token' => $this->getUser()->get('token')
--- a/application/Espo/Controllers/Attachment.php
+++ b/application/Espo/Controllers/Attachment.php
@@ -34,13 +34,16 @@ use \Espo\Core\Exceptions\BadRequest;

 class Attachment extends \Espo\Core\Controllers\Record
 {
-
    public function actionUpload($params, $data, $request)
    {
        if (!$request->isPost()) {
            throw new BadRequest();
        }

+        if (!$this->getAcl()->checkScope('Attachment', 'create')) {
+            throw new Forbidden();
+        }
+
        list($prefix, $contents) = explode(',', $data);
        $contents = base64_decode($contents);

--- a/application/Espo/Controllers/Email.php
+++ b/application/Espo/Controllers/Email.php
@@ -32,12 +32,16 @@ namespace Espo\Controllers;
 use \Espo\Core\Exceptions\BadRequest;
 use \Espo\Core\Exceptions\Forbidden;
 use \Espo\Core\Exceptions\Error;
+use \Espo\Core\Exceptions\NotFound;

 class Email extends \Espo\Core\Controllers\Record
 {
-    public function actionGetCopiedAttachments($params, $data, $request)
+    public function postActionGetCopiedAttachments($params, $data, $request)
    {
-        $id = $request->get('id');
+        if (empty($data['id'])) {
+            throw new BadRequest();
+        }
+        $id = $data['id'];

        return $this->getRecordService()->getCopiedAttachments($id);
    }
@@ -48,22 +52,48 @@ class Email extends \Espo\Core\Controllers\Record
            throw new BadRequest();
        }

+        if (!$this->getAcl()->checkScope('Email')) {
+            throw new Forbidden();
+        }
+
        if (is_null($data['password'])) {
            if ($data['type'] == 'preferences') {
-                if (!$this->getUser()->isAdmin() && $data['id'] != $this->getUser()->id) {
+                if (!$this->getUser()->isAdmin() && $data['id'] !== $this->getUser()->id) {
                    throw new Forbidden();
                }
                $preferences = $this->getEntityManager()->getEntity('Preferences', $data['id']);
                if (!$preferences) {
-                    throw new Error();
+                    throw new NotFound();
                }

-                $data['password'] = $this->getContainer()->get('crypt')->decrypt($preferences->get('smtpPassword'));
+                if (is_null($data['password'])) {
+                    $data['password'] = $this->getContainer()->get('crypt')->decrypt($preferences->get('smtpPassword'));
+                }
+            } else if ($data['type'] == 'emailAccount') {
+                if (!$this->getAcl()->checkScope('EmailAccount')) {
+                    throw new Forbidden();
+                }
+                if (!empty($data['id'])) {
+                    $emailAccount = $this->getEntityManager()->getEntity('EmailAccount', $data['id']);
+                    if (!$emailAccount) {
+                        throw new NotFound();
+                    }
+                    if (!$this->getUser()->isAdmin()) {
+                        if ($emailAccount->get('assigniedUserId') !== $this->getUser()->id) {
+                            throw new Forbidden();
+                        }
+                    }
+                    if (is_null($data['password'])) {
+                        $data['password'] = $this->getContainer()->get('crypt')->decrypt($emailAccount->get('smtpPassword'));
+                    }
+                }
            } else {
                if (!$this->getUser()->isAdmin()) {
                    throw new Forbidden();
                }
-                $data['password'] = $this->getConfig()->get('smtpPassword');
+                if (is_null($data['password'])) {
+                    $data['password'] = $this->getConfig()->get('smtpPassword');
+                }
            }
        }

@@ -158,5 +188,38 @@ class Email extends \Espo\Core\Controllers\Record
        }
        return $this->getRecordService()->retrieveFromTrashByIdList($ids);
    }
+
+    public function getActionGetFoldersNotReadCounts(&$params, $request, $data)
+    {
+        return $this->getRecordService()->getFoldersNotReadCounts();
+    }
+
+    protected function fetchListParamsFromRequest(&$params, $request, $data)
+    {
+        parent::fetchListParamsFromRequest($params, $request, $data);
+
+        $folderId = $request->get('folderId');
+        if ($folderId) {
+            $params['folderId'] = $request->get('folderId');
+        }
+    }
+
+    public function postActionMoveToFolder($params, $data)
+    {
+        if (!empty($data['ids'])) {
+            $ids = $data['ids'];
+        } else {
+            if (!empty($data['id'])) {
+                $ids = [$data['id']];
+            } else {
+                throw new BadRequest();
+            }
+        }
+
+        if (empty($data['folderId'])) {
+            throw new BadRequest();
+        }
+        return $this->getRecordService()->moveToFolderByIdList($ids, $data['folderId']);
+    }
 }

--- a/application/Espo/Controllers/EmailAddress.php
+++ b/application/Espo/Controllers/EmailAddress.php
@@ -25,14 +25,22 @@
 *
 * In accordance with Section 7(b) of the GNU General Public License version 3,
 * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
- ************************************************************************/ 
+ ************************************************************************/

 namespace Espo\Controllers;

+use \Espo\Core\Exceptions\Forbidden;
+
 class EmailAddress extends \Espo\Core\Controllers\Record
 {
    public function actionSearchInAddressBook($params, $data, $request)
    {
+        if (!$this->getAcl()->checkScope('Email')) {
+            throw new Forbidden();
+        }
+        if (!$this->getAcl()->checkScope('Email', 'create')) {
+            throw new Forbidden();
+        }
        $q = $request->get('q');
        $limit = intval($request->get('limit'));
        if (empty($limit) || $limit > 30) {
--- a/application/Espo/Controllers/EmailFolder.php
+++ b/application/Espo/Controllers/EmailFolder.php
@@ -0,0 +1,63 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Controllers;
+
+use \Espo\Core\Exceptions\BadRequest;
+
+class EmailFolder extends \Espo\Core\Controllers\Record
+{
+    public function postActionMoveUp($params, $data, $request)
+    {
+        if (empty($data['id'])) {
+            throw new BadRequest();
+        }
+
+        $this->getRecordService()->moveUp($data['id']);
+
+        return true;
+    }
+
+    public function postActionMoveDown($params, $data, $request)
+    {
+        if (empty($data['id'])) {
+            throw new BadRequest();
+        }
+
+        $this->getRecordService()->moveDown($data['id']);
+
+        return true;
+    }
+
+    public function getActionListAll()
+    {
+        return $this->getRecordService()->listAll();
+    }
+}
+
--- a/application/Espo/Controllers/EntityManager.php
+++ b/application/Espo/Controllers/EntityManager.php
@@ -69,20 +69,29 @@ class EntityManager extends \Espo\Core\Controllers\Base
        if (!empty($data['stream'])) {
            $params['stream'] = $data['stream'];
        }
+        if (!empty($data['disabled'])) {
+            $params['disabled'] = $data['disabled'];
+        }
        if (!empty($data['sortBy'])) {
            $params['sortBy'] = $data['sortBy'];
        }
        if (!empty($data['sortDirection'])) {
            $params['asc'] = $data['sortDirection'] === 'asc';
        }
+        if (isset($data['textFilterFields']) && is_array($data['textFilterFields'])) {
+            $params['textFilterFields'] = $data['textFilterFields'];
+        }

        $result = $this->getContainer()->get('entityManagerUtil')->create($name, $type, $params);

        if ($result) {
            $tabList = $this->getConfig()->get('tabList', []);
-            $tabList[] = $name;
-            $this->getConfig()->set('tabList', $tabList);
-            $this->getConfig()->save();
+
+            if (!in_array($name, $tabList)) {
+                $tabList[] = $name;
+                $this->getConfig()->set('tabList', $tabList);
+                $this->getConfig()->save();
+            }

            $this->getContainer()->get('dataManager')->rebuild();
        } else {
--- a/application/Espo/Controllers/ExternalAccount.php
+++ b/application/Espo/Controllers/ExternalAccount.php
@@ -37,6 +37,13 @@ class ExternalAccount extends \Espo\Core\Controllers\Record
 {
    public static $defaultAction = 'list';

+    protected function checkControllerAccess()
+    {
+        if (!$this->getAcl()->checkScope('ExternalAccount')) {
+            throw new Forbidden();
+        }
+    }
+
    public function actionList($params, $data, $request)
    {
        $integrations = $this->getEntityManager()->getRepository('Integration')->find();
--- a/application/Espo/Controllers/I18n.php
+++ b/application/Espo/Controllers/I18n.php
@@ -31,7 +31,6 @@ namespace Espo\Controllers;

 class I18n extends \Espo\Core\Controllers\Base
 {
-
    public function actionRead($params, $data)
    {
        return $this->getContainer()->get('language')->getAll();
--- a/application/Espo/Controllers/Import.php
+++ b/application/Espo/Controllers/Import.php
@@ -43,12 +43,12 @@ class Import extends \Espo\Core\Controllers\Record
        }
    }

-    public function actionPatch($params, $data)
+    public function actionPatch($params, $data, $request)
    {
        throw new BadRequest();
    }

-    public function actionUpdate($params, $data)
+    public function actionUpdate($params, $data, $request)
    {
        throw new BadRequest();
    }
@@ -58,12 +58,12 @@ class Import extends \Espo\Core\Controllers\Record
        throw new BadRequest();
    }

-    public function actionCreateLink($params, $data)
+    public function actionCreateLink($params, $data, $request)
    {
        throw new BadRequest();
    }

-    public function actionRemoveLink($params, $data)
+    public function actionRemoveLink($params, $data, $request)
    {
        throw new BadRequest();
    }
--- a/application/Espo/Controllers/Job.php
+++ b/application/Espo/Controllers/Job.php
@@ -41,17 +41,17 @@ class Job extends \Espo\Core\Controllers\Record
        }
    }

-    public function actionCreate($params, $data)
+    public function actionCreate($params, $data, $request)
    {
        throw new Forbidden();
    }

-    public function actionUpdate($params, $data)
+    public function actionUpdate($params, $data, $request)
    {
        throw new Forbidden();
    }

-    public function actionPatch($params, $data)
+    public function actionPatch($params, $data, $request)
    {
        throw new Forbidden();
    }
@@ -66,12 +66,12 @@ class Job extends \Espo\Core\Controllers\Record
        throw new Forbidden();
    }

-    public function actionCreateLink($params, $data)
+    public function actionCreateLink($params, $data, $request)
    {
        throw new Forbidden();
    }

-    public function actionRemoveLink($params, $data)
+    public function actionRemoveLink($params, $data, $request)
    {
        throw new Forbidden();
    }
--- a/application/Espo/Controllers/Note.php
+++ b/application/Espo/Controllers/Note.php
@@ -25,7 +25,7 @@
 *
 * In accordance with Section 7(b) of the GNU General Public License version 3,
 * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
- ************************************************************************/ 
+ ************************************************************************/

 namespace Espo\Controllers;

--- a/application/Espo/Controllers/Notification.php
+++ b/application/Espo/Controllers/Notification.php
@@ -31,23 +31,22 @@ namespace Espo\Controllers;

 use \Espo\Core\Exceptions\Error;

-class Notification extends \Espo\Core\Controllers\Base
+class Notification extends \Espo\Core\Controllers\Record
 {
    public static $defaultAction = 'list';

    public function actionList($params, $data, $request)
    {
-        $scope = $params['scope'];
-        $id = $params['id'];
-
        $userId = $this->getUser()->id;

        $offset = intval($request->get('offset'));
        $maxSize = intval($request->get('maxSize'));
+        $after = $request->get('after');

        $params = array(
            'offset' => $offset,
            'maxSize' => $maxSize,
+            'after' => $after
        );

        $result = $this->getService('Notification')->getList($userId, $params);
@@ -69,5 +68,30 @@ class Notification extends \Espo\Core\Controllers\Base
        $userId = $this->getUser()->id;
        return $this->getService('Notification')->markAllRead($userId);
    }
+
+    public function actionExport($params, $data, $request)
+    {
+        throw new Error();
+    }
+
+    public function actionMassUpdate($params, $data, $request)
+    {
+        throw new Error();
+    }
+
+    public function actionCreateLink($params, $data, $request)
+    {
+        throw new Error();
+    }
+
+    public function actionRemoveLink($params, $data, $request)
+    {
+        throw new Error();
+    }
+
+    public function actionMerge($params, $data, $request)
+    {
+        throw new Error();
+    }
 }

--- a/application/Espo/Controllers/Portal.php
+++ b/application/Espo/Controllers/Portal.php
@@ -0,0 +1,43 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Controllers;
+
+use \Espo\Core\Exceptions\Forbidden;
+
+class Portal extends \Espo\Core\Controllers\Record
+{
+    protected function checkControllerAccess()
+    {
+        $portalPermission = $this->getAcl()->get('portalPermission');
+        if (!$portalPermission || $portalPermission === 'no') {
+            throw new Forbidden();
+        }
+    }
+}
--- a/application/Espo/Controllers/PortalRole.php
+++ b/application/Espo/Controllers/PortalRole.php
@@ -0,0 +1,34 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Controllers;
+
+class PortalRole extends \Espo\Core\Controllers\Record
+{
+}
--- a/application/Espo/Controllers/Preferences.php
+++ b/application/Espo/Controllers/Preferences.php
@@ -88,6 +88,14 @@ class Preferences extends \Espo\Core\Controllers\Base
            throw new BadRequest();
        }

+        if ($this->getAcl()->getLevel('Preferences', 'read') === 'no') {
+            throw new Forbidden();
+        }
+
+        foreach ($this->getAcl()->getScopeForbiddenAttributeList('Preferences', 'edit') as $attribute) {
+            unset($data[$attribute]);
+        }
+
        if (array_key_exists('smtpPassword', $data)) {
            $data['smtpPassword'] = $this->getCrypt()->encrypt($data['smtpPassword']);
        }
@@ -124,9 +132,14 @@ class Preferences extends \Espo\Core\Controllers\Base

        $entity->set('smtpEmailAddress', $user->get('emailAddress'));
        $entity->set('name', $user->get('name'));
+        $entity->set('isPortalUser', $user->get('isPortalUser'));

        $entity->clear('smtpPassword');

+        foreach ($this->getAcl()->getScopeForbiddenAttributeList('Preferences', 'read') as $attribute) {
+            $entity->clear($attribute);
+        }
+
        return $entity->toArray();
    }
 }
--- a/application/Espo/Controllers/Settings.php
+++ b/application/Espo/Controllers/Settings.php
@@ -28,6 +28,7 @@
 ************************************************************************/

 namespace Espo\Controllers;
+
 use \Espo\Core\Exceptions\Error;
 use \Espo\Core\Exceptions\Forbidden;
 use \Espo\Core\Exceptions\BadRequest;
@@ -45,6 +46,9 @@ class Settings extends \Espo\Core\Controllers\Base
                unset($data[$field]);
            }
        }
+
+        $data['jsLibs'] = $this->getMetadata()->get('app.jsLibs');
+
        return $data;
    }

@@ -86,4 +90,23 @@ class Settings extends \Espo\Core\Controllers\Base

        return $this->getConfigData();
    }
+
+    public function postActionTestLdapConnection($params, $data)
+    {
+        if (!$this->getUser()->isAdmin()) {
+            throw new Forbidden();
+        }
+
+        if (!isset($data['password'])) {
+            $data['password'] = $this->getConfig()->get('ldapPassword');
+        }
+
+        $ldapUtils = new \Espo\Core\Utils\Authentication\LDAP\Utils();
+        $options = $ldapUtils->normalizeOptions($data);
+
+        $ldapClient = new \Espo\Core\Utils\Authentication\LDAP\Client($options);
+        $ldapClient->bind(); //an exception if no connection
+
+        return true;
+    }
 }
--- a/application/Espo/Controllers/User.php
+++ b/application/Espo/Controllers/User.php
@@ -55,22 +55,16 @@ class User extends \Espo\Core\Controllers\Record
        return $this->getAclManager()->getMap($user);
    }

-    public function actionChangeOwnPassword($params, $data, $request)
+    public function postActionChangeOwnPassword($params, $data, $request)
    {
-        if (!$request->isPost()) {
-            throw new BadRequest();
-        }
        if (!array_key_exists('password', $data) || !array_key_exists('currentPassword', $data)) {
            throw new BadRequest();
        }
        return $this->getService('User')->changePassword($this->getUser()->id, $data['password'], true, $data['currentPassword']);
    }

-    public function actionChangePasswordByRequest($params, $data, $request)
+    public function postActionChangePasswordByRequest($params, $data, $request)
    {
-        if (!$request->isPost()) {
-            throw new BadRequest();
-        }
        if (empty($data['requestId']) || empty($data['password'])) {
            throw new BadRequest();
        }
@@ -89,23 +83,27 @@ class User extends \Espo\Core\Controllers\Record

        $this->getEntityManager()->removeEntity($p);

-        return $this->getService('User')->changePassword($userId, $data['password']);
+        if ($this->getService('User')->changePassword($userId, $data['password'])) {
+            return array(
+                'url' => $p->get('url')
+            );
+        }
    }

-    public function actionPasswordChangeRequest($params, $data, $request)
+    public function postActionPasswordChangeRequest($params, $data, $request)
    {
-        if (!$request->isPost()) {
-            throw new Forbidden();
-        }
-
        if (empty($data['userName']) || empty($data['emailAddress'])) {
            throw new BadRequest();
        }

        $userName = $data['userName'];
        $emailAddress = $data['emailAddress'];
+        $url = null;
+        if (!empty($data['url'])) {
+            $url = $data['url'];
+        }

-        return $this->getService('User')->passwordChangeRequest($userName, $emailAddress);
+        return $this->getService('User')->passwordChangeRequest($userName, $emailAddress, $url);
    }
 }

--- a/application/Espo/Core/Acl.php
+++ b/application/Espo/Core/Acl.php
@@ -79,19 +79,54 @@ class Acl
        return $this->getAclManager()->checkReadOnlyOwn($this->getUser(), $scope);
    }

-    public function check($subject, $action = null, $isOwner = null, $inTeam = null)
+    public function check($subject, $action = null)
    {
-        return $this->getAclManager()->check($this->getUser(), $subject, $action, $isOwner, $inTeam) ;
+        return $this->getAclManager()->check($this->getUser(), $subject, $action);
    }

-    public function checkScope($scope, $action = null, $isOwner = null, $inTeam = null, $entity = null)
+    public function checkScope($scope, $action = null)
    {
-        return $this->getAclManager()->checkScope($this->getUser(), $scope, $action, $isOwner, $inTeam, $entity) ;
+        return $this->getAclManager()->checkScope($this->getUser(), $scope, $action);
+    }
+
+    public function checkEntity(Entity $entity, $action = 'read')
+    {
+        return $this->getAclManager()->checkEntity($this->getUser(), $entity, $action);
    }

    public function checkUser($permission, User $entity)
    {
        return $this->getAclManager()->checkUser($this->getUser(), $permission, $entity);
    }
+
+    public function checkIsOwner(Entity $entity)
+    {
+        return $this->getAclManager()->checkIsOwner($this->getUser(), $entity);
+    }
+
+    public function checkInTeam(Entity $entity)
+    {
+        return $this->getAclManager()->checkInTeam($this->getUser(), $entity);
+    }
+
+    public function getScopeForbiddenAttributeList($scope, $action = 'read', $thresholdLevel = 'no')
+    {
+        return $this->getAclManager()->getScopeForbiddenAttributeList($this->getUser(), $scope, $action, $thresholdLevel);
+    }
+
+    public function getScopeForbiddenFieldList($scope, $action = 'read', $thresholdLevel = 'no')
+    {
+        return $this->getAclManager()->getScopeForbiddenFieldList($this->getUser(), $scope, $action, $thresholdLevel);
+    }
+
+    public function checkUserPermission($target, $permissionType = 'userPermission')
+    {
+        return $this->getAclManager()->checkUserPermission($this->getUser(), $target, $permissionType);
+    }
+
+    public function checkAssignmentPermission($target)
+    {
+        return $this->getAclManager()->checkAssignmentPermission($this->getUser(), $target);
+    }
 }

--- a/application/Espo/Core/Acl/Base.php
+++ b/application/Espo/Core/Acl/Base.php
@@ -42,6 +42,8 @@ class Base implements Injectable
        'aclManager'
    );

+    protected $scope;
+
    protected $injections = array();

    public function inject($name, $object)
@@ -49,9 +51,10 @@ class Base implements Injectable
        $this->injections[$name] = $object;
    }

-    public function __construct()
+    public function __construct($scope)
    {
        $this->init();
+        $this->scope = $scope;
    }

    protected function init()
@@ -63,6 +66,13 @@ class Base implements Injectable
        return $this->injections[$name];
    }

+    protected function addDependencyList(array $list)
+    {
+        foreach ($list as $item) {
+            $this->addDependency($item);
+        }
+    }
+
    protected function addDependency($name)
    {
        $this->dependencies[] = $name;
@@ -90,27 +100,34 @@ class Base implements Injectable

    public function checkReadOnlyTeam(User $user, $data)
    {
-        if (empty($data) || !is_array($data) || !isset($data['read'])) {
+        if (empty($data) || !is_object($data) || !isset($data->read)) {
            return false;
        }
-        return $data['read'] === 'team';
+        return $data->read === 'team';
    }

    public function checkReadOnlyOwn(User $user, $data)
    {
-        if (empty($data) || !is_array($data) || !isset($data['read'])) {
+        if (empty($data) || !is_object($data) || !isset($data->read)) {
            return false;
        }
-        return $data['read'] === 'own';
+        return $data->read === 'own';
    }

    public function checkEntity(User $user, Entity $entity, $data, $action)
    {
-        return $this->checkScope($user, $data, $entity->getEntityType(), $action, null, null, $entity);
+        if ($user->isAdmin()) {
+            return true;
+        }
+        return $this->checkScope($user, $data, $action, $entity);
    }

-    public function checkScope(User $user, $data, $scope, $action = null, $isOwner = null, $inTeam = null, Entity $entity = null)
+    public function checkScope(User $user, $data, $action = null, Entity $entity = null, $entityAccessData = array())
    {
+        if ($user->isAdmin()) {
+            return true;
+        }
+
        if (is_null($data)) {
            return false;
        }
@@ -120,83 +137,103 @@ class Base implements Injectable
        if ($data === true) {
            return true;
        }
+        if (is_string($data)) {
+            return true;
+        }

-        if (!is_null($action)) {
-            if (array_key_exists($action, $data)) {
-                $value = $data[$action];
+        $isOwner = null;
+        if (isset($entityAccessData['isOwner'])) {
+            $isOwner = $entityAccessData['isOwner'];
+        }
+        $inTeam = null;
+        if (isset($entityAccessData['inTeam'])) {
+            $inTeam = $entityAccessData['inTeam'];
+        }

-                if ($value === 'all' || $value === true) {
-                    return true;
-                }
+        if (is_null($action)) {
+            return true;
+        }

-                if (!$value || $value === 'no') {
-                    return false;
-                }
+        if (!isset($data->$action)) {
+            return true;
+        }

-                if (is_null($isOwner)) {
-                    if ($entity) {
-                        $isOwner = $this->checkIsOwner($user, $entity);
-                    } else {
-                        return true;
-                    }
-                }
+        $value = $data->$action;

-                if ($isOwner) {
-                    if ($value === 'own' || $value === 'team') {
-                        return true;
-                    }
-                }
-                if (is_null($inTeam) && $entity) {
-                    $inTeam = $this->checkInTeam($user, $entity);
-                }
+        if ($value === 'all' || $value === 'yes' || $value === true) {
+            return true;
+        }

-                if ($inTeam) {
-                    if ($value === 'team') {
-                        return true;
-                    }
-                }
-                return false;
+        if (!$value || $value === 'no') {
+            return false;
+        }
+
+        if (is_null($isOwner)) {
+            if ($entity) {
+                $isOwner = $this->checkIsOwner($user, $entity);
+            } else {
+                return true;
            }
        }
-        return true;
+
+        if ($isOwner) {
+            if ($value === 'own' || $value === 'team') {
+                return true;
+            }
+        }
+        if (is_null($inTeam) && $entity) {
+            $inTeam = $this->checkInTeam($user, $entity);
+        }
+
+        if ($inTeam) {
+            if ($value === 'team') {
+                return true;
+            }
+        }
+        return false;
    }

    public function checkIsOwner(User $user, Entity $entity)
    {
-        if ($entity->has('assignedUserId')) {
-            if ($user->id === $entity->get('assignedUserId')) {
-                return true;
+        if ($entity->hasAttribute('assignedUserId')) {
+            if ($entity->has('assignedUserId')) {
+                if ($user->id === $entity->get('assignedUserId')) {
+                    return true;
+                }
            }
-        } else {
+        } else if ($entity->hasAttribute('createdById')) {
            if ($entity->has('createdById')) {
                if ($user->id === $entity->get('createdById')) {
                    return true;
                }
            }
        }
+
+        if ($entity->hasAttribute('assignedUsersIds') && $entity->hasRelation('assignedUsers')) {
+            if ($entity->hasLinkMultipleId('assignedUsers', $user->id)) {
+                return true;
+            }
+        }
+
        return false;
    }

    public function checkInTeam(User $user, Entity $entity)
    {
-        $userTeamIds = $user->get('teamsIds');
+        $userTeamIdList = $user->getLinkMultipleIdList('teams');

-        if (!$entity->hasRelation('teams') || !$entity->hasField('teamsIds')) {
+        if (!$entity->hasRelation('teams') || !$entity->hasAttribute('teamsIds')) {
            return false;
        }

-        if (!$entity->has('teamsIds')) {
-            $entity->loadLinkMultipleField('teams');
-        }
+        $entityTeamIdList = $entity->getLinkMultipleIdList('teams');

-        $teamIds = $entity->get('teamsIds');
-
-        if (empty($teamIds)) {
+        if (empty($entityTeamIdList)) {
            return false;
        }

-        foreach ($userTeamIds as $id) {
-            if (in_array($id, $teamIds)) {
+        foreach ($userTeamIdList as $id) {
+            if (in_array($id, $entityTeamIdList)) {
                return true;
            }
        }
@@ -205,27 +242,32 @@ class Base implements Injectable

    public function checkEntityDelete(User $user, Entity $entity, $data)
    {
-        $result = $this->checkEntity($user, $entity, $data, 'delete');
-        if (!$result) {
-            if (is_array($data)) {
-                if ($data['edit'] != 'no') {
-                    if ($entity->has('createdById') && $entity->get('createdById') == $user->id) {
-                        if (!$entity->has('assignedUserId')) {
+        if ($user->isAdmin()) {
+            return true;
+        }
+
+        if ($this->checkEntity($user, $entity, $data, 'delete')) {
+            return true;
+        }
+
+        if (is_object($data)) {
+            if ($data->edit !== 'no' || $data->create !== 'no') {
+                if ($entity->has('createdById') && $entity->get('createdById') == $user->id) {
+                    if (!$entity->has('assignedUserId')) {
+                        return true;
+                    } else {
+                        if (!$entity->get('assignedUserId')) {
+                            return true;
+                        }
+                        if ($entity->get('assignedUserId') == $entity->get('createdById')) {
                            return true;
-                        } else {
-                            if (!$entity->get('assignedUserId')) {
-                                return true;
-                            }
-                            if ($entity->get('assignedUserId') == $entity->get('createdById')) {
-                                return true;
-                            }
                        }
                    }
                }
            }
        }

-        return $result;
+        return false;
    }
 }

--- a/application/Espo/Core/Acl/Table.php
+++ b/application/Espo/Core/Acl/Table.php
@@ -32,54 +32,114 @@ namespace Espo\Core\Acl;
 use \Espo\Core\Exceptions\Error;

 use \Espo\ORM\Entity;
+use \Espo\Entities\User;
+
+use \Espo\Core\Utils\Config;
+use \Espo\Core\Utils\Metadata;
+use \Espo\Core\Utils\FieldManager;
+use \Espo\Core\Utils\File\Manager as FileManager;

 class Table
 {
-    private $data = array(
-        'table' => array()
+    protected $type = 'acl';
+
+    protected $defaultAclType = 'recordAllTeamOwnNo';
+
+    private $data = null;
+
+    protected $cacheFilePath;
+
+    protected $actionList = ['read', 'stream', 'edit', 'delete', 'create'];
+
+    protected $booleanActionList = ['create'];
+
+    protected $levelList = ['yes', 'all', 'team', 'own', 'no'];
+
+    protected $fieldActionList = ['read', 'edit'];
+
+    protected $fieldLevelList = ['yes', 'no'];
+
+    protected $valuePermissionList = ['assignmentPermission', 'userPermission', 'portalPermission'];
+
+    protected $valuePrtmissionHighestLevels = array(
+        'assignmentPermission' => 'all',
+        'userPermission' => 'all',
+        'portalPermission' => 'yes'
    );

-    private $cacheFile;
+    private $fileManager;

-    private $actionList = ['read', 'edit', 'delete'];
+    private $metadata;

-    private $levelList = ['all', 'team', 'own', 'no'];
+    private $fieldManager;

-    protected $fileManager;
+    protected $forbiddenAttributesCache = array();

-    protected $metadata;
+    protected $forbiddenFieldsCache = array();

-    public function __construct(\Espo\Entities\User $user, $config = null, $fileManager = null, $metadata = null)
+    public function __construct(User $user, Config $config = null, FileManager $fileManager = null, Metadata $metadata = null, FieldManager $fieldManager = null)
    {
+        $this->data = (object) [
+            'table' => (object) [],
+            'fieldTable' => (object) [],
+            'fieldTableQuickAccess' => (object) [],
+        ];
+
        $this->user = $user;

        $this->metadata = $metadata;

-        if (!$this->user->isFetched()) {
-            throw new Error();
+        if ($fieldManager) {
+            $this->fieldManager = $fieldManager;
        }

-        $this->user->loadLinkMultipleField('teams');
+        if (!$this->user->isFetched()) {
+            throw new Error('User must be fetched before ACL check.');
+        }

        if ($fileManager) {
            $this->fileManager = $fileManager;
        }
+        $this->valuePermissionList = $this->metadata->get('app.' . $this->type . '.defs.valuePermissionList', $this->valuePermissionList);

-        $this->cacheFile = 'data/cache/application/acl/' . $user->id . '.php';
+        $this->initCacheFilePath();

-        if ($config && $config->get('useCache') && file_exists($this->cacheFile)) {
-            $cached = include $this->cacheFile;
+        if ($config && $config->get('useCache') && file_exists($this->cacheFilePath)) {
+            $cached = include $this->cacheFilePath;
            $this->data = $cached;
-            $this->initSolid();
        } else {
            $this->load();
-            $this->initSolid();
            if ($config && $fileManager && $config->get('useCache')) {
                $this->buildCache();
            }
        }
    }

+    protected function initCacheFilePath()
+    {
+        $this->cacheFilePath = 'data/cache/application/acl/' . $this->getUser()->id . '.php';
+    }
+
+    protected function getUser()
+    {
+        return $this->user;
+    }
+
+    protected function getMetadata()
+    {
+        return $this->metadata;
+    }
+
+    protected function getFieldManager()
+    {
+        return $this->fieldManager;
+    }
+
+    protected function getConfig()
+    {
+        return $this->config;
+    }
+
    public function getMap()
    {
        return $this->data;
@@ -87,8 +147,8 @@ class Table

    public function getScopeData($scope)
    {
-        if (array_key_exists($scope, $this->data['table'])) {
-            $data = $this->data['table'][$scope];
+        if (isset($this->data->table->$scope)) {
+            $data = $this->data->table->$scope;
            if (is_string($data)) {
                $data = $this->getScopeData($data);
                return $data;
@@ -104,17 +164,17 @@ class Table
            return null;
        }

-        if (array_key_exists($permission, $this->data)) {
-            return $this->data[$permission];
+        if (isset($this->data->$permission)) {
+            return $this->data->$permission;
        }
        return null;
    }

    public function getLevel($scope, $action)
    {
-        if (array_key_exists($scope, $this->data['table'])) {
-            if (array_key_exists($action, $this->data['table'][$scope])) {
-                return $this->data['table'][$scope][$action];
+        if (isset($this->data->table->$scope)) {
+            if (isset($this->data->table->$scope->$action)) {
+                return $this->data->table->$scope->$action;
            }
        }
        return false;
@@ -122,48 +182,363 @@ class Table

    private function load()
    {
-        $aclTables = [];
-        $assignmentPermissionList = [];
-        $userPermissionList = [];
-
-        $userRoles = $this->user->get('roles');
-
-        foreach ($userRoles as $role) {
-            $aclTables[] = $role->get('data');
-            $assignmentPermissionList[] = $role->get('assignmentPermission');
-            $userPermissionList[] = $role->get('userPermission');
+        $valuePermissionLists = (object)[];
+        foreach ($this->valuePermissionList as $permission) {
+            $valuePermissionLists->$permission = [];
        }

-        $teams = $this->user->get('teams');
-        foreach ($teams as $team) {
-            $teamRoles = $team->get('roles');
-            foreach ($teamRoles as $role) {
-                $aclTables[] = $role->get('data');
-                $assignmentPermissionList[] = $role->get('assignmentPermission');
-                $userPermissionList[] = $role->get('userPermission');
+        $aclTableList = [];
+        $fieldTableList = [];
+
+        if (!$this->getUser()->isAdmin()) {
+            $roleList = $this->getRoleList();
+
+            foreach ($roleList as $role) {
+                $aclTableList[] = $role->get('data');
+                $fieldTableList[] = $role->get('fieldData');
+                foreach ($this->valuePermissionList as $permission) {
+                    $valuePermissionLists->{$permission}[] = $role->get($permission);
+                }
+            }
+
+            $aclTable = $this->mergeTableList($aclTableList);
+            $fieldTable = $this->mergeFieldTableList($fieldTableList);
+
+            $this->applyDefault($aclTable, $fieldTable);
+            $this->applyDisabled($aclTable, $fieldTable);
+            $this->applyMandatory($aclTable, $fieldTable);
+            $this->applyAdditional($aclTable, $fieldTable, $valuePermissionLists);
+        } else {
+            $aclTable = (object) [];
+            foreach ($this->getScopeList() as $scope) {
+                if ($this->metadata->get("scopes.{$scope}.{$this->type}") === 'boolean') {
+                    $aclTable->$scope = true;
+                } else {
+                    if ($this->metadata->get("scopes.{$scope}.entity")) {
+                        $aclTable->$scope = (object) [];
+                        foreach ($this->actionList as $action) {
+                            $aclTable->$scope->$action = 'all';
+                            if (in_array($action, $this->booleanActionList)) {
+                                $aclTable->$scope->$action = 'yes';
+                            }
+                        }
+                    }
+                }
+            }
+            $fieldTable = (object) [];
+        }
+
+        foreach ($aclTable as $scope => $data) {
+            if (is_string($data)) {
+                if (isset($aclTable->$data)) {
+                    $aclTable->$scope = $aclTable->$data;
+                }
            }
        }

-        $this->data['table'] = $this->merge($aclTables);
+        $this->data->table = $aclTable;
+        $this->data->fieldTable = $fieldTable;

-        $this->data['assignmentPermission'] = $this->mergeValues($assignmentPermissionList, $this->metadata->get('app.acl.valueDefaults.assignmentPermission', 'all'));
-        $this->data['userPermission'] = $this->mergeValues($userPermissionList, $this->metadata->get('app.acl.valueDefaults.userPermission', 'no'));
+        $this->fillFieldTableQuickAccess();
+
+        if (!$this->getUser()->isAdmin()) {
+            foreach ($this->valuePermissionList as $permission) {
+                $this->data->$permission = $this->mergeValueList($valuePermissionLists->$permission, $this->metadata->get('app.'.$this->type.'.default.' . $permission, 'yes'));
+                if ($this->metadata->get('app.'.$this->type.'.mandatory.' . $permission)) {
+                    $this->data->$permission = $this->metadata->get('app.'.$this->type.'.mandatory.' . $permission);
+                }
+            }
+
+        } else {
+            foreach ($this->valuePermissionList as $permission) {
+                if (isset($this->valuePrtmissionHighestLevels[$permission])) {
+                    $this->data->$permission = $this->valuePrtmissionHighestLevels[$permission];
+                    continue;
+                }
+                $this->data->$permission = 'all';
+            }
+        }
    }

-    private function initSolid()
+    protected function getRoleList()
    {
-        if (!$this->metadata) {
+        $roleList = [];
+
+        $userRoleList = $this->getUser()->get('roles');
+        if (!(is_array($userRoleList) || $userRoleList instanceof \Traversable)) {
+            throw new Error();
+        }
+        foreach ($userRoleList as $role) {
+            $roleList[] = $role;
+        }
+
+        $teamList = $this->getUser()->get('teams');
+        if (!(is_array($teamList) || $teamList instanceof \Traversable)) {
+            throw new Error();
+        }
+        foreach ($teamList as $team) {
+            $teamRoleList = $team->get('roles');
+            foreach ($teamRoleList as $role) {
+                $roleList[] = $role;
+            }
+        }
+
+        return $roleList;
+    }
+
+    public function getScopeForbiddenAttributeList($scope, $action = 'read', $thresholdLevel = 'no')
+    {
+        $key = $scope . '_'. $action . '_' . $thresholdLevel;
+        if (isset($this->forbiddenAttributesCache[$key])) {
+            return $this->forbiddenAttributesCache[$key];
+        }
+
+        $fieldTableQuickAccess = $this->data->fieldTableQuickAccess;
+
+        if (!isset($fieldTableQuickAccess->$scope) || !isset($fieldTableQuickAccess->$scope->attributes) || !isset($fieldTableQuickAccess->$scope->attributes->$action)) {
+            $this->forbiddenAttributesCache[$key] = [];
+            return [];
+        }
+
+        $levelList = [];
+        foreach ($this->fieldLevelList as $level) {
+            if (array_search($level, $this->fieldLevelList) >= array_search($thresholdLevel, $this->fieldLevelList)) {
+                $levelList[] = $level;
+            }
+        }
+
+        $attributeList = [];
+
+        foreach ($levelList as $level) {
+            if (!isset($fieldTableQuickAccess->$scope->attributes->$action->$level)) continue;
+            foreach ($fieldTableQuickAccess->$scope->attributes->$action->$level as $attribute) {
+                if (in_array($attribute, $attributeList)) continue;
+                $attributeList[] = $attribute;
+            }
+        }
+
+        $this->forbiddenAttributesCache[$key] = $attributeList;
+
+        return $attributeList;
+    }
+
+    public function getScopeForbiddenFieldList($scope, $action = 'read', $thresholdLevel = 'no')
+    {
+        $key = $scope . '_'. $action . '_' . $thresholdLevel;
+        if (isset($this->forbiddenFieldsCache[$key])) {
+            return $this->forbiddenFieldsCache[$key];
+        }
+
+        $fieldTableQuickAccess = $this->data->fieldTableQuickAccess;
+
+        if (!isset($fieldTableQuickAccess->$scope) || !isset($fieldTableQuickAccess->$scope->fields) || !isset($fieldTableQuickAccess->$scope->fields->$action)) {
+            $this->forbiddenFieldsCache[$key] = [];
+            return [];
+        }
+
+        $levelList = [];
+        foreach ($this->fieldLevelList as $level) {
+            if (array_search($level, $this->fieldLevelList) >= array_search($thresholdLevel, $this->fieldLevelList)) {
+                $levelList[] = $level;
+            }
+        }
+
+        $fieldList = [];
+
+        foreach ($levelList as $level) {
+            if (!isset($fieldTableQuickAccess->$scope->fields->$action->$level)) continue;
+            foreach ($fieldTableQuickAccess->$scope->fields->$action->$level as $field) {
+                if (in_array($field, $fieldList)) continue;
+                $fieldList[] = $field;
+            }
+        }
+
+        $this->forbiddenFieldsCache[$key] = $fieldList;
+
+        return $fieldList;
+    }
+
+    protected function fillFieldTableQuickAccess()
+    {
+        $fieldTable = $this->data->fieldTable;
+
+        $fieldTableQuickAccess = (object) [];
+
+        foreach (get_object_vars($fieldTable) as $scope => $scopeData) {
+            $fieldTableQuickAccess->$scope = (object) [
+                'attributes' => (object) [],
+                'fields' => (object) []
+            ];
+
+            foreach ($this->fieldActionList as $action) {
+                $fieldTableQuickAccess->$scope->attributes->$action = (object) [];
+                $fieldTableQuickAccess->$scope->fields->$action = (object) [];
+                foreach ($this->fieldLevelList as $level) {
+                    $fieldTableQuickAccess->$scope->attributes->$action->$level = [];
+                    $fieldTableQuickAccess->$scope->fields->$action->$level = [];
+                }
+            }
+
+            foreach (get_object_vars($scopeData) as $field => $fieldData) {
+                $attributeList = $this->getFieldManager()->getAttributeList($scope, $field);
+
+                foreach ($this->fieldActionList as $action) {
+                    if (!isset($fieldData->$action)) continue;
+                    foreach ($this->fieldLevelList as $level) {
+                        if ($fieldData->$action === $level) {
+                            $fieldTableQuickAccess->$scope->fields->$action->{$level}[] = $field;
+                            foreach ($attributeList as $attribute) {
+                                $fieldTableQuickAccess->$scope->attributes->$action->{$level}[] = $attribute;
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+        $this->data->fieldTableQuickAccess = $fieldTableQuickAccess;
+    }
+
+    protected function applyDefault(&$table, &$fieldTable)
+    {
+        if ($this->getUser()->isAdmin()) {
            return;
        }

-        $data = $this->metadata->get('app.acl.solid', array());
+        $data = $this->metadata->get('app.'.$this->type.'.default.scopeLevel', array());

-        foreach ($data as $entityType => $item) {
-            $this->data['table'][$entityType] = $item;
+        foreach ($data as $scope => $item) {
+            if (isset($table->$scope)) continue;
+            $value = $item;
+            if (is_array($item)) {
+                $value = (object) $item;
+            }
+            $table->$scope = $value;
+        }
+
+        $defaultFieldData = $this->metadata->get('app.'.$this->type.'.default.fieldLevel', array());
+
+        foreach ($this->getScopeList() as $scope) {
+            if (isset($table->$scope) && $table->$scope === false) continue;
+            if (!$this->getMetadata()->get('scopes.' . $scope . '.entity')) continue;
+
+            $fieldList = array_keys($this->getMetadata()->get("entityDefs.{$scope}.fields", []));
+
+            $defaultScopeFieldData = $this->metadata->get('app.'.$this->type.'.default.scopeFieldLevel.' . $scope, array());
+
+            foreach (array_merge($defaultFieldData, $defaultScopeFieldData) as $field => $f) {
+                if (!in_array($field, $fieldList)) continue;
+                if (!isset($fieldTable->$scope)) {
+                    $fieldTable->$scope = (object) [];
+                }
+                if (isset($fieldTable->$scope->$field)) continue;
+                $fieldTable->$scope->$field = (object) [];
+                foreach ($this->fieldActionList as $action) {
+                    $level = 'no';
+                    if ($f === true) {
+                        $level = 'yes';
+                    } else {
+                        if (is_array($f) && isset($f[$action])) {
+                            $level = $f[$action];
+                        }
+                    }
+                    $fieldTable->$scope->$field->$action = $level;
+                }
+            }
+        }
+
+        foreach ($this->getScopeWithAclList() as $scope) {
+            if (!isset($table->$scope)) {
+                $aclType = $this->metadata->get('scopes.' . $scope . '.' . $this->type);
+                if ($aclType === true) {
+                    $aclType = $this->defaultAclType;
+                }
+                if (!empty($aclType)) {
+                    $defaultValue = $this->metadata->get('app.'.$this->type.'.scopeLevelTypesDefaults.' . $aclType, $this->metadata->get('app.'.$this->type.'.scopeLevelTypesDefaults.record'));
+                    if (is_array($defaultValue)) {
+                        $defaultValue = (object) $defaultValue;
+                    }
+                    $table->$scope = $defaultValue;
+                }
+            }
        }
    }

-    private function mergeValues(array $list, $defaultValue)
+    protected function applyMandatory(&$table, &$fieldTable)
+    {
+        if ($this->getUser()->isAdmin()) {
+            return;
+        }
+
+        $data = $this->metadata->get('app.'.$this->type.'.mandatory.scopeLevel', array());
+
+        foreach ($data as $scope => $item) {
+            $value = $item;
+            if (is_array($item)) {
+                $value = (object) $item;
+            }
+            $table->$scope = $value;
+        }
+
+        $mandatoryFieldData = $this->metadata->get('app.'.$this->type.'.mandatory.fieldLevel', array());
+
+        foreach ($this->getScopeList() as $scope) {
+            if (isset($table->$scope) && $table->$scope === false) continue;
+            if (!$this->getMetadata()->get('scopes.' . $scope . '.entity')) continue;
+
+            $fieldList = array_keys($this->getMetadata()->get("entityDefs.{$scope}.fields", []));
+
+            $mandatoryScopeFieldData = $this->metadata->get('app.'.$this->type.'.mandatory.scopeFieldLevel.' . $scope, array());
+
+            foreach (array_merge($mandatoryFieldData, $mandatoryScopeFieldData) as $field => $f) {
+                if (!in_array($field, $fieldList)) continue;
+                if (!isset($fieldTable->$scope)) {
+                    $fieldTable->$scope = (object) [];
+                }
+                $fieldTable->$scope->$field = (object) [];
+                foreach ($this->fieldActionList as $action) {
+                    $level = 'no';
+                    if ($f === true) {
+                        $level = 'yes';
+                    } else {
+                        if (is_array($f) && isset($f[$action])) {
+                            $level = $f[$action];
+                        }
+                    }
+                    $fieldTable->$scope->$field->$action = $level;
+                }
+            }
+        }
+    }
+
+    protected function applyDisabled(&$table, &$fieldTable)
+    {
+        if ($this->getUser()->isAdmin()) {
+            return;
+        }
+
+        foreach ($this->getScopeList() as $scope) {
+            if ($this->getMetadata()->get('scopes.' . $scope . '.disabled')) {
+                $table->$scope = false;
+                unset($fieldTable->$scope);
+            }
+        }
+    }
+
+    protected function applyAdditional(&$table, &$fieldTable, &$valuePermissionLists)
+    {
+        if ($this->getUser()->get('isPortalUser')) {
+            foreach ($this->getScopeList() as $scope) {
+                $table->$scope = false;
+                unset($fieldTable->$scope);
+            }
+            foreach ($this->valuePermissionList as $permission) {
+                $valuePermissionLists->{$permission}[] = 'no';
+            }
+        }
+    }
+
+    private function mergeValueList(array $list, $defaultValue)
    {
        $result = null;
        foreach ($list as $level) {
@@ -183,51 +558,74 @@ class Table
        return $result;
    }

-    private function getScopeList()
+    protected function getScopeWithAclList()
    {
        $scopeList = [];
        $scopes = $this->metadata->get('scopes');
        foreach ($scopes as $scope => $d) {
-        	if (!empty($d['acl'])) {
-        		$scopeList[] = $scope;
-        	}
+        	if (empty($d['acl'])) continue;
+        	$scopeList[] = $scope;
        }
        return $scopeList;
    }

-    private function merge($tables)
+    protected function getScopeList()
    {
-        $data = array();
-        $scopeList = $this->getScopeList();
+        $scopeList = [];
+        $scopes = $this->metadata->get('scopes');
+        foreach ($scopes as $scope => $d) {
+            $scopeList[] = $scope;
+        }
+        return $scopeList;
+    }

-        foreach ($tables as $table) {
+    private function mergeTableList(array $tableList)
+    {
+        $data = (object) [];
+        $scopeList = $this->getScopeWithAclList();
+
+        foreach ($tableList as $table) {
            foreach ($scopeList as $scope) {
-            	if (!isset($table->$scope)) {
-            		continue;
-            	}
+            	if (!isset($table->$scope)) continue;
+
            	$row = $table->$scope;

                if ($row == false) {
-                    if (!isset($data[$scope])) {
-                        $data[$scope] = false;
+                    if (!isset($data->$scope)) {
+                        $data->$scope = false;
                    }
                } else if ($row === true) {
-                    $data[$scope] = true;
+                    $data->$scope = true;
                } else {
-                    if (!isset($data[$scope])) {
-                        $data[$scope] = array();
+                    if (!isset($data->$scope)) {
+                        $data->$scope = (object) [];
                    }
-                    if ($data[$scope] == false) {
-                        $data[$scope] = array();
+                    if ($data->$scope === false) {
+                        $data->$scope = (object) [];
                    }

-                    if (is_array($row) || $row instanceof \stdClass) {
-                        foreach ($row as $action => $level) {
-                            if (!isset($data[$scope][$action])) {
-                                $data[$scope][$action] = $level;
+                    if (!is_object($row)) continue;
+
+                    foreach ($this->actionList as $i => $action) {
+                        if (isset($row->$action)) {
+                            $level = $row->$action;
+                            if (!isset($data->$scope->$action)) {
+                                $data->$scope->$action = $level;
                            } else {
-                                if (array_search($data[$scope][$action], $this->levelList) > array_search($level, $this->levelList)) {
-                                    $data[$scope][$action] = $level;
+                                if (array_search($data->$scope->$action, $this->levelList) > array_search($level, $this->levelList)) {
+                                    $data->$scope->$action = $level;
+                                }
+                            }
+                        } else {
+                            if ($i > 0) {
+                                // TODO remove it
+                                $previousAction = $this->actionList[$i - 1];
+                                if (in_array($action, $this->booleanActionList)) {
+                                    $data->$scope->$action = 'yes';
+                                } else {
+                                    if (isset($data->$scope->$previousAction)) {
+                                        $data->$scope->$action = $data->$scope->$previousAction;
+                                    }
                                }
                            }
                        }
@@ -236,24 +634,75 @@ class Table
            }
        }

-        foreach ($scopeList as $scope) {
-        	if (!array_key_exists($scope, $data)) {
-        		$aclType = $this->metadata->get('scopes.' . $scope . '.acl');
-                if ($aclType === true) {
-                    $aclType = 'recordAllTeamOwnNo';
+        return $data;
+    }
+
+    private function mergeFieldTableList(array $tableList)
+    {
+        $data = (object) [];
+        $scopeList = $this->getScopeWithAclList();
+
+        foreach ($tableList as $table) {
+            foreach ($scopeList as $scope) {
+                if (!isset($table->$scope)) continue;
+
+                if (!isset($data->$scope)) {
+                    $data->$scope = (object) [];
                }
-        		if (!empty($aclType)) {
-	        		$data[$scope] = $this->metadata->get('app.acl.defaults.' . $aclType, true);
-        		}
-        	}
+
+                if (!is_object($table->$scope)) continue;
+
+                $fieldList = array_keys($this->getMetadata()->get("entityDefs.{$scope}.fields", []));
+
+                foreach (get_object_vars($table->$scope) as $field => $row) {
+                    if (!is_object($row)) continue;
+
+                    if (!in_array($field, $fieldList)) continue;
+
+                    if (!isset($data->$scope->$field)) {
+                        $data->$scope->$field = (object) [];
+                    }
+
+                    foreach ($this->fieldActionList as $i => $action) {
+                        if (!isset($row->$action)) continue;
+
+                        $level = $row->$action;
+                        if (!isset($data->$scope->$field->$action)) {
+                            $data->$scope->$field->$action = $level;
+                        } else {
+                            if (array_search($data->$scope->$field->$action, $this->fieldLevelList) > array_search($level, $this->fieldLevelList)) {
+                                $data->$scope->$field->$action = $level;
+                            }
+                        }
+                    }
+                }
+            }
        }
+
        return $data;
    }

    private function buildCache()
    {
-        $contents = '<' . '?'. 'php return ' .  var_export($this->data, true)  . ';';
-        $this->fileManager->putContents($this->cacheFile, $contents);
+        $contents = '<' . '?'. 'php return ' .  $this->varExport($this->data)  . ';';
+        $this->fileManager->putContents($this->cacheFilePath, $contents);
+    }
+
+    private function varExport($variable)
+    {
+        if ($variable instanceof \StdClass) {
+            $result = '(object) ' . $this->varExport(get_object_vars($variable), true);
+        } else if (is_array($variable)) {
+            $array = array();
+            foreach ($variable as $key => $value) {
+                $array[] = var_export($key, true).' => ' . $this->varExport($value, true);
+            }
+            $result = '['.implode(', ', $array).']';
+        } else {
+            $result = var_export($variable, true);
+        }
+
+        return $result;
    }
 }

--- a/application/Espo/Core/AclManager.php
+++ b/application/Espo/Core/AclManager.php
@@ -45,6 +45,8 @@ class AclManager

    private $tableHashMap = array();

+    protected $tableClassName = '\\Espo\\Core\\Acl\\Table';
+
    public function __construct(Container $container)
    {
        $this->container = $container;
@@ -56,6 +58,11 @@ class AclManager
        return $this->container;
    }

+    protected function getMetadata()
+    {
+        return $this->metadata;
+    }
+
    public function getImplementation($scope)
    {
        if (empty($this->implementationHashMap[$scope])) {
@@ -75,10 +82,10 @@ class AclManager
            }

            if (class_exists($className)) {
-                $acl = new $className();
+                $acl = new $className($scope);
                $dependencies = $acl->getDependencyList();
                foreach ($dependencies as $name) {
-                    $acl->inject($name, $this->container->get($name));
+                    $acl->inject($name, $this->getContainer()->get($name));
                }
                $this->implementationHashMap[$scope] = $acl;
            } else {
@@ -91,14 +98,18 @@ class AclManager

    protected function getTable(User $user)
    {
-        $key = spl_object_hash($user);
+        $key = $user->id;
+        if (empty($key)) {
+            $key = spl_object_hash($user);
+        }

        if (empty($this->tableHashMap[$key])) {
            $config = $this->getContainer()->get('config');
            $fileManager = $this->getContainer()->get('fileManager');
            $metadata = $this->getContainer()->get('metadata');
+            $fieldManager = $this->getContainer()->get('fieldManager');

-            $this->tableHashMap[$key] = new \Espo\Core\Acl\Table($user, $config, $fileManager, $metadata);
+            $this->tableHashMap[$key] = new $this->tableClassName($user, $config, $fileManager, $metadata, $fieldManager);
        }

        return $this->tableHashMap[$key];
@@ -119,9 +130,6 @@ class AclManager

    public function get(User $user, $permission)
    {
-        if ($user->isAdmin()) {
-            return true;
-        }
        return $this->getTable($user)->get($permission);
    }

@@ -143,46 +151,48 @@ class AclManager
        return $this->getImplementation($scope)->checkReadOnlyOwn($user, $data);
    }

-    public function check(User $user, $subject, $action = null, $isOwner = null, $inTeam = null)
+    public function check(User $user, $subject, $action = null)
    {
-        if ($user->isAdmin()) {
-            return true;
-        }
        if (is_string($subject)) {
-            return $this->checkScope($user, $subject, $action, $isOwner, $inTeam);
+            return $this->checkScope($user, $subject, $action);
        } else {
            $entity = $subject;
            if ($entity instanceof Entity) {
-                $entityType = $entity->getEntityType();
-
-                $impl = $this->getImplementation($entityType);
-                $methodName = 'checkEntity' . ucfirst($action);
-                if (method_exists($impl, $methodName)) {
-                    $data = $this->getTable($user)->getScopeData($entityType);
-                    return $impl->$methodName($user, $entity, $data);
-                }
-
                return $this->checkEntity($user, $entity, $action);
            }
        }
    }

-    public function checkEntity(User $user, Entity $entity, $action)
+    public function checkEntity(User $user, Entity $entity, $action = 'read')
    {
-        if ($user->isAdmin()) {
-            return true;
+        $scope = $entity->getEntityType();
+
+        $data = $this->getTable($user)->getScopeData($scope);
+
+        $impl = $this->getImplementation($scope);
+
+        $methodName = 'checkEntity' . ucfirst($action);
+        if (method_exists($impl, $methodName)) {
+            return $impl->$methodName($user, $entity, $data);
        }
-        $data = $this->getTable($user)->getScopeData($entity->getEntityType());
-        return $this->getImplementation($entity->getEntityType())->checkEntity($user, $entity, $data, $action);
+
+        return $impl->checkEntity($user, $entity, $data, $action);
    }

-    public function checkScope(User $user, $scope, $action = null, $isOwner = null, $inTeam = null, $entity = null)
+    public function checkIsOwner(User $user, Entity $entity)
+    {
+        return $this->getImplementation($entity->getEntityType())->checkIsOwner($user, $entity);
+    }
+
+    public function checkInTeam(User $user, Entity $entity)
+    {
+        return $this->getImplementation($entity->getEntityType())->checkInTeam($user, $entity);
+    }
+
+    public function checkScope(User $user, $scope, $action = null)
    {
-        if ($user->isAdmin()) {
-            return true;
-        }
        $data = $this->getTable($user)->getScopeData($scope);
-        return $this->getImplementation($scope)->checkScope($user, $data, $scope, $action, $isOwner, $inTeam, $entity);
+        return $this->getImplementation($scope)->checkScope($user, $data, $action);
    }

    public function checkUser(User $user, $permission, User $entity)
@@ -213,5 +223,52 @@ class AclManager
        }
        return true;
    }
+
+    public function getScopeForbiddenAttributeList(User $user, $scope, $action = 'read', $thresholdLevel = 'no')
+    {
+        if ($user->isAdmin()) return [];
+        return $this->getTable($user)->getScopeForbiddenAttributeList($scope, $action, $thresholdLevel);
+    }
+
+    public function getScopeForbiddenFieldList(User $user, $scope, $action = 'read', $thresholdLevel = 'no')
+    {
+        if ($user->isAdmin()) return [];
+        return $this->getTable($user)->getScopeForbiddenFieldList($scope, $action, $thresholdLevel);
+    }
+
+    public function checkUserPermission(User $user, $target, $permissionType = 'userPermission')
+    {
+        $permission = $this->get($user, $permissionType);
+
+        if (is_object($target)) {
+            $userId = $target->id;
+        } else {
+            $userId = $target;
+        }
+
+        if ($user->id === $userId) return true;
+
+        if ($permission === 'no') {
+            return false;
+        }
+
+        if ($permission === 'yes') {
+            return true;
+        }
+
+        if ($permission === 'team') {
+            $teamIdList = $user->getLinkMultipleIdList('teams');
+            if (!$this->getContainer()->get('entityManager')->getRepository('User')->checkBelongsToAnyOfTeams($userId, $teamIdList)) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    public function checkAssignmentPermission(User $user, $target)
+    {
+        return $this->checkUserPermission($user, $target, 'assignmentPermission');
+    }
 }

--- a/application/Espo/Core/AclPortal/Base.php
+++ b/application/Espo/Core/AclPortal/Base.php
@@ -0,0 +1,212 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\AclPortal;
+
+use \Espo\Entities\User;
+use \Espo\ORM\Entity;
+
+class Base extends \Espo\Core\Acl\Base
+{
+    public function checkScope(User $user, $data, $action = null, Entity $entity = null, $entityAccessData = array())
+    {
+        if ($user->isAdmin()) {
+            return true;
+        }
+
+        if (is_null($data)) {
+            return false;
+        }
+        if ($data === false) {
+            return false;
+        }
+        if ($data === true) {
+            return true;
+        }
+        if (is_string($data)) {
+            return true;
+        }
+
+        $isOwner = null;
+        if (isset($entityAccessData['isOwner'])) {
+            $isOwner = $entityAccessData['isOwner'];
+        }
+        $inAccount = null;
+        if (isset($entityAccessData['inAccount'])) {
+            $inAccount = $entityAccessData['inAccount'];
+        }
+        $isOwnContact = null;
+        if (isset($entityAccessData['isOwnContact'])) {
+            $isOwnContact = $entityAccessData['isOwnContact'];
+        }
+
+        if (is_null($action)) {
+            return true;
+        }
+
+        if (!isset($data->$action)) {
+            return true;
+        }
+
+        $value = $data->$action;
+
+        if ($value === 'all' || $value === 'yes' || $value === true) {
+            return true;
+        }
+
+        if (!$value || $value === 'no') {
+            return false;
+        }
+
+        if (is_null($isOwner)) {
+            if ($entity) {
+                $isOwner = $this->checkIsOwner($user, $entity);
+            } else {
+                return true;
+            }
+        }
+
+        if ($isOwner) {
+            if ($value === 'own' || $value === 'account' || $value === 'contact') {
+                return true;
+            }
+        }
+
+        if ($value === 'account') {
+            if (is_null($inAccount) && $entity) {
+                $inAccount = $this->checkInAccount($user, $entity);
+            }
+            if ($inAccount) {
+                return true;
+            }
+        }
+
+        if ($value === 'contact') {
+            if (is_null($isOwnContact) && $entity) {
+                $isOwnContact = $this->checkIsOwnContact($user, $entity);
+            }
+            if ($isOwnContact) {
+                return true;
+            }
+        }
+
+        return false;
+
+    }
+
+    public function checkReadOnlyAccount(User $user, $data)
+    {
+        if (empty($data) || !is_object($data) || !isset($data->read)) {
+            return false;
+        }
+        return $data->read === 'account';
+    }
+
+    public function checkReadOnlyContact(User $user, $data)
+    {
+        if (empty($data) || !is_object($data) || !isset($data->read)) {
+            return false;
+        }
+        return $data->read === 'contact';
+    }
+
+    public function checkIsOwner(User $user, Entity $entity)
+    {
+        if ($entity->hasAttribute('createdById')) {
+            if ($entity->has('createdById')) {
+                if ($user->id === $entity->get('createdById')) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+
+    public function checkInAccount(User $user, Entity $entity)
+    {
+        $accountIdList = $user->getLinkMultipleIdList('accounts');
+        if (count($accountIdList)) {
+            if ($entity->hasAttribute('accountId')) {
+                if (in_array($entity->get('accountId'), $accountIdList)) {
+                    return true;
+                }
+            }
+
+            if ($entity->hasRelation('accounts')) {
+                $repository = $this->getEntityManager()->getRepository($entity->getEntityType());
+                foreach ($accountIdList as $accountId) {
+                    if ($repository->isRelated($entity, 'accounts', $accountId)) {
+                        return true;
+                    }
+                }
+            }
+
+            if ($entity->hasAttribute('parentId') && $entity->hasRelation('parent')) {
+                if ($entity->get('parentType') === 'Account') {
+                    if (in_array($entity->get('parentId'), $accountIdList)) {
+                        return true;
+                    }
+                }
+            }
+        }
+
+        return false;
+    }
+
+    public function checkIsOwnContact(User $user, Entity $entity)
+    {
+        $contactId = $user->get('contactId');
+        if ($contactId) {
+            if ($entity->hasAttribute('contactId')) {
+                if ($entity->get('contactId') === $contactId) {
+                    return true;
+                }
+            }
+
+            if ($entity->hasRelation('contacts')) {
+                $repository = $this->getEntityManager()->getRepository($entity->getEntityType());
+                if ($repository->isRelated($entity, 'contacts', $contactId)) {
+                    return true;
+                }
+            }
+
+            if ($entity->hasAttribute('parentId') && $entity->hasRelation('parent')) {
+                if ($entity->get('parentType') === 'Contact') {
+                    if ($entity->get('parentId') === $contactId) {
+                        return true;
+                    }
+                }
+            }
+        }
+
+        return false;
+    }
+
+}
+
--- a/application/Espo/Core/AclPortal/Table.php
+++ b/application/Espo/Core/AclPortal/Table.php
@@ -0,0 +1,135 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\AclPortal;
+
+use \Espo\Core\Exceptions\Error;
+
+use \Espo\ORM\Entity;
+use \Espo\Entities\User;
+use \Espo\Entities\Portal;
+
+use \Espo\Core\Utils\Config;
+use \Espo\Core\Utils\Metadata;
+use \Espo\Core\Utils\FieldManager;
+use \Espo\Core\Utils\File\Manager as FileManager;
+
+class Table extends \Espo\Core\Acl\Table
+{
+    protected $type = 'aclPortal';
+
+    protected $portal;
+
+    protected $defaultAclType = 'recordAllOwnNo';
+
+    protected $levelList = ['yes', 'all', 'account', 'contact', 'own', 'no'];
+
+    protected $valuePermissionList = [];
+
+    public function __construct(User $user, Portal $portal, Config $config = null, FileManager $fileManager = null, Metadata $metadata = null, FieldManager $fieldManager = null)
+    {
+        if (empty($portal)) {
+            throw new Error("No portal was passed to AclPortal\\Table constructor.");
+        }
+        $this->portal = $portal;
+        parent::__construct($user, $config, $fileManager, $metadata, $fieldManager);
+    }
+
+    protected function getPortal()
+    {
+        return $this->portal;
+    }
+
+    protected function initCacheFilePath()
+    {
+        $this->cacheFilePath = 'data/cache/application/acl-portal/'.$this->getPortal()->id.'/' . $this->getUser()->id . '.php';
+    }
+
+    protected function getRoleList()
+    {
+        $roleList = [];
+
+        $userRoleList = $this->getUser()->get('portalRoles');
+        if (!(is_array($userRoleList) || $userRoleList instanceof \Traversable)) {
+            throw new Error();
+        }
+        foreach ($userRoleList as $role) {
+            $roleList[] = $role;
+        }
+
+        $portalRoleList = $this->getPortal()->get('portalRoles');
+        if (!(is_array($portalRoleList) || $portalRoleList instanceof \Traversable)) {
+            throw new Error();
+        }
+        foreach ($portalRoleList as $role) {
+            $roleList[] = $role;
+        }
+
+        return $roleList;
+    }
+
+    protected function getScopeWithAclList()
+    {
+        $scopeList = [];
+        $scopes = $this->getMetadata()->get('scopes');
+        foreach ($scopes as $scope => $d) {
+            if (empty($d['acl'])) continue;
+            if (empty($d['aclPortal'])) continue;
+            $scopeList[] = $scope;
+        }
+        return $scopeList;
+    }
+
+    protected function applyDefault(&$table, &$fieldTable)
+    {
+        parent::applyDefault($table, $fieldTable);
+
+        foreach ($this->getScopeList() as $scope) {
+            if (!isset($table->$scope)) {
+                $table->$scope = false;
+            }
+        }
+    }
+
+    protected function applyDisabled(&$table, &$fieldTable)
+    {
+        foreach ($this->getScopeList() as $scope) {
+            $d = $this->getMetadata()->get('scopes.' . $scope);
+            if (!empty($d['disabled']) || !empty($d['portalDisabled'])) {
+                $table->$scope = false;
+                unset($fieldTable->$scope);
+            }
+        }
+    }
+
+    protected function applyAdditional(&$table, &$fieldTable, &$valuePermissionLists)
+    {
+    }
+}
+
--- a/application/Espo/Core/Application.php
+++ b/application/Espo/Core/Application.php
@@ -33,26 +33,28 @@ class Application
 {
    private $metadata;

-    private $container;
+    protected $container;

    private $slim;

    private $auth;

-    /**
-     * Constructor
-     */
    public function __construct()
    {
-        $this->container = new Container();
-
        date_default_timezone_set('UTC');

-        $GLOBALS['log'] = $this->container->get('log');
+        $this->initContainer();
+
+        $GLOBALS['log'] = $this->getContainer()->get('log');

        $this->initAutoloads();
    }

+    protected function initContainer()
+    {
+        $this->container = new Container();
+    }
+
    public function getSlim()
    {
        if (empty($this->slim)) {
@@ -69,12 +71,9 @@ class Application
        return $this->metadata;
    }

-    protected function getAuth()
+    protected function createAuth()
    {
-        if (empty($this->auth)) {
-            $this->auth = new \Espo\Core\Utils\Auth($this->container);
-        }
-        return $this->auth;
+        return new \Espo\Core\Utils\Auth($this->container);
    }

    public function getContainer()
@@ -91,19 +90,10 @@ class Application

    public function runClient()
    {
-        $config = $this->getContainer()->get('config');
-        $themeManager = $this->getContainer()->get('themeManager');
-
-        $html = file_get_contents('main.html');
-        $html = str_replace('{{cacheTimestamp}}', $config->get('cacheTimestamp', 0), $html);
-        $html = str_replace('{{useCache}}', $config->get('useCache') ? 'true' : 'false' , $html);
-        $html = str_replace('{{stylesheet}}', $themeManager->getStylesheet(), $html);
-        $html = str_replace('{{runScript}}', 'app.start();' , $html);
-        echo $html;
-        exit;
+        $this->getContainer()->get('clientManager')->display();
    }

-    public function runEntryPoint($entryPoint)
+    public function runEntryPoint($entryPoint, $data = array(), $final = false)
    {
        if (empty($entryPoint)) {
            throw new \Error();
@@ -112,18 +102,27 @@ class Application
        $slim = $this->getSlim();
        $container = $this->getContainer();

-        $slim->get('/', function() {});
-        $slim->post('/', function() {});
+        $slim->any('.*', function() {});

        $entryPointManager = new \Espo\Core\EntryPointManager($container);

        try {
-            $auth = $this->getAuth();
-            $apiAuth = new \Espo\Core\Utils\Api\Auth($auth, $entryPointManager->checkAuthRequired($entryPoint), true);
+            $authRequired = $entryPointManager->checkAuthRequired($entryPoint);
+            $authNotStrict = $entryPointManager->checkNotStrictAuth($entryPoint);
+            if ($authRequired && !$authNotStrict) {
+                if (!$final && $portalId = $this->detectedPortalId()) {
+                    $app = new \Espo\Core\Portal\Application($portalId);
+                    $app->setBasePath($this->getBasePath());
+                    $app->runEntryPoint($entryPoint, $data, true);
+                    exit;
+                }
+            }
+            $auth = new \Espo\Core\Utils\Auth($this->container, $authNotStrict);
+            $apiAuth = new \Espo\Core\Utils\Api\Auth($auth, $authRequired, true);
            $slim->add($apiAuth);

-            $slim->hook('slim.before.dispatch', function () use ($entryPoint, $entryPointManager, $container) {
-                $entryPointManager->run($entryPoint);
+            $slim->hook('slim.before.dispatch', function () use ($entryPoint, $entryPointManager, $container, $data) {
+                $entryPointManager->run($entryPoint, $data);
            });

            $slim->run();
@@ -134,7 +133,7 @@ class Application

    public function runCron()
    {
-        $auth = $this->getAuth();
+        $auth = $this->createAuth();
        $auth->useNoAuth(true);

        $cronManager = new \Espo\Core\CronManager($this->container);
@@ -164,20 +163,25 @@ class Application
        return false;
    }

+    protected function createApiAuth($auth)
+    {
+        return new \Espo\Core\Utils\Api\Auth($auth);
+    }
+
    protected function routeHooks()
    {
        $container = $this->getContainer();
        $slim = $this->getSlim();

        try {
-            $auth = $this->getAuth();
+            $auth = $this->createAuth();
        } catch (\Exception $e) {
            $container->get('output')->processError($e->getMessage(), $e->getCode());
        }

-        $apiAuth = new \Espo\Core\Utils\Api\Auth($auth);
-        $this->getSlim()->add($apiAuth);
+        $apiAuth = $this->createApiAuth($auth);

+        $this->getSlim()->add($apiAuth);
        $this->getSlim()->hook('slim.before.dispatch', function () use ($slim, $container) {

            $route = $slim->router()->getCurrentRoute();
@@ -237,13 +241,19 @@ class Application
        });
    }

-    protected function initRoutes()
+    protected function getRouteList()
    {
        $routes = new \Espo\Core\Utils\Route($this->getContainer()->get('config'), $this->getMetadata(), $this->getContainer()->get('fileManager'));
-        $crudList = array_keys( $this->getContainer()->get('config')->get('crud') );

-        foreach ($routes->getAll() as $route) {

+        return $routes->getAll();
+    }
+
+    protected function initRoutes()
+    {
+        $crudList = array_keys($this->getContainer()->get('config')->get('crud'));
+
+        foreach ($this->getRouteList() as $route) {
            $method = strtolower($route['method']);
            if (!in_array($method, $crudList)) {
                $GLOBALS['log']->error('Route: Method ['.$method.'] does not exist. Please check your route ['.$route['route'].']');
@@ -288,5 +298,37 @@ class Application

        $classLoader->register(true);
    }
+
+    public function setBasePath($basePath)
+    {
+        $this->getContainer()->get('clientManager')->setBasePath($basePath);
+    }
+
+    public function getBasePath()
+    {
+        return $this->getContainer()->get('clientManager')->getBasePath();
+    }
+
+    public function detectedPortalId()
+    {
+        if (!empty($_GET['portalId'])) {
+            return $_GET['portalId'];
+        }
+        if (!empty($_COOKIE['auth-token'])) {
+            $token = $this->getContainer()->get('entityManager')->getRepository('AuthToken')->where(array('token' => $_COOKIE['auth-token']))->findOne();
+
+            if ($token && $token->get('portalId')) {
+                return $token->get('portalId');
+            }
+        }
+        return null;
+    }
+
+    public function setupSystemUser()
+    {
+        $user = $this->getContainer()->get('entityManager')->getEntity('User', 'system');
+        $this->getContainer()->setUser($user);
+        $this->getContainer()->get('entityManager')->setUser($user);
+    }
 }

--- a/application/Espo/Core/Container.php
+++ b/application/Espo/Core/Container.php
@@ -28,6 +28,7 @@
 ************************************************************************/

 namespace Espo\Core;
+
 class Container
 {

@@ -39,7 +40,6 @@ class Container
     */
    public function __construct()
    {
-
    }

    public function get($name)
@@ -47,7 +47,15 @@ class Container
        if (empty($this->data[$name])) {
            $this->load($name);
        }
-        return $this->data[$name];
+        if (isset($this->data[$name])) {
+            return $this->data[$name];
+        }
+        return null;
+    }
+
+    protected function set($name, $obj)
+    {
+        $this->data[$name] = $obj;
    }

    private function load($name)
@@ -115,53 +123,54 @@ class Container
        return $this;
    }

-    private function loadSlim()
+    protected function loadSlim()
    {
        return new \Espo\Core\Utils\Api\Slim();
    }

-    private function loadFileManager()
+    protected function loadFileManager()
    {
        return new \Espo\Core\Utils\File\Manager(
            $this->get('config')
        );
    }

-    private function loadPreferences()
+    protected function loadPreferences()
    {
        return $this->get('entityManager')->getEntity('Preferences', $this->get('user')->id);
    }

-    private function loadConfig()
+    protected function loadConfig()
    {
        return new \Espo\Core\Utils\Config(
            new \Espo\Core\Utils\File\Manager()
        );
    }

-    private function loadHookManager()
+    protected function loadHookManager()
    {
        return new \Espo\Core\HookManager(
            $this
        );
    }

-    private function loadOutput()
+    protected function loadOutput()
    {
        return new \Espo\Core\Utils\Api\Output(
            $this->get('slim')
        );
    }

-    private function loadMailSender()
+    protected function loadMailSender()
    {
        $className = $this->getServiceClassName('mailSernder', '\\Espo\\Core\\Mail\\Sender');
        return new $className(
-            $this->get('config')
+            $this->get('config'),
+            $this->get('entityManager')
        );
    }

-    private function loadDateTime()
+    protected function loadDateTime()
    {
        return new \Espo\Core\Utils\DateTime(
            $this->get('config')->get('dateFormat'),
@@ -170,7 +179,7 @@ class Container
        );
    }

-    private function loadNumber()
+    protected function loadNumber()
    {
        return new \Espo\Core\Utils\Number(
            $this->get('config')->get('decimalMark'),
@@ -178,24 +187,26 @@ class Container
        );
    }

-    private function loadServiceFactory()
+    protected function loadServiceFactory()
    {
        return new \Espo\Core\ServiceFactory(
            $this
        );
    }

-    private function loadSelectManagerFactory()
+    protected function loadSelectManagerFactory()
    {
        return new \Espo\Core\SelectManagerFactory(
            $this->get('entityManager'),
            $this->get('user'),
            $this->get('acl'),
-            $this->get('metadata')
+            $this->get('aclManager'),
+            $this->get('metadata'),
+            $this->get('config')
        );
    }

-    private function loadMetadata()
+    protected function loadMetadata()
    {
        return new \Espo\Core\Utils\Metadata(
            $this->get('config'),
@@ -203,15 +214,16 @@ class Container
        );
    }

-    private function loadLayout()
+    protected function loadLayout()
    {
        return new \Espo\Core\Utils\Layout(
            $this->get('fileManager'),
-            $this->get('metadata')
+            $this->get('metadata'),
+            $this->get('user')
        );
    }

-    private function loadAclManager()
+    protected function loadAclManager()
    {
        $className = $this->getServiceClassName('acl', '\\Espo\\Core\\AclManager');
        return new $className(
@@ -219,7 +231,7 @@ class Container
        );
    }

-    private function loadAcl()
+    protected function loadAcl()
    {
        $className = $this->getServiceClassName('acl', '\\Espo\\Core\\Acl');
        return new $className(
@@ -228,7 +240,7 @@ class Container
        );
    }

-    private function loadSchema()
+    protected function loadSchema()
    {
        return new \Espo\Core\Utils\Database\Schema\Schema(
            $this->get('config'),
@@ -239,7 +251,7 @@ class Container
        );
    }

-    private function loadClassParser()
+    protected function loadClassParser()
    {
        return new \Espo\Core\Utils\File\ClassParser(
            $this->get('fileManager'),
@@ -248,7 +260,7 @@ class Container
        );
    }

-    private function loadLanguage()
+    protected function loadLanguage()
    {
        return new \Espo\Core\Utils\Language(
            $this->get('fileManager'),
@@ -258,36 +270,37 @@ class Container
        );
    }

-    private function loadCrypt()
+    protected function loadCrypt()
    {
        return new \Espo\Core\Utils\Crypt(
            $this->get('config')
        );
    }

-    private function loadScheduledJob()
+    protected function loadScheduledJob()
    {
        return new \Espo\Core\Utils\ScheduledJob(
            $this
        );
    }

-    private function loadDataManager()
+    protected function loadDataManager()
    {
        return new \Espo\Core\DataManager(
            $this
        );
    }

-    private function loadFieldManager()
+    protected function loadFieldManager()
    {
        return new \Espo\Core\Utils\FieldManager(
            $this->get('metadata'),
-            $this->get('language')
+            $this->get('language'),
+            $this
        );
    }

-    private function loadThemeManager()
+    protected function loadThemeManager()
    {
        return new \Espo\Core\Utils\ThemeManager(
            $this->get('config'),
@@ -295,9 +308,17 @@ class Container
        );
    }

-    public function setUser($user)
+    protected function loadClientManager()
    {
-        $this->data['user'] = $user;
+        return new \Espo\Core\Utils\ClientManager(
+            $this->get('config'),
+            $this->get('themeManager')
+        );
+    }
+
+    public function setUser(\Espo\Entities\User $user)
+    {
+        $this->set('user', $user);
    }
 }

--- a/application/Espo/Core/ControllerManager.php
+++ b/application/Espo/Core/ControllerManager.php
@@ -119,7 +119,7 @@ class ControllerManager
            $controller->$afterMethodName($params, $data, $request);
        }

-        if (is_array($result) || is_bool($result)) {
+        if (is_array($result) || is_bool($result) || $result instanceof \StdClass) {
            return \Espo\Core\Utils\Json::encode($result);
        }

--- a/application/Espo/Core/Controllers/Record.php
+++ b/application/Espo/Core/Controllers/Record.php
@@ -64,7 +64,7 @@ class Record extends Base
        return $service;
    }

-    public function actionRead($params)
+    public function actionRead($params, $data, $request)
    {
        $id = $params['id'];
        $entity = $this->getRecordService()->getEntity($id);
@@ -87,7 +87,7 @@ class Record extends Base
            throw new BadRequest();
        }

-        if (!$this->getAcl()->check($this->name, 'edit')) {
+        if (!$this->getAcl()->check($this->name, 'create')) {
            throw new Forbidden();
        }

@@ -128,12 +128,10 @@ class Record extends Base
        $where = $request->get('where');
        $offset = $request->get('offset');
        $maxSize = $request->get('maxSize');
-        $asc = $request->get('asc') === 'true';
+        $asc = $request->get('asc', 'true') === 'true';
        $sortBy = $request->get('sortBy');
        $q = $request->get('q');
-        $primaryFilter = $request->get('primaryFilter');
        $textFilter = $request->get('textFilter');
-        $boolFilterList = $request->get('boolFilterList');

        if (empty($maxSize)) {
            $maxSize = self::MAX_SIZE_LIMIT;
@@ -151,12 +149,8 @@ class Record extends Base
            'q' => $q,
            'textFilter' => $textFilter
        );
-        if ($request->get('primaryFilter')) {
-            $params['primaryFilter'] = $request->get('primaryFilter');
-        }
-        if ($request->get('boolFilterList')) {
-            $params['boolFilterList'] = $request->get('boolFilterList');
-        }
+
+        $this->fetchListParamsFromRequest($params, $request, $data);

        $result = $this->getRecordService()->findEntities($params);

@@ -166,6 +160,16 @@ class Record extends Base
        );
    }

+    protected function fetchListParamsFromRequest(&$params, $request, $data)
+    {
+        if ($request->get('primaryFilter')) {
+            $params['primaryFilter'] = $request->get('primaryFilter');
+        }
+        if ($request->get('boolFilterList')) {
+            $params['boolFilterList'] = $request->get('boolFilterList');
+        }
+    }
+
    public function actionListLinked($params, $data, $request)
    {
        $id = $params['id'];
@@ -174,7 +178,7 @@ class Record extends Base
        $where = $request->get('where');
        $offset = $request->get('offset');
        $maxSize = $request->get('maxSize');
-        $asc = $request->get('asc') === 'true';
+        $asc = $request->get('asc', 'true') === 'true';
        $sortBy = $request->get('sortBy');
        $q = $request->get('q');
        $textFilter = $request->get('textFilter');
@@ -195,12 +199,8 @@ class Record extends Base
            'q' => $q,
            'textFilter' => $textFilter
        );
-        if ($request->get('primaryFilter')) {
-            $params['primaryFilter'] = $request->get('primaryFilter');
-        }
-        if ($request->get('boolFilterList')) {
-            $params['boolFilterList'] = $request->get('boolFilterList');
-        }
+
+        $this->fetchListParamsFromRequest($params, $request, $data);

        $result = $this->getRecordService()->findLinkedEntities($id, $link, $params);

@@ -292,7 +292,6 @@ class Record extends Base
            $params['where'] = $where;
        }
        if (array_key_exists('ids', $data)) {
-            $where = json_decode(json_encode($data['where']), true);
            $params['ids'] = $data['ids'];
        }

@@ -321,18 +320,18 @@ class Record extends Base
            $where = json_decode(json_encode($data['where']), true);
            return $this->getRecordService()->linkEntityMass($id, $link, $where);
        } else {
-            $foreignIds = array();
+            $foreignIdList = array();
            if (isset($data['id'])) {
-                $foreignIds[] = $data['id'];
+                $foreignIdList[] = $data['id'];
            }
            if (isset($data['ids']) && is_array($data['ids'])) {
                foreach ($data['ids'] as $foreignId) {
-                    $foreignIds[] = $foreignId;
+                    $foreignIdList[] = $foreignId;
                }
            }

            $result = false;
-            foreach ($foreignIds as $foreignId) {
+            foreach ($foreignIdList as $foreignId) {
                if ($this->getRecordService()->linkEntity($id, $link, $foreignId)) {
                    $result = true;
                }
@@ -386,7 +385,7 @@ class Record extends Base
        if (!$request->isPut()) {
            throw new BadRequest();
        }
-        if (!$this->getAcl()->check($this->name, 'read')) {
+        if (!$this->getAcl()->check($this->name, 'stream')) {
            throw new Forbidden();
        }
        $id = $params['id'];
@@ -411,17 +410,34 @@ class Record extends Base
            throw new BadRequest();
        }

-        if (empty($data['targetId']) || empty($data['sourceIds']) || !is_array($data['sourceIds'])) {
+        if (empty($data['targetId']) || empty($data['sourceIds']) || !is_array($data['sourceIds']) || !($data['attributes'] instanceof \StdClass)) {
            throw new BadRequest();
        }
        $targetId = $data['targetId'];
        $sourceIds = $data['sourceIds'];
+        $attributes = get_object_vars($data['attributes']);

        if (!$this->getAcl()->check($this->name, 'edit')) {
            throw new Forbidden();
        }

-        return $this->getRecordService()->merge($targetId, $sourceIds);
+        return $this->getRecordService()->merge($targetId, $sourceIds, $attributes);
+    }
+
+    public function postActionGetDuplicateAttributes($params, $data, $request)
+    {
+        if (empty($data['id'])) {
+            throw new BadRequest();
+        }
+
+        if (!$this->getAcl()->check($this->name, 'create')) {
+            throw new Forbidden();
+        }
+        if (!$this->getAcl()->check($this->name, 'read')) {
+            throw new Forbidden();
+        }
+
+        return $this->getRecordService()->getDuplicateAttributes($data['id']);
    }
 }

--- a/application/Espo/Core/Controllers/RecordTree.php
+++ b/application/Espo/Core/Controllers/RecordTree.php
@@ -37,7 +37,6 @@ use \Espo\Core\Utils\Util;

 class RecordTree extends Record
 {
-
    public static $defaultAction = 'list';

    protected $defaultRecordServiceName = 'RecordTree';
@@ -51,9 +50,11 @@ class RecordTree extends Record
        $where = $request->get('where');
        $parentId = $request->get('parentId');
        $maxDepth = $request->get('maxDepth');
+        $onlyNotEmpty = $request->get('onlyNotEmpty');

        $collection = $this->getRecordService()->getTree($parentId, array(
-            'where' => $where
+            'where' => $where,
+            'onlyNotEmpty' => $onlyNotEmpty
        ), 0, $maxDepth);
        return array(
            'list' => $collection->toArray(),
--- a/application/Espo/Core/CronManager.php
+++ b/application/Espo/Core/CronManager.php
@@ -35,15 +35,21 @@ use Espo\Core\Exceptions\NotFound;
 class CronManager
 {
    private $container;
+
    private $config;
+
    private $fileManager;
+
    private $entityManager;

    private $scheduledJobUtil;

    const PENDING = 'Pending';
+
    const RUNNING = 'Running';
+
    const SUCCESS = 'Success';
+
    const FAILED = 'Failed';

    protected $lastRunTime = 'data/cache/application/cronLastRunTime.php';
@@ -149,19 +155,15 @@ class CronManager

        $this->setLastRunTime(time());

-        $entityManager = $this->getEntityManager();
-
-        $cronJob = $this->getCronJob();
-        $cronScheduledJob = $this->getCronScheduledJob();
-
-        //Check scheduled jobs and create related jobs
+        $this->getCronJob()->markFailedJobs();
+        $this->getCronJob()->updateFailedJobAttempts();
        $this->createJobsFromScheduledJobs();
+        $this->getCronJob()->removePendingJobDuplicates();

-        $pendingJobs = $cronJob->getPendingJobs();
+        $pendingJobList = $this->getCronJob()->getPendingJobList();

-        foreach ($pendingJobs as $job) {
-
-            $jobEntity = $entityManager->getEntity('Job', $job['id']);
+        foreach ($pendingJobList as $job) {
+            $jobEntity = $this->getEntityManager()->getEntity('Job', $job['id']);

            if (!isset($jobEntity)) {
                $GLOBALS['log']->error('CronManager: empty Job entity ['.$job['id'].'].');
@@ -169,7 +171,7 @@ class CronManager
            }

            $jobEntity->set('status', self::RUNNING);
-            $entityManager->saveEntity($jobEntity);
+            $this->getEntityManager()->saveEntity($jobEntity);

            $isSuccess = true;

@@ -187,11 +189,10 @@ class CronManager
            $status = $isSuccess ? self::SUCCESS : self::FAILED;

            $jobEntity->set('status', $status);
-            $entityManager->saveEntity($jobEntity);
+            $this->getEntityManager()->saveEntity($jobEntity);

-            //set status in the schedulerJobLog
            if (!empty($job['scheduled_job_id'])) {
-                $cronScheduledJob->addLogRecord($job['scheduled_job_id'], $status);
+                $this->getCronScheduledJob()->addLogRecord($job['scheduled_job_id'], $status, null, $job['target_id'], $job['target_type']);
            }
        }
    }
@@ -213,12 +214,20 @@ class CronManager
        }

        $jobClass = new $className($this->container);
-        $method = $this->getScheduledJobUtil()->getMethodName();
+        $method = 'run';
        if (!method_exists($jobClass, $method)) {
            throw new NotFound();
        }

-        $jobClass->$method();
+        $data = null;
+        if (!empty($job['data'])) {
+            $data = $job['data'];
+            if (Json::isJSON($data)) {
+                $data = Json::decode($data, true);
+            }
+        }
+
+        $jobClass->$method($data, $job['target_id'], $job['target_type']);
    }

    /**
@@ -248,7 +257,7 @@ class CronManager
            $data = Json::decode($data, true);
        }

-        $service->$serviceMethod($data);
+        $service->$serviceMethod($data, $job['target_id'], $job['target_type']);
    }

    /**
@@ -258,55 +267,62 @@ class CronManager
     */
    protected function createJobsFromScheduledJobs()
    {
-        $entityManager = $this->getEntityManager();
+        $activeScheduledJobList = $this->getCronScheduledJob()->getActiveScheduledJobList();

-        $activeScheduledJobs = $this->getCronScheduledJob()->getActiveJobs();
+        $runningScheduledJobIdList = $this->getCronJob()->getRunningScheduledJobIdList();

-        $cronJob = $this->getCronJob();
-        $runningScheduledJobs = $cronJob->getActiveJobs('scheduled_job_id', self::RUNNING, PDO::FETCH_COLUMN);
+        $createdJobIdList = array();
+        foreach ($activeScheduledJobList as $scheduledJob) {
+            $scheduling = $scheduledJob['scheduling'];

-        $createdJobs = array();
-        foreach ($activeScheduledJobs as $scheduledJob) {
-
-            if (in_array($scheduledJob['id'], $runningScheduledJobs)) {
+            try {
+                $cronExpression = \Cron\CronExpression::factory($scheduling);
+            } catch (\Exception $e) {
+                $GLOBALS['log']->error('CronManager (ScheduledJob ['.$scheduledJob['id'].']): Scheduling string error - '. $e->getMessage() . '.');
                continue;
            }

-            $scheduling = $scheduledJob['scheduling'];
-
-            $cronExpression = \Cron\CronExpression::factory($scheduling);
-
            try {
-                $prevDate = $cronExpression->getPreviousRunDate()->format('Y-m-d H:i:s');
+                $previousDate = $cronExpression->getPreviousRunDate()->format('Y-m-d H:i:s');
            } catch (\Exception $e) {
-                $GLOBALS['log']->error('CronManager: ScheduledJob ['.$scheduledJob['id'].']: CronExpression - Impossible CRON expression ['.$scheduling.']');
+                $GLOBALS['log']->error('CronManager (ScheduledJob ['.$scheduledJob['id'].']): Unsupported CRON expression ['.$scheduling.']');
                continue;
            }

            if ($cronExpression->isDue()) {
-                $prevDate = date('Y-m-d H:i:s');
+                $previousDate = date('Y-m-d H:i:s');
            }

-            $existsJob = $cronJob->getJobByScheduledJob($scheduledJob['id'], $prevDate);
+            $existingJob = $this->getCronJob()->getJobByScheduledJob($scheduledJob['id'], $previousDate);
+            if ($existingJob) continue;

-            if (!isset($existsJob) || empty($existsJob)) {
-                //create a new job
-                $jobEntity = $entityManager->getEntity('Job');
-                $jobEntity->set(array(
-                    'name' => $scheduledJob['name'],
-                    'status' => self::PENDING,
-                    'scheduledJobId' => $scheduledJob['id'],
-                    'executeTime' => $prevDate,
-                    'method' => $scheduledJob['job'],
-                ));
-                $jobEntityId = $entityManager->saveEntity($jobEntity);
-                if (!empty($jobEntityId)) {
-                    $createdJobs[] = $jobEntityId;
+            $className = $this->getScheduledJobUtil()->get($scheduledJob['job']);
+            if ($className) {
+                if (method_exists($className, 'prepare')) {
+                    $implementation = new $className($this->container);
+                    $implementation->prepare($scheduledJob, $previousDate);
+                    continue;
                }
            }
+
+            if (in_array($scheduledJob['id'], $runningScheduledJobIdList)) {
+                continue;
+            }
+
+            $jobEntity = $this->getEntityManager()->getEntity('Job');
+            $jobEntity->set(array(
+                'name' => $scheduledJob['name'],
+                'status' => self::PENDING,
+                'scheduledJobId' => $scheduledJob['id'],
+                'executeTime' => $previousDate,
+                'method' => $scheduledJob['job']
+            ));
+            $this->getEntityManager()->saveEntity($jobEntity);
+
+            $createdJobIdList[] = $jobEntity->id;
        }

-        return $createdJobs;
+        return $createdJobIdList;
    }
 }

--- a/application/Espo/Core/EntryPointManager.php
+++ b/application/Espo/Core/EntryPointManager.php
@@ -81,7 +81,16 @@ class EntryPointManager
        return $className::$authRequired;
    }

-    public function run($name)
+    public function checkNotStrictAuth($name)
+    {
+        $className = $this->getClassName($name);
+        if (!$className) {
+            throw new NotFound();
+        }
+        return $className::$notStrictAuth;
+    }
+
+    public function run($name, $data = array())
    {
        $className = $this->getClassName($name);
        if (!$className) {
@@ -89,7 +98,7 @@ class EntryPointManager
        }
        $entryPoint = new $className($this->container);

-        $entryPoint->run();
+        $entryPoint->run($data);
    }

    protected function getClassName($name)
--- a/application/Espo/Core/EntryPoints/Base.php
+++ b/application/Espo/Core/EntryPoints/Base.php
@@ -39,6 +39,8 @@ abstract class Base

    public static $authRequired = true;

+    public static $notStrictAuth = false;
+
    protected function getContainer()
    {
        return $this->container;
@@ -94,12 +96,15 @@ abstract class Base
        return $this->getContainer()->get('language');
    }

+    protected function getClientManager()
+    {
+        return $this->getContainer()->get('clientManager');
+    }
+
    public function __construct(Container $container)
    {
        $this->container = $container;
    }

-    abstract public function run();
-
 }

--- a/application/Espo/Core/HookManager.php
+++ b/application/Espo/Core/HookManager.php
@@ -131,7 +131,7 @@ class HookManager
            }
            return $hook;
        }
-        $GLOBALS['log']->error("Hook class '{$name}' does not exist.");
+        $GLOBALS['log']->error("Hook class '{$className}' does not exist.");
    }

    /**
--- a/application/Espo/Core/Hooks/Base.php
+++ b/application/Espo/Core/Hooks/Base.php
@@ -29,15 +29,16 @@

 namespace Espo\Core\Hooks;

-use \Espo\Core\Interfaces\Injectable;
+use Espo\Core\Interfaces\Injectable;

 abstract class Base implements Injectable
 {
    protected $dependencies = array(
+        'container',
        'entityManager',
        'config',
        'metadata',
-        'acl',
+        'aclManager',
        'user',
    );

@@ -59,6 +60,13 @@ abstract class Base implements Injectable
        return $this->dependencies;
    }

+    protected function addDependencyList(array $list)
+    {
+        foreach ($list as $item) {
+            $this->addDependency($item);
+        }
+    }
+
    protected function addDependency($name)
    {
        $this->dependencies[] = $name;
@@ -74,29 +82,39 @@ abstract class Base implements Injectable
        $this->injections[$name] = $object;
    }

+    protected function getContainer()
+    {
+        return $this->getInjection('container');
+    }
+
    protected function getEntityManager()
    {
-        return $this->injections['entityManager'];
+        return $this->getInjection('entityManager');
    }

    protected function getUser()
    {
-        return $this->injections['user'];
+        return $this->getInjection('user');
    }

    protected function getAcl()
    {
-        return $this->injections['acl'];
+        return $this->getContainer()->get('acl');
+    }
+
+    protected function getAclManager()
+    {
+        return $this->getInjection('aclManager');
    }

    protected function getConfig()
    {
-        return $this->injections['config'];
+        return $this->getInjection('config');
    }

    protected function getMetadata()
    {
-        return $this->injections['metadata'];
+        return $this->getInjection('metadata');
    }

    protected function getRepository()
--- a/application/Espo/Core/Htmlizer/Htmlizer.php
+++ b/application/Espo/Core/Htmlizer/Htmlizer.php
@@ -46,11 +46,19 @@ class Htmlizer

    protected $config;

-    public function __construct(FileManager $fileManager, DateTime $dateTime, Number $number)
+    protected $acl;
+
+    public function __construct(FileManager $fileManager, DateTime $dateTime, Number $number, $acl = null)
    {
        $this->fileManager = $fileManager;
        $this->dateTime = $dateTime;
        $this->number = $number;
+        $this->acl = $acl;
+    }
+
+    protected function getAcl()
+    {
+        return $this->acl;
    }

    protected function formatNumber($value)
@@ -68,20 +76,25 @@ class Htmlizer
        return $value;
    }

-    protected function getDataFromEntity(Entity $entity)
+    protected function getDataFromEntity(Entity $entity, $skipLinks = false)
    {
        $data = $entity->toArray();

-
-
        $fieldDefs = $entity->getFields();
        $fieldList = array_keys($fieldDefs);

+        $forbidenAttributeList = [];
+
+        if ($this->getAcl()) {
+            $forbidenAttributeList = $this->getAcl()->getScopeForbiddenAttributeList($entity->getEntityType(), 'read');
+        }
+
        foreach ($fieldList as $field) {
-            $type = null;
-            if (!empty($fieldDefs[$field]['type'])) {
-                $type = $fieldDefs[$field]['type'];
-            }
+            if (in_array($field, $forbidenAttributeList)) continue;
+
+
+            $type = $entity->getAttributeType($field);
+
            if ($type == Entity::DATETIME) {
                if (!empty($data[$field])) {
                    $data[$field] = $this->dateTime->convertSystemDateTime($data[$field]);
@@ -116,6 +129,8 @@ class Htmlizer
                        $data[$field][$k] = $this->format($data[$field][$k]);
                    }
                }
+            } else if ($type === Entity::PASSWORD) {
+                unset($data[$field]);
            }

            if (array_key_exists($field, $data)) {
@@ -123,19 +138,52 @@ class Htmlizer
            }
        }

+        if (!$skipLinks) {
+            $relationDefs = $entity->getRelations();
+            foreach ($entity->getRelationList() as $relation) {
+                if (
+                    !empty($relationDefs[$relation]['type'])
+                    &&
+                    ($entity->getRelationType($relation) === 'belongsTo' || $entity->getRelationType($relation) === 'belongsToParent')
+                ) {
+                    $relatedEntity = $entity->get($relation);
+                    if (!$relatedEntity) continue;
+                    if ($this->getAcl()) {
+                        if (!$this->getAcl()->check($relatedEntity, 'read')) continue;
+                    }
+
+                    $data[$relation] = $this->getDataFromEntity($relatedEntity, true);
+                }
+            }
+        }
+
        return $data;
    }

-    public function render(Entity $entity, $template)
+    public function render(Entity $entity, $template, $id = null, $additionalData = array(), $skipLinks = false)
    {
        $code = \LightnCandy::compile($template);
-        $id = uniqid('', true);
-        $fileName = 'data/cache/template-' . $id;
-        $this->fileManager->putContents($fileName, $code);
-        $renderer = include($fileName);
-        $this->fileManager->removeFile($fileName);

-        $data = $this->getDataFromEntity($entity);
+        $toRemove = false;
+        if ($id === null) {
+            $id = uniqid('', true);
+            $toRemove = true;
+        }
+
+        $fileName = 'data/cache/templates/' . $id . '.php';
+
+        $this->fileManager->putContents($fileName, $code);
+        $renderer = $this->fileManager->getPhpContents($fileName);
+
+        if ($toRemove) {
+            $this->fileManager->removeFile($fileName);
+        }
+
+        $data = $this->getDataFromEntity($entity, $skipLinks);
+
+        foreach ($additionalData as $k => $value) {
+            $data[$k] = $value;
+        }

        $html = $renderer($data);

--- a/application/Espo/Core/Interfaces/Injectable.php
+++ b/application/Espo/Core/Interfaces/Injectable.php
@@ -25,14 +25,14 @@
 *
 * In accordance with Section 7(b) of the GNU General Public License version 3,
 * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
- ************************************************************************/ 
+ ************************************************************************/

 namespace Espo\Core\Interfaces;

 interface Injectable
 {
    public function getDependencyList();
-    
+
    public function inject($name, $object);
 }

--- a/application/Espo/Core/Jobs/Base.php
+++ b/application/Espo/Core/Jobs/Base.php
@@ -70,7 +70,5 @@ abstract class Base
        $this->container = $container;
    }

-    abstract public function run();
-
 }

--- a/application/Espo/Core/Loaders/EmailFilterManager.php
+++ b/application/Espo/Core/Loaders/EmailFilterManager.php
@@ -0,0 +1,43 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Loaders;
+
+class EmailFilterManager extends Base
+{
+    public function load()
+    {
+        $emailFilterManager = new \Espo\Core\Utils\EmailFilterManager(
+            $this->getContainer()->get('entityManager')
+        );
+
+        return $emailFilterManager;
+    }
+}
+
--- a/application/Espo/Core/Loaders/EntityManager.php
+++ b/application/Espo/Core/Loaders/EntityManager.php
@@ -40,6 +40,7 @@ class EntityManager extends Base
            'port' => $config->get('database.port'),
            'dbname' => $config->get('database.dbname'),
            'user' => $config->get('database.user'),
+            'charset' => $config->get('database.charset', 'utf8'),
            'password' => $config->get('database.password'),
            'metadata' => $this->getContainer()->get('metadata')->getOrmMetadata(),
            'repositoryFactoryClassName' => '\\Espo\\Core\\ORM\\RepositoryFactory',
--- a/application/Espo/Core/Mail/FiltersMatcher.php
+++ b/application/Espo/Core/Mail/FiltersMatcher.php
@@ -39,8 +39,14 @@ class FiltersMatcher

    }

-    public function match(Email $email, $filterList = [])
+    public function match(Email $email, $subject, $skipBody = false)
    {
+        if (is_array($subject) || $subject instanceof \Traversable) {
+            $filterList = $subject;
+        } else {
+            $filterList = [$subject];
+        }
+
        foreach ($filterList as $filter) {
            if ($filter->get('from')) {
                if ($this->matchString(strtolower($filter->get('from')), strtolower($email->get('from')))) {
@@ -63,11 +69,24 @@ class FiltersMatcher
                }
            }
        }
+
+        if (!$skipBody) {
+            if ($this->matchBody($email, $filterList)) {
+                return true;
+            }
+        }
+
        return false;
    }

-    public function matchBody(Email $email, $filterList = [])
+    public function matchBody(Email $email, $subject)
    {
+        if (is_array($subject) || $subject instanceof \Traversable) {
+            $filterList = $subject;
+        } else {
+            $filterList = [$subject];
+        }
+
        foreach ($filterList as $filter) {
            if ($filter->get('bodyContains')) {
                $phraseList = $filter->get('bodyContains');
--- a/application/Espo/Core/Mail/Importer.php
+++ b/application/Espo/Core/Mail/Importer.php
@@ -38,16 +38,13 @@ class Importer
 {
    private $entityManager;

-    private $fileManager;
-
    private $config;

    private $filtersMatcher;

-    public function __construct($entityManager, $fileManager, $config)
+    public function __construct($entityManager, $config)
    {
        $this->entityManager = $entityManager;
-        $this->fileManager = $fileManager;
        $this->config = $config;
        $this->filtersMatcher = new FiltersMatcher();
    }
@@ -56,42 +53,43 @@ class Importer
    {
        return $this->entityManager;
    }
+
    protected function getConfig()
    {
        return $this->config;
    }

-    protected function getFileManager()
-    {
-        return $this->fileManager;
-    }
-
    protected function getFiltersMatcher()
    {
        return $this->filtersMatcher;
    }

-    public function importMessage($message, $userId = null, $teamsIdList = [], $userIdList = [], $filterList = [])
+    public function importMessage($message, $assignedUserId = null, $teamsIdList = [], $userIdList = [], $filterList = [], $fetchOnlyHeader = false, $folderData = null)
    {
        try {
            $email = $this->getEntityManager()->getEntity('Email');

+            $email->set('isBeingImported', true);
+
            $subject = $message->subject;
-            if ($subject !== '0' && empty($subject)) {
+            if ($subject !== '0' && empty(trim($subject))) {
                $subject = '(No Subject)';
            }

            $email->set('isHtml', false);
            $email->set('name', $subject);
            $email->set('status', 'Archived');
-            $email->set('attachmentsIds', array());
-            if ($userId) {
-                $email->set('assignedUserId', $userId);
+            $email->set('attachmentsIds', []);
+            if ($assignedUserId) {
+                $email->set('assignedUserId', $assignedUserId);
+                $email->addLinkMultipleId('assignedUsers', $assignedUserId);
            }
            $email->set('teamsIds', $teamsIdList);

            if (!empty($userIdList)) {
-                $email->set('usersIds', $userIdList);
+                foreach ($userIdList as $uId) {
+                    $email->addLinkMultipleId('users', $uId);
+                }
            }

            $fromArr = $this->getAddressListFromMessage($message, 'from');
@@ -111,10 +109,15 @@ class Importer
            $email->set('cc', implode(';', $ccArr));
            $email->set('replyTo', implode(';', $replyToArr));

-            if ($this->getFiltersMatcher()->match($email, $filterList)) {
-                return false;
+            if ($folderData) {
+                foreach ($folderData as $uId => $folderId) {
+                    $email->setLinkMultipleColumn('users', 'folderId', $uId, $folderId);
+                }
            }

+            if ($this->getFiltersMatcher()->match($email, $filterList, true)) {
+                return false;
+            }

            if (isset($message->messageId) && !empty($message->messageId)) {
                $email->set('messageId', $message->messageId);
@@ -127,21 +130,23 @@ class Importer
            }

            if ($duplicate = $this->findDuplicate($email)) {
-            	$duplicate->loadLinkMultipleField('users');
-            	$usersIds = $duplicate->get('usersIds');
-                if ($userId) {
-                    if (!in_array($userId, $usersIds)) {
-            	       $usersIds[] = $userId;
-                    }
+                if ($assignedUserId) {
+                    $duplicate->addLinkMultipleId('users', $assignedUserId);
+                    $duplicate->addLinkMultipleId('assignedUsers', $assignedUserId);
                }
                if (!empty($userIdList)) {
-                    foreach ($userIdList as $additionalUserId) {
-                        if (!in_array($additionalUserId, $usersIds)) {
-                            $usersIds[] = $additionalUserId;
-                        }
+                    foreach ($userIdList as $uId) {
+                        $duplicate->addLinkMultipleId('users', $uId);
                    }
                }
-            	$duplicate->set('usersIds', $usersIds);
+
+                if ($folderData) {
+                    foreach ($folderData as $uId => $folderId) {
+                        $email->setLinkMultipleColumn('users', 'folderId', $uId, $folderId);
+                    }
+                }
+
+                $duplicate->set('isBeingImported', true);

            	$this->getEntityManager()->saveEntity($duplicate);

@@ -150,7 +155,7 @@ class Importer
                        $this->getEntityManager()->getRepository('Email')->relate($duplicate, 'teams', $teamId);
                    }
                }
-                return false;
+                return $duplicate;
            }

            if (isset($message->date)) {
@@ -172,32 +177,42 @@ class Importer

            $inlineIds = array();

-            if ($message->isMultipart()) {
-                foreach (new \RecursiveIteratorIterator($message) as $part) {
-                    $this->importPartDataToEmail($email, $part, $inlineIds);
+            if (!$fetchOnlyHeader) {
+                if ($message->isMultipart()) {
+                    foreach (new \RecursiveIteratorIterator($message) as $part) {
+                        $this->importPartDataToEmail($email, $part, $inlineIds);
+                    }
+                } else {
+                    $this->importPartDataToEmail($email, $message, $inlineIds, 'text/plain');
+                }
+
+                if (!$email->get('body') && $email->get('bodyPlain')) {
+                    $email->set('body', $email->get('bodyPlain'));
+                }
+
+                $body = $email->get('body');
+                if (!empty($body)) {
+                    foreach ($inlineIds as $cid => $attachmentId) {
+                        if (strpos($body, 'cid:' . $cid) !== false) {
+                            $body = str_replace('cid:' . $cid, '?entryPoint=attachment&amp;id=' . $attachmentId, $body);
+                        } else {
+                            $email->addLinkMultipleId('attachments', $attachmentId);
+                        }
+                    }
+                    $email->set('body', $body);
+                }
+
+                if ($this->getFiltersMatcher()->matchBody($email, $filterList)) {
+                    return false;
                }
            } else {
-                $this->importPartDataToEmail($email, $message, $inlineIds, 'text/plain');
-            }
-
-            if (!$email->get('body') && $email->get('bodyPlain')) {
-                $email->set('body', $email->get('bodyPlain'));
-            }
-
-            $body = $email->get('body');
-            if (!empty($body)) {
-                foreach ($inlineIds as $cid => $attachmentId) {
-                    $body = str_replace('cid:' . $cid, '?entryPoint=attachment&amp;id=' . $attachmentId, $body);
-                }
-                $email->set('body', $body);
-            }
-
-            if ($this->getFiltersMatcher()->matchBody($email, $filterList)) {
-                return false;
+                $email->set('body', '(Not fetched)');
+                $email->set('isHtml', false);
            }

            $parentFound = false;

+            $replied = null;
            if (isset($message->inReplyTo) && !empty($message->inReplyTo)) {
                $arr = explode(' ', $message->inReplyTo);
                $inReplyTo = $arr[0];
@@ -247,6 +262,15 @@ class Importer
                }
            }

+            if (!$parentFound) {
+                if ($replied && $replied->get('parentId') && $replied->get('parentType')) {
+                    $parentFound = $this->getEntityManager()->getEntity($replied->get('parentType'), $replied->get('parentId'));
+                    if ($parentFound) {
+                        $email->set('parentType', $replied->get('parentType'));
+                        $email->set('parentId', $replied->get('parentId'));
+                    }
+                }
+            }
            if (!$parentFound) {
                $from = $email->get('from');
                if ($from) {
@@ -358,6 +382,8 @@ class Importer
                } else if (strpos(strtolower($part->ContentDisposition), 'inline') === 0) {
                    $contentDisposition = 'inline';
                }
+            } else if (isset($part->contentID)) {
+                $contentDisposition = 'inline';
            }

            if (empty($type)) {
@@ -401,7 +427,6 @@ class Importer
                $contentId = null;

                if ($contentDisposition) {
-
                    if ($contentDisposition === 'attachment') {
                        $fileName = $this->fetchFileNameFromContentDisposition($part->ContentDisposition);
                        if ($fileName) {
@@ -442,13 +467,10 @@ class Importer
                    $content = base64_decode($content);
                }

-                $attachment->set('size', strlen($content));
+                $attachment->set('contents', $content);

                $this->getEntityManager()->saveEntity($attachment);

-                $path = 'data/upload/' . $attachment->id;
-                $this->getFileManager()->putContents($path, $content);
-
                if ($disposition == 'attachment') {
                    $attachmentsIds = $email->get('attachmentsIds');
                    $attachmentsIds[] = $attachment->id;
@@ -460,24 +482,61 @@ class Importer
        } catch (\Exception $e) {}
    }

-    protected function fetchFileNameFromContentDisposition($contentDisposition)
+    protected function decodeAttachmentFileName($fileName)
    {
-        $m = array();
-        if (preg_match('/filename="?([^"]+)"?/i', $contentDisposition, $m)) {
-            $fileName = $m[1];
-            return $fileName;
-        } else if (preg_match('/filename\*="?([^"]+)"?/i', $contentDisposition, $m)) {
-            $fileName = $m[1];
-            if ($fileName && stripos($fileName, "''") !== false) {
-                list($encoding, $fileName) = explode("''", $fileName);
-                $fileName = rawurldecode($fileName);
-                if (strtoupper($encoding) !== 'UTF-8') {
+        if ($fileName && stripos($fileName, "''") !== false) {
+            list($encoding, $fileName) = explode("''", $fileName);
+            $fileName = rawurldecode($fileName);
+            if (strtoupper($encoding) !== 'UTF-8') {
+                if ($encoding) {
                    $fileName = mb_convert_encoding($fileName, 'UTF-8', $encoding);
                }
-                return $fileName;
            }
        }
-        return false;
+        return $fileName;
+    }
+
+    protected function fetchFileNameFromContentDisposition($contentDisposition)
+    {
+        $contentDisposition = preg_replace('/\\\\"/', "{{_!Q!U!O!T!E!_}}", $contentDisposition);
+
+        $fileName = false;
+        $m = array();
+
+        if (preg_match('/filename="([^"]+)";?/i', $contentDisposition, $m)) {
+            $fileName = $m[1];
+        } else if (preg_match('/filename=([^";]+);?/i', $contentDisposition, $m)) {
+            $fileName = $m[1];
+        } else if (preg_match('/filename\*="([^"]+)";?/i', $contentDisposition, $m)) {
+            $fileName = $m[1];
+            $fileName = $this->decodeAttachmentFileName($fileName);
+        } else if (preg_match('/filename\*=([^";]+);?/i', $contentDisposition, $m)) {
+            $fileName = $m[1];
+            $fileName = $this->decodeAttachmentFileName($fileName);
+        } else {
+            $fileName = '';
+            foreach (['0', '1'] as $i) {
+                if (preg_match('/filename\*'.$i.'[\*]?="([^"]+)";?/i', $contentDisposition, $m)) {
+                    $part = $m[1];
+                    $fileName .= $part;
+                } else if (preg_match('/filename\*'.$i.'[\*]?=([^";]+);?/i', $contentDisposition, $m)) {
+                    $part = $m[1];
+                    $fileName .= $part;
+                }
+            }
+
+            if ($fileName === '') {
+                $fileName = null;
+            } else {
+                $fileName = $this->decodeAttachmentFileName($fileName);
+            }
+        }
+
+        if ($fileName) {
+            $fileName = str_replace('{{_!Q!U!O!T!E!_}}', '"', $fileName);
+        }
+
+        return $fileName;
    }

    protected function getContentFromPart($part)
--- a/application/Espo/Core/Mail/Mail/Storage/Message.php
+++ b/application/Espo/Core/Mail/Mail/Storage/Message.php
@@ -34,6 +34,7 @@ use Zend\Mail\Header\HeaderInterface;
 use Zend\Mime;
 use Zend\Mail\Storage\Exception;
 use Zend\Mail\Storage\AbstractStorage;
+use Zend\Stdlib\ErrorHandler;

 class Message extends \Zend\Mail\Storage\Message
 {
--- a/application/Espo/Core/Mail/Sender.php
+++ b/application/Espo/Core/Mail/Sender.php
@@ -45,18 +45,31 @@ class Sender
 {
    protected $config;

+    protected $entityManager;
+
    protected $transport;

    protected $isGlobal = false;

    protected $params = array();

-    public function __construct($config)
+    public function __construct($config, $entityManager)
    {
        $this->config = $config;
+        $this->entityManager = $entityManager;
        $this->useGlobal();
    }

+    protected function getConfig()
+    {
+        return $this->config;
+    }
+
+    protected function getEntityManager()
+    {
+        return $this->entityManager;
+    }
+
    public function resetParams()
    {
        $this->params = array();
@@ -91,10 +104,10 @@ class Sender
            $opts['connection_config']['ssl'] = strtolower($params['security']);
        }

-        if (in_array('fromName', $params)) {
+        if (array_key_exists('fromName', $params)) {
            $this->params['fromName'] = $params['fromName'];
        }
-        if (in_array('fromAddress', $params)) {
+        if (array_key_exists('fromAddress', $params)) {
            $this->params['fromAddress'] = $params['fromAddress'];
        }

@@ -235,7 +248,7 @@ class Sender

        if (!empty($attachmentCollection)) {
            foreach ($attachmentCollection as $a) {
-                $fileName = 'data/upload/' . $a->id;
+                $fileName = $this->getEntityManager()->getRepository('Attachment')->getFilePath($a);
                $attachment = new MimePart(file_get_contents($fileName));
                $attachment->disposition = Mime::DISPOSITION_ATTACHMENT;
                $attachment->encoding = Mime::ENCODING_BASE64;
@@ -249,7 +262,7 @@ class Sender

        if (!empty($attachmentInlineCollection)) {
            foreach ($attachmentInlineCollection as $a) {
-                $fileName = 'data/upload/' . $a->id;
+                $fileName = $this->getEntityManager()->getRepository('Attachment')->getFilePath($a);
                $attachment = new MimePart(file_get_contents($fileName));
                $attachment->disposition = Mime::DISPOSITION_INLINE;
                $attachment->encoding = Mime::ENCODING_BASE64;
@@ -327,15 +340,12 @@ class Sender
        $message->setEncoding('UTF-8');

        try {
-            $rand = mt_rand(1000, 9999);
-
-            if ($email->get('parentType') && $email->get('parentId')) {
-                $messageId = '' . $email->get('parentType') .'/' . $email->get('parentId') . '/' . time() . '/' . $rand . '@espo';
+            $messageId = $email->get('messageId');
+            if (empty($messageId) || !is_string($messageId) || strlen($messageId) < 4) {
+                $messageId = $this->generateMessageId($email);
+                $email->set('messageId', '<' . $messageId . '>');
            } else {
-                $messageId = '' . md5($email->get('name')) . '/' . time() . '/' . $rand .  '@espo';
-            }
-            if ($email->get('isSystem')) {
-                $messageId .= '-system';
+                $messageId = substr($messageId, 1, strlen($messageId) - 2);
            }

            $messageIdHeader = new \Zend\Mail\Header\MessageId();
@@ -344,7 +354,6 @@ class Sender

            $this->transport->send($message);

-            $email->set('messageId', '<' . $messageId . '>');
            $email->set('status', 'Sent');
            $email->set('dateSent', date("Y-m-d H:i:s"));
        } catch (\Exception $e) {
@@ -353,5 +362,21 @@ class Sender

        $this->useGlobal();
    }
+
+    static public function generateMessageId(Email $email)
+    {
+        $rand = mt_rand(1000, 9999);
+
+        if ($email->get('parentType') && $email->get('parentId')) {
+            $messageId = '' . $email->get('parentType') .'/' . $email->get('parentId') . '/' . time() . '/' . $rand . '@espo';
+        } else {
+            $messageId = '' . md5($email->get('name')) . '/' . time() . '/' . $rand .  '@espo';
+        }
+        if ($email->get('isSystem')) {
+            $messageId .= '-system';
+        }
+
+        return $messageId;
+    }
 }

--- a/application/Espo/Core/Notificators/Base.php
+++ b/application/Espo/Core/Notificators/Base.php
@@ -53,6 +53,13 @@ class Base implements Injectable
    {
    }

+    protected function addDependencyList(array $list)
+    {
+        foreach ($list as $item) {
+            $this->addDependency($item);
+        }
+    }
+
    protected function addDependency($name)
    {
        $this->dependencies[] = $name;
--- a/application/Espo/Core/ORM/Entity.php
+++ b/application/Espo/Core/ORM/Entity.php
@@ -34,43 +34,168 @@ class Entity extends \Espo\ORM\Entity

    public function loadLinkMultipleField($field, $columns = null)
    {
-        if ($this->hasRelation($field) && $this->hasField($field . 'Ids')) {
+        if (!$this->hasRelation($field) || !$this->hasAttribute($field . 'Ids')) return;

-            $defs = array();
-            if (!empty($columns)) {
-                $defs['additionalColumns'] = $columns;
-            }
+        $defs = array();
+        if (!empty($columns)) {
+            $defs['additionalColumns'] = $columns;
+        }

-            $collection = $this->get($field, $defs);
-            $ids = array();
-            $names = new \stdClass();
-            $types = new \stdClass();
-            if (!empty($columns)) {
-                $columnsData = new \stdClass();
-            }
+        $collection = $this->get($field, $defs);
+        $ids = array();
+        $names = new \stdClass();
+        $types = new \stdClass();
+        if (!empty($columns)) {
+            $columnsData = new \stdClass();
+        }

-            if ($collection) {
-                foreach ($collection as $e) {
-                    $id = $e->id;
-                    $ids[] = $id;
-                    $names->$id = $e->get('name');
-                    $types->$id = $e->get('type');
-                    if (!empty($columns)) {
-                        $columnsData->$id = new \stdClass();
-                        foreach ($columns as $column => $f) {
-                            $columnsData->$id->$column = $e->get($f);
-                        }
+        if ($collection) {
+            foreach ($collection as $e) {
+                $id = $e->id;
+                $ids[] = $id;
+                $names->$id = $e->get('name');
+                $types->$id = $e->get('type');
+                if (!empty($columns)) {
+                    $columnsData->$id = new \stdClass();
+                    foreach ($columns as $column => $f) {
+                        $columnsData->$id->$column = $e->get($f);
                    }
                }
            }
+        }

-            $this->set($field . 'Ids', $ids);
-            $this->set($field . 'Names', $names);
-            $this->set($field . 'Types', $types);
-            if (!empty($columns)) {
-                $this->set($field . 'Columns', $columnsData);
+        $this->set($field . 'Ids', $ids);
+        $this->set($field . 'Names', $names);
+        $this->set($field . 'Types', $types);
+        if (!empty($columns)) {
+            $this->set($field . 'Columns', $columnsData);
+        }
+    }
+
+    public function loadLinkField($field)
+    {
+        if (!$this->hasRelation($field) || !$this->hasAttribute($field . 'Id')) return;
+        if ($this->getRelationType($field) !== 'hasOne' && $this->getRelationType($field) !== 'belongsTo') return;
+
+        $entity = $this->get($field);
+
+        $entityId = null;
+        $entityName = null;
+        if ($entity) {
+            $entityId = $entity->id;
+            $entityName = $entity->get('name');
+        }
+
+        $this->set($field . 'Id', $entityId);
+        $this->set($field . 'Name', $entityName);
+    }
+
+    public function getLinkMultipleColumn($field, $column, $id)
+    {
+        $columnsField = $field . 'Columns';
+
+        if (!$this->has($columnsField)) {
+            return;
+        }
+        $columns = $this->get($columnsField);
+        if ($columns instanceof \StdClass) {
+            if (isset($columns->$id)) {
+                if (isset($columns->$id->$column)) {
+                    return $columns->$id->$column;
+                }
            }
        }
    }
+
+    public function setLinkMultipleColumn($field, $column, $id, $value)
+    {
+        $columnsField = $field . 'Columns';
+        if (!$this->hasField($columnsField)) {
+            return;
+        }
+        $object = $this->get($columnsField);
+        if (!isset($object) || !($object instanceof \StdClass)) {
+            $object = (object) [];
+        }
+        if (!isset($object->$id)) {
+            $object->$id = (object) [];
+        }
+        if (!isset($object->$id->$column)) {
+            $object->$id->$column = (object) [];
+        }
+
+        $object->$id->$column = $value;
+        $this->set($columnsField, $object);
+    }
+
+    public function setLinkMultipleIdList($field, array $idList)
+    {
+        $idsField = $field . 'Ids';
+        $this->set($idsField, $idList);
+    }
+
+    public function addLinkMultipleId($field, $id)
+    {
+        $idsField = $field . 'Ids';
+
+        if (!$this->hasField($idsField)) return;
+
+        if (!$this->has($idsField)) {
+            if (!$this->isNew()) {
+                $this->loadLinkMultipleField($field);
+            } else {
+                $this->set($idsField, []);
+            }
+        }
+        if (!$this->has($idsField)) {
+            return;
+        }
+        $idList = $this->get($idsField);
+        if (!in_array($id, $idList)) {
+            $idList[] = $id;
+            $this->set($idsField, $idList);
+        }
+    }
+
+    public function getLinkMultipleIdList($field)
+    {
+        $idsField = $field . 'Ids';
+
+        if (!$this->hasAttribute($idsField)) return null;
+
+        if (!$this->has($idsField)) {
+            if (!$this->isNew()) {
+                $this->loadLinkMultipleField($field);
+            }
+        }
+        $valueList = $this->get($idsField);
+        if (empty($valueList)) {
+            return [];
+        }
+        return $valueList;
+    }
+
+    public function hasLinkMultipleId($field, $id)
+    {
+        $idsField = $field . 'Ids';
+
+        if (!$this->hasAttribute($idsField)) return null;
+
+        if (!$this->has($idsField)) {
+            if (!$this->isNew()) {
+                $this->loadLinkMultipleField($field);
+            }
+        }
+
+        if (!$this->has($idsField)) {
+            return;
+        }
+
+        $idList = $this->get($idsField);
+        if (in_array($id, $idList)) {
+            return true;
+        }
+        return false;
+    }
 }

--- a/application/Espo/Core/ORM/Repositories/RDB.php
+++ b/application/Espo/Core/ORM/Repositories/RDB.php
@@ -47,6 +47,18 @@ class RDB extends \Espo\ORM\Repositories\RDB implements Injectable

    private $restoreData = null;

+    protected function addDependency($name)
+    {
+        $this->dependencies[] = $name;
+    }
+
+    protected function addDependencyList(array $list)
+    {
+        foreach ($list as $item) {
+            $this->addDependency($item);
+        }
+    }
+
    public function inject($name, $object)
    {
        $this->injections[$name] = $object;
@@ -67,6 +79,16 @@ class RDB extends \Espo\ORM\Repositories\RDB implements Injectable
        return $this->getInjection('metadata');
    }

+    public function __construct($entityType, EntityManager $entityManager, EntityFactory $entityFactory)
+    {
+        parent::__construct($entityType, $entityManager, $entityFactory);
+        $this->init();
+    }
+
+    protected function init()
+    {
+    }
+
    public function handleSelectParams(&$params)
    {
        $this->handleEmailAddressParams($params);
@@ -76,7 +98,7 @@ class RDB extends \Espo\ORM\Repositories\RDB implements Injectable

    protected function handleCurrencyParams(&$params)
    {
-        $entityName = $this->entityName;
+        $entityType = $this->entityType;

        $metadata = $this->getMetadata();

@@ -84,7 +106,7 @@ class RDB extends \Espo\ORM\Repositories\RDB implements Injectable
            return;
        }

-        $defs = $metadata->get('entityDefs.' . $entityName);
+        $defs = $metadata->get('entityDefs.' . $entityType);

        foreach ($defs['fields'] as $field => $d) {
            if (isset($d['type']) && $d['type'] == 'currency') {
@@ -96,7 +118,7 @@ class RDB extends \Espo\ORM\Repositories\RDB implements Injectable
                }
                $alias = Util::toUnderScore($field) . "_currency_alias";
                $params['customJoin'] .= "
-                    LEFT JOIN currency AS `{$alias}` ON {$alias}.id = ".Util::toUnderScore($entityName).".".Util::toUnderScore($field)."_currency
+                    LEFT JOIN currency AS `{$alias}` ON {$alias}.id = ".Util::toUnderScore($entityType).".".Util::toUnderScore($field)."_currency
                ";
            }
        }
@@ -105,9 +127,9 @@ class RDB extends \Espo\ORM\Repositories\RDB implements Injectable

    protected function handleEmailAddressParams(&$params)
    {
-        $entityName = $this->entityName;
+        $entityType = $this->entityType;

-        $defs = $this->getEntityManager()->getMetadata()->get($entityName);
+        $defs = $this->getEntityManager()->getMetadata()->get($entityType);
        if (!empty($defs['relations']) && array_key_exists('emailAddresses', $defs['relations'])) {
            if (empty($params['leftJoins'])) {
                $params['leftJoins'] = array();
@@ -127,9 +149,9 @@ class RDB extends \Espo\ORM\Repositories\RDB implements Injectable

    protected function handlePhoneNumberParams(&$params)
    {
-        $entityName = $this->entityName;
+        $entityType = $this->entityType;

-        $defs = $this->getEntityManager()->getMetadata()->get($entityName);
+        $defs = $this->getEntityManager()->getMetadata()->get($entityType);
        if (!empty($defs['relations']) && array_key_exists('phoneNumbers', $defs['relations'])) {
            if (empty($params['leftJoins'])) {
                $params['leftJoins'] = array();
@@ -150,13 +172,13 @@ class RDB extends \Espo\ORM\Repositories\RDB implements Injectable
    protected function beforeRemove(Entity $entity, array $options = array())
    {
        parent::beforeRemove($entity, $options);
-        $this->getEntityManager()->getHookManager()->process($this->entityName, 'beforeRemove', $entity, $options);
+        $this->getEntityManager()->getHookManager()->process($this->entityType, 'beforeRemove', $entity, $options);

        $nowString = date('Y-m-d H:i:s', time());
-        if ($entity->hasField('modifiedAt')) {
+        if ($entity->hasAttribute('modifiedAt')) {
            $entity->set('modifiedAt', $nowString);
        }
-        if ($entity->hasField('modifiedById')) {
+        if ($entity->hasAttribute('modifiedById')) {
            $entity->set('modifiedById', $this->getEntityManager()->getUser()->id);
        }
    }
@@ -164,14 +186,14 @@ class RDB extends \Espo\ORM\Repositories\RDB implements Injectable
    protected function afterRemove(Entity $entity, array $options = array())
    {
        parent::afterRemove($entity, $options);
-        $this->getEntityManager()->getHookManager()->process($this->entityName, 'afterRemove', $entity, $options);
+        $this->getEntityManager()->getHookManager()->process($this->entityType, 'afterRemove', $entity, $options);
    }

    public function remove(Entity $entity, array $options = array())
    {
        $result = parent::remove($entity, $options);
        if ($result) {
-            $this->getEntityManager()->getHookManager()->process($this->entityName, 'afterRemove', $entity, $options);
+            $this->getEntityManager()->getHookManager()->process($this->entityType, 'afterRemove', $entity, $options);
        }
        return $result;
    }
@@ -180,7 +202,7 @@ class RDB extends \Espo\ORM\Repositories\RDB implements Injectable
    {
        parent::beforeSave($entity, $options);

-        $this->getEntityManager()->getHookManager()->process($this->entityName, 'beforeSave', $entity, $options);
+        $this->getEntityManager()->getHookManager()->process($this->entityType, 'beforeSave', $entity, $options);
    }

    protected function afterSave(Entity $entity, array $options = array())
@@ -191,11 +213,12 @@ class RDB extends \Espo\ORM\Repositories\RDB implements Injectable
        }
        parent::afterSave($entity, $options);

-        $this->handleEmailAddressSave($entity);
-        $this->handlePhoneNumberSave($entity);
-        $this->handleSpecifiedRelations($entity);
+        $this->processEmailAddressSave($entity);
+        $this->processPhoneNumberSave($entity);
+        $this->processSpecifiedRelationsSave($entity);
+        $this->processFileFieldsSave($entity);

-        $this->getEntityManager()->getHookManager()->process($this->entityName, 'afterSave', $entity, $options);
+        $this->getEntityManager()->getHookManager()->process($this->entityType, 'afterSave', $entity, $options);
    }

    public function save(Entity $entity, array $options = array())
@@ -208,14 +231,18 @@ class RDB extends \Espo\ORM\Repositories\RDB implements Injectable
                $entity->set('id', Util::generateId());
            }

-            if ($entity->hasField('createdAt')) {
-                $entity->set('createdAt', $nowString);
+            if ($entity->hasAttribute('createdAt')) {
+                if (empty($options['import']) || !$entity->has('createdAt')) {
+                    $entity->set('createdAt', $nowString);
+                }
            }
-            if ($entity->hasField('modifiedAt')) {
+            if ($entity->hasAttribute('modifiedAt')) {
                $entity->set('modifiedAt', $nowString);
            }
-            if ($entity->hasField('createdById')) {
-                $entity->set('createdById', $this->entityManager->getUser()->id);
+            if ($entity->hasAttribute('createdById')) {
+                if (empty($options['import']) || !$entity->has('createdById')) {
+                    $entity->set('createdById', $this->entityManager->getUser()->id);
+                }
            }

            if ($entity->has('modifiedById')) {
@@ -227,22 +254,27 @@ class RDB extends \Espo\ORM\Repositories\RDB implements Injectable
            $entity->clear('modifiedById');
        } else {
            if (empty($options['silent'])) {
-                if ($entity->hasField('modifiedAt')) {
+                if ($entity->hasAttribute('modifiedAt')) {
                    $entity->set('modifiedAt', $nowString);
                }
-                if ($entity->hasField('modifiedById')) {
+                if ($entity->hasAttribute('modifiedById')) {
                    $entity->set('modifiedById', $this->entityManager->getUser()->id);
                }
            }

            if ($entity->has('createdById')) {
-                $restoreData['createdById'] = $entity->get('createdById');
+                if (empty($options['import'])) {
+                    $restoreData['createdById'] = $entity->get('createdById');
+                    $entity->clear('createdById');
+                }
            }
+
            if ($entity->has('createdAt')) {
-                $restoreData['createdAt'] = $entity->get('createdAt');
+                if (empty($options['import'])) {
+                    $restoreData['createdAt'] = $entity->get('createdAt');
+                    $entity->clear('createdAt');
+                }
            }
-            $entity->clear('createdById');
-            $entity->clear('createdAt');
        }
        $this->restoreData = $restoreData;

@@ -251,30 +283,51 @@ class RDB extends \Espo\ORM\Repositories\RDB implements Injectable
        return $result;
    }

-    protected function handleEmailAddressSave(Entity $entity)
+    protected function processFileFieldsSave(Entity $entity)
    {
-        if ($entity->hasRelation('emailAddresses') && $entity->hasField('emailAddress')) {
+        foreach ($entity->getRelations() as $name => $defs) {
+            if (!isset($defs['type']) || !isset($defs['entity'])) continue;
+            if (!($defs['type'] === $entity::BELONGS_TO && $defs['entity'] === 'Attachment')) continue;
+
+            $attribute = $name . 'Id';
+            if (!$entity->hasAttribute($attribute)) continue;
+            if (!$entity->get($attribute)) continue;
+            if (!$entity->isAttributeChanged($attribute)) continue;
+
+            $attachment = $this->getEntityManager()->getEntity('Attachment', $entity->get($attribute));
+            if (!$attachment) continue;
+            $attachment->set(array(
+                'relatedId' => $entity->id,
+                'relatedType' => $entity->getEntityType()
+            ));
+            $this->getEntityManager()->saveEntity($attachment);
+        }
+    }
+
+    protected function processEmailAddressSave(Entity $entity)
+    {
+        if ($entity->hasRelation('emailAddresses') && $entity->hasAttribute('emailAddress')) {
            $emailAddressRepository = $this->getEntityManager()->getRepository('EmailAddress')->storeEntityEmailAddress($entity);
        }
    }

-    protected function handlePhoneNumberSave(Entity $entity)
+    protected function processPhoneNumberSave(Entity $entity)
    {
-        if ($entity->hasRelation('phoneNumbers') && $entity->hasField('phoneNumber')) {
+        if ($entity->hasRelation('phoneNumbers') && $entity->hasAttribute('phoneNumber')) {
            $emailAddressRepository = $this->getEntityManager()->getRepository('PhoneNumber')->storeEntityPhoneNumber($entity);
        }
    }

-    protected function handleSpecifiedRelations(Entity $entity)
+    protected function processSpecifiedRelationsSave(Entity $entity)
    {
-        $relationTypes = array($entity::HAS_MANY, $entity::MANY_MANY, $entity::HAS_CHILDREN);
+        $relationTypeList = [$entity::HAS_MANY, $entity::MANY_MANY, $entity::HAS_CHILDREN];
        foreach ($entity->getRelations() as $name => $defs) {
-            if (in_array($defs['type'], $relationTypes)) {
+            if (in_array($defs['type'], $relationTypeList)) {
                $fieldName = $name . 'Ids';
                $columnsFieldsName = $name . 'Columns';

-                if ($entity->has($fieldName) || $entity->has($columnsFieldsName)) {

+                if ($entity->has($fieldName) || $entity->has($columnsFieldsName)) {
                    if ($this->getMetadata()->get("entityDefs." . $entity->getEntityType() . ".fields.{$name}.noSave")) {
                        continue;
                    }
@@ -330,15 +383,16 @@ class RDB extends \Espo\ORM\Repositories\RDB implements Injectable
                            } else {
                                if (!empty($columns)) {
                                    foreach ($columns as $columnName => $columnField) {
-                                        if ($columnData->$id->$columnName != $existingColumnsData->$id->$columnName) {
-                                            $toUpdateIds[] = $id;
+                                        if (isset($columnData->$id)) {
+                                            if ($columnData->$id->$columnName !== $existingColumnsData->$id->$columnName) {
+                                                $toUpdateIds[] = $id;
+                                            }
                                        }
                                    }
                                }
                            }
                        }

-
                        foreach ($specifiedIds as $id) {
                            if (!in_array($id, $existingIds)) {
                                $data = null;
@@ -359,6 +413,42 @@ class RDB extends \Espo\ORM\Repositories\RDB implements Injectable
                        }
                    }
                }
+            } else if ($defs['type'] === $entity::HAS_ONE) {
+                if (empty($defs['entity']) || empty($defs['foreignKey'])) continue;
+
+                if ($this->getMetadata()->get("entityDefs." . $entity->getEntityType() . ".fields.{$name}.noSave")) {
+                    continue;
+                }
+
+                $foreignEntityType = $defs['entity'];
+                $foreignKey = $defs['foreignKey'];
+                $idFieldName = $name . 'Id';
+                $nameFieldName = $name . 'Name';
+
+                if (!$entity->has($idFieldName)) continue;
+
+                $where = array();
+                $where[$foreignKey] = $entity->id;
+                $previousForeignEntity = $this->getEntityManager()->getRepository($foreignEntityType)->where($where)->findOne();
+                if ($previousForeignEntity) {
+                    $entity->setFetched($idFieldName, $previousForeignEntity->id);
+                    if ($previousForeignEntity->id !== $entity->get($idFieldName)) {
+                        $previousForeignEntity->set($foreignKey, null);
+                        $this->getEntityManager()->saveEntity($previousForeignEntity);
+                    }
+                } else {
+                    $entity->setFetched($idFieldName, null);
+                }
+
+                if ($entity->get($idFieldName)) {
+                    $newForeignEntity = $this->getEntityManager()->getEntity($foreignEntityType, $entity->get($idFieldName));
+                    if ($newForeignEntity) {
+                        $newForeignEntity->set($foreignKey, $entity->id);
+                        $this->getEntityManager()->saveEntity($newForeignEntity);
+                    } else {
+                        $entity->set($idFieldName, null);
+                    }
+                }
            }
        }
    }
--- a/application/Espo/Core/ORM/Repository.php
+++ b/application/Espo/Core/ORM/Repository.php
@@ -31,12 +31,18 @@ namespace Espo\Core\ORM;

 use \Espo\Core\Interfaces\Injectable;

+use \Espo\ORM\EntityFactory;
+
 abstract class Repository extends \Espo\ORM\Repository implements Injectable
 {
    protected $dependencies = array();

    protected $injections = array();

+    protected function init()
+    {
+    }
+
    public function inject($name, $object)
    {
        $this->injections[$name] = $object;
@@ -51,5 +57,23 @@ abstract class Repository extends \Espo\ORM\Repository implements Injectable
    {
        return $this->dependencies;
    }
+
+    protected function addDependencyList(array $list)
+    {
+        foreach ($list as $item) {
+            $this->addDependency($item);
+        }
+    }
+
+    protected function addDependency($name)
+    {
+        $this->dependencies[] = $name;
+    }
+
+    public function __construct($entityType, EntityManager $entityManager, EntityFactory $entityFactory)
+    {
+        parent::__construct($entityType, $entityManager, $entityFactory);
+        $this->init();
+    }
 }

--- a/application/Espo/Core/Portal/Acl.php
+++ b/application/Espo/Core/Portal/Acl.php
@@ -0,0 +1,57 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Portal;
+
+use \Espo\ORM\Entity;
+use \Espo\Entities\User;
+
+class Acl extends \Espo\Core\Acl
+{
+    public function checkReadOnlyAccount($scope)
+    {
+        return $this->getAclManager()->checkReadOnlyAccount($this->getUser(), $scope);
+    }
+
+    public function checkReadOnlyContact($scope)
+    {
+        return $this->getAclManager()->checkReadOnlyContact($this->getUser(), $scope);
+    }
+
+    public function checkInAccount(Entity $entity)
+    {
+        return $this->getAclManager()->checkInAccount($this->getUser(), $entity);
+    }
+
+    public function checkIsOwnContact(Entity $entity)
+    {
+        return $this->getAclManager()->checkIsOwnContact($this->getUser(), $entity);
+    }
+}
+
--- a/application/Espo/Core/Portal/AclManager.php
+++ b/application/Espo/Core/Portal/AclManager.php
@@ -0,0 +1,258 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Portal;
+
+use \Espo\ORM\Entity;
+use \Espo\Entities\User;
+use \Espo\Core\Utils\Util;
+
+class AclManager extends \Espo\Core\AclManager
+{
+    protected $tableClassName = '\\Espo\\Core\\AclPortal\\Table';
+
+    private $mainManager = null;
+
+    private $portal = null;
+
+    public function getImplementation($scope)
+    {
+        if (empty($this->implementationHashMap[$scope])) {
+            $normalizedName = Util::normilizeClassName($scope);
+
+            $className = '\\Espo\\Custom\\AclPortal\\' . $normalizedName;
+            if (!class_exists($className)) {
+                $moduleName = $this->getMetadata()->getScopeModuleName($scope);
+                if ($moduleName) {
+                    $className = '\\Espo\\Modules\\' . $moduleName . '\\AclPortal\\' . $normalizedName;
+                } else {
+                    $className = '\\Espo\\AclPortal\\' . $normalizedName;
+                }
+                if (!class_exists($className)) {
+                    $className = '\\Espo\\Core\\AclPortal\\Base';
+                }
+            }
+
+            if (class_exists($className)) {
+                $acl = new $className($scope);
+                $dependencies = $acl->getDependencyList();
+                foreach ($dependencies as $name) {
+                    $acl->inject($name, $this->getContainer()->get($name));
+                }
+                $this->implementationHashMap[$scope] = $acl;
+            } else {
+                throw new Error();
+            }
+        }
+
+        return $this->implementationHashMap[$scope];
+    }
+
+    public function setMainManager($mainManager)
+    {
+        $this->mainManager = $mainManager;
+    }
+
+    protected function getMainManager()
+    {
+        return $this->mainManager;
+    }
+
+    public function setPortal($portal)
+    {
+        $this->portal = $portal;
+    }
+
+    protected function getPortal()
+    {
+        if ($this->portal) {
+            return $this->portal;
+        }
+        return $this->getContainer()->get('portal');
+    }
+
+    protected function getTable(User $user)
+    {
+        $key = $user->id;
+        if (empty($key)) {
+            $key = spl_object_hash($user);
+        }
+
+        if (empty($this->tableHashMap[$key])) {
+            $config = $this->getContainer()->get('config');
+            $fileManager = $this->getContainer()->get('fileManager');
+            $metadata = $this->getContainer()->get('metadata');
+            $fieldManager = $this->getContainer()->get('fieldManager');
+            $portal = $this->getPortal();
+
+            $this->tableHashMap[$key] = new $this->tableClassName($user, $portal, $config, $fileManager, $metadata, $fieldManager);
+        }
+
+        return $this->tableHashMap[$key];
+    }
+
+    public function checkReadOnlyAccount(User $user, $scope)
+    {
+        if ($user->isAdmin()) {
+            return false;
+        }
+        $data = $this->getTable($user)->getScopeData($scope);
+        return $this->getImplementation($scope)->checkReadOnlyAccount($user, $data);
+    }
+
+    public function checkReadOnlyContact(User $user, $scope)
+    {
+        if ($user->isAdmin()) {
+            return false;
+        }
+        $data = $this->getTable($user)->getScopeData($scope);
+        return $this->getImplementation($scope)->checkReadOnlyContact($user, $data);
+    }
+
+    public function checkInAccount(User $user, Entity $entity, $action)
+    {
+        return $this->getImplementation($entity->getEntityType())->checkInAccount($user, $entity);
+    }
+
+    public function checkIsOwnContact(User $user, Entity $entity, $action)
+    {
+        return $this->getImplementation($entity->getEntityType())->checkIsOwnContact($user, $entity);
+    }
+
+    public function getMap(User $user)
+    {
+        if ($this->checkUserIsNotPortal($user)) {
+            return $this->getMainManager()->getMap($user);
+        }
+        return parent::getMap($user);
+    }
+
+    public function getLevel(User $user, $scope, $action)
+    {
+        if ($this->checkUserIsNotPortal($user)) {
+            return $this->getMainManager()->getLevel($user, $scope, $action);
+        }
+        return parent::getLevel($user, $scope, $action);
+    }
+
+    public function get(User $user, $permission)
+    {
+        if ($this->checkUserIsNotPortal($user)) {
+            return $this->getMainManager()->get($user, $permission);
+        }
+        return parent::get($user, $permission);
+    }
+
+    public function checkReadOnlyTeam(User $user, $permission)
+    {
+        if ($this->checkUserIsNotPortal($user)) {
+            return $this->getMainManager()->checkReadOnlyTeam($user, $permission);
+        }
+        return false;
+    }
+
+    public function checkReadOnlyOwn(User $user, $permission)
+    {
+        if ($this->checkUserIsNotPortal($user)) {
+            return $this->getMainManager()->checkReadOnlyOwn($user, $permission);
+        }
+        return false;
+    }
+
+    public function check(User $user, $subject, $action = null)
+    {
+        if ($this->checkUserIsNotPortal($user)) {
+            return $this->getMainManager()->check($user, $subject, $action);
+        }
+        return parent::check($user, $subject, $action);
+    }
+
+    public function checkEntity(User $user, Entity $entity, $action = 'read')
+    {
+        if ($this->checkUserIsNotPortal($user)) {
+            return $this->getMainManager()->checkEntity($user, $entity, $action);
+        }
+        return parent::checkEntity($user, $entity, $action);
+    }
+
+    public function checkIsOwner(User $user, Entity $entity)
+    {
+        if ($this->checkUserIsNotPortal($user)) {
+            return $this->getMainManager()->checkIsOwner($user, $entity);
+        }
+        return parent::checkIsOwner($user, $entity);
+    }
+
+    public function checkInTeam(User $user, Entity $entity)
+    {
+        if ($this->checkUserIsNotPortal($user)) {
+            return $this->getMainManager()->checkInTeam($user, $entity);
+        }
+        return parent::checkInTeam($user, $entity);
+    }
+
+    public function checkScope(User $user, $scope, $action = null)
+    {
+        if ($this->checkUserIsNotPortal($user)) {
+            return $this->getMainManager()->checkScope($user, $scope, $action);
+        }
+        return parent::checkScope($user, $scope, $action);
+    }
+
+    public function checkUser(User $user, $permission, User $entity)
+    {
+        if ($this->checkUserIsNotPortal($user)) {
+            return $this->getMainManager()->checkUser($user, $permission, $entity);
+        }
+        return parent::checkUser($user, $permission, $entity);
+    }
+
+    public function getScopeForbiddenAttributeList(User $user, $scope, $action = 'read', $thresholdLevel = 'no')
+    {
+        if ($this->checkUserIsNotPortal($user)) {
+            return $this->getMainManager()->getScopeForbiddenAttributeList($user, $scope, $action, $thresholdLevel);
+        }
+        return parent::getScopeForbiddenAttributeList($user, $scope, $action, $thresholdLevel);
+    }
+
+    public function getScopeForbiddenFieldList(User $user, $scope, $action = 'read', $thresholdLevel = 'no')
+    {
+        if ($this->checkUserIsNotPortal($user)) {
+            return $this->getMainManager()->getScopeForbiddenFieldList($user, $scope, $action, $thresholdLevel);
+        }
+        return parent::getScopeForbiddenFieldList($user, $scope, $action, $thresholdLevel);
+    }
+
+    protected function checkUserIsNotPortal($user)
+    {
+        return !$user->get('isPortalUser');
+    }
+
+}
+
--- a/application/Espo/Core/Portal/Application.php
+++ b/application/Espo/Core/Portal/Application.php
@@ -0,0 +1,104 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Portal;
+
+use \Espo\Core\Exceptions\Error;
+use \Espo\Core\Exceptions\NotFound;
+use \Espo\Core\Exceptions\Forbidden;
+
+class Application extends \Espo\Core\Application
+{
+    public function __construct($portalId)
+    {
+        date_default_timezone_set('UTC');
+
+        $this->initContainer();
+
+        if (empty($portalId)) {
+            throw new Error("Portal id was not passed to ApplicationPortal.");
+        }
+
+        $GLOBALS['log'] = $this->getContainer()->get('log');
+
+        $portal = $this->getContainer()->get('entityManager')->getEntity('Portal', $portalId);
+
+        if (!$portal) {
+            $portal = $this->getContainer()->get('entityManager')->getRepository('Portal')->where(array(
+                'customId' => $portalId
+            ))->findOne();
+        }
+
+        if (!$portal) {
+            throw new NotFound();
+        }
+        if (!$portal->get('isActive')) {
+            throw new Forbidden("Portal is not active.");
+        }
+
+        $this->portal = $portal;
+
+        $this->getContainer()->setPortal($portal);
+
+        $this->initAutoloads();
+    }
+
+    protected function getPortal()
+    {
+        return $this->portal;
+    }
+
+    protected function initContainer()
+    {
+        $this->container = new Container();
+    }
+
+    protected function getRouteList()
+    {
+        $routeList = parent::getRouteList();
+        foreach ($routeList as $i => $route) {
+            if (isset($route['route'])) {
+                if ($route['route']{0} !== '/') {
+                    $route['route'] = '/' . $route['route'];
+                }
+                $route['route'] = '/:portalId' . $route['route'];
+            }
+            $routeList[$i] = $route;
+        }
+        return $routeList;
+    }
+
+    public function runClient()
+    {
+        $this->getContainer()->get('clientManager')->display(null, 'html/portal.html', array(
+            'portalId' => $this->getPortal()->id
+        ));
+    }
+}
+
--- a/application/Espo/Core/Portal/Container.php
+++ b/application/Espo/Core/Portal/Container.php
@@ -0,0 +1,141 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Portal;
+
+class Container extends \Espo\Core\Container
+{
+    protected function getServiceClassName($name, $default)
+    {
+        $metadata = $this->get('metadata');
+        $className = $metadata->get('app.serviceContainerPortal.classNames.' . $name, $default);
+        return $className;
+    }
+
+    protected function getServiceMainClassName($name, $default)
+    {
+        $metadata = $this->get('metadata');
+        $className = $metadata->get('app.serviceContainer.classNames.' . $name, $default);
+        return $className;
+    }
+
+    protected function loadAclManager()
+    {
+        $className = $this->getServiceClassName('aclManager', '\\Espo\\Core\\Portal\\AclManager');
+        $mainClassName = $this->getServiceMainClassName('aclManager', '\\Espo\\Core\\AclManager');
+
+        $obj = new $className(
+            $this->get('container')
+        );
+        $objMain = new $mainClassName(
+            $this->get('container')
+        );
+        $obj->setMainManager($objMain);
+
+        return $obj;
+    }
+
+    protected function loadAcl()
+    {
+        $className = $this->getServiceClassName('acl', '\\Espo\\Core\\Portal\\Acl');
+        return new $className(
+            $this->get('aclManager'),
+            $this->get('user')
+        );
+    }
+
+    protected function loadThemeManager()
+    {
+        return new \Espo\Core\Portal\Utils\ThemeManager(
+            $this->get('config'),
+            $this->get('metadata'),
+            $this->get('portal')
+        );
+    }
+
+    protected function loadLayout()
+    {
+        return new \Espo\Core\Portal\Utils\Layout(
+            $this->get('fileManager'),
+            $this->get('metadata'),
+            $this->get('user')
+        );
+    }
+
+    protected function loadLanguage()
+    {
+        $language = new \Espo\Core\Portal\Utils\Language(
+            $this->get('fileManager'),
+            $this->get('config'),
+            $this->get('metadata'),
+            $this->get('preferences')
+        );
+        $language->setPortal($this->get('portal'));
+        return $language;
+    }
+
+    public function setPortal(\Espo\Entities\Portal $portal)
+    {
+        $this->set('portal', $portal);
+
+        $data = array();
+        foreach ($this->get('portal')->getSettingsAttributeList() as $attribute) {
+            $data[$attribute] = $this->get('portal')->get($attribute);
+        }
+        if (empty($data['language'])) {
+            unset($data['language']);
+        }
+        if (empty($data['theme'])) {
+            unset($data['theme']);
+        }
+        if (empty($data['timeZone'])) {
+            unset($data['timeZone']);
+        }
+        if (empty($data['dateFormat'])) {
+            unset($data['dateFormat']);
+        }
+        if (empty($data['timeFormat'])) {
+            unset($data['timeFormat']);
+        }
+        if (isset($data['weekStart']) && $data['weekStart'] === -1) {
+            unset($data['weekStart']);
+        }
+        if (array_key_exists('weekStart', $data) && is_null($data['weekStart'])) {
+            unset($data['weekStart']);
+        }
+        if (empty($data['defaultCurrency'])) {
+            unset($data['defaultCurrency']);
+        }
+
+        foreach ($data as $attribute => $value) {
+            $this->get('config')->set($attribute, $value, true);
+        }
+    }
+}
+
--- a/application/Espo/Core/Portal/Utils/Language.php
+++ b/application/Espo/Core/Portal/Utils/Language.php
@@ -0,0 +1,46 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Portal\Utils;
+
+use \Espo\Entities\Portal;
+
+class Language extends \Espo\Core\Utils\Language
+{
+
+    public function setPortal($portal)
+    {
+        if ($portal->get('language') !== '' && $portal->get('language')) {
+            if (!$this->getPreferences()->get('language')) {
+                $this->setLanguage($portal->get('language'));
+            }
+        }
+    }
+
+}
--- a/application/Espo/Core/Portal/Utils/Layout.php
+++ b/application/Espo/Core/Portal/Utils/Layout.php
@@ -0,0 +1,129 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Portal\Utils;
+
+use \Espo\Core\Utils\Util;
+use \Espo\Core\Utils\Json;
+
+class Layout extends \Espo\Core\Utils\Layout
+{
+    public function get($scope, $name)
+    {
+        $scope = $this->sanitizeInput($scope);
+        $name = $this->sanitizeInput($name);
+
+        if (isset($this->changedData[$scope][$name])) {
+            return Json::encode($this->changedData[$scope][$name]);
+        }
+
+        $fileFullPath = Util::concatPath($this->getLayoutPath($scope, true), 'portal/' . $name . '.json');
+
+        if (!file_exists($fileFullPath)) {
+            $fileFullPath = Util::concatPath($this->getLayoutPath($scope), 'portal/' . $name . '.json');
+        }
+        if (!file_exists($fileFullPath)) {
+            $fileFullPath = Util::concatPath($this->getLayoutPath($scope, true), $name . '.json');
+        }
+        if (!file_exists($fileFullPath)) {
+            $fileFullPath = Util::concatPath($this->getLayoutPath($scope), $name . '.json');
+        }
+
+
+        if (!file_exists($fileFullPath)) {
+            $defaultPath = $this->params['defaultsPath'];
+            $fileFullPath = Util::concatPath(Util::concatPath($defaultPath, 'layouts'), $name . '.json' );
+
+            if (!file_exists($fileFullPath)) {
+                return false;
+            }
+        }
+
+        return $this->getFileManager()->getContents($fileFullPath);
+    }
+
+
+    public function set($data, $scope, $name)
+    {
+        $scope = $this->sanitizeInput($scope);
+        $name = $this->sanitizeInput($name);
+
+        if (empty($scope) || empty($name)) {
+            return false;
+        }
+
+        $this->changedData[$scope][$name] = $data;
+    }
+
+    public function resetToDefault($scope, $name)
+    {
+        $scope = $this->sanitizeInput($scope);
+        $name = $this->sanitizeInput($name);
+
+        $filePath = 'custom/Espo/Custom/Resources/layouts/' . $scope . '/' . $name . '.json';
+        if ($this->getFileManager()->isFile($filePath)) {
+            $this->getFileManager()->removeFile($filePath);
+        }
+        if (!empty($this->changedData[$scope]) && !empty($this->changedData[$scope][$name])) {
+            unset($this->changedData[$scope][$name]);
+        }
+        return $this->get($scope, $name);
+    }
+
+    /**
+     * Save changes
+     *
+     * @return bool
+     */
+    public function save()
+    {
+        $result = true;
+
+        if (!empty($this->changedData)) {
+            foreach ($this->changedData as $scope => $rowData) {
+                foreach ($rowData as $layoutName => $layoutData) {
+                    if (empty($scope) || empty($layoutName)) {
+                        continue;
+                    }
+                    $layoutPath = $this->getLayoutPath($scope, true);
+                    $data = Json::encode($layoutData, JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE);
+
+                    $result &= $this->getFileManager()->putContents(array($layoutPath, $layoutName.'.json'), $data);
+                }
+            }
+        }
+
+        if ($result == true) {
+            $this->clearChanges();
+        }
+
+        return (bool) $result;
+    }
+
+}
--- a/application/Espo/Core/Portal/Utils/ThemeManager.php
+++ b/application/Espo/Core/Portal/Utils/ThemeManager.php
@@ -0,0 +1,56 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Portal\Utils;
+
+use \Espo\Entities\Portal;
+
+use \Espo\Core\Utils\Config;
+use \Espo\Core\Utils\Metadata;
+
+class ThemeManager extends \Espo\Core\Utils\ThemeManager
+{
+    public function __construct(Config $config, Metadata $metadata, Portal $portal)
+    {
+        $this->config = $config;
+        $this->metadata = $metadata;
+        $this->portal = $portal;
+    }
+
+    public function getName()
+    {
+        $theme = $this->portal->get('theme');
+        if (!$theme) {
+            $theme = $this->defaultName;
+        }
+        return $theme;
+    }
+}
+
+
--- a/application/Espo/Core/Repositories/CategoryTree.php
+++ b/application/Espo/Core/Repositories/CategoryTree.php
@@ -29,11 +29,11 @@

 namespace Espo\Core\Repositories;

-use \Espo\Core\Entities\CategoryTreeItem as Entity;
+use \Espo\ORM\Entity;

 class CategoryTree extends \Espo\Core\ORM\Repositories\RDB
 {
-	public function afterSave(Entity $entity, $options)
+	protected function afterSave(Entity $entity, array $options = array())
 	{
 		parent::afterSave($entity, $options);

@@ -86,7 +86,7 @@ class CategoryTree extends \Espo\Core\ORM\Repositories\RDB
 		}
 	}

-	public function afterRemove(Entity $entity, $options)
+	protected function afterRemove(Entity $entity, array $options = array())
 	{
 		parent::afterRemove($entity, $options);

--- a/application/Espo/Core/SelectManagerFactory.php
+++ b/application/Espo/Core/SelectManagerFactory.php
@@ -43,12 +43,14 @@ class SelectManagerFactory

    private $metadata;

-    public function __construct($entityManager, \Espo\Entities\User $user, Acl $acl, $metadata)
+    public function __construct($entityManager, \Espo\Entities\User $user, Acl $acl, AclManager $aclManager, Utils\Metadata $metadata, Utils\Config $config)
    {
        $this->entityManager = $entityManager;
        $this->user = $user;
        $this->acl = $acl;
+        $this->aclManager = $aclManager;
        $this->metadata = $metadata;
+        $this->config = $config;
    }

    public function create($entityType)
@@ -68,7 +70,7 @@ class SelectManagerFactory
            }
        }

-        $selectManager = new $className($this->entityManager, $this->user, $this->acl, $this->metadata);
+        $selectManager = new $className($this->entityManager, $this->user, $this->acl, $this->aclManager, $this->metadata, $this->config);
        $selectManager->setEntityType($entityType);

        return $selectManager;
--- a/application/Espo/Core/SelectManagers/Base.php
+++ b/application/Espo/Core/SelectManagers/Base.php
@@ -30,8 +30,12 @@
 namespace Espo\Core\SelectManagers;

 use \Espo\Core\Exceptions\Error;
+use \Espo\Core\Exceptions\Forbidden;

 use \Espo\Core\Acl;
+use \Espo\Core\AclManager;
+use \Espo\Core\Utils\Metadata;
+use \Espo\Core\Utils\Config;

 class Base
 {
@@ -47,19 +51,25 @@ class Base

    protected $metadata;

+    private $config;
+
    private $seed = null;

    private $userTimeZone = null;

+    protected $additionalFilterTypeList = ['linkedWith', 'inCategory', 'isUserFromTeams'];
+
    const MIN_LENGTH_FOR_CONTENT_SEARCH = 4;

-    public function __construct($entityManager, \Espo\Entities\User $user, Acl $acl, $metadata)
+    public function __construct($entityManager, \Espo\Entities\User $user, Acl $acl, AclManager $aclManager, Metadata $metadata, Config $config)
    {
        $this->entityManager = $entityManager;
        $this->user = $user;
        $this->acl = $acl;
+        $this->aclManager = $aclManager;

        $this->metadata = $metadata;
+        $this->config = $config;
    }

    protected function getEntityManager()
@@ -67,6 +77,11 @@ class Base
        return $this->entityManager;
    }

+    protected function getMetadata()
+    {
+        return $this->metadata;
+    }
+
    protected function getUser()
    {
        return $this->user;
@@ -77,6 +92,16 @@ class Base
        return $this->acl;
    }

+    protected function getConfig()
+    {
+        return $this->config;
+    }
+
+    protected function getAclManager()
+    {
+        return $this->aclManager;
+    }
+
    public function setEntityType($entityType)
    {
        $this->entityType = $entityType;
@@ -97,27 +122,39 @@ class Base
        }
    }

-    protected function order($sortBy, $asc, &$result)
+    protected function order($sortBy, $desc = false, &$result)
    {
        if (!empty($sortBy)) {
            $result['orderBy'] = $sortBy;
-            $type = $this->metadata->get("entityDefs.{$this->entityType}.fields." . $result['orderBy'] . ".type");
-            if ($type == 'link') {
+            $type = $this->getMetadata()->get(['entityDefs', $this->getEntityType(), 'fields', $sortBy, 'type']);
+            if ($type === 'link') {
                $result['orderBy'] .= 'Name';
-            } else if ($type == 'linkParent') {
+            } else if ($type === 'linkParent') {
                $result['orderBy'] .= 'Type';
+            } else if ($type === 'enum') {
+                $list = $this->getMetadata()->get(['entityDefs', $this->getEntityType(), 'fields', $sortBy, 'options']);
+                if ($list && is_array($list) && count($list)) {
+                    if ($this->getMetadata()->get(['entityDefs', $this->getEntityType(), 'fields', $sortBy, 'isSorted'])) {
+                        $list = asort($list);
+                    }
+                    if ($desc) {
+                        $list = array_reverse($list);
+                    }
+                    $result['orderBy'] = 'LIST:' . $sortBy . ':' . implode(',', $list);
+                    return;
+                }
            }
        }
-        if ($asc) {
+        if (!$desc) {
            $result['order'] = 'ASC';
        } else {
            $result['order'] = 'DESC';
        }
    }

-    protected function getTextFilterFields()
+    protected function getTextFilterFieldList()
    {
-        return $this->metadata->get("entityDefs.{$this->entityType}.collection.textFilterFields", array('name'));
+        return $this->getMetadata()->get("entityDefs.{$this->entityType}.collection.textFilterFields", ['name']);
    }

    protected function getSeed()
@@ -157,127 +194,151 @@ class Base
            }
        }

-        $linkedWith = array();
-        $inCategory = array();

-        $ignoreList = ['linkedWith', 'inCategory', 'bool', 'primary'];
+        $ignoreTypeList = array_merge(['bool', 'primary'], $this->additionalFilterTypeList);
+
+        $additionalFilters = array();
        foreach ($where as $item) {
-            if (!in_array($item['type'], $ignoreList)) {
+            $type = $item['type'];
+            if (!in_array($type, $ignoreTypeList)) {
                $part = $this->getWherePart($item);
                if (!empty($part)) {
                    $whereClause[] = $part;
                }
            } else {
-                if ($item['type'] == 'linkedWith' && !empty($item['value'])) {
-                    $linkedWith[$item['field']] = $item['value'];
-                } else if ($item['type'] == 'inCategory' && !empty($item['value'])) {
-                    $inCategory[$item['field']] = $item['value'];
+                if (in_array($type, $this->additionalFilterTypeList)) {
+                    if (!empty($item['value'])) {
+                        $methodName = 'apply' . ucfirst($type);
+
+                        if (method_exists($this, $methodName)) {;
+                            $this->$methodName($item['field'], $item['value'], $result);
+                        }
+                    }
                }
            }
        }

        $result['whereClause'] = array_merge($result['whereClause'], $whereClause);
-
-        if (!empty($linkedWith)) {
-            $this->handleLinkedWith($linkedWith, $result);
-        }
-        if (!empty($inCategory)) {
-            $this->handleInCategory($inCategory, $result);
-        }
    }

-    protected function handleLinkedWith($linkedWith, &$result)
+    protected function applyLinkedWith($link, $idsValue, &$result)
    {
-        $joins = [];
-
        $part = array();
-        foreach ($linkedWith as $link => $idsValue) {
-            if (is_array($idsValue) && count($idsValue) == 1) {
-                $idsValue = $idsValue[0];
-            }

-            $relDefs = $this->getSeed()->getRelations();
+        if (is_array($idsValue) && count($idsValue) == 1) {
+            $idsValue = $idsValue[0];
+        }

-            if (!empty($relDefs[$link])) {
-                $defs = $relDefs[$link];
-                if ($defs['type'] == 'manyMany') {
-                    $joins[] = $link;
-                    if (!empty($defs['midKeys'])) {
-                        $key = $defs['midKeys'][1];
-                        $part[$link . 'Middle.' . $key] = $idsValue;
-                    }
-                } else if ($defs['type'] == 'belongsTo') {
-                    if (!empty($defs['key'])) {
-                        $key = $defs['key'];
-                        $part[$key] = $idsValue;
-                    }
-                }
+        $seed = $this->getSeed();
+
+        if (!$seed->hasRelation($link)) return;
+
+        $relDefs = $this->getSeed()->getRelations();
+
+        $relationType = $seed->getRelationType($link);
+
+        $defs = $relDefs[$link];
+        if ($relationType == 'manyMany') {
+            $this->addJoin($link, $result);
+            $midKeys = $seed->getRelationParam($link, 'midKeys');
+
+            if (!empty($midKeys)) {
+                $key = $midKeys[1];
+                $part[$link . 'Middle.' . $key] = $idsValue;
            }
+        } else if ($relationType== 'belongsTo') {
+            $key = $seed->getRelationParam($link, 'key');
+            if (!empty($key)) {
+                $part[$key] = $idsValue;
+            }
+        } else {
+            return;
        }

        if (!empty($part)) {
            $result['whereClause'][] = $part;
        }
-        $result['joins'] = array_merge($result['joins'], $joins);
-        $result['joins'] = array_unique($result['joins']);
-        $result['distinct'] = true;
+
+        $this->setDistinct(true, $result);
    }

-    protected function handleInCategory($inCategory, &$result)
+    protected function applyIsUserFromTeams($link, $idsValue, &$result)
    {
-        $joins = [];
+        if (is_array($idsValue) && count($idsValue) == 1) {
+            $idsValue = $idsValue[0];
+        }

-        $part = array();
+        $query = $this->getEntityManager()->getQuery();
+
+        $seed = $this->getSeed();
+
+        $relDefs = $seed->getRelations();
+
+        if (!$seed->hasRelation($link)) return;
+
+        $relationType = $seed->getRelationType($link);
+
+        if ($relationType == 'belongsTo') {
+            $key = $seed->getRelationParam($link, 'key');
+
+            $aliasName = 'usersTeams' . ucfirst($link);
+
+            $result['customJoin'] .= "
+                JOIN team_user AS {$aliasName}Middle ON {$aliasName}Middle.user_id = ".$query->toDb($seed->getEntityType()).".".$query->toDb($key)." AND {$aliasName}Middle.deleted = 0
+                JOIN team AS {$aliasName} ON {$aliasName}.deleted = 0 AND {$aliasName}Middle.team_id = {$aliasName}.id
+            ";
+
+            $result['whereClause'][] = array(
+                $aliasName . 'Middle.teamId' => $idsValue
+            );
+        } else {
+            return;
+        }
+
+        $this->setDistinct(true, $result);
+    }
+
+    public function applyInCategory($link, $value, &$result)
+    {
+        $relDefs = $this->getSeed()->getRelations();

        $query = $this->getEntityManager()->getQuery();

        $tableName = $query->toDb($this->getSeed()->getEntityType());

-        foreach ($inCategory as $link => $val) {
+        if (!empty($relDefs[$link])) {
+            $defs = $relDefs[$link];

-            $relDefs = $this->getSeed()->getRelations();
+            $foreignEntity = $defs['entity'];
+            if (empty($foreignEntity)) {
+                return;
+            }

-            if (!empty($relDefs[$link])) {
-                $defs = $relDefs[$link];
+            $pathName = lcfirst($query->sanitize($foreignEntity . 'Path'));

-                $foreignEntity = $defs['entity'];
-                if (empty($foreignEntity)) {
-                    continue;
+            if ($defs['type'] == 'manyMany') {
+                if (!empty($defs['midKeys'])) {
+                    $result['distinct'] = true;
+                    $result['joins'][] = $link;
+                    $key = $defs['midKeys'][1];
+
+                    $middleName = $link . 'Middle';
+
+                    $result['customJoin'] .= "
+                        JOIN " . $query->toDb($pathName) . " AS `{$pathName}` ON {$pathName}.descendor_id = ".$query->sanitize($middleName) . "." . $query->toDb($key) . "
+                    ";
+                    $result['whereClause'][$pathName . '.ascendorId'] = $value;
                }
-
-                $pathName = lcfirst($query->sanitize($foreignEntity . 'Path'));
-
-                if ($defs['type'] == 'manyMany') {
-
-                    if (!empty($defs['midKeys'])) {
-                        $result['distinct'] = true;
-                        $result['joins'][] = $link;
-                        $key = $defs['midKeys'][1];
-
-                        $middleName = $link . 'Middle';
-
-                        $result['customJoin'] .= "
-                            JOIN " . $query->toDb($pathName) . " AS `{$pathName}` ON {$pathName}.descendor_id = ".$query->sanitize($middleName) . "." . $query->toDb($key) . "
-                        ";
-                        $part[$pathName . '.ascendorId'] = $val;
-                    }
-                } else if ($defs['type'] == 'belongsTo') {
-                    if (!empty($defs['key'])) {
-                        $key = $defs['key'];
-                        $result['customJoin'] .= "
-                            JOIN " . $query->toDb($pathName) . " AS `{$pathName}` ON {$pathName}.descendor_id = {$tableName}." . $query->toDb($key) . "
-                        ";
-                        $part[$pathName . '.ascendorId'] = $val;
-                    }
+            } else if ($defs['type'] == 'belongsTo') {
+                if (!empty($defs['key'])) {
+                    $key = $defs['key'];
+                    $result['customJoin'] .= "
+                        JOIN " . $query->toDb($pathName) . " AS `{$pathName}` ON {$pathName}.descendor_id = {$tableName}." . $query->toDb($key) . "
+                    ";
+                    $result['whereClause'][$pathName . '.ascendorId'] = $value;
                }
            }
        }
-
-
-        if (!empty($part)) {
-            $result['whereClause'][] = $part;
-        }
-
    }

    protected function q($params, &$result)
@@ -299,6 +360,14 @@ class Base
        $this->q(array('q' => $textFilter), $result);
    }

+    public function getEmptySelectParams()
+    {
+        $result = array();
+        $this->prepareResult($result);
+
+        return $result;
+    }
+
    protected function prepareResult(&$result)
    {
        if (empty($result)) {
@@ -324,47 +393,233 @@ class Base
        }
    }

+    protected function checkIsPortal()
+    {
+        return !!$this->getUser()->get('portalId');
+    }
+
    protected function access(&$result)
    {
-        if ($this->acl->checkReadOnlyOwn($this->entityType)) {
-            $this->accessOnlyOwn($result);
+        if (!$this->checkIsPortal()) {
+            if ($this->getAcl()->checkReadOnlyOwn($this->getEntityType())) {
+                $this->accessOnlyOwn($result);
+            } else {
+                if (!$this->getUser()->isAdmin()) {
+                    if ($this->getAcl()->checkReadOnlyTeam($this->getEntityType())) {
+                        $this->accessOnlyTeam($result);
+                    }
+                }
+            }
        } else {
-            if (!$this->user->isAdmin() && $this->acl->checkReadOnlyTeam($this->entityType)) {
-                $this->accessOnlyTeam($result);
+            if ($this->getAcl()->checkReadOnlyOwn($this->getEntityType())) {
+                $this->accessPortalOnlyOwn($result);
+            } else {
+                if ($this->getAcl()->checkReadOnlyAccount($this->getEntityType())) {
+                    $this->accessPortalOnlyAccount($result);
+                } else {
+                    if ($this->getAcl()->checkReadOnlyContact($this->getEntityType())) {
+                        $this->accessPortalOnlyContact($result);
+                    }
+                }
            }
        }
    }

    protected function accessOnlyOwn(&$result)
    {
-        if ($this->getSeed()->hasField('assignedUserId')) {
+        if ($this->hasAssignedUsersField()) {
+            $this->setDistinct(true, $result);
+            $this->addLeftJoin('assignedUsers', $result);
+            $result['whereClause'][] = array(
+                'assignedUsers.id' => $this->getUser()->id
+            );
+            return;
+        }
+
+        if ($this->hasAssignedUserField()) {
            $result['whereClause'][] = array(
                'assignedUserId' => $this->getUser()->id
            );
            return;
        }

-        if ($this->getSeed()->hasField('createdById')) {
+        if ($this->hasCreatedByField()) {
            $result['whereClause'][] = array(
                'createdById' => $this->getUser()->id
            );
-            return;
        }
    }

    protected function accessOnlyTeam(&$result)
    {
-        if (!$this->getSeed()->hasField('teamsIds')) {
+        if (!$this->hasTeamsField()) {
            return;
        }
+
        $this->setDistinct(true, $result);
-        $this->addLeftJoin('teams', $result);
-        $result['whereClause'][] = array(
-            'OR' => array(
-                'teams.id' => $this->user->get('teamsIds'),
-                'assignedUserId' => $this->getUser()->id
-            )
+        $this->addLeftJoin(['teams', 'teamsAccess'], $result);
+
+        if ($this->hasAssignedUsersField()) {
+            $this->addLeftJoin(['assignedUsers', 'assignedUsersAccess'], $result);
+            $result['whereClause'][] = array(
+                'OR' => array(
+                    'teamsAccess.id' => $this->getUser()->getLinkMultipleIdList('teams'),
+                    'assignedUsersAccess.id' => $this->getUser()->id
+                )
+            );
+            return;
+        }
+
+        $d = array(
+            'teamsAccess.id' => $this->getUser()->getLinkMultipleIdList('teams')
        );
+        if ($this->hasAssignedUserField()) {
+            $d['assignedUserId'] = $this->getUser()->id;
+        } else if ($this->hasCreatedByField()) {
+            $d['createdById'] = $this->getUser()->id;
+        }
+        $result['whereClause'][] = array(
+            'OR' => $d
+        );
+    }
+
+    protected function accessPortalOnlyOwn(&$result)
+    {
+        if ($this->getSeed()->hasAttribute('createdById')) {
+            $result['whereClause'][] = array(
+                'createdById' => $this->getUser()->id
+            );
+        } else {
+            $result['whereClause'][] = array(
+                'id' => null
+            );
+        }
+    }
+
+    protected function accessPortalOnlyContact(&$result)
+    {
+        $d = array();
+
+        $contactId = $this->getUser()->get('contactId');
+
+        if ($contactId) {
+            if ($this->getSeed()->hasAttribute('contactId')) {
+                $d['contactId'] = $contactId;
+            }
+            if ($this->getSeed()->hasRelation('contacts')) {
+                $this->addLeftJoin(['contacts', 'contactsAccess'], $result);
+                $this->setDistinct(true, $result);
+                $d['contactsAccess.id'] = $contactId;
+            }
+        }
+
+        if ($this->getSeed()->hasAttribute('createdById')) {
+            $d['createdById'] = $this->getUser()->id;
+        }
+
+        if ($this->getSeed()->hasAttribute('parentId') && $this->getSeed()->hasRelation('parent')) {
+            $contactId = $this->getUser()->get('contactId');
+            if ($contactId) {
+                $d[] = array(
+                    'parentType' => 'Contact',
+                    'parentId' => $contactId
+                );
+            }
+        }
+
+        if (!empty($d)) {
+            $result['whereClause'][] = array(
+                'OR' => $d
+            );
+        } else {
+            $result['whereClause'][] = array(
+                'id' => null
+            );
+        }
+    }
+
+    protected function accessPortalOnlyAccount(&$result)
+    {
+        $d = array();
+
+        $accountIdList = $this->getUser()->getLinkMultipleIdList('accounts');
+        $contactId = $this->getUser()->get('contactId');
+
+        if (count($accountIdList)) {
+            if ($this->getSeed()->hasAttribute('accountId')) {
+                $d['accountId'] = $accountIdList;
+            }
+            if ($this->getSeed()->hasRelation('accounts')) {
+                $this->addLeftJoin(['accounts', 'accountsAccess'], $result);
+                $this->setDistinct(true, $result);
+                $d['accountsAccess.id'] = $accountIdList;
+            }
+            if ($this->getSeed()->hasAttribute('parentId') && $this->getSeed()->hasRelation('parent')) {
+                $d[] = array(
+                    'parentType' => 'Account',
+                    'parentId' => $accountIdList
+                );
+                if ($contactId) {
+                    $d[] = array(
+                        'parentType' => 'Contact',
+                        'parentId' => $contactId
+                    );
+                }
+            }
+        }
+
+        if ($contactId) {
+            if ($this->getSeed()->hasAttribute('contactId')) {
+                $d['contactId'] = $contactId;
+            }
+            if ($this->getSeed()->hasRelation('contacts')) {
+                $this->addLeftJoin(['contacts', 'contactsAccess'], $result);
+                $this->setDistinct(true, $result);
+                $d['contactsAccess.id'] = $contactId;
+            }
+        }
+
+        if ($this->getSeed()->hasAttribute('createdById')) {
+            $d['createdById'] = $this->getUser()->id;
+        }
+
+        if (!empty($d)) {
+            $result['whereClause'][] = array(
+                'OR' => $d
+            );
+        } else {
+            $result['whereClause'][] = array(
+                'id' => null
+            );
+        }
+    }
+
+    protected function hasAssignedUsersField()
+    {
+        if ($this->getSeed()->hasRelation('assignedUsers') && $this->getSeed()->hasAttribute('assignedUsersIds')) {
+            return true;
+        }
+    }
+
+    protected function hasAssignedUserField()
+    {
+        if ($this->getSeed()->hasAttribute('assignedUserId')) {
+            return true;
+        }
+    }
+
+    protected function hasCreatedByField()
+    {
+        if ($this->getSeed()->hasAttribute('createdById')) {
+            return true;
+        }
+    }
+
+    protected function hasTeamsField()
+    {
+        if ($this->getSeed()->hasRelation('teams') && $this->getSeed()->hasAttribute('teamsIds')) {
+            return true;
+        }
    }

    public function getAclParams()
@@ -374,7 +629,12 @@ class Base
        return $result;
    }

-    public function getSelectParams(array $params, $withAcl = false)
+    public function buildSelectParams(array $params, $withAcl = false, $checkWherePermission = false)
+    {
+        return $this->getSelectParams($params, $withAcl, $checkWherePermission);
+    }
+
+    public function getSelectParams(array $params, $withAcl = false, $checkWherePermission = false)
    {
        $result = array();
        $this->prepareResult($result);
@@ -383,7 +643,7 @@ class Base
            if (!array_key_exists('asc', $params)) {
                $params['asc'] = true;
            }
-            $this->order($params['sortBy'], $params['asc'], $result);
+            $this->order($params['sortBy'], !$params['asc'], $result);
        }

        if (!isset($params['offset'])) {
@@ -405,6 +665,9 @@ class Base
        }

        if (!empty($params['where']) && is_array($params['where'])) {
+            if ($checkWherePermission) {
+                $this->checkWhere($params['where']);
+            }
            $this->where($params['where'], $result);
        }

@@ -418,21 +681,47 @@ class Base
            $this->access($result);
        }

+        $this->applyAdditional($result);
+
        return $result;
    }

-    protected function getUserTimeZone()
+    protected function checkWhere($where)
+    {
+        foreach ($where as $w) {
+            if (isset($w['field'])) {
+                if (isset($w['type']) && $w['type'] === 'linkedWith') {
+                    if (in_array($w['field'], $this->getAcl()->getScopeForbiddenFieldList($this->getEntityType()))) {
+                        throw new Forbidden();
+                    }
+                } else {
+                    if (in_array($w['field'], $this->getAcl()->getScopeForbiddenAttributeList($this->getEntityType()))) {
+                        throw new Forbidden();
+                    }
+                }
+            }
+            if (!empty($w['value']) && is_array($w['value'])) {
+                $this->checkWhere($w['value']);
+            }
+        }
+    }
+
+    public function getUserTimeZone()
    {
        if (empty($this->userTimeZone)) {
            $preferences = $this->getEntityManager()->getEntity('Preferences', $this->getUser()->id);
-            $timeZone = $preferences->get('timeZone');
-            $this->userTimeZone = $timeZone;
+            if ($preferences) {
+                $timeZone = $preferences->get('timeZone');
+                $this->userTimeZone = $timeZone;
+            } else {
+                $this->userTimeZone = 'UTC';
+            }
        }

        return $this->userTimeZone;
    }

-    protected function convertDateTimeWhere($item)
+    public function convertDateTimeWhere($item)
    {
        $format = 'Y-m-d H:i:s';

@@ -586,6 +875,18 @@ class Base
    {
        $part = array();

+        if (!empty($item['field']) && !empty($item['type'])) {
+            $methodName = 'getWherePart' . ucfirst($item['field']) . ucfirst($item['type']);
+            if (method_exists($this, $methodName)) {
+                $value = null;
+                if (!empty($item['value'])) {
+                    $value = $item['value'];
+                }
+                return $this->$methodName($value);
+            }
+        }
+
+
        if (!empty($item['dateTime'])) {
            return $this->convertDateTimeWhere($item);
        }
@@ -617,6 +918,9 @@ class Base
                case 'startsWith':
                    $part[$item['field'] . '*'] = $item['value'] . '%';
                    break;
+                case 'endsWith':
+                    $part[$item['field'] . '*'] = $item['value'] . '%';
+                    break;
                case 'contains':
                    $part[$item['field'] . '*'] = '%' . $item['value'] . '%';
                    break;
@@ -648,6 +952,7 @@ class Base
                    $part[$item['field'] . '='] = null;
                    break;
                case 'isNotNull':
+                case 'ever':
                    $part[$item['field'] . '!='] = null;
                    break;
                case 'isTrue':
@@ -760,10 +1065,10 @@ class Base
        return $part;
    }

-    public function applyOrder($sortBy, $asc, &$result)
+    public function applyOrder($sortBy, $desc, &$result)
    {
        $this->prepareResult($result);
-        $this->order($sortBy, $asc, $result);
+        $this->order($sortBy, $desc, $result);
    }

    public function applyLimit($offset, $maxSize, &$result)
@@ -798,15 +1103,74 @@ class Base
        $this->textFilter($textFilter, $result);
    }

+    public function applyAdditional(&$result)
+    {
+
+    }
+
+    public function hasJoin($join, &$result)
+    {
+        if (in_array($join, $result['joins'])) {
+            return true;
+        }
+
+        foreach ($result['joins'] as $item) {
+            if (is_array($item) && count($item) > 1) {
+                if ($item[1] == $join) {
+                    return true;
+                }
+            }
+        }
+
+        return false;
+    }
+
+    public function hasLeftJoin($leftJoin, &$result)
+    {
+        if (in_array($leftJoin, $result['leftJoins'])) {
+            return true;
+        }
+
+        foreach ($result['leftJoins'] as $item) {
+            if (is_array($item) && count($item) > 1) {
+                if ($item[1] == $leftJoin) {
+                    return true;
+                }
+            }
+        }
+
+        return false;
+    }
+
    public function addJoin($join, &$result)
    {
        if (empty($result['joins'])) {
            $result['joins'] = [];
        }

-        if (!in_array($join, $result['joins'])) {
-            $result['joins'][] = $join;
+        $alias = $join;
+        if (is_array($join)) {
+            if (count($join) > 1) {
+                $alias = $join[1];
+            } else {
+                $alias = $join[0];
+            }
        }
+        foreach ($result['joins'] as $j) {
+            $a = $j;
+            if (is_array($j)) {
+                if (count($j) > 1) {
+                    $a = $j[1];
+                } else {
+                    $a = $j[0];
+                }
+            }
+            if ($a === $alias) {
+                return;
+            }
+        }
+
+        $result['joins'][] = $join;
    }

    public function addLeftJoin($leftJoin, &$result)
@@ -815,9 +1179,34 @@ class Base
            $result['leftJoins'] = [];
        }

-        if (!in_array($leftJoin, $result['leftJoins'])) {
-            $result['leftJoins'][] = $leftJoin;
+        $alias = $leftJoin;
+        if (is_array($leftJoin)) {
+            if (count($leftJoin) > 1) {
+                $alias = $leftJoin[1];
+            } else {
+                $alias = $leftJoin[0];
+            }
        }
+        foreach ($result['leftJoins'] as $j) {
+            $a = $j;
+            if (is_array($j)) {
+                if (count($j) > 1) {
+                    $a = $j[1];
+                } else {
+                    $a = $j[0];
+                }
+            }
+            if ($a === $alias) {
+                return;
+            }
+        }
+
+        $result['leftJoins'][] = $leftJoin;
+    }
+
+    public function setJoinCondition($join, $condition, &$result)
+    {
+        $result['joinConditions'][$join] = $condition;
    }

    public function setDistinct($distinct, &$result)
@@ -825,22 +1214,40 @@ class Base
        $result['distinct'] = (bool) $distinct;
    }

+    public function addAndWhere($whereClause, &$result)
+    {
+        $result['whereClause'][] = $whereClause;
+    }
+
+    public function addOrWhere($whereClause, &$result)
+    {
+        $result['whereClause'][] = array(
+            'OR' => $whereClause
+        );
+    }
+
    protected function textFilter($textFilter, &$result)
    {
-        $fieldDefs = $this->getSeed()->getFields();
-        $fieldList = $this->getTextFilterFields();
+        $fieldDefs = $this->getSeed()->getAttributes();
+        $fieldList = $this->getTextFilterFieldList();
        $d = array();

        foreach ($fieldList as $field) {
+            $expression = $textFilter . '%';
            if (
                strlen($textFilter) >= self::MIN_LENGTH_FOR_CONTENT_SEARCH
                &&
-                !empty($fieldDefs[$field]['type']) && $fieldDefs[$field]['type'] == 'text'
+                (
+                    !empty($fieldDefs[$field]['type']) && $fieldDefs[$field]['type'] == 'text'
+                    ||
+                    $this->getConfig()->get('textFilterUseContainsForVarchar')
+                )
            ) {
-                $d[$field . '*'] = '%' . $textFilter . '%';
+                $expression = '%' . $textFilter . '%';
            } else {
-                $d[$field . '*'] = $textFilter . '%';
+                $expression = $textFilter . '%';
            }
+            $d[$field . '*'] = $expression;
        }
        $result['whereClause'][] = array(
            'OR' => $d
@@ -872,9 +1279,21 @@ class Base

    protected function boolFilterOnlyMy(&$result)
    {
-        $result['whereClause'][] = array(
-            'assignedUserId' => $this->getUser()->id
-        );
+        if (!$this->checkIsPortal()) {
+            if ($this->hasAssignedUserField()) {
+                $result['whereClause'][] = array(
+                    'assignedUserId' => $this->getUser()->id
+                );
+            } else {
+                $result['whereClause'][] = array(
+                    'createdById' => $this->getUser()->id
+                );
+            }
+        } else {
+            $result['whereClause'][] = array(
+                'createdById' => $this->getUser()->id
+            );
+        }
    }

    protected function filterFollowed(&$result)
--- a/application/Espo/Core/Services/Base.php
+++ b/application/Espo/Core/Services/Base.php
@@ -65,6 +65,13 @@ abstract class Base implements Injectable
        $this->dependencies[] = $name;
    }

+    protected function addDependencyList(array $list)
+    {
+        foreach ($list as $item) {
+            $this->addDependency($item);
+        }
+    }
+
    public function getDependencyList()
    {
        return $this->dependencies;
--- a/application/Espo/Core/Templates/Controllers/Event.php
+++ b/application/Espo/Core/Templates/Controllers/Event.php
@@ -0,0 +1,36 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Templates\Controllers;
+
+class Event extends \Espo\Core\Controllers\Record
+{
+
+}
+
--- a/application/Espo/Core/Templates/Entities/Event.php
+++ b/application/Espo/Core/Templates/Entities/Event.php
@@ -0,0 +1,36 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Templates\Entities;
+
+class Event extends \Espo\Core\ORM\Entity
+{
+
+}
+
--- a/application/Espo/Core/Templates/Layouts/Event/detail.json
+++ b/application/Espo/Core/Templates/Layouts/Event/detail.json
@@ -0,0 +1,39 @@
+[
+    {
+        "label": "Overview",
+        "rows": [
+            [
+                {
+                    "name": "name"
+                },
+                false
+            ],
+            [
+                {
+                    "name": "status"
+                },
+                false
+            ],
+            [
+                {
+                    "name": "dateStart"
+                },
+                {
+                    "name": "dateEnd"
+                }
+            ],
+            [
+                {
+                    "name": "duration"
+                },
+                false
+            ],
+            [
+                {
+                    "name": "description",
+                    "fullWidth": true
+                }
+            ]
+        ]
+    }
+]
--- a/application/Espo/Core/Templates/Layouts/Event/detailSmall.json
+++ b/application/Espo/Core/Templates/Layouts/Event/detailSmall.json
@@ -0,0 +1,43 @@
+[
+    {
+        "label": "",
+        "rows": [
+            [
+                {
+                    "name": "name",
+                    "fullWidth": true
+                }
+            ],
+            [
+                {
+                    "name": "status",
+                    "fullWidth": true
+                }
+            ],
+            [
+                {
+                    "name": "dateStart",
+                    "fullWidth": true
+                }
+            ],
+            [
+                {
+                    "name": "duration",
+                    "fullWidth": true
+                }
+            ],
+            [
+                {
+                    "name": "dateEnd",
+                    "fullWidth": true
+                }
+            ],
+            [
+                {
+                    "name": "description",
+                    "fullWidth": true
+                }
+            ]
+        ]
+    }
+]
--- a/application/Espo/Core/Templates/Metadata/Base/clientDefs.json
+++ b/application/Espo/Core/Templates/Metadata/Base/clientDefs.json
@@ -1,4 +1,4 @@
 {
-   "controller": "Controllers.Record",
+   "controller": "controllers/record",
   "boolFilterList": ["onlyMy"]
 }
--- a/application/Espo/Core/Templates/Metadata/Base/entityDefs.json
+++ b/application/Espo/Core/Templates/Metadata/Base/entityDefs.json
@@ -2,7 +2,8 @@
    "fields": {
        "name": {
            "type": "varchar",
-            "required": true
+            "required": true,
+            "trim": true
        },
        "description": {
            "type": "text"
@@ -17,18 +18,22 @@
        },
        "createdBy": {
            "type": "link",
-            "readOnly": true
+            "readOnly": true,
+            "view": "views/fields/user"
        },
        "modifiedBy": {
            "type": "link",
-            "readOnly": true
+            "readOnly": true,
+            "view": "views/fields/user"
        },
        "assignedUser": {
            "type": "link",
-            "required": true
+            "required": true,
+            "view": "views/fields/assigned-user"
        },
        "teams": {
-            "type": "linkMultiple"
+            "type": "linkMultiple",
+            "view": "views/fields/teams"
        }
    },
    "links": {
--- a/application/Espo/Core/Templates/Metadata/Base/scopes.json
+++ b/application/Espo/Core/Templates/Metadata/Base/scopes.json
@@ -3,6 +3,7 @@
    "layouts": true,
    "tab": true,
    "acl": true,
+    "aclPortal": true,
    "customizable": true,
    "importable": true,
    "notifications": true
--- a/application/Espo/Core/Templates/Metadata/CategoryTree/clientDefs.json
+++ b/application/Espo/Core/Templates/Metadata/CategoryTree/clientDefs.json
@@ -1,6 +1,6 @@
 {
-    "controller": "Controllers.RecordTree",
-    "collection": "Collections.Tree",
+    "controller": "controllers/record-tree",
+    "collection": "collections/tree",
    "menu": {
        "listTree": {
            "buttons": [
--- a/application/Espo/Core/Templates/Metadata/CategoryTree/entityDefs.json
+++ b/application/Espo/Core/Templates/Metadata/CategoryTree/entityDefs.json
@@ -2,7 +2,8 @@
    "fields": {
        "name": {
            "type": "varchar",
-            "required": true
+            "required": true,
+            "trim": true
        },
        "order": {
            "type": "int",
@@ -22,11 +23,13 @@
        },
        "createdBy": {
            "type": "link",
-            "readOnly": true
+            "readOnly": true,
+            "view": "views/fields/user"
        },
        "modifiedBy": {
            "type": "link",
-            "readOnly": true
+            "readOnly": true,
+            "view": "views/fields/user"
        },
        "teams": {
            "type": "linkMultiple"
--- a/application/Espo/Core/Templates/Metadata/CategoryTree/scopes.json
+++ b/application/Espo/Core/Templates/Metadata/CategoryTree/scopes.json
@@ -3,6 +3,7 @@
    "layouts": true,
    "tab": true,
    "acl": true,
+    "aclPortal": true,
    "customizable": true,
    "importable": false,
    "notifications": false
--- a/application/Espo/Core/Templates/Metadata/Event/clientDefs.json
+++ b/application/Espo/Core/Templates/Metadata/Event/clientDefs.json
@@ -0,0 +1,4 @@
+{
+   "controller": "controllers/record",
+   "boolFilterList": ["onlyMy"]
+}
--- a/application/Espo/Core/Templates/Metadata/Event/entityDefs.json
+++ b/application/Espo/Core/Templates/Metadata/Event/entityDefs.json
@@ -0,0 +1,116 @@
+{
+    "fields": {
+        "name": {
+            "type": "varchar",
+            "required": true,
+            "trim": true
+        },
+        "status": {
+            "type": "enum",
+            "options": ["Planned", "Held", "Not Held"],
+            "default": "Planned",
+            "view": "views/fields/enum-styled",
+            "style": {
+                "Held": "success"
+            },
+            "audited": true
+        },
+        "dateStart": {
+            "type": "datetime",
+            "required": true,
+            "default": "javascript: return this.dateTime.getNow(15);",
+            "audited": true
+        },
+        "dateEnd": {
+            "type": "datetime",
+            "required": true,
+            "after": "dateStart"
+        },
+        "duration": {
+            "type": "duration",
+            "start": "dateStart",
+            "end": "dateEnd",
+            "options": [300, 600, 900, 1800, 2700, 3600, 7200],
+            "default": 300,
+            "notStorable": true
+        },
+        "parent": {
+            "type": "linkParent",
+            "entityList": ["Account", "Lead"]
+        },
+        "description": {
+            "type": "text"
+        },
+        "createdAt": {
+            "type": "datetime",
+            "readOnly": true
+        },
+        "modifiedAt": {
+            "type": "datetime",
+            "readOnly": true
+        },
+        "createdBy": {
+            "type": "link",
+            "readOnly": true,
+            "view": "views/fields/user"
+        },
+        "modifiedBy": {
+            "type": "link",
+            "readOnly": true,
+            "view": "views/fields/user"
+        },
+        "assignedUser": {
+            "type": "link",
+            "required": false,
+            "view": "views/fields/assigned-user"
+        },
+        "teams": {
+            "type": "linkMultiple",
+            "view": "views/fields/teams"
+        }
+    },
+    "links": {
+        "parent": {
+            "type": "belongsToParent"
+        },
+        "createdBy": {
+            "type": "belongsTo",
+            "entity": "User"
+        },
+        "modifiedBy": {
+            "type": "belongsTo",
+            "entity": "User"
+        },
+        "assignedUser": {
+            "type": "belongsTo",
+            "entity": "User"
+        },
+        "teams": {
+            "type": "hasMany",
+            "entity": "Team",
+            "relationName": "EntityTeam",
+            "layoutRelationshipsDisabled": true
+        }
+    },
+    "collection": {
+        "sortBy": "dateStart",
+        "asc": false
+    },
+    "indexes": {
+        "dateStartStatus": {
+            "columns": ["dateStart", "status"]
+        },
+        "dateStart": {
+            "columns": ["dateStart", "deleted"]
+        },
+        "status": {
+            "columns": ["status", "deleted"]
+        },
+        "assignedUser": {
+            "columns": ["assignedUserId", "deleted"]
+        },
+        "assignedUserStatus": {
+            "columns": ["assignedUserId", "status"]
+        }
+    }
+}
--- a/application/Espo/Core/Templates/Metadata/Event/scopes.json
+++ b/application/Espo/Core/Templates/Metadata/Event/scopes.json
@@ -0,0 +1,11 @@
+{
+    "entity": true,
+    "layouts": true,
+    "tab": true,
+    "acl": true,
+    "aclPortal": true,
+    "customizable": true,
+    "importable": true,
+    "calendar": true,
+    "notifications": true
+}
--- a/application/Espo/Core/Templates/Metadata/Person/clientDefs.json
+++ b/application/Espo/Core/Templates/Metadata/Person/clientDefs.json
@@ -1,4 +1,4 @@
 {
-   "controller": "Controllers.Record",
+   "controller": "controllers/record",
   "boolFilterList": ["onlyMy"]
 }
--- a/application/Espo/Core/Templates/Metadata/Person/entityDefs.json
+++ b/application/Espo/Core/Templates/Metadata/Person/entityDefs.json
@@ -21,10 +21,6 @@
        "description": {
            "type": "text"
        },
-        "createdAt": {
-            "type": "datetime",
-            "readOnly": true
-        },
        "emailAddress": {
            "type": "email"
        },
@@ -53,24 +49,32 @@
        "addressPostalCode": {
            "type": "varchar"
        },
+        "createdAt": {
+            "type": "datetime",
+            "readOnly": true
+        },
        "modifiedAt": {
            "type": "datetime",
            "readOnly": true
        },
        "createdBy": {
            "type": "link",
-            "readOnly": true
+            "readOnly": true,
+            "view": "views/fields/user"
        },
        "modifiedBy": {
            "type": "link",
-            "readOnly": true
+            "readOnly": true,
+            "view": "views/fields/user"
        },
        "assignedUser": {
            "type": "link",
-            "required": true
+            "required": false,
+            "view": "views/fields/assigned-user"
        },
        "teams": {
-            "type": "linkMultiple"
+            "type": "linkMultiple",
+            "view": "views/fields/teams"
        }
    },
    "links": {
--- a/application/Espo/Core/Templates/Metadata/Person/scopes.json
+++ b/application/Espo/Core/Templates/Metadata/Person/scopes.json
@@ -3,6 +3,7 @@
    "layouts": true,
    "tab": true,
    "acl": true,
+    "aclPortal": true,
    "customizable": true,
    "importable": true,
    "notifications": true
--- a/application/Espo/Core/Templates/Repositories/Event.php
+++ b/application/Espo/Core/Templates/Repositories/Event.php
@@ -0,0 +1,36 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Templates\Repositories;
+
+class Event extends \Espo\Core\ORM\Repositories\RDB
+{
+
+}
+
--- a/application/Espo/Core/Templates/Services/Event.php
+++ b/application/Espo/Core/Templates/Services/Event.php
@@ -0,0 +1,36 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Templates\Services;
+
+class Event extends \Espo\Services\Record
+{
+
+}
+
--- a/application/Espo/Core/Templates/Services/Person.php
+++ b/application/Espo/Core/Templates/Services/Person.php
@@ -32,6 +32,39 @@ namespace Espo\Core\Templates\Services;

 class Person extends \Espo\Services\Record
 {
+    protected function getDuplicateWhereClause(Entity $entity, $data = array())
+    {
+        $data = array(
+            'OR' => array(
+                array(
+                    'firstName' => $entity->get('firstName'),
+                    'lastName' => $entity->get('lastName'),
+                )
+            )
+        );
+        if (
+            ($entity->get('emailAddress') || $entity->get('emailAddressData'))
+            &&
+            ($entity->isNew() || $entity->isFieldChanged('emailAddress') || $entity->isFieldChanged('emailAddressData'))
+        ) {
+            if ($entity->get('emailAddress')) {
+                $list = [$entity->get('emailAddress')];
+            }
+            if ($entity->get('emailAddressData')) {
+                foreach ($entity->get('emailAddressData') as $row) {
+                    if (!in_array($row->emailAddress, $list)) {
+                        $list[] = $row->emailAddress;
+                    }
+                }
+            }
+            foreach ($list as $emailAddress) {
+                $data['OR'][] = array(
+                    'emailAddress' => $emailAddress
+                );
+            }
+        }

+        return $data;
+    }
 }

--- a/application/Espo/Core/Upgrades/Actions/Base.php
+++ b/application/Espo/Core/Upgrades/Actions/Base.php
@@ -32,7 +32,7 @@ use Espo\Core\Utils\Util;
 use Espo\Core\Utils\System;
 use Espo\Core\Utils\Json;
 use Espo\Core\Exceptions\Error;
-use vierbergenlars\SemVer;
+use Composer\Semver\Semver;

 abstract class Base
 {
@@ -221,20 +221,12 @@ abstract class Base
            $versionList = (array) $versionList;
        }

-        try {
-            $semver = new SemVer\version($currentVersion);
-        } catch (\Exception $e) {
-            $GLOBALS['log']->error('Cannot recognize currentVersion ['.$currentVersion.'], error: '.$e->getMessage().'.');
-            return false;
-        }
-
        foreach ($versionList as $version) {
-
            $isInRange = false;
            try {
-                $isInRange = $semver->satisfies(new SemVer\expression($version));
+                $isInRange = Semver::satisfies($currentVersion, $version);
            } catch (\Exception $e) {
-                $GLOBALS['log']->error('Version identification error: '.$e->getMessage().'.');
+                $GLOBALS['log']->error('SemVer: Version identification error: '.$e->getMessage().'.');
            }

            if ($isInRange) {
--- a/application/Espo/Core/Utils/Api/Slim.php
+++ b/application/Espo/Core/Utils/Api/Slim.php
@@ -39,33 +39,19 @@ class Slim extends \Slim\Slim
     */
    public function run()
    {
-        //set_error_handler(array('\Slim\Slim', 'handleErrors')); //Espo: no needs to use this handler
-
-        //Apply final outer middleware layers
-        if ($this->config('debug')) {
-            //Apply pretty exceptions only in debug to avoid accidental information leakage in production
-            //$this->add(new \Slim\Middleware\PrettyExceptions()); //Espo: no needs to use this handler
-        }
-
-        //Invoke middleware and application stack
        $this->middleware[0]->call();

-        //Fetch status, header, and body
        list($status, $headers, $body) = $this->response->finalize();

-        // Serialize cookies (with optional encryption)
        \Slim\Http\Util::serializeCookies($headers, $this->response->cookies, $this->settings);

-        //Send headers
        if (headers_sent() === false) {
-            //Send status
            if (strpos(PHP_SAPI, 'cgi') === 0) {
                header(sprintf('Status: %s', \Slim\Http\Response::getMessageForCode($status)));
            } else {
                header(sprintf('HTTP/%s %s', $this->config('http.version'), \Slim\Http\Response::getMessageForCode($status)));
            }

-            //Send headers
            foreach ($headers as $name => $value) {
                $hValues = explode("\n", $value);
                foreach ($hValues as $hVal) {
@@ -74,12 +60,9 @@ class Slim extends \Slim\Slim
            }
        }

-        //Send body, but only if it isn't a HEAD request
        if (!$this->request->isHead()) {
            echo $body;
        }
-
-        //restore_error_handler(); //Espo: no needs to use this handler
    }

    public function printError($error, $status)
@@ -87,5 +70,4 @@ class Slim extends \Slim\Slim
        echo static::generateTemplateMarkup($status, '<p>'.$error.'</p><a href="' . $this->request->getRootUri() . '/">Visit the Home Page</a>');
    }

-
 }
--- a/application/Espo/Core/Utils/Auth.php
+++ b/application/Espo/Core/Utils/Auth.php
@@ -32,50 +32,112 @@ namespace Espo\Core\Utils;
 use \Espo\Core\Exceptions\Error;
 use \Espo\Core\Exceptions\Forbidden;

+use \Espo\Entities\Portal;
+
 class Auth
 {
    protected $container;

    protected $authentication;

-    protected $config;
+    protected $allowAnyAccess;

-    protected $entityManager;
+    const ACCESS_CRM_ONLY = 0;

-    public function __construct(\Espo\Core\Container $container)
+    const ACCESS_PORTAL_ONLY = 1;
+
+    const ACCESS_ANY = 3;
+
+    private $portal;
+
+    public function __construct(\Espo\Core\Container $container, $allowAnyAccess = false)
    {
        $this->container = $container;

-        $this->entityManager = $this->container->get('entityManager');
-        $this->config = $this->container->get('config');
+        $this->allowAnyAccess = $allowAnyAccess;

-        $authenticationMethod = $this->config->get('authenticationMethod', 'Espo');
+        $authenticationMethod = $this->getConfig()->get('authenticationMethod', 'Espo');
        $authenticationClassName = "\\Espo\\Core\\Utils\\Authentication\\" . $authenticationMethod;
-        $this->authentication = new $authenticationClassName($this->config, $this->entityManager, $this);
+        $this->authentication = new $authenticationClassName($this->getConfig(), $this->getEntityManager(), $this);

-        $this->request = $this->container->get('slim')->request();
+        $this->request = $container->get('slim')->request();
+    }
+
+    protected function getContainer()
+    {
+        return $this->container;
+    }
+
+    protected function setPortal(Portal $portal)
+    {
+        $this->portal = $portal;
+    }
+
+    protected function isPortal()
+    {
+        if ($this->portal) {
+            return true;
+        }
+        return !!$this->getContainer()->get('portal');
+    }
+
+    protected function getPortal()
+    {
+        if ($this->portal) {
+            return $this->portal;
+        }
+        return $this->getContainer()->get('portal');
+    }
+
+    protected function getConfig()
+    {
+        return $this->getContainer()->get('config');
+    }
+
+    protected function getEntityManager()
+    {
+        return $this->getContainer()->get('entityManager');
    }

    public function useNoAuth($isAdmin = false)
    {
-        $entityManager = $this->container->get('entityManager');
+        $entityManager = $this->getContainer()->get('entityManager');

        $user = $entityManager->getRepository('User')->get('system');
        if (!$user) {
-            throw new Error('System user is not found');
+            throw new Error("System user is not found");
        }

        $user->set('isAdmin', $isAdmin);

        $entityManager->setUser($user);
-        $this->container->setUser($user);
+        $this->getContainer()->setUser($user);
    }

    public function login($username, $password)
    {
-        $entityManager = $this->entityManager;
+        $authToken = $this->getEntityManager()->getRepository('AuthToken')->where(array('token' => $password))->findOne();

-        $authToken = $entityManager->getRepository('AuthToken')->where(array('token' => $password))->findOne();
+        if ($authToken) {
+            if (!$this->allowAnyAccess) {
+                if ($this->isPortal() && $authToken->get('portalId') !== $this->getPortal()->id) {
+                    $GLOBALS['log']->debug("AUTH: Trying to login to portal with a token not related to portal.");
+                    return false;
+                }
+                if (!$this->isPortal() && $authToken->get('portalId')) {
+                    $GLOBALS['log']->debug("AUTH: Trying to login to crm with a token related to portal.");
+                    return false;
+                }
+            }
+            if ($this->allowAnyAccess) {
+                if ($authToken->get('portalId') && !$this->isPortal()) {
+                    $portal = $this->getEntityManager()->getEntity('Portal', $authToken->get('portalId'));
+                    if ($portal) {
+                        $this->setPortal($portal);
+                    }
+                }
+            }
+        }

        $user = $this->authentication->login($username, $password, $authToken);

@@ -84,21 +146,45 @@ class Auth
                $GLOBALS['log']->debug("AUTH: Trying to login as user '".$user->get('userName')."' which is not active.");
                return false;
            }
-            $entityManager->setUser($user);
-            $this->container->setUser($user);
+
+            if (!$user->isAdmin() && !$this->isPortal() && $user->get('isPortalUser')) {
+                $GLOBALS['log']->debug("AUTH: Trying to login to crm as a portal user '".$user->get('userName')."'.");
+                return false;
+            }
+
+            if (!$user->isAdmin() && $this->isPortal() && !$user->get('isPortalUser')) {
+                $GLOBALS['log']->debug("AUTH: Trying to login to portal as user '".$user->get('userName')."' which is not portal user.");
+                return false;
+            }
+
+            if ($this->isPortal()) {
+                if (!$user->isAdmin() && !$this->getEntityManager()->getRepository('Portal')->isRelated($this->getPortal(), 'users', $user)) {
+                    $GLOBALS['log']->debug("AUTH: Trying to login to portal as user '".$user->get('userName')."' which is portal user but does not belongs to portal.");
+                    return false;
+                }
+                $user->set('portalId', $this->getPortal()->id);
+            } else {
+                $user->loadLinkMultipleField('teams');
+            }
+
+            $this->getEntityManager()->setUser($user);
+            $this->getContainer()->setUser($user);

            if ($this->request->headers->get('HTTP_ESPO_AUTHORIZATION')) {
 	            if (!$authToken) {
-	                $authToken = $entityManager->getEntity('AuthToken');
+	                $authToken = $this->getEntityManager()->getEntity('AuthToken');
 	                $token = $this->createToken($user);
 	                $authToken->set('token', $token);
 	                $authToken->set('hash', $user->get('password'));
 	                $authToken->set('ipAddress', $_SERVER['REMOTE_ADDR']);
 	                $authToken->set('userId', $user->id);
+                    if ($this->isPortal()) {
+                        $authToken->set('portalId', $this->getPortal()->id);
+                    }
 	            }
            	$authToken->set('lastAccess', date('Y-m-d H:i:s'));

-            	$entityManager->saveEntity($authToken);
+            	$this->getEntityManager()->saveEntity($authToken);
            	$user->set('token', $authToken->get('token'));
            }

@@ -113,11 +199,9 @@ class Auth

    public function destroyAuthToken($token)
    {
-        $entityManager = $this->container->get('entityManager');
-
-        $authToken = $entityManager->getRepository('AuthToken')->where(array('token' => $token))->findOne();
+        $authToken = $this->getEntityManager()->getRepository('AuthToken')->where(array('token' => $token))->findOne();
        if ($authToken) {
-            $entityManager->removeEntity($authToken);
+            $this->getEntityManager()->removeEntity($authToken);
            return true;
        }
    }
--- a/application/Espo/Core/Utils/Authentication/Base.php
+++ b/application/Espo/Core/Utils/Authentication/Base.php
@@ -73,6 +73,5 @@ abstract class Base

        return $this->passwordHash;
    }
-
 }

--- a/application/Espo/Core/Utils/Authentication/Espo.php
+++ b/application/Espo/Core/Utils/Authentication/Espo.php
@@ -45,7 +45,7 @@ class Espo extends Base
            'whereClause' => array(
                'userName' => $username,
                'password' => $hash
-            ),
+            )
        ));

        return $user;
--- a/application/Espo/Core/Utils/Authentication/LDAP.php
+++ b/application/Espo/Core/Utils/Authentication/LDAP.php
@@ -28,49 +28,68 @@
 ************************************************************************/

 namespace Espo\Core\Utils\Authentication;
-use Espo\Core\Exceptions\Error,
-    Espo\Core\Utils\Config,
-    Espo\Core\ORM\EntityManager,
-    Espo\Core\Utils\Auth;
+
+use Espo\Core\Exceptions\Error;
+use Espo\Core\Utils\Config;
+use Espo\Core\ORM\EntityManager;
+use Espo\Core\Utils\Auth;

 class LDAP extends Base
 {
    private $utils;

-    private $zendLdap;
+    private $ldapClient;

    /**
-     * Espo => LDAP name
+     * User field name  => option name (LDAP attribute)
     *
     * @var array
     */
-    private $fields = array(
-        'userName' => 'cn',
-        'firstName' => 'givenname',
-        'lastName' => 'sn',
-        'title' => 'title',
-        'emailAddress' => 'mail',
-        'phoneNumber' => 'telephonenumber',
+    protected $ldapFieldMap = array(
+        'userName' => 'userNameAttribute',
+        'firstName' => 'userTitleAttribute',
+        'lastName' => 'userFirstNameAttribute',
+        'title' => 'userLastNameAttribute',
+        'emailAddress' => 'userEmailAddressAttribute',
+        'phoneNumber' => 'userPhoneNumberAttribute',
+    );
+
+    /**
+     * User field name => option name
+     *
+     * @var array
+     */
+    protected $userFieldMap = array(
+        'teamsIds' => 'userTeamsIds',
+        'defaultTeamId' => 'userDefaultTeamId',
    );

    public function __construct(Config $config, EntityManager $entityManager, Auth $auth)
    {
        parent::__construct($config, $entityManager, $auth);

-        $this->zendLdap = new LDAP\LDAP();
        $this->utils = new LDAP\Utils($config);
    }

-    protected function getZendLdap()
-    {
-        return $this->zendLdap;
-    }
-
    protected function getUtils()
    {
        return $this->utils;
    }

+    protected function getLdapClient()
+    {
+        if (!isset($this->ldapClient)) {
+            $options = $this->getUtils()->getLdapClientOptions();
+
+            try {
+                $this->ldapClient = new LDAP\Client($options);
+            } catch (\Exception $e) {
+                $GLOBALS['log']->error('LDAP error: ' . $e->getMessage());
+            }
+        }
+
+        return $this->ldapClient;
+    }

    /**
     * LDAP login
@@ -78,6 +97,7 @@ class LDAP extends Base
     * @param  string $username
     * @param  string $password
     * @param  \Espo\Entities\AuthToken $authToken
+     *
     * @return \Espo\Entities\User | null
     */
    public function login($username, $password, \Espo\Entities\AuthToken $authToken = null)
@@ -86,28 +106,35 @@ class LDAP extends Base
            return $this->loginByToken($username, $authToken);
        }

-        $options = $this->getUtils()->getZendOptions();
+        $ldapClient = $this->getLdapClient();

-        $ldap = $this->getZendLdap();
-        $ldap = $ldap->setOptions($options);
+        //login LDAP admin user (ldapUsername, ldapPassword)
+        try {
+            $ldapClient->bind();
+        } catch (\Exception $e) {
+            $options = $this->getUtils()->getLdapClientOptions();
+            $GLOBALS['log']->error('LDAP: Authentication failed for user ['.$options['username'].'], details: ' . $e->getMessage());
+            return;
+        }
+
+        $userDn = $this->findLdapUserDnByUsername($username);
+        $GLOBALS['log']->debug('Found DN for ['.$username.']: ['.$userDn.'].');
+        if (!isset($userDn)) {
+            $GLOBALS['log']->error('LDAP: Authentication failed for user ['.$username.'], details: user is not found.');
+            return;
+        }

        try {
-            $ldap->bind($username, $password);
-
-            $dn = $ldap->getDn($username);
-
-            $loginFilter = $this->getUtils()->getOption('userLoginFilter');
-            $userData = $ldap->searchByLoginFilter($loginFilter, $dn, 3);
-
-        } catch (\Zend\Ldap\Exception\LdapException $zle) {
+            $ldapClient->bind($userDn, $password);
+        } catch (\Exception $e) {

            $admin = $this->adminLogin($username, $password);
            if (!isset($admin)) {
-                $GLOBALS['log']->info('LDAP Authentication: ' . $zle->getMessage());
+                $GLOBALS['log']->error('LDAP: Authentication failed for user ['.$username.'], details: ' . $e->getMessage());
                return null;
            }

-            $GLOBALS['log']->info('LDAP Authentication: Administrator login by username ['.$username.']');
+            $GLOBALS['log']->info('LDAP: Administrator ['.$username.'] was logged in by Espo method.');
        }

        $user = $this->getEntityManager()->getRepository('User')->findOne(array(
@@ -118,7 +145,7 @@ class LDAP extends Base

        $isCreateUser = $this->getUtils()->getOption('createEspoUser');
        if (!isset($user) && $isCreateUser) {
-            $this->getAuth()->useNoAuth(); /** Required to fix Acl "isFetched()" error */
+            $userData = $ldapClient->getEntry($userDn);
            $user = $this->createUser($userData);
        }

@@ -130,6 +157,7 @@ class LDAP extends Base
     *
     * @param  string $username
     * @param  \Espo\Entities\AuthToken $authToken
+     *
     * @return \Espo\Entities\User | null
     */
    protected function loginByToken($username, \Espo\Entities\AuthToken $authToken = null)
@@ -182,26 +210,106 @@ class LDAP extends Base
     * Create Espo user with data gets from LDAP server
     *
     * @param  array $userData LDAP entity data
+     *
     * @return \Espo\Entities\User
     */
    protected function createUser(array $userData)
    {
+        $GLOBALS['log']->info('Creating new user ...');
        $data = array();
-        foreach ($this->fields as $espo => $ldap) {
+
+        // show full array of the LDAP user
+        $GLOBALS['log']->debug('LDAP: user data: ' .print_r($userData, true));
+
+        //set values from ldap server
+        $ldapFields = $this->loadFields('ldap');
+        foreach ($ldapFields as $espo => $ldap) {
+            $ldap = strtolower($ldap);
            if (isset($userData[$ldap][0])) {
+                $GLOBALS['log']->debug('LDAP: Create a user wtih ['.$espo.'] = ['.$userData[$ldap][0].'].');
                $data[$espo] = $userData[$ldap][0];
            }
        }

+        //set user fields
+        $userFields = $this->loadFields('user');
+        foreach ($userFields as $fieldName => $fieldValue) {
+            $data[$fieldName] = $fieldValue;
+        }
+
        $user = $this->getEntityManager()->getEntity('User');
        $user->set($data);

        $this->getEntityManager()->saveEntity($user);

-        return $user;
+        return $this->getEntityManager()->getEntity('User', $user->id);
    }

+    /**
+     * Find LDAP user DN by his username
+     *
+     * @param  string $username
+     *
+     * @return string | null
+     */
+    protected function findLdapUserDnByUsername($username)
+    {
+        $ldapClient = $this->getLdapClient();
+        $options = $this->getUtils()->getOptions();

+        $loginFilterString = '';
+        if (!empty($options['userLoginFilter'])) {
+            $loginFilterString = $this->convertToFilterFormat($options['userLoginFilter']);
+        }

-}
+        $searchString = '(&(objectClass='.$options['userObjectClass'].')('.$options['userNameAttribute'].'='.$username.')'.$loginFilterString.')';
+        $result = $ldapClient->search($searchString, null, LDAP\Client::SEARCH_SCOPE_ONE);
+        $GLOBALS['log']->debug('LDAP: user search string: "' . $searchString . '"');

+        foreach ($result as $item) {
+            return $item["dn"];
+        }
+    }
+
+    /**
+     * Check and convert filter item into LDAP format
+     *
+     * @param  string $filter E.g. "memberof=CN=externalTesters,OU=groups,DC=espo,DC=local"
+     *
+     * @return string
+     */
+    protected function convertToFilterFormat($filter)
+    {
+        $filter = trim($filter);
+        if (substr($filter, 0, 1) != '(') {
+            $filter = '(' . $filter;
+        }
+        if (substr($filter, -1) != ')') {
+            $filter = $filter . ')';
+        }
+        return $filter;
+    }
+
+    /**
+     * Load fields for a user
+     *
+     * @param  string $type
+     *
+     * @return array
+     */
+    protected function loadFields($type)
+    {
+        $options = $this->getUtils()->getOptions();
+
+        $typeMap = $type . 'FieldMap';
+
+        $fields = array();
+        foreach ($this->$typeMap as $fieldName => $fieldValue) {
+            if (isset($options[$fieldValue])) {
+                $fields[$fieldName] = $options[$fieldValue];
+            }
+        }
+
+        return $fields;
+    }
+}
--- a/application/Espo/Core/Utils/Authentication/LDAP/Client.php
+++ b/application/Espo/Core/Utils/Authentication/LDAP/Client.php
@@ -0,0 +1,35 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
+ * Website: http://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Utils\Authentication\LDAP;
+
+class Client extends \Zend\Ldap\Ldap
+{
+
+}
--- a/application/Espo/Core/Utils/Authentication/LDAP/LDAP.php
+++ b/application/Espo/Core/Utils/Authentication/LDAP/LDAP.php
@@ -1,129 +0,0 @@
-<?php
-/************************************************************************
- * This file is part of EspoCRM.
- *
- * EspoCRM - Open Source CRM application.
- * Copyright (C) 2014-2015 Yuri Kuznetsov, Taras Machyshyn, Oleksiy Avramenko
- * Website: http://www.espocrm.com
- *
- * EspoCRM is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * EspoCRM is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
- *
- * The interactive user interfaces in modified source and object code versions
- * of this program must display Appropriate Legal Notices, as required under
- * Section 5 of the GNU General Public License version 3.
- *
- * In accordance with Section 7(b) of the GNU General Public License version 3,
- * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
- ************************************************************************/
-
-namespace Espo\Core\Utils\Authentication\LDAP;
-class LDAP extends \Zend\Ldap\Ldap
-{
-    protected $usernameAttribute = 'cn';
-
-
-    /**
-     * Get DN depends on options, ex. "cn=test,ou=People,dc=maxcrc,dc=com"
-     *
-     * @return string DN format
-     */
-    public function getDn($acctname)
-    {
-        return $this->getAccountDn($acctname, \Zend\Ldap\Ldap::ACCTNAME_FORM_DN);
-    }
-
-    /**
-     * Fix a bug, ex. CN=Alice Baker,CN=Users,DC=example,DC=com
-     *
-     * @param  string $acctname
-     * @return string - Account DN
-     */
-    protected function getAccountDn($acctname)
-    {
-        $baseDn = $this->getBaseDn();
-
-        if ($this->getBindRequiresDn() && isset($baseDn)) {
-            try {
-                return parent::getAccountDn($acctname);
-            } catch (\Zend\Ldap\Exception\LdapException $zle) {
-                if ($zle->getCode() != \Zend\Ldap\Exception\LdapException::LDAP_NO_SUCH_OBJECT) {
-                    throw $zle;
-                }
-            }
-
-            $acctname = $this->usernameAttribute . '=' . \Zend\Ldap\Filter\AbstractFilter::escapeValue($acctname) . ',' . $baseDn;
-        }
-
-        return parent::getAccountDn($acctname);
-    }
-
-    /**
-     * Search a user using userLoginFilter
-     *
-     * @param  string $filter
-     * @param  string $basedn
-     * @param  int $scope
-     * @param  array  $attributes
-     * @return array
-     */
-    public function searchByLoginFilter($filter, $basedn = null, $scope = self::SEARCH_SCOPE_SUB, array $attributes = array())
-    {
-        $filter = $this->getLoginFilter($filter);
-
-        $result = $this->search($filter, $basedn, $scope, $attributes);
-
-        if ($result->count() > 0) {
-            return $result->getFirst();
-        }
-
-        throw new \Zend\Ldap\Exception\LdapException($this, 'searching: ' . $filter);
-    }
-
-    /**
-     * Get login filter in LDAP format
-     *
-     * @param  string $filter
-     * @return string
-     */
-    protected function getLoginFilter($filter)
-    {
-        $baseFilter = '(objectClass=*)';
-
-        if (!empty($filter)) {
-            $baseFilter = '(&' . $baseFilter . $this->convertToFilterFormat($filter). ')';
-        }
-
-        return $baseFilter;
-    }
-
-    /**
-     * Check and convert filter item in LDAP format
-     *
-     * @param  string $filter [description]
-     * @return string
-     */
-    protected function convertToFilterFormat($filter)
-    {
-        $filter = trim($filter);
-        if (substr($filter, 0, 1) != '(') {
-            $filter = '(' . $filter;
-        }
-
-        if (substr($filter, -1) != ')') {
-            $filter = $filter . ')';
-        }
-
-        return $filter;
-    }
-}
--- a/Show More
+++ b/Show More