attachment csp

* fixed require promise

* czech translation fix

Co-authored-by: David Moškoř <david.moskor@apertia.cz>

.editorconfig

@@ -4,8 +4,7 @@ root = true
 [*]
 indent_style = space
 indent_size = 4
-end_of_line = lf
+end_of_line = crlf
 charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true
-

.gitattributes

@@ -8,4 +8,9 @@
 *.tpl text eol=crlf
 *.html text eol=crlf
 
+bin/command text eol=lf
+
+.gitattributes text eol=crlf
+.gitignore text eol=crlf
+
 *.png binary

.github/SECURITY.md

@@ -6,4 +6,4 @@ If you believe you have discovered a vulnerability in EspoCRM please contacts us
 
 ## Supported versions
 
-For severe vulnerabilities we provide fixes for 2 minor versions (the second number in the version string) back from the current stable version. Separate patches or manual fix guidelines will be provided for more old versions.
+For severe vulnerabilities we provide fixes for 2 minor versions (the second number in the version string) back from the current stable version.

.htaccess

@@ -24,11 +24,6 @@ Options -Indexes
     # Skip redirect for `client` dir.
     RewriteRule ^client/ - [L]
 
-# {#dev}
-    # Skip redirect for `node_modules` dir. Actual only for dev environment.
-    RewriteRule ^node_modules/ - [L]
-# {/dev}
-
     # Store base path.
     RewriteCond %{REQUEST_URI}::$1 ^(.*?/)(.*)::\2$
     RewriteRule ^(.*)$ - [E=BASE:%1]

.idea/.gitignore

@@ -0,0 +1,5 @@
+*
+!.gitignore
+!/codeStyles
+!/fileTemplates
+!/inspectionProfiles

.idea/codeStyles/Project.xml

@@ -0,0 +1,11 @@
+<component name="ProjectCodeStyleConfiguration">
+  <code_scheme name="Project" version="173">
+    <PHPCodeStyleSettings>
+      <option name="GROUP_USE_WRAP" value="2" />
+    </PHPCodeStyleSettings>
+    <codeStyleSettings language="PHP">
+      <option name="ALIGN_MULTILINE_PARAMETERS" value="false" />
+      <option name="ALIGN_MULTILINE_FOR" value="false" />
+    </codeStyleSettings>
+  </code_scheme>
+</component>

.idea/codeStyles/codeStyleConfig.xml

@@ -0,0 +1,5 @@
+<component name="ProjectCodeStyleConfiguration">
+  <state>
+    <option name="USE_PER_PROJECT_SETTINGS" value="true" />
+  </state>
+</component>

.idea/fileTemplates/includes/PHP File Header.php

@@ -0,0 +1,27 @@
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-${YEAR} Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/

.idea/fileTemplates/internal/JavaScript File.js

@@ -0,0 +1 @@
+#parse("PHP File Header.php")

.idea/inspectionProfiles/Project_Default.xml

@@ -0,0 +1,19 @@
+<component name="InspectionProjectProfileManager">
+  <profile version="1.0">
+    <option name="myName" value="Project Default" />
+    <inspection_tool class="DuplicatedCode" enabled="false" level="WEAK WARNING" enabled_by_default="false" />
+    <inspection_tool class="ES6ConvertVarToLetConst" enabled="false" level="WEAK WARNING" enabled_by_default="false" />
+    <inspection_tool class="JSIgnoredPromiseFromCall" enabled="false" level="WEAK WARNING" enabled_by_default="false" />
+    <inspection_tool class="PhpDocMissingThrowsInspection" enabled="false" level="WEAK WARNING" enabled_by_default="false" />
+    <inspection_tool class="PhpDocSignatureIsNotCompleteInspection" enabled="false" level="WEAK WARNING" enabled_by_default="false" />
+    <inspection_tool class="PhpMissingFieldTypeInspection" enabled="false" level="WEAK WARNING" enabled_by_default="false" />
+    <inspection_tool class="PhpMissingParamTypeInspection" enabled="false" level="WEAK WARNING" enabled_by_default="false" />
+    <inspection_tool class="PhpMissingReturnTypeInspection" enabled="false" level="WEAK WARNING" enabled_by_default="false" />
+    <inspection_tool class="PhpStanGlobal" enabled="false" level="WEAK WARNING" enabled_by_default="false">
+      <option name="config" value="$PROJECT_DIR$/phpstan.neon" />
+    </inspection_tool>
+    <inspection_tool class="PhpSwitchStatementWitSingleBranchInspection" enabled="false" level="WEAK WARNING" enabled_by_default="false" />
+    <inspection_tool class="PsalmAdvanceCallableParamsInspection" enabled="false" level="WARNING" enabled_by_default="false" />
+    <inspection_tool class="TrivialIfJS" enabled="false" level="WARNING" enabled_by_default="false" />
+  </profile>
+</component>

Gruntfile.js

@@ -32,36 +32,41 @@
 const fs = require('fs');
 const cp = require('child_process');
 const path = require('path');
+const buildUtils = require('./js/build-utils');
 
 module.exports = grunt => {
 
     const pkg = grunt.file.readJSON('package.json');
     const bundleConfig = require('./frontend/bundle-config.json');
+    const libs = require('./frontend/libs.json');
 
-    let jsFilesToBundle = getBundleLibList().concat(bundleConfig.jsFiles);
-    let jsFilesToCopy = getCopyLibDataList();
+    const originalLibDir = 'client/lib/original';
 
-    let libFilesToMinify = jsFilesToCopy
+    let bundleJsFileList = buildUtils.getPreparedBundleLibList(libs).concat(originalLibDir + '/espo.js');
+    let copyJsFileList = buildUtils.getCopyLibDataList(libs);
+
+    let minifyLibFileList = copyJsFileList
         .filter(item => item.minify)
-        .reduce((map, item) => (
-            map[item.dest] = item.dest,
-            map
-        ), {});
+        .map(item => {
+            return {
+                dest: item.dest,
+                src: item.originalDest,
+            };
+        });
 
     let currentPath = path.dirname(fs.realpathSync(__filename));
 
     let themeList = [];
 
     fs.readdirSync('application/Espo/Resources/metadata/themes').forEach(file => {
-        themeList.push(file.substr(0, file.length - 5));
+        themeList.push(file.substring(0, file.length - 5));
     });
 
     let cssminFilesData = {};
-
     let lessData = {};
 
     themeList.forEach(theme => {
-        let name = camelCaseToHyphen(theme);
+        let name = buildUtils.camelCaseToHyphen(theme);
 
         let files = {};
 
@@ -71,14 +76,12 @@ module.exports = grunt => {
         cssminFilesData['client/css/espo/'+name+'.css'] = 'client/css/espo/'+name+'.css';
         cssminFilesData['client/css/espo/'+name+'-iframe.css'] = 'client/css/espo/'+name+'-iframe.css';
 
-        let o = {
+        lessData[theme] = {
             options: {
                 yuicompress: true,
             },
             files: files,
         };
-
-        lessData[theme] = o;
     });
 
     grunt.initConfig({
@@ -118,7 +121,7 @@ module.exports = grunt => {
                     'build/tmp/client/custom/modules/*',
                     '!build/tmp/client/custom/modules/dummy.txt',
                 ]
-            }
+            },
         },
 
         less: lessData,
@@ -142,11 +145,11 @@ module.exports = grunt => {
                     banner: '/*! <%= pkg.name %> <%= grunt.template.today("yyyy-mm-dd") %> */\n',
                 },
                 files: {
-                    'client/lib/espo.min.js': jsFilesToBundle,
+                    'client/lib/espo.min.js': bundleJsFileList,
                 },
             },
             lib: {
-                files: libFilesToMinify,
+                files: minifyLibFileList,
             },
         },
 
@@ -172,7 +175,7 @@ module.exports = grunt => {
                 dest: 'build/tmp/client',
             },
             frontendLib: {
-                files: jsFilesToCopy,
+                files: copyJsFileList,
             },
             backend: {
                 expand: true,
@@ -246,15 +249,33 @@ module.exports = grunt => {
                 ],
             },
         },
+    });
 
+    grunt.registerTask('espo-bundle', () => {
+        const Bundler = require('./js/bundler');
+
+        let contents = (new Bundler()).bundle(bundleConfig.jsFiles);
+
+        if (!fs.existsSync(originalLibDir)) {
+            fs.mkdirSync(originalLibDir);
+        }
+
+        fs.writeFileSync(originalLibDir + '/espo.js', contents, 'utf8');
+    });
+
+    grunt.registerTask('prepare-lib-original', () => {
+        // Even though `npm ci` runs the same script, 'clean:start' deletes files.
+        cp.execSync("node js/scripts/prepare-lib-original");
+    });
+
+    grunt.registerTask('prepare-lib', () => {
+        cp.execSync("node js/scripts/prepare-lib");
     });
 
     grunt.registerTask('chmod-folders', () => {
         cp.execSync(
             "find . -type d -exec chmod 755 {} +",
-            {
-                cwd: 'build/EspoCRM-' + pkg.version,
-            }
+            {cwd: 'build/EspoCRM-' + pkg.version}
         );
     });
 
@@ -360,7 +381,7 @@ module.exports = grunt => {
     });
 
     grunt.registerTask('upgrade', () => {
-        cp.execSync("node diff --all --vendor", {stdio: 'inherit'});
+        cp.execSync("node diff --closest", {stdio: 'inherit'});
     });
 
     grunt.registerTask('unit-tests-run', () => {
@@ -375,7 +396,7 @@ module.exports = grunt => {
         cp.execSync("composer run-script setConfigParams", {stdio: 'ignore'});
     });
 
-    grunt.registerTask('zip', () => {
+    grunt.registerTask('zip', function () { // Don't change to arrow-function.
         const archiver = require('archiver');
 
         let resolve = this.async();
@@ -404,8 +425,9 @@ module.exports = grunt => {
 
         archive
             .directory(currentPath + '/build/' + folder, folder)
-            .pipe(zipOutput)
-            .finalize();
+            .pipe(zipOutput);
+
+        archive.finalize();
     });
 
     grunt.registerTask('npm-install', () => {
@@ -423,8 +445,11 @@ module.exports = grunt => {
     grunt.registerTask('internal', [
         'less',
         'cssmin',
+        'espo-bundle',
+        'prepare-lib-original',
         'uglify:bundle',
         'copy:frontendLib',
+        'prepare-lib',
         'uglify:lib',
     ]);
 
@@ -487,77 +512,3 @@ module.exports = grunt => {
         'offline',
     ]);
 };
-
-function getBundleLibList() {
-    const libs = require('./frontend/libs.json');
-
-    let list = [];
-
-    libs.forEach(item => {
-        if (!item.bundle) {
-            return;
-        }
-
-        if (item.files) {
-            item.files.forEach(item  => {
-                list.push(item.src);
-            });
-
-            return;
-        }
-
-        if (!item.src) {
-            throw new Error("No lib src.");
-        }
-
-        list.push(item.src);
-    });
-
-    return list;
-}
-
-function getCopyLibDataList() {
-    const libs = require('./frontend/libs.json');
-
-    let list = [];
-
-    libs.forEach(item => {
-        if (item.bundle) {
-            return;
-        }
-
-        let minify = item.minify;
-
-        if (item.files) {
-            item.files.forEach(item => {
-                list.push({
-                    src: item.src,
-                    dest: item.dest || 'client/lib/' + item.src.split('/').pop(),
-                    minify: minify,
-                });
-            });
-
-            return;
-        }
-
-        if (!item.src) {
-            throw new Error("No lib src.");
-        }
-
-        list.push({
-            src: item.src,
-            dest: item.dest || 'client/lib/' + item.src.split('/').pop(),
-            minify: minify,
-        });
-    });
-
-    return list;
-}
-
-function camelCaseToHyphen(string){
-    if (string === null) {
-        return string;
-    }
-
-    return string.replace(/([a-z])([A-Z])/g, '$1-$2').toLowerCase();
-}

application/Espo/Classes/Acl/Email/AccessChecker.php

@@ -104,7 +104,7 @@ class AccessChecker implements AccessEntityCREDSChecker
                 return true;
             }
 
-            /** @var string[] */
+            /** @var string[] $assignedUserIdList */
             $assignedUserIdList = $entity->getLinkMultipleIdList('assignedUsers');
 
             if (

application/Espo/Classes/Acl/Note/AccessChecker.php

@@ -29,6 +29,7 @@
 
 namespace Espo\Classes\Acl\Note;
 
+use Espo\Entities\Note;
 use Espo\Entities\User;
 
 use Espo\ORM\Entity;
@@ -77,6 +78,9 @@ class AccessChecker implements AccessEntityCREDChecker
         $this->config = $config;
     }
 
+    /**
+     * @param Note $entity
+     */
     public function checkEntityCreate(User $user, Entity $entity, ScopeData $data): bool
     {
         $parentId = $entity->get('parentId');
@@ -95,6 +99,62 @@ class AccessChecker implements AccessEntityCREDChecker
         return false;
     }
 
+    /**
+     * @param Note $entity
+     */
+    public function checkEntityRead(User $user, Entity $entity, ScopeData $data): bool
+    {
+        if ($user->isAdmin()) {
+            return true;
+        }
+
+        $parentId = $entity->getParentId();
+        $parentType = $entity->getParentType();
+
+        if ($parentId && $parentType) {
+            $parent = $this->entityManager->getEntityById($parentType, $parentId);
+
+            if (!$parent) {
+                return false;
+            }
+
+            return $this->aclManager->checkEntityStream($user, $parent);
+        }
+
+        if ($entity->getType() !== Note::TYPE_POST) {
+            return false;
+        }
+
+        if ($entity->getCreatedById() === $user->getId()) {
+            return true;
+        }
+
+        if ($entity->getTargetType() === Note::TARGET_ALL) {
+            return true;
+        }
+
+        if ($entity->getTargetType() === Note::TARGET_TEAMS) {
+            $targetTeamIdList = $entity->getLinkMultipleIdList('teams') ?? [];
+
+            foreach ($user->getTeamIdList() as $teamId) {
+                if (in_array($teamId, $targetTeamIdList)) {
+                    return true;
+                }
+            }
+
+            return false;
+        }
+
+        if ($entity->getTargetType() === Note::TARGET_USERS) {
+            return in_array($user->getId(), $entity->getLinkMultipleIdList('users') ?? []);
+        }
+
+        return false;
+    }
+
+    /**
+     * @param Note $entity
+     */
     public function checkEntityEdit(User $user, Entity $entity, ScopeData $data): bool
     {
         if ($user->isAdmin()) {
@@ -106,7 +166,7 @@ class AccessChecker implements AccessEntityCREDChecker
         }
 
         if (!$this->aclManager->checkOwnershipOwn($user, $entity)) {
-            return true;
+            return false;
         }
 
         $createdAt = $entity->get('createdAt');
@@ -134,6 +194,9 @@ class AccessChecker implements AccessEntityCREDChecker
         return true;
     }
 
+    /**
+     * @param Note $entity
+     */
     public function checkEntityDelete(User $user, Entity $entity, ScopeData $data): bool
     {
         if ($user->isAdmin()) {
@@ -145,7 +208,7 @@ class AccessChecker implements AccessEntityCREDChecker
         }
 
         if (!$this->aclManager->checkOwnershipOwn($user, $entity)) {
-            return true;
+            return false;
         }
 
         $createdAt = $entity->get('createdAt');

application/Espo/Classes/Acl/Note/OwnershipChecker.php

@@ -29,22 +29,24 @@
 
 namespace Espo\Classes\Acl\Note;
 
+use Espo\Entities\Note;
 use Espo\Entities\User;
 
 use Espo\ORM\Entity;
 
-use Espo\Core\{
-    Acl\OwnershipOwnChecker,
-};
+use Espo\Core\Acl\OwnershipOwnChecker;
 
 /**
  * @implements OwnershipOwnChecker<\Espo\Entities\Note>
  */
 class OwnershipChecker implements OwnershipOwnChecker
 {
+    /**
+     * @param Note $entity
+     */
     public function checkOwn(User $user, Entity $entity): bool
     {
-        if ($entity->get('type') === 'Post' && $user->getId() === $entity->get('createdById')) {
+        if ($entity->getType() === Note::TYPE_POST && $user->getId() === $entity->getCreatedById()) {
             return true;
         }
 

application/Espo/Classes/Acl/Team/OwnershipChecker.php

@@ -44,7 +44,7 @@ class OwnershipChecker implements OwnershipOwnChecker
 {
     public function checkOwn(User $user, Entity $entity): bool
     {
-        /** @var string[] */
+        /** @var string[] $userTeamIdList */
         $userTeamIdList = $user->getLinkMultipleIdList('teams');
 
         return in_array($entity->getId(), $userTeamIdList);

application/Espo/Classes/AclPortal/Note/AccessChecker.php

@@ -29,6 +29,7 @@
 
 namespace Espo\Classes\AclPortal\Note;
 
+use Espo\Entities\Note;
 use Espo\Entities\User;
 
 use Espo\ORM\Entity;
@@ -77,16 +78,19 @@ class AccessChecker implements AccessEntityCREDChecker
         $this->config = $config;
     }
 
+    /**
+     * @param Note $entity
+     */
     public function checkEntityCreate(User $user, Entity $entity, ScopeData $data): bool
     {
-        $parentId = $entity->get('parentId');
-        $parentType = $entity->get('parentType');
+        $parentId = $entity->getParentId();
+        $parentType = $entity->getParentType();
 
         if (!$parentId || !$parentType) {
             return $this->defaultAccessChecker->checkEntityCreate($user, $entity, $data);
         }
 
-        $parent = $this->entityManager->getEntity($parentType, $parentId);
+        $parent = $this->entityManager->getEntityById($parentType, $parentId);
 
         if ($parent && $this->aclManager->checkEntityStream($user, $parent)) {
             return true;
@@ -95,31 +99,42 @@ class AccessChecker implements AccessEntityCREDChecker
         return $this->defaultAccessChecker->checkEntityCreate($user, $entity, $data);
     }
 
+    /**
+     * @param Note $entity
+     */
     public function checkEntityRead(User $user, Entity $entity, ScopeData $data): bool
     {
-        if ($entity->get('type') !== 'Post') {
-            return false;
-        }
+        $parentId = $entity->getParentId();
+        $parentType = $entity->getParentType();
 
-        if ($entity->get('type') === 'Post' && $entity->get('targetType')) {
-            return false;
-        }
+        if ($parentId && $parentType) {
+            $parent = $this->entityManager->getEntityById($parentType, $parentId);
 
-        if (!$entity->get('parentId') || !$entity->get('parentType')) {
-            return false;
-        }
-
-        $parent = $this->entityManager->getEntity($entity->get('parentType'), $entity->get('parentId'));
-
-        if ($parent) {
-            if ($this->aclManager->checkEntityStream($user, $parent)) {
-                return true;
+            if (!$parent) {
+                return false;
             }
+
+            return $this->aclManager->checkEntityStream($user, $parent);
+        }
+
+        if ($entity->getType() !== Note::TYPE_POST) {
+            return false;
+        }
+
+        if ($entity->getCreatedById() === $user->getId()) {
+            return true;
+        }
+
+        if ($entity->getTargetType() === Note::TARGET_PORTALS) {
+            return in_array($user->getPortalId(), $entity->getLinkMultipleIdList('portals') ?? []);
         }
 
         return false;
     }
 
+    /**
+     * @param Note $entity
+     */
     public function checkEntityEdit(User $user, Entity $entity, ScopeData $data): bool
     {
         if (!$this->defaultAccessChecker->checkEntityEdit($user, $entity, $data)) {
@@ -127,7 +142,7 @@ class AccessChecker implements AccessEntityCREDChecker
         }
 
         if (!$this->aclManager->checkOwnershipOwn($user, $entity)) {
-            return true;
+            return false;
         }
 
         $createdAt = $entity->get('createdAt');
@@ -155,6 +170,9 @@ class AccessChecker implements AccessEntityCREDChecker
         return true;
     }
 
+    /**
+     * @param Note $entity
+     */
     public function checkEntityDelete(User $user, Entity $entity, ScopeData $data): bool
     {
         if (!$this->defaultAccessChecker->checkEntityDelete($user, $entity, $data)) {
@@ -162,7 +180,7 @@ class AccessChecker implements AccessEntityCREDChecker
         }
 
         if (!$this->aclManager->checkOwnershipOwn($user, $entity)) {
-            return true;
+            return false;
         }
 
         $createdAt = $entity->get('createdAt');

application/Espo/Classes/AclPortal/Note/OwnershipChecker.php

@@ -29,22 +29,24 @@
 
 namespace Espo\Classes\AclPortal\Note;
 
+use Espo\Entities\Note;
 use Espo\Entities\User;
 
 use Espo\ORM\Entity;
 
-use Espo\Core\{
-    Acl\OwnershipOwnChecker,
-};
+use Espo\Core\Acl\OwnershipOwnChecker;
 
 /**
  * @implements OwnershipOwnChecker<\Espo\Entities\Note>
  */
 class OwnershipChecker implements OwnershipOwnChecker
 {
+    /**
+     * @param Note $entity
+     */
     public function checkOwn(User $user, Entity $entity): bool
     {
-        if ($entity->get('type') === 'Post' && $user->getId() === $entity->get('createdById')) {
+        if ($entity->getType() === Note::TYPE_POST && $user->getId() === $entity->getCreatedById()) {
             return true;
         }
 

application/Espo/Classes/AppInfo/Container.php

@@ -63,7 +63,7 @@ class Container
             'user',
         ];
 
-        /** @var string[] */
+        /** @var string[] $fileList */
         $fileList = scandir('application/Espo/Core/Loaders');
 
         if (file_exists('custom/Espo/Custom/Core/Loaders')) {

application/Espo/Classes/AppParams/TemplateEntityTypeList.php

@@ -34,20 +34,24 @@ use Espo\Core\{
     Select\SelectBuilderFactory,
     ORM\EntityManager,
 };
+use Espo\Tools\App\AppParam;
 
 /**
  * Returns a list of entity types for which a PDF template exists.
  */
-class TemplateEntityTypeList
+class TemplateEntityTypeList implements AppParam
 {
-    private $acl;
+    private Acl $acl;
 
-    private $selectBuilderFactory;
+    private SelectBuilderFactory $selectBuilderFactory;
 
-    private $entityManager;
+    private EntityManager $entityManager;
 
-    public function __construct(Acl $acl, SelectBuilderFactory $selectBuilderFactory, EntityManager $entityManager)
-    {
+    public function __construct(
+        Acl $acl,
+        SelectBuilderFactory $selectBuilderFactory,
+        EntityManager $entityManager
+    ) {
         $this->acl = $acl;
         $this->selectBuilderFactory = $selectBuilderFactory;
         $this->entityManager = $entityManager;

application/Espo/Classes/ConsoleCommands/Import.php

@@ -83,14 +83,21 @@ class Import implements Command
                 $resultId = $result->getId();
                 $countCreated = $result->getCountCreated();
                 $countUpdated = $result->getCountUpdated();
+                $countError = $result->getCountError();
+                $countDuplicate = $result->getCountDuplicate();
             }
             catch (Throwable $e) {
-                $io->writeLine("Error occurred: ". $e->getMessage() . "");
+                $io->writeLine("Error occurred: " . $e->getMessage());
 
                 return;
             }
 
-            $io->writeLine("Finished. Import ID: {$resultId}. Created: {$countCreated}. Updated: {$countUpdated}.");
+            $io->writeLine("Finished.");
+            $io->writeLine("  Import ID: {$resultId}");
+            $io->writeLine("  Created: {$countCreated}");
+            $io->writeLine("  Updated: {$countUpdated}");
+            $io->writeLine("  Duplicates: {$countDuplicate}");
+            $io->writeLine("  Errors: {$countError}");
 
             return;
         }
@@ -102,7 +109,7 @@ class Import implements Command
                 $this->service->revert($id);
             }
             catch (Throwable $e) {
-                $io->writeLine("Error occurred: " . $e->getMessage() . "");
+                $io->writeLine("Error occurred: " . $e->getMessage());
 
                 return;
             }
@@ -119,15 +126,21 @@ class Import implements Command
                 $result = $this->service->importById($id, true, $forceResume);
             }
             catch (Throwable $e) {
-                $io->writeLine("Error occurred: " . $e->getMessage() . "");
+                $io->writeLine("Error occurred: " . $e->getMessage());
 
                 return;
             }
 
             $countCreated = $result->getCountCreated();
             $countUpdated = $result->getCountUpdated();
+            $countError = $result->getCountError();
+            $countDuplicate = $result->getCountDuplicate();
 
-            $io->writeLine("Finished. Created: {$countCreated}. Updated: {$countUpdated}.");
+            $io->writeLine("Finished.");
+            $io->writeLine("  Created: {$countCreated}");
+            $io->writeLine("  Updated: {$countUpdated}");
+            $io->writeLine("  Duplicates: {$countDuplicate}");
+            $io->writeLine("  Errors: {$countError}");
 
             return;
         }

application/Espo/Classes/FieldDuplicators/LinkMultiple.php

@@ -71,7 +71,7 @@ class LinkMultiple implements FieldDuplicator
             ->getRelation($relationDefs->getForeignRelationName())
             ->getType();
 
-        if ($foreignRelationType !== Entity::HAS_MANY) {
+        if ($foreignRelationType !== Entity::MANY_MANY) {
             $valueMap->{$field . 'Ids'} = [];
             $valueMap->{$field . 'Names'} = (object) [];
             $valueMap->{$field . 'Columns'} = (object) [];

application/Espo/Classes/FieldProcessing/Email/IcsDataLoader.php

@@ -29,6 +29,8 @@
 
 namespace Espo\Classes\FieldProcessing\Email;
 
+use Espo\Modules\Crm\Entities\Call;
+use Espo\Modules\Crm\Entities\Meeting;
 use Espo\ORM\Entity;
 use Espo\ORM\EntityManager;
 use Espo\Repositories\EmailAddress as EmailAddressRepository;
@@ -44,7 +46,6 @@ use Espo\Core\{
 };
 
 use ICal\ICal;
-use ICal\Event;
 
 use Throwable;
 use stdClass;
@@ -85,7 +86,7 @@ class IcsDataLoader implements Loader
 
         $ical->initString($icsContents);
 
-        /* @var $event Event */
+        /* @var \ICal\Event|null $event */
         $event = $ical->events()[0] ?? null;
 
         if ($event === null) {
@@ -121,11 +122,14 @@ class IcsDataLoader implements Loader
             return;
         }
 
+        if ($this->eventAlreadyExists($espoEvent)) {
+            return;
+        }
+
         /** @var EmailAddressRepository $emailAddressRepository */
         $emailAddressRepository = $this->entityManager->getRepository(EmailAddress::ENTITY_TYPE);
 
         $attendeeEmailAddressList = $espoEvent->getAttendeeEmailAddressList();
-
         $organizerEmailAddress = $espoEvent->getOrganizerEmailAddress();
 
         if ($organizerEmailAddress) {
@@ -167,7 +171,6 @@ class IcsDataLoader implements Loader
         $this->loadCreatedEvent($entity, $espoEvent, $eventData);
 
         $entity->set('icsEventData', $eventData);
-
         $entity->set('icsEventDateStart', $espoEvent->getDateStart());
 
         if ($espoEvent->isAllDay()) {
@@ -209,4 +212,35 @@ class IcsDataLoader implements Loader
             'name' => $createdEvent->get('name'),
         ];
     }
+
+    private function eventAlreadyExists(EspoEvent $espoEvent): bool
+    {
+        $id = $espoEvent->getUid();
+
+        if (!$id) {
+            return false;
+        }
+
+        $found1 = $this->entityManager
+            ->getRDBRepository(Meeting::ENTITY_TYPE)
+            ->select(['id'])
+            ->where(['id' => $id])
+            ->findOne();
+
+        if ($found1) {
+            return true;
+        }
+
+        $found2 = $this->entityManager
+            ->getRDBRepository(Call::ENTITY_TYPE)
+            ->select(['id'])
+            ->where(['id' => $id])
+            ->findOne();
+
+        if ($found2) {
+            return true;
+        }
+
+        return false;
+    }
 }

application/Espo/Classes/FieldProcessing/Email/StringDataLoader.php

@@ -104,7 +104,7 @@ class StringDataLoader implements Loader
             return;
         }
 
-        /**  @var ?string */
+        /**  @var ?string $fromEmailAddressId */
         $fromEmailAddressId = $entity->get('fromEmailAddressId');
 
         if (!$fromEmailAddressId) {

application/Espo/Classes/FieldValidators/ArrayType.php

@@ -29,12 +29,27 @@
 
 namespace Espo\Classes\FieldValidators;
 
+use Espo\Core\Utils\Metadata;
+
+use Espo\ORM\Defs;
 use Espo\ORM\Entity;
 
-use StdClass;
+use stdClass;
 
 class ArrayType
 {
+    private Metadata $metadata;
+
+    private Defs $defs;
+
+    private const DEFAULT_MAX_LENGTH = 100;
+
+    public function __construct(Metadata $metadata, Defs $defs)
+    {
+        $this->metadata = $metadata;
+        $this->defs = $defs;
+    }
+
     public function checkRequired(Entity $entity, string $field): bool
     {
         return $this->isNotEmpty($entity, $field);
@@ -55,9 +70,92 @@ class ArrayType
         return true;
     }
 
-    public function rawCheckArray(StdClass $data, string $field): bool
+    public function checkArrayOfString(Entity $entity, string $field): bool
     {
-        if (isset($data->$field) && $data->$field !== null && !is_array($data->$field)) {
+        /** @var ?mixed[] $list */
+        $list = $entity->get($field);
+
+        if ($list === null) {
+            return true;
+        }
+
+        foreach ($list as $item) {
+            if (!is_string($item)) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    public function checkValid(Entity $entity, string $field): bool
+    {
+        if (!$entity->has($field)) {
+            return true;
+        }
+
+        /** @var ?string[] $value */
+        $value = $entity->get($field);
+
+        if ($value === null || $value === []) {
+            return true;
+        }
+
+        $fieldDefs = $this->defs
+            ->getEntity($entity->getEntityType())
+            ->getField($field);
+
+        if ($fieldDefs->getParam('allowCustomOptions')) {
+            return true;
+        }
+
+        $optionList = $this->getOptionList($entity->getEntityType(), $field);
+
+        if ($optionList === null) {
+            return true;
+        }
+
+        foreach ($value as $item) {
+            if (!in_array($item, $optionList)) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * @return ?string[]
+     */
+    private function getOptionList(string $entityType, string $field): ?array
+    {
+        $fieldDefs = $this->defs
+            ->getEntity($entityType)
+            ->getField($field);
+
+        /** @var ?string $path */
+        $path = $fieldDefs->getParam('optionsPath');
+
+        /** @var string[]|null|false $optionList */
+        $optionList = $path ?
+            $this->metadata->get($path) :
+            $fieldDefs->getParam('options');
+
+        if ($optionList === null) {
+            return null;
+        }
+
+        // For bc.
+        if ($optionList === false) {
+            return null;
+        }
+
+        return $optionList;
+    }
+
+    public function rawCheckArray(stdClass $data, string $field): bool
+    {
+        if (isset($data->$field) && !is_array($data->$field)) {
             return false;
         }
 
@@ -82,4 +180,73 @@ class ArrayType
 
         return false;
     }
+
+    public function checkMaxLength(Entity $entity, string $field, ?int $validationValue): bool
+    {
+        $maxLength = $validationValue ?? self::DEFAULT_MAX_LENGTH;
+
+        /** @var string[] $value */
+        $value = $entity->get($field) ?? [];
+
+        foreach ($value as $item) {
+            if (mb_strlen($item) > $maxLength) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    public function checkPattern(Entity $entity, string $field, ?string $validationValue): bool
+    {
+        if (!$validationValue) {
+            return true;
+        }
+
+        $pattern = $validationValue;
+
+        if ($validationValue[0] === '$') {
+            $patternName = substr($validationValue, 1);
+
+            $pattern = $this->metadata->get(['app', 'regExpPatterns', $patternName, 'pattern']) ??
+                $pattern;
+        }
+
+        $preparedPattern = '/^' . $pattern . '$/';
+
+        /** @var string[] $value */
+        $value = $entity->get($field) ?? [];
+
+        foreach ($value as $item) {
+            if ($item === '') {
+                continue;
+            }
+
+            if (!preg_match($preparedPattern, $item)) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    public function checkNoEmptyString(Entity $entity, string $field, ?bool $validationValue): bool
+    {
+        if (!$validationValue) {
+            return true;
+        }
+
+        /** @var string[] $value */
+        $value = $entity->get($field) ?? [];
+
+        $optionList = $this->getOptionList($entity->getEntityType(), $field) ?? [];
+
+        foreach ($value as $item) {
+            if ($item === '' && !in_array($item, $optionList)) {
+                return false;
+            }
+        }
+
+        return true;
+    }
 }

application/Espo/Classes/FieldValidators/Attachment/Related.php

@@ -0,0 +1,47 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2022 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\FieldValidators\Attachment;
+
+use Espo\Classes\FieldValidators\LinkParentType;
+use Espo\ORM\Entity;
+
+class Related extends LinkParentType
+{
+    public function checkValid(Entity $entity, string $field): bool
+    {
+        $typeValue = $entity->get($field . 'Type');
+
+        if ($typeValue === 'TemplateManager') {
+            return true;
+        }
+
+        return parent::checkValid($entity, $field);
+    }
+}

application/Espo/Classes/FieldValidators/ChecklistType.php

@@ -29,7 +29,4 @@
 
 namespace Espo\Classes\FieldValidators;
 
-class ChecklistType extends ArrayType
-{
-
-}
+class ChecklistType extends ArrayType {}

application/Espo/Classes/FieldValidators/EmailType.php

@@ -29,10 +29,21 @@
 
 namespace Espo\Classes\FieldValidators;
 
+use Espo\Core\Utils\Metadata;
 use Espo\ORM\Entity;
 
+use stdClass;
+
 class EmailType
 {
+    private Metadata $metadata;
+
+    private const DEFAULT_MAX_LENGTH = 255;
+
+    public function __construct(Metadata $metadata)
+    {
+        $this->metadata = $metadata;
+    }
     public function checkRequired(Entity $entity, string $field): bool
     {
         if ($this->isNotEmpty($entity, $field)) {
@@ -71,6 +82,10 @@ class EmailType
         }
 
         foreach ($dataList as $item) {
+            if (!$item instanceof stdClass) {
+                return false;
+            }
+
             if (empty($item->emailAddress)) {
                 continue;
             }
@@ -85,6 +100,36 @@ class EmailType
         return true;
     }
 
+    public function checkMaxLength(Entity $entity, string $field): bool
+    {
+        /** @var ?string $value */
+        $value = $entity->get($field);
+
+        /** @var int $maxLength */
+        $maxLength = $this->metadata->get(['entityDefs', 'EmailAddress', 'fields', 'name', 'maxLength']) ??
+            self::DEFAULT_MAX_LENGTH;
+
+        if ($value && mb_strlen($value) > $maxLength) {
+            return false;
+        }
+
+        $dataList = $entity->get($field . 'Data');
+
+        if (!is_array($dataList)) {
+            return true;
+        }
+
+        foreach ($dataList as $item) {
+            $value = $item->emailAddress;
+
+            if ($value && mb_strlen($value) > $maxLength) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
     protected function isNotEmpty(Entity $entity, string $field): bool
     {
         return $entity->has($field) && $entity->get($field) !== '' && $entity->get($field) !== null;

application/Espo/Classes/FieldValidators/EnumType.php

@@ -29,15 +29,90 @@
 
 namespace Espo\Classes\FieldValidators;
 
+use Espo\Core\Utils\Metadata;
+
+use Espo\ORM\Defs;
 use Espo\ORM\Entity;
 
 class EnumType
 {
+    private Metadata $metadata;
+
+    private Defs $defs;
+
+    private const DEFAULT_MAX_LENGTH = 255;
+
+    public function __construct(Metadata $metadata, Defs $defs)
+    {
+        $this->metadata = $metadata;
+        $this->defs = $defs;
+    }
+
     public function checkRequired(Entity $entity, string $field): bool
     {
         return $this->isNotEmpty($entity, $field);
     }
 
+    public function checkValid(Entity $entity, string $field): bool
+    {
+        if (!$entity->has($field)) {
+            return true;
+        }
+
+        $fieldDefs = $this->defs
+            ->getEntity($entity->getEntityType())
+            ->getField($field);
+
+        /** @var ?string $path */
+        $path = $fieldDefs->getParam('optionsPath');
+
+        /** @var string[]|null|false $optionList */
+        $optionList = $path ?
+            $this->metadata->get($path) :
+            $fieldDefs->getParam('options');
+
+        if ($optionList === null) {
+            return true;
+        }
+
+        // For bc.
+        if ($optionList === false) {
+            return true;
+        }
+
+        $optionList = array_map(
+            fn ($item) => $item === '' ? null : $item,
+            $optionList
+        );
+
+        $value = $entity->get($field);
+
+        // For bc.
+        // @todo Remove in v8.0.
+        if ($value === '') {
+            $value = null;
+        }
+
+        return in_array($value, $optionList);
+    }
+
+    public function checkMaxLength(Entity $entity, string $field, ?int $validationValue): bool
+    {
+        if (!$this->isNotEmpty($entity, $field)) {
+            return true;
+        }
+
+        $value = $entity->get($field);
+
+        $maxLength = $validationValue ?? self::DEFAULT_MAX_LENGTH;
+
+        if (mb_strlen($value) > $maxLength) {
+            return false;
+        }
+
+        return true;
+    }
+
     protected function isNotEmpty(Entity $entity, string $field): bool
     {
         return $entity->has($field) && $entity->get($field) !== null;

application/Espo/Classes/FieldValidators/JsonArrayType.php

@@ -37,7 +37,7 @@ class JsonArrayType
 {
     public function rawCheckArray(StdClass $data, string $field): bool
     {
-        if (isset($data->$field) && $data->$field !== null && !is_array($data->$field)) {
+        if (isset($data->$field) && !is_array($data->$field)) {
             return false;
         }
 

application/Espo/Classes/FieldValidators/LinkMultipleType.php

@@ -29,20 +29,240 @@
 
 namespace Espo\Classes\FieldValidators;
 
+use Espo\Core\Utils\Metadata;
+use Espo\ORM\Defs;
 use Espo\ORM\Entity;
 use Espo\Core\ORM\Entity as CoreEntity;
 
+use stdClass;
+
 class LinkMultipleType
 {
+    private Metadata $metadata;
+    private Defs $defs;
+
+    private const COLUMN_TYPE_ENUM = 'enum';
+    private const COLUMN_TYPE_VARCHAR = 'varchar';
+    private const COLUMN_TYPE_BOOL = 'bool';
+
+    public function __construct(Metadata $metadata, Defs $defs)
+    {
+        $this->metadata = $metadata;
+        $this->defs = $defs;
+    }
+
     public function checkRequired(Entity $entity, string $field): bool
     {
         if (!$entity instanceof CoreEntity) {
             return false;
         }
 
-        /** @var string[] */
+        /** @var string[] $idList */
         $idList = $entity->getLinkMultipleIdList($field);
 
         return count($idList) > 0;
     }
+
+    public function checkPattern(Entity $entity, string $field): bool
+    {
+        /** @var ?mixed[] $idList */
+        $idList = $entity->get($field . 'Ids');
+
+        if ($idList === null || $idList === []) {
+            return true;
+        }
+
+        $pattern = $this->metadata->get(['app', 'regExpPatterns', 'id', 'pattern']);
+
+        if (!$pattern) {
+            return true;
+        }
+
+        $preparedPattern = '/^' . $pattern . '$/';
+
+        foreach ($idList as $id) {
+            if (!is_string($id)) {
+                return false;
+            }
+
+            if (!preg_match($preparedPattern, $id)) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    public function checkColumnsValid(Entity $entity, string $field): bool
+    {
+        if (!$entity instanceof CoreEntity) {
+            return true;
+        }
+
+        if (!$entity->has($field . 'Columns')) {
+            return true;
+        }
+
+        /** @var ?stdClass $columnsData */
+        $columnsData = $entity->get($field . 'Columns');
+
+        if ($columnsData === null) {
+            return true;
+        }
+
+        $entityDefs = $this->defs->getEntity($entity->getEntityType());
+        $fieldDefs = $entityDefs->getField($field);
+
+        if ($fieldDefs->isNotStorable()) {
+            return true;
+        }
+
+        /** @var ?array<string,string> $columnsMap */
+        $columnsMap = $fieldDefs->getParam('columns');
+
+        if ($columnsMap === null || $columnsMap === []) {
+            return true;
+        }
+
+        if (!$entityDefs->hasRelation($field)) {
+            return true;
+        }
+
+        $relationDefs = $entityDefs->getRelation($field);
+
+        if (!$relationDefs->hasForeignEntityType()) {
+            return true;
+        }
+
+        $foreignEntityType = $relationDefs->getForeignEntityType();
+
+        foreach (array_keys(get_object_vars($columnsData)) as $id) {
+            $itemData = $columnsData->$id;
+
+            if (!$itemData instanceof stdClass) {
+                return false;
+            }
+
+            foreach ($columnsMap as $column => $foreignField) {
+                if (!property_exists($itemData, $column)) {
+                    continue;
+                }
+
+                $value = $itemData->$column;
+
+                $result = $this->checkColumnValue($foreignEntityType, $foreignField, $value);
+
+                if (!$result) {
+                    return false;
+                }
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * @param mixed $value
+     */
+    private function checkColumnValue(string $entityType, string $field, $value): bool
+    {
+        $fieldDefs = $this->defs
+            ->getEntity($entityType)
+            ->getField($field);
+
+        $type = $fieldDefs->getType();
+
+        if ($type === self::COLUMN_TYPE_VARCHAR) {
+            return $this->checkColumnValueVarchar($fieldDefs, $value);
+        }
+
+        if ($type === self::COLUMN_TYPE_ENUM) {
+            return $this->checkColumnValueEnum($fieldDefs, $value);
+        }
+
+        if ($type === self::COLUMN_TYPE_BOOL) {
+            return is_bool($value);
+        }
+
+        return true;
+    }
+
+    /**
+     * @param mixed $value
+     */
+    private function checkColumnValueVarchar(Defs\FieldDefs $fieldDefs, $value): bool
+    {
+        if ($value === null) {
+            return true;
+        }
+
+        if (!is_string($value)) {
+            return false;
+        }
+
+        $maxLength = $fieldDefs->getParam('maxLength');
+        $pattern = $fieldDefs->getParam('pattern');
+
+        if ($maxLength && mb_strlen($value) > $maxLength) {
+            return false;
+        }
+
+        if ($pattern) {
+            if ($pattern[0] === '$') {
+                $patternName = substr($pattern, 1);
+
+                $pattern = $this->metadata
+                    ->get(['app', 'regExpPatterns', $patternName, 'pattern']) ??
+                    $pattern;
+            }
+
+            $preparedPattern = '/^' . $pattern . '$/';
+
+            if (!preg_match($preparedPattern, $value)) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * @param mixed $value
+     */
+    private function checkColumnValueEnum(Defs\FieldDefs $fieldDefs, $value): bool
+    {
+        if (!is_string($value) && $value !== null) {
+            return false;
+        }
+
+        /** @var ?string $path */
+        $path = $fieldDefs->getParam('optionsPath');
+
+        /** @var string[]|null|false $optionList */
+        $optionList = $path ?
+            $this->metadata->get($path) :
+            $fieldDefs->getParam('options');
+
+        if ($optionList === null) {
+            return true;
+        }
+
+        // For bc.
+        if ($optionList === false) {
+            return true;
+        }
+
+        $optionList = array_map(
+            fn ($item) => $item === '' ? null : $item,
+            $optionList
+        );
+
+        // For bc.
+        // @todo Remove in v8.0.
+        if ($value === '') {
+            $value = null;
+        }
+
+        return in_array($value, $optionList);
+    }
 }

application/Espo/Classes/FieldValidators/LinkParentType.php

@@ -29,10 +29,21 @@
 
 namespace Espo\Classes\FieldValidators;
 
+use Espo\Core\Utils\Metadata;
+use Espo\ORM\Defs;
 use Espo\ORM\Entity;
 
 class LinkParentType
 {
+    private Metadata $metadata;
+    private Defs $defs;
+
+    public function __construct(Metadata $metadata, Defs $defs)
+    {
+        $this->metadata = $metadata;
+        $this->defs = $defs;
+    }
+
     public function checkRequired(Entity $entity, string $field): bool
     {
         $idAttribute = $field . 'Id';
@@ -52,4 +63,46 @@ class LinkParentType
 
         return true;
     }
+
+    public function checkPattern(Entity $entity, string $field): bool
+    {
+        /** @var ?string $idValue */
+        $idValue = $entity->get($field . 'Id');
+
+        if ($idValue === null) {
+            return true;
+        }
+
+        $pattern = $this->metadata->get(['app', 'regExpPatterns', 'id', 'pattern']);
+
+        if (!$pattern) {
+            return true;
+        }
+
+        $preparedPattern = '/^' . $pattern . '$/';
+
+        return (bool) preg_match($preparedPattern, $idValue);
+    }
+
+    public function checkValid(Entity $entity, string $field): bool
+    {
+        /** @var ?string $typeValue */
+        $typeValue = $entity->get($field . 'Type');
+
+        if ($typeValue === null) {
+            return true;
+        }
+
+        /** @var ?string[] $entityTypeList */
+        $entityTypeList = $this->defs
+            ->getEntity($entity->getEntityType())
+            ->getField($field)
+            ->getParam('entityList');
+
+        if ($entityTypeList !== null) {
+            return in_array($typeValue, $entityTypeList);
+        }
+
+        return (bool) $this->metadata->get(['entityDefs', $typeValue]);
+    }
 }

application/Espo/Classes/FieldValidators/LinkType.php

@@ -29,10 +29,18 @@
 
 namespace Espo\Classes\FieldValidators;
 
+use Espo\Core\Utils\Metadata;
 use Espo\ORM\Entity;
 
 class LinkType
 {
+    private Metadata $metadata;
+
+    public function __construct(Metadata $metadata)
+    {
+        $this->metadata = $metadata;
+    }
+
     public function checkRequired(Entity $entity, string $field): bool
     {
         $idAttribute = $field . 'Id';
@@ -43,4 +51,23 @@ class LinkType
 
         return $entity->get($idAttribute) !== null && $entity->get($idAttribute) !== '';
     }
+
+    public function checkPattern(Entity $entity, string $field): bool
+    {
+        $idValue = $entity->get($field . 'Id');
+
+        if ($idValue === null) {
+            return true;
+        }
+
+        $pattern = $this->metadata->get(['app', 'regExpPatterns', 'id', 'pattern']);
+
+        if (!$pattern) {
+            return true;
+        }
+
+        $preparedPattern = '/^' . $pattern . '$/';
+
+        return (bool) preg_match($preparedPattern, $idValue);
+    }
 }

application/Espo/Classes/FieldValidators/MultiEnumType.php

@@ -29,7 +29,12 @@
 
 namespace Espo\Classes\FieldValidators;
 
+use Espo\ORM\Entity;
+
 class MultiEnumType extends ArrayType
 {
-
+    public function checkNoEmptyString(Entity $entity, string $field, ?bool $validationValue): bool
+    {
+        return parent::checkNoEmptyString($entity, $field, true);
+    }
 }

application/Espo/Classes/FieldValidators/PasswordType.php

@@ -0,0 +1,65 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2022 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\FieldValidators;
+
+use stdClass;
+
+class PasswordType
+{
+    private const DEFAULT_MAX_LENGTH = 255;
+
+    public function rawCheckValid(stdClass $data, string $field): bool
+    {
+        $value = $data->$field ?? null;
+
+        if ($value === null) {
+            return true;
+        }
+
+        return is_string($value);
+    }
+
+    public function rawCheckMaxLength(stdClass $data, string $field, ?int $validationValue): bool
+    {
+        $value = $data->$field ?? null;
+
+        if (!is_string($value)) {
+            return true;
+        }
+
+        $maxLength = $validationValue ?? self::DEFAULT_MAX_LENGTH;
+
+        if (mb_strlen($value) > $maxLength) {
+            return false;
+        }
+
+        return true;
+    }
+}

application/Espo/Classes/FieldValidators/PhoneType.php

@@ -29,10 +29,26 @@
 
 namespace Espo\Classes\FieldValidators;
 
+use Espo\Core\Utils\Metadata;
+use Espo\ORM\Defs;
 use Espo\ORM\Entity;
 
+use stdClass;
+
 class PhoneType
 {
+    private Metadata $metadata;
+
+    private Defs $defs;
+
+    private const DEFAULT_MAX_LENGTH = 36;
+
+    public function __construct(Metadata $metadata, Defs $defs)
+    {
+        $this->metadata = $metadata;
+        $this->defs = $defs;
+    }
+
     public function checkRequired(Entity $entity, string $field): bool
     {
         if ($this->isNotEmpty($entity, $field)) {
@@ -54,6 +70,132 @@ class PhoneType
         return false;
     }
 
+    public function checkValid(Entity $entity, string $field): bool
+    {
+        if ($this->isNotEmpty($entity, $field)) {
+            $number = $entity->get($field);
+
+            if (!$this->isValidNumber($number)) {
+                return false;
+            }
+        }
+
+        $dataList = $entity->get($field . 'Data');
+
+        if (!is_array($dataList)) {
+            return true;
+        }
+
+        foreach ($dataList as $item) {
+            if (!$item instanceof stdClass) {
+                return false;
+            }
+
+            $number = $item->phoneNumber ?? null;
+            $type = $item->type ?? null;
+
+            if (!$number) {
+                return false;
+            }
+
+            if (!$this->isValidNumber($number)) {
+                return false;
+            }
+
+            if (!$this->isValidType($entity->getEntityType(), $field, $type)) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    public function checkMaxLength(Entity $entity, string $field): bool
+    {
+        /** @var ?string $value */
+        $value = $entity->get($field);
+
+        /** @var int $maxLength */
+        $maxLength = $this->metadata->get(['entityDefs', 'PhoneNumber', 'fields', 'name', 'maxLength']) ??
+            self::DEFAULT_MAX_LENGTH;
+
+        if ($value && mb_strlen($value) > $maxLength) {
+            return false;
+        }
+
+        $dataList = $entity->get($field . 'Data');
+
+        if (!is_array($dataList)) {
+            return true;
+        }
+
+        foreach ($dataList as $item) {
+            $value = $item->phoneNumber;
+
+            if ($value && mb_strlen($value) > $maxLength) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * @param mixed $type
+     */
+    private function isValidType(string $entityType, string $field, $type): bool
+    {
+        if ($type === null) {
+            // Will be stored with a default type.
+            return true;
+        }
+
+        if (!is_string($type)) {
+            return false;
+        }
+
+        /** @var string[]|null|false $typeList */
+        $typeList = $this->defs
+            ->getEntity($entityType)
+            ->getField($field)
+            ->getParam('typeList');
+
+        if ($typeList === null) {
+            return true;
+        }
+
+        // For bc.
+        if ($typeList === false) {
+            return true;
+        }
+
+        return in_array($type, $typeList);
+    }
+
+    /**
+     * @param mixed $number
+     */
+    private function isValidNumber($number): bool
+    {
+        if (!is_string($number)) {
+            return false;
+        }
+
+        if ($number === '') {
+            return false;
+        }
+
+        $pattern = $this->metadata->get(['app', 'regExpPatterns', 'phoneNumberLoose', 'pattern']);
+
+        if (!$pattern) {
+            return true;
+        }
+
+        $preparedPattern = '/^' . $pattern . '$/';
+
+        return (bool) preg_match($preparedPattern, $number);
+    }
+
     protected function isNotEmpty(Entity $entity, string $field): bool
     {
         return $entity->has($field) && $entity->get($field) !== '' && $entity->get($field) !== null;

application/Espo/Classes/FieldValidators/TextType.php

@@ -0,0 +1,63 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2022 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\FieldValidators;
+
+use Espo\ORM\Entity;
+
+class TextType
+{
+    public function checkRequired(Entity $entity, string $field): bool
+    {
+        return $this->isNotEmpty($entity, $field);
+    }
+
+    public function checkMaxLength(Entity $entity, string $field, int $validationValue): bool
+    {
+        if (!$this->isNotEmpty($entity, $field)) {
+            return true;
+        }
+
+        $value = $entity->get($field);
+
+        if (mb_strlen($value) > $validationValue) {
+            return false;
+        }
+
+        return true;
+    }
+
+    protected function isNotEmpty(Entity $entity, string $field): bool
+    {
+        return
+            $entity->has($field) &&
+            $entity->get($field) !== '' &&
+            $entity->get($field) !== null;
+    }
+}

application/Espo/Classes/FieldValidators/UrlType.php

@@ -0,0 +1,72 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2022 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\FieldValidators;
+
+use Espo\Core\Utils\Metadata;
+use Espo\ORM\Entity;
+
+class UrlType
+{
+    private Metadata $metadata;
+
+    private VarcharType $varcharType;
+
+    public function __construct(Metadata $metadata, VarcharType $varcharType)
+    {
+        $this->metadata = $metadata;
+        $this->varcharType = $varcharType;
+    }
+
+    public function checkRequired(Entity $entity, string $field): bool
+    {
+        return $this->varcharType->checkRequired($entity, $field);
+    }
+
+    public function checkMaxLength(Entity $entity, string $field, ?int $validationValue): bool
+    {
+        return $this->varcharType->checkMaxLength($entity, $field, $validationValue);
+    }
+
+    public function checkValid(Entity $entity, string $field): bool
+    {
+        $value = $entity->get($field);
+
+        if ($value === null) {
+            return true;
+        }
+
+        /** @var string $pattern */
+        $pattern = $this->metadata->get(['app', 'regExpPatterns', 'uriOptionalProtocol', 'pattern']);
+
+        $preparedPattern = '/^' . $pattern . '$/';
+
+        return (bool) preg_match($preparedPattern, $value);
+    }
+}

application/Espo/Classes/FieldValidators/VarcharType.php

@@ -29,30 +29,79 @@
 
 namespace Espo\Classes\FieldValidators;
 
+use Espo\Core\Utils\Metadata;
+use Espo\ORM\Defs;
 use Espo\ORM\Entity;
 
 class VarcharType
 {
+    private Metadata $metadata;
+
+    private const DEFAULT_MAX_LENGTH = 255;
+    private Defs $defs;
+
+    public function __construct(Metadata $metadata, Defs $defs)
+    {
+        $this->metadata = $metadata;
+        $this->defs = $defs;
+    }
+
     public function checkRequired(Entity $entity, string $field): bool
     {
         return $this->isNotEmpty($entity, $field);
     }
 
-    public function checkMaxLength(Entity $entity, string $field, int $validationValue): bool
+    public function checkMaxLength(Entity $entity, string $field, ?int $validationValue): bool
     {
-        if ($this->isNotEmpty($entity, $field)) {
-            $value = $entity->get($field);
+        if (!$this->isNotEmpty($entity, $field)) {
+            return true;
+        }
 
-            if (mb_strlen($value) > $validationValue) {
-                return false;
-            }
+        $fieldDefs = $this->defs
+            ->getEntity($entity->getEntityType())
+            ->getField($field);
+
+        if ($fieldDefs->isNotStorable() && !$validationValue) {
+            return true;
+        }
+
+        $value = $entity->get($field);
+
+        $maxLength = $validationValue ?? self::DEFAULT_MAX_LENGTH;
+
+        if (mb_strlen($value) > $maxLength) {
+            return false;
         }
 
         return true;
     }
 
+    public function checkPattern(Entity $entity, string $field, ?string $validationValue): bool
+    {
+        if (!$this->isNotEmpty($entity, $field) || !$validationValue) {
+            return true;
+        }
+
+        $value = $entity->get($field);
+        $pattern = $validationValue;
+
+        if ($validationValue[0] === '$') {
+            $patternName = substr($validationValue, 1);
+
+            $pattern = $this->metadata->get(['app', 'regExpPatterns', $patternName, 'pattern']) ??
+                $pattern;
+        }
+
+        $preparedPattern = '/^' . $pattern . '$/';
+
+        return (bool) preg_match($preparedPattern, $value);
+    }
+
     protected function isNotEmpty(Entity $entity, string $field): bool
     {
-        return $entity->has($field) && $entity->get($field) !== '' && $entity->get($field) !== null;
+        return
+            $entity->has($field) &&
+            $entity->get($field) !== '' &&
+            $entity->get($field) !== null;
     }
 }

application/Espo/Classes/Jobs/Cleanup.php

@@ -30,6 +30,7 @@
 namespace Espo\Classes\Jobs;
 
 use Espo\Core\Record\ServiceContainer;
+use Espo\Entities\Attachment;
 use Espo\ORM\Repository\RDBRepository;
 use Espo\Core\ORM\Entity as CoreEntity;
 
@@ -134,7 +135,7 @@ class Cleanup implements JobDataLess
 
         foreach ($items as $name => $item) {
             try {
-                /** @var class-string<\Espo\Core\Cleanup\Cleanup> */
+                /** @var class-string<\Espo\Core\Cleanup\Cleanup> $className */
                 $className = $item['className'];
 
                 $obj = $injectableFactory->create($className);
@@ -312,11 +313,15 @@ class Cleanup implements JobDataLess
         $datetime->modify($period);
 
         $collection = $this->entityManager
-            ->getRDBRepository('Attachment')
+            ->getRDBRepository(Attachment::ENTITY_TYPE)
             ->where([
                 'OR' => [
                     [
-                        'role' => ['Export File', 'Mail Merge', 'Mass Pdf']
+                        'role' => [
+                            Attachment::ROLE_EXPORT_FILE,
+                            'Mail Merge',
+                            'Mass Pdf',
+                        ]
                     ]
                 ],
                 'createdAt<' => $datetime->format('Y-m-d H:i:s'),
@@ -357,7 +362,7 @@ class Cleanup implements JobDataLess
 
         $datetimeFrom->modify($fromPeriod);
 
-        /** @var string[] */
+        /** @var string[] $scopeList */
         $scopeList = array_keys($this->metadata->get(['scopes']));
 
         foreach ($scopeList as $scope) {
@@ -450,6 +455,19 @@ class Cleanup implements JobDataLess
             }
         }
 
+        $isBeingUploadedCollection = $this->entityManager
+            ->getRDBRepository('Attachment')
+            ->sth()
+            ->where([
+                'isBeingUploaded' => true,
+                'createdAt<' => $datetime->format('Y-m-d H:i:s'),
+            ])
+            ->find();
+
+        foreach ($isBeingUploadedCollection as $e) {
+            $this->entityManager->removeEntity($e);
+        }
+
         $delete = $this->entityManager
             ->getQueryBuilder()
             ->delete()
@@ -554,7 +572,7 @@ class Cleanup implements JobDataLess
         $fileManager = $this->fileManager;
 
         if ($fileManager->exists($path)) {
-            /** @var string[] */
+            /** @var string[] $fileList */
             $fileList = $fileManager->getFileList($path, false, '', false);
 
             foreach ($fileList as $dirName) {
@@ -713,7 +731,7 @@ class Cleanup implements JobDataLess
 
         $datetime = new DateTime($period);
 
-        /** @var string[] */
+        /** @var string[] $scopeList */
         $scopeList = array_keys($this->metadata->get(['scopes']));
 
         foreach ($scopeList as $scope) {

application/Espo/Classes/MassAction/User/MassUpdate.php

@@ -29,40 +29,54 @@
 
 namespace Espo\Classes\MassAction\User;
 
-use Espo\Core\{
-    MassAction\Actions\MassUpdate as MassUpdateOriginal,
-    MassAction\QueryBuilder,
-    MassAction\Params,
-    MassAction\Result,
-    MassAction\Data,
-    MassAction\MassAction,
-    Utils\File\Manager as FileManager,
-    DataManager,
-    Acl,
-    ORM\EntityManager,
-    Exceptions\Forbidden,
-};
+use Espo\Core\MassAction\Actions\MassUpdate as MassUpdateOriginal;
+use Espo\Core\MassAction\QueryBuilder;
+use Espo\Core\MassAction\Params;
+use Espo\Core\MassAction\Result;
+use Espo\Core\MassAction\Data;
+use Espo\Core\MassAction\MassAction;
+use Espo\Core\Utils\File\Manager as FileManager;
+use Espo\Core\DataManager;
+use Espo\Core\Acl;
+use Espo\Core\Acl\Table;
 
-use Espo\{
-    Entities\User,
-    ORM\Entity,
-};
+use Espo\Core\Exceptions\Forbidden;
+
+use Espo\Entities\User;
+use Espo\ORM\Entity;
+use Espo\ORM\EntityManager;
+
+use Espo\Tools\MassUpdate\Data as MassUpdateData;
 
 class MassUpdate implements MassAction
 {
-    private $massUpdateOriginal;
+    private MassUpdateOriginal $massUpdateOriginal;
 
-    private $queryBuilder;
+    private QueryBuilder $queryBuilder;
 
-    private $entityManager;
+    private EntityManager $entityManager;
 
-    private $acl;
+    private Acl $acl;
 
-    private $user;
+    private User $user;
 
-    private $fileManager;
+    private FileManager $fileManager;
 
-    private $dataManager;
+    private DataManager $dataManager;
+
+    private const PERMISSION = 'massUpdatePermission';
+
+    private const SYSTEM_USER_ID = 'system';
+
+    /** @var string[] */
+    private array $notAllowedAttributeList = [
+        'type',
+        'password',
+        'emailAddress',
+        'isAdmin',
+        'isSuperAdmin',
+        'isPortalUser',
+    ];
 
     public function __construct(
         MassUpdateOriginal $massUpdateOriginal,
@@ -86,48 +100,54 @@ class MassUpdate implements MassAction
     {
         $entityType = $params->getEntityType();
 
-        if (!$this->acl->check($entityType, 'edit')) {
+        if (!$this->user->isAdmin()) {
+            throw new Forbidden("Only admin can mass-update users.");
+        }
+
+        if (!$this->acl->check($entityType, Table::ACTION_EDIT)) {
             throw new Forbidden("No edit access for '{$entityType}'.");
         }
 
-        if ($this->acl->get('massUpdatePermission') !== 'yes') {
+        if ($this->acl->get(self::PERMISSION) !== Table::LEVEL_YES) {
             throw new Forbidden("No mass-update permission.");
         }
 
-        if (
-            $data->has('type') ||
-            $data->has('password') ||
-            $data->has('emailAddress') ||
-            $data->has('isAdmin') ||
-            $data->has('isSuperAdmin') ||
-            $data->has('isPortalUser')
-        ) {
-            throw new Forbidden("Not allowed fields.");
-        }
+        $massUpdateData = MassUpdateData::fromMassActionData($data);
+
+        $this->checkAccess($massUpdateData);
 
         $query = $this->queryBuilder->build($params);
 
         $collection = $this->entityManager
-            ->getRDBRepository('User')
+            ->getRDBRepository(User::ENTITY_TYPE)
             ->clone($query)
             ->sth()
             ->select(['id'])
             ->find();
 
         foreach ($collection as $entity) {
-            $this->checkEntity($entity, $data);
+            $this->checkEntity($entity, $massUpdateData);
         }
 
         $result = $this->massUpdateOriginal->process($params, $data);
 
-        $this->afterProcess($result, $data);
+        $this->afterProcess($result, $massUpdateData);
 
         return $result;
     }
 
-    protected function checkEntity(Entity $entity, Data $data): void
+    private function checkAccess(MassUpdateData $data): void
     {
-        if ($entity->getId() === 'system') {
+        foreach ($this->notAllowedAttributeList as $attribute) {
+            if ($data->has($attribute)) {
+                throw new Forbidden("Attribute '{$attribute}' not allowed for mass-update.");
+            }
+        }
+    }
+
+    private function checkEntity(Entity $entity, MassUpdateData $data): void
+    {
+        if ($entity->getId() === self::SYSTEM_USER_ID) {
             throw new Forbidden("Can't update 'system' user.");
         }
 
@@ -138,9 +158,9 @@ class MassUpdate implements MassAction
         }
     }
 
-    protected function afterProcess(Result $result, Data $dataWrapped): void
+    private function afterProcess(Result $result, MassUpdateData $dataWrapped): void
     {
-        $data = $dataWrapped->getRaw();
+        $data = $dataWrapped->getValues();
 
         if (
             property_exists($data, 'rolesIds') ||
@@ -168,12 +188,12 @@ class MassUpdate implements MassAction
         }
     }
 
-    protected function clearRoleCache(string $id): void
+    private function clearRoleCache(string $id): void
     {
         $this->fileManager->removeFile('data/cache/application/acl/' . $id . '.php');
     }
 
-    protected function clearPortalRolesCache(): void
+    private function clearPortalRolesCache(): void
     {
         $this->fileManager->removeInDir('data/cache/application/aclPortal');
     }

application/Espo/Classes/RecordHooks/Event/BeforeUpdatePreserveDuration.php

@@ -0,0 +1,119 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2022 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\RecordHooks\Event;
+
+use Espo\Core\Record\Hook\UpdateHook;
+use Espo\Core\Record\UpdateParams;
+use Espo\Core\ORM\Entity as CoreEntity;
+use Espo\Core\Field\DateTime;
+use Espo\Core\Field\Date;
+
+use Espo\ORM\Entity;
+use Espo\ORM\Defs as OrmDefs;
+
+/**
+ * @implements UpdateHook<CoreEntity>
+ */
+class BeforeUpdatePreserveDuration implements UpdateHook
+{
+    private OrmDefs $ormDefs;
+
+    public function __construct(OrmDefs $ormDefs)
+    {
+        $this->ormDefs = $ormDefs;
+    }
+
+    public function process(Entity $entity, UpdateParams $params): void
+    {
+        /** @var CoreEntity $entity */
+
+        if (!$entity->isAttributeChanged('dateStart') && !$entity->isAttributeChanged('dateStartDate')) {
+            return;
+        }
+
+        if ($entity->isAttributeWritten('dateEnd') || $entity->isAttributeWritten('dateEndDate')) {
+            return;
+        }
+
+        $preserveDurationDisabled = $this->ormDefs
+            ->getEntity($entity->getEntityType())
+            ->getField('dateEnd')
+            ->getParam('preserveDurationDisabled');
+
+        if ($preserveDurationDisabled) {
+            return;
+        }
+
+        $this->processDateTime($entity);
+        $this->processDate($entity);
+    }
+
+    private function processDateTime(Entity $entity): void
+    {
+        $dateStartFetchedString = $entity->getFetched('dateStart');
+        $dateStartString = $entity->get('dateStart');
+        $dateEndString = $entity->get('dateEnd');
+
+        if (!$dateStartFetchedString || !$dateStartString || !$dateEndString) {
+            return;
+        }
+
+        $dateStartFetched = DateTime::fromString($dateStartFetchedString);
+        $dateStart = DateTime::fromString($dateStartString);
+        $dateEnd = DateTime::fromString($dateEndString);
+
+        $diff = $dateStartFetched->diff($dateEnd);
+
+        $dateEndModified = $dateStart->add($diff);
+
+        $entity->set('dateEnd', $dateEndModified->getString());
+    }
+
+    private function processDate(Entity $entity): void
+    {
+        $dateStartFetchedString = $entity->getFetched('dateStartDate');
+        $dateStartString = $entity->get('dateStartDate');
+        $dateEndString = $entity->get('dateEndDate');
+
+        if (!$dateStartFetchedString || !$dateStartString || !$dateEndString) {
+            return;
+        }
+
+        $dateStartFetched = Date::fromString($dateStartFetchedString);
+        $dateStart = Date::fromString($dateStartString);
+        $dateEnd = Date::fromString($dateEndString);
+
+        $diff = $dateStartFetched->diff($dateEnd);
+
+        $dateEndModified = $dateStart->add($diff);
+
+        $entity->set('dateEndDate', $dateEndModified->getString());
+    }
+}

application/Espo/Classes/Select/Email/AccessControlFilters/PortalOnlyAccount.php

@@ -61,7 +61,7 @@ class PortalOnlyAccount implements Filter
             'emailUser.userId' => $this->user->getId(),
         ];
 
-        /** @var string[] */
+        /** @var string[] $accountIdList */
         $accountIdList = $this->user->getLinkMultipleIdList('accounts');
 
         if (count($accountIdList)) {

application/Espo/Classes/Select/ImportError/OrderItemConverters/ExportLineNumber.php

@@ -0,0 +1,49 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2022 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\Select\ImportError\OrderItemConverters;
+
+use Espo\Core\Select\Order\ItemConverter;
+use Espo\Core\Select\Order\Item;
+
+use Espo\ORM\Query\Part\OrderList;
+use Espo\ORM\Query\Part\Order;
+use Espo\ORM\Query\Part\Expression as Expr;
+
+class ExportLineNumber implements ItemConverter
+{
+    public function convert(Item $item): OrderList
+    {
+        return OrderList::create([
+            Order
+                ::create(Expr::column('exportRowIndex'))
+                ->withDirection($item->getOrder())
+        ]);
+    }
+}

application/Espo/Classes/Select/ImportError/OrderItemConverters/LineNumber.php

@@ -0,0 +1,49 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2022 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\Select\ImportError\OrderItemConverters;
+
+use Espo\Core\Select\Order\ItemConverter;
+use Espo\Core\Select\Order\Item;
+
+use Espo\ORM\Query\Part\OrderList;
+use Espo\ORM\Query\Part\Order;
+use Espo\ORM\Query\Part\Expression as Expr;
+
+class LineNumber implements ItemConverter
+{
+    public function convert(Item $item): OrderList
+    {
+        return OrderList::create([
+            Order
+                ::create(Expr::column('rowIndex'))
+                ->withDirection($item->getOrder())
+        ]);
+    }
+}

application/Espo/Classes/Select/User/BoolFilters/OnlyMyTeam.php

@@ -50,7 +50,7 @@ class OnlyMyTeam implements Filter
 
     public function apply(SelectBuilder $queryBuilder, OrGroupBuilder $orGroupBuilder): void
     {
-        /** @var string[] */
+        /** @var string[] $teamIdList */
         $teamIdList = $this->user->getLinkMultipleIdList('teams');
 
         if (count($teamIdList) === 0) {

application/Espo/Controllers/Admin.php

@@ -106,14 +106,16 @@ class Admin
 
 
     /**
-     * @todo Use Request.
-     *
      * @param array<string,mixed> $params
      * @param string $data
      * @return array{
      *   id: string,
      *   version: string,
      * }
+     * @throws Forbidden
+     * @throws \Espo\Core\Exceptions\Error
+     * @todo Use Request.
+     *
      */
     public function postActionUploadUpgradePackage($params, $data): array
     {
@@ -134,6 +136,10 @@ class Admin
         ];
     }
 
+    /**
+     * @throws Forbidden
+     * @throws \Espo\Core\Exceptions\Error
+     */
     public function postActionRunUpgrade(Request $request): bool
     {
         $data = $request->getParsedBody();

application/Espo/Controllers/Attachment.php

@@ -52,6 +52,11 @@ class Attachment extends RecordBase
         return parent::getActionList($request, $response);
     }
 
+    /**
+     * @throws BadRequest
+     * @throws Forbidden
+     * @throws \Espo\Core\Exceptions\Error
+     */
     public function postActionGetAttachmentFromImageUrl(Request $request): stdClass
     {
         $data = $request->getParsedBody();
@@ -69,6 +74,12 @@ class Attachment extends RecordBase
             ->getValueMap();
     }
 
+    /**
+     * @throws BadRequest
+     * @throws Forbidden
+     * @throws \Espo\Core\Exceptions\Error
+     * @throws \Espo\Core\Exceptions\NotFound
+     */
     public function postActionGetCopiedAttachment(Request $request): stdClass
     {
         $data = $request->getParsedBody();
@@ -86,6 +97,11 @@ class Attachment extends RecordBase
             ->getValueMap();
     }
 
+    /**
+     * @throws BadRequest
+     * @throws Forbidden
+     * @throws \Espo\Core\Exceptions\NotFound
+     */
     public function getActionFile(Request $request, Response $response): void
     {
         $id = $request->getRouteParam('id');
@@ -103,6 +119,26 @@ class Attachment extends RecordBase
             ->setBody($fileData->stream);
     }
 
+    /**
+     * @throws BadRequest
+     * @throws Forbidden
+     * @throws \Espo\Core\Exceptions\Error
+     * @throws \Espo\Core\Exceptions\NotFound
+     */
+    public function postActionChunk(Request $request, Response $response): void
+    {
+        $id = $request->getRouteParam('id');
+        $body = $request->getBodyContents();
+
+        if (!$id || !$body) {
+            throw new BadRequest();
+        }
+
+        $this->getAttachmentService()->uploadChunk($id, $body);
+
+        $response->writeBody('true');
+    }
+
     private function getAttachmentService(): Service
     {
         /** @var Service */

application/Espo/Controllers/Email.php

@@ -29,22 +29,28 @@
 
 namespace Espo\Controllers;
 
+use Espo\Core\Acl\Table;
 use Espo\Core\Exceptions\BadRequest;
+use Espo\Core\Exceptions\Error;
 use Espo\Core\Exceptions\Forbidden;
 use Espo\Core\Exceptions\NotFound;
 
 use Espo\Core\Controllers\Record;
 use Espo\Core\Api\Request;
 
+use Espo\Entities\Email as EmailEntity;
 use Espo\Services\Email as Service;
 use Espo\Services\EmailTemplate as EmailTemplateService;
 
-use Espo\Core\Utils\Crypt;
-
 use stdClass;
 
 class Email extends Record
 {
+    /**
+     * @throws BadRequest
+     * @throws Forbidden
+     * @throws NotFound
+     */
     public function postActionGetCopiedAttachments(Request $request): stdClass
     {
         $data = $request->getParsedBody();
@@ -61,89 +67,73 @@ class Email extends Record
     }
 
     /**
-     * @todo Move to service.
+     * @throws Forbidden
+     * @throws NotFound
+     * @throws Error
+     * @throws BadRequest
      */
     public function postActionSendTestEmail(Request $request): bool
     {
-        $data = $request->getParsedBody();
-
-        if (!$this->acl->checkScope('Email')) {
+        if (!$this->acl->checkScope(EmailEntity::ENTITY_TYPE)) {
             throw new Forbidden();
         }
 
-        if (is_null($data->password)) {
-            if ($data->type == 'preferences') {
-                if (!$this->user->isAdmin() && $data->id !== $this->user->id) {
-                    throw new Forbidden();
-                }
+        $data = get_object_vars($request->getParsedBody());
 
-                $preferences = $this->getEntityManager()->getEntity('Preferences', $data->id);
+        $allowedParamList = [
+            'type',
+            'id',
+            'username',
+            'password',
+            'auth',
+            'authMechanism',
+            'userId',
+            'fromAddress',
+            'fromName',
+            'server',
+            'port',
+            'security',
+            'emailAddress',
+        ];
 
-                if (!$preferences) {
-                    throw new NotFound();
-                }
-
-                if (is_null($data->password)) {
-                    $data->password = $this->getCrypt()->decrypt($preferences->get('smtpPassword'));
-                }
-            }
-            else if ($data->type == 'emailAccount') {
-                if (!$this->acl->checkScope('EmailAccount')) {
-                    throw new Forbidden();
-                }
-
-                if (!empty($data->id)) {
-                    $emailAccount = $this->getEntityManager()
-                        ->getEntity('EmailAccount', $data->id);
-
-                    if (!$emailAccount) {
-                        throw new NotFound();
-                    }
-
-                    if (!$this->user->isAdmin()) {
-                        if ($emailAccount->get('assignedUserId') !== $this->user->id) {
-                            throw new Forbidden();
-                        }
-                    }
-
-                    if (is_null($data->password)) {
-                        $data->password = $this->getCrypt()->decrypt($emailAccount->get('smtpPassword'));
-                    }
-                }
-            }
-            else if ($data->type == 'inboundEmail') {
-                if (!$this->user->isAdmin()) {
-                    throw new Forbidden();
-                }
-
-                if (!empty($data->id)) {
-                    $emailAccount = $this->getEntityManager()->getEntity('InboundEmail', $data->id);
-
-                    if (!$emailAccount) {
-                        throw new NotFound();
-                    }
-
-                    if (is_null($data->password)) {
-                        $data->password = $this->getCrypt()->decrypt($emailAccount->get('smtpPassword'));
-                    }
-                }
-            }
-            else {
-                if (!$this->user->isAdmin()) {
-                    throw new Forbidden();
-                }
-
-                if (is_null($data->password)) {
-                    $data->password = $this->getConfig()->get('smtpPassword');
-                }
+        foreach (array_keys($data) as $key) {
+            if (!in_array($key, $allowedParamList)) {
+                throw new BadRequest("Not allowed parameter `{$key}`.");
             }
         }
 
-        $this->getEmailService()->sendTestEmail(get_object_vars($data));
+        $emailAddress = $data['emailAddress'] ?? null;
+
+        if (!is_string($emailAddress)) {
+            throw new BadRequest("No email address.");
+        }
+
+        /**
+         * @var array{
+         *     type?: ?string,
+         *     id?: ?string,
+         *     username?: ?string,
+         *     password?: ?string,
+         *     auth?: bool,
+         *     authMechanism?: ?string,
+         *     userId?: ?string,
+         *     fromAddress?: ?string,
+         *     fromName?: ?string,
+         *     server: string,
+         *     port: int,
+         *     security: string,
+         *     emailAddress: string,
+         * } $data
+         */
+
+        $this->getEmailService()->sendTestEmail($data);
 
         return true;
     }
 
+    /**
+     * @throws BadRequest
+     */
     public function postActionMarkAsRead(Request $request): bool
     {
         $data = $request->getParsedBody();
@@ -165,6 +155,9 @@ class Email extends Record
         return true;
     }
 
+    /**
+     * @throws BadRequest
+     */
     public function postActionMarkAsNotRead(Request $request): bool
     {
         $data = $request->getParsedBody();
@@ -193,6 +186,9 @@ class Email extends Record
         return true;
     }
 
+    /**
+     * @throws BadRequest
+     */
     public function postActionMarkAsImportant(Request $request): bool
     {
         $data = $request->getParsedBody();
@@ -214,6 +210,9 @@ class Email extends Record
         return true;
     }
 
+    /**
+     * @throws BadRequest
+     */
     public function postActionMarkAsNotImportant(Request $request): bool
     {
         $data = $request->getParsedBody();
@@ -235,6 +234,9 @@ class Email extends Record
         return true;
     }
 
+    /**
+     * @throws BadRequest
+     */
     public function postActionMoveToTrash(Request $request): bool
     {
         $data = $request->getParsedBody();
@@ -256,6 +258,9 @@ class Email extends Record
         return true;
     }
 
+    /**
+     * @throws BadRequest
+     */
     public function postActionRetrieveFromTrash(Request $request): bool
     {
         $data = $request->getParsedBody();
@@ -282,6 +287,9 @@ class Email extends Record
         return $this->getEmailService()->getFoldersNotReadCounts();
     }
 
+    /**
+     * @throws BadRequest
+     */
     public function postActionMoveToFolder(Request $request): bool
     {
         $data = $request->getParsedBody();
@@ -305,9 +313,12 @@ class Email extends Record
         return true;
     }
 
+    /**
+     * @throws Forbidden
+     */
     public function getActionGetInsertFieldData(Request $request): stdClass
     {
-        if (!$this->acl->checkScope('Email', 'create')) {
+        if (!$this->acl->checkScope(EmailEntity::ENTITY_TYPE, Table::ACTION_CREATE)) {
             throw new Forbidden();
         }
 
@@ -329,10 +340,4 @@ class Email extends Record
         /** @var EmailTemplateService */
         return $this->getServiceFactory()->create('EmailTemplate');
     }
-
-    private function getCrypt(): Crypt
-    {
-        /** @var Crypt */
-        return $this->getContainer()->get('crypt');
-    }
 }

application/Espo/Controllers/EmailAccount.php

@@ -29,6 +29,8 @@
 
 namespace Espo\Controllers;
 
+use Espo\Core\Exceptions\Error;
+use Espo\Core\Exceptions\Forbidden;
 use Espo\Core\Mail\Account\PersonalAccount\Service;
 use Espo\Core\Mail\Account\Storage\Params as StorageParams;
 
@@ -44,6 +46,8 @@ class EmailAccount extends Record
 
     /**
      * @return string[]
+     * @throws Forbidden
+     * @throws Error
      */
     public function postActionGetFolders(Request $request): array
     {
@@ -63,6 +67,10 @@ class EmailAccount extends Record
         return $this->getEmailAccountService()->getFolderList($params);
     }
 
+    /**
+     * @throws Error
+     * @throws Forbidden
+     */
     public function postActionTestConnection(Request $request): bool
     {
         $data = $request->getParsedBody();

application/Espo/Controllers/EmailAddress.php

@@ -45,6 +45,8 @@ class EmailAddress extends RecordBase
 
     /**
      * @return array<int,array<string,mixed>>
+     * @throws Forbidden
+     * @throws BadRequest
      */
     public function actionSearchInAddressBook(Request $request): array
     {

application/Espo/Controllers/ExternalAccount.php

@@ -66,7 +66,7 @@ class ExternalAccount extends RecordBase
                 $entity->get('enabled') &&
                 $this->metadata->get('integrations.' . $entity->getId() .'.allowUserAccounts')
             ) {
-                /** @var string */
+                /** @var string $id */
                 $id = $entity->getId();
 
                 $userAccountAclScope = $this->metadata
@@ -118,9 +118,13 @@ class ExternalAccount extends RecordBase
 
     public function getActionRead(Request $request, Response $response): stdClass
     {
-        /** @var string */
+        /** @var string $id */
         $id = $request->getRouteParam('id');
 
+        if ($id === '') {
+            throw new BadRequest();
+        }
+
         return $this->getRecordService()
             ->read($id, ReadParams::create())
             ->getValueMap();
@@ -128,7 +132,7 @@ class ExternalAccount extends RecordBase
 
     public function putActionUpdate(Request $request, Response $response): stdClass
     {
-        /** @var string */
+        /** @var string $id */
         $id = $request->getRouteParam('id');
 
         $data = $request->getParsedBody();

application/Espo/Controllers/FieldManager.php

@@ -35,12 +35,12 @@ use Espo\{
 };
 
 use Espo\Core\{
+    Exceptions\Conflict,
     Exceptions\Error,
     Exceptions\Forbidden,
     Exceptions\BadRequest,
     Api\Request,
-    DataManager,
-};
+    DataManager};
 
 class FieldManager
 {
@@ -50,6 +50,9 @@ class FieldManager
 
     private $fieldManagerTool;
 
+    /**
+     * @throws Forbidden
+     */
     public function __construct(User $user, DataManager $dataManager, FieldManagerTool $fieldManagerTool)
     {
         $this->user = $user;
@@ -59,6 +62,9 @@ class FieldManager
         $this->checkControllerAccess();
     }
 
+    /**
+     * @throws Forbidden
+     */
     protected function checkControllerAccess(): void
     {
         if (!$this->user->isAdmin()) {
@@ -68,6 +74,8 @@ class FieldManager
 
     /**
      * @return array<string,mixed>
+     * @throws BadRequest
+     * @throws Error
      */
     public function getActionRead(Request $request): array
     {
@@ -83,6 +91,9 @@ class FieldManager
 
     /**
      * @return array<string,mixed>
+     * @throws BadRequest
+     * @throws Conflict
+     * @throws Error
      */
     public function postActionCreate(Request $request): array
     {
@@ -113,6 +124,8 @@ class FieldManager
 
     /**
      * @return array<string,mixed>
+     * @throws BadRequest
+     * @throws Error
      */
     public function patchActionUpdate(Request $request): array
     {
@@ -121,6 +134,8 @@ class FieldManager
 
     /**
      * @return array<string,mixed>
+     * @throws BadRequest
+     * @throws Error
      */
     public function putActionUpdate(Request $request): array
     {
@@ -146,6 +161,10 @@ class FieldManager
         return $fieldManagerTool->read($scope, $name);
     }
 
+    /**
+     * @throws BadRequest
+     * @throws Error
+     */
     public function deleteActionDelete(Request $request): bool
     {
         $scope = $request->getRouteParam('scope');
@@ -162,6 +181,10 @@ class FieldManager
         return $result;
     }
 
+    /**
+     * @throws BadRequest
+     * @throws Error
+     */
     public function postActionResetToDefault(Request $request): bool
     {
         $data = $request->getParsedBody();
@@ -173,7 +196,6 @@ class FieldManager
         $this->fieldManagerTool->resetToDefault($data->scope, $data->name);
 
         $this->dataManager->clearCache();
-
         $this->dataManager->rebuildMetadata();
 
         return true;

application/Espo/Controllers/Import.php

@@ -144,6 +144,25 @@ class Import extends Record
         return true;
     }
 
+    /**
+     * @throws BadRequest
+     * @throws \Espo\Core\Exceptions\NotFound
+     */
+    public function postActionExportErrors(Request $request): stdClass
+    {
+        $id = $request->getParsedBody()->id ?? null;
+
+        if (!$id) {
+            throw new BadRequest("No `id`.");
+        }
+
+        $attachmentId = $this->getImportService()->exportErrors($id);
+
+        return (object) [
+            'attachmentId' => $attachmentId,
+        ];
+    }
+
     public function putActionUpdate(Request $request, Response $response): stdClass
     {
         throw new Forbidden();

application/Espo/Controllers/ImportError.php

@@ -0,0 +1,36 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2022 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Controllers;
+
+use Espo\Core\Controllers\Record;
+
+class ImportError extends Record
+{
+}

application/Espo/Controllers/InboundEmail.php

@@ -44,6 +44,7 @@ class InboundEmail extends Record
 
     /**
      * @return string[]
+     * @throws \Espo\Core\Exceptions\Error
      */
     public function postActionGetFolders(Request $request): array
     {

application/Espo/Controllers/Integration.php

@@ -56,7 +56,7 @@ class Integration
 
     public function getActionRead(Request $request): stdClass
     {
-        /** @var string */
+        /** @var string $id */
         $id = $request->getRouteParam('id');
 
         $entity = $this->service->read($id);
@@ -66,7 +66,7 @@ class Integration
 
     public function putActionUpdate(Request $request): stdClass
     {
-        /** @var string */
+        /** @var string $id */
         $id = $request->getRouteParam('id');
         $data = $request->getParsedBody();
 

application/Espo/Controllers/Kanban.php

@@ -53,7 +53,7 @@ class Kanban
 
     public function getActionGetData(Request $request): stdClass
     {
-        /** @var string */
+        /** @var string $entityType */
         $entityType = $request->getRouteParam('entityType');
 
         $searchParams = $this->searchParamsFetcher->fetch($request);

application/Espo/Controllers/Layout.php

@@ -29,10 +29,12 @@
 
 namespace Espo\Controllers;
 
+use Espo\Core\Exceptions\Error;
 use Espo\Core\Exceptions\Forbidden;
 use Espo\Core\Exceptions\BadRequest;
 
 use Espo\Core\Api\Request;
+use Espo\Core\Exceptions\NotFound;
 use Espo\Services\Layout as Service;
 use Espo\Entities\User;
 
@@ -50,6 +52,10 @@ class Layout
 
     /**
      * @return mixed
+     * @throws Forbidden
+     * @throws NotFound
+     * @throws Error
+     * @throws BadRequest
      */
     public function getActionRead(Request $request)
     {
@@ -67,6 +73,10 @@ class Layout
 
     /**
      * @return mixed
+     * @throws Forbidden
+     * @throws BadRequest
+     * @throws NotFound
+     * @throws Error
      */
     public function putActionUpdate(Request $request)
     {
@@ -95,6 +105,10 @@ class Layout
 
     /**
      * @return mixed
+     * @throws Forbidden
+     * @throws BadRequest
+     * @throws NotFound
+     * @throws Error
      */
     public function postActionResetToDefault(Request $request)
     {
@@ -113,6 +127,10 @@ class Layout
 
     /**
      * @return mixed
+     * @throws BadRequest
+     * @throws Forbidden
+     * @throws NotFound
+     * @throws Error
      */
     public function getActionGetOriginal(Request $request)
     {

application/Espo/Controllers/LeadCapture.php

@@ -99,6 +99,7 @@ class LeadCapture extends Record
 
     /**
      * @return stdClass[]
+     * @throws Forbidden
      */
     public function getActionSmtpAccountDataList(): array
     {

application/Espo/Controllers/MassAction.php

@@ -119,6 +119,7 @@ class MassAction
 
     /**
      * @return array<string,mixed>
+     * @throws BadRequest
      */
     private function prepareMassActionParams(stdClass $data): array
     {
@@ -149,6 +150,9 @@ class MassAction
         throw new BadRequest("Bad search params for mass action.");
     }
 
+    /**
+     * @throws Error
+     */
     private function convertResult(ServiceResult $serviceResult): stdClass
     {
         if (!$serviceResult->hasResult()) {

application/Espo/Controllers/Metadata.php

@@ -49,6 +49,7 @@ class Metadata extends Base
 
     /**
      * @return mixed
+     * @throws Forbidden
      */
     public function getActionGet(Request $request)
     {

application/Espo/Core/Acl.php

@@ -30,9 +30,9 @@
 namespace Espo\Core;
 
 use Espo\Core\{
+    Acl\GlobalRestriction,
     Acl\Table,
-    Acl\Exceptions\NotImplemented,
-};
+    Acl\Exceptions\NotImplemented};
 
 use Espo\ORM\Entity;
 use Espo\Entities\User;
@@ -283,7 +283,7 @@ class Acl
     /**
      * Get a restricted field list for a specific scope by a restriction type.
      *
-     * @param string|string[] $type
+     * @param GlobalRestriction::TYPE_*|array<int,GlobalRestriction::TYPE_*> $type
      * @return string[]
      */
     public function getScopeRestrictedFieldList(string $scope, $type): array
@@ -294,7 +294,7 @@ class Acl
     /**
      * Get a restricted attribute list for a specific scope by a restriction type.
      *
-     * @param string|string[] $type
+     * @param GlobalRestriction::TYPE_*|array<int,GlobalRestriction::TYPE_*> $type
      * @return string[]
      */
     public function getScopeRestrictedAttributeList(string $scope, $type): array
@@ -305,7 +305,7 @@ class Acl
     /**
      * Get a restricted link list for a specific scope by a restriction type.
      *
-     * @param string|string[] $type
+     * @param GlobalRestriction::TYPE_*|array<int,GlobalRestriction::TYPE_*> $type
      * @return string[]
      */
     public function getScopeRestrictedLinkList(string $scope, $type): array

application/Espo/Core/Acl/AccessChecker/AccessCheckerFactory.php

@@ -85,7 +85,7 @@ class AccessCheckerFactory
      */
     private function getClassName(string $scope): string
     {
-        /** @var ?class-string<AccessChecker> */
+        /** @var ?class-string<AccessChecker> $className1 */
         $className1 = $this->metadata->get(['aclDefs', $scope, 'accessCheckerClassName']);
 
         if ($className1) {

application/Espo/Core/Acl/AccessChecker/AccessCheckers/Foreign.php

@@ -0,0 +1,170 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2022 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Acl\AccessChecker\AccessCheckers;
+
+use Espo\Entities\User;
+
+use Espo\ORM\Entity;
+
+use Espo\Core\Utils\Metadata;
+
+use Espo\Core\Acl\DefaultAccessChecker;
+use Espo\Core\Acl\Traits\DefaultAccessCheckerDependency;
+use Espo\Core\Acl\AccessEntityCreateChecker;
+use Espo\Core\Acl\AccessEntityReadChecker;
+use Espo\Core\Acl\AccessEntityEditChecker;
+use Espo\Core\Acl\AccessEntityDeleteChecker;
+use Espo\Core\Acl\AccessEntityStreamChecker;
+use Espo\Core\Acl\ScopeData;
+
+use Espo\ORM\EntityManager;
+
+use LogicException;
+
+/**
+ * Access is determined by access to a foreign entity.
+ *
+ * @implements AccessEntityCreateChecker<Entity>
+ * @implements AccessEntityReadChecker<Entity>
+ * @implements AccessEntityEditChecker<Entity>
+ * @implements AccessEntityDeleteChecker<Entity>
+ * @implements AccessEntityStreamChecker<Entity>
+ */
+class Foreign implements
+
+    AccessEntityCreateChecker,
+    AccessEntityReadChecker,
+    AccessEntityEditChecker,
+    AccessEntityDeleteChecker,
+    AccessEntityStreamChecker
+{
+    use DefaultAccessCheckerDependency;
+
+    private Metadata $metadata;
+    private EntityManager $entityManager;
+
+    public function __construct(
+        Metadata $metadata,
+        DefaultAccessChecker $defaultAccessChecker,
+        EntityManager $entityManager
+    ) {
+        $this->metadata = $metadata;
+        $this->defaultAccessChecker = $defaultAccessChecker;
+        $this->entityManager = $entityManager;
+    }
+
+    private function getForeignEntity(Entity $entity): ?Entity
+    {
+        $entityType = $entity->getEntityType();
+
+        $link = $this->metadata->get(['aclDefs', $entityType, 'link']);
+
+        if (!$link) {
+            throw new LogicException("No `link` in aclDefs for {$entityType}.");
+        }
+
+        if ($entity->isNew()) {
+            $foreignEntityType = $this->entityManager
+                ->getDefs()
+                ->getEntity($entityType)
+                ->getRelation($link)
+                ->getForeignEntityType();
+
+            /** @var ?string $id */
+            $id = $entity->get($link . 'Id');
+
+            if (!$id) {
+                return null;
+            }
+
+            return $this->entityManager->getEntityById($foreignEntityType, $id);
+        }
+
+        return $this->entityManager
+            ->getRDBRepository($entityType)
+            ->getRelation($entity, $link)
+            ->findOne();
+    }
+
+    public function checkEntityCreate(User $user, Entity $entity, ScopeData $data): bool
+    {
+        $foreign = $this->getForeignEntity($entity);
+
+        if (!$foreign) {
+            return false;
+        }
+
+        return $this->defaultAccessChecker->checkEntityCreate($user, $entity, $data);
+    }
+
+    public function checkEntityRead(User $user, Entity $entity, ScopeData $data): bool
+    {
+        $foreign = $this->getForeignEntity($entity);
+
+        if (!$foreign) {
+            return false;
+        }
+
+        return $this->defaultAccessChecker->checkEntityRead($user, $entity, $data);
+    }
+
+    public function checkEntityEdit(User $user, Entity $entity, ScopeData $data): bool
+    {
+        $foreign = $this->getForeignEntity($entity);
+
+        if (!$foreign) {
+            return false;
+        }
+
+        return $this->defaultAccessChecker->checkEntityEdit($user, $entity, $data);
+    }
+
+    public function checkEntityDelete(User $user, Entity $entity, ScopeData $data): bool
+    {
+        $foreign = $this->getForeignEntity($entity);
+
+        if (!$foreign) {
+            return false;
+        }
+
+        return $this->defaultAccessChecker->checkEntityDelete($user, $entity, $data);
+    }
+
+    public function checkEntityStream(User $user, Entity $entity, ScopeData $data): bool
+    {
+        $foreign = $this->getForeignEntity($entity);
+
+        if (!$foreign) {
+            return false;
+        }
+
+        return $this->defaultAccessChecker->checkEntityStream($user, $entity, $data);
+    }
+}

application/Espo/Core/Acl/AssignmentChecker/AssignmentCheckerFactory.php

@@ -75,7 +75,7 @@ class AssignmentCheckerFactory
      */
     private function getClassName(string $scope): string
     {
-        /** @var ?class-string<AssignmentChecker<\Espo\ORM\Entity>> */
+        /** @var ?class-string<AssignmentChecker<\Espo\ORM\Entity>> $className */
         $className = $this->metadata->get(['aclDefs', $scope, 'assignmentCheckerClassName']);
 
         if ($className) {

application/Espo/Core/Acl/DefaultAssignmentChecker.php

@@ -228,7 +228,7 @@ class DefaultAssignmentChecker implements AssignmentChecker
             return true;
         }
 
-        /** @var string[] */
+        /** @var string[] $userTeamIdList */
         $userTeamIdList = $user->getLinkMultipleIdList(self::FIELD_TEAMS);
 
         foreach ($newIdList as $id) {
@@ -331,7 +331,7 @@ class DefaultAssignmentChecker implements AssignmentChecker
 
     private function isPermittedAssignedUsersLevelNo(User $user, CoreEntity $entity): bool
     {
-        /** @var string[] */
+        /** @var string[] $userIdList */
         $userIdList = $entity->getLinkMultipleIdList(self::FIELD_ASSIGNED_USERS);
 
         $fetchedAssignedUserIdList = $entity->getFetched(self::ATTR_ASSIGNED_USERS_IDS);
@@ -351,12 +351,12 @@ class DefaultAssignmentChecker implements AssignmentChecker
 
     private function isPermittedAssignedUsersLevelTeam(User $user, CoreEntity $entity): bool
     {
-        /** @var string[] */
+        /** @var string[] $userIdList */
         $userIdList = $entity->getLinkMultipleIdList(self::FIELD_ASSIGNED_USERS);
 
         $fetchedAssignedUserIdList = $entity->getFetched(self::ATTR_ASSIGNED_USERS_IDS);
 
-        /** @var string[] */
+        /** @var string[] $teamIdList */
         $teamIdList = $user->getLinkMultipleIdList(self::FIELD_TEAMS);
 
         foreach ($userIdList as $userId) {

application/Espo/Core/Acl/DefaultOwnershipChecker.php

@@ -85,7 +85,7 @@ class DefaultOwnershipChecker implements OwnershipOwnChecker, OwnershipTeamCheck
             return false;
         }
 
-        /** @var string[] */
+        /** @var string[] $userTeamIdList */
         $userTeamIdList = $user->getLinkMultipleIdList(self::FIELD_TEAMS);
 
         if (

application/Espo/Core/Acl/GlobalRestriction.php

@@ -33,7 +33,6 @@ use Espo\Core\{
     Utils\Metadata,
     Utils\DataCache,
     Utils\FieldUtil,
-    Utils\Log,
     Utils\Config,
 };
 
@@ -43,68 +42,75 @@ use stdClass;
  * Lists of restricted fields can be obtained from here. Restricted fields
  * are specified in metadata > entityAcl.
  */
-class GlobalRestricton
+class GlobalRestriction
 {
+    /** Totally forbidden. */
     public const TYPE_FORBIDDEN = 'forbidden';
 
+    /** Reading forbidden, writing allowed. */
     public const TYPE_INTERNAL = 'internal';
 
+    /** Forbidden for non-admin users. */
     public const TYPE_ONLY_ADMIN = 'onlyAdmin';
 
+    /** Read-only for all users. */
     public const TYPE_READ_ONLY = 'readOnly';
 
+    /** Read-only for non-admin users. */
     public const TYPE_NON_ADMIN_READ_ONLY = 'nonAdminReadOnly';
 
     /**
-     * @var string[]
+     * @var array<int,self::TYPE_*>
      */
-    protected $fieldTypeList = [
-        'forbidden', // totally forbidden
-        'internal', // reading forbidden, writing allowed
-        'onlyAdmin', // forbidden for non admin users
-        'readOnly', // read-only for all users
-        'nonAdminReadOnly' // read-only for non-admin users
+    private $fieldTypeList = [
+        self::TYPE_FORBIDDEN,
+        self::TYPE_INTERNAL,
+        self::TYPE_ONLY_ADMIN,
+        self::TYPE_READ_ONLY,
+        self::TYPE_NON_ADMIN_READ_ONLY,
     ];
 
     /**
-     * @var string[]
+     * @var array<int,self::TYPE_*>
      */
-    protected $linkTypeList = [
-        'forbidden', // totally forbidden
-        'internal', // reading forbidden, writing allowed
-        'onlyAdmin', // forbidden for non admin users
-        'readOnly', // read-only for all users
-        'nonAdminReadOnly' // read-only for non-admin users
+    private $linkTypeList = [
+        self::TYPE_FORBIDDEN,
+        self::TYPE_INTERNAL,
+        self::TYPE_ONLY_ADMIN,
+        self::TYPE_READ_ONLY,
+        self::TYPE_NON_ADMIN_READ_ONLY,
+    ];
+
+    /**
+     * Types that should also be taken from entityDefs.
+     * @var array<int,self::TYPE_*>
+     */
+    private array $entityDefsTypeList = [
+        self::TYPE_READ_ONLY,
     ];
 
     private ?stdClass $data = null;
 
-    protected string $cacheKey = 'entityAcl';
+    private string $cacheKey = 'entityAcl';
 
     private Metadata $metadata;
-
     private DataCache $dataCache;
-
     private FieldUtil $fieldUtil;
 
-    private Log $log;
-
     public function __construct(
         Metadata $metadata,
         DataCache $dataCache,
         FieldUtil $fieldUtil,
-        Log $log,
         Config $config
     ) {
         $this->metadata = $metadata;
         $this->dataCache = $dataCache;
         $this->fieldUtil = $fieldUtil;
-        $this->log = $log;
 
         $useCache = $config->get('useCache');
 
         if ($useCache && $this->dataCache->has($this->cacheKey)) {
-            /** @var stdClass */
+            /** @var stdClass $cachedData */
             $cachedData = $this->dataCache->get($this->cacheKey);
 
             $this->data = $cachedData;
@@ -121,25 +127,25 @@ class GlobalRestricton
         }
     }
 
-    protected function storeCacheFile(): void
+    private function storeCacheFile(): void
     {
         assert($this->data !== null);
 
         $this->dataCache->store($this->cacheKey, $this->data);
     }
 
-    protected function buildData(): void
+    private function buildData(): void
     {
-        /** @var string[] */
-        $scopeList = array_keys($this->metadata->get(['entityDefs'], []));
+        /** @var string[] $scopeList */
+        $scopeList = array_keys($this->metadata->get(['entityDefs']) ?? []);
 
         $data = (object) [];
 
         foreach ($scopeList as $scope) {
-            /** @var string[] */
-            $fieldList = array_keys($this->metadata->get(['entityDefs', $scope, 'fields'], []));
-            /** @var string[] */
-            $linkList = array_keys($this->metadata->get(['entityDefs', $scope, 'links'], []));
+            /** @var string[] $fieldList */
+            $fieldList = array_keys($this->metadata->get(['entityDefs', $scope, 'fields']) ?? []);
+            /** @var string[] $linkList */
+            $linkList = array_keys($this->metadata->get(['entityDefs', $scope, 'links']) ?? []);
 
             $isNotEmpty = false;
 
@@ -154,16 +160,24 @@ class GlobalRestricton
                 $resultAttributeList = [];
 
                 foreach ($fieldList as $field) {
-                    if ($this->metadata->get(['entityAcl', $scope, 'fields', $field, $type])) {
-                        $isNotEmpty = true;
+                    $value = $this->metadata->get(['entityAcl', $scope, 'fields', $field, $type]);
 
-                        $resultFieldList[] = $field;
+                    if (!$value && in_array($type, $this->entityDefsTypeList)) {
+                        $value = $this->metadata->get(['entityDefs', $scope, 'fields', $field, $type]);
+                    }
 
-                        $fieldAttributeList = $this->fieldUtil->getAttributeList($scope, $field);
+                    if (!$value) {
+                        continue;
+                    }
 
-                        foreach ($fieldAttributeList as $attribute) {
-                            $resultAttributeList[] = $attribute;
-                        }
+                    $isNotEmpty = true;
+
+                    $resultFieldList[] = $field;
+
+                    $fieldAttributeList = $this->fieldUtil->getAttributeList($scope, $field);
+
+                    foreach ($fieldAttributeList as $attribute) {
+                        $resultAttributeList[] = $attribute;
                     }
                 }
 
@@ -175,12 +189,21 @@ class GlobalRestricton
                 $resultLinkList = [];
 
                 foreach ($linkList as $link) {
-                    if ($this->metadata->get(['entityAcl', $scope, 'links', $link, $type])) {
-                        $isNotEmpty = true;
+                    $value = $this->metadata->get(['entityAcl', $scope, 'links', $link, $type]);
 
-                        $resultLinkList[] = $link;
+                    if (!$value && in_array($type, $this->entityDefsTypeList)) {
+                        $value = $this->metadata->get(['entityDefs', $scope, 'links', $link, $type]);
                     }
+
+                    if (!$value) {
+                        continue;
+                    }
+
+                    $isNotEmpty = true;
+
+                    $resultLinkList[] = $link;
                 }
+
                 $scopeData->links->$type = $resultLinkList;
             }
 
@@ -193,6 +216,7 @@ class GlobalRestricton
     }
 
     /**
+     * @param self::TYPE_* $type
      * @return string[]
      */
     public function getScopeRestrictedFieldList(string $scope, string $type): array
@@ -215,6 +239,7 @@ class GlobalRestricton
     }
 
     /**
+     * @param self::TYPE_* $type
      * @return string[]
      */
     public function getScopeRestrictedAttributeList(string $scope, string $type): array
@@ -237,6 +262,7 @@ class GlobalRestricton
     }
 
     /**
+     * @param self::TYPE_* $type
      * @return string[]
      */
     public function getScopeRestrictedLinkList(string $scope, string $type): array

application/Espo/Core/Acl/Map/Map.php

@@ -95,7 +95,7 @@ class Map
         $this->cacheKey = $cacheKeyProvider->get();
 
         if ($this->config->get('useCache') && $this->dataCache->has($this->cacheKey)) {
-            /** @var stdClass */
+            /** @var stdClass $cachedData */
             $cachedData = $this->dataCache->get($this->cacheKey);
 
             $this->data = $cachedData;

application/Espo/Core/Acl/OwnershipChecker/OwnershipCheckerFactory.php

@@ -80,7 +80,7 @@ class OwnershipCheckerFactory
      */
     private function getClassName(string $scope): string
     {
-        /** @var ?class-string<OwnershipChecker> */
+        /** @var ?class-string<OwnershipChecker> $className */
         $className = $this->metadata->get(['aclDefs', $scope, 'ownershipCheckerClassName']);
 
         if ($className) {

application/Espo/Core/Acl/Table/DefaultRoleListProvider.php

@@ -53,7 +53,7 @@ class DefaultRoleListProvider implements RoleListProvider
     {
         $roleList = [];
 
-        /** @var iterable<RoleEntity> */
+        /** @var iterable<RoleEntity> $userRoleList */
         $userRoleList = $this->entityManager
             ->getRDBRepository('User')
             ->getRelation($this->user, 'roles')
@@ -63,14 +63,14 @@ class DefaultRoleListProvider implements RoleListProvider
             $roleList[] = $role;
         }
 
-        /** @var iterable<\Espo\Entities\Team> */
+        /** @var iterable<\Espo\Entities\Team> $teamList */
         $teamList = $this->entityManager
             ->getRDBRepository('User')
             ->getRelation($this->user, 'teams')
             ->find();
 
         foreach ($teamList as $team) {
-            /** @var iterable<RoleEntity> */
+            /** @var iterable<RoleEntity> $teamRoleList */
             $teamRoleList = $this->entityManager
                 ->getRDBRepository('Team')
                 ->getRelation($team, 'roles')

application/Espo/Core/Acl/Table/DefaultTable.php

@@ -146,7 +146,7 @@ class DefaultTable implements Table
         $this->cacheKey = $cacheKeyProvider->get();
 
         if ($config->get('useCache') && $dataCache->has($this->cacheKey)) {
-            /** @var stdClass */
+            /** @var stdClass $cachedData */
             $cachedData = $dataCache->get($this->cacheKey);
 
             $this->data = $cachedData;
@@ -248,6 +248,7 @@ class DefaultTable implements Table
             $fieldTable = (object) [];
 
             $this->applyHighest($aclTable, $fieldTable);
+            $this->applyDisabled($aclTable, $fieldTable);
             $this->applyAdminMandatory($aclTable, $fieldTable);
         }
 
@@ -526,10 +527,6 @@ class DefaultTable implements Table
 
     protected function applyDisabled(stdClass &$table, stdClass &$fieldTable): void
     {
-        if ($this->user->isAdmin()) {
-            return;
-        }
-
         foreach ($this->getScopeList() as $scope) {
             if ($this->metadata->get(['scopes', $scope, 'disabled'])) {
                 $table->$scope = false;

application/Espo/Core/AclManager.php

@@ -37,7 +37,7 @@ use Espo\ORM\EntityManager;
 
 use Espo\Core\{
     Acl,
-    Acl\GlobalRestricton,
+    Acl\GlobalRestriction,
     Acl\OwnerUserFieldProvider,
     Acl\Table\TableFactory,
     Acl\Table,
@@ -140,9 +140,9 @@ class AclManager
     private $mapFactory;
 
     /**
-     * @var GlobalRestricton
+     * @var GlobalRestriction
      */
-    protected $globalRestricton;
+    protected $globalRestriction;
 
     /**
      * @var OwnerUserFieldProvider
@@ -159,7 +159,7 @@ class AclManager
         OwnershipCheckerFactory $ownershipCheckerFactory,
         TableFactory $tableFactory,
         MapFactory $mapFactory,
-        GlobalRestricton $globalRestricton,
+        GlobalRestriction $globalRestriction,
         OwnerUserFieldProvider $ownerUserFieldProvider,
         EntityManager $entityManager
     ) {
@@ -167,7 +167,7 @@ class AclManager
         $this->ownershipCheckerFactory = $ownershipCheckerFactory;
         $this->tableFactory = $tableFactory;
         $this->mapFactory = $mapFactory;
-        $this->globalRestricton = $globalRestricton;
+        $this->globalRestriction = $globalRestriction;
         $this->ownerUserFieldProvider = $ownerUserFieldProvider;
         $this->entityManager = $entityManager;
     }
@@ -487,27 +487,27 @@ class AclManager
     }
 
     /**
-     * @return string[]
+     * @return array<int,GlobalRestriction::TYPE_*>
      */
     protected function getGlobalRestrictionTypeList(User $user, string $action = Table::ACTION_READ): array
     {
         $typeList = [
-            GlobalRestricton::TYPE_FORBIDDEN,
+            GlobalRestriction::TYPE_FORBIDDEN,
         ];
 
         if ($action === Table::ACTION_READ) {
-            $typeList[] = GlobalRestricton::TYPE_INTERNAL;
+            $typeList[] = GlobalRestriction::TYPE_INTERNAL;
         }
 
         if (!$user->isAdmin()) {
-            $typeList[] = GlobalRestricton::TYPE_ONLY_ADMIN;
+            $typeList[] = GlobalRestriction::TYPE_ONLY_ADMIN;
         }
 
         if ($action === Table::ACTION_EDIT) {
-            $typeList[] = GlobalRestricton::TYPE_READ_ONLY;
+            $typeList[] = GlobalRestriction::TYPE_READ_ONLY;
 
             if (!$user->isAdmin()) {
-                $typeList[] = GlobalRestricton::TYPE_NON_ADMIN_READ_ONLY;
+                $typeList[] = GlobalRestriction::TYPE_NON_ADMIN_READ_ONLY;
             }
         }
 
@@ -596,7 +596,7 @@ class AclManager
      */
     public function checkUserPermission(User $user, $target, string $permissionType = 'user'): bool
     {
-        $permission = $this->get($user, $permissionType);
+        $permission = $this->getPermissionLevel($user, $permissionType);
 
         if (is_object($target)) {
             $userId = $target->getId();
@@ -618,11 +618,11 @@ class AclManager
         }
 
         if ($permission === Table::LEVEL_TEAM) {
-            /** @var string[] */
+            /** @var string[] $teamIdList */
             $teamIdList = $user->getLinkMultipleIdList('teams');
 
             /** @var \Espo\Repositories\User $userRepository */
-            $userRepository = $this->entityManager->getRepository('User');
+            $userRepository = $this->entityManager->getRepository(User::ENTITY_TYPE);
 
             if (!$userRepository->checkBelongsToAnyOfTeams($userId, $teamIdList)) {
                 return false;
@@ -658,7 +658,7 @@ class AclManager
     /**
      * Get a restricted field list for a specific scope by a restriction type.
      *
-     * @param string|string[] $type
+     * @param GlobalRestriction::TYPE_*|array<int,GlobalRestriction::TYPE_*> $type
      * @return string[]
      */
     public function getScopeRestrictedFieldList(string $scope, $type): array
@@ -671,20 +671,20 @@ class AclManager
             foreach ($typeList as $type) {
                 $list = array_merge(
                     $list,
-                    $this->globalRestricton->getScopeRestrictedFieldList($scope, $type)
+                    $this->globalRestriction->getScopeRestrictedFieldList($scope, $type)
                 );
             }
 
             return array_unique($list);
         }
 
-        return $this->globalRestricton->getScopeRestrictedFieldList($scope, $type);
+        return $this->globalRestriction->getScopeRestrictedFieldList($scope, $type);
     }
 
     /**
      * Get a restricted attribute list for a specific scope by a restriction type.
      *
-     * @param string|string[] $type
+     * @param GlobalRestriction::TYPE_*|array<int,GlobalRestriction::TYPE_*> $type
      * @return string[]
      */
     public function getScopeRestrictedAttributeList(string $scope, $type): array
@@ -697,20 +697,20 @@ class AclManager
             foreach ($typeList as $type) {
                 $list = array_merge(
                     $list,
-                    $this->globalRestricton->getScopeRestrictedAttributeList($scope, $type)
+                    $this->globalRestriction->getScopeRestrictedAttributeList($scope, $type)
                 );
             }
 
             return array_unique($list);
         }
 
-        return $this->globalRestricton->getScopeRestrictedAttributeList($scope, $type);
+        return $this->globalRestriction->getScopeRestrictedAttributeList($scope, $type);
     }
 
     /**
      * Get a restricted link list for a specific scope by a restriction type.
      *
-     * @param string|string[] $type
+     * @param GlobalRestriction::TYPE_*|array<int,GlobalRestriction::TYPE_*> $type
      * @return string[]
      */
     public function getScopeRestrictedLinkList(string $scope, $type): array
@@ -723,19 +723,19 @@ class AclManager
             foreach ($typeList as $type) {
                 $list = array_merge(
                     $list,
-                    $this->globalRestricton->getScopeRestrictedLinkList($scope, $type)
+                    $this->globalRestriction->getScopeRestrictedLinkList($scope, $type)
                 );
             }
 
             return array_unique($list);
         }
 
-        return $this->globalRestricton->getScopeRestrictedLinkList($scope, $type);
+        return $this->globalRestriction->getScopeRestrictedLinkList($scope, $type);
     }
 
     /**
      * Get an entity field that stores an owner-user (or multiple users).
-     * Must be link or linkMulitple field. NULL means no owner.
+     * Must be a link or linkMultiple field. NULL means no owner.
      */
     public function getReadOwnerUserField(string $entityType): ?string
     {

application/Espo/Core/Action/ActionFactory.php

@@ -65,8 +65,10 @@ class ActionFactory
 
     /**
      * @param array<string,object> $with
-     * @deprecated
+     * @throws NotFound
+     * @throws Forbidden
      * @todo Remove.
+     * @deprecated
      */
     public function createWith(string $action, ?string $entityType, array $with): Action
     {

application/Espo/Core/Action/Actions/Merge/Merger.php

@@ -209,7 +209,7 @@ class Merger
     {
         $list = [];
 
-        /** @var iterable<PhoneNumber> */
+        /** @var iterable<PhoneNumber> $collection */
         $collection = $this->entityManager
             ->getRDBRepository($entity->getEntityType())
             ->getRelation($entity, 'phoneNumbers')
@@ -229,7 +229,7 @@ class Merger
     {
         $list = [];
 
-        /** @var iterable<EmailAddress> */
+        /** @var iterable<EmailAddress> $collection */
         $collection = $this->entityManager
             ->getRDBRepository($entity->getEntityType())
             ->getRelation($entity, 'emailAddresses')

application/Espo/Core/Api/ActionProcessor.php

@@ -135,6 +135,7 @@ class ActionProcessor
 
     /**
      * @param mixed $result
+     * @throws \JsonException
      */
     private function handleResult(Response $response, $result): void
     {
@@ -177,7 +178,7 @@ class ActionProcessor
             return false;
         }
 
-        /** @var class-string */
+        /** @var class-string $className */
         $className = $type->getName();
 
         $firstParamClass = new ReflectionClass($className);

application/Espo/Core/Api/Auth.php

@@ -33,8 +33,6 @@ use Espo\Core\Exceptions\BadRequest;
 use Espo\Core\Exceptions\ServiceUnavailable;
 use Espo\Core\Exceptions\Forbidden;
 
-use Espo\Core\Api\Request;
-use Espo\Core\Api\Response;
 use Espo\Core\Authentication\Authentication;
 use Espo\Core\Authentication\AuthenticationData;
 use Espo\Core\Authentication\Result;
@@ -69,6 +67,10 @@ class Auth
         $this->isEntryPoint = $isEntryPoint;
     }
 
+    /**
+     * @throws BadRequest
+     * @throws Exception
+     */
     public function process(Request $request, Response $response): AuthResult
     {
         $username = null;
@@ -87,6 +89,18 @@ class Auth
 
         $hasAuthData = (bool) ($username || $authenticationMethod);
 
+        if (!$hasAuthData) {
+            $password = $this->obtainTokenFromCookies($request);
+
+            if ($password) {
+                $authenticationData = AuthenticationData::create()
+                    ->withPassword($password)
+                    ->withByTokenOnly(true);
+
+                $hasAuthData = true;
+            }
+        }
+
         if (!$this->authRequired && !$this->isEntryPoint && $hasAuthData) {
             $authResult = $this->processAuthNotRequired(
                 $authenticationData,
@@ -118,6 +132,9 @@ class Auth
         return AuthResult::createNotResolved();
     }
 
+    /**
+     * @throws Exception
+     */
     private function processAuthNotRequired(
         AuthenticationData $data,
         Request $request,
@@ -140,6 +157,9 @@ class Auth
         return null;
     }
 
+    /**
+     * @throws Exception
+     */
     private function processWithAuthData(
         AuthenticationData $data,
         Request $request,
@@ -178,7 +198,7 @@ class Auth
      */
     protected function decodeAuthorizationString(string $string): array
     {
-        /** @var string */
+        /** @var string $stringDecoded */
         $stringDecoded = base64_decode($string);
 
         if (strpos($stringDecoded, ':') === false) {
@@ -205,6 +225,9 @@ class Auth
         $response->writeBody(Json::encode($bodyData));
     }
 
+    /**
+     * @throws Exception
+     */
     protected function handleException(Response $response, Exception $e): void
     {
         if (
@@ -269,6 +292,7 @@ class Auth
 
     /**
      * @return array{?string,?string}
+     * @throws BadRequest
      */
     protected function obtainUsernamePasswordFromRequest(Request $request): array
     {
@@ -290,17 +314,6 @@ class Auth
             return [$username, $password];
         }
 
-        if (
-            $request->getCookieParam('auth-username') &&
-            $request->getCookieParam('auth-token')
-        ) {
-
-            $username = $request->getCookieParam('auth-username');
-            $password = $request->getCookieParam('auth-token');
-
-            return [$username, $password];
-        }
-
         $cgiAuthString = $request->getHeader('Http-Espo-Cgi-Auth') ??
             $request->getHeader('Redirect-Http-Espo-Cgi-Auth');
 
@@ -312,4 +325,9 @@ class Auth
 
         return [null, null];
     }
+
+    private function obtainTokenFromCookies(Request $request): ?string
+    {
+        return $request->getCookieParam('auth-token');
+    }
 }

application/Espo/Core/Api/AuthBuilder.php

@@ -30,11 +30,12 @@
 namespace Espo\Core\Api;
 
 use Espo\Core\{
-    Exceptions\Error,
     Authentication\Authentication,
     Utils\Log,
 };
 
+use RuntimeException;
+
 /**
  * Builds Auth instance.
  */
@@ -77,7 +78,7 @@ class AuthBuilder
     public function build(): Auth
     {
         if (!$this->authentication) {
-            throw new Error("Authentication is not set.");
+            throw new RuntimeException("Authentication is not set.");
         }
 
         return new Auth($this->log, $this->authentication, $this->authRequired, $this->isEntryPoint);

application/Espo/Core/Api/ErrorOutput.php

@@ -34,6 +34,7 @@ use Espo\Core\Exceptions\HasBody;
 use Espo\Core\{
     Api\Request,
     Api\Response,
+    Exceptions\HasLogMessage,
     Utils\Log,
     Utils\Config,
 };
@@ -121,14 +122,16 @@ class ErrorOutput
         $message = $exception->getMessage();
         $statusCode = $exception->getCode();
 
+        if ($exception instanceof HasLogMessage) {
+            $message = $exception->getLogMessage();
+        }
+
         if ($route) {
             $this->processRoute($route, $request, $exception);
         }
 
         $logLevel = 'error';
 
-        $messageLineFile = null;
-
         $messageLineFile =
             'line: ' . $exception->getLine() . ', ' .
             'file: ' . $exception->getFile();
@@ -176,10 +179,10 @@ class ErrorOutput
         }
 
         if ($toPrintBody) {
-            $codeDesription = $this->getCodeDescription($statusCode);
+            $codeDescription = $this->getCodeDescription($statusCode);
 
-            $statusText = isset($codeDesription) ?
-                $statusCode . ' '. $codeDesription :
+            $statusText = isset($codeDescription) ?
+                $statusCode . ' '. $codeDescription :
                 'HTTP ' . $statusCode;
 
             if ($message) {

application/Espo/Core/Api/RequestProcessor.php

@@ -29,7 +29,7 @@
 
 namespace Espo\Core\Api;
 
-use Espo\Core\Exceptions\Error;
+use Espo\Core\Exceptions\BadRequest;
 use Espo\Core\Authentication\AuthenticationFactory;
 use Espo\Core\Utils\Config;
 use Espo\Core\Utils\Log;
@@ -37,6 +37,7 @@ use Espo\Core\ApplicationUser;
 
 use Exception;
 use Throwable;
+use LogicException;
 
 /**
  * Processes requests. Handles authentication. Obtains a controller name, action, body from a request.
@@ -113,6 +114,10 @@ class RequestProcessor
         ob_clean();
     }
 
+    /**
+     * @throws \Espo\Core\Exceptions\NotFound
+     * @throws BadRequest
+     */
     private function proceed(Request $request, Response $response): void
     {
         $this->beforeProceed($response);
@@ -129,7 +134,7 @@ class RequestProcessor
             $actionName = $crudList[$httpMethod] ?? null;
 
             if (!$actionName) {
-                throw new Error("No action for method {$httpMethod}.");
+                throw new BadRequest("No action for method {$httpMethod}.");
             }
         }
 
@@ -143,7 +148,7 @@ class RequestProcessor
         $controllerName = $request->getRouteParam('controller');
 
         if (!$controllerName) {
-            throw new Error("Route doesn't have specified controller.");
+            throw new LogicException("Route doesn't have specified controller.");
         }
 
         return ucfirst($controllerName);
@@ -174,6 +179,7 @@ class RequestProcessor
     private function afterProceed(Response $response): void
     {
         $response
+            ->setHeader('X-App-Timestamp', (string) ($this->config->get('appTimestamp') ?? '0'))
             ->setHeader('Expires', '0')
             ->setHeader('Last-Modified', gmdate('D, d M Y H:i:s') . ' GMT')
             ->setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, post-check=0, pre-check=0')

application/Espo/Core/Api/RequestWrapper.php

@@ -29,6 +29,9 @@
 
 namespace Espo\Core\Api;
 
+use Espo\Core\Utils\Json;
+use Espo\Core\Exceptions\BadRequest;
+
 use Psr\Http\Message\{
     ServerRequestInterface as Psr7Request,
     UriInterface,
@@ -181,30 +184,44 @@ class RequestWrapper implements ApiRequest
         return $contents;
     }
 
+    /**
+     * @throws BadRequest
+     */
     public function getParsedBody(): stdClass
     {
         if ($this->parsedBody === null) {
             $this->initParsedBody();
         }
 
-        assert($this->parsedBody !== null);
+        if ($this->parsedBody === null) {
+            throw new BadRequest();
+        }
 
         return Util::cloneObject($this->parsedBody);
     }
 
+    /**
+     * @throws BadRequest
+     */
     private function initParsedBody(): void
     {
         $contents = $this->getBodyContents();
 
         if ($this->getContentType() === 'application/json' && $contents) {
-            $this->parsedBody = json_decode($contents);
+            $parsedBody = Json::decode($contents);
 
-            if (is_array($this->parsedBody)) {
-                $this->parsedBody = (object) [
-                    'list' => $this->parsedBody,
+            if (is_array($parsedBody)) {
+                $parsedBody = (object) [
+                    'list' => $parsedBody,
                 ];
             }
 
+            if (!$parsedBody instanceof stdClass) {
+                throw new BadRequest("Body is not a JSON object.");
+            }
+
+            $this->parsedBody = $parsedBody;
+
             return;
         }
 

application/Espo/Core/Application.php

@@ -61,7 +61,7 @@ class Application
 
     protected function initContainer(): void
     {
-        /** @var Container */
+        /** @var Container $container */
         $container = (new ContainerBuilder())->build();
 
         $this->container = $container;

application/Espo/Core/ApplicationRunners/ClearCache.php

@@ -32,6 +32,7 @@ namespace Espo\Core\ApplicationRunners;
 use Espo\Core\{
     Application\Runner,
     DataManager,
+    Exceptions\Error,
 };
 
 /**
@@ -48,6 +49,9 @@ class ClearCache implements Runner
         $this->dataManager = $dataManager;
     }
 
+    /**
+     * @throws Error
+     */
     public function run(): void
     {
         $this->dataManager->clearCache();

application/Espo/Core/ApplicationRunners/Command.php

@@ -42,7 +42,7 @@ class Command implements Runner
     use Cli;
     use SetupSystemUser;
 
-    private $commandManager;
+    private ConsoleCommandManager $commandManager;
 
     public function __construct(ConsoleCommandManager $commandManager)
     {
@@ -52,10 +52,14 @@ class Command implements Runner
     public function run(): void
     {
         try {
-            $this->commandManager->run($_SERVER['argv']);
+            $exitStatus = $this->commandManager->run($_SERVER['argv']);
         }
         catch (Exception $e) {
             echo "Error: " . $e->getMessage() . "\n";
+
+            exit(1);
         }
+
+        exit($exitStatus);
     }
 }

application/Espo/Core/ApplicationRunners/PortalClient.php

@@ -29,11 +29,10 @@
 
 namespace Espo\Core\ApplicationRunners;
 
-use Espo\Core\Exceptions\Error;
-
 use Espo\Core\{
     Application\RunnerParameterized,
     Application\Runner\Params,
+    Exceptions\BadRequest,
     Exceptions\NotFound,
     Utils\ClientManager,
     Utils\Config,
@@ -42,8 +41,7 @@ use Espo\Core\{
     Portal\Utils\Url,
     Api\ErrorOutput,
     Api\RequestWrapper,
-    Api\ResponseWrapper,
-};
+    Api\ResponseWrapper};
 
 use Slim\{
     ResponseEmitter,
@@ -89,7 +87,7 @@ class PortalClient implements RunnerParameterized
         $responseWrapped = new ResponseWrapper(new Response());
 
         if ($requestWrapped->getMethod() !== 'GET') {
-            throw new Error("Only GET request is allowed.");
+            throw new BadRequest("Only GET request is allowed.");
         }
 
         try {

application/Espo/Core/ApplicationState.php

@@ -33,12 +33,14 @@ use Espo\Core\Exceptions\Error;
 use Espo\Entities\Portal as PortalEntity;
 use Espo\Entities\User as UserEntity;
 
+use LogicException;
+
 /**
  * Provides information about an application, current user, portal.
  */
 class ApplicationState
 {
-    private $container;
+    private Container $container;
 
     public function __construct(Container $container)
     {
@@ -59,7 +61,7 @@ class ApplicationState
     public function getPortalId(): string
     {
         if (!$this->isPortal()) {
-            throw new Error("Can't get portal ID for non-portal application.");
+            throw new LogicException("Can't get portal ID for non-portal application.");
         }
 
         return $this->getPortal()->getId();
@@ -71,7 +73,7 @@ class ApplicationState
     public function getPortal(): PortalEntity
     {
         if (!$this->isPortal()) {
-            throw new Error("Can't get portal for non-portal application.");
+            throw new LogicException("Can't get portal for non-portal application.");
         }
 
         /** @var PortalEntity */
@@ -92,7 +94,7 @@ class ApplicationState
     public function getUser(): UserEntity
     {
         if (!$this->hasUser()) {
-            throw new Error("User is not yet available.");
+            throw new LogicException("User is not yet available.");
         }
 
         /** @var UserEntity */

application/Espo/Core/ApplicationUser.php

@@ -29,10 +29,6 @@
 
 namespace Espo\Core;
 
-use Espo\Core\Exceptions\{
-    Error,
-};
-
 use Espo\Entities\{
     User,
 };
@@ -41,6 +37,8 @@ use Espo\Core\{
     ORM\EntityManagerProxy,
 };
 
+use RuntimeException;
+
 /**
  * Setting a current user for the application.
  */
@@ -57,14 +55,14 @@ class ApplicationUser
     }
 
     /**
-     * Setup the system user as a current user. The system user is used when no user is logged in.
+     * Set up the system user as a current user. The system user is used when no user is logged in.
      */
     public function setupSystemUser(): void
     {
         $user = $this->entityManagerProxy->getEntity('User', 'system');
 
         if (!$user) {
-            throw new Error("System user is not found.");
+            throw new RuntimeException("System user is not found.");
         }
 
         $user->set('ipAddress', $_SERVER['REMOTE_ADDR'] ?? null);

application/Espo/Core/Authentication/AuthToken/EspoManager.php

@@ -50,7 +50,7 @@ class EspoManager implements Manager
     {
         $this->entityManager = $entityManager;
 
-        /** @var RDBRepository<AuthTokenEntity> */
+        /** @var RDBRepository<AuthTokenEntity> $repository */
         $repository = $entityManager->getRDBRepository(AuthTokenEntity::ENTITY_TYPE);
 
         $this->repository = $repository;
@@ -58,7 +58,7 @@ class EspoManager implements Manager
 
     public function get(string $token): ?AuthToken
     {
-        /** @var ?AuthTokenEntity */
+        /** @var ?AuthTokenEntity $authToken */
         $authToken = $this->entityManager
             ->getRDBRepository(AuthTokenEntity::ENTITY_TYPE)
             ->select([
@@ -83,7 +83,7 @@ class EspoManager implements Manager
 
     public function create(Data $data): AuthToken
     {
-        /** @var AuthTokenEntity */
+        /** @var AuthTokenEntity $authToken */
         $authToken = $this->repository->getNew();
 
         $authToken->set([
@@ -169,7 +169,7 @@ class EspoManager implements Manager
         }
 
         if (function_exists('openssl_random_pseudo_bytes')) {
-            /** @var string */
+            /** @var string $randomValue */
             $randomValue = openssl_random_pseudo_bytes($length);
 
             return bin2hex($randomValue);

application/Espo/Core/Authentication/Authentication.php

@@ -29,7 +29,6 @@
 
 namespace Espo\Core\Authentication;
 
-use Espo\Core\Exceptions\Forbidden;
 use Espo\Core\Exceptions\ServiceUnavailable;
 
 use Espo\Repositories\UserData as UserDataRepository;
@@ -43,9 +42,7 @@ use Espo\Entities\{
 };
 
 use Espo\Core\Authentication\{
-    Result,
     Result\FailReason,
-    LoginFactory,
     TwoFactor\LoginFactory as TwoFactorLoginFactory,
     AuthToken\Manager as AuthTokenManager,
     AuthToken\Data as AuthTokenData,
@@ -124,7 +121,6 @@ class Authentication
      *
      * Warning: This method can change the state of the object (by setting the `portal` prop.).
      *
-     * @throws Forbidden
      * @throws ServiceUnavailable
      */
     public function login(AuthenticationData $data, Request $request, Response $response): Result
@@ -132,14 +128,14 @@ class Authentication
         $username = $data->getUsername();
         $password = $data->getPassword();
         $authenticationMethod = $data->getMethod();
+        $byTokenOnly = $data->byTokenOnly();
 
         if (
             $authenticationMethod &&
             !$this->configDataProvider->authenticationMethodIsApi($authenticationMethod)
         ) {
-            $this->log->warning(
-                "AUTH: Trying to use not allowed authentication method '{$authenticationMethod}'."
-            );
+            $this->log
+                ->warning("AUTH: Trying to use not allowed authentication method '{$authenticationMethod}'.");
 
             return $this->processFail(
                 Result::fail(FailReason::METHOD_NOT_ALLOWED),
@@ -184,9 +180,13 @@ class Authentication
             }
         }
 
-        $isByTokenOnly = !$authenticationMethod && $request->getHeader('Espo-Authorization-By-Token') === 'true';
+        $byTokenAndUsername = $request->getHeader('Espo-Authorization-By-Token') === 'true';
 
-        if ($isByTokenOnly && !$authToken) {
+        if ($authenticationMethod && $byTokenAndUsername) {
+            return Result::fail(FailReason::DISCREPANT_DATA);
+        }
+
+        if (($byTokenAndUsername || $byTokenOnly) && !$authToken) {
             if ($username) {
                 $this->log->info(
                     "AUTH: Trying to login as user '{$username}' by token but token is not found."
@@ -200,6 +200,20 @@ class Authentication
             );
         }
 
+        if ($byTokenOnly) {
+            assert($authToken !== null);
+
+            $username = $this->getUsernameByAuthToken($authToken);
+
+            if (!$username) {
+                return $this->processFail(
+                    Result::fail(FailReason::USER_NOT_FOUND),
+                    $data,
+                    $request
+                );
+            }
+        }
+
         if (!$authenticationMethod) {
             $authenticationMethod = $this->configDataProvider->getDefaultAuthenticationMethod();
         }
@@ -354,7 +368,7 @@ class Authentication
     private function processAuthTokenCheck(AuthToken $authToken): bool
     {
         if ($this->allowAnyAccess && $authToken->getPortalId() && !$this->isPortal()) {
-            /** @var ?Portal */
+            /** @var ?Portal $portal */
             $portal = $this->entityManager->getEntity('Portal', $authToken->getPortalId());
 
             if ($portal) {
@@ -504,7 +518,7 @@ class Authentication
         );
 
         if ($createSecret) {
-            $this->setSecretInCookie($authToken->getSecret(), $response);
+            $this->setSecretInCookie($authToken->getSecret(), $response, $request);
         }
 
         if (
@@ -563,7 +577,7 @@ class Authentication
             return null;
         }
 
-        /** @var AuthLogRecord */
+        /** @var AuthLogRecord $authLogRecord */
         $authLogRecord = $this->entityManager->getNewEntity('AuthLogRecord');
 
         $requestUrl =
@@ -612,7 +626,7 @@ class Authentication
         $this->entityManager->saveEntity($authLogRecord);
     }
 
-    private function setSecretInCookie(?string $secret, Response $response): void
+    private function setSecretInCookie(?string $secret, Response $response, ?Request $request = null): void
     {
         $time = $secret ? strtotime('+1000 days') : 1;
 
@@ -625,9 +639,36 @@ class Authentication
             '; HttpOnly' .
             '; SameSite=Lax';
 
+        if ($request && self::isSecureRequest($request)) {
+            $headerValue .= "; Secure";
+        }
+
         $response->addHeader('Set-Cookie', $headerValue);
     }
 
+    private static function isSecureRequest(Request $request): bool
+    {
+        $https = $request->getServerParam('HTTPS');
+
+        if ($https === 'on') {
+            return true;
+        }
+
+        $scheme = $request->getServerParam('REQUEST_SCHEME');
+
+        if ($scheme === 'https') {
+            return true;
+        }
+
+        $forwardedProto = $request->getServerParam('HTTP_X_FORWARDED_PROTO');
+
+        if ($forwardedProto === 'https') {
+            return true;
+        }
+
+        return false;
+    }
+
     private function processFail(Result $result, AuthenticationData $data, Request $request): Result
     {
         $this->hookManager->processOnFail($result, $data, $request);
@@ -669,4 +710,20 @@ class Authentication
         /** @var UserDataRepository */
         return $this->entityManager->getRepository(UserData::ENTITY_TYPE);
     }
+
+    private function getUsernameByAuthToken(AuthToken $authToken): ?string
+    {
+        /** @var ?User $user */
+        $user = $this->entityManager
+            ->getRDBRepository(User::ENTITY_TYPE)
+            ->select(['userName'])
+            ->where(['id' => $authToken->getUserId()])
+            ->findOne();
+
+        if (!$user) {
+            return null;
+        }
+
+        return $user->getUserName();
+    }
 }

application/Espo/Core/Authentication/AuthenticationData.php

@@ -31,11 +31,10 @@ namespace Espo\Core\Authentication;
 
 class AuthenticationData
 {
-    private $username;
-
-    private $password;
-
-    private $method;
+    private ?string $username;
+    private ?string $password;
+    private ?string $method;
+    private bool $byTokenOnly = false;
 
     public function __construct(
         ?string $username = null,
@@ -52,21 +51,38 @@ class AuthenticationData
         return new self();
     }
 
+    /**
+     * A username.
+     */
     public function getUsername(): ?string
     {
         return $this->username;
     }
 
+    /**
+     * A password or auth-token.
+     */
     public function getPassword(): ?string
     {
         return $this->password;
     }
 
+    /**
+     * A method.
+     */
     public function getMethod(): ?string
     {
         return $this->method;
     }
 
+    /**
+     * Authenticate by auth-token only. No username check.
+     */
+    public function byTokenOnly(): bool
+    {
+        return $this->byTokenOnly;
+    }
+
     public function withUsername(?string $username): self
     {
         $obj = clone $this;
@@ -90,4 +106,12 @@ class AuthenticationData
 
         return $obj;
     }
+
+    public function withByTokenOnly(bool $byTokenOnly): self
+    {
+        $obj = clone $this;
+        $obj->byTokenOnly = $byTokenOnly;
+
+        return $obj;
+    }
 }

application/Espo/Core/Authentication/Helper/UserFinder.php

@@ -44,7 +44,7 @@ class UserFinder
 
     public function find(string $username, string $hash): ?User
     {
-        /** @var ?User */
+        /** @var ?User $user */
         $user = $this->entityManager
             ->getRDBRepository(User::ENTITY_TYPE)
             ->where([
@@ -59,7 +59,7 @@ class UserFinder
 
     public function findApiHmac(string $apiKey): ?User
     {
-        /** @var ?User */
+        /** @var ?User $user */
         $user = $this->entityManager
             ->getRDBRepository(User::ENTITY_TYPE)
             ->where([
@@ -74,7 +74,7 @@ class UserFinder
 
     public function findApiApiKey(string $apiKey): ?User
     {
-        /** @var ?User */
+        /** @var ?User $user */
         $user = $this->entityManager
             ->getRDBRepository(User::ENTITY_TYPE)
             ->where([

application/Espo/Core/Authentication/LDAP/ClientFactory.php

@@ -33,6 +33,7 @@ class ClientFactory
 {
     /**
      * @param array<string,mixed> $options
+     * @throws \Laminas\Ldap\Exception\LdapException
      */
     public function create(array $options): Client
     {

application/Espo/Core/Authentication/LoginFactory.php

@@ -52,14 +52,14 @@ class LoginFactory
 
     public function create(string $method, bool $isPortal = false): Login
     {
-        /** @var class-string<Login> */
+        /** @var class-string<Login> $className */
         $className = $this->metadata->get(['authenticationMethods', $method, 'implementationClassName']);
 
         if (!$className) {
             $sanitizedName = preg_replace('/[^a-zA-Z0-9]+/', '', $method);
 
             if (!class_exists($className)) {
-                /** @var class-string<Login> */
+                /** @var class-string<Login> $className */
                 $className = "Espo\\Core\\Authentication\\Logins\\" . $sanitizedName;
             }
         }

application/Espo/Core/Authentication/Logins/Espo.php

@@ -43,9 +43,10 @@ use RuntimeException;
 
 class Espo implements Login
 {
-    private $userFinder;
+    public const NAME = 'Espo';
 
-    private $passwordHash;
+    private UserFinder $userFinder;
+    private PasswordHash $passwordHash;
 
     public function __construct(UserFinder $userFinder, PasswordHash $passwordHash)
     {
@@ -81,7 +82,7 @@ class Espo implements Login
             return Result::fail(FailReason::WRONG_CREDENTIALS);
         }
 
-        if ($authToken && $user->id !== $authToken->getUserId()) {
+        if ($authToken && $user->getId() !== $authToken->getUserId()) {
             return Result::fail(FailReason::USER_TOKEN_MISMATCH);
         }
 

application/Espo/Core/Authentication/Logins/Hmac.php

@@ -36,10 +36,11 @@ use Espo\Core\{
     Authentication\Login\Data,
     Authentication\Result,
     Authentication\Helper\UserFinder,
-    Exceptions\Error,
     Authentication\Result\FailReason,
 };
 
+use RuntimeException;
+
 class Hmac implements Login
 {
     private $userFinder;
@@ -71,7 +72,7 @@ class Hmac implements Login
         $secretKey = $this->apiKeyUtil->getSecretKeyForUserId($user->getId());
 
         if (!$secretKey) {
-            throw new Error("No secret key for API user '" . $user->getId() . "'.");
+            throw new RuntimeException("No secret key for API user '" . $user->getId() . "'.");
         }
 
         $string = $request->getMethod() . ' ' . $request->getResourcePath();

application/Espo/Core/Authentication/Logins/LDAP.php

@@ -408,6 +408,8 @@ class LDAP implements Login
 
     /**
      * Find LDAP user DN by his username.
+     *
+     * @throws \Laminas\Ldap\Exception\LdapException
      */
     private function findLdapUserDnByUsername(string $username): ?string
     {
@@ -426,7 +428,7 @@ class LDAP implements Login
             '(' . $options['userNameAttribute'] . '=' . $username . ')' .
             $loginFilterString . ')';
 
-        /** @var array<int,array{dn: string}> */
+        /** @var array<int,array{dn: string}> $result */
         $result = $ldapClient->search($searchString, null, Client::SEARCH_SCOPE_SUB);
 
         $this->log->debug('LDAP: user search string: "' . $searchString . '"');

application/Espo/Core/Authentication/Result/Data.php

@@ -37,7 +37,7 @@ class Data
 {
     private ?string $message = null;
 
-    private ?string$token = null;
+    private ?string $token = null;
 
     private ?string $view = null;
 

application/Espo/Core/Authentication/Result/FailReason.php

@@ -50,4 +50,6 @@ class FailReason
     public const HASH_NOT_MATCHED = 'Hash not matched';
 
     public const METHOD_NOT_ALLOWED = 'Not allowed authentication method';
+
+    public const DISCREPANT_DATA = 'Discrepant authentication data';
 }

application/Espo/Core/Authentication/TwoFactor/LoginFactory.php

@@ -31,7 +31,8 @@ namespace Espo\Core\Authentication\TwoFactor;
 
 use Espo\Core\InjectableFactory;
 use Espo\Core\Utils\Metadata;
-use Espo\Core\Exceptions\Error;
+
+use LogicException;
 
 class LoginFactory
 {
@@ -47,11 +48,11 @@ class LoginFactory
 
     public function create(string $method): Login
     {
-        /** @var ?class-string<Login> */
+        /** @var ?class-string<Login> $className */
         $className = $this->metadata->get(['app', 'authentication2FAMethods', $method, 'loginClassName']);
 
         if (!$className) {
-            throw new Error("No login-class class for '{$method}'.");
+            throw new LogicException("No login-class class for '{$method}'.");
         }
 
         return $this->injectableFactory->create($className);

application/Espo/Core/Authentication/TwoFactor/UserSetupFactory.php

@@ -48,7 +48,7 @@ class UserSetupFactory
 
     public function create(string $method): UserSetup
     {
-        /** @var ?class-string<UserSetup> */
+        /** @var ?class-string<UserSetup> $className */
         $className = $this->metadata->get(['app', 'authentication2FAMethods', $method, 'userSetupClassName']);
 
         if (!$className) {