lang

* Get only active users in email address lookup

* fix isActive field name

.github/CONTRIBUTING.md

@@ -1,14 +1,18 @@
 ## Issues
 
 When reporting a possible bug, provide detail steps so that we will be able
-to reproduce the issue. Try not to use phrases like "very big bug",
+to reproduce the issue. Steps to reproduce should be clear and unambiguous. Try not to use phrases like "very big bug",
 "huge issue", "useless feature", etc. No need to use exclamation marks as well.
 
-Steps to reproduce should be clear and unambiguous.
-
 Note that we don't provide developer help or any kind of support on GitHub.
 For this, please use our [forum](https://forum.espocrm.com).
 
+If you are very new to EspoCRM, it's probable that an issue you ran into is not a bug.
+Consider creating a topic on our [forum](https://forum.espocrm.com/forum/general) instead.
+
+The issue tracker is for the benefit of the EspoCRM project. The project maintainers are going to handle issues in the project's best interest.
+The maintainers have right to close issues without explanation.
+
 ## Pull Requests
 
 We are open for contributions that are bug fixes and small improvements. If you would like to contribute something that is not a small fix, please reach out to maintainers before submitting your PR (by creating a GitHub issue).

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,6 +1,6 @@
 ---
 name: Feature request
-about: Feature requests are not desired at the moment. Need to polish the system. For high-level features, consider creating feature requests on the forum. For low-level (framework) – here on GitHub.
+about: For high-level features, create feature requests on our forum. For low-level (framework) – here on GitHub.
 title: ''
 labels: ''
 assignees: ''

.idea/codeStyles/Project.xml

@@ -17,8 +17,6 @@
     <codeStyleSettings language="PHP">
       <option name="KEEP_FIRST_COLUMN_COMMENT" value="false" />
       <option name="KEEP_CONTROL_STATEMENT_IN_ONE_LINE" value="false" />
-      <option name="CATCH_ON_NEW_LINE" value="true" />
-      <option name="FINALLY_ON_NEW_LINE" value="true" />
       <option name="ALIGN_MULTILINE_PARAMETERS" value="false" />
       <option name="ALIGN_MULTILINE_FOR" value="false" />
       <option name="METHOD_PARAMETERS_RPAREN_ON_NEXT_LINE" value="true" />

.idea/inspectionProfiles/Project_Default.xml

@@ -3,6 +3,7 @@
     <option name="myName" value="Project Default" />
     <inspection_tool class="DuplicatedCode" enabled="false" level="WEAK WARNING" enabled_by_default="false" />
     <inspection_tool class="ES6ConvertLetToConst" enabled="true" level="WEAK WARNING" enabled_by_default="true" editorAttributes="INFO_ATTRIBUTES" />
+    <inspection_tool class="HtmlUnknownAnchorTarget" enabled="false" level="WARNING" enabled_by_default="false" />
     <inspection_tool class="JSIgnoredPromiseFromCall" enabled="false" level="WEAK WARNING" enabled_by_default="false" />
     <inspection_tool class="PhpDocMissingThrowsInspection" enabled="false" level="WEAK WARNING" enabled_by_default="false" />
     <inspection_tool class="PhpDocSignatureIsNotCompleteInspection" enabled="false" level="WEAK WARNING" enabled_by_default="false" />

README.md

@@ -2,37 +2,41 @@
 
 [![PHPStan level 8](https://img.shields.io/badge/PHPStan-level%208-brightgreen)](#espocrm)
 
-[EspoCRM is an Open Source CRM](https://www.espocrm.com) (Customer Relationship Management)
-software that allows you to see, enter and evaluate all your company relationships regardless
-of the type. People, companies or opportunities – all in an easy and intuitive interface.
-
-It's a web application with a frontend designed as a single page application and a REST API
-backend written in PHP.
-
-[Download](https://www.espocrm.com/download/) the latest release from our website. Release notes
-and release packages are available at [Releases](https://github.com/espocrm/espocrm/releases) on GitHub.
+[EspoCRM](https://www.espocrm.com) is a free, open-source CRM platform designed to help organizations build and maintain strong customer relationships. 
+It provides a wide range of tools to store, organize, and manage leads, contacts, sales opportunities, marketing campaigns, 
+support cases, and more – all business information in a simple and intuitive interface.
 
 ![Screenshot](https://user-images.githubusercontent.com/1006792/226094559-995dfd2a-a18f-4619-a21b-79a4e671990a.png)
 
+### Architecture
+
+EspoCRM is a web application with a frontend designed as a single-page application and a REST API
+backend written in PHP.
+
 ### Demo
 
-You can try the CRM on the online [demo](https://www.espocrm.com/demo/).
+You can try the CRM on an online [demo](https://www.espocrm.com/demo/).
 
 ### Requirements
 
 * PHP 8.1 - 8.3;
 * MySQL 5.7 (and later), or MariaDB 10.2 (and later);
-* PostgreSQL 15 (and later) (yet experimental, officially supported soon).
+* PostgreSQL 15 (and later) (beta, official support soon).
 
-For more information about server configuration see [this article](https://docs.espocrm.com/administration/server-configuration/).
+For more information about server configuration, see [this article](https://docs.espocrm.com/administration/server-configuration/).
 
-### Documentation
+### Why EspoCRM?
 
-See the [documentation](https://docs.espocrm.com) for administrators, users and developers.
+* **Open-source transparency**. EspoCRM’s source code is open and accessible, so anyone can inspect it and see how data is being managed within the CRM.
+* **Customization freedom**. You can develop features, create custom entities, fields, relationships, buttons to make the CRM fit your specific needs.
+* **Clean user interface**. EspoCRM has a uncluttered, minimalist and very fast user inteface that is easy to navigate and has a short learning curve.
+* **Straightforward REST API**. It can be easily integrated with other applications using a REST API.
 
-### Bug reporting
+### Who is EspoCRM for?
 
-Create a [GitHub issue](https://github.com/espocrm/espocrm/issues/new/choose) or post on our [forum](https://forum.espocrm.com/forum/bug-reports).
+* **Startups, small & medium-sized businesses**. It’s an affordable solution that is flexible and fully customizable.
+* **Developers & tech enthusiasts**. You can extend functionalities, build extensions, and create custom integrations.
+* **Anyone seeking a free CRM**. If you're looking for a user-friendly and secure CRM platform, it can be a good option.
 
 ### Installing stable version
 
@@ -43,11 +47,29 @@ See installation instructions:
 * [Installation with Docker](https://docs.espocrm.com/administration/docker/installation/)
 * [Installation with Traefik](https://docs.espocrm.com/administration/docker/traefik/)
 
+### Download
+
+[Download](https://www.espocrm.com/download/) the latest release from our website. You can also download the latest and previous release packages from GitHub [releases](https://github.com/espocrm/espocrm/releases).
+
+### Release notes
+
+Release notes are available at GitHub [releases](https://github.com/espocrm/espocrm/releases).
+
+### Documentation
+
+See the [documentation](https://docs.espocrm.com) for administrators, users and developers.
+
+### Bug reporting
+
+Create a [GitHub issue](https://github.com/espocrm/espocrm/issues/new/choose) or post on our [forum](https://forum.espocrm.com/forum/bug-reports).
+
 ### Development
 
 See the [developer documentation](https://docs.espocrm.com/development/).
 
-We highly recommend using IDE for development. The backend codebase follows SOLID principles, utilizes interfaces, static typing and generics. We recommend to start learning EspoCRM from the Dependency Injection article in the documentation.
+We highly recommend using an IDE for development. The backend codebase follows SOLID principles, utilizes interfaces, static typing and generics. We recommend to start learning EspoCRM from the Dependency Injection article in the documentation.
+
+Metadata plays an integral role in the EspoCRM application. All possible parameters are described with a JSON Schema, meaning you will have autocompletion in the IDE. You can also find the full metadata reference in the documentation.
 
 ### Community & Support
 
@@ -55,11 +77,11 @@ If you have a question regarding some features, need help or customizations, wan
 
 ### License
 
-EspoCRM is published under the GNU AGPLv3 [license](https://raw.githubusercontent.com/espocrm/espocrm/master/LICENSE.txt).
+EspoCRM is an open-source project licensed under [GNU AGPLv3](https://raw.githubusercontent.com/espocrm/espocrm/master/LICENSE.txt).
 
 ### Contributing
 
-Before we can merge your pull request, you need to accept our CLA [here](https://github.com/espocrm/cla). See [contributing guidelines](https://github.com/espocrm/espocrm/blob/master/.github/CONTRIBUTING.md).
+Before we can merge your pull request, you need to accept our CLA [here](https://github.com/espocrm/cla). See the [contributing guidelines](https://github.com/espocrm/espocrm/blob/master/.github/CONTRIBUTING.md).
 
 Branches:
 

application/Espo/Classes/Acl/ImportEml/AccessChecker.php

@@ -0,0 +1,47 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\Acl\ImportEml;
+
+use Espo\Core\Acl\AccessCreateChecker;
+use Espo\Core\Acl\ScopeData;
+use Espo\Entities\User;
+
+class AccessChecker implements AccessCreateChecker
+{
+    public function check(User $user, ScopeData $data): bool
+    {
+        return $data->isTrue();
+    }
+
+    public function checkCreate(User $user, ScopeData $data): bool
+    {
+        return $data->isTrue();
+    }
+}

application/Espo/Classes/Acl/Note/AccessChecker.php

@@ -29,6 +29,7 @@
 
 namespace Espo\Classes\Acl\Note;
 
+use Espo\Core\Acl\Permission;
 use Espo\Core\Acl\Table;
 use Espo\Entities\Note;
 use Espo\Entities\User;
@@ -143,7 +144,7 @@ class AccessChecker implements AccessEntityCREDChecker
         }
 
         if ($entity->getTargetType() === Note::TARGET_PORTALS) {
-            return $this->aclManager->getPermissionLevel($user, 'portal') === Table::LEVEL_YES;
+            return $this->aclManager->getPermissionLevel($user, Permission::PORTAL) === Table::LEVEL_YES;
         }
 
         return false;

application/Espo/Classes/Acl/Portal/AccessChecker.php

@@ -29,6 +29,7 @@
 
 namespace Espo\Classes\Acl\Portal;
 
+use Espo\Core\Acl\Permission;
 use Espo\Entities\Portal;
 use Espo\Entities\User;
 use Espo\Core\Acl\AccessEntityCREDChecker;
@@ -45,18 +46,12 @@ class AccessChecker implements AccessEntityCREDChecker
 {
     use DefaultAccessCheckerDependency;
 
-    private DefaultAccessChecker $defaultAccessChecker;
-    private AclManager $aclManager;
-
-    public function __construct(DefaultAccessChecker $defaultAccessChecker, AclManager $aclManager)
-    {
-        $this->defaultAccessChecker = $defaultAccessChecker;
-        $this->aclManager = $aclManager;
-    }
+    public function __construct(private DefaultAccessChecker $defaultAccessChecker, private AclManager $aclManager)
+    {}
 
     public function check(User $user, ScopeData $data): bool
     {
-        $level = $this->aclManager->getPermissionLevel($user, 'portal');
+        $level = $this->aclManager->getPermissionLevel($user, Permission::PORTAL);
 
         return $level === Table::LEVEL_YES;
     }

application/Espo/Classes/Acl/User/AccessChecker.php

@@ -29,6 +29,7 @@
 
 namespace Espo\Classes\Acl\User;
 
+use Espo\Core\Acl\Permission;
 use Espo\Entities\User;
 use Espo\ORM\Entity;
 use Espo\Core\Acl\AccessEntityCREDSChecker;
@@ -60,8 +61,6 @@ class AccessChecker implements AccessEntityCREDSChecker
             return false;
         }
 
-        /** @var User $entity */
-
         if ($entity->isSuperAdmin() && !$user->isSuperAdmin()) {
             return false;
         }
@@ -71,10 +70,8 @@ class AccessChecker implements AccessEntityCREDSChecker
 
     public function checkEntityRead(User $user, Entity $entity, ScopeData $data): bool
     {
-        /** @var User $entity */
-
         if ($entity->isPortal()) {
-            if ($this->aclManager->getPermissionLevel($user, 'portal') === Table::LEVEL_YES) {
+            if ($this->aclManager->getPermissionLevel($user, Permission::PORTAL) === Table::LEVEL_YES) {
                 return true;
             }
 
@@ -90,8 +87,6 @@ class AccessChecker implements AccessEntityCREDSChecker
 
     public function checkEntityEdit(User $user, Entity $entity, ScopeData $data): bool
     {
-        /** @var User $entity */
-
         if ($entity->isSystem()) {
             return false;
         }
@@ -111,8 +106,6 @@ class AccessChecker implements AccessEntityCREDSChecker
 
     public function checkEntityDelete(User $user, Entity $entity, ScopeData $data): bool
     {
-        /** @var User $entity */
-
         if (!$user->isAdmin()) {
             return false;
         }
@@ -130,8 +123,7 @@ class AccessChecker implements AccessEntityCREDSChecker
 
     public function checkEntityStream(User $user, Entity $entity, ScopeData $data): bool
     {
-        /** @var User $entity */
-
-        return $this->aclManager->checkUserPermission($user, $entity, 'user');
+        /** @noinspection PhpRedundantOptionalArgumentInspection */
+        return $this->aclManager->checkUserPermission($user, $entity, Permission::USER);
     }
 }

application/Espo/Classes/AppParams/AddressCountryData.php

@@ -0,0 +1,48 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\AppParams;
+
+use Espo\Core\Utils\Address\CountryDataProvider;
+use Espo\Tools\App\AppParam;
+
+class AddressCountryData implements AppParam
+{
+    public function __construct(
+        private CountryDataProvider $provider
+    ) {}
+
+    /**
+     * @return array{list: string[], preferredList: string[]}
+     */
+    public function get(): array
+    {
+        return $this->provider->get();
+    }
+}

application/Espo/Classes/Cleanup/AppLog.php

@@ -0,0 +1,65 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\Cleanup;
+
+use Espo\Core\Cleanup\Cleanup;
+use Espo\Core\Field\DateTime;
+use Espo\Core\Utils\Config;
+use Espo\Entities\AppLogRecord;
+use Espo\ORM\EntityManager;
+use Espo\ORM\Query\DeleteBuilder;
+
+class AppLog implements Cleanup
+{
+    private const PERIOD = '30 days';
+
+    public function __construct(
+        private EntityManager $entityManager,
+        private Config $config
+    ) {}
+
+    public function process(): void
+    {
+        $query = DeleteBuilder::create()
+            ->from(AppLogRecord::ENTITY_TYPE)
+            ->where(['createdAt<' => $this->getBefore()->toString()])
+            ->build();
+
+        $this->entityManager->getQueryExecutor()->execute($query);
+    }
+
+    private function getBefore(): DateTime
+    {
+        /** @var string $period */
+        $period = $this->config->get('cleanupAppLogPeriod') ?? self::PERIOD;
+
+        return DateTime::createNow()->modify('-' . $period);
+    }
+}

application/Espo/Classes/Cleanup/Stars.php

@@ -0,0 +1,137 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\Cleanup;
+
+use Espo\Core\Cleanup\Cleanup;
+use Espo\Core\Utils\Acl\UserAclManagerProvider;
+use Espo\Entities\StarSubscription;
+use Espo\Entities\User;
+use Espo\ORM\EntityManager;
+use Espo\ORM\Query\DeleteBuilder;
+use Espo\Tools\Stars\StarService;
+
+/**
+ * @noinspection PhpUnused
+ */
+class Stars implements Cleanup
+{
+    public function __construct(
+        private EntityManager $entityManager,
+        private UserAclManagerProvider $userAclManagerProvider,
+        private StarService $service
+    ) {}
+
+    public function process(): void
+    {
+        foreach ($this->getEntityTypeList() as $entityType) {
+            $this->processEntityType($entityType);
+        }
+    }
+
+    /**
+     * @return string[]
+     */
+    private function getEntityTypeList(): array
+    {
+        $groups = $this->entityManager->getRDBRepositoryByClass(StarSubscription::class)
+            ->group('entityType')
+            ->select('entityType')
+            ->find();
+
+        $list = [];
+
+        foreach ($groups as $group) {
+            $list[] = $group->get('entityType');
+        }
+
+        return $list;
+    }
+
+    private function processEntityType(string $entityType): void
+    {
+        if (
+            !$this->service->isEnabled($entityType) ||
+            !$this->entityManager->hasRepository($entityType)
+        ) {
+            $deleteQuery = DeleteBuilder::create()
+                ->from(StarSubscription::ENTITY_TYPE)
+                ->where(['entityType' => $entityType])
+                ->build();
+
+            $this->entityManager->getQueryExecutor()->execute($deleteQuery);
+
+            return;
+        }
+
+        $stars = $this->entityManager
+            ->getRDBRepositoryByClass(StarSubscription::class)
+            ->where(['entityType' => $entityType])
+            ->sth()
+            ->find();
+
+        foreach ($stars as $star) {
+            $entityId = $star->get('entityId');
+            $userId = $star->get('userId');
+
+            if ($userId === null || $entityId === null) {
+                continue;
+            }
+
+            $entity = $this->entityManager->getEntityById($entityType, $entityId);
+            $user = $this->entityManager->getRDBRepositoryByClass(User::class)->getById($userId);
+
+            if (!$entity || !$user) {
+                $this->unstar($userId, $entityType, $entityId);
+
+                continue;
+            }
+
+            $aclManager = $this->userAclManagerProvider->get($user);
+
+            if (!$aclManager->checkEntityRead($user, $entity)) {
+                $this->unstar($userId, $entityType, $entityId);
+            }
+        }
+    }
+
+    private function unstar(string $userId, string $entityType, string $entityId): void
+    {
+        $deleteQuery = DeleteBuilder::create()
+            ->from(StarSubscription::ENTITY_TYPE)
+            ->where([
+                'userId' => $userId,
+                'entityType' => $entityType,
+                'entityId' => $entityId,
+            ])
+            ->build();
+
+        $this->entityManager->getQueryExecutor()->execute($deleteQuery);
+    }
+}

application/Espo/Classes/Cleanup/Subscribers.php

@@ -33,7 +33,7 @@ use Espo\Core\Cleanup\Cleanup;
 use Espo\Core\Field\DateTime;
 use Espo\Core\Utils\Config;
 use Espo\Core\Utils\Metadata;
-use Espo\Entities\Subscription;
+use Espo\Entities\StreamSubscription;
 use Espo\ORM\EntityManager;
 use Espo\ORM\Query\Part\Condition as Cond;
 
@@ -41,19 +41,11 @@ class Subscribers implements Cleanup
 {
     private const PERIOD = '2 months';
 
-    private Metadata $metadata;
-    private EntityManager $entityManager;
-    private Config $config;
-
     public function __construct(
-        Metadata $metadata,
-        EntityManager $entityManager,
-        Config $config
-    ) {
-        $this->metadata = $metadata;
-        $this->entityManager = $entityManager;
-        $this->config = $config;
-    }
+        private Metadata $metadata,
+        private EntityManager $entityManager,
+        private Config $config
+    ) {}
 
     public function process(): void
     {
@@ -105,7 +97,7 @@ class Subscribers implements Cleanup
         $query = $this->entityManager
             ->getQueryBuilder()
             ->delete()
-            ->from(Subscription::ENTITY_TYPE, 'subscription')
+            ->from(StreamSubscription::ENTITY_TYPE, 'subscription')
             ->join(
                 $entityType,
                 'entity',

application/Espo/Classes/FieldProcessing/Email/FolderDataLoader.php

@@ -0,0 +1,66 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\FieldProcessing\Email;
+
+use Espo\Core\FieldProcessing\Loader;
+use Espo\Core\FieldProcessing\Loader\Params;
+use Espo\Entities\Email;
+use Espo\Entities\EmailFolder;
+use Espo\ORM\Entity;
+use Espo\ORM\EntityManager;
+
+/**
+ * @implements Loader<Email>
+ */
+class FolderDataLoader implements Loader
+{
+    public function __construct(private EntityManager $entityManager) {}
+
+    public function process(Entity $entity, Params $params): void
+    {
+        $folderId = $entity->get(Email::USERS_COLUMN_FOLDER_ID);
+
+        if (!$folderId) {
+            return;
+        }
+
+        $folder = $this->entityManager
+            ->getRDBRepositoryByClass(EmailFolder::class)
+            ->select(['id', 'name'])
+            ->where(['id' => $folderId])
+            ->findOne();
+
+        if (!$folder) {
+            return;
+        }
+
+        $entity->set('folderName', $folder->getName());
+    }
+}

application/Espo/Classes/FieldProcessing/Email/UserColumnsLoader.php

@@ -41,14 +41,10 @@ use Espo\Entities\User;
  */
 class UserColumnsLoader implements Loader
 {
-    private EntityManager $entityManager;
-    private User $user;
-
-    public function __construct(EntityManager $entityManager, User $user)
-    {
-        $this->entityManager = $entityManager;
-        $this->user = $user;
-    }
+    public function __construct(
+        private EntityManager $entityManager,
+        private User $user
+    ) {}
 
     public function process(Entity $entity, Params $params): void
     {
@@ -58,6 +54,7 @@ class UserColumnsLoader implements Loader
                 Email::USERS_COLUMN_IS_READ,
                 Email::USERS_COLUMN_IS_IMPORTANT,
                 Email::USERS_COLUMN_IN_TRASH,
+                Email::USERS_COLUMN_IN_ARCHIVE,
             ])
             ->where([
                 'deleted' => false,
@@ -70,6 +67,7 @@ class UserColumnsLoader implements Loader
             $entity->set(Email::USERS_COLUMN_IS_READ, null);
             $entity->clear(Email::USERS_COLUMN_IS_IMPORTANT);
             $entity->clear(Email::USERS_COLUMN_IN_TRASH);
+            $entity->clear(Email::USERS_COLUMN_IN_ARCHIVE);
 
             return;
         }
@@ -78,6 +76,8 @@ class UserColumnsLoader implements Loader
             Email::USERS_COLUMN_IS_READ => $emailUser->get(Email::USERS_COLUMN_IS_READ),
             Email::USERS_COLUMN_IS_IMPORTANT => $emailUser->get(Email::USERS_COLUMN_IS_IMPORTANT),
             Email::USERS_COLUMN_IN_TRASH => $emailUser->get(Email::USERS_COLUMN_IN_TRASH),
+            Email::USERS_COLUMN_IN_ARCHIVE => $emailUser->get(Email::USERS_COLUMN_IN_ARCHIVE),
+            'isUsersSent' => $entity->getSentBy()?->getId() === $this->user->getId(),
         ]);
     }
 }

application/Espo/Classes/FieldProcessing/InboundEmail/IsSystemLoader.php

@@ -0,0 +1,27 @@
+<?php
+/**LICENSE**/
+
+namespace Espo\Classes\FieldProcessing\InboundEmail;
+
+use Espo\Core\FieldProcessing\Loader;
+use Espo\Core\FieldProcessing\Loader\Params;
+use Espo\Core\Utils\Config;
+use Espo\Entities\InboundEmail;
+use Espo\ORM\Entity;
+
+/**
+ * @implements Loader<InboundEmail>
+ */
+class IsSystemLoader implements Loader
+{
+    public function __construct(
+        private Config $config,
+    ) {}
+
+    public function process(Entity $entity, Params $params): void
+    {
+        $isSystem = $entity->getEmailAddress() === $this->config->get('outboundEmailFromAddress');
+
+        $entity->set('isSystem', $isSystem);
+    }
+}

application/Espo/Classes/FieldSanitizers/StringLowerCase.php

@@ -0,0 +1,56 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\FieldSanitizers;
+
+use Espo\Core\FieldSanitize\Sanitizer;
+use Espo\Core\FieldSanitize\Sanitizer\Data;
+
+/**
+ * @noinspection PhpUnused
+ */
+class StringLowerCase implements Sanitizer
+{
+    public function sanitize(Data $data, string $field): void
+    {
+        if (!$data->has($field)) {
+            return;
+        }
+
+        $value = $data->get($field);
+
+        if (!is_string($value)) {
+            return;
+        }
+
+        $value = mb_strtolower($value);
+
+        $data->set($field, $value);
+    }
+}

application/Espo/Classes/FieldSanitizers/StringUpperCase.php

@@ -0,0 +1,56 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\FieldSanitizers;
+
+use Espo\Core\FieldSanitize\Sanitizer;
+use Espo\Core\FieldSanitize\Sanitizer\Data;
+
+/**
+ * @noinspection PhpUnused
+ */
+class StringUpperCase implements Sanitizer
+{
+    public function sanitize(Data $data, string $field): void
+    {
+        if (!$data->has($field)) {
+            return;
+        }
+
+        $value = $data->get($field);
+
+        if (!is_string($value)) {
+            return;
+        }
+
+        $value = mb_strtoupper($value);
+
+        $data->set($field, $value);
+    }
+}

application/Espo/Classes/FieldValidators/IntType.php

@@ -29,16 +29,54 @@
 
 namespace Espo\Classes\FieldValidators;
 
+use Doctrine\DBAL\Types\Types;
+use Espo\ORM\Defs;
 use Espo\ORM\Entity;
 use stdClass;
 
 class IntType
 {
+    public function __construct(
+        private Defs $defs,
+    ) {}
+
     public function checkRequired(Entity $entity, string $field): bool
     {
         return $this->isNotEmpty($entity, $field);
     }
 
+    /** @noinspection PhpUnused */
+    public function checkRangeInternal(Entity $entity, string $field): bool
+    {
+        $value = $entity->get($field);
+
+        if ($value === null) {
+            return true;
+        }
+
+        $dbType = $this->defs
+            ->getEntity($entity->getEntityType())
+            ->tryGetAttribute($field)
+            ?->getParam('dbType') ?? Types::INTEGER;
+
+        $ranges = [
+            Types::INTEGER => [-2147483648, 2147483647],
+            Types::SMALLINT => [-32768, 32767],
+        ];
+
+        $range = $ranges[$dbType] ?? null;
+
+        if (!$range) {
+            return true;
+        }
+
+        if ($value < $range[0] || $value > $range[1]) {
+            return false;
+        }
+
+        return true;
+    }
+
     /**
      * @param mixed $validationValue
      * @noinspection PhpUnused

application/Espo/Classes/FieldValidators/LinkMultipleType.php

@@ -36,20 +36,17 @@ use Espo\Core\ORM\Entity as CoreEntity;
 
 use stdClass;
 
+/**
+ * @noinspection PhpUnused
+ */
 class LinkMultipleType
 {
-    private Metadata $metadata;
-    private Defs $defs;
-
     private const COLUMN_TYPE_ENUM = 'enum';
     private const COLUMN_TYPE_VARCHAR = 'varchar';
     private const COLUMN_TYPE_BOOL = 'bool';
 
-    public function __construct(Metadata $metadata, Defs $defs)
-    {
-        $this->metadata = $metadata;
-        $this->defs = $defs;
-    }
+    public function __construct(private Metadata $metadata, private Defs $defs)
+    {}
 
     public function checkRequired(Entity $entity, string $field): bool
     {
@@ -63,6 +60,7 @@ class LinkMultipleType
         return count($idList) > 0;
     }
 
+    /** @noinspection PhpUnused */
     public function checkPattern(Entity $entity, string $field): bool
     {
         /** @var ?mixed[] $idList */
@@ -93,6 +91,27 @@ class LinkMultipleType
         return true;
     }
 
+    /** @noinspection PhpUnused */
+    public function checkMaxCount(Entity $entity, string $field, ?int $maxCount): bool
+    {
+        if ($maxCount === null) {
+            return true;
+        }
+
+        $list = $entity->get($field . 'Ids');
+
+        if (!is_array($list)) {
+            return true;
+        }
+
+        if (count($list) > $maxCount) {
+            return false;
+        }
+
+        return true;
+    }
+
+    /** @noinspection PhpUnused */
     public function checkColumnsValid(Entity $entity, string $field): bool
     {
         if (!$entity instanceof CoreEntity) {

application/Espo/Classes/FieldValidators/PhoneType.php

@@ -31,6 +31,7 @@ namespace Espo\Classes\FieldValidators;
 
 use Brick\PhoneNumber\PhoneNumber;
 use Brick\PhoneNumber\PhoneNumberParseException;
+use Espo\Core\PhoneNumber\Util;
 use Espo\Core\Utils\Config;
 use Espo\Core\Utils\Metadata;
 use Espo\ORM\Defs;
@@ -203,6 +204,22 @@ class PhoneType
             return true;
         }
 
+        $ext = null;
+
+        if ($this->config->get('phoneNumberExtensions')) {
+            [$number, $ext] = Util::splitExtension($number);
+        }
+
+        if ($ext) {
+            if (!preg_match('/[0-9]+/', $ext)) {
+                return false;
+            }
+
+            if (strlen($ext) > 6) {
+                return false;
+            }
+        }
+
         try {
             $numberObj = PhoneNumber::parse($number);
         }

application/Espo/Classes/FieldValidators/Settings/AuthIpAddressWhitelist/Valid.php

@@ -0,0 +1,90 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\FieldValidators\Settings\AuthIpAddressWhitelist;
+
+use Espo\Core\FieldValidation\Validator;
+use Espo\Core\FieldValidation\Validator\Data;
+use Espo\Core\FieldValidation\Validator\Failure;
+use Espo\ORM\Entity;
+
+/**
+ * @implements Validator<Entity>
+ */
+class Valid implements Validator
+{
+    public function validate(Entity $entity, string $field, Data $data): ?Failure
+    {
+        $list = $entity->get($field);
+
+        if (!is_array($list)) {
+            return null;
+        }
+
+        foreach ($list as $item) {
+            if (!is_string($item)) {
+                continue;
+            }
+
+            if (!$this->isValid($item)) {
+                return Failure::create();
+            }
+        }
+
+        return null;
+    }
+
+    private function isValid(string $item): bool
+    {
+        $address = $item;
+
+        if (count(explode('/', $item)) > 1) {
+            [$address, $mask] = explode('/', $item, 2);
+
+            if (!is_numeric($mask)) {
+                return false;
+            }
+
+            $mask = (int) $mask;
+
+            if ($mask < 0 || $mask > 128) {
+                return false;
+            }
+        }
+
+        if (
+            filter_var($address, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false &&
+            filter_var($address, FILTER_VALIDATE_IP) === false
+        ) {
+            return false;
+        }
+
+        return true;
+    }
+}

application/Espo/Classes/FieldValidators/User/DefaultTeam/IsUserTeam.php

@@ -0,0 +1,55 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\FieldValidators\User\DefaultTeam;
+
+use Espo\Core\FieldValidation\Validator;
+use Espo\Core\FieldValidation\Validator\Data;
+use Espo\Core\FieldValidation\Validator\Failure;
+use Espo\Entities\User;
+use Espo\ORM\Entity;
+
+/**
+ * @implements Validator<User>
+ */
+class IsUserTeam implements Validator
+{
+    public function validate(Entity $entity, string $field, Data $data): ?Failure
+    {
+        if (!$entity->getDefaultTeam()) {
+            return null;
+        }
+
+        if (in_array($entity->getDefaultTeam()->getId(), $entity->getTeamIdList())) {
+            return null;
+        }
+
+        return Failure::create();
+    }
+}

application/Espo/Classes/Jobs/AuthTokenControl.php

@@ -30,6 +30,7 @@
 namespace Espo\Classes\Jobs;
 
 use Espo\Entities\AuthToken;
+use Espo\Entities\Portal;
 use Espo\Core\Job\JobDataLess;
 use Espo\Core\ORM\EntityManager;
 use Espo\Core\Utils\Config;
@@ -50,27 +51,69 @@ class AuthTokenControl implements JobDataLess
 
     public function run(): void
     {
-        $authTokenLifetime = (int) ($this->config->get('authTokenLifetime', 0) * 60);
-        $authTokenMaxIdleTime = (int) ($this->config->get('authTokenMaxIdleTime', 0) * 60);
+        $lifetime = (int) $this->config->get('authTokenLifetime', 0) * 60;
+        $maxIdleTime = (int) $this->config->get('authTokenMaxIdleTime', 0) * 60;
 
-        if (!$authTokenLifetime && !$authTokenMaxIdleTime) {
+        $portalIds = [];
+
+        /** @var iterable<Portal> $portals */
+        $portals = $this->entityManager
+            ->getRDBRepositoryByClass(Portal::class)
+            ->find();
+
+        foreach ($portals as $portal) {
+            $portalIds[] = $portal->getId();
+        }
+
+        $this->process(null, $lifetime, $maxIdleTime, $portalIds);
+
+        foreach ($portals as $portal) {
+            $itemLifetime = $portal->get('authTokenLifetime') !== null ?
+                (int) $portal->get('authTokenLifetime') * 60 :
+                $lifetime;
+
+            $itemMaxIdleTime = $portal->get('authTokenMaxIdleTime') !== null ?
+                (int) $portal->get('authTokenMaxIdleTime') * 60 :
+                $maxIdleTime;
+
+            $this->process($portal->getId(), $itemLifetime, $itemMaxIdleTime);
+        }
+    }
+
+    /**
+     * @param string[] $ignorePortalIds
+     */
+    private function process(?string $portalId, int $lifetime, int $maxIdleTime, array $ignorePortalIds = []): void
+    {
+        if (!$lifetime && !$maxIdleTime) {
             return;
         }
 
-        $whereClause = [
-            'isActive' => true,
-        ];
+        $whereClause = ['isActive' => true];
 
-        if ($authTokenLifetime) {
+        if ($portalId) {
+            $whereClause['portalId'] = $portalId;
+        }
+
+        if (!$portalId && $ignorePortalIds !== []) {
+            $whereClause[] = [
+                'OR' => [
+                    ['portalId' => null],
+                    ['portalId!=' => $ignorePortalIds],
+                ]
+            ];
+        }
+
+        if ($lifetime) {
             $dt = new DateTime();
-            $dt->modify("-$authTokenLifetime minutes");
+            $dt->modify("-$lifetime minutes");
 
             $whereClause['createdAt<'] = $dt->format(DateTimeUtil::SYSTEM_DATE_TIME_FORMAT);
         }
 
-        if ($authTokenMaxIdleTime) {
+        if ($maxIdleTime) {
             $dt = new DateTime();
-            $dt->modify("-$authTokenMaxIdleTime minutes");
+            $dt->modify("-$maxIdleTime minutes");
 
             $whereClause['lastAccess<'] = $dt->format(DateTimeUtil::SYSTEM_DATE_TIME_FORMAT);
         }

application/Espo/Classes/Jobs/CheckEmailAccounts.php

@@ -29,39 +29,31 @@
 
 namespace Espo\Classes\Jobs;
 
-use Espo\Core\Exceptions\Error;
-
 use Espo\Core\Mail\Account\PersonalAccount\Service;
 use Espo\Core\Job\Job;
 use Espo\Core\Job\Job\Data;
 
+use RuntimeException;
 use Throwable;
 
 class CheckEmailAccounts implements Job
 {
-    private $service;
-
-    public function __construct(Service $service)
-    {
-        $this->service = $service;
-    }
+    public function __construct(private Service $service)
+    {}
 
     public function run(Data $data): void
     {
         $targetId = $data->getTargetId();
 
         if (!$targetId) {
-            throw new Error("No target.");
+            throw new RuntimeException("No target.");
         }
 
         try {
             $this->service->fetch($targetId);
         }
         catch (Throwable $e) {
-            throw new Error(
-                'Job CheckEmailAccounts ' . $targetId . ': [' . $e->getCode() . '] ' . $e->getMessage() . ' ' .
-                $e->getFile() . ':' . $e->getLine()
-            );
+            throw new RuntimeException("CheckInboundEmails job failed, $targetId; {$e->getMessage()}", 0, $e);
         }
     }
 }

application/Espo/Classes/Jobs/CheckInboundEmails.php

@@ -29,37 +29,31 @@
 
 namespace Espo\Classes\Jobs;
 
-use Espo\Core\Exceptions\Error;
 use Espo\Core\Mail\Account\GroupAccount\Service;
 use Espo\Core\Job\Job;
 use Espo\Core\Job\Job\Data;
 
+use RuntimeException;
 use Throwable;
 
 class CheckInboundEmails implements Job
 {
-    private $service;
-
-    public function __construct(Service $service)
-    {
-        $this->service = $service;
-    }
+    public function __construct(private Service $service)
+    {}
 
     public function run(Data $data): void
     {
         $targetId = $data->getTargetId();
 
         if (!$targetId) {
-            throw new Error("No target.");
+            throw new RuntimeException("No target.");
         }
 
         try {
             $this->service->fetch($targetId);
         }
         catch (Throwable $e) {
-            throw new Error(
-                'Job CheckInboundEmails ' . $targetId . ': [' . $e->getCode() . '] ' .$e->getMessage()
-            );
+            throw new RuntimeException("CheckInboundEmails job failed, $targetId; {$e->getMessage()}", 0, $e);
         }
     }
 }

application/Espo/Classes/MassAction/Email/MoveToFolder.php

@@ -30,6 +30,7 @@
 namespace Espo\Classes\MassAction\Email;
 
 use Espo\Core\Exceptions\BadRequest;
+use Espo\Core\Exceptions\Error;
 use Espo\Core\Exceptions\Forbidden;
 use Espo\Core\MassAction\Data;
 use Espo\Core\MassAction\MassAction;
@@ -44,11 +45,10 @@ use Espo\ORM\EntityManager;
 use Espo\Tools\Email\Folder;
 use Espo\Tools\Email\InboxService as EmailService;
 use Exception;
+use RuntimeException;
 
 class MoveToFolder implements MassAction
 {
-    private const FOLDER_INBOX = Folder::INBOX;
-
     public function __construct(
         private QueryBuilder $queryBuilder,
         private EntityManager $entityManager,
@@ -68,7 +68,11 @@ class MoveToFolder implements MassAction
             throw new BadRequest("No folder ID.");
         }
 
-        if ($folderId !== self::FOLDER_INBOX && !str_starts_with($folderId, 'group:')) {
+        if (
+            $folderId !== Folder::INBOX &&
+            $folderId !== Folder::ARCHIVE &&
+            !str_starts_with($folderId, 'group:')
+        ) {
             $folder = $this->entityManager
                 ->getRDBRepositoryByClass(EmailFolder::class)
                 ->where([
@@ -93,7 +97,12 @@ class MoveToFolder implements MassAction
             }
         }
 
-        $query = $this->queryBuilder->build($params);
+        try {
+            $query = $this->queryBuilder->build($params);
+        }
+        catch (BadRequest|Forbidden $e) {
+            throw new RuntimeException($e->getMessage());
+        }
 
         $collection = $this->entityManager
             ->getRDBRepositoryByClass(Email::class)

application/Espo/Classes/MassAction/User/MassDelete.php

@@ -31,6 +31,7 @@ namespace Espo\Classes\MassAction\User;
 
 use Espo\Core\Acl;
 use Espo\Core\Exceptions\BadRequest;
+use Espo\Core\Exceptions\Error;
 use Espo\Core\Exceptions\Forbidden;
 use Espo\Core\MassAction\Actions\MassDelete as MassDeleteOriginal;
 use Espo\Core\MassAction\Data;
@@ -59,18 +60,19 @@ class MassDelete implements MassAction
     /**
      * @throws Forbidden
      * @throws BadRequest
+     * @throws Error
      */
     public function process(Params $params, Data $data): Result
     {
         $entityType = $params->getEntityType();
 
         if (!$this->acl->check($entityType, Acl\Table::ACTION_DELETE)) {
-            throw new Forbidden("No delete access for '{$entityType}'.");
+            throw new Forbidden("No delete access for '$entityType'.");
         }
 
         if (
             !$params->hasIds() &&
-            $this->acl->getPermissionLevel('massUpdatePermission') !== Acl\Table::LEVEL_YES
+            $this->acl->getPermissionLevel(Acl\Permission::MASS_UPDATE) !== Acl\Table::LEVEL_YES
         ) {
             throw new Forbidden("No mass-update permission.");
         }

application/Espo/Classes/MassAction/User/MassUpdate.php

@@ -51,7 +51,7 @@ use Espo\Tools\MassUpdate\Data as MassUpdateData;
 
 class MassUpdate implements MassAction
 {
-    private const PERMISSION = 'massUpdatePermission';
+    private const PERMISSION = Acl\Permission::MASS_UPDATE;
 
     /** @var string[] */
     private array $notAllowedAttributeList = [

application/Espo/Classes/RecordHooks/AddressCountry/BeforeSave.php

@@ -0,0 +1,70 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\RecordHooks\AddressCountry;
+
+use Espo\Core\Exceptions\ConflictSilent;
+use Espo\Core\Exceptions\Error\Body;
+use Espo\Core\Record\Hook\SaveHook;
+use Espo\Entities\AddressCountry;
+use Espo\ORM\Entity;
+use Espo\ORM\EntityManager;
+
+/**
+ * @implements SaveHook<AddressCountry>
+ */
+class BeforeSave implements SaveHook
+{
+    public function __construct(
+        private EntityManager $entityManager,
+    ) {}
+
+    public function process(Entity $entity): void
+    {
+        $where = ['name' => $entity->getName()];
+
+        if (!$entity->isNew()) {
+            $where['id!='] = $entity->getId();
+        }
+
+        $one = $this->entityManager
+            ->getRDBRepositoryByClass(AddressCountry::class)
+            ->where($where)
+            ->findOne();
+
+        if (!$one) {
+            return;
+        }
+
+        throw ConflictSilent::createWithBody(
+            'duplicateError',
+            Body::create()->withMessageTranslation('duplicateConflict')
+        );
+    }
+}

application/Espo/Classes/RecordHooks/Email/CheckFromAddress.php

@@ -0,0 +1,101 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\RecordHooks\Email;
+
+use Espo\Core\Acl;
+use Espo\Core\Exceptions\BadRequest;
+use Espo\Core\Exceptions\Forbidden;
+use Espo\Core\Mail\Account\SendingAccountProvider;
+use Espo\Core\Record\Hook\SaveHook;
+use Espo\Core\Utils\Config;
+use Espo\Entities\Email;
+use Espo\Entities\User;
+use Espo\ORM\Entity;
+
+/**
+ * @implements SaveHook<Email>
+ */
+class CheckFromAddress implements SaveHook
+{
+    public function __construct(
+        private User $user,
+        private SendingAccountProvider $sendingAccountProvider,
+        private Config $config,
+        private Acl $acl,
+    ) {}
+
+    public function process(Entity $entity): void
+    {
+        if ($this->user->isAdmin()) {
+            return;
+        }
+
+        $fromAddress = $entity->getFromAddress();
+
+        // Should be after 'getFromAddress'.
+        if (!$entity->isAttributeChanged('from')) {
+            return;
+        }
+
+        if (!$fromAddress) {
+            throw new BadRequest("No 'from' address");
+        }
+
+        if ($this->acl->checkScope('Import')) {
+            return;
+        }
+
+        $fromAddress = strtolower($fromAddress);
+
+        foreach ($this->user->getEmailAddressGroup()->getAddressList() as $address) {
+            if ($fromAddress === strtolower($address)) {
+                return;
+            }
+        }
+
+        if ($this->sendingAccountProvider->getShared($this->user, $fromAddress)) {
+            return;
+        }
+
+        $system = $this->sendingAccountProvider->getSystem();
+
+        if (
+            $system &&
+            $this->config->get('outboundEmailIsShared') &&
+            $system->getEmailAddress()
+        ) {
+            if ($fromAddress === strtolower($system->getEmailAddress())) {
+                return;
+            }
+        }
+
+        throw new Forbidden("Not allowed 'from' address.");
+    }
+}

application/Espo/Classes/RecordHooks/Note/AssignmentCheck.php

@@ -30,6 +30,7 @@
 namespace Espo\Classes\RecordHooks\Note;
 
 use Espo\Core\Acl;
+use Espo\Core\Acl\Permission;
 use Espo\Core\Acl\Table as AclTable;
 use Espo\Core\Exceptions\BadRequest;
 use Espo\Core\Exceptions\Forbidden;
@@ -90,7 +91,7 @@ class AssignmentCheck implements SaveHook
             }
         }
 
-        $messagePermission = $this->acl->getPermissionLevel('message');
+        $messagePermission = $this->acl->getPermissionLevel(Permission::MESSAGE);
 
         if ($messagePermission === AclTable::LEVEL_NO) {
             if (
@@ -126,14 +127,14 @@ class AssignmentCheck implements SaveHook
                 throw new BadRequest("No portal IDs.");
             }
 
-            if ($this->acl->getPermissionLevel('portal') !== AclTable::LEVEL_YES) {
+            if ($this->acl->getPermissionLevel(Permission::PORTAL) !== AclTable::LEVEL_YES) {
                 throw new Forbidden('Not permitted to post to portal users.');
             }
         }
 
         if (
             $targetType === Note::TARGET_USERS &&
-            $this->acl->getPermissionLevel('portal') !== AclTable::LEVEL_YES
+            $this->acl->getPermissionLevel(Permission::PORTAL) !== AclTable::LEVEL_YES
         ) {
             if ($hasPortalTargetUser) {
                 throw new Forbidden('Not permitted to post to portal users.');

application/Espo/Classes/RecordHooks/Note/BeforeCreate.php

@@ -70,6 +70,7 @@ class BeforeCreate implements SaveHook
 
         $targetType = $entity->getTargetType();
 
+        $entity->clear('isPinned');
         $entity->clear('isGlobal');
 
         switch ($targetType) {
@@ -87,7 +88,7 @@ class BeforeCreate implements SaveHook
                 $entity->clear('usersIds');
                 $entity->clear('teamsIds');
                 $entity->clear('portalsIds');
-                $entity->set('usersIds', [$this->user->getId()]);
+                $entity->setUsersIds([$this->user->getId()]);
                 $entity->set('isForSelf', true);
 
                 break;

application/Espo/Classes/RecordHooks/Note/BeforeUpdate.php

@@ -32,7 +32,6 @@ namespace Espo\Classes\RecordHooks\Note;
 use Espo\Core\Exceptions\ForbiddenSilent;
 use Espo\Core\Record\Hook\SaveHook;
 use Espo\Entities\Note;
-use Espo\Entities\User;
 use Espo\ORM\Entity;
 use Espo\Tools\Stream\NoteUtil;
 
@@ -43,18 +42,27 @@ use Espo\Tools\Stream\NoteUtil;
 class BeforeUpdate implements SaveHook
 {
     public function __construct(
-        private User $user,
-        private NoteUtil $noteUtil
+        private NoteUtil $noteUtil,
     ) {}
 
     public function process(Entity $entity): void
     {
+        if (!$this->isEditableType($entity)) {
+            throw new ForbiddenSilent("Note is not editable.");
+        }
+
         if ($entity->isPost()) {
             $this->noteUtil->handlePostText($entity);
         }
 
-        if (!$entity->isPost() && !$this->user->isAdmin()) {
-            throw new ForbiddenSilent("Only 'Post' type allowed.");
+        if (!$entity->isPost()) {
+            $entity->clear('post');
+            $entity->clear('attachmentsIds');
         }
     }
+
+    private function isEditableType(Note $entity): bool
+    {
+        return $entity->getType() == Note::TYPE_POST;
+    }
 }

application/Espo/Classes/Select/AddressCountry/PreferredNameOrderer.php

@@ -0,0 +1,45 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\Select\AddressCountry;
+
+use Espo\Core\Select\Order\Item;
+use Espo\Core\Select\Order\Orderer;
+use Espo\ORM\Query\Part\Order;
+use Espo\ORM\Query\SelectBuilder;
+
+class PreferredNameOrderer implements Orderer
+{
+    public function apply(SelectBuilder $queryBuilder, Item $item): void
+    {
+        $queryBuilder
+            ->order('isPreferred', $item->getOrder() === Order::ASC ? Order::DESC : Order::ASC)
+            ->order('name', $item->getOrder());
+    }
+}

application/Espo/Classes/Select/AppLogRecord/PrimaryFilters/Errors.php

@@ -0,0 +1,49 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\Select\AppLogRecord\PrimaryFilters;
+
+use Espo\Core\Select\Primary\Filter;
+use Espo\ORM\Query\SelectBuilder as QueryBuilder;
+use Psr\Log\LogLevel;
+
+class Errors implements Filter
+{
+    public function apply(QueryBuilder $queryBuilder): void
+    {
+        $queryBuilder->where([
+            'level' => [
+                ucfirst(LogLevel::ERROR),
+                ucfirst(LogLevel::EMERGENCY),
+                ucfirst(LogLevel::CRITICAL),
+                ucfirst(LogLevel::ALERT),
+            ]
+        ]);
+    }
+}

application/Espo/Classes/Select/Email/AccessControlFilters/OnlyOwn.php

@@ -32,6 +32,7 @@ namespace Espo\Classes\Select\Email\AccessControlFilters;
 use Espo\Core\Select\AccessControl\Filter;
 
 use Espo\Classes\Select\Email\Helpers\JoinHelper;
+use Espo\Entities\Email;
 use Espo\Entities\User;
 use Espo\ORM\Query\SelectBuilder as QueryBuilder;
 
@@ -46,6 +47,6 @@ class OnlyOwn implements Filter
     {
         $this->joinHelper->joinEmailUser($queryBuilder, $this->user->getId());
 
-        $queryBuilder->where(['emailUser.userId' => $this->user->getId()]);
+        $queryBuilder->where([Email::ALIAS_INBOX . '.userId' => $this->user->getId()]);
     }
 }

application/Espo/Classes/Select/Email/AccessControlFilters/OnlyTeam.php

@@ -52,15 +52,15 @@ class OnlyTeam implements Filter
                 'entityTeam.entityType' => Email::ENTITY_TYPE,
                 'entityTeam.deleted' => false,
             ])
-            ->leftJoin(Email::RELATIONSHIP_EMAIL_USER, 'emailUser', [
-                'emailUser.emailId:' => 'id',
-                'emailUser.deleted' => false,
-                'emailUser.userId' => $this->user->getId(),
+            ->leftJoin(Email::RELATIONSHIP_EMAIL_USER, Email::ALIAS_INBOX, [
+                Email::ALIAS_INBOX . '.emailId:' => 'id',
+                Email::ALIAS_INBOX . '.deleted' => false,
+                Email::ALIAS_INBOX . '.userId' => $this->user->getId(),
             ])
             ->where([
                 'OR' => [
                     'entityTeam.teamId' => $this->user->getTeamIdList(),
-                    'emailUser.userId' => $this->user->getId(),
+                    Email::ALIAS_INBOX . '.userId' => $this->user->getId(),
                 ]
             ])
             ->build();

application/Espo/Classes/Select/Email/AccessControlFilters/PortalOnlyAccount.php

@@ -31,6 +31,7 @@ namespace Espo\Classes\Select\Email\AccessControlFilters;
 
 use Espo\Core\Select\AccessControl\Filter;
 use Espo\Classes\Select\Email\Helpers\JoinHelper;
+use Espo\Entities\Email;
 use Espo\Entities\User;
 use Espo\ORM\Query\SelectBuilder as QueryBuilder;
 
@@ -46,10 +47,9 @@ class PortalOnlyAccount implements Filter
         $queryBuilder->distinct();
 
         $orGroup = [
-            'emailUser.userId' => $this->user->getId(),
+            Email::ALIAS_INBOX . '.userId' => $this->user->getId(),
         ];
 
-        /** @var string[] $accountIdList */
         $accountIdList = $this->user->getLinkMultipleIdList('accounts');
 
         if (count($accountIdList)) {

application/Espo/Classes/Select/Email/AccessControlFilters/PortalOnlyContact.php

@@ -31,6 +31,7 @@ namespace Espo\Classes\Select\Email\AccessControlFilters;
 
 use Espo\Core\Select\AccessControl\Filter;
 use Espo\Classes\Select\Email\Helpers\JoinHelper;
+use Espo\Entities\Email;
 use Espo\Entities\User;
 use Espo\ORM\Query\SelectBuilder as QueryBuilder;
 
@@ -46,7 +47,7 @@ class PortalOnlyContact implements Filter
         $queryBuilder->distinct();
 
         $orGroup = [
-            'emailUser.userId' => $this->user->getId(),
+            Email::ALIAS_INBOX . '.userId' => $this->user->getId(),
         ];
 
         $contactId = $this->user->get('contactId');

application/Espo/Classes/Select/Email/AdditionalAppliers/Main.php

@@ -76,9 +76,9 @@ class Main implements AdditionalApplier
             return;
         }
 
-        if ($this->checkApplyDateSentIndex($queryBuilder, $searchParams)) {
+        /*if ($this->checkApplyDateSentIndex($queryBuilder, $searchParams)) {
             $queryBuilder->useIndex('dateSent');
-        }
+        }*/
     }
 
     private function joinEmailUser(SelectBuilder $queryBuilder): void
@@ -93,11 +93,12 @@ class Main implements AdditionalApplier
             Email::USERS_COLUMN_IS_READ,
             Email::USERS_COLUMN_IS_IMPORTANT,
             Email::USERS_COLUMN_IN_TRASH,
+            Email::USERS_COLUMN_IN_ARCHIVE,
             Email::USERS_COLUMN_FOLDER_ID,
         ];
 
         foreach ($itemList as $item) {
-            $queryBuilder->select('emailUser.' . $item, $item);
+            $queryBuilder->select(Email::ALIAS_INBOX . '.' . $item, $item);
         }
     }
 
@@ -116,7 +117,7 @@ class Main implements AdditionalApplier
         return null;
     }
 
-    private function checkApplyDateSentIndex(SelectBuilder $queryBuilder, SearchParams $searchParams): bool
+    /*private function checkApplyDateSentIndex(SelectBuilder $queryBuilder, SearchParams $searchParams): bool
     {
         if ($searchParams->getTextFilter()) {
             return false;
@@ -149,5 +150,5 @@ class Main implements AdditionalApplier
         }
 
         return true;
-    }
+    }*/
 }

application/Espo/Classes/Select/Email/BoolFilters/OnlyMy.php

@@ -31,6 +31,7 @@ namespace Espo\Classes\Select\Email\BoolFilters;
 
 use Espo\Classes\Select\Email\Helpers\JoinHelper;
 use Espo\Core\Select\Bool\Filter;
+use Espo\Entities\Email;
 use Espo\Entities\User;
 use Espo\ORM\Query\Part\Where\OrGroupBuilder;
 use Espo\ORM\Query\Part\WhereClause;
@@ -46,7 +47,7 @@ class OnlyMy implements Filter
         $this->joinHelper->joinEmailUser($queryBuilder, $this->user->getId());
 
         $item = WhereClause::fromRaw([
-            'emailUser.userId' => $this->user->getId(),
+            Email::ALIAS_INBOX . '.userId' => $this->user->getId(),
         ]);
 
         $orGroupBuilder->add($item);

application/Espo/Classes/Select/Email/Helpers/JoinHelper.php

@@ -36,14 +36,14 @@ class JoinHelper
 {
     public function joinEmailUser(QueryBuilder $queryBuilder, string $userId): void
     {
-        if ($queryBuilder->hasLeftJoinAlias('emailUser')) {
+        if ($queryBuilder->hasLeftJoinAlias(Email::ALIAS_INBOX)) {
             return;
         }
 
-        $queryBuilder->leftJoin(Email::RELATIONSHIP_EMAIL_USER, 'emailUser', [
-            'emailUser.emailId:' => 'id',
-            'emailUser.deleted' => false,
-            'emailUser.userId' => $userId,
+        $queryBuilder->leftJoin(Email::RELATIONSHIP_EMAIL_USER, Email::ALIAS_INBOX, [
+            Email::ALIAS_INBOX . '.emailId:' => 'id',
+            Email::ALIAS_INBOX . '.deleted' => false,
+            Email::ALIAS_INBOX . '.userId' => $userId,
         ]);
     }
 }

application/Espo/Classes/Select/Email/Where/ItemConverters/CcEquals.php

@@ -0,0 +1,83 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\Select\Email\Where\ItemConverters;
+
+use Espo\Core\Select\Helpers\RandomStringGenerator;
+use Espo\Core\Select\Where\Item;
+use Espo\Core\Select\Where\ItemConverter;
+use Espo\Classes\Select\Email\Helpers\EmailAddressHelper;
+use Espo\ORM\Query\Part\WhereClause;
+use Espo\ORM\Query\Part\WhereItem as WhereClauseItem;
+use Espo\ORM\Query\SelectBuilder as QueryBuilder;
+
+class CcEquals implements ItemConverter
+{
+    public function __construct(
+        private EmailAddressHelper $emailAddressHelper,
+        private RandomStringGenerator $randomStringGenerator
+    ) {}
+
+    public function convert(QueryBuilder $queryBuilder, Item $item): WhereClauseItem
+    {
+        $value = $item->getValue();
+
+        if (!$value) {
+            return WhereClause::fromRaw([
+                'id' => null,
+            ]);
+        }
+
+        $emailAddressId = $this->emailAddressHelper->getEmailAddressIdByValue($value);
+
+        if (!$emailAddressId) {
+            return WhereClause::fromRaw([
+                'id' => null,
+            ]);
+        }
+
+        $queryBuilder->distinct();
+
+        $alias = 'emailEmailAddress' . $this->randomStringGenerator->generate();
+
+        $queryBuilder->leftJoin(
+            'EmailEmailAddress',
+            $alias,
+            [
+                'emailId:' => 'id',
+                'deleted' => false,
+            ]
+        );
+
+        return WhereClause::fromRaw([
+            $alias . '.emailAddressId' => $emailAddressId,
+            $alias . '.addressType' => 'cc',
+        ]);
+    }
+}

application/Espo/Classes/Select/Email/Where/ItemConverters/InArchiveIsFalse.php

@@ -0,0 +1,54 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\Select\Email\Where\ItemConverters;
+
+use Espo\Core\Select\Where\Item;
+use Espo\Core\Select\Where\ItemConverter;
+use Espo\Classes\Select\Email\Helpers\JoinHelper;
+use Espo\Entities\Email;
+use Espo\Entities\User;
+use Espo\ORM\Query\Part\WhereClause;
+use Espo\ORM\Query\Part\WhereItem as WhereClauseItem;
+use Espo\ORM\Query\SelectBuilder as QueryBuilder;
+
+class InArchiveIsFalse implements ItemConverter
+{
+    public function __construct(private User $user, private JoinHelper $joinHelper)
+    {}
+
+    public function convert(QueryBuilder $queryBuilder, Item $item): WhereClauseItem
+    {
+        $this->joinHelper->joinEmailUser($queryBuilder, $this->user->getId());
+
+        return WhereClause::fromRaw([
+            Email::ALIAS_INBOX . '.inArchive' => false,
+        ]);
+    }
+}

application/Espo/Classes/Select/Email/Where/ItemConverters/InArchiveIsTrue.php

@@ -0,0 +1,54 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\Select\Email\Where\ItemConverters;
+
+use Espo\Core\Select\Where\Item;
+use Espo\Core\Select\Where\ItemConverter;
+use Espo\Classes\Select\Email\Helpers\JoinHelper;
+use Espo\Entities\Email;
+use Espo\Entities\User;
+use Espo\ORM\Query\Part\WhereClause;
+use Espo\ORM\Query\Part\WhereItem as WhereClauseItem;
+use Espo\ORM\Query\SelectBuilder as QueryBuilder;
+
+class InArchiveIsTrue implements ItemConverter
+{
+    public function __construct(private User $user, private JoinHelper $joinHelper)
+    {}
+
+    public function convert(QueryBuilder $queryBuilder, Item $item): WhereClauseItem
+    {
+        $this->joinHelper->joinEmailUser($queryBuilder, $this->user->getId());
+
+        return WhereClause::fromRaw([
+            Email::ALIAS_INBOX . '.inArchive' => true,
+        ]);
+    }
+}

application/Espo/Classes/Select/Email/Where/ItemConverters/InFolder.php

@@ -41,6 +41,9 @@ use Espo\Entities\User;
 use Espo\Classes\Select\Email\Helpers\JoinHelper;
 use Espo\Tools\Email\Folder;
 
+/**
+ * @noinspection PhpUnused
+ */
 class InFolder implements ItemConverter
 {
     public function __construct(
@@ -59,19 +62,21 @@ class InFolder implements ItemConverter
             Folder::IMPORTANT => $this->convertImportant($queryBuilder),
             Folder::SENT => $this->convertSent($queryBuilder),
             Folder::TRASH => $this->convertTrash($queryBuilder),
-            Folder::DRAFTS => $this->convertDraft($queryBuilder),
+            Folder::ARCHIVE => $this->convertArchive($queryBuilder),
+            Folder::DRAFTS => $this->convertDraft(),
             default => $this->convertFolderId($queryBuilder, $folderId),
         };
     }
 
-    protected function convertInbox(QueryBuilder $queryBuilder): WhereClauseItem
+    private function convertInbox(QueryBuilder $queryBuilder): WhereClauseItem
     {
         $this->joinEmailUser($queryBuilder);
 
         $whereClause = [
-            'emailUser.inTrash' => false,
-            'emailUser.folderId' => null,
-            'emailUser.userId' => $this->user->getId(),
+            Email::ALIAS_INBOX . '.inTrash' => false,
+            Email::ALIAS_INBOX . '.inArchive' => false,
+            Email::ALIAS_INBOX . '.folderId' => null,
+            Email::ALIAS_INBOX . '.userId' => $this->user->getId(),
             [
                 'status' => [
                     Email::STATUS_ARCHIVED,
@@ -83,7 +88,7 @@ class InFolder implements ItemConverter
 
         $emailAddressIdList = $this->getEmailAddressIdList();
 
-        if (!empty($emailAddressIdList)) {
+        if ($emailAddressIdList !== []) {
             $whereClause['fromEmailAddressId!='] = $emailAddressIdList;
 
             $whereClause[] = [
@@ -92,8 +97,7 @@ class InFolder implements ItemConverter
                     'createdById!=' => $this->user->getId(),
                 ],
             ];
-        }
-        else {
+        } else {
             $whereClause[] = [
                 'status' => Email::STATUS_ARCHIVED,
                 'createdById!=' => $this->user->getId(),
@@ -103,7 +107,7 @@ class InFolder implements ItemConverter
         return WhereClause::fromRaw($whereClause);
     }
 
-    protected function convertSent(QueryBuilder $queryBuilder): WhereClauseItem
+    private function convertSent(QueryBuilder $queryBuilder): WhereClauseItem
     {
         $this->joinEmailUser($queryBuilder);
 
@@ -118,31 +122,41 @@ class InFolder implements ItemConverter
             [
                 'status!=' => Email::STATUS_DRAFT,
             ],
-            'emailUser.inTrash' => false,
+            Email::ALIAS_INBOX . '.inTrash' => false,
         ]);
     }
 
-    protected function convertImportant(QueryBuilder $queryBuilder): WhereClauseItem
+    private function convertImportant(QueryBuilder $queryBuilder): WhereClauseItem
     {
         $this->joinEmailUser($queryBuilder);
 
         return WhereClause::fromRaw([
-            'emailUser.userId' => $this->user->getId(),
-            'emailUser.isImportant' => true,
+            Email::ALIAS_INBOX . '.userId' => $this->user->getId(),
+            Email::ALIAS_INBOX . '.isImportant' => true,
         ]);
     }
 
-    protected function convertTrash(QueryBuilder $queryBuilder): WhereClauseItem
+    private function convertTrash(QueryBuilder $queryBuilder): WhereClauseItem
     {
         $this->joinEmailUser($queryBuilder);
 
         return WhereClause::fromRaw([
-            'emailUser.userId' => $this->user->getId(),
-            'emailUser.inTrash' => true,
+            Email::ALIAS_INBOX . '.userId' => $this->user->getId(),
+            Email::ALIAS_INBOX . '.inTrash' => true,
         ]);
     }
 
-    protected function convertDraft(QueryBuilder $queryBuilder): WhereClauseItem
+    private function convertArchive(QueryBuilder $queryBuilder): WhereClauseItem
+    {
+        $this->joinEmailUser($queryBuilder);
+
+        return WhereClause::fromRaw([
+            Email::ALIAS_INBOX . '.userId' => $this->user->getId(),
+            Email::ALIAS_INBOX . '.inArchive' => true,
+        ]);
+    }
+
+    private function convertDraft(): WhereClauseItem
     {
         return WhereClause::fromRaw([
             'status' => Email::STATUS_DRAFT,
@@ -150,7 +164,7 @@ class InFolder implements ItemConverter
         ]);
     }
 
-    protected function convertFolderId(QueryBuilder $queryBuilder, string $folderId): WhereClauseItem
+    private function convertFolderId(QueryBuilder $queryBuilder, string $folderId): WhereClauseItem
     {
         $this->joinEmailUser($queryBuilder);
 
@@ -164,15 +178,17 @@ class InFolder implements ItemConverter
             return WhereClause::fromRaw([
                 'groupFolderId' => $groupFolderId,
                 'OR' => [
-                    'emailUser.id' => null,
-                    'emailUser.inTrash' => false,
+                    Email::ALIAS_INBOX . '.id' => null,
+                    Email::ALIAS_INBOX . '.inTrash' => false,
+                    Email::ALIAS_INBOX . '.inArchive' => false,
                 ]
             ]);
         }
 
         return WhereClause::fromRaw([
-            'emailUser.inTrash' => false,
-            'emailUser.folderId' => $folderId,
+            Email::ALIAS_INBOX . '.inTrash' => false,
+            Email::ALIAS_INBOX . '.inArchive' => false,
+            Email::ALIAS_INBOX . '.folderId' => $folderId,
             'groupFolderId' => null,
         ]);
     }

application/Espo/Classes/Select/Email/Where/ItemConverters/InTrashIsFalse.php

@@ -32,6 +32,7 @@ namespace Espo\Classes\Select\Email\Where\ItemConverters;
 use Espo\Core\Select\Where\Item;
 use Espo\Core\Select\Where\ItemConverter;
 use Espo\Classes\Select\Email\Helpers\JoinHelper;
+use Espo\Entities\Email;
 use Espo\Entities\User;
 use Espo\ORM\Query\Part\WhereClause;
 use Espo\ORM\Query\Part\WhereItem as WhereClauseItem;
@@ -47,7 +48,7 @@ class InTrashIsFalse implements ItemConverter
         $this->joinHelper->joinEmailUser($queryBuilder, $this->user->getId());
 
         return WhereClause::fromRaw([
-            'emailUser.inTrash' => false,
+            Email::ALIAS_INBOX . '.inTrash' => false,
         ]);
     }
 }

application/Espo/Classes/Select/Email/Where/ItemConverters/InTrashIsTrue.php

@@ -32,6 +32,7 @@ namespace Espo\Classes\Select\Email\Where\ItemConverters;
 use Espo\Core\Select\Where\Item;
 use Espo\Core\Select\Where\ItemConverter;
 use Espo\Classes\Select\Email\Helpers\JoinHelper;
+use Espo\Entities\Email;
 use Espo\Entities\User;
 use Espo\ORM\Query\Part\WhereClause;
 use Espo\ORM\Query\Part\WhereItem as WhereClauseItem;
@@ -47,7 +48,7 @@ class InTrashIsTrue implements ItemConverter
         $this->joinHelper->joinEmailUser($queryBuilder, $this->user->getId());
 
         return WhereClause::fromRaw([
-            'emailUser.inTrash' => true,
+            Email::ALIAS_INBOX . '.inTrash' => true,
         ]);
     }
 }

application/Espo/Classes/Select/Email/Where/ItemConverters/IsImportantIsFalse.php

@@ -32,6 +32,7 @@ namespace Espo\Classes\Select\Email\Where\ItemConverters;
 use Espo\Core\Select\Where\Item;
 use Espo\Core\Select\Where\ItemConverter;
 use Espo\Classes\Select\Email\Helpers\JoinHelper;
+use Espo\Entities\Email;
 use Espo\Entities\User;
 use Espo\ORM\Query\Part\WhereClause;
 use Espo\ORM\Query\Part\WhereItem as WhereClauseItem;
@@ -47,7 +48,7 @@ class IsImportantIsFalse implements ItemConverter
         $this->joinHelper->joinEmailUser($queryBuilder, $this->user->getId());
 
         return WhereClause::fromRaw([
-            'emailUser.isImportant' => false,
+            Email::ALIAS_INBOX . '.isImportant' => false,
         ]);
     }
 }

application/Espo/Classes/Select/Email/Where/ItemConverters/IsImportantIsTrue.php

@@ -32,6 +32,7 @@ namespace Espo\Classes\Select\Email\Where\ItemConverters;
 use Espo\Core\Select\Where\Item;
 use Espo\Core\Select\Where\ItemConverter;
 use Espo\Classes\Select\Email\Helpers\JoinHelper;
+use Espo\Entities\Email;
 use Espo\Entities\User;
 use Espo\ORM\Query\Part\WhereClause;
 use Espo\ORM\Query\Part\WhereItem as WhereClauseItem;
@@ -47,7 +48,7 @@ class IsImportantIsTrue implements ItemConverter
         $this->joinHelper->joinEmailUser($queryBuilder, $this->user->getId());
 
         return WhereClause::fromRaw([
-            'emailUser.isImportant' => true,
+            Email::ALIAS_INBOX . '.isImportant' => true,
         ]);
     }
 }

application/Espo/Classes/Select/Email/Where/ItemConverters/IsNotReadIsFalse.php

@@ -32,6 +32,7 @@ namespace Espo\Classes\Select\Email\Where\ItemConverters;
 use Espo\Core\Select\Where\Item;
 use Espo\Core\Select\Where\ItemConverter;
 use Espo\Classes\Select\Email\Helpers\JoinHelper;
+use Espo\Entities\Email;
 use Espo\Entities\User;
 use Espo\ORM\Query\Part\WhereClause;
 use Espo\ORM\Query\Part\WhereItem as WhereClauseItem;
@@ -47,7 +48,7 @@ class IsNotReadIsFalse implements ItemConverter
         $this->joinHelper->joinEmailUser($queryBuilder, $this->user->getId());
 
         return WhereClause::fromRaw([
-            'emailUser.isRead' => true,
+            Email::ALIAS_INBOX . '.isRead' => true,
         ]);
     }
 }

application/Espo/Classes/Select/Email/Where/ItemConverters/IsNotReadIsTrue.php

@@ -32,6 +32,7 @@ namespace Espo\Classes\Select\Email\Where\ItemConverters;
 use Espo\Core\Select\Where\Item;
 use Espo\Core\Select\Where\ItemConverter;
 use Espo\Classes\Select\Email\Helpers\JoinHelper;
+use Espo\Entities\Email;
 use Espo\Entities\User;
 use Espo\ORM\Query\Part\WhereClause;
 use Espo\ORM\Query\Part\WhereItem as WhereClauseItem;
@@ -47,7 +48,7 @@ class IsNotReadIsTrue implements ItemConverter
         $this->joinHelper->joinEmailUser($queryBuilder, $this->user->getId());
 
         return WhereClause::fromRaw([
-            'emailUser.isRead' => false,
+            Email::ALIAS_INBOX . '.isRead' => false,
             'OR' => [
                 'sentById' => null,
                 'sentById!=' => $this->user->getId()

application/Espo/Classes/Select/EmailAccount/PrimaryFilters/Active.php

@@ -0,0 +1,42 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\Select\EmailAccount\PrimaryFilters;
+
+use Espo\Core\Select\Primary\Filter;
+use Espo\Entities\EmailFilter;
+use Espo\ORM\Query\SelectBuilder as QueryBuilder;
+
+class Active implements Filter
+{
+    public function apply(QueryBuilder $queryBuilder): void
+    {
+        $queryBuilder->where(['status' => EmailFilter::STATUS_ACTIVE]);
+    }
+}

application/Espo/Classes/Select/User/AccessControlFilters/Mandatory.php

@@ -29,6 +29,7 @@
 
 namespace Espo\Classes\Select\User\AccessControlFilters;
 
+use Espo\Core\Acl\Permission;
 use Espo\ORM\Query\SelectBuilder;
 use Espo\Core\Acl\Table;
 use Espo\Core\AclManager;
@@ -51,7 +52,7 @@ class Mandatory implements Filter
             ]);
         }
 
-        if ($this->aclManager->getPermissionLevel($this->user, 'portalPermission') !== Table::LEVEL_YES) {
+        if ($this->aclManager->getPermissionLevel($this->user, Permission::PORTAL) !== Table::LEVEL_YES) {
             $queryBuilder->where([
                 'OR' => [
                     'type!=' => User::TYPE_PORTAL,

application/Espo/Classes/Select/User/AccessControlFilters/OnlyOwn.php

@@ -29,6 +29,7 @@
 
 namespace Espo\Classes\Select\User\AccessControlFilters;
 
+use Espo\Core\Acl\Permission;
 use Espo\ORM\Query\SelectBuilder;
 use Espo\Core\Acl\Table;
 use Espo\Core\AclManager;
@@ -43,7 +44,7 @@ class OnlyOwn implements Filter
 
     public function apply(SelectBuilder $queryBuilder): void
     {
-        if ($this->aclManager->getPermissionLevel($this->user, 'portalPermission') === Table::LEVEL_YES) {
+        if ($this->aclManager->getPermissionLevel($this->user, Permission::PORTAL) === Table::LEVEL_YES) {
             $queryBuilder->where([
                 'OR' => [
                     'id' => $this->user->getId(),

application/Espo/Classes/Select/User/AccessControlFilters/OnlyTeam.php

@@ -51,7 +51,7 @@ class OnlyTeam implements Filter
             'id' => $this->user->getId(),
         ];
 
-        if ($this->aclManager->getPermissionLevel($this->user, 'portalPermission') === Table::LEVEL_YES) {
+        if ($this->aclManager->getPermissionLevel($this->user, 'portal') === Table::LEVEL_YES) {
             $orGroup['type'] = User::TYPE_PORTAL;
         }
 

application/Espo/Classes/Select/User/BoolFilters/OnlyMe.php

@@ -0,0 +1,47 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\Select\User\BoolFilters;
+
+use Espo\Core\Select\Bool\Filter;
+use Espo\Entities\User;
+use Espo\ORM\Query\Part\Where\OrGroupBuilder;
+use Espo\ORM\Query\SelectBuilder as QueryBuilder;
+
+class OnlyMe implements Filter
+{
+    public function __construct(
+        private User $user
+    ) {}
+
+    public function apply(QueryBuilder $queryBuilder, OrGroupBuilder $orGroupBuilder): void
+    {
+        $queryBuilder->where(['id' => $this->user->getId()]);
+    }
+}

application/Espo/Classes/TemplateHelpers/GoogleMaps.php

@@ -165,7 +165,7 @@ class GoogleMaps implements Helper
 
         $url = "https://maps.googleapis.com/maps/api/staticmap?" .
             'center=' . $addressEncoded .
-            'format=' . $format .
+            '&format=' . $format .
             '&size=' . $size .
             '&key=' . $apiKey;
 

application/Espo/Controllers/AddressCountry.php

@@ -0,0 +1,50 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Controllers;
+
+use Espo\Core\Controllers\RecordBase;
+use Espo\Tools\Address\CountryDefaultsPopulator;
+
+class AddressCountry extends RecordBase
+{
+    protected function checkAccess(): bool
+    {
+        return $this->user->isAdmin();
+    }
+
+    public function postActionPopulateDefaults(): bool
+    {
+        $populate = $this->injectableFactory->create(CountryDefaultsPopulator::class);
+
+        $populate->populate();
+
+        return true;
+    }
+}

application/Espo/Controllers/Admin.php

@@ -36,7 +36,7 @@ use Espo\Core\Container;
 use Espo\Core\DataManager;
 use Espo\Core\Api\Request;
 use Espo\Core\Utils\Config;
-use Espo\Core\Utils\AdminNotificationManager;
+use Espo\Tools\AdminNotifications\Manager;
 use Espo\Core\Utils\SystemRequirements;
 use Espo\Core\Utils\ScheduledJob;
 use Espo\Core\Upgrades\UpgradeManager;
@@ -51,7 +51,7 @@ class Admin
         private Container $container,
         private Config $config,
         private User $user,
-        private AdminNotificationManager $adminNotificationManager,
+        private Manager $adminNotificationManager,
         private SystemRequirements $systemRequirements,
         private ScheduledJob $scheduledJob,
         private DataManager $dataManager

application/Espo/Controllers/ApiIndex.php

@@ -29,10 +29,14 @@
 
 namespace Espo\Controllers;
 
+use Espo\Core\Api\Request;
+use Espo\Core\Api\Response;
+use Espo\Core\Utils\Json;
+
 class ApiIndex
 {
-    public function getActionIndex(): string
+    public function getActionIndex(Request $request, Response $response): void
     {
-        return "EspoCRM REST API";
+        $response->writeBody(Json::encode("EspoCRM REST API"));
     }
 }

application/Espo/Controllers/AppLogRecord.php

@@ -0,0 +1,76 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Controllers;
+
+use Espo\Core\Exceptions\Forbidden;
+use Espo\Core\Controllers\Record;
+use Espo\Core\Api\Request;
+use Espo\Core\Api\Response;
+use stdClass;
+
+class AppLogRecord extends Record
+{
+    protected function checkAccess(): bool
+    {
+        if (!$this->user->isAdmin()) {
+            return false;
+        }
+
+        if (!$this->config->get('restrictedMode')) {
+            return true;
+        }
+
+        if ($this->config->get('appLogAdminAllowed')) {
+            return true;
+        }
+
+        return $this->user->isSuperAdmin();
+    }
+
+    public function postActionCreate(Request $request, Response $response): stdClass
+    {
+        throw new Forbidden();
+    }
+
+    public function putActionUpdate(Request $request, Response $response): stdClass
+    {
+        throw new Forbidden();
+    }
+
+    public function postActionCreateLink(Request $request): bool
+    {
+        throw new Forbidden();
+    }
+
+    public function deleteActionRemoveLink(Request $request): bool
+    {
+        throw new Forbidden();
+    }
+}

application/Espo/Controllers/DataPrivacy.php

@@ -36,17 +36,26 @@ use Espo\Core\Acl;
 use Espo\Core\Api\Request;
 use Espo\Core\Api\Response;
 
+use Espo\Core\Exceptions\NotFound;
 use Espo\Tools\DataPrivacy\Erasor;
 
 class DataPrivacy
 {
+    /**
+     * @throws Forbidden
+     */
     public function __construct(private Erasor $erasor, private Acl $acl)
     {
-        if ($this->acl->getPermissionLevel('dataPrivacyPermission') === Acl\Table::LEVEL_NO) {
+        if ($this->acl->getPermissionLevel(Acl\Permission::DATA_PRIVACY) === Acl\Table::LEVEL_NO) {
             throw new Forbidden();
         }
     }
 
+    /**
+     * @throws BadRequest
+     * @throws Forbidden
+     * @throws NotFound
+     */
     public function postActionErase(Request $request, Response $response): void
     {
         $data = $request->getParsedBody();

application/Espo/Controllers/InboundEmail.php

@@ -35,6 +35,7 @@ use Espo\Core\Mail\Account\Storage\Params as StorageParams;
 
 use Espo\Core\Controllers\Record;
 use Espo\Core\Api\Request;
+use Espo\Core\Mail\Exceptions\ImapError;
 
 class InboundEmail extends Record
 {
@@ -45,7 +46,8 @@ class InboundEmail extends Record
 
     /**
      * @return string[]
-     * @throws \Espo\Core\Exceptions\Error
+     * @throws Error
+     * @throws ImapError
      */
     public function postActionGetFolders(Request $request): array
     {

application/Espo/Controllers/Portal.php

@@ -29,6 +29,7 @@
 
 namespace Espo\Controllers;
 
+use Espo\Core\Acl\Permission;
 use Espo\Core\Acl\Table;
 use Espo\Core\Controllers\Record;
 
@@ -36,7 +37,7 @@ class Portal extends Record
 {
     protected function checkAccess(): bool
     {
-        $level = $this->acl->getPermissionLevel('portal');
+        $level = $this->acl->getPermissionLevel(Permission::PORTAL);
 
         return $level === Table::LEVEL_YES;
     }

application/Espo/Controllers/Stream.php

@@ -68,19 +68,28 @@ class Stream
             throw new BadRequest();
         }
 
-        if ($id === null && $scope !== UserEntity::ENTITY_TYPE) {
-            throw new BadRequest("No ID.");
-        }
-
         $searchParams = $this->fetchSearchParams($request);
 
-        $result = $scope === UserEntity::ENTITY_TYPE ?
-            $this->userRecordService->find($id, $searchParams) :
-            $this->service->find($scope, $id ?? '', $searchParams);
+        if ($scope === UserEntity::ENTITY_TYPE) {
+            $collection = $this->userRecordService->find($id, $searchParams);
+
+            return (object) [
+                'total' => $collection->getTotal(),
+                'list' => $collection->getValueMapList(),
+            ];
+        }
+
+        if ($id === null) {
+            throw new BadRequest();
+        }
+
+        $collection = $this->service->find($scope, $id, $searchParams);
+        $pinnedCollection = $this->service->getPinned($scope, $id);
 
         return (object) [
-            'total' => $result->getTotal(),
-            'list' => $result->getValueMapList(),
+            'total' => $collection->getTotal(),
+            'list' => $collection->getValueMapList(),
+            'pinnedList' => $pinnedCollection->getValueMapList(),
         ];
     }
 

application/Espo/Core/Acl.php

@@ -31,6 +31,7 @@ namespace Espo\Core;
 
 use Espo\Core\Acl\Exceptions\NotImplemented;
 use Espo\Core\Acl\GlobalRestriction;
+use Espo\Core\Acl\Permission;
 use Espo\Core\Acl\Table;
 
 use Espo\ORM\Entity;
@@ -283,7 +284,7 @@ class Acl
      *
      * @param User|string $target User entity or user ID.
      */
-    public function checkUserPermission($target, string $permissionType = 'user'): bool
+    public function checkUserPermission($target, string $permissionType = Permission::USER): bool
     {
         return $this->aclManager->checkUserPermission($this->user, $target, $permissionType);
     }

application/Espo/Core/Acl/AccessChecker/AccessCheckers/Foreign.php

@@ -30,11 +30,8 @@
 namespace Espo\Core\Acl\AccessChecker\AccessCheckers;
 
 use Espo\Entities\User;
-
 use Espo\ORM\Entity;
-
 use Espo\Core\Utils\Metadata;
-
 use Espo\Core\Acl\DefaultAccessChecker;
 use Espo\Core\Acl\Traits\DefaultAccessCheckerDependency;
 use Espo\Core\Acl\AccessEntityCreateChecker;
@@ -67,17 +64,12 @@ class Foreign implements
 {
     use DefaultAccessCheckerDependency;
 
-    private Metadata $metadata;
-    private EntityManager $entityManager;
-
     public function __construct(
-        Metadata $metadata,
+        private Metadata $metadata,
         DefaultAccessChecker $defaultAccessChecker,
-        EntityManager $entityManager
+        private EntityManager $entityManager
     ) {
-        $this->metadata = $metadata;
         $this->defaultAccessChecker = $defaultAccessChecker;
-        $this->entityManager = $entityManager;
     }
 
     private function getForeignEntity(Entity $entity): ?Entity
@@ -121,7 +113,9 @@ class Foreign implements
             return false;
         }
 
-        return $this->defaultAccessChecker->checkEntityCreate($user, $entity, $data);
+        // @todo Check parent 'edit' access.
+
+        return $this->defaultAccessChecker->checkEntityCreate($user, $foreign, $data);
     }
 
     public function checkEntityRead(User $user, Entity $entity, ScopeData $data): bool
@@ -132,7 +126,7 @@ class Foreign implements
             return false;
         }
 
-        return $this->defaultAccessChecker->checkEntityRead($user, $entity, $data);
+        return $this->defaultAccessChecker->checkEntityRead($user, $foreign, $data);
     }
 
     public function checkEntityEdit(User $user, Entity $entity, ScopeData $data): bool
@@ -143,7 +137,7 @@ class Foreign implements
             return false;
         }
 
-        return $this->defaultAccessChecker->checkEntityEdit($user, $entity, $data);
+        return $this->defaultAccessChecker->checkEntityEdit($user, $foreign, $data);
     }
 
     public function checkEntityDelete(User $user, Entity $entity, ScopeData $data): bool
@@ -151,10 +145,14 @@ class Foreign implements
         $foreign = $this->getForeignEntity($entity);
 
         if (!$foreign) {
+            if ($user->isAdmin()) {
+                return true;
+            }
+
             return false;
         }
 
-        return $this->defaultAccessChecker->checkEntityDelete($user, $entity, $data);
+        return $this->defaultAccessChecker->checkEntityDelete($user, $foreign, $data);
     }
 
     public function checkEntityStream(User $user, Entity $entity, ScopeData $data): bool
@@ -165,6 +163,6 @@ class Foreign implements
             return false;
         }
 
-        return $this->defaultAccessChecker->checkEntityStream($user, $entity, $data);
+        return $this->defaultAccessChecker->checkEntityStream($user, $foreign, $data);
     }
 }

application/Espo/Core/Acl/DefaultAccessChecker.php

@@ -87,7 +87,7 @@ class DefaultAccessChecker implements
         return $this->scopeChecker->check($data, $action, $checkerData);
     }
 
-    private function checkScope(User $user, ScopeData $data, ?string $action = null): bool
+    private function checkScope(ScopeData $data, ?string $action = null): bool
     {
         $checkerData = ScopeCheckerData
             ::createBuilder()
@@ -100,27 +100,27 @@ class DefaultAccessChecker implements
 
     public function check(User $user, ScopeData $data): bool
     {
-        return $this->checkScope($user, $data);
+        return $this->checkScope($data);
     }
 
     public function checkCreate(User $user, ScopeData $data): bool
     {
-        return $this->checkScope($user, $data, Table::ACTION_CREATE);
+        return $this->checkScope($data, Table::ACTION_CREATE);
     }
 
     public function checkRead(User $user, ScopeData $data): bool
     {
-        return $this->checkScope($user, $data, Table::ACTION_READ);
+        return $this->checkScope($data, Table::ACTION_READ);
     }
 
     public function checkEdit(User $user, ScopeData $data): bool
     {
-        return $this->checkScope($user, $data, Table::ACTION_EDIT);
+        return $this->checkScope($data, Table::ACTION_EDIT);
     }
 
     public function checkDelete(User $user, ScopeData $data): bool
     {
-        if ($this->checkScope($user, $data, Table::ACTION_DELETE)) {
+        if ($this->checkScope($data, Table::ACTION_DELETE)) {
             return true;
         }
 
@@ -137,7 +137,7 @@ class DefaultAccessChecker implements
 
     public function checkStream(User $user, ScopeData $data): bool
     {
-        return $this->checkScope($user, $data, Table::ACTION_STREAM);
+        return $this->checkScope($data, Table::ACTION_STREAM);
     }
 
     public function checkEntityCreate(User $user, Entity $entity, ScopeData $data): bool

application/Espo/Core/Acl/DefaultAssignmentChecker.php

@@ -99,7 +99,7 @@ class DefaultAssignmentChecker implements AssignmentChecker
             return false;
         }
 
-        $assignmentPermission = $this->aclManager->getPermissionLevel($user, 'assignmentPermission');
+        $assignmentPermission = $this->aclManager->getPermissionLevel($user, Permission::ASSIGNMENT);
 
         if (
             $assignmentPermission === Table::LEVEL_YES ||
@@ -157,7 +157,7 @@ class DefaultAssignmentChecker implements AssignmentChecker
 
     protected function isPermittedTeams(User $user, Entity $entity): bool
     {
-        $assignmentPermission = $this->aclManager->getPermissionLevel($user, 'assignmentPermission');
+        $assignmentPermission = $this->aclManager->getPermissionLevel($user, Permission::ASSIGNMENT);
 
         if (!in_array($assignmentPermission, [Table::LEVEL_TEAM, Table::LEVEL_NO])) {
             return true;
@@ -219,7 +219,7 @@ class DefaultAssignmentChecker implements AssignmentChecker
 
     private function isPermittedTeamsEmpty(User $user, CoreEntity $entity): bool
     {
-        $assignmentPermission = $this->aclManager->getPermissionLevel($user, 'assignmentPermission');
+        $assignmentPermission = $this->aclManager->getPermissionLevel($user, Permission::ASSIGNMENT);
 
         if ($assignmentPermission !== Table::LEVEL_TEAM) {
             return true;
@@ -259,7 +259,7 @@ class DefaultAssignmentChecker implements AssignmentChecker
             return false;
         }
 
-        $assignmentPermission = $this->aclManager->getPermissionLevel($user, 'assignmentPermission');
+        $assignmentPermission = $this->aclManager->getPermissionLevel($user, Permission::ASSIGNMENT);
 
         if (
             $assignmentPermission === Table::LEVEL_YES ||

application/Espo/Core/Acl/DefaultOwnershipChecker.php

@@ -81,7 +81,6 @@ class DefaultOwnershipChecker implements OwnershipOwnChecker, OwnershipTeamCheck
             return false;
         }
 
-        /** @var string[] $userTeamIdList */
         $userTeamIdList = $user->getLinkMultipleIdList(self::FIELD_TEAMS);
 
         if (

application/Espo/Core/Acl/OwnerUserFieldProvider.php

@@ -53,7 +53,7 @@ class OwnerUserFieldProvider
 
     /**
      * Get an entity field that stores an owner-user (or multiple users).
-     * Must be link or linkMulitple field. NULL means no owner.
+     * Must be a link or linkMultiple field. NULL means no owner.
      */
     public function get(string $entityType): ?string
     {

application/Espo/Core/Acl/Permission.php

@@ -0,0 +1,43 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Acl;
+
+class Permission
+{
+    public const ASSIGNMENT = 'assignment';
+    public const USER = 'user';
+    public const PORTAL = 'portal';
+    public const MASS_UPDATE = 'massUpdate';
+    public const EXPORT = 'export';
+    public const AUDIT = 'audit';
+    public const DATA_PRIVACY = 'dataPrivacy';
+    public const MESSAGE = 'message';
+    public const MENTION = 'mention';
+}

application/Espo/Core/Acl/Table/DefaultTable.php

@@ -52,9 +52,7 @@ class DefaultTable implements Table
     protected string $type = 'acl';
     protected string $defaultAclType = 'recordAllTeamOwnNo';
 
-    /**
-     * @var string[]
-     */
+    /** @var string[] */
     private $actionList = [
         self::ACTION_READ,
         self::ACTION_STREAM,
@@ -63,16 +61,12 @@ class DefaultTable implements Table
         self::ACTION_CREATE,
     ];
 
-    /**
-     * @var string[]
-     */
+    /** @var string[] */
     private $booleanActionList = [
         self::ACTION_CREATE,
     ];
 
-    /**
-     * @var string[]
-     */
+    /** @var string[] */
     protected $levelList = [
         self::LEVEL_YES,
         self::LEVEL_ALL,
@@ -81,30 +75,23 @@ class DefaultTable implements Table
         self::LEVEL_NO,
     ];
 
-    /**
-     * @var string[]
-     */
+    /** @var string[]  */
     private $fieldActionList = [
         self::ACTION_READ,
         self::ACTION_EDIT,
     ];
 
-    /**
-     * @var string[]
-     */
+    /** @var string[] */
     protected $fieldLevelList = [
         self::LEVEL_YES,
         self::LEVEL_NO,
     ];
 
     private stdClass $data;
-
     private string $cacheKey;
-
-    /**
-     * @var string[]
-     */
+    /** @var string[] */
     private $valuePermissionList = [];
+    private ScopeDataResolver $scopeDataResolver;
 
     public function __construct(
         private RoleListProvider $roleListProvider,
@@ -112,7 +99,7 @@ class DefaultTable implements Table
         protected User $user,
         Config $config,
         protected Metadata $metadata,
-        DataCache $dataCache
+        DataCache $dataCache,
     ) {
 
         $this->data = (object) [
@@ -135,14 +122,15 @@ class DefaultTable implements Table
             $cachedData = $dataCache->get($this->cacheKey);
 
             $this->data = $cachedData;
-        }
-        else {
+        } else {
             $this->load();
 
             if ($config->get('useCache')) {
                 $dataCache->store($this->cacheKey, $this->data);
             }
         }
+
+        $this->scopeDataResolver = new ScopeDataResolver($this);
     }
 
     /**
@@ -156,11 +144,7 @@ class DefaultTable implements Table
 
         $data = $this->data->scopes->$scope;
 
-        if (is_string($data)) {
-            return $this->getScopeData($data);
-        }
-
-        return ScopeData::fromRaw($data);
+        return $this->scopeDataResolver->resolve($data);
     }
 
     /**

application/Espo/Core/Acl/Table/ScopeDataResolver.php

@@ -0,0 +1,66 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Acl\Table;
+
+use Espo\Core\Acl\ScopeData;
+use Espo\Core\Acl\Table;
+
+/**
+ * @internal
+ */
+class ScopeDataResolver
+{
+    public function __construct(
+        private Table $table,
+    ) {}
+
+    public function resolve(mixed $data): ScopeData
+    {
+        if (!is_string($data)) {
+            return ScopeData::fromRaw($data);
+        }
+
+        $foreignScope = $data;
+        $isBoolean = false;
+
+        if (str_starts_with($data, 'boolean:')) {
+            [, $foreignScope] = explode(':', $data, 2);
+            $isBoolean = true;
+        }
+
+        $scopeData = $this->table->getScopeData($foreignScope);
+
+        if ($isBoolean && !$scopeData->isBoolean()) {
+            return ScopeData::fromRaw(true);
+        }
+
+        return $scopeData;
+    }
+}

application/Espo/Core/AclManager.php

@@ -29,6 +29,7 @@
 
 namespace Espo\Core;
 
+use Espo\Core\Acl\Permission;
 use Espo\ORM\Entity;
 use Espo\ORM\EntityManager;
 use Espo\Entities\User;
@@ -69,7 +70,7 @@ use InvalidArgumentException;
  */
 class AclManager
 {
-    protected const PERMISSION_ASSIGNMENT = 'assignment';
+    protected const PERMISSION_ASSIGNMENT = Permission::ASSIGNMENT;
 
     /** @var array<string, AccessChecker> */
     private $accessCheckerHashMap = [];
@@ -572,7 +573,7 @@ class AclManager
      *
      * @param User|string $target User entity or user ID.
      */
-    public function checkUserPermission(User $user, $target, string $permissionType = 'user'): bool
+    public function checkUserPermission(User $user, $target, string $permissionType = Permission::USER): bool
     {
         $permission = $this->getPermissionLevel($user, $permissionType);
 

application/Espo/Core/Api/Auth.php

@@ -29,6 +29,7 @@
 
 namespace Espo\Core\Api;
 
+use Espo\Core\Authentication\HeaderKey;
 use Espo\Core\Exceptions\BadRequest;
 use Espo\Core\Exceptions\ServiceUnavailable;
 use Espo\Core\Exceptions\Forbidden;
@@ -47,8 +48,6 @@ use Exception;
  */
 class Auth
 {
-    private const HEADER_ESPO_AUTHORIZATION = 'Espo-Authorization';
-
     public function __construct(
         private Log $log,
         private Authentication $authentication,
@@ -195,8 +194,12 @@ class Auth
             throw new BadRequest("Auth: Bad authorization string provided.");
         }
 
-        /** @var array{string, string} */
-        return explode(':', $stringDecoded, 2);
+        [$username, $password] = explode(':', $stringDecoded, 2);
+
+        $username = trim($username);
+        $password = trim($password);
+
+        return [$username, $password];
     }
 
     private function handleSecondStepRequired(Response $response, Result $result): void
@@ -237,7 +240,9 @@ class Auth
                 $response->writeBody($e->getBody());
             }
 
-            $this->log->notice("Auth: " . $e->getMessage());
+            if ($e->getMessage()) {
+                $this->log->notice("Auth exception: {message}", ['message' => $e->getMessage()]);
+            }
 
             return;
         }
@@ -269,7 +274,7 @@ class Auth
 
     private function obtainAuthenticationMethodFromRequest(Request $request): ?string
     {
-        if ($request->hasHeader(self::HEADER_ESPO_AUTHORIZATION)) {
+        if ($request->hasHeader(HeaderKey::AUTHORIZATION)) {
             return null;
         }
 
@@ -299,12 +304,10 @@ class Auth
      */
     private function obtainUsernamePasswordFromRequest(Request $request): array
     {
-        if ($request->hasHeader(self::HEADER_ESPO_AUTHORIZATION)) {
-            [$username, $password] = $this->decodeAuthorizationString(
-                $request->getHeader(self::HEADER_ESPO_AUTHORIZATION) ?? ''
-            );
+        if ($request->hasHeader(HeaderKey::AUTHORIZATION)) {
+            $headerValue = $request->getHeader(HeaderKey::AUTHORIZATION) ?? '';
 
-            return [$username, $password];
+            return $this->decodeAuthorizationString($headerValue);
         }
 
         if (
@@ -314,6 +317,14 @@ class Auth
             $username = $request->getServerParam('PHP_AUTH_USER');
             $password = $request->getServerParam('PHP_AUTH_PW');
 
+            if (is_string($username)) {
+                $username = trim($username);
+            }
+
+            if (is_string($password)) {
+                $password = trim($password);
+            }
+
             return [$username, $password];
         }
 

application/Espo/Core/Api/ErrorOutput.php

@@ -37,9 +37,11 @@ use Espo\Core\Exceptions\HasBody;
 use Espo\Core\Exceptions\HasLogLevel;
 use Espo\Core\Exceptions\HasLogMessage;
 use Espo\Core\Exceptions\NotFound;
-use Espo\Core\Utils\Config;
 use Espo\Core\Utils\Log;
 
+use LogicException;
+use Psr\Log\LogLevel;
+use RuntimeException;
 use Throwable;
 
 /**
@@ -80,7 +82,7 @@ class ErrorOutput
         NotFound::class,
     ];
 
-    public function __construct(private Log $log, private Config $config)
+    public function __construct(private Log $log)
     {}
 
     public function process(
@@ -112,6 +114,11 @@ class ErrorOutput
     ): void {
 
         $message = $exception->getMessage();
+
+        if ($exception->getPrevious() && $exception->getPrevious()->getMessage()) {
+            $message .= " " . $exception->getPrevious()->getMessage();
+        }
+
         $statusCode = $exception->getCode();
 
         if ($exception instanceof HasLogMessage) {
@@ -122,30 +129,12 @@ class ErrorOutput
             $this->processRoute($route, $request, $exception);
         }
 
-        $logLevel = $exception instanceof HasLogLevel ?
-            $exception->getLogLevel() :
-            Log::LEVEL_ERROR;
+        $level = $this->getLevel($exception);
 
-        $messageLineFile =
-            'line: ' . $exception->getLine() . ', ' .
-            'file: ' . $exception->getFile();
-
-        $logMessageItemList = [];
-
-        if ($message) {
-            $logMessageItemList[] = "$message";
-        }
-
-        $logMessageItemList[] = $request->getMethod() . ' ' . $request->getResourcePath();
-        $logMessageItemList[] = $messageLineFile;
-
-        $logMessage = "($statusCode) " . implode("; ", $logMessageItemList);
-
-        if ($this->toPrintTrace()) {
-            $logMessage .= " :: " . $exception->getTraceAsString();
-        }
-
-        $this->log->log($logLevel, $logMessage);
+        $this->log->log($level, $message, [
+            'exception' => $exception,
+            'request' => $request,
+        ]);
 
         if (!in_array($statusCode, $this->allowedStatusCodeList)) {
             $statusCode = 500;
@@ -224,6 +213,11 @@ class ErrorOutput
         $requestBodyString = $this->clearPasswords($request->getBodyContents() ?? '');
 
         $message = $exception->getMessage();
+
+        if ($exception->getPrevious() && $exception->getPrevious()->getMessage()) {
+            $message .= " " . $exception->getPrevious()->getMessage();
+        }
+
         $statusCode = $exception->getCode();
 
         $routeParams = $request->getRouteParams();
@@ -250,12 +244,7 @@ class ErrorOutput
 
         $logMessage .= implode("; ", $logMessageItemList);
 
-        $this->log->log('debug', $logMessage);
-    }
-
-    private function toPrintTrace(): bool
-    {
-        return (bool) $this->config->get('logger.printTrace');
+        $this->log->debug($logMessage);
     }
 
     private function toPrintExceptionStatusReason(Throwable $exception): bool
@@ -269,4 +258,21 @@ class ErrorOutput
 
         return false;
     }
+
+    private function getLevel(Throwable $exception): string
+    {
+        if ($exception instanceof HasLogLevel) {
+            return $exception->getLogLevel();
+        }
+
+        if ($exception instanceof LogicException) {
+            return LogLevel::ALERT;
+        }
+
+        if ($exception instanceof RuntimeException) {
+            return LogLevel::CRITICAL;
+        }
+
+        return LogLevel::ERROR;
+    }
 }

application/Espo/Core/ApplicationRunners/Command.php

@@ -40,7 +40,6 @@ use Exception;
 class Command implements Runner
 {
     use Cli;
-    use SetupSystemUser;
 
     public function __construct(private ConsoleCommandManager $commandManager)
     {}

application/Espo/Core/Authentication/Authentication.php

@@ -67,9 +67,7 @@ class Authentication
 {
     private const LOGOUT_USERNAME = '**logout';
 
-    private const HEADER_ESPO_AUTHORIZATION = 'Espo-Authorization';
     private const HEADER_CREATE_TOKEN_SECRET = 'Espo-Authorization-Create-Token-Secret';
-    private const HEADER_BY_TOKEN = 'Espo-Authorization-By-Token';
     private const HEADER_ANOTHER_USER = 'X-Another-User';
     private const HEADER_LOGOUT_REDIRECT_URL = 'X-Logout-Redirect-Url';
 
@@ -95,6 +93,7 @@ class Authentication
      * Process logging in.
      *
      * @throws ServiceUnavailable
+     * @throws Forbidden
      */
     public function login(AuthenticationData $data, Request $request, Response $response): Result
     {
@@ -107,16 +106,21 @@ class Authentication
             $method &&
             !$this->configDataProvider->authenticationMethodIsApi($method)
         ) {
-            $this->log
-                ->warning("AUTH: Trying to use not allowed authentication method '$method'.");
+            $this->log->warning("Auth: Trying to use not allowed authentication method '{method}'.", [
+                'method' => $method,
+            ]);
 
             return $this->processFail(Result::fail(FailReason::METHOD_NOT_ALLOWED), $data, $request);
         }
 
-        $this->hookManager->processBeforeLogin($data, $request);
+        try {
+            $this->hookManager->processBeforeLogin($data, $request);
+        } catch (Forbidden $e) {
+            $this->processForbidden($e);
+        }
 
         if (!$method && $password === null) {
-            $this->log->error("AUTH: Trying to login w/o password.");
+            $this->log->error("Auth: Trying to login w/o password.");
 
             return Result::fail(FailReason::NO_PASSWORD);
         }
@@ -149,7 +153,7 @@ class Authentication
             }
         }
 
-        $byTokenAndUsername = $request->getHeader(self::HEADER_BY_TOKEN) === 'true';
+        $byTokenAndUsername = $request->getHeader(HeaderKey::AUTHORIZATION_BY_TOKEN) === 'true';
 
         if ($method && $byTokenAndUsername) {
             return Result::fail(FailReason::DISCREPANT_DATA);
@@ -157,7 +161,9 @@ class Authentication
 
         if (($byTokenAndUsername || $byTokenOnly) && !$authToken) {
             if ($username) {
-                $this->log->info("AUTH: Trying to login as user '$username' by token but token is not found.");
+                $this->log->info("Auth: Trying to login as user '{username}' by token but token is not found.", [
+                    'username' => $username,
+                ]);
             }
 
             return $this->processFail(Result::fail(FailReason::TOKEN_NOT_FOUND), $data, $request);
@@ -213,15 +219,7 @@ class Authentication
             return $this->processFail(Result::fail(FailReason::DENIED), $data, $request);
         }
 
-        if ($this->isPortal()) {
-            $user->set('portalId', $this->getPortal()->getId());
-        }
-
-        if (!$this->isPortal()) {
-            $user->loadLinkMultipleField('teams');
-        }
-
-        $user->set('ipAddress', $this->util->obtainIpFromRequest($request));
+        $this->prepareUser($user, $request);
 
         [$loggedUser, $anotherUserFailReason] = $this->getLoggedUser($request, $user);
 
@@ -234,6 +232,7 @@ class Authentication
         $this->applicationUser->setUser($loggedUser);
 
         if (
+            !$result->bypassSecondStep() &&
             !$result->isSecondStepRequired() &&
             !$authToken &&
             $this->configDataProvider->isTwoFactorEnabled()
@@ -241,13 +240,19 @@ class Authentication
             $result = $this->processTwoFactor($result, $request);
 
             if ($result->isFail()) {
-                return $this->processFail($result, $data, $request);
+                return $this->processTwoFactorFail($result, $data, $request, $authLogRecord);
             }
         }
 
+        try {
+            $this->hookManager->processOnLogin($result, $data, $request);
+        } catch (Forbidden $e) {
+            $this->processForbidden($e, $authLogRecord);
+        }
+
         if (
             !$result->isSecondStepRequired() &&
-            $request->getHeader(self::HEADER_ESPO_AUTHORIZATION)
+            $request->getHeader(HeaderKey::AUTHORIZATION)
         ) {
             $authToken = $this->processAuthTokenFinal(
                 $authToken,
@@ -344,13 +349,13 @@ class Authentication
     private function processAuthTokenCheck(AuthToken $authToken): bool
     {
         if ($this->isPortal() && $authToken->getPortalId() !== $this->getPortal()->getId()) {
-            $this->log->info("AUTH: Trying to login to portal with a token not related to portal.");
+            $this->log->info("Auth: Trying to login to portal with a token not related to portal.");
 
             return false;
         }
 
         if (!$this->isPortal() && $authToken->getPortalId()) {
-            $this->log->info("AUTH: Trying to login to crm with a token related to portal.");
+            $this->log->info("Auth: Trying to login to crm with a token related to portal.");
 
             return false;
         }
@@ -361,8 +366,9 @@ class Authentication
     private function processUserCheck(User $user, ?AuthLogRecord $authLogRecord): bool
     {
         if (!$user->isActive()) {
-            $this->log
-                ->info("AUTH: Trying to login as user '" . $user->getUserName() . "' which is not active.");
+            $this->log->info("Auth: Trying to login as user '{username}' which is not active.", [
+                'username' => $user->getUserName(),
+            ]);
 
             $this->logDenied($authLogRecord, AuthLogRecord::DENIAL_REASON_INACTIVE_USER);
 
@@ -370,8 +376,9 @@ class Authentication
         }
 
         if ($user->isSystem()) {
-            $this->log
-                ->info("AUTH: Trying to login to crm as a system user '{$user->getUserName()}'.");
+            $this->log->info("Auth: Trying to login to crm as a system user '{username}'.", [
+                'username' => $user->getUserName(),
+            ]);
 
             $this->logDenied($authLogRecord, AuthLogRecord::DENIAL_REASON_IS_SYSTEM_USER);
 
@@ -379,8 +386,9 @@ class Authentication
         }
 
         if (!$user->isAdmin() && !$this->isPortal() && $user->isPortal()) {
-            $this->log
-                ->info("AUTH: Trying to login to crm as a portal user '" . $user->getUserName() . "'.");
+            $this->log->info("Auth: Trying to login to crm as a portal user '{username}'.", [
+                'username' => $user->getUserName(),
+            ]);
 
             $this->logDenied($authLogRecord, AuthLogRecord::DENIAL_REASON_IS_PORTAL_USER);
 
@@ -388,8 +396,9 @@ class Authentication
         }
 
         if ($this->isPortal() && !$user->isPortal()) {
-            $this->log->info(
-                "AUTH: Trying to login to portal as user '" . $user->getUserName() . "' which is not portal user.");
+            $this->log->info("Auth: Trying to login to portal as user '{username}' which is not portal user.", [
+                'username' => $user->getUserName(),
+            ]);
 
             $this->logDenied($authLogRecord, AuthLogRecord::DENIAL_REASON_IS_NOT_PORTAL_USER);
 
@@ -403,9 +412,12 @@ class Authentication
                 ->isRelated($user);
 
             if (!$isPortalRelatedToUser) {
-                $this->log->info(
-                    "AUTH: Trying to login to portal as user '" . $user->getUserName() . "' ".
-                    "which is portal user but does not belong to portal.");
+                $msg = "Auth: Trying to login to portal as user '{username}' " .
+                    "which is portal user but does not belong to portal.";
+
+                $this->log->info($msg, [
+                    'username' => $user->getUserName(),
+                ]);
 
                 $this->logDenied($authLogRecord, AuthLogRecord::DENIAL_REASON_USER_IS_NOT_IN_PORTAL);
 
@@ -771,4 +783,56 @@ class Authentication
 
         return [$loggedUser, null];
     }
+
+    private function prepareUser(User $user, Request $request): void
+    {
+        if ($this->isPortal()) {
+            $user->set('portalId', $this->getPortal()->getId());
+        }
+
+        if (!$this->isPortal()) {
+            $user->loadLinkMultipleField('teams');
+        }
+
+        $user->set('ipAddress', $this->util->obtainIpFromRequest($request));
+    }
+
+    /**
+     * @throws Forbidden
+     */
+    private function processForbidden(Forbidden $exception, ?AuthLogRecord $authLogRecord = null): never
+    {
+        $this->log->warning('Auth: Forbidden. {message}', [
+            'message' => $exception->getMessage(),
+            'exception' => $exception,
+        ]);
+
+        if ($authLogRecord) {
+            $authLogRecord
+                ->setIsDenied()
+                ->setDenialReason(AuthLogRecord::DENIAL_REASON_FORBIDDEN);
+
+            $this->entityManager->saveEntity($authLogRecord);
+        }
+
+        throw new Forbidden();
+    }
+
+    private function processTwoFactorFail(
+        Result $result,
+        AuthenticationData $data,
+        Request $request,
+        ?AuthLogRecord $authLogRecord
+    ): Result {
+
+        if ($authLogRecord) {
+            $authLogRecord
+                ->setIsDenied()
+                ->setDenialReason(AuthLogRecord::DENIAL_REASON_WRONG_CODE);
+
+            $this->entityManager->saveEntity($authLogRecord);
+        }
+
+        return $this->processFail($result, $data, $request);
+    }
 }

application/Espo/Core/Authentication/ConfigDataProvider.php

@@ -37,6 +37,7 @@ use Espo\Core\Utils\Metadata;
 class ConfigDataProvider
 {
     private const FAILED_ATTEMPTS_PERIOD =  '60 seconds';
+    private const FAILED_CODE_ATTEMPTS_PERIOD =  '5 minutes';
     private const MAX_FAILED_ATTEMPT_NUMBER = 10;
 
     public function __construct(private Config $config, private Metadata $metadata)
@@ -50,6 +51,14 @@ class ConfigDataProvider
         return $this->config->get('authFailedAttemptsPeriod', self::FAILED_ATTEMPTS_PERIOD);
     }
 
+    /**
+     * A period for max failed 2FA code attempts checking.
+     */
+    public function getFailedCodeAttemptsPeriod(): string
+    {
+        return $this->config->get('authFailedCodeAttemptsPeriod', self::FAILED_CODE_ATTEMPTS_PERIOD);
+    }
+
     /**
      * Max failed log in attempts.
      */
@@ -147,4 +156,25 @@ class ConfigDataProvider
 
         return $list;
     }
+
+    public function ipAddressCheck(): bool
+    {
+        return (bool) $this->config->get('authIpAddressCheck');
+    }
+
+    /**
+     * @return string[]
+     */
+    public function getIpAddressWhitelist(): array
+    {
+        return $this->config->get('authIpAddressWhitelist') ?? [];
+    }
+
+    /**
+     * @return string[]
+     */
+    public function getIpAddressCheckExcludedUserIdList(): array
+    {
+        return $this->config->get('authIpAddressCheckExcludedUsersIds') ?? [];
+    }
 }

application/Espo/Core/Authentication/HeaderKey.php

@@ -0,0 +1,37 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Authentication;
+
+class HeaderKey
+{
+    public const AUTHORIZATION_BY_TOKEN = 'Espo-Authorization-By-Token';
+    public const AUTHORIZATION_CODE = 'Espo-Authorization-Code';
+    public const AUTHORIZATION = 'Espo-Authorization';
+}

application/Espo/Core/Authentication/Hook/BeforeLogin.php

@@ -36,11 +36,12 @@ use Espo\Core\Exceptions\ServiceUnavailable;
 
 /**
  * Before logging in, before credentials are checked.
- *
- * @throws Forbidden
- * @throws ServiceUnavailable
  */
 interface BeforeLogin
 {
+    /**
+     * @throws Forbidden
+     * @throws ServiceUnavailable
+     */
     public function process(AuthenticationData $data, Request $request): void;
 }

application/Espo/Core/Authentication/Hook/Hooks/FailedAttemptsLimit.php

@@ -30,12 +30,12 @@
 namespace Espo\Core\Authentication\Hook\Hooks;
 
 use Espo\Core\Api\Util;
+use Espo\Core\Authentication\HeaderKey;
 use Espo\Core\Authentication\Hook\BeforeLogin;
 use Espo\Core\Authentication\AuthenticationData;
 use Espo\Core\Api\Request;
 use Espo\Core\Exceptions\Forbidden;
 use Espo\Core\Authentication\ConfigDataProvider;
-use Espo\Core\Utils\Log;
 use Espo\ORM\EntityManager;
 use Espo\Entities\AuthLogRecord;
 
@@ -51,7 +51,6 @@ class FailedAttemptsLimit implements BeforeLogin
     public function __construct(
         private ConfigDataProvider $configDataProvider,
         private EntityManager $entityManager,
-        private Log $log,
         private Util $util
     ) {}
 
@@ -60,34 +59,20 @@ class FailedAttemptsLimit implements BeforeLogin
      */
     public function process(AuthenticationData $data, Request $request): void
     {
-        $isByTokenOnly = !$data->getMethod() && $request->getHeader('Espo-Authorization-By-Token') === 'true';
+        $isByTokenOnly = !$data->getMethod() && $request->getHeader(HeaderKey::AUTHORIZATION_BY_TOKEN) === 'true';
 
-        if ($isByTokenOnly) {
-            return;
-        }
-
-        if ($this->configDataProvider->isAuthLogDisabled()) {
+        if ($isByTokenOnly || $this->configDataProvider->isAuthLogDisabled()) {
             return;
         }
 
         $failedAttemptsPeriod = $this->configDataProvider->getFailedAttemptsPeriod();
-        $maxFailedAttempts = $this->configDataProvider->getMaxFailedAttemptNumber();
 
-        $requestTime = intval($request->getServerParam('REQUEST_TIME_FLOAT'));
-
-        try {
-            $requestTimeFrom = (new DateTime('@' . $requestTime))->modify('-' . $failedAttemptsPeriod);
-        }
-        catch (Exception $e) {
-            throw new RuntimeException($e->getMessage());
-        }
-
-        $ip = $this->util->obtainIpFromRequest($request);
+        $ipAddress = $this->util->obtainIpFromRequest($request);
 
         $where = [
-            'requestTime>' => $requestTimeFrom->format('U'),
-            'ipAddress' => $ip,
+            'requestTime>' => $this->getTimeFrom($request, $failedAttemptsPeriod)->format('U'),
             'isDenied' => true,
+            'ipAddress' => $ipAddress,
         ];
 
         $wasFailed = (bool) $this->entityManager
@@ -105,12 +90,24 @@ class FailedAttemptsLimit implements BeforeLogin
             ->where($where)
             ->count();
 
-        if ($failAttemptCount <= $maxFailedAttempts) {
+        if ($failAttemptCount <= $this->configDataProvider->getMaxFailedAttemptNumber()) {
             return;
         }
 
-        $this->log->warning("AUTH: Max failed login attempts exceeded for IP '$ip'.");
+        throw new Forbidden("Max failed login attempts exceeded for IP address $ipAddress.");
+    }
 
-        throw new Forbidden("Max failed login attempts exceeded.");
+    private function getTimeFrom(Request $request, string $failedAttemptsPeriod): DateTime
+    {
+        $requestTime = intval($request->getServerParam('REQUEST_TIME_FLOAT'));
+
+        try {
+            $requestTimeFrom = (new DateTime('@' . $requestTime))->modify('-' . $failedAttemptsPeriod);
+        }
+        catch (Exception $e) {
+            throw new RuntimeException($e->getMessage());
+        }
+
+        return $requestTimeFrom;
     }
 }

application/Espo/Core/Authentication/Hook/Hooks/FailedCodeAttemptsLimit.php

@@ -0,0 +1,118 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Authentication\Hook\Hooks;
+
+use Espo\Core\Api\Request;
+use Espo\Core\Authentication\AuthenticationData;
+use Espo\Core\Authentication\ConfigDataProvider;
+use Espo\Core\Authentication\Hook\BeforeLogin;
+use Espo\Core\Exceptions\Forbidden;
+use Espo\Entities\AuthLogRecord;
+use Espo\ORM\EntityManager;
+
+use DateTime;
+use Exception;
+use RuntimeException;
+
+/**
+ * @noinspection PhpUnused
+ */
+class FailedCodeAttemptsLimit implements BeforeLogin
+{
+    public function __construct(
+        private ConfigDataProvider $configDataProvider,
+        private EntityManager $entityManager,
+    ) {}
+
+    /**
+     * @throws Forbidden
+     */
+    public function process(AuthenticationData $data, Request $request): void
+    {
+        if (
+            $request->getHeader('Espo-Authorization-Code') === null ||
+            $this->configDataProvider->isAuthLogDisabled()
+        ) {
+            return;
+        }
+
+        $isByTokenOnly = !$data->getMethod() && $request->getHeader('Espo-Authorization-By-Token') === 'true';
+
+        if ($isByTokenOnly) {
+            return;
+        }
+
+        $failedAttemptsPeriod = $this->configDataProvider->getFailedCodeAttemptsPeriod();
+
+        $where = [
+            'requestTime>' => $this->getTimeFrom($request, $failedAttemptsPeriod)->format('U'),
+            'isDenied' => true,
+            'username' => $data->getUsername(),
+            'denialReason' => AuthLogRecord::DENIAL_REASON_WRONG_CODE,
+        ];
+
+        $wasFailed = (bool) $this->entityManager
+            ->getRDBRepository(AuthLogRecord::ENTITY_TYPE)
+            ->select(['id'])
+            ->where($where)
+            ->findOne();
+
+        if (!$wasFailed) {
+            return;
+        }
+
+        $failAttemptCount = $this->entityManager
+            ->getRDBRepository(AuthLogRecord::ENTITY_TYPE)
+            ->where($where)
+            ->count();
+
+        if ($failAttemptCount <= $this->configDataProvider->getMaxFailedAttemptNumber()) {
+            return;
+        }
+
+        $username = $data->getUsername() ?? '';
+
+        throw new Forbidden("Max failed 2FA login attempts exceeded for username '$username'.");
+    }
+
+    private function getTimeFrom(Request $request, string $failedAttemptsPeriod): DateTime
+    {
+        $requestTime = intval($request->getServerParam('REQUEST_TIME_FLOAT'));
+
+        try {
+            $requestTimeFrom = (new DateTime('@' . $requestTime))->modify('-' . $failedAttemptsPeriod);
+        }
+        catch (Exception $e) {
+            throw new RuntimeException($e->getMessage());
+        }
+
+        return $requestTimeFrom;
+    }
+}

application/Espo/Core/Authentication/Hook/Hooks/IpAddressWhitelist.php

@@ -0,0 +1,87 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Authentication\Hook\Hooks;
+
+use Espo\Core\Api\Request;
+use Espo\Core\Api\Util;
+use Espo\Core\Authentication\AuthenticationData;
+use Espo\Core\Authentication\ConfigDataProvider;
+use Espo\Core\Authentication\Hook\OnLogin;
+use Espo\Core\Authentication\Result;
+use Espo\Core\Authentication\Util\IpAddressUtil;
+use Espo\Core\Exceptions\Forbidden;
+use Espo\Core\Utils\Config;
+
+class IpAddressWhitelist implements OnLogin
+{
+    public function __construct(
+        private ConfigDataProvider $configDataProvider,
+        private Util $util,
+        private Config $config,
+        private IpAddressUtil $ipAddressUtil
+    ) {}
+
+    public function process(Result $result, AuthenticationData $data, Request $request): void
+    {
+        if (!$this->configDataProvider->ipAddressCheck()) {
+            return;
+        }
+
+        $ipAddress = $this->util->obtainIpFromRequest($request);
+
+        if (
+            $ipAddress &&
+            $this->ipAddressUtil->isInWhitelist($ipAddress, $this->configDataProvider->getIpAddressWhitelist())
+        ) {
+            return;
+        }
+
+        $user = $result->getUser();
+
+        if ($user && $user->isPortal()) {
+            return;
+        }
+
+        if ($user && $user->isSuperAdmin() && $this->config->get('restrictedMode')) {
+            return;
+        }
+
+        if (
+            $user &&
+            in_array($user->getId(), $this->configDataProvider->getIpAddressCheckExcludedUserIdList())
+        ) {
+            return;
+        }
+
+        $username = $user ? $user->getUserName() : '?';
+
+        throw new Forbidden("Not allowed IP address $ipAddress, user: $username.");
+    }
+}

application/Espo/Core/Authentication/Hook/Manager.php

@@ -29,6 +29,8 @@
 
 namespace Espo\Core\Authentication\Hook;
 
+use Espo\Core\Exceptions\Forbidden;
+use Espo\Core\Exceptions\ServiceUnavailable;
 use Espo\Core\Utils\Metadata;
 use Espo\Core\InjectableFactory;
 use Espo\Core\Authentication\AuthenticationData;
@@ -41,6 +43,10 @@ class Manager
     public function __construct(private Metadata $metadata, private InjectableFactory $injectableFactory)
     {}
 
+    /**
+     * @throws ServiceUnavailable
+     * @throws Forbidden
+     */
     public function processBeforeLogin(AuthenticationData $data, Request $request): void
     {
         foreach ($this->getBeforeLoginHookList() as $hook) {
@@ -48,6 +54,16 @@ class Manager
         }
     }
 
+    /**
+     * @throws Forbidden
+     */
+    public function processOnLogin(Result $result, AuthenticationData $data, Request $request): void
+    {
+        foreach ($this->getOnLoginHookList() as $hook) {
+            $hook->process($result, $data, $request);
+        }
+    }
+
     public function processOnFail(Result $result, AuthenticationData $data, Request $request): void
     {
         foreach ($this->getOnFailHookList() as $hook) {
@@ -102,6 +118,21 @@ class Manager
         return $list;
     }
 
+    /**
+     * @return OnLogin[]
+     */
+    private function getOnLoginHookList(): array
+    {
+        $list = [];
+
+        foreach ($this->getHookClassNameList('onLogin') as $className) {
+            /** @var class-string<OnLogin> $className */
+            $list[] = $this->injectableFactory->create($className);
+        }
+
+        return $list;
+    }
+
     /**
      * @return OnResult[]
      */

application/Espo/Core/Authentication/Hook/OnLogin.php

@@ -0,0 +1,46 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Authentication\Hook;
+
+use Espo\Core\Authentication\AuthenticationData;
+use Espo\Core\Api\Request;
+use Espo\Core\Authentication\Result;
+use Espo\Core\Exceptions\Forbidden;
+
+/**
+ * Once a login result is ready.
+ */
+interface OnLogin
+{
+    /**
+     * @throws Forbidden
+     */
+    public function process(Result $result, AuthenticationData $data, Request $request): void;
+}

application/Espo/Core/Authentication/Ldap/LdapLogin.php

@@ -132,9 +132,8 @@ class LdapLogin implements Login
             if ($user) {
                 return Result::success($user);
             }
-            else {
-                return Result::fail(FailReason::WRONG_CREDENTIALS);
-            }
+
+            return Result::fail(FailReason::WRONG_CREDENTIALS);
         }
 
         if (!$password || $username == '**logout') {
@@ -158,9 +157,10 @@ class LdapLogin implements Login
         catch (Exception $e) {
             $options = $this->utils->getLdapClientOptions();
 
-            $this->log->error(
-                'LDAP: Could not connect to LDAP server [' . $options['host'] . '], details: ' . $e->getMessage()
-            );
+            $this->log->error("LDAP: Could not connect to LDAP server host. {message}", [
+                'host' => $options['host'],
+                'message' => $e->getMessage()
+            ]);
 
             /** @var string $username */
 
@@ -170,7 +170,9 @@ class LdapLogin implements Login
                 return Result::fail();
             }
 
-            $this->log->info('LDAP: Administrator [' . $username . '] was logged in by Espo method.');
+            $this->log->info("LDAP: Administrator '{username}' was logged in by Espo method.", [
+                'username' => $username,
+            ]);
         }
 
         $userDn = null;
@@ -182,15 +184,16 @@ class LdapLogin implements Login
                 $userDn = $this->findLdapUserDnByUsername($username);
             }
             catch (Exception $e) {
-                $this->log->error(
-                    'Error while finding DN for [' . $username . '], details: ' . $e->getMessage() . '.'
-                );
+                $this->log->error("Error while finding DN for '{username}'. {message}", [
+                    'username' => $username,
+                    'message' => $e->getMessage(),
+                ]);
             }
 
             if (!isset($userDn)) {
-                $this->log->error(
-                    'LDAP: Authentication failed for user [' . $username . '], details: user is not found.'
-                );
+                $this->log->error("LDAP: Authentication failed for '{username}'; user is not found.", [
+                    'username' => $username,
+                ]);
 
                 $adminUser = $this->adminLogin($username, $password);
 
@@ -198,18 +201,24 @@ class LdapLogin implements Login
                     return Result::fail();
                 }
 
-                $this->log->info('LDAP: Administrator [' . $username . '] was logged in by Espo method.');
+                $this->log->info("LDAP: Administrator '{username}' was logged in by Espo method.", [
+                    'username' => $username,
+                ]);
             }
 
-            $this->log->debug('User [' . $username . '] is found with this DN ['.$userDn.'].');
+            $this->log->debug("User '{username}' with DN '{dn}' is found .", [
+                'username' => $username,
+                'dn' => $userDn,
+            ]);
 
             try {
                 $ldapClient->bind($userDn, $password);
             }
             catch (Exception $e) {
-                $this->log->error(
-                    'LDAP: Authentication failed for user [' . $username . '], details: ' . $e->getMessage()
-                );
+                $this->log->error("LDAP: Authentication failed for '{username}'. {message}", [
+                    'username' => $username,
+                    'message' => $e->getMessage(),
+                ]);
 
                 return Result::fail();
             }
@@ -229,9 +238,9 @@ class LdapLogin implements Login
 
         if (!isset($user)) {
             if (!$this->utils->getOption('createEspoUser')) {
-                $this->log->warning(
-                    "LDAP: Authentication success for user $username, but user is not created in EspoCRM."
-                );
+                $this->log->warning("LDAP: '{username}' authenticated, but user is not created in Espo.", [
+                    'username' => $username,
+                ]);
 
                 return Result::fail(FailReason::USER_NOT_FOUND);
             }
@@ -259,7 +268,7 @@ class LdapLogin implements Login
                 $this->client = $this->clientFactory->create($options);
             }
             catch (Exception $e) {
-                $this->log->error('LDAP error: ' . $e->getMessage());
+                $this->log->error("LDAP error. {message}", ['message' => $e->getMessage()]);
             }
         }
 
@@ -290,7 +299,10 @@ class LdapLogin implements Login
         if (strtolower($username) !== strtolower($tokenUsername)) {
             $ip = $this->util->obtainIpFromRequest($request);
 
-            $this->log->alert('Unauthorized access attempt for user [' . $username . '] from IP [' . $ip . ']');
+            $this->log->alert("Unauthorized access attempt for user '{username}' from IP '{ip}'.", [
+                'username' => $username,
+                'ip' => $ip,
+            ]);
 
             return null;
         }
@@ -325,11 +337,11 @@ class LdapLogin implements Login
      */
     private function createUser(array $userData, bool $isPortal = false): ?User
     {
-        $this->log->info('Creating new user...');
+        $this->log->info("LDAP: Creating new user.");
 
         $data = [];
 
-        $this->log->debug('LDAP: user data: ' . print_r($userData, true));
+        $this->log->debug("LDAP: user data: {userData}", ['userData' => print_r($userData, true)]);
 
         $ldapFields = $this->loadFields('ldap');
 
@@ -337,7 +349,10 @@ class LdapLogin implements Login
             $ldap = strtolower($ldap);
 
             if (isset($userData[$ldap][0])) {
-                $this->log->debug('LDAP: Create a user with [' . $espo . '] = [' . $userData[$ldap][0] . '].');
+                $this->log->debug("LDAP: Create a user with [{user1}] = [{user2}].", [
+                    'user1' => $espo,
+                    'user2' => $userData[$ldap][0],
+                ]);
 
                 $data[$espo] = $userData[$ldap][0];
             }
@@ -410,7 +425,7 @@ class LdapLogin implements Login
         /** @noinspection PhpRedundantOptionalArgumentInspection */
         $result = $ldapClient->search($searchString, null, Ldap::SEARCH_SCOPE_SUB);
 
-        $this->log->debug('LDAP: user search string: "' . $searchString . '"');
+        $this->log->debug("LDAP: user search string: {string}.", ['string' => $searchString]);
 
         foreach ($result as $item) {
             return $item["dn"];

application/Espo/Core/Authentication/Oidc/BackchannelLogout.php

@@ -43,7 +43,7 @@ use Espo\ORM\EntityManager;
 /**
  * Compatible only with default Espo auth tokens.
  *
- * @todo Use a token-sessionId map to retrieve tokens.
+ * @todo Use a token-sessionId map to retrieve tokens. Send sid claim in id_token.
  */
 class BackchannelLogout
 {

application/Espo/Core/Authentication/Oidc/ConfigDataProvider.php

@@ -214,7 +214,7 @@ class ConfigDataProvider
 
     public function getAuthorizationPrompt(): string
     {
-        return $this->config->get('oidcAuthorizationPrompt') ?? 'consent';
+        return $this->object->get('oidcAuthorizationPrompt') ?? 'consent';
     }
 
     public function getAuthorizationMaxAge(): ?int

application/Espo/Core/Authentication/Oidc/Login.php

@@ -152,7 +152,7 @@ class Login implements LoginInterface
             return Result::fail(FailReason::USER_NOT_FOUND);
         }
 
-        return Result::success($user);
+        return Result::success($user)->withBypassSecondStep();
     }
 
     private function loginFallback(Data $data, Request $request): Result

application/Espo/Core/Authentication/Oidc/UserProvider/DefaultUserProvider.php

@@ -51,6 +51,10 @@ class DefaultUserProvider implements UserProvider
     {
         $user = $this->findUser($payload);
 
+        if ($user === false) {
+            return null;
+        }
+
         if ($user) {
             $this->syncUser($user, $payload);
 
@@ -60,7 +64,10 @@ class DefaultUserProvider implements UserProvider
         return $this->tryToCreateUser($payload);
     }
 
-    private function findUser(Payload $payload): ?User
+    /**
+     * @return User|false|null
+     */
+    private function findUser(Payload $payload): User|bool|null
     {
         $usernameClaim = $this->configDataProvider->getUsernameClaim();
 
@@ -82,24 +89,26 @@ class DefaultUserProvider implements UserProvider
             return null;
         }
 
-        if (!$user->isActive()) {
-            return null;
-        }
-
         $userId = $user->getId();
 
+        if (!$user->isActive()) {
+            $this->log->info("Oidc: User $userId found but it's not active.");
+
+            return false;
+        }
+
         $isPortal = $this->applicationState->isPortal();
 
         if (!$isPortal && !$user->isRegular() && !$user->isAdmin()) {
-            $this->log->info("Oidc: User $userId found but it's neither regular user not admin.");
+            $this->log->info("Oidc: User $userId found but it's neither regular user nor admin.");
 
-            return null;
+            return false;
         }
 
         if ($isPortal && !$user->isPortal()) {
             $this->log->info("Oidc: User $userId found but it's not portal user.");
 
-            return null;
+            return false;
         }
 
         if ($isPortal) {
@@ -108,20 +117,20 @@ class DefaultUserProvider implements UserProvider
             if (!$user->getPortals()->hasId($portalId)) {
                 $this->log->info("Oidc: User $userId found but it's not related to current portal.");
 
-                return null;
+                return false;
             }
         }
 
         if ($user->isSuperAdmin()) {
             $this->log->info("Oidc: User $userId found but it's super-admin, not allowed.");
 
-            return null;
+            return false;
         }
 
         if ($user->isAdmin() && !$this->configDataProvider->allowAdminUser()) {
             $this->log->info("Oidc: User $userId found but it's admin, not allowed.");
 
-            return null;
+            return false;
         }
 
         return $user;

application/Espo/Core/Authentication/Result.php

@@ -51,6 +51,7 @@ class Result
     private ?string $token = null;
     private ?string $view = null;
     private ?string $failReason = null;
+    private bool $bypassSecondStep = false;
     private ?Data $data;
 
     private function __construct(string $status, ?User $user = null, ?Data $data = null)
@@ -105,13 +106,23 @@ class Result
     }
 
     /**
-     * Second step is required. E.g. for 2FA.
+     * The second step is required.
      */
     public function isSecondStepRequired(): bool
     {
         return $this->status === self::STATUS_SECOND_STEP_REQUIRED;
     }
 
+    /**
+     * To bypass the second step.
+     *
+     * @since 8.4.0
+     */
+    public function bypassSecondStep(): bool
+    {
+        return $this->bypassSecondStep;
+    }
+
     /**
      * Login is failed.
      */
@@ -183,4 +194,17 @@ class Result
     {
         return $this->failReason;
     }
+
+    /**
+     * Clone with bypass second step.
+     *
+     * @since 8.4.0
+     */
+    public function withBypassSecondStep(bool $bypassSecondStep = true): self
+    {
+        $obj = clone $this;
+        $obj->bypassSecondStep = $bypassSecondStep;
+
+        return $obj;
+    }
 }

application/Espo/Core/Authentication/TwoFactor/Email/EmailLogin.php

@@ -29,6 +29,7 @@
 
 namespace Espo\Core\Authentication\TwoFactor\Email;
 
+use Espo\Core\Authentication\HeaderKey;
 use Espo\Core\Exceptions\Forbidden;
 use Espo\Core\Mail\Exceptions\SendingError;
 use Espo\Core\Utils\Log;
@@ -56,7 +57,7 @@ class EmailLogin implements Login
 
     public function login(Result $result, Request $request): Result
     {
-        $code = $request->getHeader('Espo-Authorization-Code');
+        $code = $request->getHeader(HeaderKey::AUTHORIZATION_CODE);
 
         $user = $result->getUser();
 

application/Espo/Core/Authentication/TwoFactor/Sms/SmsLogin.php

@@ -29,6 +29,7 @@
 
 namespace Espo\Core\Authentication\TwoFactor\Sms;
 
+use Espo\Core\Authentication\HeaderKey;
 use Espo\Core\Exceptions\Forbidden;
 use Espo\Core\Utils\Log;
 use Espo\ORM\EntityManager;
@@ -55,7 +56,7 @@ class SmsLogin implements Login
 
     public function login(Result $result, Request $request): Result
     {
-        $code = $request->getHeader('Espo-Authorization-Code');
+        $code = $request->getHeader(HeaderKey::AUTHORIZATION_CODE);
 
         $user = $result->getUser();
 

application/Espo/Core/Authentication/TwoFactor/Totp/TotpLogin.php

@@ -29,6 +29,7 @@
 
 namespace Espo\Core\Authentication\TwoFactor\Totp;
 
+use Espo\Core\Authentication\HeaderKey;
 use Espo\ORM\EntityManager;
 use Espo\Entities\User;
 use Espo\Entities\UserData;
@@ -55,7 +56,7 @@ class TotpLogin implements Login
 
     public function login(Result $result, Request $request): Result
     {
-        $code = $request->getHeader('Espo-Authorization-Code');
+        $code = $request->getHeader(HeaderKey::AUTHORIZATION_CODE);
 
         $user = $result->getUser();
 

application/Espo/Core/Authentication/Util/IpAddressUtil.php

@@ -0,0 +1,59 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2024 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Authentication\Util;
+
+use CIDRmatch\CIDRmatch;
+
+class IpAddressUtil
+{
+    /**
+     * @param string $ipAddress An IP address.
+     * @param string[] $whitelist A whitelist. IPs or IP ranges in CIDR notation.
+     */
+    public function isInWhitelist(string $ipAddress, array $whitelist): bool
+    {
+        $cidrMatch = new CIDRmatch();
+
+        foreach ($whitelist as $whiteIpAddress) {
+            if ($ipAddress === $whiteIpAddress) {
+                return true;
+            }
+
+            if (
+                str_contains($whiteIpAddress, '/') &&
+                $cidrMatch->match($ipAddress, $whiteIpAddress)
+            ) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+}

application/Espo/Core/Console/CommandManager.php

@@ -29,6 +29,8 @@
 
 namespace Espo\Core\Console;
 
+use Espo\Core\ApplicationUser;
+use Espo\Core\Console\Exceptions\InvalidArgument;
 use Espo\Core\InjectableFactory;
 use Espo\Core\Utils\Metadata;
 use Espo\Core\Utils\Util;
@@ -44,12 +46,14 @@ class CommandManager
     private const DEFAULT_COMMAND = 'Help';
     private const DEFAULT_COMMAND_FLAG = 'help';
 
-    public function __construct(private InjectableFactory $injectableFactory, private Metadata $metadata)
-    {}
+    public function __construct(
+        private InjectableFactory $injectableFactory,
+        private Metadata $metadata,
+        private ApplicationUser $applicationUser
+    ) {}
 
     /**
      * @param array<int, string> $argv
-     *
      * @return int<0, 255> Exit-status.
      */
     public function run(array $argv): int
@@ -73,8 +77,12 @@ class CommandManager
             throw new CommandNotSpecified("Command name is not specified.");
         }
 
+        $this->checkParams($command, $params);
+
         $io = new IO();
 
+        $this->setupUser($command);
+
         $commandObj = $this->createCommand($command);
 
         if (!$commandObj instanceof Command) {
@@ -146,4 +154,59 @@ class CommandManager
     {
         return Params::fromArgs(array_slice($argv, 1));
     }
+
+    private function setupUser(string $command): void
+    {
+        $noSystemUser = $this->metadata->get(['app', 'consoleCommands', lcfirst($command), 'noSystemUser']);
+
+        if ($noSystemUser) {
+            return;
+        }
+
+        $this->applicationUser->setupSystemUser();
+    }
+
+    private function checkParams(string $command, Params $params): void
+    {
+        $this->checkOptions($command, $params);
+        $this->checkFlags($command, $params);
+    }
+
+    private function checkOptions(string $command, Params $params): void
+    {
+        $allowedOptions = $this->metadata->get(['app', 'consoleCommands', lcfirst($command), 'allowedOptions']);
+
+        if (!is_array($allowedOptions)) {
+            return;
+        }
+
+        $notAllowedOptions = array_diff(array_keys($params->getOptions()), $allowedOptions);
+
+        if ($notAllowedOptions === []) {
+            return;
+        }
+
+        $msg = sprintf("Not allowed options: %s.", implode(', ', $notAllowedOptions));
+
+        throw new InvalidArgument($msg);
+    }
+
+    private function checkFlags(string $command, Params $params): void
+    {
+        $allowedFlags = $this->metadata->get(['app', 'consoleCommands', lcfirst($command), 'allowedFlags']);
+
+        if (!is_array($allowedFlags)) {
+            return;
+        }
+
+        $notAllowedFlags = array_diff($params->getFlagList(), $allowedFlags);
+
+        if ($notAllowedFlags === []) {
+            return;
+        }
+
+        $msg = sprintf("Not allowed flags: %s.", implode(', ', $notAllowedFlags));
+
+        throw new InvalidArgument($msg);
+    }
 }