Merge branch '5.0-trunk'

.gitignore

@@ -34,6 +34,7 @@
 /sbin/rt-dump-metadata
 /sbin/rt-email-dashboards
 /sbin/rt-email-digest
+/sbin/rt-email-expiring-auth-tokens
 /sbin/rt-email-group-admin
 /sbin/rt-externalize-attachments
 /sbin/rt-fulltext-indexer

Makefile.in

@@ -146,6 +146,7 @@ SYSTEM_BINARIES		=	rt-attributes-viewer \
 				rt-dump-metadata \
 				rt-email-dashboards \
 				rt-email-digest \
+				rt-email-expiring-auth-tokens \
 				rt-email-group-admin \
 				rt-externalize-attachments \
 				rt-fulltext-indexer \

README

@@ -58,6 +58,21 @@ o   An external HTML converter
         Installing an external utility to convert HTML can improve performance.
         See the $HTMLFormatter configuration option for details.
 
+o   An SSL certificate for your web server
+
+        For production use, we recommend getting an SSL certificate for your
+        web server. You can get them free from Let's Encrypt (https://letsencrypt.org/)
+        or even create your own self-signed certificate.
+
+        If you are testing and want to run without a cert, add this to your
+        etc/RT_SiteConfig.pm file:
+
+            Set( $WebSecureCookies, 0 );
+
+        Without this setting, your browser won't trust RT's cookies and you won't
+        be able to log in. See the documentation for more information.
+        (https://docs.bestpractical.com/rt/latest/RT_Config.html#WebSecureCookies)
+
 GENERAL INSTALLATION
 --------------------
 

configure.ac

@@ -473,6 +473,7 @@ AC_CONFIG_FILES([
                  sbin/rt-test-dependencies
                  sbin/rt-email-digest
                  sbin/rt-email-dashboards
+                 sbin/rt-email-expiring-auth-tokens
                  sbin/rt-externalize-attachments
                  sbin/rt-clean-attributes
                  sbin/rt-clean-sessions

docs/UPGRADING-5.0

@@ -604,16 +604,33 @@ fields containing C<HTML>, you can update them and switch the type to C<HTML>
 to use CKEditor for editing. This is specifically useful for the Content
 custom field in articles.
 
+=item * MySQL 8 now supported
+
+Starting with RT 5.0.4, RT now supports MySQL 8. Note that as part of this upgrade
+you also need to update the module L<DBIx::SearchBuilder>.
+
 =back
 
 =head1 UPGRADING FROM 5.0.4 AND EARLIER
 
 =over 4
 
-=item * MySQL 8 now supported
+=item Update Messages Changed for Consistency
 
-Starting with RT 5.0.5, RT now supports MySQL 8. Note that as part of this upgrade
-you also need to update the module L<DBIx::SearchBuilder>.
+Some parts of RT, notably Bulk Update, previously could show update messages
+like:
+
+    Ticket 123: Ticket 123: Status changed from 'new' to 'open'
+
+This is fixed in RT 5.0.5. As part of this fix, some JSON responses sent for
+REST 2 operations are also updated. For example, an Article update message
+is changed:
+
+    Old: Article More updates using REST: Name changed from...
+    New: Article 123: Name changed from...
+
+If you have any automation using REST 2 that checks these JSON response
+messages, you may need to update your system to match the new format.
 
 =back
 

docs/automating_rt.pod

@@ -78,6 +78,21 @@ The C<--action> argument is set to L<RT::Action> which is the base class
 for RT actions. Since this class doesn't perform any action itself, this
 command will just output the results of the TicketSQL search.
 
+=head2 Multiple --Action Parameters
+
+    /opt/rt4/bin/rt-crontool \
+      --search RT::Search::FromSQL \
+      --search-arg "Status = 'stalled'" \
+      --action RT::Action::SetStatus  --action-arg resolved \
+      --action RT::Action::Notify \
+          --action-arg 'Requestor' \
+          --transaction last \
+          --template 'Stalled ticket resolved' \
+
+rt-crontool can take more than one --action parameter to perform multiple steps at a time. In the example above
+two actions are completed, first the SetStatus action then the Notify action.
+
+
 =head1 Auto-resolve Aged Tickets
 
 You can auto-set status based on any criteria you can define in

docs/web_deployment.pod

@@ -154,6 +154,31 @@ RT to access the Authorization header.
 
 More information is available in L<RT::Authen::Token>.
 
+=head3 Restricting the REST 1.0 mail-gateway
+
+RT processes email via a REST 1.0 endpoint. If you accept email on the same
+server as your running RT, you can restrict this endpoint to localhost only
+with a configuration like the following:
+
+    # Accept requests only from localhost
+    <Location /REST/1.0/NoAuth/mail-gateway>
+        Require local
+    </Location>
+
+If you run C<bin/rt-mailgate> on a separate server, you can update
+the above to allow additional IP addresses.
+
+    <Location /REST/1.0/NoAuth/mail-gateway>
+        Require ip 127.0.0.1 ::1 192.0.2.0  # Add your actual IPs
+    </Location>
+
+See the L<Apache documentation|https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html>
+for additional configuration options.
+
+After adding this configuration, test receiving email and confirm
+your C<bin/rt-mailgate> utility and C</etc/aliases> configurations
+can successfully submit email to RT.
+
 =head2 nginx
 
 C<nginx> requires that you start RT's fastcgi process externally, for

etc/RT_Config.pm.in

@@ -145,7 +145,7 @@ your server.
 
 =cut
 
-Set($Timezone, "US/Eastern");
+Set($Timezone, "America/New_York");
 
 =item C<@Plugins>
 
@@ -378,6 +378,34 @@ See the L<Log::Dispatch::Syslog> documentation for more information.
 
 Set(@LogToSyslogConf, ());
 
+=item C<$LogScripsForUser>
+
+Enables logging for each Scrip, and log output can then be found in the
+Scrip Admin web interface. Log output is shown for the most recent run
+of each scrip.
+
+Accepts a hashref with username and log level. Output is generated only
+when that user performs an action that runs the scrip. Log levels are
+the same as for other RT logging. For example:
+
+    Set($LogScripsForUser, { 'Username1' => 'debug', 'Username2' => 'warning' });
+
+This allows you to enable debug logging just for yourself as you test
+a new scrip.
+
+If you have set the C<LogDir> option it needs to be writeable by the
+webserver user for Scrip logging to work.
+
+NOTICE: The Ticket Update page that is used to add a Reply or Comment
+will run all relevant Scrips in a dry run mode that executes the
+Scrip Condition and Scrip Prepare code. This means log files might be
+created just by loading the Ticket Update page if Scrip logging is
+enabled.
+
+=cut
+
+Set($LogScripsForUser, {});
+
 =back
 
 
@@ -3961,7 +3989,7 @@ Set(%AdminSearchResultFormat,
     Scrips =>
         q{'<a href="__WebPath__/Admin/Scrips/Modify.html?id=__id____From__">__id__</a>/TITLE:#'}
         .q{,'<a href="__WebPath__/Admin/Scrips/Modify.html?id=__id____From__">__Description__</a>/TITLE:Description'}
-        .q{,__Condition__, __Action__, __Template__, __Disabled__},
+        .q{,__Condition__, __Action__, __Template__, __Disabled__,__HasLogs__},
 
     Templates =>
         q{'<a href="__WebPath__/__WebRequestPathDir__/Template.html?Queue=__QueueId__&Template=__id__">__id__</a>/TITLE:#'}

etc/initialdata

@@ -778,6 +778,38 @@ Hour:         { $SubscriptionObj->SubValue('Hour') }
 }
 }
 },
+    {
+        Queue       => '0',
+        Name        => 'Auth tokens expiring in 7 days in HTML', # loc
+        Description => 'Auth tokens expiring in 7 days', # loc
+        Content     => q[Subject: [{RT->Config->Get('rtname')}] You have auth tokens that will expire in 7 days
+Content-Type: text/html
+
+<p>Hello { $UserObj->RealName || $UserObj->Name }:</p>
+
+<p>
+The following tokens will expire within the next 7 days:
+<ul>
+{
+    for my $token (@AuthTokens) {
+        $OUT .= '<li>' . $token->Description .  ' (expires at ' . $token->ExpiresObj->AsString . ')</li>';
+    }
+}
+</ul>
+</p>
+
+{
+    if (   $UserObj->HasRight( Right => 'ModifySelf', Object => RT->System )
+        && $UserObj->HasRight( Right => 'ManageAuthTokens', Object => RT->System ) )
+    {
+        $OUT .= '<p>You can revoke them and generate new ones on the <a href="' . RT->Config->Get('WebURL') . 'Prefs/AuthTokens.html' . '">Auth Tokens</a> page in RT.</p>';
+    }
+    else {
+        $OUT .= "<p>If you are still using them, please contact your RT manager to generate new ones for you.</p>";
+    }
+}
+],
+    },
 );
 
 @Scrips = (

etc/schema.Oracle

@@ -572,7 +572,8 @@ CREATE TABLE AuthTokens (
     Creator         NUMBER(11,0)    DEFAULT 0 NOT NULL,
     Created         DATE,
     LastUpdatedBy   NUMBER(11,0)    DEFAULT 0 NOT NULL,
-    LastUpdated     DATE
+    LastUpdated     DATE,
+    Expires         DATE
 );
 
 CREATE INDEX AuthTokensOwner ON AuthTokens (Owner);

etc/schema.Pg

@@ -811,6 +811,7 @@ CREATE TABLE AuthTokens (
     Created           timestamp                DEFAULT NULL,
     LastUpdatedBy     integer         NOT NULL DEFAULT 0,
     LastUpdated       timestamp                DEFAULT NULL,
+    Expires           timestamp                DEFAULT NULL,
     PRIMARY KEY (id)
 );
 

etc/schema.SQLite

@@ -603,7 +603,8 @@ CREATE TABLE AuthTokens (
     Creator           int(11)         NOT NULL DEFAULT 0,
     Created           timestamp                DEFAULT NULL,
     LastUpdatedBy     int(11)         NOT NULL DEFAULT 0,
-    LastUpdated       timestamp                DEFAULT NULL
+    LastUpdated       timestamp                DEFAULT NULL,
+    Expires           timestamp                DEFAULT NULL
 );
 
 CREATE INDEX AuthTokensOwner on AuthTokens (Owner);

etc/schema.mysql

@@ -593,6 +593,7 @@ CREATE TABLE AuthTokens (
     Created           datetime                 DEFAULT NULL,
     LastUpdatedBy     int(11)         NOT NULL DEFAULT 0,
     LastUpdated       datetime                 DEFAULT NULL,
+    Expires           datetime                 DEFAULT NULL,
     PRIMARY KEY (id)
 ) ENGINE=InnoDB CHARACTER SET utf8mb4;
 

etc/upgrade/5.0.5/content

@@ -0,0 +1,37 @@
+use strict;
+use warnings;
+
+our @Templates = (
+    {
+        Queue       => '0',
+        Name        => 'Auth tokens expiring in 7 days in HTML', # loc
+        Description => 'Auth tokens expiring in 7 days', # loc
+        Content     => q[Subject: [{RT->Config->Get('rtname')}] You have auth tokens that will expire in 7 days
+Content-Type: text/html
+
+<p>Hello { $UserObj->RealName || $UserObj->Name }:</p>
+
+<p>
+The following tokens will expire within the next 7 days:
+<ul>
+{
+    for my $token (@AuthTokens) {
+        $OUT .= '<li>' . $token->Description .  ' (expires at ' . $token->ExpiresObj->AsString . ')</li>';
+    }
+}
+</ul>
+</p>
+
+{
+    if (   $UserObj->HasRight( Right => 'ModifySelf', Object => RT->System )
+        && $UserObj->HasRight( Right => 'ManageAuthTokens', Object => RT->System ) )
+    {
+        $OUT .= '<p>You can revoke them and generate new ones on the <a href="' . RT->Config->Get('WebURL') . 'Prefs/AuthTokens.html' . '">Auth Tokens</a> page in RT.</p>';
+    }
+    else {
+        $OUT .= "<p>If you are still using them, please contact your RT manager to generate new ones for you.</p>";
+    }
+}
+],
+    },
+);

etc/upgrade/5.0.5/schema.Oracle

@@ -0,0 +1 @@
+ALTER TABLE AuthTokens ADD Expires DATE;

etc/upgrade/5.0.5/schema.Pg

@@ -0,0 +1,2 @@
+UPDATE CustomFieldValues SET Category=NULL WHERE Category='';
+ALTER TABLE AuthTokens ADD COLUMN Expires timestamp DEFAULT NULL;

etc/upgrade/5.0.5/schema.SQLite

@@ -0,0 +1,2 @@
+UPDATE CustomFieldValues SET Category=NULL WHERE Category='';
+ALTER TABLE AuthTokens ADD COLUMN Expires timestamp DEFAULT NULL;

etc/upgrade/5.0.5/schema.mysql

@@ -0,0 +1,2 @@
+UPDATE CustomFieldValues SET Category=NULL WHERE Category='';
+ALTER TABLE AuthTokens ADD COLUMN Expires datetime DEFAULT NULL;