bsiggel/espocrm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

some big beautiful update

Browse Source
This commit is contained in:
bsiggel
2026-03-08 19:18:17 +01:00
parent 845a55d170
commit 218b6e0d97
96 changed files with 171864 additions and 465 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
application/Espo/Classes/FieldValidators/Common/Host/NotInternal.php Normal file
View File

@@ -0,0 +1,62 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2026 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\FieldValidators\Common\Host;
use Espo\Core\FieldValidation\Validator;
use Espo\Core\FieldValidation\Validator\Data;
use Espo\Core\FieldValidation\Validator\Failure;
use Espo\Core\Utils\Security\HostCheck;
use Espo\ORM\Entity;
/**
* @implements Validator<Entity>
* @since 9.3.2
*/
class NotInternal implements Validator
{
public function __construct(
private HostCheck $hostCheck,
) {}
public function validate(Entity $entity, string $field, Data $data): ?Failure
{
$value = $entity->get($field);
if (!$value) {
return null;
}
if (!$this->hostCheck->isNotInternalHost($value)) {
return Failure::create();
}
return null;
}
}

71
application/Espo/Classes/FieldValidators/Webhook/Url/NotInternal.php Normal file
View File

@@ -0,0 +1,71 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2026 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\FieldValidators\Webhook\Url;
use Espo\Core\FieldValidation\Validator;
use Espo\Core\FieldValidation\Validator\Data;
use Espo\Core\FieldValidation\Validator\Failure;
use Espo\Core\Utils\Security\UrlCheck;
use Espo\Core\Webhook\AddressUtil;
use Espo\ORM\Entity;
/**
* @implements Validator<Entity>
*/
class NotInternal implements Validator
{
public function __construct(
private UrlCheck $urlCheck,
private AddressUtil $addressUtil,
) {}
public function validate(Entity $entity, string $field, Data $data): ?Failure
{
$value = $entity->get($field);
if (!$value) {
return null;
}
if (!$this->urlCheck->isUrl($value)) {
return null;
}
if ($this->addressUtil->isAllowedUrl($value)) {
return null;
}
if (!$this->urlCheck->isNotInternalUrl($value)) {
return Failure::create();
}
return null;
}
}

120
application/Espo/Classes/RecordHooks/EmailAccount/BeforeSaveValidateHosts.php Normal file
View File

@@ -0,0 +1,120 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2026 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Classes\RecordHooks\EmailAccount;
use Espo\Core\Exceptions\Forbidden;
use Espo\Core\Record\Hook\SaveHook;
use Espo\Core\Utils\Config;
use Espo\Core\Utils\Security\HostCheck;
use Espo\Entities\EmailAccount;
use Espo\Entities\InboundEmail;
use Espo\ORM\Entity;
/**
* @implements SaveHook<EmailAccount|InboundEmail>
*/
class BeforeSaveValidateHosts implements SaveHook
{
public function __construct(
private Config $config,
private HostCheck $hostCheck,
) {}
public function process(Entity $entity): void
{
if ($entity->isAttributeChanged('host') || $entity->isAttributeChanged('port')) {
$this->validateImap($entity);
}
if ($entity->isAttributeChanged('smtpHost') || $entity->isAttributeChanged('smtpPort')) {
$this->validateSmtp($entity);
}
}
/**
* @throws Forbidden
*/
private function validateImap(EmailAccount|InboundEmail $entity): void
{
$host = $entity->getHost();
$port = $entity->getPort();
if ($host === null || $port === null) {
return;
}
$address = $host . ':' . $port;
if (in_array($address, $this->getAllowedAddressList())) {
return;
}
if (!$this->hostCheck->isNotInternalHost($host)) {
$message = $this->composeErrorMessage($host, $address);
throw new Forbidden($message);
}
}
/**
* @throws Forbidden
*/
private function validateSmtp(EmailAccount|InboundEmail $entity): void
{
$host = $entity->getSmtpHost();
$port = $entity->getSmtpPort();
if ($host === null || $port === null) {
return;
}
$address = $host . ':' . $port;
if (!$this->hostCheck->isNotInternalHost($host)) {
$message = $this->composeErrorMessage($host, $address);
throw new Forbidden($message);
}
}
/**
* @return string[]
*/
private function getAllowedAddressList(): array
{
return $this->config->get('emailServerAllowedAddressList') ?? [];
}
private function composeErrorMessage(string $host, string $address): string
{
return "Host '$host' is not allowed as it's internal. " .
"To allow, add `$address` to the config parameter `emailServerAllowedAddressList`.";
}
}

3
application/Espo/Controllers/InboundEmail.php
View File

@@ -30,6 +30,7 @@
namespace Espo\Controllers;
use Espo\Core\Exceptions\Error;
use Espo\Core\Exceptions\Forbidden;
use Espo\Core\Mail\Account\GroupAccount\Service;
use Espo\Core\Mail\Account\Storage\Params as StorageParams;
@@ -48,6 +49,7 @@ class InboundEmail extends Record
* @return string[]
* @throws Error
* @throws ImapError
* @throws Forbidden
*/
public function postActionGetFolders(Request $request): array
{
@@ -67,6 +69,7 @@ class InboundEmail extends Record
/**
* @throws Error
* @throws Forbidden
*/
public function postActionTestConnection(Request $request): bool
{

9
application/Espo/Controllers/Settings.php
View File

@@ -70,13 +70,6 @@ class Settings
private function getConfigData(): stdClass
{
$data = $this->service->getConfigData();
$metadataData = $this->service->getMetadataConfigData();
foreach (get_object_vars($metadataData) as $key => $value) {
$data->$key = $value;
}
return $data;
return $this->service->getConfigData();
}
}

25
application/Espo/Core/Mail/Account/GroupAccount/Service.php
View File

@@ -30,16 +30,19 @@
namespace Espo\Core\Mail\Account\GroupAccount;
use Espo\Core\Exceptions\ErrorSilent;
use Espo\Core\Exceptions\Forbidden;
use Espo\Core\Mail\Account\Account as Account;
use Espo\Core\Exceptions\Error;
use Espo\Core\Mail\Account\Fetcher;
use Espo\Core\Mail\Account\Storage\Params;
use Espo\Core\Mail\Account\StorageFactory;
use Espo\Core\Mail\Account\Util\AddressUtil;
use Espo\Core\Mail\Account\Util\NotificationHelper;
use Espo\Core\Mail\Exceptions\ImapError;
use Espo\Core\Mail\Exceptions\NoImap;
use Espo\Core\Mail\Sender\Message;
use Espo\Core\Utils\Log;
use Espo\Core\Utils\Security\HostCheck;
use Exception;
class Service
@@ -49,7 +52,9 @@ class Service
private AccountFactory $accountFactory,
private StorageFactory $storageFactory,
private Log $log,
private NotificationHelper $notificationHelper
private NotificationHelper $notificationHelper,
private HostCheck $hostCheck,
private AddressUtil $addressUtil,
) {}
/**
@@ -77,9 +82,18 @@ class Service
* @return string[]
* @throws Error
* @throws ImapError
* @throws Forbidden
*/
public function getFolderList(Params $params): array
{
if (
$params->getHost() &&
!$this->addressUtil->isAllowedAddress($params) &&
!$this->hostCheck->isNotInternalHost($params->getHost())
) {
throw new Forbidden("Not allowed internal host.");
}
if ($params->getId()) {
$account = $this->accountFactory->create($params->getId());
@@ -95,6 +109,7 @@ class Service
/**
* @throws Error
* @throws Forbidden
*/
public function testConnection(Params $params): void
{
@@ -106,6 +121,14 @@ class Service
->withImapHandlerClassName($account->getImapHandlerClassName());
}
if (
$params->getHost() &&
!$this->addressUtil->isAllowedAddress($params) &&
!$this->hostCheck->isNotInternalHost($params->getHost())
) {
throw new Forbidden("Not allowed internal host.");
}
try {
$storage = $this->storageFactory->createWithParams($params);
$storage->getFolderNames();

23
application/Espo/Core/Mail/Account/PersonalAccount/Service.php
View File

@@ -30,9 +30,11 @@
namespace Espo\Core\Mail\Account\PersonalAccount;
use Espo\Core\Exceptions\ErrorSilent;
use Espo\Core\Mail\Account\Util\AddressUtil;
use Espo\Core\Mail\Account\Util\NotificationHelper;
use Espo\Core\Mail\Exceptions\ImapError;
use Espo\Core\Mail\Exceptions\NoImap;
use Espo\Core\Utils\Config;
use Espo\Core\Utils\Log;
use Espo\Core\Mail\Account\Account as Account;
use Espo\Core\Exceptions\Forbidden;
@@ -40,6 +42,7 @@ use Espo\Core\Exceptions\Error;
use Espo\Core\Mail\Account\Fetcher;
use Espo\Core\Mail\Account\Storage\Params;
use Espo\Core\Mail\Account\StorageFactory;
use Espo\Core\Utils\Security\HostCheck;
use Espo\Entities\User;
use Espo\Core\Mail\Sender\Message;
@@ -53,7 +56,9 @@ class Service
private StorageFactory $storageFactory,
private User $user,
private Log $log,
private NotificationHelper $notificationHelper
private NotificationHelper $notificationHelper,
private HostCheck $hostCheck,
private AddressUtil $addressUtil,
) {}
/**
@@ -95,6 +100,14 @@ class Service
throw new Forbidden();
}
if (
$params->getHost() &&
!$this->addressUtil->isAllowedAddress($params) &&
!$this->hostCheck->isNotInternalHost($params->getHost())
) {
throw new Forbidden("Not allowed internal host.");
}
if ($params->getId()) {
$account = $this->accountFactory->create($params->getId());
@@ -128,6 +141,14 @@ class Service
throw new Forbidden();
}
if (
$params->getHost() &&
!$this->addressUtil->isAllowedAddress($params) &&
!$this->hostCheck->isNotInternalHost($params->getHost())
) {
throw new Forbidden("Not allowed host.");
}
if ($params->getId()) {
$account = $this->accountFactory->create($params->getId());

69
application/Espo/Core/Mail/Account/Util/AddressUtil.php Normal file
View File

@@ -0,0 +1,69 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2026 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Mail\Account\Util;
use Espo\Core\Mail\Account\Storage\Params;
use Espo\Core\Mail\SmtpParams;
use Espo\Core\Utils\Config;
/**
* @internal
*/
class AddressUtil
{
public function __construct(
private Config $config,
) {}
/**
* @internal
*/
public function isAllowedAddress(Params|SmtpParams $params): bool
{
$host = $params instanceof Params ? $params->getHost() : $params->getServer();
$port = $params->getPort();
if ($port === null || !$host) {
return false;
}
$address = $host . ':' . $port;
return in_array($address, $this->getAllowedAddressList());
}
/**
* @return string[]
*/
private function getAllowedAddressList(): array
{
return $this->config->get('emailServerAllowedAddressList') ?? [];
}
}

4
application/Espo/Core/Mail/Importer/DefaultImporter.php
View File

@@ -420,8 +420,8 @@ class DefaultImporter implements Importer
$subject = '(No Subject)';
}
if (strlen($subject) > self::SUBJECT_MAX_LENGTH) {
$subject = substr($subject, 0, self::SUBJECT_MAX_LENGTH);
if (mb_strlen($subject) > self::SUBJECT_MAX_LENGTH) {
$subject = mb_substr($subject, 0, self::SUBJECT_MAX_LENGTH);
}
return $subject;

75
application/Espo/Core/Utils/Security/HostCheck.php Normal file
View File

@@ -0,0 +1,75 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2026 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Utils\Security;
use const DNS_A;
use const FILTER_FLAG_NO_PRIV_RANGE;
use const FILTER_FLAG_NO_RES_RANGE;
use const FILTER_VALIDATE_IP;
class HostCheck
{
public function isNotInternalHost(string $host): bool
{
$records = dns_get_record($host, DNS_A);
if (filter_var($host, FILTER_VALIDATE_IP)) {
return $this->ipAddressIsNotInternal($host);
}
if (!$records) {
return true;
}
foreach ($records as $record) {
/** @var ?string $idAddress */
$idAddress = $record['ip'] ?? null;
if (!$idAddress) {
return false;
}
if (!$this->ipAddressIsNotInternal($idAddress)) {
return false;
}
}
return true;
}
private function ipAddressIsNotInternal(string $ipAddress): bool
{
return (bool) filter_var(
$ipAddress,
FILTER_VALIDATE_IP,
FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
);
}
}

42
application/Espo/Core/Utils/Security/UrlCheck.php
View File

@@ -29,15 +29,15 @@
namespace Espo\Core\Utils\Security;
use const DNS_A;
use const FILTER_FLAG_NO_PRIV_RANGE;
use const FILTER_FLAG_NO_RES_RANGE;
use const FILTER_VALIDATE_IP;
use const FILTER_VALIDATE_URL;
use const PHP_URL_HOST;
class UrlCheck
{
public function __construct(
private HostCheck $hostCheck,
) {}
public function isUrl(string $url): bool
{
return filter_var($url, FILTER_VALIDATE_URL) !== false;
@@ -58,38 +58,6 @@ class UrlCheck
return false;
}
$records = dns_get_record($host, DNS_A);
if (filter_var($host, FILTER_VALIDATE_IP)) {
return $this->ipAddressIsNotInternal($host);
}
if (!$records) {
return false;
}
foreach ($records as $record) {
/** @var ?string $idAddress */
$idAddress = $record['ip'] ?? null;
if (!$idAddress) {
return false;
}
if (!$this->ipAddressIsNotInternal($idAddress)) {
return false;
}
}
return true;
}
private function ipAddressIsNotInternal(string $ipAddress): bool
{
return (bool) filter_var(
$ipAddress,
FILTER_VALIDATE_IP,
FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
);
return $this->hostCheck->isNotInternalHost($host);
}
}

79
application/Espo/Core/Webhook/AddressUtil.php Normal file
View File

@@ -0,0 +1,79 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2026 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Webhook;
use Espo\Core\Utils\Config;
/**
* @internal
*/
class AddressUtil
{
public function __construct(
private Config $config,
) {}
/**
* @internal
*/
public function isAllowedUrl(string $url): bool
{
/** @var string[] $allowedAddressList */
$allowedAddressList = $this->config->get('webhookAllowedAddressList') ?? [];
if (!$allowedAddressList) {
return false;
}
$host = parse_url($url, PHP_URL_HOST);
$port = parse_url($url, PHP_URL_PORT);
$scheme = parse_url($url, PHP_URL_SCHEME);
if (!is_string($host)) {
return false;
}
if (!is_int($port)) {
if ($scheme === 'https') {
$port = 443;
} else if ($scheme === 'http') {
$port = 80;
}
}
if (!is_int($port)) {
return false;
}
$address = $host . ':' . $port;
return in_array($address, $allowedAddressList);
}
}

19
application/Espo/Core/Webhook/Sender.php
View File

@@ -32,6 +32,7 @@ namespace Espo\Core\Webhook;
use Espo\Core\Exceptions\Error;
use Espo\Core\Utils\Config;
use Espo\Core\Utils\Json;
use Espo\Core\Utils\Security\UrlCheck;
use Espo\Entities\Webhook;
/**
@@ -42,8 +43,11 @@ class Sender
private const CONNECT_TIMEOUT = 5;
private const TIMEOUT = 10;
public function __construct(private Config $config)
{}
public function __construct(
private Config $config,
private UrlCheck $urlCheck,
private AddressUtil $addressUtil,
) {}
/**
* @param array<int, mixed> $dataList
@@ -85,6 +89,17 @@ class Sender
throw new Error("Webhook does not have URL.");
}
if (!$this->urlCheck->isUrl($url)) {
throw new Error("'$url' is not valid URL.");
}
if (
!$this->addressUtil->isAllowedUrl($url) &&
!$this->urlCheck->isNotInternalUrl($url)
) {
throw new Error("URL '$url' points to an internal host, not allowed.");
}
$handler = curl_init($url);
if ($handler === false) {

3
application/Espo/Modules/Crm/Resources/metadata/entityDefs/Contact.json
View File

@@ -221,7 +221,8 @@
}
},
"customizationOptionsDisabled": true,
"textFilterDisabled": true
"textFilterDisabled": true,
"importEnabled": true
},
"description": {
"type": "text"

12
application/Espo/Resources/metadata/entityDefs/EmailAccount.json
View File

@@ -21,14 +21,16 @@
"default": "Active"
},
"host": {
"type": "varchar"
"type": "varchar",
"massUpdateDisabled": true
},
"port": {
"type": "int",
"min": 0,
"max": 65535,
"default": 993,
"disableFormatting": true
"disableFormatting": true,
"massUpdateDisabled": true
},
"security": {
"type": "enum",
@@ -112,14 +114,16 @@
"tooltip": true
},
"smtpHost": {
"type": "varchar"
"type": "varchar",
"massUpdateDisabled": true
},
"smtpPort": {
"type": "int",
"min": 0,
"max": 65535,
"default": 587,
"disableFormatting": true
"disableFormatting": true,
"massUpdateDisabled": true
},
"smtpAuth": {
"type": "bool",

12
application/Espo/Resources/metadata/entityDefs/InboundEmail.json
View File

@@ -21,14 +21,16 @@
"default": "Active"
},
"host": {
"type": "varchar"
"type": "varchar",
"massUpdateDisabled": true
},
"port": {
"type": "int",
"min": 0,
"max": 65535,
"default": 993,
"disableFormatting": true
"disableFormatting": true,
"massUpdateDisabled": true
},
"security": {
"type": "enum",
@@ -122,14 +124,16 @@
"tooltip": true
},
"smtpHost": {
"type": "varchar"
"type": "varchar",
"massUpdateDisabled": true
},
"smtpPort": {
"type": "int",
"min": 0,
"max": 65535,
"default": 587,
"disableFormatting": true
"disableFormatting": true,
"massUpdateDisabled": true
},
"smtpAuth": {
"type": "bool",

5
application/Espo/Resources/metadata/entityDefs/Webhook.json
View File

@@ -10,7 +10,10 @@
"type": "varchar",
"maxLength": 512,
"required": true,
"copyToClipboard": true
"copyToClipboard": true,
"validatorClassNameList": [
"Espo\\Classes\\FieldValidators\\Webhook\\Url\\NotInternal"
]
},
"isActive": {
"type": "bool",

6
application/Espo/Resources/metadata/recordDefs/EmailAccount.json
View File

@@ -15,9 +15,11 @@
],
"beforeCreateHookClassNameList": [
"Espo\\Classes\\RecordHooks\\EmailAccount\\BeforeCreate",
"Espo\\Classes\\RecordHooks\\EmailAccount\\BeforeSave"
"Espo\\Classes\\RecordHooks\\EmailAccount\\BeforeSave",
"Espo\\Classes\\RecordHooks\\EmailAccount\\BeforeSaveValidateHosts"
],
"beforeUpdateHookClassNameList": [
"Espo\\Classes\\RecordHooks\\EmailAccount\\BeforeSave"
"Espo\\Classes\\RecordHooks\\EmailAccount\\BeforeSave",
"Espo\\Classes\\RecordHooks\\EmailAccount\\BeforeSaveValidateHosts"
]
}

6
application/Espo/Resources/metadata/recordDefs/InboundEmail.json
View File

@@ -18,5 +18,11 @@
],
"listLoaderClassNameList": [
"Espo\\Classes\\FieldProcessing\\InboundEmail\\IsSystemLoader"
],
"beforeCreateHookClassNameList": [
"Espo\\Classes\\RecordHooks\\EmailAccount\\BeforeSaveValidateHosts"
],
"beforeUpdateHookClassNameList": [
"Espo\\Classes\\RecordHooks\\EmailAccount\\BeforeSaveValidateHosts"
]
}

21
application/Espo/Tools/App/SettingsService.php
View File

@@ -56,6 +56,15 @@ use stdClass;
class SettingsService
{
/**
* @var string[]
* @todo Do not use when these parameters moved away from the settings.
*/
private array $ignoreUpdateParamList = [
'loginView',
'loginData',
];
public function __construct(
private ApplicationState $applicationState,
private Config $config,
@@ -87,11 +96,22 @@ class SettingsService
$this->filterData($data);
$this->loadAdditionalParams($data);
/** @noinspection PhpDeprecationInspection */
$metadataData = $this->getMetadataConfigData();
foreach (get_object_vars($metadataData) as $key => $value) {
$data->$key = $value;
}
return $data;
}
/**
* Get metadata to be used in config.
*
* @todo Make private in v9.4.0.
* @todo Move away from settings. Use some different approach.
* @deprecated Since v9.3.2.
*/
public function getMetadataConfigData(): stdClass
{
@@ -208,6 +228,7 @@ class SettingsService
}
$ignoreItemList = array_merge(
$this->ignoreUpdateParamList,
$this->access->getSystemParamList(),
$this->access->getReadOnlyParamList(),
$this->isRestrictedMode() && !$user->isSuperAdmin() ?

13
application/Espo/Tools/Email/Api/PostSendTest.php
View File

@@ -38,8 +38,10 @@ use Espo\Core\Exceptions\BadRequest;
use Espo\Core\Exceptions\Error;
use Espo\Core\Exceptions\Forbidden;
use Espo\Core\Exceptions\NotFound;
use Espo\Core\Mail\Account\Util\AddressUtil;
use Espo\Core\Mail\Exceptions\NoSmtp;
use Espo\Core\Mail\SmtpParams;
use Espo\Core\Utils\Security\HostCheck;
use Espo\Entities\Email;
use Espo\Tools\Email\SendService;
use Espo\Tools\Email\TestSendData;
@@ -51,7 +53,9 @@ class PostSendTest implements Action
{
public function __construct(
private SendService $sendService,
private Acl $acl
private Acl $acl,
private HostCheck $hostCheck,
private AddressUtil $addressUtil,
) {}
/**
@@ -109,6 +113,13 @@ class PostSendTest implements Action
->withAuthMechanism($authMechanism);
}
if (
!$this->addressUtil->isAllowedAddress($smtpParams) &&
!$this->hostCheck->isNotInternalHost($server)
) {
throw new Forbidden("Not allowed internal host.");
}
$data = new TestSendData($emailAddress, $type, $id, $userId);
$this->sendService->sendTestEmail($smtpParams, $data);

2
application/Espo/Tools/GlobalSearch/Service.php
View File

@@ -113,7 +113,7 @@ class Service
$builder->order('relevance', Order::DESC);
}
$builder->order('order', Order::DESC);
$builder->order('order');
$builder->order(Field::NAME);
$unionQuery = $builder->build();

13
application/Espo/Tools/LinkManager/LinkManager.php
View File

@@ -855,7 +855,9 @@ class LinkManager
"links.$link",
]);
$this->metadata->delete('clientDefs', $entity, ["dynamicLogic.fields.$link"]);
$this->metadata->delete('logicDefs', $entity, [
"fields.$link",
]);
$this->metadata->save();
@@ -907,8 +909,13 @@ class LinkManager
->build();
}
$this->metadata->delete('clientDefs', $entity, ["dynamicLogic.fields.$link"]);
$this->metadata->delete('clientDefs', $entityForeign, ["dynamicLogic.fields.$linkForeign"]);
$this->metadata->delete('logicDefs', $entity, [
"fields.$link",
]);
$this->metadata->delete('logicDefs', $entityForeign, [
"fields.$linkForeign",
]);
$this->metadata->delete('entityDefs', $entity, [
"fields.$link",