Merge branch 'seeddms-6.0.x'

check if user is actually set, 'WorkflowByMe' now uses a single sql
statement

CHANGELOG

@@ -1,3 +1,306 @@
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.30
+--------------------------------------------------------------------------------
+- merge changes up to 5.1.37
+- receipt comment can be disabled
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.29
+--------------------------------------------------------------------------------
+- merge changes up to 5.1.36
+- fix regression in FolderNotify
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.28
+--------------------------------------------------------------------------------
+- merge changes up to 5.1.35
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.27
+--------------------------------------------------------------------------------
+- merge changes up to 5.1.34
+- Document/folder check distinguishes between documents which cannot be
+  receiped/revised because of access rights or the recipient/revisor being
+  disabled.
+- fix creating user via rest api
+- checkout info does not depend on whether the logged in user was substituted
+- add new endpoints for managing roles by rest api
+- add transmittals in menu
+- add legacy access check for controllers
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.26
+--------------------------------------------------------------------------------
+- merge changes up to 5.1.33
+- add task to import files from drop folder
+- add substitution of users in bootstrap4 theme
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.25
+--------------------------------------------------------------------------------
+- merge changes up to 5.1.32
+- status log can be turned on with advanced access control
+- scheduler has more condensed layout 
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.24
+--------------------------------------------------------------------------------
+- add task to send list of recent changes by email
+- merge changes up to 5.1.31
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.23
+--------------------------------------------------------------------------------
+- fix setting recipients and revisors
+- check in of a document is allowed for the user having done the check out
+  or those users with unlimited access rights on the document
+- merge changes up to 5.1.30
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.22
+--------------------------------------------------------------------------------
+- merge changes up to 5.1.29
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.21
+--------------------------------------------------------------------------------
+- merge changes up to 5.1.28
+- add new check for documents with identical sequence numbers in a folder
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.20
+--------------------------------------------------------------------------------
+- merge changes up to 5.1.27
+- fix triggering workflow (Closes: #542)
+- create original file name from new document name when uploading document
+  from the library folder. Used to be the original file name
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.19
+--------------------------------------------------------------------------------
+- merge changes up to 5.1.26
+- fix deletion of tasks when using bootstrap4 theme
+- fix deletion of documents when clicking on icon in document list (my documents)
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.18
+--------------------------------------------------------------------------------
+- finish op/op.Cron.php, returns json
+- merge changes up to 5.1.25
+- fix sending trigger workflow notification (Closes: #522)
+- fix updating und deleting items in document lists
+- call hook 'filenameDownloadItem' in search export and transmittal download
+- fix possible xss attack in UsrMgr (CVE-2022-28479)
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.17
+--------------------------------------------------------------------------------
+- merge changes up to 5.1.24
+- send notification when a receiption of a document was submitted
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.16
+--------------------------------------------------------------------------------
+- cancel checkout needs confirmation
+- add input field to filter list of recipients if more then 10
+- add task for creating missing preview images
+- no longer use old PHPExcel classes, use PhpOffice\PhpSpreadsheet\Spreadsheet
+  instead
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.15
+--------------------------------------------------------------------------------
+- merge changes up to 5.1.22
+- add a new task for checking the checksum of all document versions
+- add searching for revision date
+- list of open tasks will no longer contain expired documents but MyDocuments
+  page still list them
+- fixed downloading approval file (Closes: #503)
+- regular users can no longer set owner of document while uploading
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.14
+--------------------------------------------------------------------------------
+- show debug menu only if debug mode is on
+- merge changes up to 5.1.21
+- document links can be added by regular users again
+- add list of checked out documents to tasks
+- issue a warning when removing a document which is checked out
+- checked out can be discarded if it was changed
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.13
+--------------------------------------------------------------------------------
+- merge changes up to 5.1.20
+- create download file for transmittal in system tmp (Closes: #478)
+- sync source code of checkin with update document
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.12
+--------------------------------------------------------------------------------
+- merge changes up to 5.1.19
+- fix various errors concerning workflows
+- show menu tasks even if not admin (Closes: #485)
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.11
+--------------------------------------------------------------------------------
+- merge changes up to 5.1.18
+- fix access restriction for roles (content of documents was visible even if the
+  role and status didn't allow it)
+- fix missing Content-Type in UserList (Closes: #480)
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.10
+--------------------------------------------------------------------------------
+- merge changes up to 5.1.17
+- fix list of previous document versions (Closes: #471)
+- fix uploading files with fine uploader (Closes: #472)
+- clear revision date when all revisors have been deleted
+- improve scheduler task management, tasks can be deleted, fix setting parameters
+- add op.Cron.php for running all scheduled tasks
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.9
+--------------------------------------------------------------------------------
+- merge changes up to 5.1.16
+- fix removal of roles (Closes: #465)
+- fix password forgotten process
+- fix setting role of new user and retrieving role of existing user
+- processes of users can be deleted again, instead of only transfered to
+  another user
+- fix export of search results, headers of excel file can be translated
+- fix arcordeon for folder filters on search page
+- fix upload from dropfolder
+- fix adding new calendar event
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.8
+--------------------------------------------------------------------------------
+- merge changes up to 5.1.15
+- fix syntax error in op/op.EditComment.php
+- fix use of private variable in op/op.SetRecipients.php and op/op.SetRevisors.php
+- fix triggering a transition in advanced workflow mode
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.7
+--------------------------------------------------------------------------------
+- fix editing of document attachments
+- make receipt summary look like approval/review summary
+- merge changes up to 5.1.14
+- do not show the updating user in a revision workflow if the status is 0
+  this is misleading because the user starting the revision workflow is the one
+  first accessing the document
+- rejection of document receipts are turned off by default, but can be turned
+  on in the settings
+- documents in DocumentChooser are sorted by name
+- instead of just removing a user from all processes it can be replaced by a new user
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.6
+--------------------------------------------------------------------------------
+- fix setting attributes when checking in a new document version
+- setting a document revision to 'needs correction' will no longer set the
+  documents status to 'needѕ correction' if this was turned off in the settings
+- a document will not leave draft status when setting the approver/reviewer
+  without setting a reviewer/approver
+- tasks to be counted in menu can be configured
+- add number of documents which need correction to menu
+- minor 2 factor auth. fixes when initially setting the secret
+- remove ѕome unneeded code from AddDocument which just caused php warnings
+- do not set the uploader of new documents to owner if the owner is different from
+  the uploader
+- add scheduler
+- add hook showVersionComment in out.ViewDocument.php
+- Various minor corrections of database tables tblWorkflowLog and
+  tblWorkflowDocumentContent
+- merge changes up to 5.1.7
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.5
+--------------------------------------------------------------------------------
+- sync form for updating document by upload and checkin
+- add list of documents which need correction on MyDocuments page
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.4
+--------------------------------------------------------------------------------
+- merge changes up to 5.1.5
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.3
+--------------------------------------------------------------------------------
+- add list of documents without a receiver on MyDocuments page
+- propperly calculate number of documents for each value of value set in attribute mgr
+- output of progress bar for reception of a document can be controlled by access list
+- recipientof a document version can be set when uploading the file
+- fix export of search and display of 2nd, 3rd, ... search page
+- speed up creation of document lists if reception progress bar is shown
+- status of rejected documents can be overriden
+- do not add users from group as recipients if they are the uploader or reviewer
+  of a document
+- add list of documents without a receiver, list of drafts, and list of absolete
+  documents on MyDocuments page
+- add callback onCheckAccessDocument to SeedDMS_Core_Document
+- add new document status 'needs correction', revised documents which do not pass
+  will no longer be in status 'rejected' but 'needs correction'
+- better error handling when indexing documents fails
+- apache xsendfile module is used for downloading documents when installed
+- add view access check for ApprovalSummary, ReviewSummary, ReceiptSummary,
+  WorkflowSummary, DocumentAccess, GroupView, UsrView, WorkflowSummary
+- filter out reviewers and uploader of a document version when setting recipients
+  by user group
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.2
+--------------------------------------------------------------------------------
+- check if user has access on document and is not disabled if set as
+  receiver, revisor
+- check if group has members if set as reviewer, approver, receiver, revisor
+- fix bug in notification of approver after successful review
+- add document check for docs in revision and missing access rights of revisor
+- add document check for docs requiring receptions but user lacks access right
+- fix Acl manager when using pgsql
+- list all open tasks of user in user info of user manager
+- owner of document may see review/approval/receipt/revision log
+- fix sending mails to reviewer/approvers after check in
+- downloading of review/approval files works again
+- optimizing retrieval of open tasks
+- do not show user which has been removed from a process except for admins
+- show scheduled revisions in calendar
+- merge changes up to 5.1.5
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.1
+--------------------------------------------------------------------------------
+- call hook 'rawcontent' when downloading transmittal list or search content
+- speed up list of locked documents on MyDocuments page
+- sql queries and execution times can be written to file in database layer
+
+--------------------------------------------------------------------------------
+                     Changes in version 6.0.0
+--------------------------------------------------------------------------------
+- merge changes up to 5.0.10
+- filter documents by status 'draft' on search page
+- list of documents to look at now contains documents in revision
+- add list of documents waiting for reception on MyDocuments page
+- group document lists on MyDocuments page into three sections
+- show progressbar and comments for reception of document in documentlist
+- restructure page for document/folder check, add check for missing access
+  on documents by recipient or revisor
+- overhaul revision workflow, add hook after revision workflow was finished
+- add two factor authentication based on google authenticator
+- set timeout for ajax call 'mytasks' from 200ms to 1000ms
+- use a similar layout for document list on the ViewDocument page
+- add RSS feed of timeline
+- put more operations under access control
+- add receipent list for documents
+- add revision of documents
+- add substitute user command for regular users
+- add access controll list for many functions
+- add document list which can be exported as an archive
+- search results can be exported
+
 --------------------------------------------------------------------------------
                      Changes in version 5.1.37
 --------------------------------------------------------------------------------

composer-dist.json

@@ -11,6 +11,8 @@
         "slim/slim": "^3.0",
         "erusev/parsedown": "*",
         "erusev/parsedown-extra": "*",
+        "mibe/feedwriter": "^1.1",
+        "phpoffice/phpspreadsheet": "*",
         "pear/log": "*",
         "pear/mail": "*",
         "pear/mail_mime": "*",
@@ -18,6 +20,7 @@
         "pear/auth_sasl": "*",
         "pear/db": "*",
         "alecrabbit/php-console-colour": "*",
+        "dragonmantank/cron-expression": "^3",
         "zf1/zend-search-lucene": "*",
         "symfony/http-foundation": "^5.4",
         "seeddms/core": "dev-master",

conf/settings.xml.template

@@ -296,7 +296,7 @@
       updateNotifyTime = "86400"
       extraPath = ""
       maxExecutionTime = "30"
-      cmdTimeout = "1"
+      cmdTimeout = "10"
     />
     <!--
        - enableNotificationAppRev: set to true if reviewers and approvers shall be informed about a pending review/approval

controllers/class.AddDocument.php

@@ -52,6 +52,7 @@ class SeedDMS_Controller_AddDocument extends SeedDMS_Controller_Common {
 		$sequence = $this->getParam('sequence');
 		$reviewers = $this->getParam('reviewers');
 		$approvers = $this->getParam('approvers');
+		$recipients = $this->getParam('recipients');
 		$reqversion = $this->getParam('reqversion');
 		$version_comment = $this->getParam('versioncomment');
 		$attributes = $this->getParam('attributes');
@@ -160,6 +161,7 @@ class SeedDMS_Controller_AddDocument extends SeedDMS_Controller_Common {
 		$workflow = $this->getParam('workflow');
 		$notificationgroups = $this->getParam('notificationgroups');
 		$notificationusers = $this->getParam('notificationusers');
+		$initialdocumentstatus = $this->getParam('initialdocumentstatus');
 		$maxsizeforfulltext = $this->getParam('maxsizeforfulltext');
 		$defaultaccessdocs = $this->getParam('defaultaccessdocs');
 
@@ -170,7 +172,7 @@ class SeedDMS_Controller_AddDocument extends SeedDMS_Controller_Common {
 															$cats, $userfiletmp, utf8_basename($userfilename),
 	                            $filetype, $userfiletype, $sequence,
 	                            $reviewers, $approvers, $reqversion,
-	                            $version_comment, $attributes, $attributes_version, $workflow);
+	                            $version_comment, $attributes, $attributes_version, $workflow, $initialdocumentstatus);
 
 			if (is_bool($res) && !$res) {
 				$this->errormsg = "error_occured";
@@ -187,6 +189,24 @@ class SeedDMS_Controller_AddDocument extends SeedDMS_Controller_Common {
 				}
 			}
 
+			$lc = $document->getLatestContent();
+			if($recipients) {
+				if($recipients['i']) {
+					foreach($recipients['i'] as $uid) {
+						if($u = $dms->getUser($uid)) {
+							$res = $lc->addIndRecipient($u, $user);
+						}
+					}
+				}
+				if($recipients['g']) {
+					foreach($recipients['g'] as $gid) {
+						if($g = $dms->getGroup($gid)) {
+							$res = $lc->addGrpRecipient($g, $user);
+						}
+					}
+				}
+			}
+
 			/* Add a default notification for the owner of the document */
 			if($settings->_enableOwnerNotification) {
 				$res = $document->addNotify($owner->getID(), true);

controllers/class.ApproveDocument.php

@@ -40,62 +40,76 @@ class SeedDMS_Controller_ApproveDocument extends SeedDMS_Controller_Common {
 		$this->oldstatus = $overallStatus['status'];
 		$this->newstatus = $this->oldstatus;
 
-		if ($approvaltype == "ind") {
-			$approvalLogID = $content->setApprovalByInd($user, $user, $approvalstatus, $approvalcomment, $approvalfile);
-		} elseif ($approvaltype == "grp") {
-			$approvalLogID = $content->setApprovalByGrp($approvalgroup, $user, $approvalstatus, $approvalcomment, $approvalfile);
-		} else {
-			$this->errormsg = "approval_wrong_type";
-			return false;
-		}
-		if($approvalLogID === false || 0 > $approvalLogID) {
-			$this->errormsg = "approval_update_failed";
-			return false;
+		if(!$this->callHook('preApproveDocument', $content)) {
 		}
 
-		if($approvalstatus == -1) {
-			$this->newstatus = S_REJECTED;
-			if($content->setStatus(S_REJECTED, $approvalcomment, $user)) {
-				if(isset($GLOBALS['SEEDDMS_HOOKS']['approveDocument'])) {
-					foreach($GLOBALS['SEEDDMS_HOOKS']['approveDocument'] as $hookObj) {
-						if (method_exists($hookObj, 'postApproveDocument')) {
-							$hookObj->postApproveDocument(null, $content, S_REJECTED);
-						}
-					}
-				}
-			}
-		} else {
-			$docApprovalStatus = $content->getApprovalStatus();
-			if (is_bool($docApprovalStatus) && !$docApprovalStatus) {
-				$this->errormsg = "cannot_retrieve_approval_snapshot";
+		$result = $this->callHook('approveDocument', $content);
+		if($result === null) {
+			if ($approvaltype == "ind") {
+				$approvalLogID = $content->setApprovalByInd($user, $user, $approvalstatus, $approvalcomment, $approvalfile);
+			} elseif ($approvaltype == "grp") {
+				$approvalLogID = $content->setApprovalByGrp($approvalgroup, $user, $approvalstatus, $approvalcomment, $approvalfile);
+			} else {
+				$this->errormsg = "approval_wrong_type";
 				return false;
 			}
-			$approvalCT = 0;
-			$approvalTotal = 0;
-			foreach ($docApprovalStatus as $drstat) {
-				if ($drstat["status"] == 1) {
-					$approvalCT++;
-				}
-				if ($drstat["status"] != -2) {
-					$approvalTotal++;
-				}
+			if($approvalLogID === false || 0 > $approvalLogID) {
+				$this->errormsg = "approval_update_failed";
+				return false;
 			}
-			// If all approvals have been received and there are no rejections, retrieve a
-			// count of the approvals required for this document.
-			if ($approvalCT == $approvalTotal) {
-				// Change the status to released.
-				$this->newstatus=S_RELEASED;
-				if($content->setStatus($this->newstatus, getMLText("automatic_status_update"), $user)) {
+		}
+
+		$result = $this->callHook('approveUpdateDocumentStatus', $content);
+		if($result === null) {
+			if($approvalstatus == -1) {
+				$this->newstatus = S_REJECTED;
+				if($content->setStatus(S_REJECTED, $approvalcomment, $user)) {
 					if(isset($GLOBALS['SEEDDMS_HOOKS']['approveDocument'])) {
 						foreach($GLOBALS['SEEDDMS_HOOKS']['approveDocument'] as $hookObj) {
 							if (method_exists($hookObj, 'postApproveDocument')) {
-								$hookObj->postApproveDocument(null, $content, S_RELEASED);
+								$hookObj->postApproveDocument(null, $content, S_REJECTED);
+							}
+						}
+					}
+				}
+			} else {
+				$docApprovalStatus = $content->getApprovalStatus();
+				if (is_bool($docApprovalStatus) && !$docApprovalStatus) {
+					$this->errormsg = "cannot_retrieve_approval_snapshot";
+					return false;
+				}
+				$approvalCT = 0;
+				$approvalTotal = 0;
+				foreach ($docApprovalStatus as $drstat) {
+					if ($drstat["status"] == 1) {
+						$approvalCT++;
+					}
+					if ($drstat["status"] != -2) {
+						$approvalTotal++;
+					}
+				}
+				// If all approvals have been received and there are no rejections, retrieve a
+				// count of the approvals required for this document.
+				if ($approvalCT == $approvalTotal) {
+					// Change the status to released.
+					$this->newstatus=S_RELEASED;
+					if($content->setStatus($this->newstatus, getMLText("automatic_status_update"), $user)) {
+						if(isset($GLOBALS['SEEDDMS_HOOKS']['approveDocument'])) {
+							foreach($GLOBALS['SEEDDMS_HOOKS']['approveDocument'] as $hookObj) {
+								if (method_exists($hookObj, 'postApproveDocument')) {
+									$hookObj->postApproveDocument(null, $content, S_RELEASED);
+								}
 							}
 						}
 					}
 				}
 			}
 		}
+
+		if(!$this->callHook('postApproveDocument', $content)) {
+		}
+
 		return true;
 	} /* }}} */
 }
+

controllers/class.CheckInDocument.php

@@ -0,0 +1,114 @@
+<?php
+/**
+ * Implementation of CheckInDocument controller
+ *
+ * @category   DMS
+ * @package    SeedDMS
+ * @license    GPL 2
+ * @version    @version@
+ * @author     Uwe Steinmann <uwe@steinmann.cx>
+ * @copyright  Copyright (C) 2010-2024 Uwe Steinmann
+ * @version    Release: @package_version@
+ */
+
+/**
+ * Class which does the busines logic for downloading a document
+ *
+ * @category   DMS
+ * @package    SeedDMS
+ * @author     Uwe Steinmann <uwe@steinmann.cx>
+ * @copyright  Copyright (C) 2010-2024 Uwe Steinmann
+ * @version    Release: @package_version@
+ */
+class SeedDMS_Controller_CheckInDocument extends SeedDMS_Controller_Common {
+
+	public function run() { /* {{{ */
+		$name = $this->getParam('name');
+		$comment = $this->getParam('comment');
+
+		/* Call preCheckInDocument early, because it might need to modify some
+		 * of the parameters.
+		 */
+		if(false === $this->callHook('preCheckInDocument', $this->params['document'])) {
+			if(empty($this->errormsg))
+				$this->errormsg = 'hook_preCheckInDocument_failed';
+			return null;
+		}
+
+		$comment = $this->getParam('comment');
+		$dms = $this->params['dms'];
+		$user = $this->params['user'];
+		$document = $this->params['document'];
+		$settings = $this->params['settings'];
+		$fulltextservice = $this->params['fulltextservice'];
+		$folder = $this->params['folder'];
+		$userfiletmp = $this->getParam('userfiletmp');
+		$userfilename = $this->getParam('userfilename');
+		$filetype = $this->getParam('filetype');
+		$userfiletype = $this->getParam('userfiletype');
+		$reviewers = $this->getParam('reviewers');
+		$approvers = $this->getParam('approvers');
+		$recipients = $this->getParam('recipients');
+		$reqversion = $this->getParam('reqversion');
+		$comment = $this->getParam('comment');
+		$attributes = $this->getParam('attributes');
+		$workflow = $this->getParam('workflow');
+		$maxsizeforfulltext = $this->getParam('maxsizeforfulltext');
+		$initialdocumentstatus = $this->getParam('initialdocumentstatus');
+
+		$content = $this->callHook('checkinDocument');
+		if($content === null) {
+			if($contentResult=$document->checkIn($comment, $user, $reviewers, $approvers, $version=0, $attributes, $workflow, $initialdocumentstatus)) {
+
+				if ($this->hasParam('expires')) {
+					if($document->setExpires($this->getParam('expires'))) {
+					} else {
+					}
+				}
+
+				if(!empty($recipients['i'])) {
+					foreach($recipients['i'] as $uid) {
+						if($u = $dms->getUser($uid)) {
+							$res = $contentResult->getContent()->addIndRecipient($u, $user);
+						}
+					}
+				}
+				if(!empty($recipients['g'])) {
+					foreach($recipients['g'] as $gid) {
+						if($g = $dms->getGroup($gid)) {
+							$res = $contentResult->getContent()->addGrpRecipient($g, $user);
+						}
+					}
+				}
+
+				$content = $contentResult->getContent();
+			} else {
+				$this->errormsg = 'error_checkin_document';
+				$result = false;
+			}
+		} elseif($result === false) {
+			if(empty($this->errormsg))
+				$this->errormsg = 'hook_checkinDocument_failed';
+			return false;
+		}
+
+		if($fulltextservice && ($index = $fulltextservice->Indexer()) && $content) {
+			$idoc = $fulltextservice->IndexedDocument($document);
+			if(false !== $this->callHook('preIndexDocument', $document, $idoc)) {
+				$lucenesearch = $fulltextservice->Search();
+				if($hit = $lucenesearch->getDocument((int) $document->getId())) {
+					$index->delete($hit->id);
+				}
+				$index->addDocument($idoc);
+				$index->commit();
+			}
+		}
+
+		if(false === $this->callHook('postCheckInDocument', $document, $content)) {
+		}
+
+		return $content;
+	} /* }}} */
+}
+
+

controllers/class.Cron.php

@@ -0,0 +1,108 @@
+<?php
+/**
+ * Implementation of Cron controller
+ *
+ * @category   DMS
+ * @package    SeedDMS
+ * @license    GPL 2
+ * @version    @version@
+ * @author     Uwe Steinmann <uwe@steinmann.cx>
+ * @copyright  Copyright (C) 2010-2020 Uwe Steinmann
+ * @version    Release: @package_version@
+ */
+
+/**
+ * Class which does the busines logic for the regular cron job
+ *
+ * @category   DMS
+ * @package    SeedDMS
+ * @author     Uwe Steinmann <uwe@steinmann.cx>
+ * @copyright  Copyright (C) 2010-2020 Uwe Steinmann
+ * @version    Release: @package_version@
+ */
+class SeedDMS_Controller_Cron extends SeedDMS_Controller_Common {
+
+	public function run() { /* {{{ */
+		$dms = $this->params['dms'];
+		$user = $this->params['user'];
+		$settings = $this->params['settings'];
+		$logger = $this->params['logger'];
+		$mode = $this->params['mode'];
+		$seltask = $this->params['task'];
+		$db = $dms->getDb();
+
+		$scheduler = new SeedDMS_Scheduler($db);
+		$tasks = $scheduler->getTasks();
+
+		$jsonarr = [];
+		foreach($tasks as $task) {
+			if($seltask && $seltask != $task->getExtension()."::".$task->getTask())
+				continue;
+			if(isset($GLOBALS['SEEDDMS_SCHEDULER']['tasks'][$task->getExtension()]) && is_object($taskobj = resolveTask($GLOBALS['SEEDDMS_SCHEDULER']['tasks'][$task->getExtension()][$task->getTask()]))) {
+				$arr = array(
+					'extension'=>$task->getExtension(),
+					'name'=>$task->getTask(),
+					'mode'=>$mode,
+					'disabled' => (bool) $task->getDisabled(),
+					'isdue' => $task->isDue(),
+				);
+				switch($mode) {
+				case "run":
+				case "dryrun":
+					if(method_exists($taskobj, 'execute')) {
+            if(!$task->getDisabled() && $task->isDue()) {
+							if($mode == 'run') {
+								/* Schedule the next run right away to prevent a second execution
+								 * of the task when the cron job of the scheduler is called before
+								 * the last run was finished. The task itself can still be scheduled
+								 * to fast, but this is up to the admin of seeddms.
+								 */
+								$task->updateLastNextRun();
+								if($taskobj->execute($task)) {
+									add_log_line("Execution of task ".$task->getExtension()."::".$task->getTask()." successful.");
+									$arr['success'] = true;
+								} else {
+									add_log_line("Execution of task ".$task->getExtension()."::".$task->getTask()." failed, task has been disabled.", PEAR_LOG_ERR);
+									$arr['success'] = false;
+									$task->setDisabled(1);
+								}
+							} elseif($mode == 'dryrun') {
+								$arr['success'] = true;
+							}
+            }
+					}
+					break;
+				case "check":
+					$arr['error'] = false;
+					if(!method_exists($taskobj, 'execute')) {
+						$arr['error'] = true;
+						$arr['messages'][] = 'Missing method execute()';
+					}
+					if(get_parent_class($taskobj) != 'SeedDMS_SchedulerTaskBase') {
+						$arr['error'] = true;
+						$arr['error'][] = "Wrong parent class";
+					}
+					break;
+				case "list":
+				default:
+					header("Content-Type: application/json");
+					$arr['nextrun']=$task->getNextRun();
+					$arr['frequency']=$task->getFrequency();
+					$arr['params']=array();
+					if($params = $task->getParameter()) {
+						foreach($params as $key=>$value) {
+							$p = $taskobj->getAdditionalParamByName($key);
+							$arr['params'][$key] = ($p['type'] == 'password') ? '*******' : $value;
+						}
+					}
+					break;
+				}
+				$jsonarr[] = $arr;
+			}
+		}
+		echo json_encode($jsonarr);
+
+		return true;
+	} /* }}} */
+}
+

controllers/class.Download.php

@@ -22,49 +22,192 @@
  */
 class SeedDMS_Controller_Download extends SeedDMS_Controller_Common {
 
-	public function run() {
+	public function version() { /* {{{ */
+		$dms = $this->params['dms'];
+		$version = $this->params['version'];
+		$document = $this->params['document'];
+		if($version < 1) {
+			$content = $this->callHook('documentLatestContent', $document);
+			if($content === null)
+				$content = $document->getLatestContent();
+		} else {
+			$content = $this->callHook('documentContent', $document, $version);
+			if($content === null)
+				$content = $document->getContentByVersion($version);
+		}
+		if (!is_object($content)) {
+			$this->errormsg = 'invalid_version';
+			return false;
+		}
+		/* set params['content'] for compatiblity with older extensions which
+		 * expect the content in the controller
+		 */
+		$this->params['content'] = $content;
+		if(null === $this->callHook('version')) {
+			if(file_exists($dms->contentDir . $content->getPath())) {
+				header("Content-Transfer-Encoding: binary");
+				$efilename = rawurlencode($content->getOriginalFileName());
+				header("Content-Disposition: attachment; filename=\"" . $efilename . "\"; filename*=UTF-8''".$efilename);
+				header("Content-Type: " . $content->getMimeType());
+				header("Cache-Control: must-revalidate");
+				header("ETag: ".$content->getChecksum());
+
+				sendFile($dms->contentDir . $content->getPath());
+			}
+		}
+		return true;
+	} /* }}} */
+
+	public function file() { /* {{{ */
+		$dms = $this->params['dms'];
+		$file = $this->params['file'];
+
+		if(null === $this->callHook('file')) {
+			if(file_exists($dms->contentDir . $file->getPath())) {
+				header("Content-Transfer-Encoding: binary");
+				header("Content-Disposition: attachment; filename=\"" . $file->getOriginalFileName() . "\"");
+				header("Content-Type: " . $file->getMimeType());
+				header("Cache-Control: must-revalidate");
+
+				sendFile($dms->contentDir . $file->getPath());
+			}
+		}
+		return true;
+	} /* }}} */
+
+	public function archive() { /* {{{ */
+		$dms = $this->params['dms'];
+		$filename = $this->params['file'];
+		$basedir = $this->params['basedir'];
+
+		if(null === $this->callHook('archive')) {
+			if(file_exists($basedir . $filename)) {
+				header('Content-Description: File Transfer');
+				header("Content-Type: application/zip");
+				header("Content-Transfer-Encoding: binary");
+				$efilename = rawurlencode($filename);
+				header("Content-Disposition: attachment; filename=\"" .$efilename . "\"; filename*=UTF-8''".$efilename);
+				header("Cache-Control: public");
+				
+				sendFile($basedir .$filename );
+			}
+		}
+		return true;
+	} /* }}} */
+
+	public function log() { /* {{{ */
+		$dms = $this->params['dms'];
+		$filename = $this->params['file'];
+		$basedir = $this->params['basedir'];
+
+		if(null === $this->callHook('log')) {
+			if(file_exists($basedir . $filename)) {
+				header("Content-Type: text/plain; name=\"" . $filename . "\"");
+				header("Content-Transfer-Encoding: binary");
+				$efilename = rawurlencode($filename);
+				header("Content-Disposition: attachment; filename=\"" .$efilename . "\"; filename*=UTF-8''".$efilename);
+				header("Cache-Control: must-revalidate");
+
+				sendFile($basedir.$filename);
+			}
+		}
+		return true;
+	} /* }}} */
+
+	public function sqldump() { /* {{{ */
+		$dms = $this->params['dms'];
+		$filename = $this->params['file'];
+		$basedir = $this->params['basedir'];
+
+		if(null === $this->callHook('sqldump')) {
+			if(file_exists($basedir . $filename)) {
+				header("Content-Type: application/zip");
+				header("Content-Transfer-Encoding: binary");
+				$efilename = rawurlencode($filename);
+				header("Content-Disposition: attachment; filename=\"" .$efilename . "\"; filename*=UTF-8''".$efilename);
+				header("Cache-Control: must-revalidate");
+				
+				sendFile($basedir.$filename);
+			}
+		}
+		return true;
+	} /* }}} */
+
+	public function approval() { /* {{{ */
+		$dms = $this->params['dms'];
+		$document = $this->params['document'];
+		$logid = $this->params['approvelogid'];
+
+		$filename = $dms->contentDir . $document->getDir().'a'.$logid;
+		if (!file_exists($filename) ) {
+			$this->error = 1;
+			return false;
+		}
+
+		if(null === $this->callHook('approval')) {
+			$finfo = finfo_open(FILEINFO_MIME_TYPE);
+			$mimetype = finfo_file($finfo, $filename);
+
+			header("Content-Type: ".$mimetype);
+			header("Content-Transfer-Encoding: binary");
+			header("Content-Disposition: attachment; filename=\"approval-" . $document->getID()."-".(int) $_GET['approvelogid'] . get_extension($mimetype) . "\"");
+			header("Cache-Control: must-revalidate");
+			sendFile($filename);
+		}
+		return true;
+	} /* }}} */
+
+	public function review() { /* {{{ */
+		$dms = $this->params['dms'];
+		$document = $this->params['document'];
+		$logid = $this->params['reviewlogid'];
+
+		$filename = $dms->contentDir . $document->getDir().'r'.$logid;
+		if (!file_exists($filename) ) {
+			$this->error = 1;
+			return false;
+		}
+
+		if(null === $this->callHook('review')) {
+			$finfo = finfo_open(FILEINFO_MIME_TYPE);
+			$mimetype = finfo_file($finfo, $filename);
+
+			header("Content-Type: ".$mimetype);
+			header("Content-Transfer-Encoding: binary");
+			header("Content-Length: " . filesize($filename ));
+			header("Content-Disposition: attachment; filename=\"review-" . $document->getID()."-".(int) $_GET['reviewlogid'] . get_extension($mimetype) . "\"");
+			header("Cache-Control: must-revalidate");
+			sendFile($filename);
+		}
+		return true;
+	} /* }}} */
+
+	public function run() { /* {{{ */
 		$dms = $this->params['dms'];
 		$type = $this->params['type'];
 
 		switch($type) {
 			case "version":
-				if(empty($this->params['content'])) {
-					$version = $this->params['version'];
-					$document = $this->params['document'];
-					if($version < 1) {
-						$content = $this->callHook('documentLatestContent', $document);
-						if($content === null)
-							$content = $document->getLatestContent();
-					} else {
-						$content = $this->callHook('documentContent', $document, $version);
-						if($content === null)
-							$content = $document->getContentByVersion($version);
-					}
-					if (!is_object($content)) {
-						$this->errormsg = 'invalid_version';
-						return false;
-					}
-					/* set params['content'] for compatiblity with older extensions which
-					 * expect the content in the controller
-					 */
-					$this->params['content'] = $content;
-				} else {
-					$content = $this->params['content'];
-				}
-				if(null === $this->callHook('version')) {
-					if(file_exists($dms->contentDir . $content->getPath())) {
-						header("Content-Transfer-Encoding: binary");
-						$efilename = rawurlencode($content->getOriginalFileName());
-						header("Content-Disposition: attachment; filename=\"" . $efilename . "\"; filename*=UTF-8''".$efilename);
-						header("Content-Type: " . $content->getMimeType());
-						header("Cache-Control: must-revalidate");
-						header("ETag: ".$content->getChecksum());
-
-						sendFile($dms->contentDir.$content->getPath());
-					}
-				}
+				return $this->version();
+				break;
+			case "file":
+				return $this->file();
+				break;
+			case "archive":
+				return $this->archive();
+				break;
+			case "log":
+				return $this->log();
+				break;
+			case "sqldump":
+				return $this->sqldump();
+				break;
+			case "approval":
+				return $this->approval();
+				break;
+			case "review":
+				return $this->review();
 				break;
 		}
-		return true;
-	}
+	} /* }}} */
 }

controllers/class.Login.php

@@ -64,6 +64,16 @@ class SeedDMS_Controller_Login extends SeedDMS_Controller_Common {
 			return false;
 		}
 
+		if($settings->_enable2FactorAuthentication) {
+			if($user->getSecret()) {
+				$tfa = new \RobThree\Auth\TwoFactorAuth('SeedDMS');
+				if($tfa->verifyCode($user->getSecret(), $_POST['twofactauth']) !== true) {
+					$this->setErrorMsg("login_error_text");
+					return false;
+				}
+			}
+		}
+
 		/* Run any additional checks which may prevent login */
 		if(false === $this->callHook('restrictLogin', $user)) {
 			if(empty($this->errormsg))

controllers/class.ReceiptDocument.php

@@ -0,0 +1,67 @@
+<?php
+/**
+ * Implementation of ReceiptDocument controller
+ *
+ * @category   DMS
+ * @package    SeedDMS
+ * @license    GPL 2
+ * @version    @version@
+ * @author     Uwe Steinmann <uwe@steinmann.cx>
+ * @copyright  Copyright (C) 2010-2013 Uwe Steinmann
+ * @version    Release: @package_version@
+ */
+
+/**
+ * Class which does the busines logic for downloading a document
+ *
+ * @category   DMS
+ * @package    SeedDMS
+ * @author     Uwe Steinmann <uwe@steinmann.cx>
+ * @copyright  Copyright (C) 2010-2013 Uwe Steinmann
+ * @version    Release: @package_version@
+ */
+class SeedDMS_Controller_ReceiptDocument extends SeedDMS_Controller_Common {
+
+	public function run() {
+		$dms = $this->params['dms'];
+		$user = $this->params['user'];
+		$settings = $this->params['settings'];
+		$document = $this->params['document'];
+		$content = $this->params['content'];
+		$receiptstatus = $this->params['receiptstatus'];
+		$receipttype = $this->params['receipttype'];
+		$group = $this->params['group'];
+		$comment = $this->params['comment'];
+
+		/* Get the document id and name before removing the document */
+		$docname = $document->getName();
+		$documentid = $document->getID();
+
+		if(!$this->callHook('preReceiptDocument', $content)) {
+		}
+
+		$result = $this->callHook('receiptDocument', $content);
+		if($result === null) {
+
+			if ($receipttype == "ind") {
+				if(0 > $content->setReceiptByInd($user, $user, $receiptstatus, $comment)) {
+					$this->error = 1;
+					$this->errormsg = "receipt_update_failed";
+					return false;
+				}
+			} elseif ($receipttype == "grp") {
+				if(0 > $content->setReceiptByGrp($group, $user, $receiptstatus, $comment)) {
+					$this->error = 1;
+					$this->errormsg = "receipt_update_failed";
+					return false;
+				}
+			}
+		}
+
+		if(!$this->callHook('postReceiptDocument', $content)) {
+		}
+
+		return true;
+	}
+}
+

controllers/class.ReviewDocument.php

@@ -36,83 +36,96 @@ class SeedDMS_Controller_ReviewDocument extends SeedDMS_Controller_Common {
 		$this->oldstatus = $overallStatus['status'];
 		$this->newstatus = $this->oldstatus;
 
-		if ($reviewtype == "ind") {
-			$reviewLogID = $content->setReviewByInd($user, $user, $reviewstatus, $reviewcomment, $reviewfile);
-		} elseif($reviewtype == "grp") {
-			$reviewLogID = $content->setReviewByGrp($reviewgroup, $user, $reviewstatus, $reviewcomment, $reviewfile);
-		} else {
-			$this->errormsg = "review_wrong_type";
-			return false;
-		}
-		if($reviewLogID === false || 0 > $reviewLogID) {
-			$this->errormsg = "review_update_failed";
-			return false;
+		if(!$this->callHook('preReviewDocument', $content)) {
 		}
 
-		if($reviewstatus == -1) {
-			$this->newstatus = S_REJECTED;
-			if($content->setStatus(S_REJECTED, $reviewcomment, $user)) {
-				if(isset($GLOBALS['SEEDDMS_HOOKS']['reviewDocument'])) {
-					foreach($GLOBALS['SEEDDMS_HOOKS']['reviewDocument'] as $hookObj) {
-						if (method_exists($hookObj, 'postReviewDocument')) {
-							$hookObj->postReviewDocument(null, $content, S_REJECTED);
-						}
-					}
-				}
-			}
-		} else {
-			$docReviewStatus = $content->getReviewStatus();
-			if (is_bool($docReviewStatus) && !$docReviewStatus) {
-				$this->errormsg = "cannot_retrieve_review_snapshot";
+		$result = $this->callHook('reviewDocument', $content);
+		if($result === null) {
+			if ($reviewtype == "ind") {
+				$reviewLogID = $content->setReviewByInd($user, $user, $reviewstatus, $reviewcomment, $reviewfile);
+			} elseif($reviewtype == "grp") {
+				$reviewLogID = $content->setReviewByGrp($reviewgroup, $user, $reviewstatus, $reviewcomment, $reviewfile);
+			} else {
+				$this->errormsg = "review_wrong_type";
 				return false;
 			}
-			$reviewCT = 0;
-			$reviewTotal = 0;
-			foreach ($docReviewStatus as $drstat) {
-				if ($drstat["status"] == 1) {
-					$reviewCT++;
-				}
-				if ($drstat["status"] != -2) {
-					$reviewTotal++;
-				}
+			if($reviewLogID === false || 0 > $reviewLogID) {
+				$this->errormsg = "review_update_failed";
+				return false;
 			}
-			// If all reviews have been received and there are no rejections, retrieve a
-			// count of the approvals required for this document.
-			if ($reviewCT == $reviewTotal) {
-				$docApprovalStatus = $content->getApprovalStatus();
-				if (is_bool($docApprovalStatus) && !$docApprovalStatus) {
-					$this->errormsg = "cannot_retrieve_approval_snapshot";
-					return false;
-				}
-				$approvalCT = 0;
-				$approvalTotal = 0;
-				foreach($docApprovalStatus as $dastat) {
-					if($dastat["status"] == 1) {
-						$approvalCT++;
-					}
-					if($dastat["status"] != -2) {
-						$approvalTotal++;
-					}
-				}
-				// If the approvals received is less than the approvals total, then
-				// change status to pending approval.
-				if($approvalCT < $approvalTotal) {
-					$this->newstatus = S_DRAFT_APP;
-				} else {
-					// Otherwise, change the status to released.
-					$this->newstatus = S_RELEASED;
-				}
-				if($content->setStatus($this->newstatus, getMLText("automatic_status_update"), $user)) {
+		}
+
+		$result = $this->callHook('reviewUpdateDocumentStatus', $content);
+		if($result === null) {
+			if($reviewstatus == -1) {
+				$this->newstatus = S_REJECTED;
+				if($content->setStatus(S_REJECTED, $reviewcomment, $user)) {
 					if(isset($GLOBALS['SEEDDMS_HOOKS']['reviewDocument'])) {
 						foreach($GLOBALS['SEEDDMS_HOOKS']['reviewDocument'] as $hookObj) {
 							if (method_exists($hookObj, 'postReviewDocument')) {
-								$hookObj->postReviewDocument(null, $content, $this->newstatus);
+								$hookObj->postReviewDocument(null, $content, S_REJECTED);
+							}
+						}
+					}
+				}
+			} else {
+				$docReviewStatus = $content->getReviewStatus();
+				if (is_bool($docReviewStatus) && !$docReviewStatus) {
+					$this->errormsg = "cannot_retrieve_review_snapshot";
+					return false;
+				}
+				$reviewCT = 0;
+				$reviewTotal = 0;
+				foreach ($docReviewStatus as $drstat) {
+					if ($drstat["status"] == 1) {
+						$reviewCT++;
+					}
+					if ($drstat["status"] != -2) {
+						$reviewTotal++;
+					}
+				}
+				// If all reviews have been received and there are no rejections, retrieve a
+				// count of the approvals required for this document.
+				if ($reviewCT == $reviewTotal) {
+					$docApprovalStatus = $content->getApprovalStatus();
+					if (is_bool($docApprovalStatus) && !$docApprovalStatus) {
+						$this->errormsg = "cannot_retrieve_approval_snapshot";
+						return false;
+					}
+					$approvalCT = 0;
+					$approvalTotal = 0;
+					foreach($docApprovalStatus as $dastat) {
+						if($dastat["status"] == 1) {
+							$approvalCT++;
+						}
+						if($dastat["status"] != -2) {
+							$approvalTotal++;
+						}
+					}
+					// If the approvals received is less than the approvals total, then
+					// change status to pending approval.
+					if($approvalCT < $approvalTotal) {
+						$this->newstatus = S_DRAFT_APP;
+					} else {
+						// Otherwise, change the status to released.
+						$this->newstatus = S_RELEASED;
+					}
+					if($content->setStatus($this->newstatus, getMLText("automatic_status_update"), $user)) {
+						if(isset($GLOBALS['SEEDDMS_HOOKS']['reviewDocument'])) {
+							foreach($GLOBALS['SEEDDMS_HOOKS']['reviewDocument'] as $hookObj) {
+								if (method_exists($hookObj, 'postReviewDocument')) {
+									$hookObj->postReviewDocument(null, $content, $this->newstatus);
+								}
 							}
 						}
 					}
 				}
 			}
 		}
+
+		if(!$this->callHook('postReviewDocument', $content)) {
+		}
+
 		return true;
 	} /* }}} */
 }

controllers/class.ReviseDocument.php

@@ -0,0 +1,143 @@
+<?php
+/**
+ * Implementation of ReviseDocument controller
+ *
+ * @category   DMS
+ * @package    SeedDMS
+ * @license    GPL 2
+ * @version    @version@
+ * @author     Uwe Steinmann <uwe@steinmann.cx>
+ * @copyright  Copyright (C) 2010-2013 Uwe Steinmann
+ * @version    Release: @package_version@
+ */
+
+/**
+ * Class which does the busines logic for downloading a document
+ *
+ * @category   DMS
+ * @package    SeedDMS
+ * @author     Uwe Steinmann <uwe@steinmann.cx>
+ * @copyright  Copyright (C) 2010-2013 Uwe Steinmann
+ * @version    Release: @package_version@
+ */
+class SeedDMS_Controller_ReviseDocument extends SeedDMS_Controller_Common {
+
+	public $oldstatus;
+
+	public $newstatus;
+
+	public function run() {
+		$dms = $this->params['dms'];
+		$user = $this->params['user'];
+		$settings = $this->params['settings'];
+		$document = $this->params['document'];
+		$content = $this->params['content'];
+		$revisionstatus = $this->params['revisionstatus'];
+		$revisiontype = $this->params['revisiontype'];
+		$group = $this->params['group'];
+		$comment = $this->params['comment'];
+		$overallStatus = $content->getStatus();
+		$this->oldstatus = $overallStatus['status'];
+		$this->newstatus = $this->oldstatus;
+
+		/* if set to true, a single reject will reject the doc. If set to false
+		 * all revisions will be collected first and afterwards the doc is rejected
+		 * if one has rejected it. So in the very end the doc is rejected, but
+		 * doc remainѕ in S_IN_REVISION until all have revised the doc
+		 */
+		$onevotereject = $this->params['onevotereject'];
+
+		/* Get the document id and name before removing the document */
+		$docname = $document->getName();
+		$documentid = $document->getID();
+
+		if(!$this->callHook('preReviseDocument', $content)) {
+		}
+
+		$result = $this->callHook('reviseDocument', $content);
+		if($result === null) {
+
+			if ($revisiontype == "ind") {
+				if(0 > $content->setRevision($user, $user, $revisionstatus, $comment)) {
+					$this->error = 1;
+					$this->errormsg = "revision_update_failed";
+					return false;
+				}
+			} elseif ($revisiontype == "grp") {
+				if(0 > $content->setRevision($group, $user, $revisionstatus, $comment)) {
+					$this->error = 1;
+					$this->errormsg = $ll."revision_update_failed";
+					return false;
+				}
+			}
+		}
+
+		/* Check to see if the overall status for the document version needs to be
+		 * updated.
+		 */
+		$result = $this->callHook('reviseUpdateDocumentStatus', $content);
+		if($result === null) {
+			if ($onevotereject && $revisionstatus == -1){
+				$this->newstatus = S_NEEDS_CORRECTION;
+				if(!$content->setStatus(S_NEEDS_CORRECTION,$comment,$user)) {
+					$this->error = 1;
+					$this->errormsg = "revision_update_failed";
+					return false;
+				}
+			} else {
+				$docRevisionStatus = $content->getRevisionStatus();
+				if (is_bool($docRevisionStatus) && !$docRevisionStatus) {
+					$this->error = 1;
+					$this->errormsg = "cannot_retrieve_revision_snapshot";
+					return false;
+				}
+				$revisionok = 0;
+				$revisionnotok = 0;
+				$revisionTotal = 0;
+				foreach ($docRevisionStatus as $drstat) {
+					if ($drstat["status"] == 1) {
+						$revisionok++;
+					}
+					if ($drstat["status"] == -1) {
+						$revisionnotok++;
+					}
+					if ($drstat["status"] != -2) {
+						$revisionTotal++;
+					}
+				}
+				// If all revisions have been done and there are no rejections,
+				// then release the document. If all revisions have been done but some
+				// of them were rejections then documents needs correction.
+				// Otherwise put it back into revision workflow
+				if ($revisionok == $revisionTotal) {
+					$this->newstatus=S_RELEASED;
+					if ($content->finishRevision($user, $this->newstatus, 'Finished revision workflow', getMLText("automatic_status_update"))) {
+						if(!$this->callHook('finishReviseDocument', $content)) {
+						}
+					}
+				} elseif (($revisionok + $revisionnotok) == $revisionTotal) {
+					$this->newstatus=S_NEEDS_CORRECTION;
+//					if ($content->finishRevision($user, $this->newstatus, 'Finished revision workflow', getMLText("automatic_status_update"))) {
+					if(!$content->setStatus($this->newstatus,$comment,$user)) {
+						$this->error = 1;
+						$this->errormsg = "revision_update_failed";
+						return false;
+					}
+				} else {
+					$this->newstatus=S_IN_REVISION;
+					if(!$content->setStatus($this->newstatus,$comment,$user)) {
+						$this->error = 1;
+						$this->errormsg = "revision_update_failed";
+						return false;
+					}
+				}
+			}
+		}
+
+		if(!$this->callHook('postReviseDocument', $content)) {
+		}
+
+		return true;
+	}
+}
+

controllers/class.RoleMgr.php

@@ -0,0 +1,56 @@
+<?php
+/**
+ * Implementation of Role manager controller
+ *
+ * @category   DMS
+ * @package    SeedDMS
+ * @license    GPL 2
+ * @version    @version@
+ * @author     Uwe Steinmann <uwe@steinmann.cx>
+ * @copyright  Copyright (C) 2010-2013 Uwe Steinmann
+ * @version    Release: @package_version@
+ */
+
+/**
+ * Class which does the busines logic for role manager
+ *
+ * @category   DMS
+ * @package    SeedDMS
+ * @author     Uwe Steinmann <uwe@steinmann.cx>
+ * @copyright  Copyright (C) 2010-2013 Uwe Steinmann
+ * @version    Release: @package_version@
+ */
+class SeedDMS_Controller_RoleMgr extends SeedDMS_Controller_Common {
+
+	public function run() {
+	}
+
+	public function addrole() {
+		$dms = $this->params['dms'];
+		$name = $this->params['name'];
+		$role = $this->params['role'];
+
+		return($dms->addRole($name, $role));
+	}
+
+	public function removerole() {
+		$roleobj = $this->params['roleobj'];
+		return $roleobj->remove();
+	}
+
+	public function editrole() {
+		$dms = $this->params['dms'];
+		$name = $this->params['name'];
+		$role = $this->params['role'];
+		$roleobj = $this->params['roleobj'];
+		$noaccess = $this->params['noaccess'];
+
+		if ($roleobj->getName() != $name)
+			$roleobj->setName($name);
+		if ($roleobj->getRole() != $role)
+			$roleobj->setRole($role);
+		$roleobj->setNoAccess($noaccess);
+
+		return true;
+	}
+}

controllers/class.TransmittalDownload.php

@@ -0,0 +1,68 @@
+<?php
+/**
+ * Implementation of Transmittal Download controller
+ *
+ * @category   DMS
+ * @package    SeedDMS
+ * @license    GPL 2
+ * @version    @version@
+ * @author     Uwe Steinmann <uwe@steinmann.cx>
+ * @copyright  Copyright (C) 2010-2013 Uwe Steinmann
+ * @version    Release: @package_version@
+ */
+
+/**
+ * Class which does the busines logic for downloading a transmittal
+ *
+ * @category   DMS
+ * @package    SeedDMS
+ * @author     Uwe Steinmann <uwe@steinmann.cx>
+ * @copyright  Copyright (C) 2010-2013 Uwe Steinmann
+ * @version    Release: @package_version@
+ */
+class SeedDMS_Controller_TransmittalDownload extends SeedDMS_Controller_Common {
+
+	public function run() {
+		$dms = $this->params['dms'];
+		$user = $this->params['user'];
+		$transmittal = $this->params['transmittal'];
+
+		$items = $transmittal->getItems();
+		if($items) {
+			include("../inc/inc.ClassDownloadMgr.php");
+			$downmgr = new SeedDMS_Download_Mgr();
+			if($extraheader = $this->callHook('extraDownloadHeader'))
+				$downmgr->addHeader($extraheader);
+
+			foreach($items as $item) {
+				$content = $item->getContent();
+				$document = $content->getDocument();
+				if ($document->getAccessMode($user) >= M_READ) {
+					$extracols = $this->callHook('extraDownloadColumns', $document);
+					$filename = $this->callHook('filenameDownloadItem', $content);
+					if($rawcontent = $this->callHook('rawcontent', $content)) {
+						$downmgr->addItem($content, $extracols, $rawcontent, $filename);
+					} else
+						$downmgr->addItem($content, $extracols, null, $filename);
+				}
+			}
+
+			$filename = tempnam(sys_get_temp_dir(), 'transmittal-download-');
+			if($filename) {
+				if($downmgr->createArchive($filename)) {
+					header("Content-Transfer-Encoding: binary");
+					header("Content-Length: " . filesize($filename));
+					header("Content-Disposition: attachment; filename=\"export-" .date('Y-m-d') . ".zip\"");
+					header("Content-Type: application/zip");
+					header("Cache-Control: must-revalidate");
+
+					readfile($filename);
+				} else {
+				}
+				unlink($filename);
+			}
+			exit;
+		}
+	}
+}
+

controllers/class.UpdateDocument.php

@@ -48,16 +48,18 @@ class SeedDMS_Controller_UpdateDocument extends SeedDMS_Controller_Common {
 		$userfiletype = $this->getParam('userfiletype');
 		$reviewers = $this->getParam('reviewers');
 		$approvers = $this->getParam('approvers');
+		$recipients = $this->getParam('recipients');
 		$reqversion = $this->getParam('reqversion');
 		$comment = $this->getParam('comment');
 		$attributes = $this->getParam('attributes');
 		$workflow = $this->getParam('workflow');
 		$maxsizeforfulltext = $this->getParam('maxsizeforfulltext');
+		$initialdocumentstatus = $this->getParam('initialdocumentstatus');
 
 		$content = $this->callHook('updateDocument');
 		if($content === null) {
 			$filesize = SeedDMS_Core_File::fileSize($userfiletmp);
-			if($contentResult=$document->addContent($comment, $user, $userfiletmp, utf8_basename($userfilename), $filetype, $userfiletype, $reviewers, $approvers, $version=0, $attributes, $workflow)) {
+			if($contentResult=$document->addContent($comment, $user, $userfiletmp, utf8_basename($userfilename), $filetype, $userfiletype, $reviewers, $approvers, $version=0, $attributes, $workflow, $initialdocumentstatus)) {
 
 				if ($this->hasParam('expires')) {
 					if($document->setExpires($this->getParam('expires'))) {
@@ -65,6 +67,21 @@ class SeedDMS_Controller_UpdateDocument extends SeedDMS_Controller_Common {
 					}
 				}
 
+				if(!empty($recipients['i'])) {
+					foreach($recipients['i'] as $uid) {
+						if($u = $dms->getUser($uid)) {
+							$res = $contentResult->getContent()->addIndRecipient($u, $user);
+						}
+					}
+				}
+				if(!empty($recipients['g'])) {
+					foreach($recipients['g'] as $gid) {
+						if($g = $dms->getGroup($gid)) {
+							$res = $contentResult->getContent()->addGrpRecipient($g, $user);
+						}
+					}
+				}
+
 				$content = $contentResult->getContent();
 			} else {
 				$this->errormsg = 'error_update_document';

develop/retrieveml.sh

@@ -1,3 +1,3 @@
 #!/bin/sh
 # This command retrieves the strings that need to be translated
-sgrep -o "%r\n" '"getMLText(\"" __ "\""' */*.php|sort|uniq -c
+sgrep -o "%r\n" '"getMLText(\"" __ "\""' */*.php views/bootstrap/*.php |sort|uniq -c

develop/transcomp.php

@@ -1,7 +1,7 @@
 <?php
 /* Determine all languages keys used in the php files */
 $output = array();
-if(exec('sgrep -o "%r\n" \'"tMLText(\"" __ "\""\' */*.php|sort|uniq -c', $output)) {
+if(exec('sgrep -o "%r\n" \'"tMLText(\"" __ "\""\' */*.php views/bootstrap/*.php|sort|uniq -c', $output)) {
 	$allkeys = array();
 	foreach($output as $line) {
 		$data = explode(' ', trim($line));
@@ -9,8 +9,9 @@ if(exec('sgrep -o "%r\n" \'"tMLText(\"" __ "\""\' */*.php|sort|uniq -c', $output
 	}
 }
 
+$languages = array('ar_EG', 'bg_BG', 'ca_ES', 'cs_CZ', 'de_DE', 'en_GB', 'es_ES', 'fr_FR', 'hu_HU', 'it_IT', 'nl_NL', 'pl_PL', 'pt_BR', 'ro_RO', 'ru_RU', 'sk_SK', 'sv_SE', 'tr_TR', 'zh_CN', 'zh_TW');
 /* Reading languages */
-foreach(array('en_GB', 'de_DE', 'it_IT', 'sk_SK', 'cs_CZ') as $lang) {
+foreach($languages as $lang) {
 	include('languages/'.$lang.'/lang.inc');
 	ksort($text);
 	$langarr[$lang] = $text;
@@ -20,7 +21,7 @@ foreach(array('en_GB', 'de_DE', 'it_IT', 'sk_SK', 'cs_CZ') as $lang) {
 echo "List of missing keys\n";
 echo "-----------------------------\n";
 foreach(array_keys($allkeys) as $key) {
-	foreach(array('en_GB', 'de_DE', 'it_IT', 'sk_SK', 'cs_CZ') as $lang) {
+	foreach($languages as $lang) {
 		if(!isset($langarr[$lang][$key])) {
 			echo "Missing key '".$key."' in language ".$lang."\n";
 		}
@@ -31,7 +32,7 @@ echo "\n";
 /* Check for phrases not used anymore */
 echo "List of superflous keys\n";
 echo "-----------------------------\n";
-foreach(array('en_GB', 'de_DE', 'it_IT', 'sk_SK', 'cs_CZ') as $lang) {
+foreach($languages as $lang) {
 	$n = 0;
 	foreach($langarr[$lang] as $key=>$value) {
 		if(!isset($allkeys[$key])) {

doc/README.Notification

@@ -126,3 +126,28 @@ op/op.TriggerWorkflow.php
 op/op.UpdateDocument.php
 * document was updated
   subscribers of the document
+
+op/op.ReceiptDocument.php
+* document was received
+  subscribers of the document
+
+op/op.ReviseDocument.php
+* document was revised
+  subscribers of the document
+
+op/op.SetRevisors.php
+* Revisors were added/deleted
+  subscribers of the document
+  uploader of version
+  revisor
+
+op/op.ReceiptDocument.php
+* document was receipt
+  subscribers of the document
+
+op/op.SetRecipients.php
+* Recipients were added/deleted
+  subscribers of the document
+  uploader of version
+  recipient
+

doc/README.Scheduler.md

@@ -0,0 +1,26 @@
+Scheduler
+==========
+
+The scheduler in SeedDMS manages frequently run tasks. It is very similar
+to regular unix cron jobs. A task in SeedDMS is an instanciation of a task
+class which itself is defined by an extension or SeedDMS itself.
+SeedDMS has some predefined classes e.g. core::expireddocs.
+
+In order for tasks to be runnalbe, a user `cli_scheduler` must exists in
+SeedDMS.
+
+All tasks are executed by a single cronjob in the directory `utils`
+
+> */5 * * * * /home/www-data/seeddms60x/seeddms/utils/seeddms-schedulercli --mode=run
+
+Please keep in mind, that the php interpreter used for the cronjob may be
+different from the php interpreter used für the web application. Hence, two
+different php.ini files might be used. php and the php extensions may differ as
+well. This can cause some extensions to be disabled and consequently some task
+classes are not defined.
+
+`utils/seeddms-schedulercli` can also be run on the command line. If you
+do that, run it with the same system user used for the web server. On Debian
+this is www-data. Hence run it like
+
+sudo -u www-data utils/seeddms-schedulercli --mode=list

doc/README.cron

@@ -0,0 +1,42 @@
+Running the scheduler
+======================
+
+Since version 6 of SeedDMS a scheduler is implemented which runs
+scheduled tasks. Such tasks must be implemented in an extension
+and can be scheduled by the administrator within the user interface.
+
+In order to check frequently for tasks ready to run, a system cron job
+must be installed. On Linux this can be done by adding the following line
+to the crontab
+
+*/5 * * * * /var/www/seeddms60x/seeddms/utils/seeddms-schedulercli --mode=run
+
+(Of course you need to change the path to `seeddms-schedulercli`)
+
+This will install a cronjob running every 5 minutes. `seeddms-schedulercli` will check
+for tasks ready to run and execute them in that case. You can decrease the time between
+two calls of the cronjob, but keep in mind that seeddms tasks may take longer and
+are being started again before the previous task has been ended.
+
+If the configuration file of SeedDMS is not found, its path can be passed
+on the command, though this should not be needed in a regular installation
+obeying the directory structure of the quickstart archive.
+
+*/5 * * * * /var/www/seeddms60x/seeddms/utils/seeddms-schedulercli --config /var/www/seeddms60x/seeddms/conf/settings.xml --mode=run
+
+For testing purposes it may be usefull to run `seeddms-schedulercli` in list mode.
+
+seeddms-schedulercli --mode=list
+
+This will just list all tasks and its scheduled exection time. Tasks ready to run,
+because its scheduled execution time is already in the past will be marked with
+a `*`. Tasks which are disabled will be marked with a `-`.
+
+Executing `seeddms-schedulercli` in `dryrun` mode will behave just like in `run` mode
+but instead of running the task it will just issue a line.
+
+Instead of running utils/seeddms-schedulercli you may as well access
+op/op.Cron.php which also runs all scheduled tasks. On Linux you do this
+by setting up a cronjob like
+
+*/5 * * * * wget -q -O - "http://<your domain>/op/op.Cron.php"

ext/example/class.example.php

@@ -177,7 +177,32 @@ class SeedDMS_ExtExample_ViewFolder {
  * @package SeedDMS
  * @subpackage  example
  */
-class SeedDMS_ExtExample_Task {
-	public function execute() {
+class SeedDMS_ExtExample_Task extends SeedDMS_SchedulerTaskBase {
+
+	/**
+	 * Run the task
+	 *
+	 * @param $task task to be executed
+	 * @return boolean true if task was executed succesfully, otherwise false
+	 */
+	public function execute($task) {
+		$dms = $this->dms;
+		$user = $this->user;
+    $settings = $this->settings;
+    $logger = $this->logger;
+		$taskparams = $task->getParameter();
+		return true;
+	}
+
+	public function getDescription() {
+		return 'Description';
+	}
+
+	public function getAdditionalParams() {
+		return array(array(
+			'name'=>'email',
+			'type'=>'string',
+			'description'=> '',
+		));
 	}
 }

ext/example/conf.php

@@ -1,7 +1,7 @@
 <?php
 $EXT_CONF['example'] = array(
 	'title' => 'Example Extension',
-	'description' => 'This sample extension demonstrate the use of various hooks',
+	'description' => 'This sample extension demonstrates the use of various hooks',
 	'disable' => true,
 	'version' => '1.0.1',
 	'releasedate' => '2018-03-21',

ext/example/lang.php

@@ -1,4 +1,9 @@
 <?php
 $__lang['de_DE'] = array(
 	'folder_contents' => 'Dies war mal "Ordner enthält". Wurde von sample Extension geändert.',
+	'task_example_example_email' => 'Email',
+);
+$__lang['en_GB'] = array(
+	'folder_contents' => 'This used to be "Folder contents". Was changed by sample Extension.',
+	'task_example_example_email' => 'Email',
 );

inc/inc.Authentication.php

@@ -21,17 +21,23 @@ if (!strncmp("/op", $refer, 3)) {
 } else {
 	$refer = urlencode($refer);
 }
+
+/* Check if this is a ajax call. In that case do not redirect to any page */
+$isajax = isset($_GET['action']) && ($_GET['action'] != 'show');
+
 if (!isset($_COOKIE["mydms_session"])) {
 	if($settings->_enableGuestLogin && $settings->_enableGuestAutoLogin) {
 		$session = new SeedDMS_Session($db);
 		if(!$dms_session = $session->create(array('userid'=>$settings->_guestID, 'theme'=>$settings->_theme, 'lang'=>$settings->_language))) {
-			header("Location: " . $settings->_httpRoot . "out/out.Login.php?referuri=".$refer);
+			if(!$isajax)
+				header("Location: " . $settings->_httpRoot . "out/out.Login.php?referuri=".$refer);
 			exit;
 		}
 		$resArr = $session->load($dms_session);
 	}	elseif($settings->_autoLoginUser) {
 		if(!($user = $dms->getUser($settings->_autoLoginUser))/* || !$user->isGuest()*/) {
-			header("Location: " . $settings->_httpRoot . "out/out.Login.php?referuri=".$refer);
+			if(!$isajax)
+				header("Location: " . $settings->_httpRoot . "out/out.Login.php?referuri=".$refer);
 			exit;
 		}
 		$theme = $user->getTheme();
@@ -46,12 +52,14 @@ if (!isset($_COOKIE["mydms_session"])) {
 		}
 		$session = new SeedDMS_Session($db);
 		if(!$dms_session = $session->create(array('userid'=>$user->getID(), 'theme'=>$theme, 'lang'=>$lang))) {
-			header("Location: " . $settings->_httpRoot . "out/out.Login.php?referuri=".$refer);
+			if(!$isajax)
+				header("Location: " . $settings->_httpRoot . "out/out.Login.php?referuri=".$refer);
 			exit;
 		}
 		$resArr = $session->load($dms_session);
 	} else {
-		header("Location: " . $settings->_httpRoot . "out/out.Login.php?referuri=".$refer);
+		if(!$isajax)
+			header("Location: " . $settings->_httpRoot . "out/out.Login.php?referuri=".$refer);
 		exit;
 	}
 } else {
@@ -60,7 +68,8 @@ if (!isset($_COOKIE["mydms_session"])) {
 	$session = new SeedDMS_Session($db);
 	if(!$resArr = $session->load($dms_session)) {
 		setcookie("mydms_session", $dms_session, time()-3600, $settings->_httpRoot); //delete cookie
-		header("Location: " . $settings->_httpRoot . "out/out.Login.php?referuri=".$refer);
+		if(!$isajax)
+			header("Location: " . $settings->_httpRoot . "out/out.Login.php?referuri=".$refer);
 		exit;
 	}
 }
@@ -73,13 +82,16 @@ if((int)$resArr['lastAccess']+60 < time())
 $user = $dms->getUser($resArr["userID"]);
 if (!is_object($user)) {
 	setcookie("mydms_session", $dms_session, time()-3600, $settings->_httpRoot); //delete cookie
-	header("Location: " . $settings->_httpRoot . "out/out.Login.php?referuri=".$refer);
+	if(!$isajax)
+		header("Location: " . $settings->_httpRoot . "out/out.Login.php?referuri=".$refer);
 	exit;
 }
 
-if($user->isAdmin()) {
-	if($resArr["su"]) {
-		$user = $dms->getUser($resArr["su"]);
+$origuser = null;
+if($resArr["su"] && $su = $dms->getUser($resArr["su"])) {
+	if($user->isAdmin() || $user->maySwitchToUser($su)) {
+		$origuser = $user;
+		$user = $su;
 	} else {
 	//	$session->resetSu();
 	}
@@ -92,6 +104,8 @@ if($settings->_useHomeAsRootFolder && !$user->isAdmin() && $user->getHomeFolder(
 	$dms->checkWithinRootDir = true;
 	$dms->setRootFolderID($user->getHomeFolder());
 }
+$role = $user->getRole();
+$dms->noReadForStatus = $role->getNoAccess();
 
 /* Include additional language file for view
  * This file must set $LANG[xx][]
@@ -100,13 +114,17 @@ if(file_exists($settings->_rootDir . "view/".$theme."/languages/" . $lang . "/la
 	include $settings->_rootDir . "view/".$theme."/languages/" . $lang . "/lang.inc";
 }
 
+/* if this is a ajax call, then exit early as the rest of the script is irrelevant */
+if($isajax)
+	return;
+
 /* Check if password needs to be changed because it expired. If it needs
  * to be changed redirect to out/out.ForcePasswordChange.php. Do this
  * check only if password expiration is turned on, we are not on the
  * page to change the password or the page that changes the password, the
  * current user is not admin, and no user substitution has occured. */
 
-if (!$user->isAdmin() && !$resArr['su']) {
+if (!$user->isAdmin() && $origuser == null) {
 	if($settings->_passwordExpiration > 0) {
 		if(basename($_SERVER['SCRIPT_NAME']) != 'out.ForcePasswordChange.php' && basename($_SERVER['SCRIPT_NAME']) != 'op.EditUserData.php' && basename($_SERVER['SCRIPT_NAME']) != 'op.Logout.php') {
 			$pwdexp = $user->getPwdExpiration();
@@ -121,6 +139,17 @@ if (!$user->isAdmin() && !$resArr['su']) {
 	}
 }
 
+/* Check if secret is set for 2-factor authentication. Redirect to Setup2Factor.php
+ * if secret is not set and 2-factor authentication is turned on. Also check if
+ * already on the page Setup2Factor.php and no user substiation has occured.
+ */
+if($settings->_enable2FactorAuthentication && $settings->_guestID != $user->getID() && $settings->_autoLoginUser != $user->getID() && $origuser == null && $user->getSecret() == '') {
+	if(basename($_SERVER['SCRIPT_NAME']) != 'out.Setup2Factor.php' && basename($_SERVER['SCRIPT_NAME']) != 'op.Setup2Factor.php') {
+		header("Location: ../out/out.Setup2Factor.php");
+		exit;
+	}
+}
+
 /* Update cookie lifetime */
 if($settings->_cookieLifetime) {
 	$lifetime = time() + intval($settings->_cookieLifetime);

inc/inc.BasicAuthentication.php

@@ -0,0 +1,41 @@
+<?php
+/**
+ * Do authentication of users and session management
+ *
+ * @category   DMS
+ * @package    SeedDMS
+ * @license    GPL 2
+ * @version    @version@
+ * @author     Markus Westphal, Malcolm Cowe, Uwe Steinmann <uwe@steinmann.cx>
+ * @copyright  Copyright (C) 2002-2005 Markus Westphal,
+ *             2006-2008 Malcolm Cowe, 2010 Uwe Steinmann
+ * @version    Release: @package_version@
+ */
+
+require_once("inc.Utils.php");
+require_once("inc.ClassNotificationService.php");
+require_once("inc.ClassEmailNotify.php");
+require_once("inc.ClassSession.php");
+require_once("inc.ClassAccessOperation.php");
+
+if (!isset($_SERVER['PHP_AUTH_USER'])) {
+	header('WWW-Authenticate: Basic realm="'.$settings->_siteName.'"');
+	header('HTTP/1.0 401 Unauthorized');
+	echo getMLText('cancel_basic_authentication');
+	exit;
+} else {
+	if(!($user = $authenticator->authenticate($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']))) {
+		header('WWW-Authenticate: Basic realm="'.$settings->_siteName.'"');
+		header('HTTP/1.0 401 Unauthorized');
+		echo getMLText('cancel_basic_authentication');
+		exit;
+	}
+}
+
+/* Clear login failures if login was successful */
+$user->clearLoginFailures();
+
+$dms->setUser($user);
+
+require_once('inc/inc.Notification.php');
+

inc/inc.ClassAccessOperation.php

@@ -11,6 +11,8 @@
  * @version    Release: @package_version@
  */
 
+require_once "inc.ClassAcl.php";
+
 /**
  * Class to check certain access restrictions
  *
@@ -27,33 +29,32 @@ class SeedDMS_AccessOperation {
 	 */
 	private $dms;
 
-	/**
-	 * @var object $obj object being accessed
-	 * @access protected
-	 */
-	private $obj;
-
 	/**
 	 * @var object $user user requesting the access
 	 * @access protected
 	 */
-	private $user;
+	protected $user;
 
 	/**
 	 * @var object $settings SeedDMS Settings
 	 * @access protected
 	 */
-	private $settings;
+	protected $settings;
 
 	/**
-	 * @var array $legacy_access list of objects with access
+	 * @var object $aro access request object for caching
+	 * @access protected
+	 */
+	private $_aro;
+
+	/**
+	 * @var array $legacy_access list of objects with access use for view and controller
 	 * @access protected
 	 */
 	private $legacy_access;
 
-	function __construct($dms, $obj, $user, $settings) { /* {{{ */
+	function __construct($dms, $user, $settings) { /* {{{ */
 		$this->dms = $dms;
-		$this->obj = $obj;
 		$this->user = $user;
 		$this->settings = $settings;
 		$this->legacy_access['guest'] = array(
@@ -163,15 +164,15 @@ class SeedDMS_AccessOperation {
 	 * document may delete versions. The admin may even delete a version
 	 * even if is disallowed in the settings.
 	 */
-	function mayEditVersion($vno=0) { /* {{{ */
-		if($this->obj->isType('document')) {
+	function mayEditVersion($document, $vno=0) { /* {{{ */
+		if($document->isType('document')) {
 			if($vno)
-				$version = $this->obj->getContentByVersion($vno);
+				$version = $document->getContentByVersion($vno);
 			else
-				$version = $this->obj->getLatestContent();
+				$version = $document->getLatestContent();
 			if (!isset($this->settings->_editOnlineFileTypes) || !is_array($this->settings->_editOnlineFileTypes) || (!in_array(strtolower($version->getFileType()), $this->settings->_editOnlineFileTypes) && !in_array(strtolower($version->getMimeType()), $this->settings->_editOnlineFileTypes)))
 				return false;
-			if ($this->obj->getAccessMode($this->user) == M_ALL || $this->user->isAdmin()) {
+			if ($document->getAccessMode($this->user) == M_ALL || $this->user->isAdmin()) {
 				return true;
 			}
 		}
@@ -187,10 +188,10 @@ class SeedDMS_AccessOperation {
 	 * document may delete versions. The admin may even delete a version
 	 * even if is disallowed in the settings.
 	 */
-	function mayRemoveVersion() { /* {{{ */
-		if($this->obj->isType('document')) {
-			$versions = $this->obj->getContent();
-			if ((($this->settings->_enableVersionDeletion && ($this->obj->getAccessMode($this->user, 'removeVersion') == M_ALL)) || $this->user->isAdmin() ) && (count($versions) > 1)) {
+	function mayRemoveVersion($document) { /* {{{ */
+		if($document->isType('document')) {
+			$versions = $document->getContent();
+			if ((($this->settings->_enableVersionDeletion && ($document->getAccessMode($this->user, 'removeVersion') == M_ALL)) || $this->user->isAdmin() ) && (count($versions) > 1)) {
 				return true;
 			}
 		}
@@ -207,11 +208,11 @@ class SeedDMS_AccessOperation {
 	 * The admin may even modify the status
 	 * even if is disallowed in the settings.
 	 */
-	function mayOverwriteStatus() { /* {{{ */
-		if($this->obj->isType('document')) {
-			if($latestContent = $this->obj->getLatestContent()) {
+	function mayOverrideStatus($document) { /* {{{ */
+		if($document->isType('document')) {
+			if($latestContent = $document->getLatestContent()) {
 				$status = $latestContent->getStatus();
-				if ((($this->settings->_enableVersionModification && ($this->obj->getAccessMode($this->user) == M_ALL)) || $this->user->isAdmin()) && ($status["status"]==S_RELEASED || $status["status"]==S_OBSOLETE )) {
+				if ((($this->settings->_enableVersionModification && ($document->getAccessMode($this->user) == M_ALL)) || $this->user->isAdmin()) && ($status["status"]==S_DRAFT || $status["status"]==S_RELEASED || $status["status"]==S_REJECTED || $status["status"]==S_OBSOLETE || $status["status"]==S_NEEDS_CORRECTION)) {
 					return true;
 				}
 			}
@@ -226,12 +227,13 @@ class SeedDMS_AccessOperation {
 	 * reviewers/approvers is only allowed if version modification is turned on
 	 * in the settings and the document has not been reviewed/approved by any
 	 * user/group already.
-	 * The admin may even set reviewers/approvers if is disallowed in the
-	 * settings.
+	 * The admin may even set reviewers/approvers after the review/approval
+	 * process has been started, but only if _allowChangeRevAppInProcess
+	 * explicitly allows it.
 	 */
-	function maySetReviewersApprovers() { /* {{{ */
-		if($this->obj->isType('document')) {
-			if($latestContent = $this->obj->getLatestContent()) {
+	function maySetReviewersApprovers($document) { /* {{{ */
+		if($document->isType('document')) {
+			if($latestContent = $document->getLatestContent()) {
 				$status = $latestContent->getStatus();
 				$reviewstatus = $latestContent->getReviewStatus();
 				$hasreview = false;
@@ -245,7 +247,49 @@ class SeedDMS_AccessOperation {
 					if($r['status'] == 1 || $r['status'] == -1)
 						$hasapproval = true;
 				}
-				if ((($this->settings->_enableVersionModification && ($this->obj->getAccessMode($this->user) == M_ALL)) || $this->user->isAdmin()) && (($status["status"]==S_DRAFT_REV && !$hasreview) || ($status["status"]==S_DRAFT_APP && !$hasreview && !$hasapproval))) {
+				if ((($this->settings->_enableVersionModification && ($document->getAccessMode($this->user) == M_ALL)) || $this->user->isAdmin()) && (($status["status"]==S_DRAFT_REV && (!$hasreview || ($this->user->isAdmin() && $this->settings->_allowChangeRevAppInProcess))) || ($status["status"]==S_DRAFT_APP && ((!$hasreview && !$hasapproval) || ($this->user->isAdmin() && $this->settings->_allowChangeRevAppInProcess))) || $status["status"]==S_DRAFT)) {
+					return true;
+				}
+			}
+		}
+		return false;
+	} /* }}} */
+
+	/**
+	 * Check if recipients may be edited
+	 *
+	 * This check can only be done for documents. Setting the document
+	 * recipients is only allowed if version modification is turned on
+	 * in the settings.  The
+	 * admin may even set recipients if is disallowed in the
+	 * settings.
+	 */
+	function maySetRecipients($document) { /* {{{ */
+		if($document->isType('document')) {
+			if($latestContent = $document->getLatestContent()) {
+				$status = $latestContent->getStatus();
+				if (($this->settings->_enableVersionModification && ($document->getAccessMode($this->user) >= M_READWRITE)) || $this->user->isAdmin()) {
+					return true;
+				}
+			}
+		}
+		return false;
+	} /* }}} */
+
+	/**
+	 * Check if revisors may be edited
+	 *
+	 * This check can only be done for documents. Setting the document
+	 * revisors is only allowed if version modification is turned on
+	 * in the settings.  The
+	 * admin may even set revisors if is disallowed in the
+	 * settings.
+	 */
+	function maySetRevisors($document) { /* {{{ */
+		if($document->isType('document')) {
+			if($latestContent = $document->getLatestContent()) {
+				$status = $latestContent->getStatus();
+				if ((($this->settings->_enableVersionModification && ($document->getAccessMode($this->user) == M_ALL)) || $this->user->isAdmin()) && ($status["status"]==S_RELEASED || $status["status"]==S_IN_REVISION)) {
 					return true;
 				}
 			}
@@ -262,12 +306,12 @@ class SeedDMS_AccessOperation {
 	 * admin may even set the workflow if is disallowed in the
 	 * settings.
 	 */
-	function maySetWorkflow() { /* {{{ */
-		if($this->obj->isType('document')) {
-			if($latestContent = $this->obj->getLatestContent()) {
+	function maySetWorkflow($document) { /* {{{ */
+		if($document->isType('document')) {
+			if($latestContent = $document->getLatestContent()) {
 				$workflow = $latestContent->getWorkflow();
 				$workflowstate = $latestContent->getWorkflowState();
-				if ((($this->settings->_enableVersionModification && ($this->obj->getAccessMode($this->user) == M_ALL)) || $this->user->isAdmin()) && (!$workflow || ($workflowstate && ($workflow->getInitState()->getID() == $workflowstate->getID())))) {
+				if ((($this->settings->_enableVersionModification && ($document->getAccessMode($this->user) == M_ALL)) || $this->user->isAdmin()) && (!$workflow || ($workflowstate && ($workflow->getInitState()->getID() == $workflowstate->getID())))) {
 					return true;
 				}
 			}
@@ -281,11 +325,11 @@ class SeedDMS_AccessOperation {
 	 * This check can only be done for documents. Setting the documents
 	 * expiration date is only allowed if the document has not been obsoleted.
 	 */
-	function maySetExpires() { /* {{{ */
-		if($this->obj->isType('document')) {
-			if($latestContent = $this->obj->getLatestContent()) {
+	function maySetExpires($document) { /* {{{ */
+		if($document->isType('document')) {
+			if($latestContent = $document->getLatestContent()) {
 				$status = $latestContent->getStatus();
-				if ((($this->obj->getAccessMode($this->user) == M_ALL) || $this->user->isAdmin()) && ($status["status"]!=S_OBSOLETE)) {
+				if ((($document->getAccessMode($this->user) >= M_READWRITE) || $this->user->isAdmin()) && ($status["status"]!=S_OBSOLETE)) {
 					return true;
 				}
 			}
@@ -302,17 +346,17 @@ class SeedDMS_AccessOperation {
 	 * The admin may set the comment even if is
 	 * disallowed in the settings.
 	 */
-	function mayEditComment() { /* {{{ */
-		if($this->obj->isType('document')) {
-			if($this->obj->getAccessMode($this->user) < M_READWRITE)
+	function mayEditComment($document) { /* {{{ */
+		if($document->isType('document')) {
+			if($document->getAccessMode($this->user) < M_READWRITE)
 				return false;
-			if($this->obj->isLocked()) {
-				$lockingUser = $this->obj->getLockingUser();
-				if (($lockingUser->getID() != $this->user->getID()) && ($this->obj->getAccessMode($this->user) != M_ALL)) {
+			if($document->isLocked()) {
+				$lockingUser = $document->getLockingUser();
+				if (($lockingUser->getID() != $this->user->getID()) && ($document->getAccessMode($this->user) != M_ALL)) {
 					return false;
 				}
 			}
-			if($latestContent = $this->obj->getLatestContent()) {
+			if($latestContent = $document->getLatestContent()) {
 				$status = $latestContent->getStatus();
 				if (($this->settings->_enableVersionModification || $this->user->isAdmin()) && !in_array($status["status"], array(S_OBSOLETE, S_EXPIRED))) {
 					return true;
@@ -330,15 +374,15 @@ class SeedDMS_AccessOperation {
 	 * the settings or the document is still in an approval/review
 	 * or intial workflow step.
 	 */
-	function mayEditAttributes() { /* {{{ */
-		if($this->obj->isType('document')) {
-			if($latestContent = $this->obj->getLatestContent()) {
+	function mayEditAttributes($document) { /* {{{ */
+		if($document->isType('document')) {
+			if($latestContent = $document->getLatestContent()) {
 				$status = $latestContent->getStatus();
 				$workflow = $latestContent->getWorkflow();
 				$workflowstate = $latestContent->getWorkflowState();
-				if($this->obj->getAccessMode($this->user) < M_READWRITE)
+				if($document->getAccessMode($this->user) < M_READWRITE)
 					return false;
-				if ($this->settings->_enableVersionModification || in_array($status["status"], array(S_DRAFT_REV, S_DRAFT_APP)) || ($workflow && $workflowstate && $workflow->getInitState()->getID() == $workflowstate->getID())) {
+				if ($this->settings->_enableVersionModification || in_array($status["status"], array(S_DRAFT_REV, S_DRAFT_APP, S_IN_REVISION)) || ($workflow && $workflowstate && $workflow->getInitState()->getID() == $workflowstate->getID())) {
 					return true;
 				}
 			}
@@ -353,11 +397,11 @@ class SeedDMS_AccessOperation {
 	 * review. There are other requirements which are not taken into
 	 * account here.
 	 */
-	function mayReview() { /* {{{ */
-		if($this->obj->isType('document')) {
-			if($latestContent = $this->obj->getLatestContent()) {
+	function mayReview($document) { /* {{{ */
+		if($document->isType('document')) {
+			if($latestContent = $document->getLatestContent()) {
 				$status = $latestContent->getStatus();
-				if ($status["status"]==S_DRAFT_REV) {
+				if ($document->getAccessMode($this->user) >= M_READ && $status["status"]==S_DRAFT_REV) {
 					return true;
 				}
 			}
@@ -371,9 +415,24 @@ class SeedDMS_AccessOperation {
 	 * A review may only be updated by the user who originaly addedd the
 	 * review and if it is allowed in the settings
 	 */
-	function mayUpdateReview($updateUser) { /* {{{ */
-		if($this->obj->isType('document')) {
-			if($this->settings->_enableUpdateRevApp && ($updateUser == $this->user) && !$this->obj->hasExpired()) {
+	function mayUpdateReview($document, $updateUser) { /* {{{ */
+		if($document->isType('document')) {
+			if($this->settings->_enableUpdateRevApp && ($updateUser == $this->user) && $document->getAccessMode($this->user) >= M_READ && !$document->hasExpired()) {
+				return true;
+			}
+		}
+		return false;
+	} /* }}} */
+
+	/**
+	 * Check if a approval maybe edited
+	 *
+	 * An approval may only be updated by the user who originaly addedd the
+	 * approval and if it is allowed in the settings
+	 */
+	function mayUpdateApproval($document, $updateUser) { /* {{{ */
+		if($document->isType('document')) {
+			if($this->settings->_enableUpdateRevApp && ($updateUser == $this->user) && $document->getAccessMode($this->user) >= M_READ && !$document->hasExpired()) {
 				return true;
 			}
 		}
@@ -389,11 +448,11 @@ class SeedDMS_AccessOperation {
 	 * There are other requirements which are not taken into
 	 * account here.
 	 */
-	function mayApprove() { /* {{{ */
-		if($this->obj->isType('document')) {
-			if($latestContent = $this->obj->getLatestContent()) {
+	function mayApprove($document) { /* {{{ */
+		if($document->isType('document')) {
+			if($latestContent = $document->getLatestContent()) {
 				$status = $latestContent->getStatus();
-				if ($status["status"]==S_DRAFT_APP) {
+				if ($document->getAccessMode($this->user) >= M_READ && $status["status"]==S_DRAFT_APP) {
 					return true;
 				}
 			}
@@ -402,14 +461,70 @@ class SeedDMS_AccessOperation {
 	} /* }}} */
 
 	/**
-	 * Check if a approval maybe edited
+	 * Check if document content may be receipted
 	 *
-	 * An approval may only be updated by the user who originaly addedd the
-	 * approval and if it is allowed in the settings
+	 * Reviewing a document content is only allowed if the document was not
+	 * obsoleted. There are other requirements which are not taken into
+	 * account here.
 	 */
-	function mayUpdateApproval($updateUser) { /* {{{ */
-		if($this->obj->isType('document')) {
-			if($this->settings->_enableUpdateRevApp && ($updateUser == $this->user) && !$this->obj->hasExpired()) {
+	function mayReceipt($document) { /* {{{ */
+		if($document->isType('document')) {
+			if($latestContent = $document->getLatestContent()) {
+				$status = $latestContent->getStatus();
+				if ($document->getAccessMode($this->user) >= M_READ && $status["status"]==S_RELEASED) {
+					return true;
+				}
+			}
+		}
+		return false;
+	} /* }}} */
+
+	/**
+	 * Check if a review maybe edited
+	 *
+	 * A review may only be updated by the user who originaly addedd the
+	 * review and if it is allowed in the settings
+	 */
+	function mayUpdateReceipt($document, $updateUser) { /* {{{ */
+		if($document->isType('document')) {
+			if($this->settings->_enableUpdateReceipt && ($updateUser == $this->user) && $document->getAccessMode($this->user) >= M_READ && !$document->hasExpired()) {
+				return true;
+			}
+		}
+		return false;
+	} /* }}} */
+
+	/**
+	 * Check if document content may be revised
+	 *
+	 * Revising a document content is only allowed if the document was not
+	 * obsoleted. There may be other requirements which are not taken into
+	 * account here.
+	 */
+	function mayRevise($document) { /* {{{ */
+		if($document->isType('document')) {
+			if($latestContent = $document->getLatestContent()) {
+				$status = $latestContent->getStatus();
+				if ($document->getAccessMode($this->user) >= M_READ && $status["status"]!=S_OBSOLETE) {
+					return true;
+				}
+			}
+		}
+		return false;
+	} /* }}} */
+
+	/**
+	 * Check if document content may be checked in
+	 *
+	 *
+	 */
+	function mayCheckIn($document) { /* {{{ */
+		if($document->isType('document')) {
+			$checkoutinfo = $document->getCheckOutInfo();
+			if(!$checkoutinfo)
+				return false;
+			$info = $checkoutinfo[0];
+			if($this->user->getID() == $info['userID'] || $document->getAccessMode($this->user) == M_ALL) {
 				return true;
 			}
 		}
@@ -448,11 +563,44 @@ class SeedDMS_AccessOperation {
 		return false;
 	} /* }}} */
 
+	protected function check_controller_legacy_access($controller, $get=array()) { /* {{{ */
+		if($this->user->isAdmin())
+			return true;
+
+		if(is_string($controller)) {
+			$scripts = array($controller);
+		} elseif(is_array($controller)) {
+			$scripts = $controller;
+		} elseif(is_subclass_of($controller, 'SeedDMS_Controller_Common')) {
+			$scripts = array($controller->getParam('class'));
+		} else {
+			return false;
+		}
+
+		if($this->user->isGuest()) {
+			$user_allowed = $this->legacy_access['guest'];
+		} else {
+			$user_allowed = $this->legacy_access['user'];
+		}
+
+		if(array_intersect($scripts, $user_allowed))
+			return true;
+
+		return false;
+	} /* }}} */
+
 	/**
 	 * Check for access permission on view
 	 *
-	 * This function will always return true because it was added to smooth
-	 * migration from 5.1.x to 6.0.x
+	 * If the parameter $view is an array then each element is considered the
+	 * name of a view and true will be returned if one of them is accessible.
+	 * Whether access is allowed also depends on the currently logged in user
+	 * stored in the view object. If the user is an admin the access 
+	 * on a view must be explicitly disallowed. For regular users the access
+	 * must be explicitly allowed.
+	 *
+	 * If advanced access control is turn off, this function will always return
+	 * true for admins and false for other users.
 	 *
 	 * @param mixed $view Instanz of view, name of view or array of view names
 	 * @param string $get query parameters possible containing the element 'action'
@@ -460,20 +608,79 @@ class SeedDMS_AccessOperation {
 	 * no specific access right is set, otherwise false
 	 */
 	function check_view_access($view, $get=array()) { /* {{{ */
-		return $this->check_view_legacy_access($view, $get);
+		if(!$this->settings->_advancedAcl) {
+			return $this->check_view_legacy_access($view, $get);
+		}
+		if(is_string($view)) {
+			$scripts = array($view);
+		} elseif(is_array($view)) {
+			$scripts = $view;
+		} elseif(is_subclass_of($view, 'SeedDMS_View_Common')) {
+			$scripts = array($view->getParam('class'));
+		} else {
+			return false;
+		}
+		$scope = 'Views';
+		$action = (isset($get['action']) && $get['action']) ? $get['action'] : 'show';
+		$acl = new SeedDMS_Acl($this->dms);
+		if(!$this->_aro)
+			$this->_aro = SeedDMS_Aro::getInstance($this->user->getRole(), $this->dms);
+		foreach($scripts as $script) {
+			$aco = SeedDMS_Aco::getInstance($scope.'/'.$script.'/'.$action, $this->dms);
+			$ll = $acl->check($this->_aro, $aco);
+			if($ll === 1 && !$this->user->isAdmin() || $ll !== -1 && $this->user->isAdmin())
+				return true;
+		}
+		return false;
 	} /* }}} */
 
 	/**
 	 * Check for access permission on controller
 	 *
-	 * This function will always return true because it was added to smooth
-	 * migration from 5.1.x to 6.0.x
+	 * If the parameter $controller is an array then each element is considered the
+	 * name of a controller and true will be returned if one is accesible.
+	 * If advanced access controll is turn off, this function will return false
+	 * for guest users and true otherwise.
 	 *
 	 * @param mixed $controller Instanz of controller, name of controller or array of controller names
 	 * @param string $get query parameters
 	 * @return boolean true if access is allowed otherwise false
 	 */
 	function check_controller_access($controller, $get=array()) { /* {{{ */
-		return true;
+		if(!$this->settings->_advancedAcl) {
+			return $this->check_controller_legacy_access($controller, $get);
+			/*
+			if($this->user->isGuest())
+				return false;
+			elseif($this->user->isAdmin())
+				return true;
+			else {
+				if($controller == 'AddDocument' && isset($get['action']) && $get['action'] == 'setOwner')
+					return false;
+				return true;
+			}
+			 */
+		}
+		if(is_string($controller)) {
+			$scripts = array($controller);
+		} elseif(is_array($controller)) {
+			$scripts = $controller;
+		} elseif(is_subclass_of($controller, 'SeedDMS_Controller_Common')) {
+			$scripts = array($controller->getParam('class'));
+		} else {
+			return false;
+		}
+		$scope = 'Controllers';
+		$action = (isset($get['action']) && $get['action']) ? $get['action'] : 'run';
+		$acl = new SeedDMS_Acl($this->dms);
+		if(!$this->_aro)
+			$this->_aro = SeedDMS_Aro::getInstance($this->user->getRole(), $this->dms);
+		foreach($scripts as $script) {
+			$aco = SeedDMS_Aco::getInstance($scope.'/'.$script.'/'.$action, $this->dms);
+			$ll = $acl->check($this->_aro, $aco);
+			if($ll === 1 && !$this->user->isAdmin() || $ll !== -1 && $this->user->isAdmin())
+				return true;
+		}
+		return false;
 	} /* }}} */
 }

inc/inc.ClassAcl.php

@@ -0,0 +1,390 @@
+<?php
+/**
+ * Implementation of a access control list.
+ *
+ * SeedDMS uses access control list for setting permission,
+ * on various operations.
+ *
+ * @category   DMS
+ * @package    SeedDMS
+ * @license    GPL 2
+ * @version    @version@
+ * @author     Uwe Steinmann <uwe@steinmann.cx>
+ * @copyright  2016 Uwe Steinmann
+ * @version    Release: @package_version@
+ */
+
+/**
+ * Class to represent an access request object
+ *
+ * This class provides a model for access request objects.
+ *
+ * @category   DMS
+ * @package    SeedDMS
+ * @author     Uwe Steinmann <uwe@steinmann.cx>
+ * @copyright  2016 Uwe Steinmann
+ * @version    Release: @package_version@
+ */
+class SeedDMS_Acl { /* {{{ */
+	/**
+	 * @var object $dms reference to dms object.
+	 * @access public
+	 */
+	public $_dms;
+
+	/**
+	 * Create a new instance of an acl
+	 *
+	 * @param object $dms object of dms
+	 * @return object instance of SeedDMS_Acl
+	 */
+	public function __construct($dms) { /* {{{ */
+		$this->_dms = $dms;
+	} /* }}} */
+
+	/**
+	 * Check if Aro has access on Aco
+	 *
+	 * @param object $aro access request object
+	 * @param object $aco access control object
+	 * @return integer/boolean -1 if access is explictly denied, 1 if access
+	 * is explictly allow, 0 if no access restrictions exists, false if
+	 * an error occured.
+	 */
+	public function check($aro, $aco) { /* {{{ */
+		$db = $this->_dms->getDB();
+
+		while($aco) {
+			$acoid = $aco->getID();
+			$queryStr = "SELECT * FROM `tblArosAcos` WHERE `aro`=".$aro->getID()." AND `aco`=".$acoid;
+			$resArr = $db->getResultArray($queryStr);
+			if (is_bool($resArr) && $resArr === false)
+				return false;
+			if (count($resArr) == 1)
+				return((int) $resArr[0]['read']);
+
+			$aco = $aco->getParent();
+		}
+
+		return 0;
+	} /* }}} */
+
+	public function toggle($aro, $aco) { /* {{{ */
+		$db = $this->_dms->getDB();
+		$queryStr = "SELECT * FROM `tblArosAcos` WHERE `aro`=".$aro->getID()." AND `aco`=".$aco->getID();
+		$resArr = $db->getResultArray($queryStr);
+		if (is_bool($resArr) && $resArr === false)
+			return false;
+		if (count($resArr) != 1)
+			return false;
+		$resArr = $resArr[0];
+
+		$newperm = $resArr['read'] == 1 ? -1 : 1;
+		$queryStr = "UPDATE `tblArosAcos` SET `read`=".$newperm." WHERE `aro`=".$aro->getID()." AND `aco`=".$aco->getID();
+		if (!$db->getResult($queryStr))
+			return false;
+		return true;
+
+	} /* }}} */
+
+	public function add($aro, $aco, $perm=-1) { /* {{{ */
+		$db = $this->_dms->getDB();
+		$queryStr = "SELECT * FROM `tblArosAcos` WHERE `aro`=".$aro->getID()." AND `aco`=".$aco->getID();
+		$resArr = $db->getResultArray($queryStr);
+		if (is_bool($resArr) && $resArr === false)
+			return false;
+		if (count($resArr) == 1) {
+			$resArr = $resArr[0];
+
+			$newperm = $resArr['read'] == 1 ? -1 : 1;
+			$queryStr = "UPDATE `tblArosAcos` SET `read`=".$newperm." WHERE `aro`=".$aro->getID()." AND `aco`=".$aco->getID();
+			if (!$db->getResult($queryStr))
+				return false;
+		} else {
+			$queryStr = "INSERT INTO `tblArosAcos` (`aro`, `aco`, `read`) VALUES (".$aro->getID().", ".$aco->getID().", ".$perm.")";
+			if (!$db->getResult($queryStr))
+				return false;
+		}
+		return true;
+
+	} /* }}} */
+
+	public function remove($aro, $aco) { /* {{{ */
+		$db = $this->_dms->getDB();
+		$queryStr = "DELETE FROM `tblArosAcos` WHERE `aro`=".$aro->getID()." AND `aco`=".$aco->getID();
+		if (!$db->getResult($queryStr))
+			return false;
+		return true;
+	} /* }}} */
+} /* }}} */
+
+/**
+ * Class to represent an access request/controll object
+ *
+ * This class provides a model for access request/controll objects.
+ *
+ * @category   DMS
+ * @package    SeedDMS
+ * @author     Uwe Steinmann <uwe@steinmann.cx>
+ * @copyright  2016 Uwe Steinmann
+ * @version    Release: @package_version@
+ */
+class SeedDMS_AroAco { /* {{{ */
+	/**
+	 * @var object $dms reference to dms object.
+	 * @access protected
+	 */
+	public $_dms;
+
+	/**
+	 * @var integer id of access request object
+	 */
+	protected $_id;
+
+	/**
+	 * @var integer id of parent of access request object
+	 */
+	protected $_parent;
+
+	/**
+	 * @var string alias of access request object
+	 */
+	protected $_alias;
+
+	/**
+	 * @var object object of access request object
+	 */
+	protected $_object;
+
+	/**
+	 * Create a new instance of an aro
+	 *
+	 * @param object $dms object of dms
+	 * @return object instance of SeedDMS_Aco
+	 */
+	function __construct($dms, $id, $parent, $object, $alias) { /* {{{ */
+		$this->_dms = $dms;
+		$this->_id = $id;
+		$this->_parent = $parent;
+		$this->_object = $object;
+		$this->_alias = $alias;
+	} /* }}} */
+
+	public function setDMS($dms) { /* {{{ */
+		$this->_dms = $dms;
+	} /* }}} */
+
+	public function getDMS() { /* {{{ */
+		return($this->_dms);
+	} /* }}} */
+
+	public function getID() { /* {{{ */
+		return $this->_id;
+	} /* }}} */
+
+	public function getAlias() { /* {{{ */
+		return $this->_alias;
+	} /* }}} */
+
+	public function getObject() { /* {{{ */
+		return $this->_object;
+	} /* }}} */
+} /* }}} */
+
+/**
+ * Class to represent an access request object
+ *
+ * This class provides a model for access request objects.
+ *
+ * @category   DMS
+ * @package    SeedDMS
+ * @author     Uwe Steinmann <uwe@steinmann.cx>
+ * @copyright  2016 Uwe Steinmann
+ * @version    Release: @package_version@
+ */
+class SeedDMS_Aro extends SeedDMS_AroAco { /* {{{ */
+
+	/**
+	 * Create a new instance of an aro
+	 *
+	 * @param object $dms object to access the underlying database
+	 * @return object instance of SeedDMS_Aro
+	 */
+	public static function getInstance($id, $dms) { /* {{{ */
+		$db = $dms->getDB();
+		if(is_int($id)) {
+			$queryStr = "SELECT * FROM `tblAros` WHERE `id` = " . (int) $id;
+			$resArr = $db->getResultArray($queryStr);
+			if (is_bool($resArr) && $resArr === false)
+				return null;
+			if (count($resArr) != 1)
+				return null;
+			$resArr = $resArr[0];
+		} elseif(is_object($id)) {
+			if($dms->getClassname('role') == get_class($id)) {
+				$model = 'Role';
+				$queryStr = "SELECT * FROM `tblAros` WHERE `model`=".$db->qstr($model)." AND `foreignid`=".$id->getID();
+				$resArr = $db->getResultArray($queryStr);
+				if (is_bool($resArr) && $resArr === false)
+					return null;
+				if (count($resArr) == 0) {
+					$queryStr = "INSERT INTO `tblAros` (`parent`, `model`, `foreignid`) VALUES (0, ".$db->qstr($model).", ".$id->getID().")";
+					if (!$db->getResult($queryStr))
+						return null;
+					$id = $db->getInsertID();
+					$queryStr = "SELECT * FROM `tblAros` WHERE `id` = " . $id;
+					$resArr = $db->getResultArray($queryStr);
+				}
+				$resArr = $resArr[0];
+			} else {
+				return null;
+			}
+		}
+
+		if($resArr['model'] == 'Role') {
+			$classname = $dms->getClassname('role');
+			$object = $classname::getInstance($resArr['foreignid'], $dms);
+		} else {
+			$object = null;
+		}
+
+		$aro = new SeedDMS_Aro($dms, $resArr["id"], $resArr['parent'], $object, $resArr['alias']);
+		$aro->setDMS($dms);
+		return $aro;
+	} /* }}} */
+
+} /* }}} */
+
+/**
+ * Class to represent an access control object
+ *
+ * This class provides a model for access control objects.
+ *
+ * @category   DMS
+ * @package    SeedDMS
+ * @author     Uwe Steinmann <uwe@steinmann.cx>
+ * @copyright  2016 Uwe Steinmann
+ * @version    Release: @package_version@
+ */
+class SeedDMS_Aco extends SeedDMS_AroAco{ /* {{{ */
+
+	/**
+	 * Create a new instance of an aco
+	 *
+	 * @param object $dms object to access the underlying database
+	 * @return object instance of SeedDMS_Aco
+	 */
+	public static function getInstance($id, $dms) { /* {{{ */
+		$db = $dms->getDB();
+		if(is_int($id)) {
+			$queryStr = "SELECT * FROM `tblAcos` WHERE `id` = " . (int) $id;
+			$resArr = $db->getResultArray($queryStr);
+			if (is_bool($resArr) && $resArr === false)
+				return null;
+			if (count($resArr) == 0) {
+				return null;
+			}
+			$resArr = $resArr[0];
+		} elseif(is_string($id)) {
+			$tmp = explode('/', $id);
+			$parentid = 0;
+			foreach($tmp as $part) {
+				$queryStr = "SELECT * FROM `tblAcos` WHERE `alias` = " . $db->qstr($part);
+//				if($parentid)
+				$queryStr .= " AND parent=".$parentid;
+				$resArr = $db->getResultArray($queryStr);
+				if (is_bool($resArr) && $resArr === false)
+					return null;
+				if (count($resArr) == 0) {
+					$queryStr = "INSERT INTO `tblAcos` (`parent`, `alias`, `model`) VALUES (".$parentid.",".$db->qstr($part).", '')";
+					if (!$db->getResult($queryStr))
+						return null;
+					$id = $db->getInsertID();
+					$queryStr = "SELECT * FROM `tblAcos` WHERE `id` = " . $id;
+					$resArr = $db->getResultArray($queryStr);
+				}
+				$parentid = (int) $resArr[0]['id'];
+			}
+			$resArr = $resArr[0];
+		}
+
+		if($resArr['model'] == 'Document') {
+			$classname = $dms->getClassname('document');
+			$object = $classname::getInstance($resArr['foreignid'], $dms);
+		} elseif($resArr['model'] == 'Folder') {
+			$classname = $dms->getClassname('focument');
+			$object = $classname::getInstance($resArr['foreignid'], $dms);
+		} else {
+			$object = null;
+		}
+
+		$aco = new SeedDMS_Aco($dms, $resArr["id"], $resArr['parent'], $object, $resArr['alias']);
+		$aco->setDMS($dms);
+		return $aco;
+	} /* }}} */
+
+	public function getChildren() { /* {{{ */
+		$dms = $this->getDMS();
+		$db = $dms->getDB();
+		$queryStr = "SELECT * FROM `tblAcos` WHERE `parent` = ".$this->_id." ORDER BY `alias`";
+		$resArr = $db->getResultArray($queryStr);
+		if (is_bool($resArr) && $resArr === false)
+			return null;
+		if (count($resArr) == 0)
+			return null;
+
+		$acos = array();
+		foreach($resArr as $row) {
+			$aco = new SeedDMS_Aco($dms, $row["id"], $row['parent'], null, $row['alias']);
+			$aco->setDMS($dms);
+			$acos[] = $aco;
+		}
+		return $acos;
+	} /* }}} */
+
+	public function getPermission($aro) { /* {{{ */
+		if(!$aro)
+			return 0;
+		$dms = $this->getDMS();
+		$db = $dms->getDB();
+		$queryStr = "SELECT * FROM `tblArosAcos` WHERE `aro`=".$aro->getID()." AND `aco`=".$this->_id;
+		$resArr = $db->getResultArray($queryStr);
+		if (is_bool($resArr) && $resArr === false)
+			return false;
+		if (count($resArr) != 1)
+			return 0;
+		return (int) $resArr[0]['read'];
+	} /* }}} */
+
+	public static function getRoot($dms) { /* {{{ */
+		$db = $dms->getDB();
+		$queryStr = "SELECT * FROM `tblAcos` WHERE `parent` = 0 ORDER BY `alias`";
+		$resArr = $db->getResultArray($queryStr);
+		if (is_bool($resArr) && $resArr === false)
+			return null;
+
+		$acos = array();
+		foreach($resArr as $row) {
+			$aco = new SeedDMS_Aco($dms, $row["id"], $row['parent'], null, $row['alias']);
+			$aco->setDMS($dms);
+			$acos[] = $aco;
+		}
+		return $acos;
+	} /* }}} */
+
+	public function getParent() { /* {{{ */
+		$dms = $this->getDMS();
+		$db = $dms->getDB();
+		$queryStr = "SELECT * FROM `tblAcos` WHERE `id` = ".$this->_parent;
+		$resArr = $db->getResultArray($queryStr);
+		if (is_bool($resArr) && $resArr === false)
+			return null;
+		if (count($resArr) != 1)
+			return null;
+
+		$row = $resArr[0];
+		$aco = new SeedDMS_Aco($dms, $row["id"], $row['parent'], null, $row['alias']);
+		$aco->setDMS($dms);
+		return $aco;
+	} /* }}} */
+} /* }}} */

inc/inc.ClassController.php

@@ -52,6 +52,7 @@ class Controller {
 			require_once($filename);
 			$controller = new $classname($params);
 			/* Set some configuration parameters */
+			$controller->setParam('class', $class);
 			$controller->setParam('postVars', $_POST);
 			$controller->setParam('getVars', $_GET);
 			$controller->setParam('requestVars', $_REQUEST);

inc/inc.ClassControllerCommon.php

@@ -316,4 +316,26 @@ class SeedDMS_Controller_Common {
 		}
 		return false;
 	} /* }}} */
+
+	/**
+	 * Check if the access on the contoller with given name or the current
+	 * controller itself may be accessed.
+	 *
+	 * The function requires the parameter 'accessobject' to be available in the
+	 * controller, because it calls SeedDMS_AccessOperation::check_controller_access()
+	 * to check access rights. If the the optional $name is not set the
+	 * current controller is used.
+	 *
+	 * @param string|array $name name of controller or list of controller names
+	 * @return boolean true if access is allowed otherwise false
+	 */
+	protected function check_access($name='') { /* {{{ */
+		if(!$name)
+			$name = $this;
+		if(!isset($this->params['accessobject']))
+			return false;
+		$access = $this->params['accessobject']->check_controller_access($name);
+		return $access;
+	} /* }}} */
+
 }

inc/inc.ClassEmailNotify.php

@@ -120,7 +120,6 @@ class SeedDMS_EmailNotify extends SeedDMS_Notify {
 			$from = $this->from_address;
 		}
 
-
 		$body = '';
 		if(!isset($params['__skip_header__']) || !$params['__skip_header__']) {
 			if(!isset($params['__header__']))
@@ -278,10 +277,12 @@ class SeedDMS_EmailNotify extends SeedDMS_Notify {
 	 * The dispatching is now done in SeedDMS_NotificationService::toList()
 	 */
 	function toList($sender, $recipients, $subject, $message, $params=array()) { /* {{{ */
+		/*
 		if ((!is_object($sender) && strcasecmp(get_class($sender), $this->_dms->getClassname('user'))) ||
 				(!is_array($recipients) && count($recipients)==0)) {
 			return false;
 		}
+		 */
 
 		$ret = true;
 		foreach ($recipients as $recipient) {

inc/inc.ClassExtensionMgr.php

@@ -148,6 +148,10 @@ class SeedDMS_Extension_Mgr {
 		}
 	} /* }}} */
 
+	public function getRepositoryUrl() { /* {{{ */
+		return $this->reposurl;
+	} /* }}} */
+
 	private function getStreamContext() { /* {{{ */
 		if(!$this->proxyurl)
 			return null;
@@ -619,14 +623,15 @@ class SeedDMS_Extension_Mgr {
 		$result = array();
 		$vcache = array(); // keep highest version of extension
 		foreach($list as $e) {
-			if($e[0] != '#') {
-				$re = json_decode($e, true);
-				if(!isset($result[$re['name']])) {
-					$result[$re['name']] = $re;
-					$vcache[$re['name']] = $re['version'];
-				} elseif(self::cmpVersion($re['version'], $vcache[$re['name']]) > 0) {
-					$result[$re['name']] = $re;
-					$vcache[$re['name']] = $re['version'];
+			if($e[0] != '#' && trim($e)) {
+				if($re = json_decode($e, true)) {
+					if(!isset($result[$re['name']])) {
+						$result[$re['name']] = $re;
+						$vcache[$re['name']] = $re['version'];
+					} elseif(self::cmpVersion($re['version'], $vcache[$re['name']]) > 0) {
+						$result[$re['name']] = $re;
+						$vcache[$re['name']] = $re['version'];
+					}
 				}
 			}
 		}

inc/inc.ClassNotificationService.php

@@ -51,6 +51,8 @@ class SeedDMS_NotificationService {
 	const RECV_APPROVER = 4;
 	const RECV_WORKFLOW = 5;
 	const RECV_UPLOADER = 6;
+	const RECV_REVISOR = 7;
+	const RECV_RECIPIENT = 8;
 
 	public function __construct($logger = null, $settings = null) { /* {{{ */
 		$this->services = array();
@@ -1175,6 +1177,80 @@ class SeedDMS_NotificationService {
 			$this->toIndividual($user, $content->getUser(), $subject, $message, $params, SeedDMS_NotificationService::RECV_UPLOADER);
 	} /* }}} */
 
+	public function sendSubmittedReceiptMail($content, $user, $receiptlog) { /* {{{ */
+		$document = $content->getDocument();
+		$nl=$document->getNotifyList();
+		$folder = $document->getFolder();
+		$subject = "receipt_submit_email_subject";
+		$message = "receipt_submit_email_body";
+		$params = array();
+		$params['name'] = $document->getName();
+		$params['document_id'] = $document->getId();
+		$params['version'] = $content->getVersion();
+		$params['folder_path'] = $folder->getFolderPathPlain();
+		$params['status'] = getReceiptStatusText($receiptlog["status"]);
+		$params['comment'] = $receiptlog['comment'];
+		$params['username'] = $user->getFullName();
+		$params['url'] = getBaseUrl().$this->settings->_httpRoot."out/out.ViewDocument.php?documentid=".$document->getID();
+		$params['sitename'] = $this->settings->_siteName;
+		$params['http_root'] = $this->settings->_httpRoot;
+		$this->toList($user, $nl["users"], $subject, $message, $params, SeedDMS_NotificationService::RECV_NOTIFICATION);
+		foreach ($nl["groups"] as $grp) {
+			$this->toGroup($user, $grp, $subject, $message, $params, SeedDMS_NotificationService::RECV_NOTIFICATION);
+		}
+		/* Send mail to owner only if the currently logged in user is not the
+		 * owner and the owner is not already in the list of notifiers.
+		 */
+		/*
+		if($user->getID() != $document->getOwner()->getID() && false === SeedDMS_Core_DMS::inList($document->getOwner(), $nl['users']))
+			$this->toIndividual($user, $document->getOwner(), $subject, $message, $params, SeedDMS_NotificationService::RECV_OWNER);
+		 */
+
+		/* Send mail to uploader of version only if the uploader is not the owner and
+		 * the currently logged in user is not the
+		 * owner and the owner is not already in the list of notifiers.
+		 */
+		if($user->getID() != $content->getUser()->getID() /* && $content->getUser()->getID() != $document->getOwner()->getID() */ && false === SeedDMS_Core_DMS::inList($content->getUser(), $nl['users']))
+			$this->toIndividual($user, $content->getUser(), $subject, $message, $params, SeedDMS_NotificationService::RECV_UPLOADER);
+	} /* }}} */
+
+	public function sendSubmittedRevisionMail($content, $user, $revisionlog) { /* {{{ */
+		$document = $content->getDocument();
+		$nl=$document->getNotifyList();
+		$folder = $document->getFolder();
+		$subject = "revision_submit_email_subject";
+		$message = "revision_submit_email_body";
+		$params = array();
+		$params['name'] = $document->getName();
+		$params['document_id'] = $document->getId();
+		$params['version'] = $content->getVersion();
+		$params['folder_path'] = $folder->getFolderPathPlain();
+		$params['status'] = getRevisionStatusText($revisionlog["status"]);
+		$params['comment'] = $revisionlog['comment'];
+		$params['username'] = $user->getFullName();
+		$params['url'] = getBaseUrl().$this->settings->_httpRoot."out/out.ViewDocument.php?documentid=".$document->getID();
+		$params['sitename'] = $this->settings->_siteName;
+		$params['http_root'] = $this->settings->_httpRoot;
+		$this->toList($user, $nl["users"], $subject, $message, $params, SeedDMS_NotificationService::RECV_NOTIFICATION);
+		foreach ($nl["groups"] as $grp) {
+			$this->toGroup($user, $grp, $subject, $message, $params, SeedDMS_NotificationService::RECV_NOTIFICATION);
+		}
+		/* Send mail to owner only if the currently logged in user is not the
+		 * owner and the owner is not already in the list of notifiers.
+		 */
+		/*
+		if($user->getID() != $document->getOwner()->getID() && false === SeedDMS_Core_DMS::inList($document->getOwner(), $nl['users']))
+			$this->toIndividual($user, $document->getOwner(), $subject, $message, $params, SeedDMS_NotificationService::RECV_OWNER);
+		 */
+
+		/* Send mail to uploader of version only if the uploader is not the owner and
+		 * the currently logged in user is not the
+		 * owner and the owner is not already in the list of notifiers.
+		 */
+		if($user->getID() != $content->getUser()->getID() /* && $content->getUser()->getID() != $document->getOwner()->getID() */ && false === SeedDMS_Core_DMS::inList($content->getUser(), $nl['users']))
+			$this->toIndividual($user, $content->getUser(), $subject, $message, $params, SeedDMS_NotificationService::RECV_UPLOADER);
+	} /* }}} */
+
 	public function sendDeleteApprovalMail($content, $user, $approver) { /* {{{ */
 		$document = $content->getDocument();
 		$folder = $document->getFolder();
@@ -1208,7 +1284,11 @@ class SeedDMS_NotificationService {
 		$params['folder_path'] = $folder->getFolderPathPlain();
 		$params['version'] = $content->getVersion();
 		$params['comment'] = $content->getComment();
-		$params['username'] = $user->getFullName();
+		if($reviewer->isType('user'))
+			$params['reviewer'] = $reviewer->getFullName();
+		elseif($reviewer->isType('group'))
+			$params['reviewer'] = $reviewer->getName();
+		$params['username'] = $user->getName();
 		$params['sitename'] = $this->settings->_siteName;
 		$params['http_root'] = $this->settings->_httpRoot;
 		$params['url'] = getBaseUrl().$this->settings->_httpRoot."out/out.ViewDocument.php?documentid=".$document->getID();
@@ -1219,6 +1299,58 @@ class SeedDMS_NotificationService {
 			$this->toGroup($user, $reviewer, $subject, $message, $params, SeedDMS_NotificationService::RECV_REVIEWER);
 	} /* }}} */
 
+	public function sendDeleteRevisionMail($content, $user, $revisor) { /* {{{ */
+		$document = $content->getDocument();
+		$folder = $document->getFolder();
+		$subject = "revision_deletion_email_subject";
+		$message = "revision_deletion_email_body";
+		$params = array();
+		$params['name'] = $document->getName();
+		$params['document_id'] = $document->getId();
+		$params['folder_path'] = $folder->getFolderPathPlain();
+		$params['version'] = $content->getVersion();
+		$params['comment'] = $content->getComment();
+		if($revisor->isType('user'))
+			$params['revisor'] = $revisor->getFullName();
+		elseif($revisor->isType('group'))
+			$params['revisor'] = $revisor->getName();
+		$params['username'] = $user->getFullName();
+		$params['sitename'] = $this->settings->_siteName;
+		$params['http_root'] = $this->settings->_httpRoot;
+		$params['url'] = getBaseUrl().$this->settings->_httpRoot."out/out.ViewDocument.php?documentid=".$document->getID();
+
+		if($revisor->isType('user'))
+			$this->toIndividual($user, $revisor, $subject, $message, $params, SeedDMS_NotificationService::RECV_REVISOR);
+		elseif($revisor->isType('group'))
+			$this->toGroup($user, $revisor, $subject, $message, $params, SeedDMS_NotificationService::RECV_REVISOR);
+	} /* }}} */
+
+	public function sendDeleteReceiptMail($content, $user, $recipient) { /* {{{ */
+		$document = $content->getDocument();
+		$folder = $document->getFolder();
+		$subject = "receipt_deletion_email_subject";
+		$message = "receipt_deletion_email_body";
+		$params = array();
+		$params['name'] = $document->getName();
+		$params['document_id'] = $document->getId();
+		$params['folder_path'] = $folder->getFolderPathPlain();
+		$params['version'] = $content->getVersion();
+		$params['comment'] = $content->getComment();
+		if($recipient->isType('user'))
+			$params['recipient'] = $recipient->getFullName();
+		elseif($recipient->isType('group'))
+			$params['recipient'] = $recipient->getName();
+		$params['username'] = $user->getFullName();
+		$params['sitename'] = $this->settings->_siteName;
+		$params['http_root'] = $this->settings->_httpRoot;
+		$params['url'] = getBaseUrl().$this->settings->_httpRoot."out/out.ViewDocument.php?documentid=".$document->getID();
+
+		if($recipient->isType('user'))
+			$this->toIndividual($user, $recipient, $subject, $message, $params, SeedDMS_NotificationService::RECV_RECIPIENT);
+		elseif($recipient->isType('group'))
+			$this->toGroup($user, $recipient, $subject, $message, $params, SeedDMS_NotificationService::RECV_RECIPIENT);
+	} /* }}} */
+
 	/**
 	 * This notification is send if a new approver is added.
 	 *
@@ -1270,6 +1402,10 @@ class SeedDMS_NotificationService {
 		$params['folder_path'] = $folder->getFolderPathPlain();
 		$params['version'] = $content->getVersion();
 		$params['comment'] = $content->getComment();
+		if($reviewer->isType('user'))
+			$params['reviewer'] = $reviewer->getFullName();
+		elseif($reviewer->isType('group'))
+			$params['reviewer'] = $reviewer->getName();
 		$params['username'] = $user->getFullName();
 		$params['url'] = getBaseUrl().$this->settings->_httpRoot."out/out.ViewDocument.php?documentid=".$document->getID();
 		$params['sitename'] = $this->settings->_siteName;
@@ -1281,6 +1417,60 @@ class SeedDMS_NotificationService {
 			$this->toGroup($user, $reviewer, $subject, $message, $params, SeedDMS_NotificationService::RECV_REVIEWER);
 	} /* }}} */
 
+	public function sendAddRevisionMail($content, $user, $revisor) { /* {{{ */
+		$document = $content->getDocument();
+		$folder = $document->getFolder();
+
+		$subject = "revision_request_email_subject";
+		$message = "revision_request_email_body";
+		$params = array();
+		$params['name'] = $document->getName();
+		$params['document_id'] = $document->getId();
+		$params['folder_path'] = $folder->getFolderPathPlain();
+		$params['version'] = $content->getVersion();
+		$params['comment'] = $content->getComment();
+		if($revisor->isType('user'))
+			$params['revisor'] = $revisor->getFullName();
+		elseif($revisor->isType('group'))
+			$params['revisor'] = $user->getName();
+		$params['username'] = $user->getFullName();
+		$params['url'] = getBaseUrl().$this->settings->_httpRoot."out/out.ViewDocument.php?documentid=".$document->getID();
+		$params['sitename'] = $this->settings->_siteName;
+		$params['http_root'] = $this->settings->_httpRoot;
+
+		if($revisor->isType('user'))
+			$this->toIndividual($user, $revisor, $subject, $message, $params, SeedDMS_NotificationService::RECV_REVISOR);
+		elseif($revisor->isType('group'))
+			$this->toGroup($user, $revisor, $subject, $message, $params, SeedDMS_NotificationService::RECV_REVISOR);
+	} /* }}} */
+
+	public function sendAddReceiptMail($content, $user, $recipient) { /* {{{ */
+		$document = $content->getDocument();
+		$folder = $document->getFolder();
+
+		$subject = "receipt_request_email_subject";
+		$message = "receipt_request_email_body";
+		$params = array();
+		$params['name'] = $document->getName();
+		$params['document_id'] = $document->getId();
+		$params['folder_path'] = $folder->getFolderPathPlain();
+		$params['version'] = $content->getVersion();
+		$params['comment'] = $content->getComment();
+		if($recipient->isType('user'))
+			$params['recipient'] = $recipient->getFullName();
+		elseif($recipient->isType('group'))
+			$params['recipient'] = $user->getName();
+		$params['username'] = $user->getFullName();
+		$params['url'] = getBaseUrl().$this->settings->_httpRoot."out/out.ViewDocument.php?documentid=".$document->getID();
+		$params['sitename'] = $this->settings->_siteName;
+		$params['http_root'] = $this->settings->_httpRoot;
+
+		if($recipient->isType('user'))
+			$this->toIndividual($user, $recipient, $subject, $message, $params, SeedDMS_NotificationService::RECV_RECIPIENT);
+		elseif($recipient->isType('group'))
+			$this->toGroup($user, $recipient, $subject, $message, $params, SeedDMS_NotificationService::RECV_RECIPIENT);
+	} /* }}} */
+
 	public function sendChangedDocumentOwnerMail($document, $user, $oldowner) { /* {{{ */
 		if($oldowner->getID() != $document->getOwner()->getID()) {
 			$notifyList = $document->getNotifyList();

inc/inc.ClassScheduler.php

@@ -0,0 +1,74 @@
+<?php
+/**
+ * Implementation of an SchedulerTask.
+ *
+ * SeedDMS can be extended by extensions. Extension usually implement
+ * hook.
+ *
+ * @category   DMS
+ * @package    SeedDMS
+ * @license    GPL 2
+ * @version    @version@
+ * @author     Uwe Steinmann <uwe@steinmann.cx>
+ * @copyright  2018 Uwe Steinmann
+ * @version    Release: @package_version@
+ */
+
+/**
+ * Class to represent a SchedulerTask
+ *
+ * This class provides some very basic methods to manage extensions.
+ *
+ * @category   DMS
+ * @package    SeedDMS
+ * @author     Markus Westphal, Malcolm Cowe, Uwe Steinmann <uwe@steinmann.cx>
+ * @copyright  2011 Uwe Steinmann
+ * @version    Release: @package_version@
+ */
+class SeedDMS_Scheduler {
+
+	/**
+	 * Instanz of database
+	 */
+	protected $db;
+
+	public function getTask($id) { /* {{{ */
+		return SeedDMS_SchedulerTask::getInstance($id, $this->db);
+	} /* }}} */
+
+	public function getTasksByExtension($extname, $taskname) { /* {{{ */
+		return SeedDMS_SchedulerTask::getInstancesByExtension($extname, $taskname, $this->db);
+	} /* }}} */
+
+	public function getTasks() { /* {{{ */
+		return SeedDMS_SchedulerTask::getInstances($this->db);
+	} /* }}} */
+
+	public function addTask($extname, $taskname, $name, $description, $frequency, $disabled, $params) { /* {{{ */
+		$db = $this->db;
+		if(!$extname)
+			return false;
+		if(!$taskname)
+			return false;
+		try {
+			$cron = Cron\CronExpression::factory($frequency);
+		} catch (Exception $e) {
+			return false;
+		}
+		$nextrun = $cron->getNextRunDate()->format('Y-m-d H:i:s');
+
+		$queryStr = "INSERT INTO `tblSchedulerTask` (`extension`, `task`, `name`, `description`, `frequency`, `disabled`, `params`, `nextrun`, `lastrun`) VALUES (".$db->qstr($extname).", ".$db->qstr($taskname).", ".$db->qstr($name).", ".$db->qstr($description).", ".$db->qstr($frequency).", ".intval($disabled).", ".$db->qstr(json_encode($params)).", '".$nextrun."', NULL)";
+		$res = $db->getResult($queryStr);
+		if (!$res)
+			return false;
+
+		$task = SeedDMS_SchedulerTask::getInstance($db->getInsertID('tblSchedulerTask'), $db);
+
+		return $task;
+	} /* }}} */
+
+	function __construct($db) {
+		$this->db = $db;
+	}
+
+}

inc/inc.ClassSchedulerTask.php

@@ -0,0 +1,347 @@
+<?php
+/**
+ * Implementation of an SchedulerTask.
+ *
+ * SeedDMS can be extended by extensions. Extension usually implement
+ * hook.
+ *
+ * @category   DMS
+ * @package    SeedDMS
+ * @license    GPL 2
+ * @version    @version@
+ * @author     Uwe Steinmann <uwe@steinmann.cx>
+ * @copyright  2018 Uwe Steinmann
+ * @version    Release: @package_version@
+ */
+
+/**
+ * Class to represent a SchedulerTask
+ *
+ * This class provides some very basic methods to manage extensions.
+ *
+ * @category   DMS
+ * @package    SeedDMS
+ * @author     Markus Westphal, Malcolm Cowe, Uwe Steinmann <uwe@steinmann.cx>
+ * @copyright  2011 Uwe Steinmann
+ * @version    Release: @package_version@
+ */
+class SeedDMS_SchedulerTask {
+	/**
+	 * Instanz of database
+	 */
+	protected $db;
+
+	/**
+	 * @var integer unique id of task
+	 */
+	protected $_id;
+
+	/**
+	 * @var string name of task
+	 */
+	protected $_name;
+
+	/**
+	 * @var string description of task
+	 */
+	protected $_description;
+
+	/**
+	 * @var string extension of task
+	 */
+	protected $_extension;
+
+	/**
+	 * @var string task of task
+	 */
+	protected $_task;
+
+	/**
+	 * @var string frequency of task
+	 */
+	protected $_frequency;
+
+	/**
+	 * @var integer set if disabled
+	 */
+	protected $_disabled;
+
+	/**
+	 * @var array list of parameters
+	 */
+	protected $_params;
+
+	/**
+	 * @var integer last run
+	 */
+	protected $_lastrun;
+
+	/**
+	 * @var integer next run
+	 */
+	protected $_nextrun;
+
+	public static function getInstance($id, $db) { /* {{{ */
+		$queryStr = "SELECT * FROM `tblSchedulerTask` WHERE `id` = " . (int) $id;
+		$resArr = $db->getResultArray($queryStr);
+		if (is_bool($resArr) && $resArr == false)
+			return false;
+		if (count($resArr) != 1)
+			return null;
+		$row = $resArr[0];
+
+		$task = new self($row["id"], $row['name'], $row["description"], $row["extension"], $row["task"], $row["frequency"], $row['disabled'], json_decode($row['params'], true), $row["nextrun"], $row["lastrun"]);
+		$task->setDB($db);
+
+		return $task;
+	} /* }}} */
+
+	public static function getInstances($db) { /* {{{ */
+		$queryStr = "SELECT * FROM `tblSchedulerTask`";
+		$resArr = $db->getResultArray($queryStr);
+		if (is_bool($resArr) && $resArr == false)
+			return false;
+		if (count($resArr) == 0)
+			return array();
+
+		$tasks = array();
+		foreach($resArr as $row) {
+			$task = new self($row["id"], $row['name'], $row["description"], $row["extension"], $row["task"], $row["frequency"], $row['disabled'], json_decode($row['params'], true), $row["nextrun"], $row["lastrun"]);
+			$task->setDB($db);
+			$tasks[] = $task;
+		}
+
+		return $tasks;
+	} /* }}} */
+
+	public static function getInstancesByExtension($extname, $taskname, $db) { /* {{{ */
+		$queryStr = "SELECT * FROM `tblSchedulerTask` WHERE `extension` = '".$extname."' AND `task` = '".$taskname."'";
+		$resArr = $db->getResultArray($queryStr);
+		if (is_bool($resArr) && $resArr == false)
+			return false;
+		if (count($resArr) == 0)
+			return array();
+
+		$tasks = array();
+		foreach($resArr as $row) {
+			$task = new self($row["id"], $row['name'], $row["description"], $row["extension"], $row["task"], $row["frequency"], $row['disabled'], json_decode($row['params'], true), $row["nextrun"], $row["lastrun"]);
+			$task->setDB($db);
+			$tasks[] = $task;
+		}
+
+		return $tasks;
+	} /* }}} */
+
+	function __construct($id, $name, $description, $extension, $task, $frequency, $disabled, $params, $nextrun, $lastrun) {
+		$this->_id = $id;
+		$this->_name = $name;
+		$this->_description = $description;
+		$this->_extension = $extension;
+		$this->_task = $task;
+		$this->_frequency = $frequency;
+		$this->_disabled = $disabled;
+		$this->_params = $params;
+		$this->_nextrun = $nextrun;
+		$this->_lastrun = $lastrun;
+	}
+
+	public function setDB($db) {
+		$this->db = $db;
+	}
+
+	public function getID() {
+		return $this->_id;
+	}
+
+	public function getName() {
+		return $this->_name;
+	}
+
+	public function setName($newName) { /* {{{ */
+		$db = $this->db;
+
+		$queryStr = "UPDATE `tblSchedulerTask` SET `name` =".$db->qstr($newName)." WHERE `id` = " . $this->_id;
+		$res = $db->getResult($queryStr);
+		if (!$res)
+			return false;
+
+		$this->_name = $newName;
+		return true;
+	} /* }}} */
+
+	public function getDescription() {
+		return $this->_description;
+	}
+
+	public function setDescription($newDescripion) { /* {{{ */
+		$db = $this->db;
+
+		$queryStr = "UPDATE `tblSchedulerTask` SET `description` =".$db->qstr($newDescripion)." WHERE `id` = " . $this->_id;
+		$res = $db->getResult($queryStr);
+		if (!$res)
+			return false;
+
+		$this->_description = $newDescripion;
+		return true;
+	} /* }}} */
+
+	public function getExtension() {
+		return $this->_extension;
+	}
+
+	public function getTask() {
+		return $this->_task;
+	}
+
+	public function getFrequency() {
+		return $this->_frequency;
+	}
+
+	public function setFrequency($newFrequency) { /* {{{ */
+		$db = $this->db;
+
+		try {
+			$cron = Cron\CronExpression::factory($newFrequency);
+		} catch (Exception $e) {
+			return false;
+		}
+		$nextrun = $cron->getNextRunDate()->format('Y-m-d H:i:s');
+
+		$queryStr = "UPDATE `tblSchedulerTask` SET `frequency` =".$db->qstr($newFrequency).", `nextrun` = '".$nextrun."' WHERE `id` = " . $this->_id;
+		$res = $db->getResult($queryStr);
+		if (!$res)
+			return false;
+
+		$this->_frequency = $newFrequency;
+		$this->_nextrun = $nextrun;
+		return true;
+	} /* }}} */
+
+	public function getNextRun() {
+		return $this->_nextrun;
+	}
+
+	public function getLastRun() {
+		return $this->_lastrun;
+	}
+
+	public function getDisabled() {
+		return $this->_disabled;
+	}
+
+	public function setDisabled($newDisabled) { /* {{{ */
+		$db = $this->db;
+
+		$queryStr = "UPDATE `tblSchedulerTask` SET `disabled` =".intval($newDisabled)." WHERE `id` = " . $this->_id;
+		$res = $db->getResult($queryStr);
+		if (!$res)
+			return false;
+
+		$this->_disabled = $newDisabled;
+		return true;
+	} /* }}} */
+
+	public function setParameter($newParams) { /* {{{ */
+		$db = $this->db;
+
+		$queryStr = "UPDATE `tblSchedulerTask` SET `params` =".$db->qstr(json_encode($newParams))." WHERE `id` = " . $this->_id;
+		$res = $db->getResult($queryStr);
+		if (!$res)
+			return false;
+
+		$this->_params = $newParams;
+		return true;
+	} /* }}} */
+
+	public function getParameter($name = '') {
+		if($name)
+			return isset($this->_params[$name]) ? $this->_params[$name] : null;
+		return $this->_params;
+	}
+
+	/**
+	 * Check if task is due
+	 *
+	 * This methods compares the current time with the time in the database
+	 * field `nextrun`.
+	 * If nextrun is smaller than the current time, the the task is due.
+	 * The methode does not rely on the value in the class variable `_nextrun`,
+	 * because that value could be 'very old', retrieved at a time
+	 * when the task list was fetched for checking due tasks e.g. by the
+	 * scheduler client. There is good reason to always take the current
+	 * value of nextrun from the database.
+	 *
+	 * Assuming there are two tasks. Task 1 takes 13 mins and task 2 takes only
+	 * 30 sec. Task 1 is run every hour and task 2 starts at 8:06. The cronjob
+	 * runs every 5 min. At e.g. 8:00 the list of tasks is read from the database
+	 * task 1 is due and starts running and before it runs it sets the database
+	 * field nextrun to 9:00. Task 2 isn't due at that time.
+	 * At 8:05 the cron job runs again, task 1 has already a new nextrun value
+	 * and will not run again. Task 2 isn't due yet and task 1 started at 8:00 is
+	 * still running.
+	 * At 8:10 task 1 is still running an not due again, but task 2 is due and
+	 * will be run. The database field `nextrun` of task 2 will be set to 8:06
+	 * on the next day.
+	 * At 8:13 task 1 which started at 8:00 is finished and the list of tasks
+	 * from that time will be processed further. Task 2 still has the old value
+	 * in the class variable `_nextrun` (8:06 the current day),
+	 * though the database field `nextrun` has been updated in
+	 * between. Taking the value of the class variable would rerun task 2 again,
+	 * though it ran at 8:10 already.
+	 * That's why this method always takes the current value of nextrun
+	 * from the database.
+	 *
+	 * @return boolean true if task is due, otherwise false
+	 */
+	public function isDue() {
+		$db = $this->db;
+
+		$queryStr = "SELECT * FROM `tblSchedulerTask` WHERE `id` = " . $this->_id;
+		$resArr = $db->getResultArray($queryStr);
+		if (is_bool($resArr) && $resArr == false)
+			return false;
+		if (count($resArr) != 1)
+			return false;
+		$row = $resArr[0];
+		$this->_nextrun = $row['nextrun'];
+
+		return $this->_nextrun < date('Y-m-d H:i:s');
+	}
+
+	public function updateLastNextRun() {
+		$db = $this->db;
+
+		$lastrun = date('Y-m-d H:i:s');
+		try {
+			$cron = Cron\CronExpression::factory($this->_frequency);
+			$nextrun = $cron->getNextRunDate()->format('Y-m-d H:i:s');
+		} catch (Exception $e) {
+			$nextrun = null;
+		}
+
+		$queryStr = "UPDATE `tblSchedulerTask` SET `lastrun`=".$db->qstr($lastrun).", `nextrun`=".($nextrun ? $db->qstr($nextrun) : "NULL")." WHERE `id` = " . $this->_id;
+		$res = $db->getResult($queryStr);
+		if (!$res)
+			return false;
+
+		$this->_lastrun = $lastrun;
+		$this->_nextrun = $nextrun;
+	}
+
+	/**
+	 * Delete task
+	 *
+	 * @return boolean true on success or false in case of an error
+	 */
+	function remove() { /* {{{ */
+		$db = $this->db;
+
+		$queryStr = "DELETE FROM `tblSchedulerTask` WHERE `id` = " . $this->_id;
+		if (!$db->getResult($queryStr)) {
+			return false;
+		}
+
+		return true;
+	} /* }}} */
+
+}

inc/inc.ClassSchedulerTaskBase.php

@@ -0,0 +1,139 @@
+<?php
+/***************************************************************
+*  Copyright notice
+*
+*  (c) 2018 Uwe Steinmann <uwe@steinmann.cx>
+*  All rights reserved
+*
+*  This script is part of the SeedDMS project. The SeedDMS project is
+*  free software; you can redistribute it and/or modify
+*  it under the terms of the GNU General Public License as published by
+*  the Free Software Foundation; either version 2 of the License, or
+*  (at your option) any later version.
+*
+*  The GNU General Public License can be found at
+*  http://www.gnu.org/copyleft/gpl.html.
+*
+*  This script is distributed in the hope that it will be useful,
+*  but WITHOUT ANY WARRANTY; without even the implied warranty of
+*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+*  GNU General Public License for more details.
+*
+*  This copyright notice MUST APPEAR in all copies of the script!
+***************************************************************/
+
+/**
+ * Base class for scheduler task
+ *
+ * @author  Uwe Steinmann <uwe@steinmann.cx>
+ * @package SeedDMS
+ */
+class SeedDMS_SchedulerTaskBase {
+	var $dms;
+
+	var $user;
+
+	var $settings;
+
+	var $logger;
+
+	var $fulltextservice;
+
+	var $notifier;
+
+	var $conversionmgr;
+
+	/**
+	 * Call a hook with a given name
+	 *
+	 * Checks if a hook with the given name and for the current task
+	 * exists and executes it. The name of the current task is taken
+	 * from the current class name by lower casing the first char.
+	 * This function will execute all registered hooks in the order
+	 * they were registered.
+	 *
+	 * Attention: as func_get_arg() cannot handle references passed to the hook,
+	 * callHook() should not be called if that is required. In that case get
+	 * a list of hook objects with getHookObjects() and call the hooks yourself.
+	 *
+	 * @params string $hook name of hook
+	 * @return string concatenated string, merged arrays or whatever the hook
+	 * function returns
+	 */
+	public function callHook($hook) { /* {{{ */
+		$tmps = array();
+		$tmp = explode('_', get_class($this));
+		$tmps[] = $tmp[1];
+		$tmp = explode('_', get_parent_class($this));
+		$tmps[] = $tmp[1];
+		/* Run array_unique() in case the parent class has the same suffix */
+		$tmps = array_unique($tmps);
+		$ret = null;
+		foreach($tmps as $tmp)
+		if(isset($GLOBALS['SEEDDMS_HOOKS']['task'][lcfirst($tmp)])) {
+			foreach($GLOBALS['SEEDDMS_HOOKS']['task'][lcfirst($tmp)] as $hookObj) {
+				if (method_exists($hookObj, $hook)) {
+					switch(func_num_args()) {
+						case 1:
+							$tmpret = $hookObj->$hook($this);
+							break;
+						case 2:
+							$tmpret = $hookObj->$hook($this, func_get_arg(1));
+							break;
+						case 3:
+							$tmpret = $hookObj->$hook($this, func_get_arg(1), func_get_arg(2));
+							break;
+						case 4:
+							$tmpret = $hookObj->$hook($this, func_get_arg(1), func_get_arg(2), func_get_arg(3));
+							break;
+						default:
+						case 5:
+							$tmpret = $hookObj->$hook($this, func_get_arg(1), func_get_arg(2), func_get_arg(3), func_get_arg(4));
+							break;
+					}
+					if($tmpret !== null) {
+						if(is_string($tmpret)) {
+							$ret = ($ret === null) ? $tmpret : (is_string($ret) ? $ret.$tmpret : array_merge($ret, array($tmpret)));
+						} elseif(is_array($tmpret) || is_object($tmpret)) {
+							$ret = ($ret === null) ? $tmpret : (is_string($ret) ? array_merge(array($ret), $tmpret) : array_merge($ret, $tmpret));
+						} else
+							$ret = $tmpret;
+					}
+				}
+			}
+		}
+		return $ret;
+	} /* }}} */
+
+	public function __construct($dms=null, $user=null, $settings=null, $logger=null, $fulltextservice=null, $notifier=null, $conversionmgr=null) { /* {{{ */
+		$this->dms = $dms;
+		$this->user = $user;
+		$this->settings = $settings;
+		$this->logger = $logger;
+		$this->fulltextservice = $fulltextservice;
+		$this->notifier = $notifier;
+		$this->conversionmgr = $conversionmgr;
+	} /* }}} */
+
+	public function execute(SeedDMS_SchedulerTask $task) { /* {{{ */
+		return true;
+	} /* }}} */
+
+	public function getDescription() { /* {{{ */
+		return '';
+	} /* }}} */
+
+	public function getAdditionalParams() { /* {{{ */
+		return array();
+	} /* }}} */
+
+	public function getAdditionalParamByName($name) { /* {{{ */
+		foreach($this->getAdditionalParams() as $param) {
+			if($param['name'] == $name)
+				return $param;
+		}
+		return null;
+	} /* }}} */
+}
+
+?>

inc/inc.ClassSettings.php

@@ -45,6 +45,8 @@ class Settings { /* {{{ */
 	var $_enableGuestLogin = false;
 	// If you even want guest to be logged in automatically, set the following to true
 	var $_enableGuestAutoLogin = false;
+	// Set to true for 2-factor Authentication
+	var $_enable2FactorAuthentication = false;
 	// If you want to allow login by email, set the following to true
 	var $_enableLoginByEmail = false;
 	// Allow users to reset their password
@@ -116,6 +118,12 @@ class Settings { /* {{{ */
 	var $_dropFolderDir = null;
 	// Where the backup directory is located
 	var $_backupDir = null;
+	// Where the library folder is located
+	var $_libraryFolder = 1;
+	// Where the checked out files are located
+	var $_checkOutDir = null;
+	// Create checkout dir if it doesn't exists
+	var $_createCheckOutDir = false;
 	// Where the repository for extensions is located
 	var $_repositoryUrl = null;
 	// URL of proxy
@@ -186,6 +194,18 @@ class Settings { /* {{{ */
 	var $_enableUpdateRevApp = false;
 	// enable/disable removal of a review/approval by the administrator
 	var $_enableRemoveRevApp = false;
+	// enable/disable listing logged in user as recipient
+	var $_enableSelfReceipt = false;
+	// enable/disable hidden user as recipient
+	var $_enableHiddenReceipt = true;
+	// enable/disable update of a receipt by the recipient
+	var $_enableUpdateReceipt = false;
+	// enable/disable listing administrator as recipient
+	var $_enableAdminReceipt = false;
+	// enable/disable listing owner as recipient
+	var $_enableOwnerReceipt = false;
+	// enable/disable filter for receipt by the recipient
+	var $_enableFilterReceipt = false;
 	// group manager is mandatory reviewer
 	var $_addManagerAsReviewer = false;
 	// group manager is mandatory approver
@@ -208,8 +228,12 @@ class Settings { /* {{{ */
 	var $_enableDuplicateDocNames = true;
 	// enable/disable duplicate names of a subfolder in a folder
 	var $_enableDuplicateSubFolderNames = true;
+	// allow/disallow to cancel a checkout
+	var $_enableCancelCheckout = true;
 	// override mimetype set by browser when uploading a file
 	var $_overrideMimeType = false;
+	// advanced access control lists
+	var $_advancedAcl = false;
 	// enable/disable notification when added as a reviewer/approver
 	var $_enableNotificationAppRev = true;
 	// enable/disable notification of users/group who need to take action for
@@ -219,12 +243,26 @@ class Settings { /* {{{ */
 	var $_enableNotificationWorkflow = false;
 	// preset expiration date
 	var $_presetExpirationDate = "";
+	// initial document status
+	var $_initialDocumentStatus = 2; //S_RELEASED;
 	// the name of the versioning info file created by the backup tool
 	var $_versioningFileName = "versioning_info.txt";
 	// the mode of workflow
 	var $_workflowMode = "traditional";
+	// enable/disable acknowledge workflow
+	var $_enableReceiptWorkflow = true;
+	// enable/disable reject of reception
+	var $_enableReceiptReject = false;
+	// enable/disable comment of reception
+	var $_disableReceiptComment = false;
+	// enable/disable revision workflow
+	var $_enableRevisionWorkflow = true;
+	// enable/disable revision on vote reject
+	var $_enableRevisionOneVoteReject = true;
 	// Allow to set just a reviewer in tradional workflow
 	var $_allowReviewerOnly = true;
+	// Allow to change reviewer/approver after review/approval has started
+	var $_allowChangeRevAppInProcess = false;
 	// enable/disable log system
 	var $_logFileEnable = true;
 	// enable/disable log system
@@ -259,8 +297,12 @@ class Settings { /* {{{ */
 	var $_enableClipboard = true;
 	// show always clipboard in main menu, even if empty
 	var $_alwaysShowClipboard = false;
+	// enable/disable list of transmittals in main menu
+	var $_enableMenuTransmittals = false;
 	// enable/disable list of tasks in main menu
 	var $_enableMenuTasks = true;
+	// select which tasks show up in main menu
+	var $_tasksInMenu = array();
 	// show always tasks in main menu, even if none are due
 	var $_alwaysShowMenuTasks = true;
 	// enable/disable list of files in drop folder
@@ -433,6 +475,18 @@ class Settings { /* {{{ */
 		return $out;
 	} /* }}} */
 
+	/**
+	 * Check if a variable is a string and returns an array
+	 *
+	 * @param array $var value
+	 * @return true/false
+	 */
+	function arrayVal($var) { /* {{{ */
+		if((string) $var)
+			return explode(';', $var);
+		return array();
+	} /* }}} */
+
 	/**
 	 * Return ';' seperated string from array
 	 *
@@ -557,8 +611,10 @@ class Settings { /* {{{ */
 		$this->_enableSessionList = Settings::boolVal($tab["enableSessionList"]);
 		$this->_enableClipboard = Settings::boolVal($tab["enableClipboard"]);
 		$this->_alwaysShowClipboard = Settings::boolVal($tab["alwaysShowClipboard"]);
+		$this->_enableMenuTransmittals = Settings::boolVal($tab["enableMenuTransmittals"]);
 		$this->_enableMenuTasks = Settings::boolVal($tab["enableMenuTasks"]);
 		$this->_alwaysShowMenuTasks = Settings::boolVal($tab["alwaysShowMenuTasks"]);
+		$this->_tasksInMenu = Settings::arrayVal($tab["tasksInMenu"]);
 		$this->_enableDropFolderList = Settings::boolVal($tab["enableDropFolderList"]);
 		$this->_enableDropUpload = Settings::boolVal($tab["enableDropUpload"]);
 		$this->_enableMultiUpload = Settings::boolVal($tab["enableMultiUpload"]);
@@ -582,6 +638,7 @@ class Settings { /* {{{ */
 		$this->_sortUsersInList = strval($tab["sortUsersInList"]);
 		$this->_sortFoldersDefault = strval($tab["sortFoldersDefault"]);
 		$this->_expandFolderTree = intval($tab["expandFolderTree"]);
+		$this->_libraryFolder = intval($tab["libraryFolder"]);
 		$this->_defaultDocPosition = strval($tab["defaultDocPosition"]);
 		$this->_defaultFolderPosition = strval($tab["defaultFolderPosition"]);
 
@@ -625,6 +682,8 @@ class Settings { /* {{{ */
 			$this->_luceneDir = strval($tab["luceneDir"]);
 			$this->_dropFolderDir = strval($tab["dropFolderDir"]);
 			$this->_backupDir = strval($tab["backupDir"]);
+			$this->_checkOutDir = strval($tab["checkOutDir"]);
+			$this->_createCheckOutDir = Settings::boolVal($tab["createCheckOutDir"]);
 			$this->_repositoryUrl = strval($tab["repositoryUrl"]);
 			$this->_proxyUrl = strval($tab["proxyUrl"]);
 			$this->_proxyUser = strval($tab["proxyUser"]);
@@ -636,14 +695,13 @@ class Settings { /* {{{ */
 			$this->_partitionSize = strval($tab["partitionSize"]);
 			$this->_maxUploadSize = strval($tab["maxUploadSize"]);
 			$this->_enableXsendfile = Settings::boolVal($tab["enableXsendfile"]);
-		}
 
-		// XML Path: /configuration/system/authentication
-		$node = $xml->xpath('/configuration/system/authentication');
-		if($node) {
+			// XML Path: /configuration/system/authentication
+			$node = $xml->xpath('/configuration/system/authentication');
 			$tab = $node[0]->attributes();
 			$this->_enableGuestLogin = Settings::boolVal($tab["enableGuestLogin"]);
 			$this->_enableGuestAutoLogin = Settings::boolVal($tab["enableGuestAutoLogin"]);
+			$this->_enable2FactorAuthentication = Settings::boolVal($tab["enable2FactorAuthentication"]);
 			$this->_enableLoginByEmail = Settings::boolVal($tab["enableLoginByEmail"]);
 			$this->_enablePasswordForgotten = Settings::boolVal($tab["enablePasswordForgotten"]);
 			$this->_passwordStrength = intval($tab["passwordStrength"]);
@@ -781,6 +839,11 @@ class Settings { /* {{{ */
 			$this->_enableHiddenRevApp = Settings::boolval($tab["enableHiddenRevApp"]);
 			$this->_enableUpdateRevApp = Settings::boolval($tab["enableUpdateRevApp"]);
 			$this->_enableRemoveRevApp = Settings::boolval($tab["enableRemoveRevApp"]);
+			$this->_enableSelfReceipt = Settings::boolval($tab["enableSelfReceipt"]);
+			$this->_enableAdminReceipt = Settings::boolval($tab["enableAdminReceipt"]);
+			$this->_enableOwnerReceipt = Settings::boolval($tab["enableOwnerReceipt"]);
+			$this->_enableUpdateReceipt = Settings::boolval($tab["enableUpdateReceipt"]);
+			$this->_enableFilterReceipt = Settings::boolval($tab["enableFilterReceipt"]);
 			$this->_addManagerAsReviewer = Settings::boolval($tab["addManagerAsReviewer"]);
 			$this->_addManagerAsApprover = Settings::boolval($tab["addManagerAsApprover"]);
 			if(trim(strval($tab["globalReviewer"])))
@@ -792,14 +855,23 @@ class Settings { /* {{{ */
 			if(trim(strval($tab["globalGroupApprover"])))
 				$this->_globalGroupApprover = explode(',',strval($tab["globalGroupApprover"]));
 			$this->_presetExpirationDate = strval($tab["presetExpirationDate"]);
+			$this->_initialDocumentStatus = intval($tab["initialDocumentStatus"]);
 			$this->_versioningFileName = strval($tab["versioningFileName"]);
 			$this->_workflowMode = strval($tab["workflowMode"]);
+			$this->_enableReceiptWorkflow = Settings::boolval($tab["enableReceiptWorkflow"]);
+			$this->_enableReceiptReject = Settings::boolval($tab["enableReceiptReject"]);
+			$this->_disableReceiptComment = Settings::boolval($tab["disableReceiptComment"]);
+			$this->_enableRevisionWorkflow = Settings::boolval($tab["enableRevisionWorkflow"]);
+			$this->_enableRevisionOneVoteReject = Settings::boolval($tab["enableRevisionOneVoteReject"]);
 			$this->_allowReviewerOnly = Settings::boolval($tab["allowReviewerOnly"]);
+			$this->_allowChangeRevAppInProcess = Settings::boolval($tab["allowChangeRevAppInProcess"]);
 			$this->_enableVersionDeletion = Settings::boolval($tab["enableVersionDeletion"]);
 			$this->_enableVersionModification = Settings::boolval($tab["enableVersionModification"]);
 			$this->_enableDuplicateDocNames = Settings::boolval($tab["enableDuplicateDocNames"]);
 			$this->_enableDuplicateSubFolderNames = Settings::boolval($tab["enableDuplicateSubFolderNames"]);
+			$this->_enableCancelCheckout = Settings::boolval($tab["enableCancelCheckout"]);
 			$this->_overrideMimeType = Settings::boolval($tab["overrideMimeType"]);
+			$this->_advancedAcl = Settings::boolval($tab["advancedAcl"]);
 			$this->_removeFromDropFolder = Settings::boolval($tab["removeFromDropFolder"]);
 			$this->_uploadedAttachmentIsPublic = Settings::boolval($tab["uploadedAttachmentIsPublic"]);
 		}
@@ -884,6 +956,8 @@ class Settings { /* {{{ */
 				$attributValue = "true";
 			else
 				$attributValue = "false";
+		} elseif(is_array($attributValue)) {
+			$attributValue = implode(';', $attributValue);
 		}
 
 		if (isset($node[$attributName])) {
@@ -967,8 +1041,10 @@ class Settings { /* {{{ */
 		$this->setXMLAttributValue($node, "enableSessionList", $this->_enableSessionList);
 		$this->setXMLAttributValue($node, "enableClipboard", $this->_enableClipboard);
 		$this->setXMLAttributValue($node, "alwaysShowClipboard", $this->_alwaysShowClipboard);
+		$this->setXMLAttributValue($node, "enableMenuTransmittals", $this->_enableMenuTransmittals);
 		$this->setXMLAttributValue($node, "enableMenuTasks", $this->_enableMenuTasks);
 		$this->setXMLAttributValue($node, "alwaysShowMenuTasks", $this->_alwaysShowMenuTasks);
+		$this->setXMLAttributValue($node, "tasksInMenu", $this->_tasksInMenu);
 		$this->setXMLAttributValue($node, "enableDropFolderList", $this->_enableDropFolderList);
 		$this->setXMLAttributValue($node, "enableDropUpload", $this->_enableDropUpload);
 		$this->setXMLAttributValue($node, "enableMultiUpload", $this->_enableMultiUpload);
@@ -990,6 +1066,7 @@ class Settings { /* {{{ */
     $this->setXMLAttributValue($node, "stopWordsFile", $this->_stopWordsFile);
     $this->setXMLAttributValue($node, "sortUsersInList", $this->_sortUsersInList);
     $this->setXMLAttributValue($node, "sortFoldersDefault", $this->_sortFoldersDefault);
+    $this->setXMLAttributValue($node, "libraryFolder", $this->_libraryFolder);
     $this->setXMLAttributValue($node, "defaultDocPosition", $this->_defaultDocPosition);
     $this->setXMLAttributValue($node, "defaultFolderPosition", $this->_defaultFolderPosition);
 
@@ -1021,6 +1098,8 @@ class Settings { /* {{{ */
     $this->setXMLAttributValue($node, "luceneDir", $this->_luceneDir);
     $this->setXMLAttributValue($node, "dropFolderDir", $this->_dropFolderDir);
     $this->setXMLAttributValue($node, "backupDir", $this->_backupDir);
+    $this->setXMLAttributValue($node, "checkOutDir", $this->_checkOutDir);
+    $this->setXMLAttributValue($node, "createCheckOutDir", $this->_createCheckOutDir);
     $this->setXMLAttributValue($node, "repositoryUrl", $this->_repositoryUrl);
     $this->setXMLAttributValue($node, "proxyUrl", $this->_proxyUrl);
     $this->setXMLAttributValue($node, "proxyUser", $this->_proxyUser);
@@ -1037,6 +1116,7 @@ class Settings { /* {{{ */
     $node = $this->getXMLNode($xml, '/configuration/system', 'authentication');
     $this->setXMLAttributValue($node, "enableGuestLogin", $this->_enableGuestLogin);
     $this->setXMLAttributValue($node, "enableGuestAutoLogin", $this->_enableGuestAutoLogin);
+    $this->setXMLAttributValue($node, "enable2FactorAuthentication", $this->_enable2FactorAuthentication);
     $this->setXMLAttributValue($node, "enableLoginByEmail", $this->_enableLoginByEmail);
     $this->setXMLAttributValue($node, "enablePasswordForgotten", $this->_enablePasswordForgotten);
     $this->setXMLAttributValue($node, "passwordStrength", $this->_passwordStrength);
@@ -1148,6 +1228,13 @@ class Settings { /* {{{ */
 		$this->setXMLAttributValue($node, "enableHiddenRevApp", $this->_enableHiddenRevApp);
 		$this->setXMLAttributValue($node, "enableUpdateRevApp", $this->_enableUpdateRevApp);
 		$this->setXMLAttributValue($node, "enableRemoveRevApp", $this->_enableRemoveRevApp);
+		$this->setXMLAttributValue($node, "enableSelfReceipt", $this->_enableSelfReceipt);
+		$this->setXMLAttributValue($node, "enableAdminReceipt", $this->_enableAdminReceipt);
+		$this->setXMLAttributValue($node, "enableOwnerReceipt", $this->_enableOwnerReceipt);
+		$this->setXMLAttributValue($node, "enableUpdateReceipt", $this->_enableUpdateReceipt);
+		$this->setXMLAttributValue($node, "enableFilterReceipt", $this->_enableFilterReceipt);
+		$this->setXMLAttributValue($node, "presetExpirationDate", $this->_presetExpirationDate);
+		$this->setXMLAttributValue($node, "initialDocumentStatus", $this->_initialDocumentStatus);
 		$this->setXMLAttributValue($node, "addManagerAsReviewer", $this->_addManagerAsReviewer);
 		$this->setXMLAttributValue($node, "addManagerAsApprover", $this->_addManagerAsApprover);
 		$this->setXMLAttributValue($node, "globalReviewer", implode(',', $this->_globalReviewer));
@@ -1157,14 +1244,21 @@ class Settings { /* {{{ */
 		$this->setXMLAttributValue($node, "presetExpirationDate", $this->_presetExpirationDate);
 		$this->setXMLAttributValue($node, "apiOrigin", $this->_apiOrigin);
 		$this->setXMLAttributValue($node, "versioningFileName", $this->_versioningFileName);
-		$this->setXMLAttributValue($node, "presetExpirationDate", $this->_presetExpirationDate);
 		$this->setXMLAttributValue($node, "workflowMode", $this->_workflowMode);
+		$this->setXMLAttributValue($node, "enableReceiptWorkflow", $this->_enableReceiptWorkflow);
+		$this->setXMLAttributValue($node, "enableReceiptReject", $this->_enableReceiptReject);
+		$this->setXMLAttributValue($node, "disableReceiptComment", $this->_disableReceiptComment);
+		$this->setXMLAttributValue($node, "enableRevisionWorkflow", $this->_enableRevisionWorkflow);
+		$this->setXMLAttributValue($node, "enableRevisionOneVoteReject", $this->_enableRevisionOneVoteReject);
 		$this->setXMLAttributValue($node, "allowReviewerOnly", $this->_allowReviewerOnly);
+		$this->setXMLAttributValue($node, "allowChangeRevAppInProcess", $this->_allowChangeRevAppInProcess);
 		$this->setXMLAttributValue($node, "enableVersionDeletion", $this->_enableVersionDeletion);
 		$this->setXMLAttributValue($node, "enableVersionModification", $this->_enableVersionModification);
 		$this->setXMLAttributValue($node, "enableDuplicateDocNames", $this->_enableDuplicateDocNames);
 		$this->setXMLAttributValue($node, "enableDuplicateSubFolderNames", $this->_enableDuplicateSubFolderNames);
+		$this->setXMLAttributValue($node, "enableCancelCheckout", $this->_enableCancelCheckout);
 		$this->setXMLAttributValue($node, "overrideMimeType", $this->_overrideMimeType);
+		$this->setXMLAttributValue($node, "advancedAcl", $this->_advancedAcl);
 		$this->setXMLAttributValue($node, "removeFromDropFolder", $this->_removeFromDropFolder);
 		$this->setXMLAttributValue($node, "uploadedAttachmentIsPublic", $this->_uploadedAttachmentIsPublic);
 

inc/inc.ClassUI.php

@@ -20,6 +20,7 @@
 
 require_once('inc.ClassUI_Default.php');
 require_once('inc.ClassViewCommon.php');
+require_once('inc.ClassAccessOperation.php');
 
 /* $theme was possibly set in inc.Authentication.php */
 if (!isset($theme) || strlen($theme)==0) {
@@ -45,7 +46,7 @@ class UI extends UI_Default {
 	 * @return object an object of a class implementing the view
 	 */
 	static function factory($theme, $class='', $params=array()) { /* {{{ */
-		global $settings, $session, $extMgr, $request, $logger, $notifier;
+		global $settings, $dms, $user, $session, $extMgr, $request, $logger, $notifier;
 		if(!$class) {
 			$class = 'Bootstrap';
 			$class = 'Style';
@@ -127,6 +128,7 @@ class UI extends UI_Default {
 			$params['settings'] = $settings;
 			$view = new $classname($params, $theme);
 			/* Set some configuration parameters */
+			$view->setParam('accessobject', new SeedDMS_AccessOperation($dms, $user, $settings));
 			$view->setParam('referer', isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '');
 			$view->setParam('requesturi', $_SERVER['REQUEST_URI']);
 			$view->setParam('absbaseprefix', $settings->_httpRoot.$httpbasedir);
@@ -153,11 +155,14 @@ class UI extends UI_Default {
 			$view->setParam('enablefoldertree', $settings->_enableFolderTree);
 			$view->setParam('enablelanguageselector', $settings->_enableLanguageSelector);
 			$view->setParam('enableclipboard', $settings->_enableClipboard);
+			$view->setParam('enablemenutransmittals', $settings->_enableMenuTransmittals);
 			$view->setParam('enablemenutasks', $settings->_enableMenuTasks);
+			$view->setParam('tasksinmenu', $settings->_tasksInMenu);
 			$view->setParam('enabledropfolderlist', $settings->_enableDropFolderList);
 			$view->setParam('dropfolderdir', $settings->_dropFolderDir);
 			$view->setParam('enablesessionlist', $settings->_enableSessionList);
 			$view->setParam('workflowmode', $settings->_workflowMode);
+			$view->setParam('checkoutdir', $settings->_checkOutDir);
 			$view->setParam('partitionsize', SeedDMS_Core_File::parse_filesize( $settings->_partitionSize));
 			$view->setParam('maxuploadsize', $settings->getMaximumUploadSize());
 			$view->setParam('showmissingtranslations', $settings->_showMissingTranslations);
@@ -193,7 +198,6 @@ class UI extends UI_Default {
 
 	static function exitError($pagetitle, $error, $noexit=false, $plain=false) {
 		global $theme, $dms, $user, $settings;
-		$accessop = new SeedDMS_AccessOperation($dms, null, $user, $settings);
 		$view = UI::factory($theme, 'ErrorDlg');
 		$request = $view->getParam('request');
 		if($request) {
@@ -201,7 +205,6 @@ class UI extends UI_Default {
 		}
 		$view->setParam('dms', $dms);
 		$view->setParam('user', $user);
-		$view->setParam('accessobject', $accessop);
 		$view->setParam('pagetitle', $pagetitle);
 		$view->setParam('errormsg', $error);
 		$view->setParam('plain', $plain);

inc/inc.ClassViewCommon.php

@@ -322,8 +322,10 @@ class SeedDMS_View_Common {
 	 */
 	protected function html_url($view, $urlparams=array()) { /* {{{ */
 		$url = $this->params['settings']->_httpRoot."out/out.".$view.".php";
-		if($urlparams)
+		if(is_array($urlparams))
 			$url .= "?".http_build_query($urlparams);
+		elseif(is_string($urlparams))
+			$url .= "?".$urlparams;
 		return $url;
 	} /* }}} */
 

inc/inc.DBInit.php

@@ -87,6 +87,7 @@ if(isset($GLOBALS['SEEDDMS_HOOKS']['initDMS'])) {
 	}
 }
 
+require_once('inc/inc.Tasks.php');
 require_once("inc.ConversionInit.php");
 require_once('inc.FulltextInit.php');
 require_once('inc.AuthenticationInit.php');

inc/inc.Extension.php

@@ -14,6 +14,7 @@
 global $logger;
 
 require "inc.ClassExtensionMgr.php";
+require_once "inc.ClassSchedulerTaskBase.php";
 require_once "inc.ClassExtBase.php";
 
 $extMgr = new SeedDMS_Extension_Mgr($settings->_rootDir."/ext", $settings->_cacheDir, $settings->_repositoryUrl, $settings->_proxyUrl, $settings->_proxyUser, $settings->_proxyPassword);

inc/inc.FulltextInit.php

@@ -26,6 +26,7 @@ $fulltextservice = null;
 if($settings->_enableFullSearch) {
 	require_once("inc.ClassFulltextService.php");
 	$fulltextservice = new SeedDMS_FulltextService();
+	$fulltextservice->setLogger($logger);
 
 	if($settings->_fullSearchEngine == 'sqlitefts') {
 		$indexconf = array(

inc/inc.Language.php

@@ -174,6 +174,68 @@ function getReviewStatusText($status, $date=0) { /* {{{ */
 	}
 } /* }}} */
 
+function printReceiptStatusText($status, $date=0) { /* {{{ */
+	print getReceiptStatusText($status, $date);
+} /* }}} */
+
+function getReceiptStatusText($status, $date=0) { /* {{{ */
+	if (is_null($status)) {
+		return getMLText("status_unknown");
+	}
+	else {
+		switch ($status) {
+			case -2:
+				return getMLText("status_recipient_removed");
+				break;
+			case -1:
+				return getMLText("status_receipt_rejected").($date !=0 ? " ".$date : "");
+				break;
+			case 0:
+				return getMLText("status_not_receipted");
+				break;
+			case 1:
+				return getMLText("status_receipted").($date !=0 ? " ".$date : "");
+				break;
+			default:
+				return getMLText("status_unknown");
+				break;
+		}
+	}
+} /* }}} */
+
+function printRevisionStatusText($status, $date=0) { /* {{{ */
+	print getRevisionStatusText($status, $date);
+} /* }}} */
+
+function getRevisionStatusText($status, $date=0) { /* {{{ */
+	if (is_null($status)) {
+		return getMLText("status_unknown");
+	}
+	else {
+		switch ($status) {
+			case -3:
+				return getMLText("status_revision_sleeping");
+				break;
+			case -2:
+				return getMLText("status_revisor_removed");
+				break;
+			case -1:
+				return getMLText("status_needs_correction").($date !=0 ? " ".$date : "");
+				return getMLText("status_revision_rejected").($date !=0 ? " ".$date : "");
+				break;
+			case 0:
+				return getMLText("status_not_revised");
+				break;
+			case 1:
+				return getMLText("status_revised").($date !=0 ? " ".$date : "");
+				break;
+			default:
+				return getMLText("status_unknown");
+				break;
+		}
+	}
+} /* }}} */
+
 function printApprovalStatusText($status, $date=0) { /* {{{ */
 	if (is_null($status)) {
 		print getMLText("status_unknown");
@@ -255,6 +317,15 @@ function getOverallStatusText($status) { /* {{{ */
 			case S_EXPIRED:
 				return getMLText("expired");
 				break;
+			case S_IN_REVISION:
+				return getMLText("in_revision");
+				break;
+			case S_DRAFT:
+				return getMLText("draft");
+				break;
+			case S_NEEDS_CORRECTION:
+				return getMLText("needs_correction");
+				break;
 			default:
 				return getMLText("status_unknown");
 				break;

inc/inc.Scheduler.php

@@ -0,0 +1,17 @@
+<?php
+/**
+ * Initialize scheduler
+ *
+ * @category   DMS
+ * @package    SeedDMS
+ * @license    GPL 2
+ * @version    @version@
+ * @author     Uwe Steinmann <uwe@steinmann.cx>
+ * @copyright  Copyright (C) 2018 Uwe Steinmann
+ * @version    Release: @package_version@
+ */
+
+require_once "inc.ClassSchedulerTaskBase.php";
+require_once "inc.ClassScheduler.php";
+require_once "inc.ClassSchedulerTask.php";
+

inc/inc.Utils.php

@@ -447,7 +447,7 @@ function utf8_basename($path, $suffix='') { /* {{{ */
  * @return string valid file name
  */
 function getFilenameByDocname($content) { /* {{{ */
-	if(is_string) {
+	if(is_string($content)) {
 		$filename = $content;
 	} else {
 		$document = $content->getDocument();
@@ -795,6 +795,18 @@ function addDirSep($str, $chr=DIRECTORY_SEPARATOR) { /* {{{ */
 } /* }}} */
 
 /**
+ * Formats comments for aknowledge of reception.
+ *
+ * Only use in documentListRow()
+ */
+function formatComment($an) { /* {{{ */
+	$t = array();
+	foreach($an as $a)
+		$t[] = $a['n']." × ".$a['c'];
+	return $t;
+} /* }}} */
+
+/*
  * Determines if a command exists on the current environment
  *
  * @param string $command The command to check
@@ -970,6 +982,19 @@ function seed_pass_verify($password, $hash) { /* {{{ */
 	return $hash === md5($password);
 } /* }}} */
 
+function resolveTask($task) { /* {{{ */
+	global $dms, $user, $settings, $logger, $fulltextservice, $notifier, $conversionmgr;
+
+	if(is_object($task))
+		return $task;
+	if(is_string($task)) {
+		if(class_exists($task)) {
+			$task = new $task($dms, $user, $settings, $logger, $fulltextservice, $notifier, $conversionmgr);
+		}
+	}
+	return $task;
+} /* }}} */
+
 /**
  * Return nonce for CSP
  *

inc/inc.Version.php

@@ -20,7 +20,7 @@
 
 class SeedDMS_Version { /* {{{ */
 
-	const _number = "5.1.37";
+	const _number = "6.0.30";
 	const _string = "SeedDMS";
 
 	function __construct() {

install/create_tables-innodb.sql

@@ -47,19 +47,35 @@ CREATE TABLE `tblAttributeDefinitions` (
 -- --------------------------------------------------------
 
 --
--- Table structure for table `tblUsers`
+-- Table structure for table `tblRoles`
 --
 
+CREATE TABLE `tblRoles` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `name` varchar(50) DEFAULT NULL,
+  `role` smallint(1) NOT NULL DEFAULT '0',
+  `noaccess` varchar(30) NOT NULL DEFAULT '',
+  PRIMARY KEY (`id`),
+  UNIQUE (`name`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+-- --------------------------------------------------------
+
+-- 
+-- Table structure for table `tblUsers`
+-- 
+
 CREATE TABLE `tblUsers` (
   `id` int(11) NOT NULL AUTO_INCREMENT,
   `login` varchar(50) DEFAULT NULL,
   `pwd` varchar(50) DEFAULT NULL,
+  `secret` varchar(50) DEFAULT NULL,
   `fullName` varchar(100) DEFAULT NULL,
   `email` varchar(70) DEFAULT NULL,
   `language` varchar(32) NOT NULL,
   `theme` varchar(32) NOT NULL,
   `comment` text NOT NULL,
-  `role` smallint(1) NOT NULL DEFAULT '0',
+  `role` int(11) NOT NULL,
   `hidden` smallint(1) NOT NULL DEFAULT '0',
   `pwdExpiration` datetime DEFAULT NULL,
   `loginfailures` tinyint(4) NOT NULL DEFAULT '0',
@@ -67,11 +83,28 @@ CREATE TABLE `tblUsers` (
   `quota` bigint(20) DEFAULT NULL,
   `homefolder` int(11) DEFAULT NULL,
   PRIMARY KEY (`id`),
-  UNIQUE KEY `login` (`login`)
+  UNIQUE KEY `login` (`login`),
+  CONSTRAINT `tblUsers_role` FOREIGN KEY (`role`) REFERENCES `tblRoles` (`id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 
 -- --------------------------------------------------------
 
+--
+-- Table structure for table `tblUserSubstitutes`
+--
+
+CREATE TABLE `tblUserSubstitutes` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `user` int(11) DEFAULT null,
+  `substitute` int(11) DEFAULT null,
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `user` (`user`,`substitute`),
+  CONSTRAINT `tblUserSubstitutes_user` FOREIGN KEY (`user`) REFERENCES `tblUsers` (`id`) ON DELETE CASCADE,
+  CONSTRAINT `tblUserSubstitutes_substitute` FOREIGN KEY (`user`) REFERENCES `tblUsers` (`id`) ON DELETE CASCADE
+);
+
+-- --------------------------------------------------------
+
 --
 -- Table structure for table `tblUserPasswordRequest`
 --
@@ -222,6 +255,7 @@ CREATE TABLE `tblDocumentApprovers` (
   UNIQUE KEY `documentID` (`documentID`,`version`,`type`,`required`),
   CONSTRAINT `tblDocumentApprovers_document` FOREIGN KEY (`documentID`) REFERENCES `tblDocuments` (`id`) ON DELETE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+CREATE INDEX `indDocumentApproversRequired` ON `tblDocumentApprovers` (`required`);
 
 -- --------------------------------------------------------
 
@@ -262,6 +296,7 @@ CREATE TABLE `tblDocumentContent` (
   `mimeType` varchar(100) NOT NULL DEFAULT '',
   `fileSize` bigint(20) DEFAULT NULL,
   `checksum` char(32) DEFAULT NULL,
+  `revisiondate` datetime DEFAULT NULL,
   PRIMARY KEY (`id`),
   UNIQUE KEY `document` (`document`,`version`),
   CONSTRAINT `tblDocumentContent_document` FOREIGN KEY (`document`) REFERENCES `tblDocuments` (`id`)
@@ -350,6 +385,23 @@ CREATE TABLE `tblDocumentLocks` (
 -- --------------------------------------------------------
 
 --
+-- Table structure for table `tblDocumentCheckOuts`
+--
+
+CREATE TABLE `tblDocumentCheckOuts` (
+  `document` int(11) NOT NULL DEFAULT '0',
+  `version` smallint(5) unsigned NOT NULL DEFAULT '0',
+  `userID` int(11) NOT NULL DEFAULT '0',
+  `date` datetime NOT NULL,
+  `filename` varchar(255) NOT NULL DEFAULT '',
+  PRIMARY KEY (`document`),
+  CONSTRAINT `tblDocumentCheckOuts_document` FOREIGN KEY (`document`) REFERENCES `tblDocuments` (`id`) ON DELETE CASCADE,
+  CONSTRAINT `tblDocumentCheckOuts_user` FOREIGN KEY (`userID`) REFERENCES `tblUsers` (`id`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+-- --------------------------------------------------------
+
+-- 
 -- Table structure for table `tblDocumentReviewers`
 --
 
@@ -363,6 +415,7 @@ CREATE TABLE `tblDocumentReviewers` (
   UNIQUE KEY `documentID` (`documentID`,`version`,`type`,`required`),
   CONSTRAINT `tblDocumentReviewers_document` FOREIGN KEY (`documentID`) REFERENCES `tblDocuments` (`id`) ON DELETE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+CREATE INDEX `indDocumentReviewersRequired` ON `tblDocumentReviewers` (`required`);
 
 -- --------------------------------------------------------
 
@@ -386,6 +439,83 @@ CREATE TABLE `tblDocumentReviewLog` (
 
 -- --------------------------------------------------------
 
+--
+-- Table structure for table `tblDocumentRecipients`
+--
+
+CREATE TABLE `tblDocumentRecipients` (
+  `receiptID` int(11) NOT NULL AUTO_INCREMENT,
+  `documentID` int(11) NOT NULL DEFAULT '0',
+  `version` smallint(5) unsigned NOT NULL DEFAULT '0',
+  `type` tinyint(4) NOT NULL DEFAULT '0',
+  `required` int(11) NOT NULL DEFAULT '0',
+  PRIMARY KEY (`receiptID`),
+  UNIQUE KEY `documentID` (`documentID`,`version`,`type`,`required`),
+  CONSTRAINT `tblDocumentRecipients_document` FOREIGN KEY (`documentID`) REFERENCES `tblDocuments` (`id`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+CREATE INDEX `indDocumentRecipientsRequired` ON `tblDocumentRecipients` (`required`);
+
+-- --------------------------------------------------------
+
+--
+-- Table structure for table `tblDocumentReceiptLog`
+--
+
+CREATE TABLE `tblDocumentReceiptLog` (
+  `receiptLogID` int(11) NOT NULL AUTO_INCREMENT,
+  `receiptID` int(11) NOT NULL DEFAULT '0',
+  `status` tinyint(4) NOT NULL DEFAULT '0',
+  `comment` text NOT NULL,
+  `date` datetime NOT NULL,
+  `userID` int(11) NOT NULL DEFAULT '0',
+  PRIMARY KEY (`receiptLogID`),
+  KEY `tblDocumentReceiptLog_receipt` (`receiptID`),
+  KEY `tblDocumentReceiptLog_user` (`userID`),
+  CONSTRAINT `tblDocumentReceiptLog_recipient` FOREIGN KEY (`receiptID`) REFERENCES `tblDocumentRecipients` (`receiptID`) ON DELETE CASCADE,
+  CONSTRAINT `tblDocumentReceiptLog_user` FOREIGN KEY (`userID`) REFERENCES `tblUsers` (`id`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+-- --------------------------------------------------------
+
+--
+-- Table structure for table `tblDocumentRevisors`
+--
+
+CREATE TABLE `tblDocumentRevisors` (
+  `revisionID` int(11) NOT NULL AUTO_INCREMENT,
+  `documentID` int(11) NOT NULL DEFAULT '0',
+  `version` smallint(5) unsigned NOT NULL DEFAULT '0',
+  `type` tinyint(4) NOT NULL DEFAULT '0',
+  `required` int(11) NOT NULL DEFAULT '0',
+  `startdate` datetime DEFAULT NULL,
+  PRIMARY KEY (`revisionID`),
+  UNIQUE KEY `documentID` (`documentID`,`version`,`type`,`required`),
+  CONSTRAINT `tblDocumentRevisors_document` FOREIGN KEY (`documentID`) REFERENCES `tblDocuments` (`id`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+CREATE INDEX `indDocumentRevisorsRequired` ON `tblDocumentRevisors` (`required`);
+
+-- --------------------------------------------------------
+
+--
+-- Table structure for table `tblDocumentRevisionLog`
+--
+
+CREATE TABLE `tblDocumentRevisionLog` (
+  `revisionLogID` int(11) NOT NULL AUTO_INCREMENT,
+  `revisionID` int(11) NOT NULL DEFAULT '0',
+  `status` tinyint(4) NOT NULL DEFAULT '0',
+  `comment` text NOT NULL,
+  `date` datetime NOT NULL,
+  `userID` int(11) NOT NULL DEFAULT '0',
+  PRIMARY KEY (`revisionLogID`),
+  KEY `tblDocumentRevisionLog_revision` (`revisionID`),
+  KEY `tblDocumentRevisionLog_user` (`userID`),
+  CONSTRAINT `tblDocumentRevisionLog_revision` FOREIGN KEY (`revisionID`) REFERENCES `tblDocumentRevisors` (`revisionID`) ON DELETE CASCADE,
+  CONSTRAINT `tblDocumentRevisionLog_user` FOREIGN KEY (`userID`) REFERENCES `tblUsers` (`id`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+-- --------------------------------------------------------
+
 --
 -- Table structure for table `tblDocumentStatus`
 --
@@ -608,6 +738,7 @@ CREATE TABLE `tblWorkflows` (
   `id` int(11) NOT NULL AUTO_INCREMENT,
   `name` text NOT NULL,
   `initstate` int(11) NOT NULL,
+  `layoutdata` text DEFAULT NULL,
   PRIMARY KEY (`id`),
   KEY `tblWorkflow_initstate` (`initstate`),
   CONSTRAINT `tblWorkflow_initstate` FOREIGN KEY (`initstate`) REFERENCES `tblWorkflowStates` (`id`) ON DELETE CASCADE
@@ -674,53 +805,52 @@ CREATE TABLE `tblWorkflowTransitionGroups` (
 
 -- --------------------------------------------------------
 
---
--- Table structure for table `tblWorkflowLog`
---
-
-CREATE TABLE `tblWorkflowLog` (
-  `id` int(11) NOT NULL AUTO_INCREMENT,
-  `document` int(11) DEFAULT NULL,
-  `version` smallint(5) DEFAULT NULL,
-  `workflow` int(11) DEFAULT NULL,
-  `userid` int(11) DEFAULT NULL,
-  `transition` int(11) DEFAULT NULL,
-  `date` datetime NOT NULL,
-  `comment` text,
-  PRIMARY KEY (`id`),
-  KEY `tblWorkflowLog_document` (`document`),
-  KEY `tblWorkflowLog_workflow` (`workflow`),
-  KEY `tblWorkflowLog_userid` (`userid`),
-  KEY `tblWorkflowLog_transition` (`transition`),
-  CONSTRAINT `tblWorkflowLog_document` FOREIGN KEY (`document`) REFERENCES `tblDocuments` (`id`) ON DELETE CASCADE,
-  CONSTRAINT `tblWorkflowLog_transition` FOREIGN KEY (`transition`) REFERENCES `tblWorkflowTransitions` (`id`) ON DELETE CASCADE,
-  CONSTRAINT `tblWorkflowLog_userid` FOREIGN KEY (`userid`) REFERENCES `tblUsers` (`id`) ON DELETE CASCADE,
-  CONSTRAINT `tblWorkflowLog_workflow` FOREIGN KEY (`workflow`) REFERENCES `tblWorkflows` (`id`) ON DELETE CASCADE
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
--- --------------------------------------------------------
-
 --
 -- Table structure for table `tblWorkflowDocumentContent`
 --
 
 CREATE TABLE `tblWorkflowDocumentContent` (
-  `parentworkflow` int(11) DEFAULT '0',
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `parent` int(11) DEFAULT NULL,
   `workflow` int(11) DEFAULT NULL,
   `document` int(11) DEFAULT NULL,
   `version` smallint(5) DEFAULT NULL,
   `state` int(11) DEFAULT NULL,
   `date` datetime NOT NULL,
+  PRIMARY KEY (`id`),
   KEY `tblWorkflowDocument_document` (`document`),
   KEY `tblWorkflowDocument_workflow` (`workflow`),
   KEY `tblWorkflowDocument_state` (`state`),
   CONSTRAINT `tblWorkflowDocument_document` FOREIGN KEY (`document`) REFERENCES `tblDocuments` (`id`) ON DELETE CASCADE,
   CONSTRAINT `tblWorkflowDocument_state` FOREIGN KEY (`state`) REFERENCES `tblWorkflowStates` (`id`) ON DELETE CASCADE,
+  CONSTRAINT `tblWorkflowDocumentContent_parent` FOREIGN KEY (`parent`) REFERENCES `tblWorkflowDocumentContent` (`id`) ON DELETE CASCADE,
   CONSTRAINT `tblWorkflowDocument_workflow` FOREIGN KEY (`workflow`) REFERENCES `tblWorkflows` (`id`) ON DELETE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 
 -- --------------------------------------------------------
 
+--
+-- Table structure for table `tblWorkflowLog`
+--
+
+CREATE TABLE `tblWorkflowLog` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `workflowdocumentcontent` int(11) NOT NULL DEFAULT '0',
+  `userid` int(11) DEFAULT NULL,
+  `transition` int(11) DEFAULT NULL,
+  `date` datetime NOT NULL,
+  `comment` text,
+  PRIMARY KEY (`id`),
+  KEY `tblWorkflowLog_userid` (`userid`),
+  KEY `tblWorkflowLog_transition` (`transition`),
+  KEY `tblWorkflowLog_workflowdocumentcontent` (`workflowdocumentcontent`),
+  CONSTRAINT `tblWorkflowLog_workflowdocumentcontent` FOREIGN KEY (`workflowdocumentcontent`) REFERENCES `tblWorkflowDocumentContent` (`id`) ON DELETE CASCADE,
+  CONSTRAINT `tblWorkflowLog_transition` FOREIGN KEY (`transition`) REFERENCES `tblWorkflowTransitions` (`id`) ON DELETE CASCADE,
+  CONSTRAINT `tblWorkflowLog_userid` FOREIGN KEY (`userid`) REFERENCES `tblUsers` (`id`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+-- --------------------------------------------------------
+
 --
 -- Table structure for table `tblWorkflowMandatoryWorkflow`
 --
@@ -736,6 +866,127 @@ CREATE TABLE `tblWorkflowMandatoryWorkflow` (
 
 -- --------------------------------------------------------
 
+--
+-- Table structure for transmittal
+--
+
+CREATE TABLE `tblTransmittals` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `name` text NOT NULL,
+  `comment` text NOT NULL,
+  `userID` int(11) NOT NULL DEFAULT '0',
+  `date` datetime DEFAULT NULL,
+  `public` tinyint(1) NOT NULL DEFAULT '0',
+  PRIMARY KEY (`id`),
+  CONSTRAINT `tblTransmittals_user` FOREIGN KEY (`userID`) REFERENCES `tblUsers` (`id`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+-- --------------------------------------------------------
+
+--
+-- Table structure for transmittal item
+--
+
+CREATE TABLE `tblTransmittalItems` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `transmittal` int(11) NOT NULL DEFAULT '0',
+  `document` int(11) DEFAULT NULL,
+  `version` smallint(5) unsigned NOT NULL DEFAULT '0',
+  `date` datetime DEFAULT NULL,
+  PRIMARY KEY (`id`),
+  UNIQUE (transmittal, document, version),
+  CONSTRAINT `tblTransmittalItems_document` FOREIGN KEY (`document`) REFERENCES `tblDocuments` (`id`) ON DELETE CASCADE,
+  CONSTRAINT `tblTransmittalItem_transmittal` FOREIGN KEY (`transmittal`) REFERENCES `tblTransmittals` (`id`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+-- --------------------------------------------------------
+
+-- 
+-- Table structure for cached read access
+-- 
+
+CREATE TABLE `tblCachedAccess` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `document` int(11) DEFAULT NULL,
+  `user` int(11) DEFAULT null,
+  `mode` tinyint(4) NOT NULL DEFAULT '0',
+  PRIMARY KEY (`id`),
+  CONSTRAINT `tblCachedAccess_document` FOREIGN KEY (`document`) REFERENCES `tblDocuments` (`id`) ON DELETE CASCADE,
+  CONSTRAINT `tblCachedAccess_user` FOREIGN KEY (`user`) REFERENCES `tblUsers` (`id`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+-- --------------------------------------------------------
+
+-- 
+-- Table structure for access request objects
+-- 
+
+CREATE TABLE `tblAros` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `parent` int(11),
+  `model` text NOT NULL,
+  `foreignid` int(11) NOT NULL DEFAULT '0',
+  `alias` varchar(255),
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+-- --------------------------------------------------------
+
+-- 
+-- Table structure for access control objects
+-- 
+
+CREATE TABLE `tblAcos` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `parent` int(11),
+  `model` text NOT NULL,
+  `foreignid` int(11) NOT NULL DEFAULT '0',
+  `alias` varchar(255),
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+-- --------------------------------------------------------
+
+-- 
+-- Table structure for acos/aros relation
+-- 
+
+CREATE TABLE `tblArosAcos` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `aro` int(11) NOT NULL DEFAULT '0',
+  `aco` int(11) NOT NULL DEFAULT '0',
+  `create` tinyint(4) NOT NULL DEFAULT '-1',
+  `read` tinyint(4) NOT NULL DEFAULT '-1',
+  `update` tinyint(4) NOT NULL DEFAULT '-1',
+  `delete` tinyint(4) NOT NULL DEFAULT '-1',
+  PRIMARY KEY (`id`),
+  UNIQUE (aco, aro),
+  CONSTRAINT `tblArosAcos_acos` FOREIGN KEY (`aco`) REFERENCES `tblAcos` (`id`) ON DELETE CASCADE,
+  CONSTRAINT `tblArosAcos_aros` FOREIGN KEY (`aro`) REFERENCES `tblAros` (`id`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+-- --------------------------------------------------------
+
+--
+-- Table structure for table `tblSchedulerTask`
+--
+
+CREATE TABLE `tblSchedulerTask` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `name` varchar(100) DEFAULT NULL,
+  `description` text DEFAULT NULL,
+  `disabled` smallint(1) NOT NULL DEFAULT '0',
+  `extension` varchar(100) DEFAULT NULL,
+  `task` varchar(100) DEFAULT NULL,
+  `frequency` varchar(100) DEFAULT NULL,
+  `params` text DEFAULT NULL,
+  `nextrun` datetime DEFAULT NULL,
+  `lastrun` datetime DEFAULT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+-- --------------------------------------------------------
+
 --
 -- Table structure for table `tblVersion`
 --
@@ -753,7 +1004,10 @@ CREATE TABLE `tblVersion` (
 -- Initial content for database
 --
 
-INSERT INTO tblUsers VALUES (1, 'admin', '21232f297a57a5a743894a0e4a801fc3', 'Administrator', 'info@seeddms.org', '', '', '', 1, 0, NULL, 0, 0, 0, NULL);
-INSERT INTO tblUsers VALUES (2, 'guest', NULL, 'Guest User', NULL, '', '', '', 2, 0, NULL, 0, 0, 0, NULL);
+INSERT INTO `tblRoles` (`id`, `name`, `role`) VALUES (1, 'Admin', 1);
+INSERT INTO `tblRoles` (`id`, `name`, `role`) VALUES (2, 'Guest', 2);
+INSERT INTO `tblRoles` (`id`, `name`, `role`) VALUES (3, 'User', 0);
+INSERT INTO tblUsers VALUES (1, 'admin', '21232f297a57a5a743894a0e4a801fc3', '', 'Administrator', 'info@seeddms.org', '', '', '', 1, 0, NULL, 0, 0, 0, NULL);
+INSERT INTO tblUsers VALUES (2, 'guest', NULL, '', 'Guest User', NULL, '', '', '', 2, 0, NULL, 0, 0, 0, NULL);
 INSERT INTO tblFolders VALUES (1, 'DMS', 0, '', 'DMS root', UNIX_TIMESTAMP(), 1, 0, 2, 0);
-INSERT INTO tblVersion VALUES (NOW(), 5, 1, 0);
+INSERT INTO tblVersion VALUES (NOW(), 6, 0, 0);

install/create_tables-postgres.sql

@@ -43,6 +43,19 @@ CREATE TABLE "tblAttributeDefinitions" (
 
 -- --------------------------------------------------------
 
+-- 
+-- Table structure for table `tblRoles`
+-- 
+
+CREATE TABLE "tblRoles" (
+  "id" SERIAL UNIQUE,
+  "name" varchar(50) default NULL,
+  "role" INTEGER NOT NULL default '0',
+  "noaccess" varchar(30) NOT NULL default ''
+) ;
+
+-- --------------------------------------------------------
+
 -- 
 -- Table structure for table "tblUsers"
 -- 
@@ -51,6 +64,7 @@ CREATE TABLE "tblUsers" (
   "id" SERIAL UNIQUE,
   "login" varchar(50) default NULL,
   "pwd" varchar(50) default NULL,
+  "secret" varchar(50) default NULL,
   "fullName" varchar(100) default NULL,
   "email" varchar(70) default NULL,
   "language" varchar(32) NOT NULL,
@@ -68,6 +82,18 @@ CREATE TABLE "tblUsers" (
 
 -- --------------------------------------------------------
 
+-- 
+-- Table structure for table `tblUserSubstitutes`
+-- 
+
+CREATE TABLE "tblUserSubstitutes" (
+  "id" SERIAL UNIQUE,
+  "user" INTEGER NOT NULL default '0' REFERENCES "tblUsers" ("id") ON DELETE CASCADE,
+  "substitute" INTEGER NOT NULL default '0' REFERENCES "tblUsers" ("id") ON DELETE CASCADE
+);
+
+-- --------------------------------------------------------
+
 -- 
 -- Table structure for table "tblUserPasswordRequest"
 -- 
@@ -225,6 +251,7 @@ CREATE TABLE "tblDocumentContent" (
   "mimeType" varchar(100) NOT NULL default '',
   "fileSize" BIGINT,
   "checksum" char(32),
+  "revisiondate" TIMESTAMP default NULL,
   UNIQUE ("document","version")
 ) ;
 
@@ -290,6 +317,21 @@ CREATE TABLE "tblDocumentLocks" (
 
 -- --------------------------------------------------------
 
+-- 
+-- Table structure for table `tblDocumentCheckOuts`
+-- 
+
+CREATE TABLE "tblDocumentCheckOuts" (
+  "document" INTEGER REFERENCES "tblDocuments" ("id") ON DELETE CASCADE,
+  "version" INTEGER NOT NULL default '0',
+  "userID" INTEGER NOT NULL default '0' REFERENCES "tblUsers" ("id"),
+  "date" TEXT NOT NULL,
+  "filename" varchar(255) NOT NULL default '',
+  UNIQUE ("document")
+) ;
+
+-- --------------------------------------------------------
+
 -- 
 -- Table structure for table "tblDocumentReviewers"
 -- 
@@ -320,6 +362,67 @@ CREATE TABLE "tblDocumentReviewLog" (
 
 -- --------------------------------------------------------
 
+-- 
+-- Table structure for table `tblDocumentRecipients`
+-- 
+
+CREATE TABLE "tblDocumentRecipients" (
+  "receiptID" SERIAL UNIQUE,
+  "documentID" INTEGER NOT NULL default '0' REFERENCES "tblDocuments" ("id") ON DELETE CASCADE,
+  "version" INTEGER NOT NULL default '0',
+  "type" INTEGER NOT NULL default '0',
+  "required" INTEGER NOT NULL default '0',
+  UNIQUE ("documentID","version","type","required")
+) ;
+
+-- --------------------------------------------------------
+
+-- 
+-- Table structure for table "tblDocumentReceiptLog"
+-- 
+
+CREATE TABLE "tblDocumentReceiptLog" (
+  "receiptLogID" SERIAL UNIQUE,
+  "receiptID" INTEGER NOT NULL default 0 REFERENCES "tblDocumentRecipients" ("receiptID") ON DELETE CASCADE,
+  "status" INTEGER NOT NULL default 0,
+  "comment" TEXT NOT NULL,
+  "date" TEXT NOT NULL,
+  "userID" INTEGER NOT NULL default 0 REFERENCES "tblUsers" ("id") ON DELETE CASCADE
+) ;
+
+-- --------------------------------------------------------
+
+-- 
+-- Table structure for table `tblDocumentRevisors`
+-- 
+
+CREATE TABLE "tblDocumentRevisors" (
+  "revisionID" SERIAL UNIQUE,
+  "documentID" INTEGER NOT NULL default '0' REFERENCES "tblDocuments" ("id") ON DELETE CASCADE,
+  "version" INTEGER NOT NULL default '0',
+  "type" INTEGER NOT NULL default '0',
+  "required" INTEGER NOT NULL default '0',
+  "startdate" TIMESTAMP default NULL,
+  UNIQUE ("documentID","version","type","required")
+) ;
+
+-- --------------------------------------------------------
+
+-- 
+-- Table structure for table "tblDocumentRevisionLog"
+-- 
+
+CREATE TABLE "tblDocumentRevisionLog" (
+  "revisionLogID" SERIAL UNIQUE,
+  "revisionID" INTEGER NOT NULL default 0 REFERENCES "tblDocumentRevisors" ("revisionID") ON DELETE CASCADE,
+  "status" INTEGER NOT NULL default 0,
+  "comment" TEXT NOT NULL,
+  "date" TIMESTAMP default NULL,
+  "userID" INTEGER NOT NULL default 0 REFERENCES "tblUsers" ("id") ON DELETE CASCADE
+) ;
+
+-- --------------------------------------------------------
+
 -- 
 -- Table structure for table "tblDocumentStatus"
 -- 
@@ -433,7 +536,7 @@ CREATE TABLE "tblSessions" (
   "theme" varchar(30) NOT NULL default '',
   "language" varchar(30) NOT NULL default '',
   "clipboard" text default NULL,
-	"su" INTEGER DEFAULT NULL,
+  "su" INTEGER DEFAULT NULL,
   "splashmsg" text default NULL
 ) ;
 
@@ -514,7 +617,8 @@ CREATE TABLE "tblWorkflowActions" (
 CREATE TABLE "tblWorkflows" (
   "id" SERIAL UNIQUE,
   "name" text NOT NULL,
-  "initstate" INTEGER NOT NULL REFERENCES "tblWorkflowStates" ("id") ON DELETE CASCADE
+  "initstate" INTEGER NOT NULL REFERENCES "tblWorkflowStates" ("id") ON DELETE CASCADE,
+  "layoutdata" text default NULL
 ) ;
 
 -- --------------------------------------------------------
@@ -559,29 +663,13 @@ CREATE TABLE "tblWorkflowTransitionGroups" (
 
 -- --------------------------------------------------------
 
--- 
--- Table structure for workflow log
--- 
-
-CREATE TABLE "tblWorkflowLog" (
-  "id" SERIAL UNIQUE,
-  "document" INTEGER default NULL REFERENCES "tblDocuments" ("id") ON DELETE CASCADE,
-  "version" INTEGER default NULL,
-  "workflow" INTEGER default NULL REFERENCES "tblWorkflows" ("id") ON DELETE CASCADE,
-  "userid" INTEGER default NULL REFERENCES "tblUsers" ("id") ON DELETE CASCADE,
-  "transition" INTEGER default NULL REFERENCES "tblWorkflowTransitions" ("id") ON DELETE CASCADE,
-  "date" TIMESTAMP default NULL,
-  "comment" text
-) ;
-
--- --------------------------------------------------------
-
 -- 
 -- Table structure for workflow document relation
 -- 
 
 CREATE TABLE "tblWorkflowDocumentContent" (
-  "parentworkflow" INTEGER DEFAULT 0,
+  "id" SERIAL UNIQUE,
+  "parent" INTEGER DEFAULT NULL REFERENCES "tblWorkflowDocumentContent" ("id") ON DELETE CASCADE,
   "workflow" INTEGER DEFAULT NULL REFERENCES "tblWorkflows" ("id") ON DELETE CASCADE,
   "document" INTEGER DEFAULT NULL REFERENCES "tblDocuments" ("id") ON DELETE CASCADE,
   "version" INTEGER DEFAULT NULL,
@@ -591,6 +679,21 @@ CREATE TABLE "tblWorkflowDocumentContent" (
 
 -- --------------------------------------------------------
 
+-- 
+-- Table structure for workflow log
+-- 
+
+CREATE TABLE "tblWorkflowLog" (
+  "id" SERIAL UNIQUE,
+  "workflowdocumentcontent" INTEGER DEFAULT NULL REFERENCES "tblWorkflowDocumentContent" ("id") ON DELETE CASCADE,
+  "userid" INTEGER default NULL REFERENCES "tblUsers" ("id") ON DELETE CASCADE,
+  "transition" INTEGER default NULL REFERENCES "tblWorkflowTransitions" ("id") ON DELETE CASCADE,
+  "date" TIMESTAMP default NULL,
+  "comment" text
+) ;
+
+-- --------------------------------------------------------
+
 -- 
 -- Table structure for mandatory workflows
 -- 
@@ -603,6 +706,101 @@ CREATE TABLE "tblWorkflowMandatoryWorkflow" (
 
 -- --------------------------------------------------------
 
+-- 
+-- Table structure for transmittal
+-- 
+
+CREATE TABLE "tblTransmittals" (
+  "id" SERIAL UNIQUE,
+  "name" text NOT NULL,
+  "comment" text NOT NULL,
+  "userID" INTEGER NOT NULL default '0' REFERENCES "tblUsers" ("id") ON DELETE CASCADE,
+  "date" TIMESTAMP default NULL,
+  "public" INTEGER NOT NULL default '0'
+);
+
+-- --------------------------------------------------------
+
+-- 
+-- Table structure for transmittal item
+-- 
+
+CREATE TABLE "tblTransmittalItems" (
+  "id" SERIAL UNIQUE,
+  "transmittal" INTEGER NOT NULL DEFAULT '0' REFERENCES "tblTransmittals" ("id") ON DELETE CASCADE,
+  "document" INTEGER default NULL REFERENCES "tblDocuments" ("id") ON DELETE CASCADE,
+  "version" INTEGER NOT NULL default '0',
+  "date" TIMESTAMP default NULL,
+  UNIQUE (transmittal, document, version)
+);
+
+-- --------------------------------------------------------
+
+-- 
+-- Table structure for access request objects
+-- 
+
+CREATE TABLE "tblAros" (
+  "id" SERIAL UNIQUE,
+  "parent" INTEGER,
+  "model" TEXT NOT NULL,
+  "foreignid" INTEGER NOT NULL DEFAULT '0',
+  "alias" TEXT
+) ;
+
+
+-- --------------------------------------------------------
+
+-- 
+-- Table structure for access control objects
+-- 
+
+CREATE TABLE "tblAcos" (
+  "id" SERIAL UNIQUE,
+  "parent" INTEGER,
+  "model" TEXT NOT NULL,
+  "foreignid" INTEGER NOT NULL DEFAULT '0',
+  "alias" TEXT
+) ;
+
+-- --------------------------------------------------------
+
+-- 
+-- Table structure for acos/aros relation
+-- 
+
+CREATE TABLE "tblArosAcos" (
+  "id" SERIAL UNIQUE,
+  "aro" INTEGER NOT NULL DEFAULT '0' REFERENCES "tblAros" ("id") ON DELETE CASCADE,
+  "aco" INTEGER NOT NULL DEFAULT '0' REFERENCES "tblAcos" ("id") ON DELETE CASCADE,
+  "create" INTEGER NOT NULL DEFAULT '-1',
+  "read" INTEGER NOT NULL DEFAULT '-1',
+  "update" INTEGER NOT NULL DEFAULT '-1',
+  "delete" INTEGER NOT NULL DEFAULT '-1',
+  UNIQUE (aco, aro)
+) ;
+
+-- --------------------------------------------------------
+
+-- 
+-- Table structure for tblSchedulerTask
+-- 
+
+CREATE TABLE "tblSchedulerTask" (
+  "id" SERIAL UNIQUE,
+  "name" varchar(100) DEFAULT NULL,
+  "description" TEXT DEFAULT NULL,
+  "disabled" INTEGER NOT NULL DEFAULT '0',
+  "extension" varchar(100) DEFAULT NULL,
+  "task" varchar(100) DEFAULT NULL,
+  "frequency" varchar(100) DEFAULT NULL,
+  "params" TEXT DEFAULT NULL,
+  "nextrun" TIMESTAMP DEFAULT NULL,
+  "lastrun" TIMESTAMP DEFAULT NULL
+) ;
+
+-- --------------------------------------------------------
+
 -- 
 -- Table structure for version
 -- 
@@ -620,10 +818,16 @@ CREATE TABLE "tblVersion" (
 -- Initial content for database
 --
 
-INSERT INTO "tblUsers" VALUES (1, 'admin', '21232f297a57a5a743894a0e4a801fc3', 'Administrator', 'info@seeddms.org', '', '', '', 1, 0, NULL, 0, 0, 0, NULL);
+INSERT INTO "tblRoles" ("id", "name", "role") VALUES (1, 'Admin', 1);
+SELECT nextval('"tblRoles_id_seq"');
+INSERT INTO "tblRoles" ("id", "name", "role") VALUES (2, 'Guest', 2);
+SELECT nextval('"tblRoles_id_seq"');
+INSERT INTO "tblRoles" ("id", "name", "role") VALUES (3, 'User', 0);
+SELECT nextval('"tblRoles_id_seq"');
+INSERT INTO "tblUsers" VALUES (1, 'admin', '21232f297a57a5a743894a0e4a801fc3', '', 'Administrator', 'info@seeddms.org', '', '', '', 1, 0, NULL, 0, 0, 0, NULL);
 SELECT nextval('"tblUsers_id_seq"');
-INSERT INTO "tblUsers" VALUES (2, 'guest', NULL, 'Guest User', NULL, '', '', '', 2, 0, NULL, 0, 0, 0, NULL);
+INSERT INTO "tblUsers" VALUES (2, 'guest', NULL, '', 'Guest User', NULL, '', '', '', 2, 0, NULL, 0, 0, 0, NULL);
 SELECT nextval('"tblUsers_id_seq"');
 INSERT INTO "tblFolders" VALUES (1, 'DMS', 0, '', 'DMS root', extract(epoch from now()), 1, 0, 2, 0);
 SELECT nextval('"tblFolders_id_seq"');
-INSERT INTO "tblVersion" VALUES (CURRENT_TIMESTAMP, 5, 1, 0);
+INSERT INTO "tblVersion" VALUES (CURRENT_TIMESTAMP, 6, 0, 0);

install/create_tables-sqlite3.sql

@@ -43,6 +43,20 @@ CREATE TABLE `tblAttributeDefinitions` (
 
 -- --------------------------------------------------------
 
+--
+-- Table structure for table `tblRoles`
+--
+
+CREATE TABLE `tblRoles` (
+  `id` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `name` varchar(50) default NULL,
+  `role` INTEGER NOT NULL default '0',
+  `noaccess` varchar(30) NOT NULL default '',
+  UNIQUE (`name`)
+) ;
+
+-- --------------------------------------------------------
+
 --
 -- Table structure for table `tblUsers`
 --
@@ -51,12 +65,13 @@ CREATE TABLE `tblUsers` (
   `id` INTEGER PRIMARY KEY AUTOINCREMENT,
   `login` varchar(50) default NULL,
   `pwd` varchar(50) default NULL,
+  `secret` varchar(50) default NULL,
   `fullName` varchar(100) default NULL,
   `email` varchar(70) default NULL,
   `language` varchar(32) NOT NULL,
   `theme` varchar(32) NOT NULL,
   `comment` text NOT NULL,
-  `role` INTEGER NOT NULL default '0',
+  `role` INTEGER NOT NULL REFERENCES `tblRoles` (`id`),
   `hidden` INTEGER NOT NULL default '0',
   `pwdExpiration` TEXT default NULL,
   `loginfailures` INTEGER NOT NULL default '0',
@@ -68,6 +83,19 @@ CREATE TABLE `tblUsers` (
 
 -- --------------------------------------------------------
 
+--
+-- Table structure for table `tblUserSubstitutes`
+--
+
+CREATE TABLE `tblUserSubstitutes` (
+  `id` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `user` INTEGER NOT NULL default '0' REFERENCES `tblUsers` (`id`) ON DELETE CASCADE,
+  `substitute` INTEGER NOT NULL default '0' REFERENCES `tblUsers` (`id`) ON DELETE CASCADE,
+  UNIQUE (`user`, `substitute`)
+);
+
+-- --------------------------------------------------------
+
 --
 -- Table structure for table `tblUserPasswordRequest`
 --
@@ -135,7 +163,7 @@ CREATE TABLE `tblFolderAttributes` (
   `folder` INTEGER default NULL REFERENCES `tblFolders` (`id`) ON DELETE CASCADE,
   `attrdef` INTEGER default NULL REFERENCES `tblAttributeDefinitions` (`id`),
   `value` text default NULL,
-  UNIQUE (folder, attrdef)
+  UNIQUE (`folder`, `attrdef`)
 ) ;
  
 -- --------------------------------------------------------
@@ -171,7 +199,7 @@ CREATE TABLE `tblDocumentAttributes` (
   `document` INTEGER default NULL REFERENCES `tblDocuments` (`id`) ON DELETE CASCADE,
   `attrdef` INTEGER default NULL REFERENCES `tblAttributeDefinitions` (`id`),
   `value` text default NULL,
-  UNIQUE (document, attrdef)
+  UNIQUE (`document`, `attrdef`)
 ) ;
 
 -- --------------------------------------------------------
@@ -188,6 +216,7 @@ CREATE TABLE `tblDocumentApprovers` (
   `required` INTEGER NOT NULL default '0',
   UNIQUE (`documentID`,`version`,`type`,`required`)
 ) ;
+CREATE INDEX `indDocumentApproversRequired` ON `tblDocumentApprovers` (`required`);
 
 -- --------------------------------------------------------
 
@@ -203,6 +232,7 @@ CREATE TABLE `tblDocumentApproveLog` (
   `date` TEXT NOT NULL,
   `userID` INTEGER NOT NULL default '0' REFERENCES `tblUsers` (`id`) ON DELETE CASCADE
 ) ;
+CREATE INDEX `indDocumentApproveLogApproveID` ON `tblDocumentApproveLog` (`approveID`);
 
 -- --------------------------------------------------------
 
@@ -223,6 +253,7 @@ CREATE TABLE `tblDocumentContent` (
   `mimeType` varchar(100) NOT NULL default '',
   `fileSize` INTEGER,
   `checksum` char(32),
+  `revisiondate` TEXT default NULL,
   UNIQUE (`document`,`version`)
 ) ;
 
@@ -237,7 +268,7 @@ CREATE TABLE `tblDocumentContentAttributes` (
   `content` INTEGER default NULL REFERENCES `tblDocumentContent` (`id`) ON DELETE CASCADE,
   `attrdef` INTEGER default NULL REFERENCES `tblAttributeDefinitions` (`id`),
   `value` text default NULL,
-  UNIQUE (content, attrdef)
+  UNIQUE (`content`, `attrdef`)
 ) ;
 
 -- --------------------------------------------------------
@@ -288,6 +319,21 @@ CREATE TABLE `tblDocumentLocks` (
 
 -- --------------------------------------------------------
 
+--
+-- Table structure for table `tblDocumentCheckOuts`
+--
+
+CREATE TABLE `tblDocumentCheckOuts` (
+  `document` INTEGER REFERENCES `tblDocuments` (`id`) ON DELETE CASCADE,
+  `version` INTEGER unsigned NOT NULL default '0',
+  `userID` INTEGER NOT NULL default '0' REFERENCES `tblUsers` (`id`),
+  `date` TEXT NOT NULL,
+  `filename` varchar(255) NOT NULL default '',
+  UNIQUE (`document`)
+) ;
+
+-- --------------------------------------------------------
+
 --
 -- Table structure for table `tblDocumentReviewers`
 --
@@ -300,6 +346,7 @@ CREATE TABLE `tblDocumentReviewers` (
   `required` INTEGER NOT NULL default '0',
   UNIQUE (`documentID`,`version`,`type`,`required`)
 ) ;
+CREATE INDEX `indDocumentReviewersRequired` ON `tblDocumentReviewers` (`required`);
 
 -- --------------------------------------------------------
 
@@ -315,6 +362,72 @@ CREATE TABLE `tblDocumentReviewLog` (
   `date` TEXT NOT NULL,
   `userID` INTEGER NOT NULL default 0 REFERENCES `tblUsers` (`id`) ON DELETE CASCADE
 ) ;
+CREATE INDEX `indDocumentReviewLogReviewID` ON `tblDocumentReviewLog` (`reviewID`);
+
+-- --------------------------------------------------------
+
+--
+-- Table structure for table `tblDocumentRecipients`
+--
+
+CREATE TABLE `tblDocumentRecipients` (
+  `receiptID` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `documentID` INTEGER NOT NULL default '0' REFERENCES `tblDocuments` (`id`) ON DELETE CASCADE,
+  `version` INTEGER unsigned NOT NULL default '0',
+  `type` INTEGER NOT NULL default '0',
+  `required` INTEGER NOT NULL default '0',
+  UNIQUE (`documentID`,`version`,`type`,`required`)
+) ;
+CREATE INDEX `indDocumentRecipientsRequired` ON `tblDocumentRecipients` (`required`);
+
+-- --------------------------------------------------------
+
+--
+-- Table structure for table `tblDocumentReceiptLog`
+--
+
+CREATE TABLE `tblDocumentReceiptLog` (
+  `receiptLogID` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `receiptID` INTEGER NOT NULL default 0 REFERENCES `tblDocumentRecipients` (`receiptID`) ON DELETE CASCADE,
+  `status` INTEGER NOT NULL default 0,
+  `comment` TEXT NOT NULL,
+  `date` TEXT NOT NULL,
+  `userID` INTEGER NOT NULL default 0 REFERENCES `tblUsers` (`id`) ON DELETE CASCADE
+) ;
+CREATE INDEX `indDocumentReceiptLogReceiptID` ON `tblDocumentReceiptLog` (`receiptID`);
+
+-- --------------------------------------------------------
+
+--
+-- Table structure for table `tblDocumentRevisors`
+--
+
+CREATE TABLE `tblDocumentRevisors` (
+  `revisionID` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `documentID` INTEGER NOT NULL default '0' REFERENCES `tblDocuments` (`id`) ON DELETE CASCADE,
+  `version` INTEGER unsigned NOT NULL default '0',
+  `type` INTEGER NOT NULL default '0',
+  `required` INTEGER NOT NULL default '0',
+  `startdate` TEXT default NULL,
+  UNIQUE (`documentID`,`version`,`type`,`required`)
+) ;
+CREATE INDEX `indDocumentRevisorsRequired` ON `tblDocumentRevisors` (`required`);
+
+-- --------------------------------------------------------
+
+--
+-- Table structure for table `tblDocumentRevisionLog`
+--
+
+CREATE TABLE `tblDocumentRevisionLog` (
+  `revisionLogID` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `revisionID` INTEGER NOT NULL default 0 REFERENCES `tblDocumentRevisors` (`revisionID`) ON DELETE CASCADE,
+  `status` INTEGER NOT NULL default 0,
+  `comment` TEXT NOT NULL,
+  `date` TEXT NOT NULL,
+  `userID` INTEGER NOT NULL default 0 REFERENCES `tblUsers` (`id`) ON DELETE CASCADE
+) ;
+CREATE INDEX `indDocumentRevisionLogRevisionID` ON `tblDocumentRevisionLog` (`revisionID`);
 
 -- --------------------------------------------------------
 
@@ -343,6 +456,7 @@ CREATE TABLE `tblDocumentStatusLog` (
   `date` TEXT NOT NULL,
   `userID` INTEGER NOT NULL default '0' REFERENCES `tblUsers` (`id`) ON DELETE CASCADE
 ) ;
+CREATE INDEX `indDocumentStatusLogStatusID` ON `tblDocumentStatusLog` (`StatusID`);
 
 -- --------------------------------------------------------
 
@@ -512,7 +626,8 @@ CREATE TABLE `tblWorkflowActions` (
 CREATE TABLE `tblWorkflows` (
   `id` INTEGER PRIMARY KEY AUTOINCREMENT,
   `name` text NOT NULL,
-  `initstate` INTEGER NOT NULL REFERENCES `tblWorkflowStates` (`id`) ON DELETE CASCADE
+  `initstate` INTEGER NOT NULL REFERENCES `tblWorkflowStates` (`id`) ON DELETE CASCADE,
+  `layoutdata` text default NULL
 ) ;
 
 -- --------------------------------------------------------
@@ -557,29 +672,13 @@ CREATE TABLE `tblWorkflowTransitionGroups` (
 
 -- --------------------------------------------------------
 
---
--- Table structure for table `tblWorkflowLog`
---
-
-CREATE TABLE `tblWorkflowLog` (
-  `id` INTEGER PRIMARY KEY AUTOINCREMENT,
-  `document` INTEGER default NULL REFERENCES `tblDocuments` (`id`) ON DELETE CASCADE,
-  `version` INTEGER default NULL,
-  `workflow` INTEGER default NULL REFERENCES `tblWorkflows` (`id`) ON DELETE CASCADE,
-  `userid` INTEGER default NULL REFERENCES `tblUsers` (`id`) ON DELETE CASCADE,
-  `transition` INTEGER default NULL REFERENCES `tblWorkflowTransitions` (`id`) ON DELETE CASCADE,
-  `date` datetime NOT NULL,
-  `comment` text
-) ;
-
--- --------------------------------------------------------
-
 --
 -- Table structure for table `tblWorkflowDocumentContent`
 --
 
 CREATE TABLE `tblWorkflowDocumentContent` (
-  `parentworkflow` INTEGER DEFAULT 0,
+  `id` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `parent` INTEGER DEFAULT NULL REFERENCES `tblWorkflowDocumentContent` (`id`) ON DELETE CASCADE,
   `workflow` INTEGER DEFAULT NULL REFERENCES `tblWorkflows` (`id`) ON DELETE CASCADE,
   `document` INTEGER DEFAULT NULL REFERENCES `tblDocuments` (`id`) ON DELETE CASCADE,
   `version` INTEGER DEFAULT NULL,
@@ -589,6 +688,21 @@ CREATE TABLE `tblWorkflowDocumentContent` (
 
 -- --------------------------------------------------------
 
+--
+-- Table structure for table `tblWorkflowLog`
+--
+
+CREATE TABLE `tblWorkflowLog` (
+  `id` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `workflowdocumentcontent` INTEGER DEFAULT NULL REFERENCES `tblWorkflowDocumentContent`   (`id`) ON DELETE CASCADE,
+  `userid` INTEGER default NULL REFERENCES `tblUsers` (`id`) ON DELETE CASCADE,
+  `transition` INTEGER default NULL REFERENCES `tblWorkflowTransitions` (`id`) ON DELETE CASCADE,
+  `date` datetime NOT NULL,
+  `comment` text
+) ;
+
+-- --------------------------------------------------------
+
 --
 -- Table structure for table `tblWorkflowMandatoryWorkflow`
 --
@@ -596,7 +710,102 @@ CREATE TABLE `tblWorkflowDocumentContent` (
 CREATE TABLE `tblWorkflowMandatoryWorkflow` (
   `userid` INTEGER default NULL REFERENCES `tblUsers` (`id`) ON DELETE CASCADE,
   `workflow` INTEGER default NULL REFERENCES `tblWorkflows` (`id`) ON DELETE CASCADE,
-  UNIQUE(userid, workflow)
+  UNIQUE(`userid`, `workflow`)
+) ;
+
+-- --------------------------------------------------------
+
+--
+-- Table structure for transmittal
+--
+
+CREATE TABLE `tblTransmittals` (
+  `id` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `name` text NOT NULL,
+  `comment` text NOT NULL,
+  `userID` INTEGER NOT NULL default '0' REFERENCES `tblUsers` (`id`) ON DELETE CASCADE,
+  `date` TEXT default NULL,
+  `public` INTEGER NOT NULL default '0'
+);
+
+-- --------------------------------------------------------
+
+--
+-- Table structure for transmittal item
+--
+
+CREATE TABLE `tblTransmittalItems` (
+  `id` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `transmittal` INTEGER NOT NULL DEFAULT '0' REFERENCES `tblTransmittals` (`id`) ON DELETE CASCADE,
+  `document` INTEGER default NULL REFERENCES `tblDocuments` (`id`) ON DELETE CASCADE,
+  `version` INTEGER unsigned NOT NULL default '0',
+  `date` TEXT default NULL,
+  UNIQUE (`transmittal`, `document`, `version`)
+);
+
+-- --------------------------------------------------------
+
+--
+-- Table structure for access request objects
+--
+
+CREATE TABLE `tblAros` (
+  `id` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `parent` INTEGER,
+  `model` TEXT NOT NULL,
+  `foreignid` INTEGER NOT NULL DEFAULT '0',
+  `alias` TEXT
+) ;
+
+
+-- --------------------------------------------------------
+
+--
+-- Table structure for access control objects
+--
+
+CREATE TABLE `tblAcos` (
+  `id` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `parent` INTEGER,
+  `model` TEXT NOT NULL,
+  `foreignid` INTEGER NOT NULL DEFAULT '0',
+  `alias` TEXT
+) ;
+
+-- --------------------------------------------------------
+
+--
+-- Table structure for acos/aros relation
+--
+
+CREATE TABLE `tblArosAcos` (
+  `id` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `aro` INTEGER NOT NULL DEFAULT '0' REFERENCES `tblAros` (`id`) ON DELETE CASCADE,
+  `aco` INTEGER NOT NULL DEFAULT '0' REFERENCES `tblAcos` (`id`) ON DELETE CASCADE,
+  `create` INTEGER NOT NULL DEFAULT '-1',
+  `read` INTEGER NOT NULL DEFAULT '-1',
+  `update` INTEGER NOT NULL DEFAULT '-1',
+  `delete` INTEGER NOT NULL DEFAULT '-1',
+  UNIQUE (`aco`, `aro`)
+) ;
+
+-- --------------------------------------------------------
+
+--
+-- Table structure for table `tblSchedulerTask`
+--
+
+CREATE TABLE `tblSchedulerTask` (
+  `id` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `name` varchar(100) DEFAULT NULL,
+  `description` TEXT DEFAULT NULL,
+  `disabled` INTEGER NOT NULL DEFAULT '0',
+  `extension` varchar(100) DEFAULT NULL,
+  `task` varchar(100) DEFAULT NULL,
+  `frequency` varchar(100) DEFAULT NULL,
+  `params` TEXT DEFAULT NULL,
+  `nextrun` TEXT DEFAULT NULL,
+  `lastrun` TEXT DEFAULT NULL
 ) ;
 
 -- --------------------------------------------------------
@@ -618,7 +827,10 @@ CREATE TABLE `tblVersion` (
 -- Initial content for database
 --
 
+INSERT INTO `tblRoles` (`id`, `name`, `role`) VALUES (1, 'Admin', 1);
+INSERT INTO `tblRoles` (`id`, `name`, `role`) VALUES (2, 'Guest', 2);
+INSERT INTO `tblRoles` (`id`, `name`, `role`) VALUES (3, 'User', 0);
 INSERT INTO `tblUsers` (`id`, `login`, `pwd`, `fullName`, `email`, `language`, `theme`, `comment`, `role`, `hidden`, `pwdExpiration`, `loginfailures`, `disabled`, `quota`, `homefolder`) VALUES (1, 'admin', '21232f297a57a5a743894a0e4a801fc3', 'Administrator', 'info@seeddms.org', '', '', '', 1, 0, '', 0, 0, 0, NULL);
 INSERT INTO `tblUsers` (`id`, `login`, `pwd`, `fullName`, `email`, `language`, `theme`, `comment`, `role`, `hidden`, `pwdExpiration`, `loginfailures`, `disabled`, `quota`, `homefolder`) VALUES (2, 'guest', NULL, 'Guest User', NULL, '', '', '', 2, 0, '', 0, 0, 0, NULL);
 INSERT INTO `tblFolders` (`id`, `name`, `parent`, `folderList`, `comment`, `date`, `owner`, `inheritAccess`, `defaultAccess`, `sequence`) VALUES (1, 'DMS', NULL, '', 'DMS root', strftime('%s','now'), 1, 0, 2, 0);
-INSERT INTO `tblVersion` VALUES (DATETIME(), 5, 1, 0);
+INSERT INTO `tblVersion` VALUES (DATETIME(), 6, 0, 0);

install/update-6.0.0/update-postgres.sql

@@ -0,0 +1,181 @@
+START TRANSACTION;
+
+ALTER TABLE "tblDocumentContent" ADD COLUMN "revisiondate" TIMESTAMP default NULL;
+
+ALTER TABLE "tblUsers" ADD COLUMN "secret" varchar(50) default NULL;
+
+ALTER TABLE "tblWorkflows" ADD COLUMN "layoutdata" text default NULL;
+
+ALTER TABLE "tblWorkflowDocumentContent" ADD COLUMN "id" SERIAL UNIQUE;
+
+ALTER TABLE "tblWorkflowLog" ADD COLUMN "workflowdocumentcontent" INTEGER NOT NULL DEFAULT '0';
+
+UPDATE "tblWorkflowLog" SET "workflowdocumentcontent" = "tblWorkflowDocumentContent"."id" FROM "tblWorkflowDocumentContent" WHERE "tblWorkflowLog"."document" = "tblWorkflowDocumentContent"."document" AND "tblWorkflowLog"."version" = "tblWorkflowDocumentContent"."version" AND "tblWorkflowLog"."workflow" = "tblWorkflowDocumentContent"."workflow";
+
+INSERT INTO "tblWorkflowDocumentContent" ("parentworkflow", "workflow", "document", "version", "state", "date") SELECT 0 AS "parentworkflow", "workflow", "document", "version", NULL AS "state", max("date") AS "date" FROM "tblWorkflowLog" WHERE "workflowdocumentcontent" = 0 GROUP BY "workflow", "document", "version";
+
+UPDATE "tblWorkflowLog" SET "workflowdocumentcontent" = "tblWorkflowDocumentContent"."id" FROM "tblWorkflowDocumentContent" WHERE "tblWorkflowLog"."document" = "tblWorkflowDocumentContent"."document" AND "tblWorkflowLog"."version" = "tblWorkflowDocumentContent"."version" AND "tblWorkflowLog"."workflow" = "tblWorkflowDocumentContent"."workflow";
+
+ALTER TABLE "tblWorkflowLog" ADD CONSTRAINT "tblWorkflowLog_workflowdocumentcontent" FOREIGN KEY ("workflowdocumentcontent") REFERENCES "tblWorkflowDocumentContent" ("id") ON DELETE CASCADE;
+
+ALTER TABLE "tblWorkflowDocumentContent" ADD COLUMN "parent" INTEGER DEFAULT NULL;
+
+ALTER TABLE "tblWorkflowDocumentContent" ADD CONSTRAINT "tblWorkflowDocumentContent_parent" FOREIGN KEY ("parent") REFERENCES "tblWorkflowDocumentContent" ("id") ON DELETE CASCADE;
+
+ALTER TABLE "tblWorkflowDocumentContent" DROP COLUMN "parentworkflow";
+
+ALTER TABLE "tblWorkflowLog" DROP COLUMN "document";
+
+ALTER TABLE "tblWorkflowLog" DROP COLUMN "version";
+
+ALTER TABLE "tblWorkflowLog" DROP COLUMN "workflow";
+
+CREATE TABLE "tblUserSubstitutes" (
+  "id" SERIAL UNIQUE,
+  "user" INTEGER default null,
+  "substitute" INTEGER default null,
+  UNIQUE ("user", "substitute"),
+  CONSTRAINT "tblUserSubstitutes_user" FOREIGN KEY ("user") REFERENCES "tblUsers" ("id") ON DELETE CASCADE,
+  CONSTRAINT "tblUserSubstitutes_substitute" FOREIGN KEY ("user") REFERENCES "tblUsers" ("id") ON DELETE CASCADE
+);
+
+CREATE TABLE "tblDocumentCheckOuts" (
+  "document" INTEGER NOT NULL default '0',
+  "version" INTEGER NOT NULL default '0',
+  "userID" INTEGER NOT NULL default '0',
+  "date" TIMESTAMP NOT NULL,
+  "filename" varchar(255) NOT NULL default '',
+  CONSTRAINT "tblDocumentCheckOuts_document" FOREIGN KEY ("document") REFERENCES "tblDocuments" ("id") ON DELETE CASCADE,
+  CONSTRAINT "tblDocumentCheckOuts_user" FOREIGN KEY ("userID") REFERENCES "tblUsers" ("id") ON DELETE CASCADE
+);
+
+CREATE TABLE "tblDocumentRecipients" (
+  "receiptID" SERIAL UNIQUE,
+  "documentID" INTEGER NOT NULL default '0',
+  "version" INTEGER NOT NULL default '0',
+  "type" INTEGER NOT NULL default '0',
+  "required" INTEGER NOT NULL default '0',
+  UNIQUE ("documentID","version","type","required"),
+  CONSTRAINT "tblDocumentRecipients_document" FOREIGN KEY ("documentID") REFERENCES "tblDocuments" ("id") ON DELETE CASCADE
+);
+
+CREATE TABLE "tblDocumentReceiptLog" (
+  "receiptLogID" SERIAL UNIQUE,
+  "receiptID" INTEGER NOT NULL default '0',
+  "status" INTEGER NOT NULL default '0',
+  "comment" text NOT NULL,
+  "date" TIMESTAMP NOT NULL,
+  "userID" INTEGER NOT NULL default '0',
+  CONSTRAINT "tblDocumentReceiptLog_recipient" FOREIGN KEY ("receiptID") REFERENCES "tblDocumentRecipients" ("receiptID") ON DELETE CASCADE,
+  CONSTRAINT "tblDocumentReceiptLog_user" FOREIGN KEY ("userID") REFERENCES "tblUsers" ("id") ON DELETE CASCADE
+);
+
+CREATE TABLE "tblDocumentRevisors" (
+  "revisionID" SERIAL UNIQUE,
+  "documentID" INTEGER NOT NULL default '0',
+  "version" INTEGER NOT NULL default '0',
+  "type" INTEGER NOT NULL default '0',
+  "required" INTEGER NOT NULL default '0',
+  "startdate" TIMESTAMP default NULL,
+  UNIQUE ("documentID","version","type","required"),
+  CONSTRAINT "tblDocumentRevisors_document" FOREIGN KEY ("documentID") REFERENCES "tblDocuments" ("id") ON DELETE CASCADE
+);
+
+CREATE TABLE "tblDocumentRevisionLog" (
+  "revisionLogID" SERIAL UNIQUE,
+  "revisionID" INTEGER NOT NULL default '0',
+  "status" INTEGER NOT NULL default '0',
+  "comment" text NOT NULL,
+  "date" TIMESTAMP NOT NULL,
+  "userID" INTEGER NOT NULL default '0',
+  CONSTRAINT "tblDocumentRevisionLog_revision" FOREIGN KEY ("revisionID") REFERENCES "tblDocumentRevisors" ("revisionID") ON DELETE CASCADE,
+  CONSTRAINT "tblDocumentRevisionLog_user" FOREIGN KEY ("userID") REFERENCES "tblUsers" ("id") ON DELETE CASCADE
+);
+
+CREATE TABLE "tblTransmittals" (
+  "id" SERIAL UNIQUE,
+  "name" text NOT NULL,
+  "comment" text NOT NULL,
+  "userID" INTEGER NOT NULL default '0',
+  "date" TIMESTAMP default NULL,
+  "public" INTEGER NOT NULL default '0',
+  CONSTRAINT "tblTransmittals_user" FOREIGN KEY ("userID") REFERENCES "tblUsers" ("id") ON DELETE CASCADE
+);
+
+CREATE TABLE "tblTransmittalItems" (
+  "id" SERIAL UNIQUE,
+	"transmittal" INTEGER NOT NULL DEFAULT '0',
+  "document" INTEGER default NULL,
+  "version" INTEGER NOT NULL default '0',
+  "date" TIMESTAMP default NULL,
+  UNIQUE ("transmittal", "document", "version"),
+  CONSTRAINT "tblTransmittalItems_document" FOREIGN KEY ("document") REFERENCES "tblDocuments" ("id") ON DELETE CASCADE,
+  CONSTRAINT "tblTransmittalItem_transmittal" FOREIGN KEY ("transmittal") REFERENCES "tblTransmittals" ("id") ON DELETE CASCADE
+);
+
+CREATE TABLE "tblRoles" (
+  "id" SERIAL UNIQUE,
+  "name" varchar(50) default NULL,
+  "role" INTEGER NOT NULL default '0',
+  "noaccess" varchar(30) NOT NULL default '',
+  UNIQUE ("name")
+);
+
+INSERT INTO "tblRoles" ("id", "name", "role") VALUES (1, 'Admin', 1);
+SELECT nextval('"tblRoles_id_seq"');
+INSERT INTO "tblRoles" ("id", "name", "role") VALUES (2, 'Guest', 2);
+SELECT nextval('"tblRoles_id_seq"');
+INSERT INTO "tblRoles" ("id", "name", "role") VALUES (3, 'User', 0);
+SELECT nextval('"tblRoles_id_seq"');
+
+ALTER TABLE "tblUsers" ALTER "role" DROP DEFAULT;
+ALTER TABLE "tblUsers" ALTER "role" SET NOT NULL;
+UPDATE "tblUsers" SET role=3 WHERE role=0;
+ALTER TABLE "tblUsers" ADD CONSTRAINT "tblUsers_role" FOREIGN KEY ("role") REFERENCES "tblRoles" ("id");
+
+CREATE TABLE "tblAros" (
+  "id" SERIAL UNIQUE,
+  "parent" INTEGER,
+  "model" text NOT NULL,
+  "foreignid" INTEGER NOT NULL DEFAULT '0',
+  "alias" varchar(255)
+);
+
+CREATE TABLE "tblAcos" (
+  "id" SERIAL UNIQUE,
+  "parent" INTEGER,
+  "model" text NOT NULL,
+  "foreignid" INTEGER NOT NULL DEFAULT '0',
+  "alias" varchar(255)
+);
+
+CREATE TABLE "tblArosAcos" (
+  "id" SERIAL UNIQUE,
+  "aro" INTEGER NOT NULL DEFAULT '0',
+  "aco" INTEGER NOT NULL DEFAULT '0',
+  "create" INTEGER NOT NULL DEFAULT '-1',
+  "read" INTEGER NOT NULL DEFAULT '-1',
+  "update" INTEGER NOT NULL DEFAULT '-1',
+  "delete" INTEGER NOT NULL DEFAULT '-1',
+  UNIQUE ("aco", "aro"),
+  CONSTRAINT "tblArosAcos_acos" FOREIGN KEY ("aco") REFERENCES "tblAcos" ("id") ON DELETE CASCADE,
+  CONSTRAINT "tblArosAcos_aros" FOREIGN KEY ("aro") REFERENCES "tblAros" ("id") ON DELETE CASCADE
+);
+
+CREATE TABLE "tblSchedulerTask" (
+  "id" SERIAL UNIQUE,
+  "name" varchar(100) DEFAULT NULL,
+  "description" TEXT DEFAULT NULL,
+  "disabled" INTEGER NOT NULL DEFAULT '0',
+  "extension" varchar(100) DEFAULT NULL,
+  "task" varchar(100) DEFAULT NULL,
+  "frequency" varchar(100) DEFAULT NULL,
+  "params" TEXT DEFAULT NULL,
+  "nextrun" TIMESTAMP DEFAULT NULL,
+  "lastrun" TIMESTAMP DEFAULT NULL
+) ;
+
+UPDATE "tblVersion" set "major"=6, "minor"=0, "subminor"=0;
+
+COMMIT;
+

install/update-6.0.0/update-sqlite3.sql

@@ -0,0 +1,206 @@
+BEGIN;
+
+ALTER TABLE `tblDocumentContent` ADD COLUMN `revisiondate` TEXT default NULL;
+
+ALTER TABLE `tblUsers` ADD COLUMN `secret` varchar(50) default NULL;
+
+ALTER TABLE `tblWorkflows` ADD COLUMN `layoutdata` text default NULL;
+
+CREATE TABLE `new_tblWorkflowDocumentContent` (
+  `id` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `parent` INTEGER DEFAULT NULL REFERENCES `tblWorkflowDocumentContent` (`id`) ON DELETE CASCADE,
+  `workflow` INTEGER DEFAULT NULL REFERENCES `tblWorkflows` (`id`) ON DELETE CASCADE,
+  `document` INTEGER DEFAULT NULL REFERENCES `tblDocuments` (`id`) ON DELETE CASCADE,
+  `version` INTEGER DEFAULT NULL,
+  `state` INTEGER DEFAULT NULL REFERENCES `tblWorkflowStates` (`id`) ON DELETE CASCADE,
+  `date` datetime NOT NULL
+) ;
+
+INSERT INTO `new_tblWorkflowDocumentContent` (`parent`, `workflow`, `document`, `version`,     `state`, `date`) SELECT NULL as `parent`, `workflow`, `document`, `version`, `state`, `date` FROM `tblWorkflowDocumentContent`;
+
+INSERT INTO `new_tblWorkflowDocumentContent` (`parent`, `workflow`, `document`, `version`, `state`, `date`) SELECT NULL, `a`.`workflow`, `a`.`document`, `a`.`version`, NULL AS `state`, max(`a`.`date`) FROM `tblWorkflowLog` `a` LEFT JOIN `tblWorkflowDocumentContent` `b` ON `a`.`document`=`b`.`document` AND `a`.`version`=`b`.`version` AND `a`.`workflow`=`b`.`workflow` WHERE `b`.`document` IS NULL GROUP BY `a`.`document`, `a`.`version`, `a`.`workflow`;
+
+CREATE TABLE `new_tblWorkflowLog` (
+  `id` INTEGER PRIMARY KEY AUTOINCREMENT,
+	`workflowdocumentcontent` INTEGER DEFAULT NULL REFERENCES `tblWorkflowDocumentContent` (`id`) ON DELETE CASCADE,
+  `userid` INTEGER default NULL REFERENCES `tblUsers` (`id`) ON DELETE CASCADE,
+  `transition` INTEGER default NULL REFERENCES `tblWorkflowTransitions` (`id`) ON DELETE CASCADE,
+  `date` datetime NOT NULL,
+  `comment` text
+) ;
+
+INSERT INTO `new_tblWorkflowLog` (`id`, `workflowdocumentcontent`, `userid`, `transition`, `date`, `comment`) SELECT `a`.`id`, `b`.`id`, `a`.`userid`, `a`.`transition`, `a`.`date`, `a`.`comment` FROM `tblWorkflowLog` `a` LEFT JOIN `new_tblWorkflowDocumentContent` `b` ON `a`.`document`=`b`.`document` AND `a`.`version`=`b`.`version` AND `a`.`workflow`=`b`.`workflow` WHERE `b`.`document` IS NOT NULL;
+
+DROP TABLE `tblWorkflowLog`;
+
+ALTER TABLE `new_tblWorkflowLog` RENAME TO `tblWorkflowLog`;
+
+DROP TABLE `tblWorkflowDocumentContent`;
+
+ALTER TABLE `new_tblWorkflowDocumentContent` RENAME TO `tblWorkflowDocumentContent`;
+
+CREATE TABLE `tblUserSubstitutes` (
+  `id` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `user` INTEGER NOT NULL default '0' REFERENCES `tblUsers` (`id`) ON DELETE CASCADE,
+  `substitute` INTEGER NOT NULL default '0' REFERENCES `tblUsers` (`id`) ON DELETE CASCADE,
+  UNIQUE (`user`, `substitute`)
+);
+
+CREATE TABLE `tblDocumentCheckOuts` (
+  `document` INTEGER REFERENCES `tblDocuments` (`id`) ON DELETE CASCADE,
+  `version` INTEGER unsigned NOT NULL default '0',
+  `userID` INTEGER NOT NULL default '0' REFERENCES `tblUsers` (`id`),
+  `date` TEXT NOT NULL,
+  `filename` varchar(255) NOT NULL default '',
+  UNIQUE (`document`)
+) ;
+
+CREATE TABLE `tblDocumentRecipients` (
+  `receiptID` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `documentID` INTEGER NOT NULL default '0' REFERENCES `tblDocuments` (`id`) ON DELETE CASCADE,
+  `version` INTEGER unsigned NOT NULL default '0',
+  `type` INTEGER NOT NULL default '0',
+  `required` INTEGER NOT NULL default '0',
+  UNIQUE (`documentID`,`version`,`type`,`required`)
+) ;
+CREATE INDEX `indDocumentRecipientsRequired` ON `tblDocumentRecipients` (`required`);
+
+CREATE TABLE `tblDocumentReceiptLog` (
+  `receiptLogID` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `receiptID` INTEGER NOT NULL default 0 REFERENCES `tblDocumentRecipients` (`receiptID`) ON DELETE CASCADE,
+  `status` INTEGER NOT NULL default 0,
+  `comment` TEXT NOT NULL,
+  `date` TEXT NOT NULL,
+  `userID` INTEGER NOT NULL default 0 REFERENCES `tblUsers` (`id`) ON DELETE CASCADE
+) ;
+CREATE INDEX `indDocumentReceiptLogReceiptID` ON `tblDocumentReceiptLog` (`receiptID`);
+
+CREATE TABLE `tblDocumentRevisors` (
+  `revisionID` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `documentID` INTEGER NOT NULL default '0' REFERENCES `tblDocuments` (`id`) ON DELETE CASCADE,
+  `version` INTEGER unsigned NOT NULL default '0',
+  `type` INTEGER NOT NULL default '0',
+  `required` INTEGER NOT NULL default '0',
+  `startdate` TEXT default NULL,
+  UNIQUE (`documentID`,`version`,`type`,`required`)
+) ;
+CREATE INDEX `indDocumentRevisorsRequired` ON `tblDocumentRevisors` (`required`);
+
+CREATE TABLE `tblDocumentRevisionLog` (
+  `revisionLogID` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `revisionID` INTEGER NOT NULL default 0 REFERENCES `tblDocumentRevisors` (`revisionID`) ON DELETE CASCADE,
+  `status` INTEGER NOT NULL default 0,
+  `comment` TEXT NOT NULL,
+  `date` TEXT NOT NULL,
+  `userID` INTEGER NOT NULL default 0 REFERENCES `tblUsers` (`id`) ON DELETE CASCADE
+) ;
+CREATE INDEX `indDocumentRevisionLogRevisionID` ON `tblDocumentRevisionLog` (`revisionID`);
+
+CREATE TABLE `tblTransmittals` (
+  `id` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `name` text NOT NULL,
+  `comment` text NOT NULL,
+  `userID` INTEGER NOT NULL default '0' REFERENCES `tblUsers` (`id`) ON DELETE CASCADE,
+  `date` TEXT default NULL,
+  `public` INTEGER NOT NULL default '0'
+);
+
+CREATE TABLE `tblTransmittalItems` (
+  `id` INTEGER PRIMARY KEY AUTOINCREMENT,
+	`transmittal` INTEGER NOT NULL DEFAULT '0' REFERENCES `tblTransmittals` (`id`) ON DELETE CASCADE,
+  `document` INTEGER default NULL REFERENCES `tblDocuments` (`id`) ON DELETE CASCADE,
+  `version` INTEGER unsigned NOT NULL default '0',
+  `date` TEXT default NULL,
+  UNIQUE (transmittal, document, version)
+);
+
+CREATE TABLE `tblRoles` (
+  `id` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `name` varchar(50) default NULL,
+  `role` INTEGER NOT NULL default '0',
+  `noaccess` varchar(30) NOT NULL default '',
+  UNIQUE (`name`)
+);
+
+INSERT INTO `tblRoles` (`id`, `name`, `role`) VALUES (1, 'Admin', 1);
+INSERT INTO `tblRoles` (`id`, `name`, `role`) VALUES (2, 'Guest', 2);
+INSERT INTO `tblRoles` (`id`, `name`, `role`) VALUES (3, 'User', 0);
+
+UPDATE `tblUsers` SET role=3 WHERE role=0;
+
+CREATE TABLE `new_tblUsers` (
+  `id` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `login` varchar(50) default NULL,
+  `pwd` varchar(50) default NULL,
+  `fullName` varchar(100) default NULL,
+  `email` varchar(70) default NULL,
+  `language` varchar(32) NOT NULL,
+  `theme` varchar(32) NOT NULL,
+  `comment` text NOT NULL,
+  `role` INTEGER NOT NULL REFERENCES `tblRoles` (`id`),
+  `hidden` INTEGER NOT NULL default '0',
+  `pwdExpiration` TEXT default NULL,
+  `loginfailures` INTEGER NOT NULL default '0',
+  `disabled` INTEGER NOT NULL default '0',
+  `quota` INTEGER,
+  `homefolder` INTEGER default NULL REFERENCES `tblFolders` (`id`),
+  `secret` varchar(50) default NULL,
+  UNIQUE (`login`)
+);
+
+INSERT INTO new_tblUsers SELECT * FROM tblUsers;
+
+DROP TABLE tblUsers;
+
+ALTER TABLE new_tblUsers RENAME TO tblUsers;
+
+CREATE TABLE `tblAros` (
+  `id` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `parent` INTEGER,
+  `model` TEXT NOT NULL,
+  `foreignid` INTEGER NOT NULL DEFAULT '0',
+  `alias` TEXT
+) ;
+
+CREATE TABLE `tblAcos` (
+  `id` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `parent` INTEGER,
+  `model` TEXT NOT NULL,
+  `foreignid` INTEGER NOT NULL DEFAULT '0',
+  `alias` TEXT
+) ;
+
+CREATE TABLE `tblArosAcos` (
+  `id` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `aro` INTEGER NOT NULL DEFAULT '0' REFERENCES `tblAros` (`id`) ON DELETE CASCADE,
+  `aco` INTEGER NOT NULL DEFAULT '0' REFERENCES `tblAcos` (`id`) ON DELETE CASCADE,
+  `create` INTEGER NOT NULL DEFAULT '-1',
+  `read` INTEGER NOT NULL DEFAULT '-1',
+  `update` INTEGER NOT NULL DEFAULT '-1',
+  `delete` INTEGER NOT NULL DEFAULT '-1',
+  UNIQUE (aco, aro)
+) ;
+
+CREATE INDEX `indDocumentStatusLogStatusID` ON `tblDocumentStatusLog` (`StatusID`);
+CREATE INDEX `indDocumentApproversRequired` ON `tblDocumentApprovers` (`required`);
+CREATE INDEX `indDocumentApproveLogApproveID` ON `tblDocumentApproveLog` (`approveID`);
+CREATE INDEX `indDocumentReviewersRequired` ON `tblDocumentReviewers` (`required`);
+CREATE INDEX `indDocumentReviewLogReviewID` ON `tblDocumentReviewLog` (`reviewID`);
+
+CREATE TABLE `tblSchedulerTask` (
+  `id` INTEGER PRIMARY KEY AUTOINCREMENT,
+  `name` varchar(100) DEFAULT NULL,
+  `description` TEXT DEFAULT NULL,
+  `disabled` INTEGER NOT NULL DEFAULT '0',
+  `extension` varchar(100) DEFAULT NULL,
+  `task` varchar(100) DEFAULT NULL,
+  `frequency` varchar(100) DEFAULT NULL,
+  `params` TEXT DEFAULT NULL,
+  `nextrun` TEXT DEFAULT NULL,
+  `lastrun` TEXT DEFAULT NULL
+) ;
+
+UPDATE tblVersion set major=6, minor=0, subminor=0;
+
+COMMIT;
+

install/update-6.0.0/update.sql

@@ -0,0 +1,200 @@
+START TRANSACTION;
+
+ALTER TABLE `tblDocumentContent` ADD COLUMN `revisiondate` datetime DEFAULT NULL;
+
+ALTER TABLE `tblUsers` ADD COLUMN `secret` varchar(50) DEFAULT NULL AFTER `pwd`;
+
+ALTER TABLE `tblWorkflows` ADD COLUMN `layoutdata` text DEFAULT NULL AFTER `initstate`;
+
+ALTER TABLE `tblWorkflowDocumentContent` ADD COLUMN `id` int(11) NOT NULL AUTO_INCREMENT FIRST, ADD PRIMARY KEY (`id`);
+
+ALTER TABLE `tblWorkflowLog` ADD COLUMN `workflowdocumentcontent` int(11) NOT NULL DEFAULT '0' AFTER `id`;
+
+UPDATE `tblWorkflowLog` a, `tblWorkflowDocumentContent` b SET a.`workflowdocumentcontent` = b.`id` WHERE a.`document` = b.`document` AND a.`version` = b.`version` AND a.`workflow` = b.`workflow`;
+
+INSERT INTO `tblWorkflowDocumentContent` (`parentworkflow`, `workflow`, `document`, `version`, `state`, `date`) SELECT 0 AS `parentworkflow`, `workflow`, `document`, `version`, NULL AS `state`, max(`date`) AS `date` FROM `tblWorkflowLog` WHERE `workflowdocumentcontent` = 0 GROUP BY `workflow`, `document`, `version`;
+
+UPDATE `tblWorkflowLog` a, `tblWorkflowDocumentContent` b SET a.`workflowdocumentcontent` = b.`id` WHERE a.`document` = b.`document` AND a.`version` = b.`version` AND a.`workflow` = b.`workflow`;
+
+ALTER TABLE `tblWorkflowLog` ADD CONSTRAINT `tblWorkflowLog_workflowdocumentcontent` FOREIGN KEY (`workflowdocumentcontent`) REFERENCES `tblWorkflowDocumentContent` (`id`) ON DELETE CASCADE;
+
+ALTER TABLE `tblWorkflowDocumentContent` ADD COLUMN `parent` int(11) DEFAULT NULL AFTER `id`;
+
+ALTER TABLE `tblWorkflowDocumentContent` ADD CONSTRAINT `tblWorkflowDocumentContent_parent` FOREIGN KEY (`parent`) REFERENCES `tblWorkflowDocumentContent` (`id`) ON DELETE CASCADE;
+
+ALTER TABLE `tblWorkflowDocumentContent` DROP COLUMN `parentworkflow`;
+
+ALTER TABLE `tblWorkflowLog` DROP FOREIGN KEY `tblWorkflowLog_document`;
+
+ALTER TABLE `tblWorkflowLog` DROP COLUMN `document`;
+
+ALTER TABLE `tblWorkflowLog` DROP COLUMN `version`;
+
+ALTER TABLE `tblWorkflowLog` DROP FOREIGN KEY `tblWorkflowLog_workflow`;
+
+ALTER TABLE `tblWorkflowLog` DROP COLUMN `workflow`;
+
+CREATE TABLE `tblUserSubstitutes` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `user` int(11) DEFAULT null,
+  `substitute` int(11) DEFAULT null,
+  PRIMARY KEY (`id`),
+  UNIQUE (`user`, `substitute`),
+  CONSTRAINT `tblUserSubstitutes_user` FOREIGN KEY (`user`) REFERENCES `tblUsers` (`id`) ON DELETE CASCADE,
+  CONSTRAINT `tblUserSubstitutes_substitute` FOREIGN KEY (`user`) REFERENCES `tblUsers` (`id`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `tblDocumentCheckOuts` (
+  `document` int(11) NOT NULL DEFAULT '0',
+  `version` smallint(5) unsigned NOT NULL DEFAULT '0',
+  `userID` int(11) NOT NULL DEFAULT '0',
+  `date` datetime NOT NULL,
+  `filename` varchar(255) NOT NULL DEFAULT '',
+  PRIMARY KEY (`document`),
+  CONSTRAINT `tblDocumentCheckOuts_document` FOREIGN KEY (`document`) REFERENCES `tblDocuments` (`id`) ON DELETE CASCADE,
+  CONSTRAINT `tblDocumentCheckOuts_user` FOREIGN KEY (`userID`) REFERENCES `tblUsers` (`id`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `tblDocumentRecipients` (
+  `receiptID` int(11) NOT NULL AUTO_INCREMENT,
+  `documentID` int(11) NOT NULL DEFAULT '0',
+  `version` smallint(5) unsigned NOT NULL DEFAULT '0',
+  `type` tinyint(4) NOT NULL DEFAULT '0',
+  `required` int(11) NOT NULL DEFAULT '0',
+  PRIMARY KEY (`receiptID`),
+  UNIQUE KEY `documentID` (`documentID`,`version`,`type`,`required`),
+  CONSTRAINT `tblDocumentRecipients_document` FOREIGN KEY (`documentID`) REFERENCES `tblDocuments` (`id`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+CREATE INDEX `indDocumentRecipientsRequired` ON `tblDocumentRecipients` (`required`);
+
+CREATE TABLE `tblDocumentReceiptLog` (
+  `receiptLogID` int(11) NOT NULL AUTO_INCREMENT,
+  `receiptID` int(11) NOT NULL DEFAULT '0',
+  `status` tinyint(4) NOT NULL DEFAULT '0',
+  `comment` text NOT NULL,
+  `date` datetime NOT NULL,
+  `userID` int(11) NOT NULL DEFAULT '0',
+  PRIMARY KEY (`receiptLogID`),
+  KEY `tblDocumentReceiptLog_receipt` (`receiptID`),
+  KEY `tblDocumentReceiptLog_user` (`userID`),
+  CONSTRAINT `tblDocumentReceiptLog_recipient` FOREIGN KEY (`receiptID`) REFERENCES `tblDocumentRecipients` (`receiptID`) ON DELETE CASCADE,
+  CONSTRAINT `tblDocumentReceiptLog_user` FOREIGN KEY (`userID`) REFERENCES `tblUsers` (`id`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `tblDocumentRevisors` (
+  `revisionID` int(11) NOT NULL AUTO_INCREMENT,
+  `documentID` int(11) NOT NULL DEFAULT '0',
+  `version` smallint(5) unsigned NOT NULL DEFAULT '0',
+  `type` tinyint(4) NOT NULL DEFAULT '0',
+  `required` int(11) NOT NULL DEFAULT '0',
+  `startdate` datetime DEFAULT NULL,
+  PRIMARY KEY (`revisionID`),
+  UNIQUE KEY `documentID` (`documentID`,`version`,`type`,`required`),
+  CONSTRAINT `tblDocumentRevisors_document` FOREIGN KEY (`documentID`) REFERENCES `tblDocuments` (`id`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+CREATE INDEX `indDocumentRevisorsRequired` ON `tblDocumentRevisors` (`required`);
+
+CREATE TABLE `tblDocumentRevisionLog` (
+  `revisionLogID` int(11) NOT NULL AUTO_INCREMENT,
+  `revisionID` int(11) NOT NULL DEFAULT '0',
+  `status` tinyint(4) NOT NULL DEFAULT '0',
+  `comment` text NOT NULL,
+  `date` datetime NOT NULL,
+  `userID` int(11) NOT NULL DEFAULT '0',
+  PRIMARY KEY (`revisionLogID`),
+  KEY `tblDocumentRevisionLog_revision` (`revisionID`),
+  KEY `tblDocumentRevisionLog_user` (`userID`),
+  CONSTRAINT `tblDocumentRevisionLog_revision` FOREIGN KEY (`revisionID`) REFERENCES `tblDocumentRevisors` (`revisionID`) ON DELETE CASCADE,
+  CONSTRAINT `tblDocumentRevisionLog_user` FOREIGN KEY (`userID`) REFERENCES `tblUsers` (`id`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `tblTransmittals` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `name` text NOT NULL,
+  `comment` text NOT NULL,
+  `userID` int(11) NOT NULL DEFAULT '0',
+  `date` datetime DEFAULT NULL,
+  `public` tinyint(1) NOT NULL DEFAULT '0',
+  PRIMARY KEY  (`id`),
+  CONSTRAINT `tblTransmittals_user` FOREIGN KEY (`userID`) REFERENCES `tblUsers` (`id`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `tblTransmittalItems` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `transmittal` int(11) NOT NULL DEFAULT '0',
+  `document` int(11) DEFAULT NULL,
+  `version` smallint(5) unsigned NOT NULL DEFAULT '0',
+  `date` datetime DEFAULT NULL,
+  PRIMARY KEY  (`id`),
+  UNIQUE (transmittal, document, version),
+  CONSTRAINT `tblTransmittalItems_document` FOREIGN KEY (`document`) REFERENCES `tblDocuments` (`id`) ON DELETE CASCADE,
+  CONSTRAINT `tblTransmittalItem_transmittal` FOREIGN KEY (`transmittal`) REFERENCES `tblTransmittals` (`id`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `tblRoles` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `name` varchar(50) DEFAULT NULL,
+  `role` smallint(1) NOT NULL DEFAULT '0',
+  `noaccess` varchar(30) NOT NULL DEFAULT '',
+  PRIMARY KEY (`id`),
+  UNIQUE (`name`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+INSERT INTO `tblRoles` (`id`, `name`, `role`) VALUES (1, 'Admin', 1);
+INSERT INTO `tblRoles` (`id`, `name`, `role`) VALUES (2, 'Guest', 2);
+INSERT INTO `tblRoles` (`id`, `name`, `role`) VALUES (3, 'User', 0);
+ALTER TABLE `tblRoles` AUTO_INCREMENT=4;
+
+ALTER TABLE tblUsers CHANGE role role int(11) NOT NULL;
+UPDATE `tblUsers` SET role=3 WHERE role=0;
+ALTER TABLE tblUsers ADD CONSTRAINT `tblUsers_role` FOREIGN KEY (`role`) REFERENCES `tblRoles` (`id`);
+
+CREATE TABLE `tblAros` (
+  `id` int(11) NOT NULL auto_increment,
+  `parent` int(11),
+  `model` text NOT NULL,
+  `foreignid` int(11) NOT NULL DEFAULT '0',
+  `alias` varchar(255),
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `tblAcos` (
+  `id` int(11) NOT NULL auto_increment,
+  `parent` int(11),
+  `model` text NOT NULL,
+  `foreignid` int(11) NOT NULL DEFAULT '0',
+  `alias` varchar(255),
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `tblArosAcos` (
+  `id` int(11) NOT NULL auto_increment,
+  `aro` int(11) NOT NULL DEFAULT '0',
+  `aco` int(11) NOT NULL DEFAULT '0',
+  `create` tinyint(4) NOT NULL DEFAULT '-1',
+  `read` tinyint(4) NOT NULL DEFAULT '-1',
+  `update` tinyint(4) NOT NULL DEFAULT '-1',
+  `delete` tinyint(4) NOT NULL DEFAULT '-1',
+  PRIMARY KEY (`id`),
+  UNIQUE (aco, aro),
+  CONSTRAINT `tblArosAcos_acos` FOREIGN KEY (`aco`) REFERENCES `tblAcos` (`id`) ON DELETE CASCADE,
+  CONSTRAINT `tblArosAcos_aros` FOREIGN KEY (`aro`) REFERENCES `tblAros` (`id`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `tblSchedulerTask` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `name` varchar(100) DEFAULT NULL,
+  `description` text DEFAULT NULL,
+  `disabled` smallint(1) NOT NULL DEFAULT '0',
+  `extension` varchar(100) DEFAULT NULL,
+  `task` varchar(100) DEFAULT NULL,
+  `frequency` varchar(100) DEFAULT NULL,
+  `params` text DEFAULT NULL,
+  `nextrun` datetime DEFAULT NULL,
+  `lastrun` datetime DEFAULT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+UPDATE tblVersion set major=6, minor=0, subminor=0;
+
+COMMIT;

install/update-6.0.0/update.txt

@@ -0,0 +1,52 @@
+Caution when you update seeddms with workflow mode `advanced`
+=============================================================
+
+The previous database layout for tracking the workflow state of a
+document content was not very well done. It did not allow to run
+the document through another workflow at a later time, expecially
+the same workflow, e.g. for a scheduled revision of a document.
+
+Technical details
+==================
+This update modifies the tables tblWorkflowDocumentContent and
+tblWorkflowLog. It adds a new autoincrement field as a primary key
+(id) to tblWorkflowDocumentContent and references that field in
+tblWorkflowLog (workflowdocumentcontent). Till now the two tables
+where linked by the fields `document`, `version`, and `workflow` which will
+be replaced by the two new fields. The fields `document`, `version`, and
+`workflow` will be removed from tblWorkflowLog. tblWorkflowDocumentContent
+contained just the workflows currently active for a particlar document.
+From now on the table will also contain finished workflows, which
+will have the field `state` set to null. This allows to run even the
+same workflow again and still be able to distinguish the log entries.
+
+MySQL
+------
+
+The update process will first add the new auto incrementing, primary
+field to tblWorkflowDocumentContent and a referencing field to
+tblWorkflowLog. It will then fill out the referencing field with the
+automatically incremented field value from tblWorkflowDocumentContent
+by joining the two tables with its common fields document, version,
+and workflow.  This will not fill out all referencing field values,
+because once a workflow has ended the record in
+tblWorkflowDocumentContent will be deleted and just the records in
+tblWorkflowLog are kept. The still missing records in
+tblWorkflowDocumentContent for already completed workflows will be
+reconstructed from the records in tblWorkflowLog which do not have a
+reference to tblWorkflowDocumentContent yet. Once that is done the
+referencing field in tblWorkflowLog can be filled in a second pass.
+The date of the new records in tblWorkflowDocumentContent will be
+taken from the last record for that workflow in tblWorkflowLog.  The
+state of the new records will be set null, indicating that this
+workflow is no longer active.
+
+SQLite
+-------
+
+The update process will first create new table for tblWorkflowDocumentContent
+containing a new field for the primary key field. It then copies the
+records from the old table to the new table. The missing records for
+workflows which has been finished already are recreated from the old
+table `tblWorkflowLog`. Which is then replaced by a new table having
+the foreign key to table `tblWorkflowDocumentContent`.

op/op.Acl.php

@@ -0,0 +1,118 @@
+<?php
+//    MyDMS. Document Management System
+//    Copyright (C) 2002-2005  Markus Westphal
+//    Copyright (C) 2006-2008 Malcolm Cowe
+//    Copyright (C) 2010 Matteo Lucarelli
+//    Copyright (C) 2010-2012 Uwe Steinmann
+//
+//    This program is free software; you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation; either version 2 of the License, or
+//    (at your option) any later version.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program; if not, write to the Free Software
+//    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+require_once("../inc/inc.Settings.php");
+require_once("../inc/inc.Utils.php");
+require_once("../inc/inc.LogInit.php");
+require_once("../inc/inc.Language.php");
+require_once("../inc/inc.Init.php");
+require_once("../inc/inc.Extension.php");
+require_once("../inc/inc.DBInit.php");
+require_once("../inc/inc.ClassUI.php");
+require_once("../inc/inc.Authentication.php");
+
+if (!$user->isAdmin()) {
+	$result = array('type'=>'error', 'msg'=>getMLText("access_denied"));
+	echo json_encode($result);
+	exit;
+}
+
+if (isset($_GET["action"])) $action=$_GET["action"];
+else $action=NULL;
+
+if($action == 'add_aro') {
+	if (isset($_GET["roleid"])) {
+		if(!($role = SeedDMS_Core_Role::getInstance((int) $_GET["roleid"], $dms))) {
+			$result = array('type'=>'error', 'msg'=>getMLText("access_denied"));
+			echo json_encode($result);
+			exit;
+		}
+	} else {
+		$result = array('type'=>'error', 'msg'=>getMLText("access_denied"));
+		echo json_encode($result);
+		exit;
+	}
+
+} else {
+	if (isset($_GET["aroid"])) {
+		if(!($aro = SeedDMS_Aro::getInstance((int) $_GET["aroid"], $dms))) {
+			$result = array('type'=>'error', 'msg'=>getMLText("access_denied"));
+			echo json_encode($result);
+			exit;
+		}
+	} else {
+		$result = array('type'=>'error', 'msg'=>getMLText("access_denied"));
+		echo json_encode($result);
+		exit;
+	}
+
+	if (isset($_GET["acoid"])) {
+		if(!($aco = SeedDMS_Aco::getInstance((int) $_GET["acoid"], $dms))) {
+			$result = array('type'=>'error', 'msg'=>getMLText("access_denied"));
+			echo json_encode($result);
+			exit;
+		}
+	} else {
+		$result = array('type'=>'error', 'msg'=>getMLText("access_denied"));
+		echo json_encode($result);
+		exit;
+	}
+}
+
+switch($action) {
+case "toggle_permission":
+	$acl = new SeedDMS_Acl($dms);
+	if($acl->toggle($aro, $aco))
+		$result = array('type'=>'success', 'msg'=>getMLText('success_toogle_permission'));
+	else
+		$result = array('type'=>'error', 'msg'=>getMLText('error_toogle_permission'));
+	header('Content-Type: application/json');
+	echo json_encode($result);
+	break;
+case "add_permission":
+	$acl = new SeedDMS_Acl($dms);
+	if($acl->add($aro, $aco))
+		$result = array('type'=>'success', 'msg'=>getMLText('success_add_permission'));
+	else
+		$result = array('type'=>'error', 'msg'=>getMLText('error_add_permission'));
+	header('Content-Type: application/json');
+	echo json_encode($result);
+	break;
+case "remove_permission":
+	$acl = new SeedDMS_Acl($dms);
+	if($acl->remove($aro, $aco))
+		$result = array('type'=>'success', 'msg'=>getMLText('success_remove_permission'));
+	else
+		$result = array('type'=>'error', 'msg'=>getMLText('error_remove_permission'));
+	header('Content-Type: application/json');
+	echo json_encode($result);
+	break;
+case "add_aro":
+	if(SeedDMS_Aro::getInstance($role, $dms)) {
+		$result = array('type'=>'success', 'msg'=>getMLText('success_add_aro'));
+	} else {
+		$result = array('type'=>'error', 'msg'=>getMLText('error_add_aro'));
+	}
+	header('Content-Type: application/json');
+	echo json_encode($result);
+	break;
+}
+

op/op.AddDocument.php

@@ -69,8 +69,9 @@ if($settings->_quota > 0) {
 	}
 }
 
-if($user->isAdmin()) {
-	$ownerid = !empty($_POST['ownerid']) ? (int) $_POST["ownerid"] : null;
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if ($accessop->check_controller_access($controller, array('action'=>'setOwner'))) {
+	$ownerid = (int) $_POST["ownerid"];
 	if($ownerid) {
 		if(!($owner = $dms->getUser($ownerid))) {
 			UI::exitError(getMLText("folder_title", array("foldername" => $folder->getName())),getMLText("error_occured"));
@@ -173,10 +174,13 @@ default:
 // Get the list of reviewers and approvers for this document.
 $reviewers = array();
 $approvers = array();
+$recipients = array();
 $reviewers["i"] = array();
 $reviewers["g"] = array();
 $approvers["i"] = array();
 $approvers["g"] = array();
+$recipients["i"] = array();
+$recipients["g"] = array();
 $workflow = null;
 
 if($settings->_workflowMode == 'traditional' || $settings->_workflowMode == 'traditional_only_approval') {
@@ -193,6 +197,16 @@ if($settings->_workflowMode == 'traditional' || $settings->_workflowMode == 'tra
 				$reviewers["g"][] = $grp;
 			}
 		}
+		// Retrieve the list of reviewer groups whose members become individual reviewers
+		if (isset($_POST["grpIndReviewers"])) {
+			foreach ($_POST["grpIndReviewers"] as $grp) {
+				if($group = $dms->getGroup($grp)) {
+					$members = $group->getUsers();
+					foreach($members as $member)
+						$reviewers["i"][] = $member->getID();
+				}
+			}
+		}
 	}
 
 	// Retrieve the list of individual approvers from the form.
@@ -207,6 +221,17 @@ if($settings->_workflowMode == 'traditional' || $settings->_workflowMode == 'tra
 			$approvers["g"][] = $grp;
 		}
 	}
+	// Retrieve the list of reviewer groups whose members become individual approvers
+	if (isset($_POST["grpIndApprovers"])) {
+		foreach ($_POST["grpIndApprovers"] as $grp) {
+			if($group = $dms->getGroup($grp)) {
+				$members = $group->getUsers();
+				foreach($members as $member)
+					$approvers["i"][] = $member->getID();
+			}
+		}
+	}
+
 	// add mandatory reviewers/approvers
 	if($settings->_workflowMode == 'traditional') {
 		$mreviewers = getMandatoryReviewers($folder, null, $user);
@@ -244,6 +269,35 @@ if($settings->_workflowMode == 'traditional' || $settings->_workflowMode == 'tra
 	}
 }
 
+// Retrieve the list of individual recipients from the form.
+$recipients["i"] = array();
+if (isset($_POST["indRecipients"])) {
+	foreach ($_POST["indRecipients"] as $ind) {
+		$recipients["i"][] = $ind;
+	}
+}
+// Retrieve the list of recipient groups from the form.
+$recipients["g"] = array();
+if (isset($_POST["grpRecipients"])) {
+	foreach ($_POST["grpRecipients"] as $grp) {
+		$recipients["g"][] = $grp;
+	}
+}
+// Retrieve the list of recipient groups whose members become individual recipients
+if (isset($_POST["grpIndRecipients"])) {
+	foreach ($_POST["grpIndRecipients"] as $grp) {
+		if($group = $dms->getGroup($grp)) {
+			$members = $group->getUsers();
+			foreach($members as $member) {
+				/* Do not add the uploader itself and reviewers */
+				if(!$settings->_enableFilterReceipt || ($member->getID() != $user->getID() && !in_array($member->getID(), $reviewers['i'])))
+					if(!in_array($member->getID(), $recipients["i"]))
+						$recipients["i"][] = $member->getID();
+			}
+		}
+	}
+}
+
 function reArrayFiles(&$file_post) {
 	$file_ary = array();
 	$file_count = count($file_post['name']);
@@ -306,6 +360,31 @@ if(isset($_POST[$prefix.'-fine-uploader-uuids']) && $_POST[$prefix.'-fine-upload
 	}
 }
 
+if($settings->_libraryFolder) {
+	if(isset($_POST["librarydoc"]) && $_POST["librarydoc"]) {
+		if($clonedoc = $dms->getDocument($_POST["librarydoc"])) {
+			if($content = $clonedoc->getLatestContent()) {
+				$docsource = 'library';
+				$fullfile = tempnam(sys_get_temp_dir(), '');
+				if(SeedDMS_Core_File::copyFile($dms->contentDir . $content->getPath(), $fullfile)) {
+					if($_POST["name"]!="") {
+						$oext = pathinfo($content->getOriginalFileName(), PATHINFO_EXTENSION);
+						$origfilename = getFilenameByDocname(trim($_POST['name'])).".".$oext;
+					} else
+						$origfilename = $content->getOriginalFileName();
+					$file_ary[] = array(
+						'tmp_name' => $fullfile,
+						'type' => $content->getMimeType(),
+						'name' => $origfilename,
+						'size' => $content->getFileSize(),
+						'error' => 0,
+						'source' => 'library',
+					);
+				}
+			}
+		}
+	}
+}
 if($controller->hasHook('getDocument')) {
 	$file_ary = array_merge($file_ary, $controller->callHook('getDocument', $_POST));
 }
@@ -393,6 +472,7 @@ foreach($file_ary as $file) {
 	$controller->setParam('sequence', $sequence);
 	$controller->setParam('reviewers', $reviewers);
 	$controller->setParam('approvers', $approvers);
+	$controller->setParam('recipients', $recipients);
 	$controller->setParam('reqversion', $reqversion);
 	$controller->setParam('versioncomment', $version_comment);
 	$controller->setParam('attributes', $attributes);
@@ -400,6 +480,7 @@ foreach($file_ary as $file) {
 	$controller->setParam('workflow', $workflow);
 	$controller->setParam('notificationgroups', $notgroups);
 	$controller->setParam('notificationusers', $notusers);
+	$controller->setParam('initialdocumentstatus', $settings->_initialDocumentStatus);
 	$controller->setParam('maxsizeforfulltext', $settings->_maxSizeForFullText);
 	$controller->setParam('defaultaccessdocs', $settings->_defaultAccessDocs);
 

op/op.AddDocumentLink.php

@@ -73,4 +73,5 @@ if (!$document->addDocumentLink($docid, $user->getID(), $public)){
 }
 
 header("Location:../out/out.ViewDocument.php?documentid=".$documentid."&currenttab=links");
+
 ?>

op/op.AddToTransmittal.php

@@ -0,0 +1,85 @@
+<?php
+//    MyDMS. Document Management System
+//    Copyright (C) 2002-2005  Markus Westphal
+//    Copyright (C) 2006-2008 Malcolm Cowe
+//
+//    This program is free software; you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation; either version 2 of the License, or
+//    (at your option) any later version.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program; if not, write to the Free Software
+//    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+include("../inc/inc.Settings.php");
+include("../inc/inc.Utils.php");
+include("../inc/inc.LogInit.php");
+include("../inc/inc.Language.php");
+include("../inc/inc.Init.php");
+include("../inc/inc.Extension.php");
+include("../inc/inc.DBInit.php");
+include("../inc/inc.ClassUI.php");
+include("../inc/inc.Authentication.php");
+
+/* Check if the form data comes for a trusted request */
+if(!checkFormKey('addtotransmittal')) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
+}
+
+if (!isset($_POST["documentid"]) || !is_numeric($_POST["documentid"]) || intval($_POST["documentid"])<1) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
+}
+$documentid = $_POST["documentid"];
+$document = $dms->getDocument($documentid);
+
+if (!is_object($document)) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
+}
+
+if ($document->getAccessMode($user) < M_READ) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
+}
+
+if (!isset($_POST["version"]) || !is_numeric($_POST["version"]) || intval($_POST["version"])<1) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("invalid_version"));
+}
+
+$version_num = $_POST["version"];
+$version = $document->getContentByVersion($version_num);
+
+if (!is_object($version)) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("invalid_version"));
+}
+
+if (!isset($_POST["assignTo"]) || !is_numeric($_POST["assignTo"]) || intval($_POST["assignTo"])<1) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("invalid_version"));
+}
+
+$transmittalid = $_POST["assignTo"];
+$transmittal = $dms->getTransmittal($transmittalid);
+
+if (!is_object($transmittal)) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("invalid_version"));
+}
+
+if ($transmittal->getUser()->getID() != $user->getID()) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("invalid_transmittal"));
+}
+
+if($transmittal->addContent($version)) {
+	$session->setSplashMsg(array('type'=>'success', 'msg'=>getMLText('splash_add_to_transmittal')));
+} else {
+	$session->setSplashMsg(array('type'=>'error', 'msg'=>getMLText('splash_error_add_to_transmittal')));
+}
+
+add_log_line("?documentid=".$documentid."&version".$version_num);
+
+header("Location:../out/out.ViewDocument.php?documentid=".$documentid);
+
+?>

op/op.AddTransmittal.php

@@ -0,0 +1,49 @@
+<?php
+//    MyDMS. Document Management System
+//    Copyright (C) 2002-2005  Markus Westphal
+//    Copyright (C) 2006-2008 Malcolm Cowe
+//    Copyright (C) 2010 Matteo Lucarelli
+//
+//    This program is free software; you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation; either version 2 of the License, or
+//    (at your option) any later version.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program; if not, write to the Free Software
+//    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+include("../inc/inc.Settings.php");
+include("../inc/inc.Utils.php");
+include("../inc/inc.LogInit.php");
+include("../inc/inc.Language.php");
+include("../inc/inc.Init.php");
+include("../inc/inc.Extension.php");
+include("../inc/inc.DBInit.php");
+include("../inc/inc.ClassUI.php");
+include("../inc/inc.Authentication.php");
+
+/* Check if the form data comes for a trusted request */
+if(!checkFormKey('addtransmittal')) {
+	UI::exitError(getMLText("my_documents"), getMLText("invalid_request_token"));
+}
+
+$name = $_POST["name"];
+$comment = $_POST["comment"];
+
+$transmittal = $dms->addTransmittal($name, $comment, $user);
+
+if (!is_object($transmittal)) {
+	UI::exitError(getMLText("my_documents"), getMLText("error_occured"));
+}
+
+add_log_line("?name=".$name);
+
+header("Location:../out/out.MyDocuments.php");
+
+?>

op/op.Ajax.php

@@ -53,9 +53,12 @@ if (isset($_COOKIE["mydms_session"])) {
 		echo json_encode(array('error'=>1));
 		exit;
 	}
-	if($user->isAdmin()) {
-		if($resArr["su"]) {
-			$user = $dms->getUser($resArr["su"]);
+
+	if($resArr["su"] && $su = $dms->getUser($resArr["su"])) {
+		if($user->isAdmin() || $user->maySwitchToUser($su)) {
+			$user = $su;
+		} else {
+			$session->resetSu();
 		}
 	}
 	$dms->setUser($user);
@@ -63,6 +66,8 @@ if (isset($_COOKIE["mydms_session"])) {
 		$dms->checkWithinRootDir = true;
 		$dms->setRootFolderID($user->getHomeFolder());
 	}
+	$role = $user->getRole();
+	$dms->noReadForStatus = $role->getNoAccess();
 
 	include $settings->_rootDir . "languages/" . $resArr["language"] . "/lang.inc";
 } else {
@@ -105,11 +110,13 @@ switch($command) {
 		}	
 		break; /* }}} */
 
+		/* Used for document chooser */
 	case 'searchdocument': /* {{{ */
 		if($user) {
 			$query = $_GET['query'];
+			$status = isset($_GET['status']) ? (is_array($_GET['status']) ? $_GET['status'] : array($_GET['status'])) : array();
 
-			$hits = $dms->search($query, $limit=0, $offset=0, $logicalmode='AND', $searchin=array(), $startFolder=$dms->getRootFolder(), $owner=null, $status = array(), $creationstartdate=array(), $creationenddate=array(), $modificationstartdate=array(), $modificationenddate=array(), $categories=array(), $attributes=array(), $mode=0x1, $expirationstartdate=array(), $expirationenddate=array());
+			$hits = $dms->search($query, $limit=0, $offset=0, $logicalmode='AND', $searchin=array(), $startFolder=$dms->getRootFolder(), $owner=null, $status, $creationstartdate=array(), $creationenddate=array(), $modificationstartdate=array(), $modificationenddate=array(), $categories=array(), $attributes=array(), $mode=0x1, $expirationstartdate=array(), $expirationenddate=array());
 			if($hits) {
 				$result = array();
 				foreach($hits['docs'] as $hit) {
@@ -896,6 +903,7 @@ switch($command) {
 				$controller->setParam('workflow', $workflow);
 				$controller->setParam('notificationgroups', array());
 				$controller->setParam('notificationusers', array());
+				$controller->setParam('initialdocumentstatus', $settings->_initialDocumentStatus);
 				$controller->setParam('maxsizeforfulltext', $settings->_maxSizeForFullText);
 				$controller->setParam('defaultaccessdocs', $settings->_defaultAccessDocs);
 
@@ -927,6 +935,41 @@ switch($command) {
 		}
 		break; /* }}} */
 
+		/* Deprecated, has moved to op/op.TransmittalMgr.php */
+	case '___removetransmittalitem': /* {{{ */
+		if($user) {
+			if(!checkFormKey('removetransmittalitem', 'GET')) {
+				header('Content-Type: application/json');
+				echo json_encode(array('success'=>false, 'message'=>getMLText('invalid_request_token'), 'data'=>''));
+			} else {
+				$item = SeedDMS_Core_TransmittalItem::getInstance((int) $_REQUEST['id'], $dms);
+				if($item) {
+					$transmittal = $item->getTransmittal();
+					if($transmittal) {
+						if ($transmittal->getUser()->getID() == $user->getID()) {
+							if($item->remove()) {
+								header('Content-Type: application/json');
+								echo json_encode(array('success'=>true, 'message'=>'', 'data'=>''));
+							} else {
+								header('Content-Type: application/json');
+								echo json_encode(array('success'=>false, 'message'=>'Error removing transmittal item', 'data'=>''));
+							}
+						} else {
+							header('Content-Type: application/json');
+							echo json_encode(array('success'=>false, 'message'=>'No access', 'data'=>''));
+						}
+					} else {
+						header('Content-Type: application/json');
+						echo json_encode(array('success'=>false, 'message'=>'No transmittal', 'data'=>''));
+					}
+				} else {
+					header('Content-Type: application/json');
+					echo json_encode(array('success'=>false, 'message'=>'No transmittal item', 'data'=>''));
+				}
+			}
+		}
+		break; /* }}} */
+
 	case 'updatedocument': /* {{{ */
 		if($user) {
 			if(checkFormKey('')) {
@@ -1083,6 +1126,41 @@ switch($command) {
 		}
 		break; /* }}} */
 
+		/* Deprecated, has moved to op/op.TransmittalMgr.php */
+	case '___updatetransmittalitem': /* {{{ */
+		if($user) {
+			if(!checkFormKey('updatetransmittalitem', 'GET')) {
+				header('Content-Type: application/json');
+				echo json_encode(array('success'=>false, 'message'=>getMLText('invalid_request_token'), 'data'=>''));
+			} else {
+				$item = SeedDMS_Core_TransmittalItem::getInstance((int) $_REQUEST['id'], $dms);
+				if($item) {
+					$transmittal = $item->getTransmittal();
+					if($transmittal) {
+						if ($transmittal->getUser()->getID() == $user->getID()) {
+							if($item->updateContent()) {
+								header('Content-Type: application/json');
+								echo json_encode(array('success'=>true, 'message'=>'', 'data'=>''));
+							} else {
+								header('Content-Type: application/json');
+								echo json_encode(array('success'=>false, 'message'=>'Error removing transmittal item', 'data'=>''));
+							}
+						} else {
+							header('Content-Type: application/json');
+							echo json_encode(array('success'=>false, 'message'=>'No access', 'data'=>''));
+						}
+					} else {
+						header('Content-Type: application/json');
+						echo json_encode(array('success'=>false, 'message'=>'No transmittal', 'data'=>''));
+					}
+				} else {
+					header('Content-Type: application/json');
+					echo json_encode(array('success'=>false, 'message'=>'No transmittal item', 'data'=>''));
+				}
+			}
+		}
+		break; /* }}} */
+
 	case 'addfolder': /* {{{ */
 		if($user) {
 			if(checkFormKey('')) {

op/op.ApproveDocument.php

@@ -32,6 +32,7 @@ include("../inc/inc.ClassController.php");
 
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
 
 /* Check if the form data comes from a trusted request */
 if(!checkFormKey('approvedocument')) {
@@ -72,11 +73,8 @@ if ($latestContent->getVersion()!=$version) {
 	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("invalid_version"));
 }
 
-/* Create object for checking access to certain operations */
-$accessop = new SeedDMS_AccessOperation($dms, $document, $user, $settings);
-
 // verify if document may be approved
-if (!$accessop->mayApprove()){
+if (!$accessop->mayApprove($document)){
 	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
 }
 
@@ -96,7 +94,7 @@ $controller->setParam('type', $_POST['approvalType']);
 $controller->setParam('status', $_POST['approvalStatus']);
 $controller->setParam('content', $latestContent);
 $controller->setParam('file', !empty($_FILES["approvalfile"]["tmp_name"]) ? $_FILES["approvalfile"]["tmp_name"] : '');
-$controller->setParam('group', !empty($_POST['approvalGroup']) ?	$dms->getGroup($_POST['approvalGroup']) : null);
+$controller->setParam('group', !empty($_POST['approvalGroup']) ? $dms->getGroup($_POST['approvalGroup']) : null);
 if(!$controller()) {
 	$err = $controller->getErrorMsg();
 	if(is_string($err))

op/op.CancelCheckOut.php

@@ -0,0 +1,56 @@
+<?php
+//    SeedDMS. Document Management System
+//    Copyright (C) 2015 Uwe Steinmann
+//
+//    This program is free software; you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation; either version 2 of the License, or
+//    (at your option) any later version.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program; if not, write to the Free Software
+//    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+include("../inc/inc.Settings.php");
+include("../inc/inc.Utils.php");
+include("../inc/inc.LogInit.php");
+include("../inc/inc.Language.php");
+include("../inc/inc.Init.php");
+include("../inc/inc.Extension.php");
+include("../inc/inc.DBInit.php");
+include("../inc/inc.ClassUI.php");
+include("../inc/inc.Authentication.php");
+
+/* Check if the form data comes from a trusted request */
+if(!checkFormKey('cancelcheckout')) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
+}
+
+if (!isset($_POST["documentid"]) || !is_numeric($_POST["documentid"]) || intval($_POST["documentid"])<1) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
+}
+
+$documentid = $_POST["documentid"];
+$document = $dms->getDocument($documentid);
+
+$checkoutstatus = $document->checkOutStatus();
+/* Check out of files which has been changed, can only be canceled if allowed in the configuration */
+if($checkoutstatus == 0 && empty($settings->_enableCancelCheckout)) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("operation_disallowed"));
+}
+
+if(empty($_POST['confirm'])) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("operation_disallowed"));
+}
+
+if(!$document->cancelCheckOut()) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("error_cancel_checkout"));
+}
+$session->setSplashMsg(array('type'=>'success', 'msg'=>getMLText('splash_cancel_checkout')));
+add_log_line("?documentid=".$documentid);
+header("Location:../out/out.ViewDocument.php?documentid=".$documentid);

op/op.CheckInDocument.php

@@ -0,0 +1,311 @@
+<?php
+//    SeedDMS. Document Management System
+//    Copyright (C) 2015 Uwe Steinmann
+//
+//    This program is free software; you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation; either version 2 of the License, or
+//    (at your option) any later version.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program; if not, write to the Free Software
+//    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+include("../inc/inc.Settings.php");
+include("../inc/inc.Utils.php");
+include("../inc/inc.LogInit.php");
+include("../inc/inc.Language.php");
+include("../inc/inc.Init.php");
+include("../inc/inc.Extension.php");
+include("../inc/inc.DBInit.php");
+include("../inc/inc.Authentication.php");
+include("../inc/inc.ClassUI.php");
+include("../inc/inc.ClassController.php");
+
+$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
+$controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if (!$accessop->check_controller_access($controller, $_POST)) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
+}
+
+/* if post_max_size is to small, then $_POST will not be set and the content
+ * lenght will exceed post_max_size
+ */
+if(empty($_POST) && $_SERVER['CONTENT_LENGTH'] > SeedDMS_Core_File::parse_filesize(ini_get('post_max_size'))) {
+	UI::exitError(getMLText("folder_title", array("foldername" => '')),getMLText("uploading_postmaxsize"));
+}
+
+/* Check if the form data comes from a trusted request */
+if(!checkFormKey('checkindocument')) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
+}
+
+if (!isset($_POST["documentid"]) || !is_numeric($_POST["documentid"]) || intval($_POST["documentid"])<1) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
+}
+
+$documentid = $_POST["documentid"];
+$document = $dms->getDocument($documentid);
+$folder = $document->getFolder();
+
+if (!is_object($document)) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
+}
+
+if ($document->getAccessMode($user, 'checkinDocument') < M_READWRITE) {
+	UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("access_denied"));
+}
+
+if($settings->_quota > 0) {
+	$remain = checkQuota($user);
+	if ($remain < 0) {
+		UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("quota_exceeded", array('bytes'=>SeedDMS_Core_File::format_filesize(abs($remain)))));
+	}
+}
+
+if ($document->isLocked()) {
+	$lockingUser = $document->getLockingUser();
+	if (($lockingUser->getID() != $user->getID()) && ($document->getAccessMode($user) != M_ALL)) {
+		UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("no_update_cause_locked"));
+	}
+	else $document->setLocked(false);
+}
+
+if(!$accessop->mayCheckIn($document)) {
+	UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("access_denied"));
+}
+
+if(isset($_POST["comment"]))
+	$comment  = $_POST["comment"];
+else
+	$comment = "";
+
+$oldexpires = $document->getExpires();
+switch($_POST["presetexpdate"]) {
+case "date":
+	$expires = makeTsFromDate($_POST["expdate"]);
+//	$tmp = explode('-', $_POST["expdate"]);
+//	$expires = mktime(0,0,0, $tmp[1], $tmp[2], $tmp[0]);
+	break;
+case "1w":
+	$tmp = explode('-', date('Y-m-d'));
+	$expires = mktime(0,0,0, $tmp[1], $tmp[2]+7, $tmp[0]);
+	break;
+case "1m":
+	$tmp = explode('-', date('Y-m-d'));
+	$expires = mktime(0,0,0, $tmp[1]+1, $tmp[2], $tmp[0]);
+	break;
+case "1y":
+	$tmp = explode('-', date('Y-m-d'));
+	$expires = mktime(0,0,0, $tmp[1], $tmp[2], $tmp[0]+1);
+	break;
+case "2y":
+	$tmp = explode('-', date('Y-m-d'));
+	$expires = mktime(0,0,0, $tmp[1], $tmp[2], $tmp[0]+2);
+	break;
+case "never":
+default:
+	$expires = null;
+	break;
+}
+
+	// Get the list of reviewers and approvers for this document.
+	$reviewers = array();
+	$approvers = array();
+	$recipients = array();
+	$reviewers["i"] = array();
+	$reviewers["g"] = array();
+	$approvers["i"] = array();
+	$approvers["g"] = array();
+	$recipients["i"] = array();
+	$recipients["g"] = array();
+	$workflow = null;
+
+	if($settings->_workflowMode == 'traditional' || $settings->_workflowMode == 'traditional_only_approval') {
+		if($settings->_workflowMode == 'traditional') {
+			// Retrieve the list of individual reviewers from the form.
+			$reviewers["i"] = array();
+			if (isset($_POST["indReviewers"])) {
+				foreach ($_POST["indReviewers"] as $ind) {
+					$reviewers["i"][] = $ind;
+				}
+			}
+			// Retrieve the list of reviewer groups from the form.
+			$reviewers["g"] = array();
+			if (isset($_POST["grpReviewers"])) {
+				foreach ($_POST["grpReviewers"] as $grp) {
+					$reviewers["g"][] = $grp;
+				}
+			}
+			// Retrieve the list of reviewer groups whose members become individual reviewers
+			if (isset($_POST["grpIndReviewers"])) {
+				foreach ($_POST["grpIndReviewers"] as $grp) {
+					if($group = $dms->getGroup($grp)) {
+						$members = $group->getUsers();
+						foreach($members as $member)
+							$reviewers["i"][] = $member->getID();
+					}
+				}
+			}
+		}
+
+		// Retrieve the list of individual approvers from the form.
+		$approvers["i"] = array();
+		if (isset($_POST["indApprovers"])) {
+			foreach ($_POST["indApprovers"] as $ind) {
+				$approvers["i"][] = $ind;
+			}
+		}
+		// Retrieve the list of approver groups from the form.
+		$approvers["g"] = array();
+		if (isset($_POST["grpApprovers"])) {
+			foreach ($_POST["grpApprovers"] as $grp) {
+				$approvers["g"][] = $grp;
+			}
+		}
+		// Retrieve the list of reviewer groups whose members become individual approvers
+		if (isset($_POST["grpIndApprovers"])) {
+			foreach ($_POST["grpIndApprovers"] as $grp) {
+				if($group = $dms->getGroup($grp)) {
+					$members = $group->getUsers();
+					foreach($members as $member)
+						$approvers["i"][] = $member->getID();
+				}
+			}
+		}
+
+		// add mandatory reviewers/approvers
+		if($settings->_workflowMode == 'traditional') {
+			$mreviewers = getMandatoryReviewers($folder, $document, $user);
+			if($mreviewers['i'])
+				$reviewers['i'] = array_merge($reviewers['i'], $mreviewers['i']);
+			if($mreviewers['g'])
+				$reviewers['g'] = array_merge($reviewers['g'], $mreviewers['g']);
+		}
+		$mapprovers = getMandatoryApprovers($folder, $document, $user);
+		if($mapprovers['i'])
+			$approvers['i'] = array_merge($approvers['i'], $mapprovers['i']);
+		if($mapprovers['g'])
+			$approvers['g'] = array_merge($approvers['g'], $mapprovers['g']);
+
+		if($settings->_workflowMode == 'traditional' && !$settings->_allowReviewerOnly) {
+			/* Check if reviewers are send but no approvers */
+			if(($reviewers["i"] || $reviewers["g"]) && !$approvers["i"] && !$approvers["g"]) {
+				UI::exitError(getMLText("folder_title", array("foldername" => $folder->getName())),getMLText("error_uploading_reviewer_only"));
+			}
+		}
+	} elseif($settings->_workflowMode == 'advanced') {
+		if(!$workflows = $user->getMandatoryWorkflows()) {
+			if(isset($_POST["workflow"]))
+				$workflow = $dms->getWorkflow($_POST["workflow"]);
+			else
+				$workflow = null;
+		} else {
+			/* If there is excactly 1 mandatory workflow, then set no matter what has
+			 * been posted in 'workflow', otherwise check if the posted workflow is in the
+			 * list of mandatory workflows. If not, then take the first one.
+			 */
+			$workflow = array_shift($workflows);
+			foreach($workflows as $mw)
+				if($mw->getID() == $_POST['workflow']) {$workflow = $mw; break;}
+		}
+	}
+
+	// Retrieve the list of individual recipients from the form.
+	$recipients["i"] = array();
+	if (isset($_POST["indRecipients"])) {
+		foreach ($_POST["indRecipients"] as $ind) {
+			$recipients["i"][] = $ind;
+		}
+	}
+	// Retrieve the list of recipient groups from the form.
+	$recipients["g"] = array();
+	if (isset($_POST["grpRecipients"])) {
+		foreach ($_POST["grpRecipients"] as $grp) {
+			$recipients["g"][] = $grp;
+		}
+	}
+	// Retrieve the list of recipient groups whose members become individual recipients
+	if (isset($_POST["grpIndRecipients"])) {
+		foreach ($_POST["grpIndRecipients"] as $grp) {
+			if($group = $dms->getGroup($grp)) {
+				$members = $group->getUsers();
+				foreach($members as $member) {
+					/* Do not add the uploader itself as recipient */
+					if(!$settings->_enableFilterReceipt || ($member->getID() != $user->getID() && !in_array($member->getID(), $reviewers['i'])))
+						if(!in_array($member->getID(), $recipients["i"]))
+							$recipients["i"][] = $member->getID();
+				}
+			}
+		}
+	}
+
+	if(isset($_POST["attributes_version"]) && $_POST["attributes_version"]) {
+		$attributes = $_POST["attributes_version"];
+		foreach($attributes as $attrdefid=>$attribute) {
+			$attrdef = $dms->getAttributeDefinition($attrdefid);
+			if($attribute) {
+				switch($attrdef->getType()) {
+				case SeedDMS_Core_AttributeDefinition::type_date:
+					$attribute = date('Y-m-d', makeTsFromDate($attribute));
+					break;
+				}
+				if(!$attrdef->validate($attribute, null, true)) {
+					$errmsg = getAttributeValidationText($attrdef->getValidationError(), $attrdef->getName(), $attribute);
+					UI::exitError(getMLText("document_title", array("documentname" => $document->getName())), $errmsg);
+				}
+			} elseif($attrdef->getMinValues() > 0) {
+				UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("attr_min_values", array("attrname"=>$attrdef->getName())));
+			}
+		}
+	} else {
+		$attributes = array();
+	}
+
+	$controller->setParam('documentsource', 'checkin');
+	$controller->setParam('folder', $folder);
+	$controller->setParam('document', $document);
+	$controller->setParam('fulltextservice', $fulltextservice);
+	$controller->setParam('comment', $comment);
+	if($oldexpires != $expires)
+		$controller->setParam('expires', $expires);
+	$controller->setParam('reviewers', $reviewers);
+	$controller->setParam('approvers', $approvers);
+	$controller->setParam('recipients', $recipients);
+	$controller->setParam('attributes', $attributes);
+	$controller->setParam('workflow', $workflow);
+	$controller->setParam('initialdocumentstatus', $settings->_initialDocumentStatus);
+	$controller->setParam('maxsizeforfulltext', $settings->_maxSizeForFullText);
+
+	if(!$content = $controller()) {
+		$err = $controller->getErrorMsg();
+		if(is_string($err))
+			$errmsg = getMLText($err);
+		elseif(is_array($err)) {
+			$errmsg = getMLText($err[0], $err[1]);
+		} else {
+			$errmsg = $err;
+		}
+		UI::exitError(getMLText("document_title", array("documentname" => $document->getName())), $errmsg);
+	} else {
+		if($controller->hasHook('cleanUpDocument')) {
+			$controller->callHook('cleanUpDocument', $document, $file);
+		}
+		// Send notification to subscribers.
+		if($notifier) {
+			$notifier->sendNewDocumentVersionMail($document, $user);
+
+			$notifier->sendChangedExpiryMail($document, $user, $oldexpires);
+		}
+
+	}
+
+add_log_line("checkin document ".$documentid." with version ".$content->getVersion());
+header("Location:../out/out.ViewDocument.php?documentid=".$documentid);
+

op/op.CheckOutDocument.php

@@ -0,0 +1,79 @@
+<?php
+//    SeedDMS. Document Management System
+//    Copyright (C) 2015 Uwe Steinmann
+//
+//    This program is free software; you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation; either version 2 of the License, or
+//    (at your option) any later version.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program; if not, write to the Free Software
+//    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+include("../inc/inc.Settings.php");
+include("../inc/inc.Utils.php");
+include("../inc/inc.LogInit.php");
+include("../inc/inc.Language.php");
+include("../inc/inc.Init.php");
+include("../inc/inc.Extension.php");
+include("../inc/inc.DBInit.php");
+include("../inc/inc.ClassUI.php");
+include("../inc/inc.Authentication.php");
+
+if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
+}
+
+$documentid = $_GET["documentid"];
+$document = $dms->getDocument($documentid);
+
+if (!is_object($document)) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
+}
+
+if(!$settings->_checkOutDir) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("checkout_is_disabled"));
+}
+
+if ($document->getAccessMode($user) < M_READWRITE) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
+}
+
+if ($document->isLocked()) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("document_already_locked"));
+}
+
+if ($document->isCheckedOut()) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("document_already_checkedout"));
+}
+
+if($session->getSu()) {
+	$origuser = $dms->getUser($session->getUser());
+	$checkoutpath = sprintf($settings->_checkOutDir.'/', preg_replace('/[^A-Za-z0-9_-]/', '', $origuser->getLogin()));
+} else {
+	$checkoutpath = sprintf($settings->_checkOutDir.'/', preg_replace('/[^A-Za-z0-9_-]/', '', $user->getLogin()));
+}
+if(!file_exists($checkoutpath) && $settings->_createCheckOutDir) {
+	SeedDMS_Core_File::makeDir($checkoutpath);
+}
+if(!file_exists($checkoutpath)) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("checkoutpath_does_not_exist"));
+}
+
+if (!$document->checkOut($user, $checkoutpath)) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("error_occured"));
+}
+
+$session->setSplashMsg(array('type'=>'success', 'msg'=>getMLText('splash_document_checkedout')));
+
+add_log_line();
+header("Location:../out/out.ViewDocument.php?documentid=".$documentid);
+
+?>
+

op/op.Cron.php

@@ -0,0 +1,60 @@
+<?php
+//    MyDMS. Document Management System
+//    Copyright (C) 2002-2005  Markus Westphal
+//    Copyright (C) 2006-2008 Malcolm Cowe
+//    Copyright (C) 2010 Matteo Lucarelli
+//    Copyright (C) 2010-2016 Uwe Steinmann
+//
+//    This program is free software; you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation; either version 2 of the License, or
+//    (at your option) any later version.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program; if not, write to the Free Software
+//    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+require_once("../inc/inc.Settings.php");
+require_once("../inc/inc.Utils.php");
+require_once("../inc/inc.LogInit.php");
+require_once("../inc/inc.Language.php");
+require_once("../inc/inc.Init.php");
+require_once("../inc/inc.Extension.php");
+require_once("../inc/inc.DBInit.php");
+require_once("../inc/inc.ClassController.php");
+require_once("../inc/inc.Scheduler.php");
+require_once("../inc/inc.BasicAuthentication.php");
+
+$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
+$controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));
+
+if($user->getLogin() != 'cli_scheduler') {
+	header('WWW-Authenticate: Basic realm="'.$settings->_siteName.'"');
+	header('HTTP/1.0 401 Unauthorized');
+	echo "Wrong user";
+	exit;
+}
+$mode = 'list';
+if(!empty($_GET['mode']) && in_array($_GET['mode'], array('list', 'run', 'dryrun', 'check')))
+	$mode = $_GET['mode'];
+$task = '';
+if(!empty($_GET['task']))
+	$task = $_GET['task'];
+
+$controller->setParam('settings', $settings);
+$controller->setParam('logger', $logger);
+$controller->setParam('mode', $mode);
+$controller->setParam('task', $task);
+if(!$controller->run()) {
+	echo getMLText("error_occured");
+	exit;
+}
+
+add_log_line();
+exit();
+

op/op.Download.php

@@ -32,6 +32,10 @@ include("../inc/inc.Authentication.php");
 
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if (!$accessop->check_controller_access($controller, $_POST)) {
+	UI::exitError(getMLText("document_title", array("documentname" => "")),getMLText("access_denied"));
+}
 
 if (isset($_GET["version"])) { /* {{{ */
 
@@ -98,19 +102,9 @@ elseif (isset($_GET["file"])) { /* {{{ */
 		UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("invalid_file_id"));
 	}
 
-	if(!file_exists($dms->contentDir . $file->getPath())) {
-		UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("missing_file"));
-	}
-
-	header("Content-Transfer-Encoding: binary");
-	header("Content-Length: " . filesize($dms->contentDir . $file->getPath() ));
-	$efilename = rawurlencode($file->getOriginalFileName());
-	header("Content-Disposition: attachment; filename=\"" . $efilename . "\"; filename*=UTF-8''".$efilename);
-	header("Content-Type: " . $file->getMimeType());
-	header("Cache-Control: must-revalidate");
-
-	sendFile($dms->contentDir . $file->getPath());
-
+	$controller->setParam('file', $file);
+	$controller->setParam('type', 'file');
+	$controller->run();
 } /* }}} */
 elseif (isset($_GET["arkname"])) { /* {{{ */
 	$filename = basename($_GET["arkname"]);
@@ -130,16 +124,9 @@ elseif (isset($_GET["arkname"])) { /* {{{ */
 		UI::exitError(getMLText("admin_tools"),getMLText("missing_file"));
 	}
 
-	header('Content-Description: File Transfer');
-	header("Content-Type: application/zip");
-	header("Content-Transfer-Encoding: binary");
-	header("Content-Length: " . filesize($backupdir . $filename ));
-	$efilename = rawurlencode($filename);
-	header("Content-Disposition: attachment; filename=\"" .$efilename . "\"; filename*=UTF-8''".$efilename);
-	header("Cache-Control: must-revalidate");
-	
-	sendFile($backupdir .$filename );
-	
+	$controller->setParam('basedir', $backupdir);
+	$controller->setParam('file', $filename);
+	$controller->archive();
 } /* }}} */
 elseif (isset($_GET["logname"])) { /* {{{ */
 	$filename = basename($_GET["logname"], '.log').'.log';
@@ -158,15 +145,10 @@ elseif (isset($_GET["logname"])) { /* {{{ */
 		UI::exitError(getMLText("admin_tools"),getMLText("missing_file"));
 	}
 
-	header("Content-Type: text/plain");
-	header("Content-Transfer-Encoding: binary");
-	header("Content-Length: " . filesize($settings->_contentDir.'log/' . $filename ));
-	$efilename = rawurlencode($filename);
-	header("Content-Disposition: attachment; filename=\"" .$efilename . "\"; filename*=UTF-8''".$efilename);
-	header("Cache-Control: must-revalidate");
+	$controller->setParam('file', $filename);
+	$controller->setParam('basedir', $settings->_contentDir . 'log/');
+	$controller->log();
 
-	sendFile($settings->_contentDir . 'log/' . $filename );
-	
 } /* }}} */
 elseif (isset($_GET["vfile"])) { /* {{{ */
 
@@ -215,14 +197,9 @@ elseif (isset($_GET["dumpname"])) { /* {{{ */
 		UI::exitError(getMLText("admin_tools"),getMLText("missing_file"));
 	}
 
-	header("Content-Type: application/zip");
-	header("Content-Transfer-Encoding: binary");
-	header("Content-Length: " . filesize($backupdir . $filename ));
-	$efilename = rawurlencode($filename);
-	header("Content-Disposition: attachment; filename=\"" .$efilename . "\"; filename*=UTF-8''".$efilename);
-	header("Cache-Control: must-revalidate");
-	
-	sendFile($backupdir .$filename );
+	$controller->setParam('basedir', $backupdir);
+	$controller->setParam('file', $filename);
+	$controller->sqldump();
 } /* }}} */
 elseif (isset($_GET["reviewlogid"])) { /* {{{ */
 	if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) {
@@ -243,22 +220,15 @@ elseif (isset($_GET["reviewlogid"])) { /* {{{ */
 		UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("access_denied"));
 	}
 
-	$filename = $dms->contentDir . $document->getDir().'r'.(int) $_GET['reviewlogid'];
-	if (!file_exists($filename) ) {
+	$controller->setParam('document', $document);
+	$controller->setParam('reviewlogid', (int) $_GET['reviewlogid']);
+	$controller->setParam('type', 'review');
+	$controller->run();
+	switch($controller->getErrorNo()) {
+	case 1:
 		UI::exitError(getMLText("admin_tools"),getMLText("missing_file"));
+		break;
 	}
-
-	$finfo = finfo_open(FILEINFO_MIME_TYPE);
-	$mimetype = finfo_file($finfo, $filename);
-
-	header("Content-Type: ".$mimetype);
-	header("Content-Transfer-Encoding: binary");
-	header("Content-Length: " . filesize($filename ));
-	header("Content-Disposition: attachment; filename=\"review-" . $document->getID()."-".(int) $_GET['reviewlogid'] . get_extension($mimetype) . "\"");
-	header("Cache-Control: must-revalidate");
-
-	sendFile($filename);
-
 } /* }}} */
 elseif (isset($_GET["approvelogid"])) { /* {{{ */
 	if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) {
@@ -279,21 +249,15 @@ elseif (isset($_GET["approvelogid"])) { /* {{{ */
 		UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("access_denied"));
 	}
 
-	$filename = $dms->contentDir . $document->getDir().'a'.(int) $_GET['approvelogid'];
-	if (!file_exists($filename) ) {
+	$controller->setParam('document', $document);
+	$controller->setParam('approvelogid', (int) $_GET['approvelogid']);
+	$controller->setParam('type', 'approval');
+	$controller->run();
+	switch($controller->getErrorNo()) {
+	case 1:
 		UI::exitError(getMLText("admin_tools"),getMLText("missing_file"));
+		break;
 	}
-
-	$finfo = finfo_open(FILEINFO_MIME_TYPE);
-	$mimetype = finfo_file($finfo, $filename);
-
-	header("Content-Type: ".$mimetype);
-	header("Content-Transfer-Encoding: binary");
-	header("Content-Length: " . filesize($filename ));
-	header("Content-Disposition: attachment; filename=\"approval-" . $document->getID()."-".(int) $_GET['approvelogid'] . get_extension($mimetype) . "\"");
-	header("Cache-Control: must-revalidate");
-
-	sendFile($filename);
 } /* }}} */
 
 add_log_line();

op/op.EditAttributes.php

@@ -34,6 +34,11 @@ if(!checkFormKey('editattributes')) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
 }
 
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if (!$accessop->check_controller_access('EditAttributes', $_POST)) {
+	UI::exitError(getMLText("folder_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
+}
+
 if (!isset($_POST["documentid"]) || !is_numeric($_POST["documentid"]) || intval($_POST["documentid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }

op/op.EditComment.php

@@ -34,6 +34,11 @@ if(!checkFormKey('editcomment')) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
 }
 
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if (!$accessop->check_controller_access('EditComment', $_POST)) {
+	UI::exitError(getMLText("folder_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
+}
+
 if (!isset($_POST["documentid"]) || !is_numeric($_POST["documentid"]) || intval($_POST["documentid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }

op/op.EditDocument.php

@@ -31,6 +31,10 @@ include("../inc/inc.Authentication.php");
 
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if (!$accessop->check_controller_access($controller, $_POST)) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
+}
 
 /* Check if the form data comes from a trusted request */
 if(!checkFormKey('editdocument')) {

op/op.EditDocumentFile.php

@@ -32,6 +32,10 @@ include("../inc/inc.Authentication.php");
 
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if (!$accessop->check_controller_access($controller, $_POST)) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
+}
 
 /* Check if the form data comes from a trusted request */
 if(!checkFormKey('editdocumentfile')) {

op/op.EditFolder.php

@@ -31,6 +31,10 @@ include("../inc/inc.Authentication.php");
 
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if (!$accessop->check_controller_access($controller, $_POST)) {
+	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_folder_id"))),getMLText("access_denied"));
+}
 
 /* Check if the form data comes from a trusted request */
 if(!checkFormKey('editfolder')) {

op/op.EditOnline.php

@@ -28,28 +28,38 @@ include("../inc/inc.DBInit.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.Authentication.php");
 
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if (!$accessop->check_controller_access('EditOnline', $_POST)) {
+	echo json_encode(array('success'=>false, 'message'=>getMLText('access_denied')));
+	exit;
+}
+
 if (!isset($_POST["documentid"]) || !is_numeric($_POST["documentid"]) || intval($_POST["documentid"])<1) {
-	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
+	echo json_encode(array('success'=>false, 'message'=>getMLText('invalid_doc_id')));
+	exit;
 }
 
 $documentid = $_POST["documentid"];
 $document = $dms->getDocument($documentid);
 
 if (!is_object($document)) {
-	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
+	echo json_encode(array('success'=>false, 'message'=>getMLText('invalid_doc_id')));
+	exit;
 }
 
 $folder = $document->getFolder();
 $docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".$document->getName()."</a>";
 
 if ($document->getAccessMode($user, 'editOnline') < M_READWRITE) {
-	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
+	echo json_encode(array('success'=>false, 'message'=>getMLText('access_denied')));
+	exit;
 }
 
 if($document->isLocked()) {
 	$lockingUser = $document->getLockingUser();
 	if (($lockingUser->getID() != $user->getID()) && ($document->getAccessMode($user, 'editOnline') != M_ALL)) {
-		UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("lock_message", array("email" => $lockingUser->getEmail(), "username" => htmlspecialchars($lockingUser->getFullName()))));
+		echo json_encode(array('success'=>false, 'message'=>getMLText("lock_message", array("email" => $lockingUser->getEmail(), "username" => htmlspecialchars($lockingUser->getFullName())))));
+		exit;
 	}
 }
 

op/op.ImportUsers.php

@@ -125,26 +125,21 @@ function renderGroupData($colname, $objdata) { /* {{{ */
 } /* }}} */
 
 function getRoleData($colname, $coldata, $objdata) { /* {{{ */
-	switch($coldata) {
-	case 'admin':
-		$role = 1;
-		break;
-	case 'guest':
-		$role = 2;
-		break;
-	case 'user':
-		$role = 0;
-		break;
-	default:
-		$role = 0;
+	global $dms;
+	if($role = $dms->getRoleByName($coldata)) {
+		$objdata['role'] = $role;
+	} else {
+		$objdata['role'] = null;
 		$objdata['__logs__'][] = array('type'=>'error', 'msg'=> "No such role with name '".$coldata."'");
 	}
-	$objdata['role'] = $role;
 	return $objdata;
 } /* }}} */
 
 function renderRoleData($colname, $objdata) { /* {{{ */
-	return ($objdata[$colname] == 1 ? 'admin' : ($objdata[$colname] == 2 ? 'guest' : 'user'));
+	$html = '';
+	if($objdata[$colname])
+		$html .= $objdata[$colname]->getName();
+	return $html;
 } /* }}} */
 
 if (!$user->isAdmin()) {
@@ -318,7 +313,7 @@ if (isset($_FILES['userdata']) && $_FILES['userdata']['error'] == 0) {
 
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user));
-$accessop = new SeedDMS_AccessOperation($dms, null, $user, $settings);
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
 if($view) {
 	$view->setParam('log', $log);
 	$view->setParam('newusers', $newusers);

op/op.LockDocument.php

@@ -29,6 +29,11 @@ require_once("inc/inc.DBInit.php");
 require_once("inc/inc.ClassUI.php");
 require_once("inc/inc.Authentication.php");
 
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if (!$accessop->check_controller_access('LockDocument', $_POST)) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
+}
+
 /* Check if the form data comes from a trusted request */
 if(!checkFormKey('lockdocument', 'GET')) {
 	UI::exitError(getMLText("document_title"), getMLText("invalid_request_token"));
@@ -45,6 +50,11 @@ if (!is_object($document)) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
 
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if (!$accessop->check_controller_access('LockDocument', $_POST)) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
+}
+
 $folder = $document->getFolder();
 $docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".$document->getName()."</a>";
 

op/op.MoveDocument.php

@@ -33,6 +33,11 @@ if(!checkFormKey('movedocument', 'GET')) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
 }
 
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if (!$accessop->check_controller_access('MoveDocument', $_POST)) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
+}
+
 if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }

op/op.MoveFolder.php

@@ -33,6 +33,11 @@ if(!checkFormKey('movefolder', 'GET')) {
 	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
 }
 
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if (!$accessop->check_controller_access('MoveFolder', $_POST)) {
+	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_folder_id"))),getMLText("access_denied"));
+}
+
 if (!isset($_GET["folderid"]) || !is_numeric($_GET["folderid"]) || intval($_GET["folderid"])<1) {
 	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_folder_id"))),getMLText("invalid_folder_id"));
 }

op/op.OverrideContentStatus.php

@@ -28,6 +28,13 @@ include("../inc/inc.DBInit.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.Authentication.php");
 
+$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
+//$controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if(!$accessop->check_controller_access($tmp[1] /*$controller*/)) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
+}
+
 /* Check if the form data comes from a trusted request */
 if(!checkFormKey('overridecontentstatus')) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
@@ -58,7 +65,7 @@ if (!is_object($content)) {
 }
 
 if (!isset($_POST["overrideStatus"]) || !is_numeric($_POST["overrideStatus"]) ||
-		(intval($_POST["overrideStatus"])<-3 && intval($_POST["overrideStatus"])>2)) {
+		(intval($_POST["overrideStatus"]) != S_RELEASED && intval($_POST["overrideStatus"]) != S_OBSOLETE && intval($_POST["overrideStatus"]) != S_DRAFT && intval($_POST["overrideStatus"]) != S_NEEDS_CORRECTION)) {
 	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("invalid_status"));
 }
 

op/op.ReceiptDocument.php

@@ -0,0 +1,105 @@
+<?php
+//    MyDMS. Document Management System
+//    Copyright (C) 2002-2005  Markus Westphal
+//    Copyright (C) 2006-2008 Malcolm Cowe
+//    Copyright (C) 2010 Matteo Lucarelli
+//
+//    This program is free software; you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation; either version 2 of the License, or
+//    (at your option) any later version.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program; if not, write to the Free Software
+//    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+include("../inc/inc.Settings.php");
+include("../inc/inc.Utils.php");
+include("../inc/inc.LogInit.php");
+include("../inc/inc.Language.php");
+include("../inc/inc.Init.php");
+include("../inc/inc.Extension.php");
+include("../inc/inc.DBInit.php");
+include("../inc/inc.Authentication.php");
+include("../inc/inc.ClassUI.php");
+include("../inc/inc.ClassController.php");
+
+$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
+$controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+
+/* Check if the form data comes for a trusted request */
+if(!checkFormKey('receiptdocument')) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
+}
+
+if (!isset($_POST["documentid"]) || !is_numeric($_POST["documentid"]) || intval($_POST["documentid"])<1) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
+}
+
+$documentid = $_POST["documentid"];
+$document = $dms->getDocument($documentid);
+
+if (!is_object($document)) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
+}
+
+// verify if document may be receіpted
+if (!$accessop->mayReceipt($document)){
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
+}
+
+$folder = $document->getFolder();
+
+if (!isset($_POST["version"]) || !is_numeric($_POST["version"]) || intval($_POST["version"])<1) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("invalid_version"));
+}
+
+$version = $_POST["version"];
+$content = $document->getContentByVersion($version);
+
+if (!is_object($content)) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("invalid_version"));
+}
+
+// operation is only allowed for the last document version
+$latestContent = $document->getLatestContent();
+if ($latestContent->getVersion()!=$version) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("invalid_version"));
+}
+
+if (!isset($_POST["receiptStatus"]) || !is_numeric($_POST["receiptStatus"]) ||
+		(intval($_POST["receiptStatus"])!=1 && intval($_POST["receiptStatus"])!=-1)) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("invalid_receipt_status"));
+}
+
+$controller->setParam('document', $document);
+$controller->setParam('content', $latestContent);
+$controller->setParam('receiptstatus', $_POST["receiptStatus"]);
+$controller->setParam('receipttype', $_POST["receiptType"]);
+if ($_POST["receiptType"] == "grp") {
+	$group = $dms->getGroup($_POST['receiptGroup']);
+} else {
+	$group = null;
+}
+$controller->setParam('group', $group);
+$controller->setParam('comment', $_POST["comment"]);
+if(!$controller->run()) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText($controller->getErrorMsg()));
+}
+
+if ($_POST["receiptType"] == "ind" || $_POST["receiptType"] == "grp") {
+	if($notifier) {
+		$receiptlog = $latestContent->getReceiptLog();
+		$notifier->sendSubmittedReceiptMail($latestContent, $user, $receiptlog ? $receiptlog[0] : false);
+	}
+}
+
+add_log_line("documentid=".$documentid."&version=".$version);
+
+header("Location:../out/out.ViewDocument.php?documentid=".$documentid."&currenttab=recipients");

op/op.RemoveDocument.php

@@ -31,6 +31,10 @@ include("../inc/inc.Authentication.php");
 
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if (!$accessop->check_controller_access($controller, $_POST)) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
+}
 
 /* Check if the form data comes from a trusted request */
 if(!checkFormKey('removedocument')) {

op/op.RemoveDocumentFile.php

@@ -27,6 +27,11 @@ include("../inc/inc.DBInit.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.Authentication.php");
 
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if (!$accessop->check_controller_access('RemoveDocumentFile', $_POST)) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
+}
+
 /* Check if the form data comes from a trusted request */
 if(!checkFormKey('removedocumentfile')) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));

op/op.RemoveVersion.php

@@ -44,10 +44,10 @@ if (!is_object($document)) {
 }
 
 /* Create object for checking access to certain operations */
-$accessop = new SeedDMS_AccessOperation($dms, $document, $user, $settings);
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
 
 // verify if document may be reviewed
-if (!$accessop->mayRemoveVersion()){
+if (!$accessop->mayRemoveVersion($document)){
 	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
 }
 

op/op.ReviewDocument.php

@@ -32,6 +32,7 @@ include("../inc/inc.ClassController.php");
 
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
 
 /* Check if the form data comes from a trusted request */
 if(!checkFormKey('reviewdocument')) {
@@ -72,11 +73,8 @@ if ($latestContent->getVersion()!=$version) {
 	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("invalid_version"));
 }
 
-/* Create object for checking access to certain operations */
-$accessop = new SeedDMS_AccessOperation($dms, $document, $user, $settings);
-
 // verify if document may be reviewed
-if (!$accessop->mayReview()){
+if (!$accessop->mayReview($document)){
 	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
 }
 

op/op.ReviseDocument.php

@@ -0,0 +1,120 @@
+<?php
+//    MyDMS. Document Management System
+//    Copyright (C) 2002-2005  Markus Westphal
+//    Copyright (C) 2006-2008 Malcolm Cowe
+//    Copyright (C) 2010 Matteo Lucarelli
+//
+//    This program is free software; you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation; either version 2 of the License, or
+//    (at your option) any later version.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program; if not, write to the Free Software
+//    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+include("../inc/inc.Settings.php");
+include("../inc/inc.Utils.php");
+include("../inc/inc.LogInit.php");
+include("../inc/inc.Language.php");
+include("../inc/inc.Init.php");
+include("../inc/inc.Extension.php");
+include("../inc/inc.DBInit.php");
+include("../inc/inc.Authentication.php");
+include("../inc/inc.ClassUI.php");
+include("../inc/inc.ClassController.php");
+
+$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
+$controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+
+/* Check if the form data comes for a trusted request */
+if(!checkFormKey('revisedocument')) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
+}
+
+if (!isset($_POST["documentid"]) || !is_numeric($_POST["documentid"]) || intval($_POST["documentid"])<1) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
+}
+
+$documentid = $_POST["documentid"];
+$document = $dms->getDocument($documentid);
+
+if (!is_object($document)) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
+}
+
+// verify if document maybe revised
+if (!$accessop->mayRevise($document)){
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
+}
+
+$folder = $document->getFolder();
+
+if (!isset($_POST["version"]) || !is_numeric($_POST["version"]) || intval($_POST["version"])<1) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("invalid_version"));
+}
+
+$version = $_POST["version"];
+$content = $document->getContentByVersion($version);
+
+if (!is_object($content)) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("invalid_version"));
+}
+
+// operation is only allowed for the last document version
+$latestContent = $document->getLatestContent();
+if ($latestContent->getVersion()!=$version) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("invalid_version"));
+}
+
+$olddocstatus = $content->getStatus();
+
+if (!isset($_POST["revisionStatus"]) || !is_numeric($_POST["revisionStatus"]) ||
+		(!in_array(intval($_POST["revisionStatus"]), array(1, -1, 6)))) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("invalid_revision_status"));
+}
+
+$controller->setParam('document', $document);
+$controller->setParam('content', $content);
+$controller->setParam('revisionstatus', $_POST["revisionStatus"]);
+$controller->setParam('revisiontype', $_POST["revisionType"]);
+if ($_POST["revisionType"] == "grp") {
+	$group = $dms->getGroup($_POST['revisionGroup']);
+} else {
+	$group = null;
+}
+$controller->setParam('group', $group);
+$controller->setParam('comment', $_POST["comment"]);
+$controller->setParam('onevotereject', $settings->_enableRevisionOneVoteReject);
+if(!$controller->run()) {
+	$err = $controller->getErrorMsg();
+	if(is_string($err))
+		$errmsg = getMLText($err);
+	elseif(is_array($err)) {
+		$errmsg = getMLText($err[0], $err[1]);
+	} else {
+		$errmsg = $err;
+	}
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText($errmsg));
+}
+
+if($notifier) {
+	if ($_POST["revisionType"] == "ind" || $_POST["revisionType"] == "grp") {
+		$revisionlog = $latestContent->getRevisionLog();
+		$notifier->sendSubmittedRevisionMail($latestContent, $user, $revisionlog ? $revisionlog[0] : false);
+	}
+
+	/* Send notification about status change only if status has actually changed */
+	if($controller->oldstatus != $controller->newstatus)
+		$notifier->sendChangedDocumentStatusMail($latestContent, $user, $controller->oldstatus);
+}
+
+add_log_line("documentid=".$documentid."&version=".$version);
+
+header("Location:../out/out.ViewDocument.php?documentid=".$documentid."&currenttab=revision");

op/op.RoleMgr.php

@@ -0,0 +1,133 @@
+<?php
+//    MyDMS. Document Management System
+//    Copyright (C) 2002-2005  Markus Westphal
+//    Copyright (C) 2006-2008 Malcolm Cowe
+//    Copyright (C) 2010 Matteo Lucarelli
+//    Copyright (C) 2010-2012 Uwe Steinmann
+//
+//    This program is free software; you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation; either version 2 of the License, or
+//    (at your option) any later version.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program; if not, write to the Free Software
+//    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+include("../inc/inc.Settings.php");
+include("../inc/inc.Utils.php");
+include("../inc/inc.LogInit.php");
+include("../inc/inc.Language.php");
+include("../inc/inc.Init.php");
+include("../inc/inc.Extension.php");
+include("../inc/inc.DBInit.php");
+include("../inc/inc.ClassUI.php");
+include("../inc/inc.ClassController.php");
+include("../inc/inc.Authentication.php");
+
+$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
+$controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if (!$accessop->check_controller_access($controller, $_POST)) {
+	UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
+}
+
+if (isset($_POST["action"])) $action=$_POST["action"];
+else $action=NULL;
+
+if(!in_array($action, array('addrole', 'removerole', 'editrole')))
+	UI::exitError(getMLText("admin_tools"),getMLText("unknown_command"));
+
+/* Check if the form data comes for a trusted request */
+if(!checkFormKey($action)) {
+	UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));
+}
+
+$roleid = 0;
+if(in_array($action, array('removerole', 'editrole'))) {
+	if (isset($_POST["roleid"])) {
+		$roleid = $_POST["roleid"];
+	}
+
+	if (!isset($roleid) || !is_numeric($roleid) || intval($roleid)<1) {
+		UI::exitError(getMLText("admin_tools"),getMLText("invalid_role_id"));
+	}
+
+	$roleobj = $dms->getRole($roleid);
+	
+	if (!is_object($roleobj)) {
+		UI::exitError(getMLText("admin_tools"),getMLText("invalid_role_id"));
+	}
+
+	$controller->setParam('roleobj', $roleobj);
+}
+
+// add new role ---------------------------------------------------------
+if ($action == "addrole") {
+	
+	$name    = $_POST["name"];
+	$role    = preg_replace('/[^0-2]+/', '', $_POST["role"]);
+
+	if (is_object($dms->getRoleByName($name))) {
+		UI::exitError(getMLText("admin_tools"),getMLText("role_exists"));
+	}
+
+	if ($role === '') {
+		UI::exitError(getMLText("admin_tools"),getMLText("missing_role_type"));
+	}
+
+	$controller->setParam('name', $name);
+	$controller->setParam('role', $role);
+
+	$newRole = $controller($_POST);
+	if ($newRole) {
+	}
+	else UI::exitError(getMLText("admin_tools"),getMLText("error_occured"));
+	
+	$roleid=$newRole->getID();
+	
+	$session->setSplashMsg(array('type'=>'success', 'msg'=>getMLText('splash_add_role')));
+
+	add_log_line(".php&action=".$action."&name=".$name);
+}
+
+// delete role ------------------------------------------------------------
+else if ($action == "removerole") {
+
+	if (!$controller($_POST)) {
+		UI::exitError(getMLText("admin_tools"),getMLText("error_occured"));
+	}
+		
+	add_log_line(".php&action=".$action."&roleid=".$roleid);
+	
+	$session->setSplashMsg(array('type'=>'success', 'msg'=>getMLText('splash_rm_role')));
+	$roleid=-1;
+}
+
+// modify role ------------------------------------------------------------
+else if ($action == "editrole") {
+
+	$name    = $_POST["name"];
+	$role    = preg_replace('/[^0-2]+/', '', $_POST["role"]);
+	$noaccess = isset($_POST['noaccess']) ? $_POST['noaccess'] : null;
+	
+	$controller->setParam('name', $name);
+	$controller->setParam('role', $role);
+	$controller->setParam('noaccess', $noaccess);
+
+	if (!$controller($_POST)) {
+		UI::exitError(getMLText("admin_tools"),getMLText("error_occured"));
+	}
+
+	$session->setSplashMsg(array('type'=>'success', 'msg'=>getMLText('splash_edit_role')));
+	add_log_line(".php&action=".$action."&roleid=".$roleid);
+}
+
+header("Location:../out/out.RoleMgr.php?roleid=".$roleid);
+
+?>

op/op.SchedulerTaskMgr.php

@@ -0,0 +1,144 @@
+<?php
+//    MyDMS. Document Management System
+//    Copyright (C) 2002-2005  Markus Westphal
+//    Copyright (C) 2006-2008 Malcolm Cowe
+//    Copyright (C) 2010 Matteo Lucarelli
+//    Copyright (C) 2010-2012 Uwe Steinmann
+//
+//    This program is free software; you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation; either version 2 of the License, or
+//    (at your option) any later version.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program; if not, write to the Free Software
+//    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+include("../inc/inc.Settings.php");
+include("../inc/inc.Utils.php");
+include("../inc/inc.LogInit.php");
+include("../inc/inc.Language.php");
+include("../inc/inc.Init.php");
+include("../inc/inc.Extension.php");
+include("../inc/inc.DBInit.php");
+include("../inc/inc.Scheduler.php");
+include("../inc/inc.ClassUI.php");
+include("../inc/inc.Authentication.php");
+
+if ($user->isGuest()) {
+	UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
+}
+
+if (isset($_POST["action"])) $action=$_POST["action"];
+else $action=NULL;
+
+$scheduler = new SeedDMS_Scheduler($dms->getDB());
+
+// add new task ---------------------------------------------------
+if ($action == "addtask") { /* {{{ */
+	
+	/* Check if the form data comes for a trusted request */
+	if(!checkFormKey('addtask')) {
+		UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));
+	}
+
+	$extension = $_POST["extension"];
+	$task    = $_POST["task"];
+	$name    = $_POST["name"];
+	$description = $_POST["description"];
+	$frequency = $_POST["frequency"];
+	$disabled = isset($_POST["disabled"]) ? $_POST["disabled"] : 0;
+	$params = isset($_POST["params"]) ? $_POST["params"] : null;
+
+	$newtask = $scheduler->addTask($extension, $task, $name, $description, $frequency, $disabled, $params);
+	if ($newtask) {
+	}
+	else UI::exitError(getMLText("admin_tools"),getMLText("error_occured"));
+	
+	$taskid=$newtask->getID();
+	
+	$session->setSplashMsg(array('type'=>'success', 'msg'=>getMLText('splash_add_task')));
+
+	add_log_line(".php&action=addtask&name=".$name);
+} /* }}} */
+
+// modify task ----------------------------------------------------
+else if ($action == "edittask") { /* {{{ */
+
+	/* Check if the form data comes for a trusted request */
+	if(!checkFormKey('edittask')) {
+		UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));
+	}
+
+	if (!isset($_POST["taskid"]) || !is_numeric($_POST["taskid"]) || intval($_POST["taskid"])<1) {
+		UI::exitError(getMLText("admin_tools"),getMLText("invalid_task"));
+	}
+	
+	$taskid=$_POST["taskid"];
+	$editedtask = $scheduler->getTask($taskid);
+	
+	if (!is_object($editedtask)) {
+		UI::exitError(getMLText("admin_tools"),getMLText("invalid_task"));
+	}
+
+	$name = $_POST["name"];
+	$description = $_POST["description"];
+	$frequency = $_POST["frequency"];
+	$disabled = isset($_POST["disabled"]) ? $_POST["disabled"] : 0;
+	$params = isset($_POST["params"]) ? $_POST["params"] : null;
+
+	if ($editedtask->getName() != $name)
+		$editedtask->setName($name);
+	if ($editedtask->getDescription() != $description)
+		$editedtask->setDescription($description);
+	$editedtask->setDisabled($disabled);
+	$editedtask->setParameter($params);
+	if($editedtask->setFrequency($frequency))
+		$session->setSplashMsg(array('type'=>'success', 'msg'=>getMLText('splash_edit_task')));
+	else
+		$session->setSplashMsg(array('type'=>'error', 'msg'=>getMLText('error_edit_task')));
+	add_log_line(".php&action=edittask&taskid=".$taskid);
+} /* }}} */
+
+// delete task -------------------------------------------------------------
+else if ($action == "removetask") { /* {{{ */
+	header('Content-Type: application/json');
+	
+	/* Check if the form data comes from a trusted request */
+	if(!checkFormKey('removetask')) {
+		echo json_encode(array('success'=>false, 'message'=>getMLText("invalid_request_token")));
+		exit;
+	}
+
+	if (!isset($_POST["taskid"]) || !is_numeric($_POST["taskid"]) || intval($_POST["taskid"])<1) {
+		echo json_encode(array('success'=>false, 'message'=>getMLText("invalid_task")));
+		exit;
+	}
+	
+	$taskid=$_POST["taskid"];
+	$task = $scheduler->getTask($taskid);
+	
+	if (!is_object($task)) {
+		echo json_encode(array('success'=>false, 'message'=>getMLText("invalid_task")));
+		exit;
+	}
+
+	if (!$task->remove()) {
+		echo json_encode(array('success'=>false, 'message'=>getMLText("error_occured")));
+		exit;
+	}
+	
+	add_log_line("?taskid=".$_POST["taskid"]."&action=removetask");
+
+	echo json_encode(array('success'=>true, 'message'=>getMLText("task_removed")));
+	exit;
+} /* }}} */
+
+
+header("Location:../out/out.SchedulerTaskMgr.php");
+

op/op.SendNotification.php

@@ -31,7 +31,7 @@ include("../inc/inc.ClassController.php");
 
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));
-$accessop = new SeedDMS_AccessOperation($dms, null, $user, $settings);
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
 if (!$accessop->check_controller_access($controller, $_GET)) {
 	header('Content-Type: application/json');
 	echo json_encode(array('success'=>false, 'message'=>getMLText('access_denied')));

op/op.SetRecipients.php

@@ -0,0 +1,279 @@
+<?php
+//    MyDMS. Document Management System
+//    Copyright (C) 2002-2005  Markus Westphal
+//    Copyright (C) 2006-2008 Malcolm Cowe
+//    Copyright (C) 2010 Matteo Lucarelli
+//    Copyright (C) 2010-2015 Uwe Steinmann
+//
+//    This program is free software; you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation; either version 2 of the License, or
+//    (at your option) any later version.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program; if not, write to the Free Software
+//    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+include("../inc/inc.Settings.php");
+include("../inc/inc.Utils.php");
+include("../inc/inc.LogInit.php");
+include("../inc/inc.Language.php");
+include("../inc/inc.Init.php");
+include("../inc/inc.Extension.php");
+include("../inc/inc.DBInit.php");
+include("../inc/inc.ClassUI.php");
+include("../inc/inc.Authentication.php");
+
+if (!isset($_POST["documentid"]) || !is_numeric($_POST["documentid"]) || intval($_POST["documentid"])<1) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
+}
+
+$documentid = $_POST["documentid"];
+$document = $dms->getDocument($documentid);
+
+if (!is_object($document)) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
+}
+
+if ($document->getAccessMode($user) < M_READWRITE) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
+}
+
+if (!isset($_POST["version"]) || !is_numeric($_POST["version"]) || intval($_POST["version"])<1) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("invalid_version"));
+}
+
+$version = $_POST["version"];
+$content = $document->getContentByVersion($version);
+
+if (!is_object($content)) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("invalid_version"));
+}
+
+$folder = $document->getFolder();
+
+// Retrieve a list of all users and groups that have read rights.
+// Afterwards, reorganize them in two arrays with its key being the
+// userid or groupid
+$docAccess = $document->getReadAccessList($settings->_enableAdminReceipt, $settings->_enableOwnerReceipt);
+$accessIndex = array("i"=>array(), "g"=>array());
+foreach ($docAccess["users"] as $i=>$da) {
+	$accessIndex["i"][$da->getID()] = $da;
+}
+foreach ($docAccess["groups"] as $i=>$da) {
+	$accessIndex["g"][$da->getID()] = $da;
+}
+
+// Retrieve list of currently assigned recipients, along with
+// their latest status.
+$receiptStatus = $content->getReceiptStatus();
+// Index the receipt results for easy cross-reference with the Approvers List.
+$receiptIndex = array("i"=>array(), "g"=>array());
+foreach ($receiptStatus as $i=>$rs) {
+	if ($rs["status"]!=S_LOG_USER_REMOVED) {
+		if ($rs["type"]==0) {
+			$receiptIndex["i"][$rs["required"]] = array("status"=>$rs["status"], "idx"=>$i);
+		}
+		else if ($rs["type"]==1) {
+			$receiptIndex["g"][$rs["required"]] = array("status"=>$rs["status"], "idx"=>$i);
+		}
+	}
+}
+
+/* Get List of ind. reviewers, because they are taken out from the receivers
+ * if added as group.
+ */
+$reviewStatus = $content->getReviewStatus();
+$reviewerids = [];
+foreach ($reviewStatus as $r) {
+	if($r["type"] == 0 && $r["status"] > -2) {
+		$reviewerids[] = $r['required'];
+	}
+}
+// Get the list of proposed recipients, stripping out any duplicates.
+$pIndRev = (isset($_POST["indRecipients"]) ? array_values(array_unique($_POST["indRecipients"])) : array());
+// Retrieve the list of recipient groups whose members become individual recipients
+if (isset($_POST["grpIndRecipients"])) {
+	foreach ($_POST["grpIndRecipients"] as $grp) {
+		if($group = $dms->getGroup($grp)) {
+			$members = $group->getUsers();
+			foreach($members as $member) {
+				/* Do not add the uploader itself and reviewers */
+				if(!$settings->_enableFilterReceipt || ($member->getID() != $content->getUser()->getID() && !in_array($member->getID(), $reviewerids)))
+					if(!in_array($member->getID(), $pIndRev))
+						$pIndRev[] = $member->getID();
+			}
+		}
+	}
+}
+$pGrpRev = (isset($_POST["grpRecipients"]) ? array_values(array_unique($_POST["grpRecipients"])) : array());
+foreach ($pIndRev as $p) {
+	if (is_numeric($p)) {
+		if (isset($accessIndex["i"][$p])) {
+			// Proposed recipient is on the list of possible recipients.
+			if (!isset($receiptIndex["i"][$p])) {
+				// Proposed recipient is not a current recipient, so add as a new
+				// recipient.
+				$res = $content->addIndRecipient($accessIndex["i"][$p], $user);
+				$unm = $accessIndex["i"][$p]->getFullName();
+				$uml = $accessIndex["i"][$p]->getEmail();
+
+				switch ($res) {
+					case -1:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("internal_error"));
+						break;
+					case -2:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
+						break;
+					case -3:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("recipient_already_assigned"));
+						break;
+					case -4:
+						// email error
+						break;
+					default:
+						// Send an email notification to the new recipient.
+						if($settings->_enableNotificationAppRev) {
+							if ($notifier) {
+								$notifier->sendAddReceiptMail($content, $user, $accessIndex["i"][$p]);
+							}
+						}
+						break;
+				}
+			}
+			else {
+				// Proposed recipient is already in the list of recipients.
+				// Remove recipient from the index of possible recipients. If there are
+				// any recipients left over in the list of possible recipients, they
+				// will be removed from the receipt process for this document revision.
+				unset($receiptIndex["i"][$p]);
+			}
+		}
+	}
+}
+if (count($receiptIndex["i"]) > 0) {
+	foreach ($receiptIndex["i"] as $rx=>$rv) {
+		if ($rv["status"] == 0) {
+			// User is to be removed from the recipients list.
+			if (!isset($accessIndex["i"][$rx])) {
+				// User does not have any receipt privileges for this document
+				// revision or does not exist.
+				$res = $content->delIndRecipient($dms->getUser($rx), $user, getMLText("removed_recipient"));
+			}
+			else {
+				$res = $content->delIndRecipient($accessIndex["i"][$rx], $user);
+				$unm = $accessIndex["i"][$rx]->getFullName();
+				$uml = $accessIndex["i"][$rx]->getEmail();
+				switch ($res) {
+					case 0:
+						// Send an email notification to the recipients.
+						if($settings->_enableNotificationAppRev) {
+							if ($notifier) {
+								$notifier->sendDeleteReceiptMail($content, $user, $accessIndex["i"][$rx]);
+							}
+						}
+						break;
+					case -1:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("internal_error"));
+						break;
+					case -2:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
+						break;
+					case -3:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("recipient_already_removed"));
+						break;
+					case -4:
+						// email error
+						break;
+				}
+			}
+		}
+	}
+}
+foreach ($pGrpRev as $p) {
+	if (is_numeric($p)) {
+		if (isset($accessIndex["g"][$p])) {
+			// Proposed recipient is on the list of possible recipients.
+			if (!isset($receiptIndex["g"][$p])) {
+				// Proposed recipient is not a current recipient, so add as a new
+				// recipient.
+				$res = $content->addGrpRecipient($accessIndex["g"][$p], $user);
+				$gnm = $accessIndex["g"][$p]->getName();
+				switch ($res) {
+					case -1:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("internal_error"));
+						break;
+					case -2:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
+						break;
+					case -3:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("recipient_already_assigned"));
+						break;
+					case -4:
+						// email error
+						break;
+					default:
+						// Send an email notification to the new recipient.
+						if($settings->_enableNotificationAppRev) {
+							if ($notifier) {
+								$notifier->sendAddReceiptMail($content, $user, $accessIndex["g"][$p]);
+							}
+						}
+						break;
+				}
+			}
+			else {
+				// Remove recipient from the index of possible recipients.
+				unset($receiptIndex["g"][$p]);
+			}
+		}
+	}
+}
+if (count($receiptIndex["g"]) > 0) {
+	foreach ($receiptIndex["g"] as $rx=>$rv) {
+		if ($rv["status"] == 0) {
+			// Group is to be removed from the recipientist.
+			if (!isset($accessIndex["g"][$rx])) {
+				// Group does not have any receipt privileges for this document
+				// revision or does not exist.
+				$res = $content->delGrpRecipient($dms->getGroup($rx), $user, getMLText("removed_recipient"));
+			}
+			else {
+				$res = $content->delGrpRecipient($accessIndex["g"][$rx], $user);
+				$gnm = $accessIndex["g"][$rx]->getName();
+				switch ($res) {
+					case 0:
+						// Send an email notification to the recipients group.
+						if($settings->_enableNotificationAppRev) {
+							if ($notifier) {
+								$notifier->sendDeleteReceiptMail($content, $user, $accessIndex["g"][$rx]);
+							}
+						}
+						break;
+					case -1:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("internal_error"));
+						break;
+					case -2:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
+						break;
+					case -3:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("recipient_already_removed"));
+						break;
+					case -4:
+						// email error
+						break;
+				}
+			}
+		}
+	}
+}
+
+add_log_line("?documentid=".$documentid);
+header("Location:../out/out.DocumentVersionDetail.php?documentid=".$documentid."&version=".$version);
+
+?>

op/op.SetReviewersApprovers.php

@@ -82,7 +82,7 @@ $approvalStatus = $content->getApprovalStatus();
 // Index the review results for easy cross-reference with the reviewers List.
 $reviewIndex = array("i"=>array(), "g"=>array());
 foreach ($reviewStatus as $i=>$rs) {
-	if ($rs["status"]!=-2) {
+	if ($rs["status"]!=S_LOG_USER_REMOVED) {
 		if ($rs["type"]==0) {
 			$reviewIndex["i"][$rs["required"]] = array("status"=>$rs["status"], "idx"=>$i);
 		}
@@ -94,7 +94,7 @@ foreach ($reviewStatus as $i=>$rs) {
 // Index the approval results for easy cross-reference with the approvers List.
 $approvalIndex = array("i"=>array(), "g"=>array());
 foreach ($approvalStatus as $i=>$rs) {
-	if ($rs["status"]!=-2) {
+	if ($rs["status"]!=S_LOG_USER_REMOVED) {
 		if ($rs["type"]==0) {
 			$approvalIndex["i"][$rs["required"]] = array("status"=>$rs["status"], "idx"=>$i);
 		}
@@ -106,6 +106,18 @@ foreach ($approvalStatus as $i=>$rs) {
 
 // Get the list of proposed reviewers, stripping out any duplicates.
 $pIndRev = (isset($_POST["indReviewers"]) ? array_values(array_unique($_POST["indReviewers"])) : array());
+// Retrieve the list of reviewer groups whose members become individual reviewers
+if (isset($_POST["grpIndReviewers"])) {
+	foreach ($_POST["grpIndReviewers"] as $grp) {
+		if($group = $dms->getGroup($grp)) {
+			$members = $group->getUsers();
+			foreach($members as $member) {
+				if(!in_array($member->getID(), $pIndRev))
+					$pIndRev[] = $member->getID();
+			}
+		}
+	}
+}
 $pGrpRev = (isset($_POST["grpReviewers"]) ? array_values(array_unique($_POST["grpReviewers"])) : array());
 if($user->getID() != $owner->getID()) {
 	$res=$owner->getMandatoryReviewers();
@@ -282,6 +294,18 @@ if (count($reviewIndex["g"]) > 0) {
 
 // Get the list of proposed approvers, stripping out any duplicates.
 $pIndApp = (isset($_POST["indApprovers"]) ? array_values(array_unique($_POST["indApprovers"])) : array());
+// Retrieve the list of approver groups whose members become individual reviewers
+if (isset($_POST["grpIndApprovers"])) {
+	foreach ($_POST["grpIndApprovers"] as $grp) {
+		if($group = $dms->getGroup($grp)) {
+			$members = $group->getUsers();
+			foreach($members as $member) {
+				if(!in_array($member->getID(), $pIndApp))
+					$pIndApp[] = $member->getID();
+			}
+		}
+	}
+}
 $pGrpApp = (isset($_POST["grpApprovers"]) ? array_values(array_unique($_POST["grpApprovers"])) : array());
 if($user->getID() != $owner->getID()) {
 	$res=$owner->getMandatoryApprovers();
@@ -458,7 +482,7 @@ if (count($approvalIndex["g"]) > 0) {
 
 
 
-$content->verifyStatus(false,$user);
+$content->verifyStatus(false, $user, '', $settings->_initialDocumentStatus);
 
 add_log_line("?documentid=".$documentid);
 header("Location:../out/out.DocumentVersionDetail.php?documentid=".$documentid."&version=".$version);

op/op.SetRevisors.php

@@ -0,0 +1,286 @@
+<?php
+//    MyDMS. Document Management System
+//    Copyright (C) 2002-2005  Markus Westphal
+//    Copyright (C) 2006-2008 Malcolm Cowe
+//    Copyright (C) 2010 Matteo Lucarelli
+//    Copyright (C) 2010-2015 Uwe Steinmann
+//
+//    This program is free software; you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation; either version 2 of the License, or
+//    (at your option) any later version.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program; if not, write to the Free Software
+//    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+include("../inc/inc.Settings.php");
+include("../inc/inc.Utils.php");
+include("../inc/inc.LogInit.php");
+include("../inc/inc.Language.php");
+include("../inc/inc.Init.php");
+include("../inc/inc.Extension.php");
+include("../inc/inc.DBInit.php");
+include("../inc/inc.ClassUI.php");
+include("../inc/inc.Authentication.php");
+
+if (!isset($_POST["documentid"]) || !is_numeric($_POST["documentid"]) || intval($_POST["documentid"])<1) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
+}
+
+$documentid = $_POST["documentid"];
+$document = $dms->getDocument($documentid);
+
+if (!is_object($document)) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
+}
+
+if ($document->getAccessMode($user) < M_ALL) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
+}
+
+if (!isset($_POST["version"]) || !is_numeric($_POST["version"]) || intval($_POST["version"])<1) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("invalid_version"));
+}
+
+$version = $_POST["version"];
+$content = $document->getContentByVersion($version);
+
+if (!is_object($content)) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("invalid_version"));
+}
+
+if (isset($_POST["startdate"])) {
+	$ts = makeTsFromDate($_POST["startdate"]);
+} else {
+	$ts = time();
+}
+$startdate = date('Y-m-d', $ts);
+
+if(!$content->setRevisionDate($startdate)) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("error_occured"));
+}
+
+$folder = $document->getFolder();
+
+// Retrieve a list of all users and groups that have read rights.
+// Afterwards, reorganize them in two arrays with its key being the
+// userid or groupid
+$docAccess = $document->getReadAccessList($settings->_enableAdminRevApp, $settings->_enableOwnerRevApp);
+$accessIndex = array("i"=>array(), "g"=>array());
+foreach ($docAccess["users"] as $i=>$da) {
+	$accessIndex["i"][$da->getID()] = $da;
+}
+foreach ($docAccess["groups"] as $i=>$da) {
+	$accessIndex["g"][$da->getID()] = $da;
+}
+
+// Retrieve list of currently assigned recipients, along with
+// their latest status.
+$revisionStatus = $content->getRevisionStatus();
+// Index the revision results for easy cross-reference with the Approvers List.
+$revisionIndex = array("i"=>array(), "g"=>array());
+foreach ($revisionStatus as $i=>$rs) {
+	if ($rs["status"]!=S_LOG_USER_REMOVED) {
+		if ($rs["type"]==0) {
+			$revisionIndex["i"][$rs["required"]] = array("status"=>$rs["status"], "idx"=>$i);
+		}
+		else if ($rs["type"]==1) {
+			$revisionIndex["g"][$rs["required"]] = array("status"=>$rs["status"], "idx"=>$i);
+		}
+	}
+}
+
+// Get the list of proposed revisors, stripping out any duplicates.
+$pIndRev = (isset($_POST["indRevisors"]) ? array_values(array_unique($_POST["indRevisors"])) : array());
+// Retrieve the list of revisor groups whose members become individual revisors
+if (isset($_POST["grpIndRevisors"])) {
+	foreach ($_POST["grpIndRevisors"] as $grp) {
+		if($group = $dms->getGroup($grp)) {
+			$members = $group->getUsers();
+			foreach($members as $member) {
+				if(!in_array($member->getID(), $pIndRev))
+					$pIndRev[] = $member->getID();
+			}
+		}
+	}
+}
+$pGrpRev = (isset($_POST["grpRevisors"]) ? array_values(array_unique($_POST["grpRevisors"])) : array());
+foreach ($pIndRev as $p) {
+	if (is_numeric($p)) {
+		if (isset($accessIndex["i"][$p])) {
+			// Proposed recipient is on the list of possible recipients.
+			if (!isset($revisionIndex["i"][$p])) {
+				// Proposed recipient is not a current recipient, so add as a new
+				// recipient.
+				$res = $content->addIndRevisor($accessIndex["i"][$p], $user);
+				$unm = $accessIndex["i"][$p]->getFullName();
+				$uml = $accessIndex["i"][$p]->getEmail();
+				
+				switch ($res) {
+					case 0:
+						// Send an email notification to the new recipient.
+						if($settings->_enableNotificationAppRev) {
+							if ($notifier) {
+								$notifier->sendAddRevisionMail($content, $user, $accessIndex["i"][$p]);
+							}
+						}
+						break;
+					case -1:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("internal_error"));
+						break;
+					case -2:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
+						break;
+					case -3:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("revisor_already_assigned"));
+						break;
+					case -4:
+						// email error
+						break;
+				}
+			}
+			else {
+				// Proposed recipient is already in the list of recipients.
+				// Remove revisor from the index of possible revisors. If there are
+				// any revisors left over in the list of possible revisors, they
+				// will be removed from the revision process for this document revision.
+				unset($revisionIndex["i"][$p]);
+			}
+		}
+	}
+}
+if (count($revisionIndex["i"]) > 0) {
+	foreach ($revisionIndex["i"] as $rx=>$rv) {
+	//	if ($rv["status"] == 0) {
+			// User is to be removed from the recipients list.
+			if (!isset($accessIndex["i"][$rx])) {
+				// User does not have any revision privileges for this document
+				// revision or does not exist.
+				$res = $content->delIndRevisor($dms->getUser($rx), $user, getMLText("removed_revisor"));
+			}
+			else {
+				$res = $content->delIndRevisor($accessIndex["i"][$rx], $user);
+				$unm = $accessIndex["i"][$rx]->getFullName();
+				$uml = $accessIndex["i"][$rx]->getEmail();
+				switch ($res) {
+					case 0:
+						// Send an email notification to the recipients.
+						if($settings->_enableNotificationAppRev) {
+							if ($notifier) {
+								$notifier->sendDeleteRevisionMail($content, $user, $accessIndex["i"][$rx]);
+							}
+						}
+						break;
+					case -1:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("internal_error"));
+						break;
+					case -2:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
+						break;
+					case -3:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("recipient_already_removed"));
+						break;
+					case -4:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("recipient_was_active"));
+						break;
+				}
+			}
+//		}
+	}
+}
+foreach ($pGrpRev as $p) {
+	if (is_numeric($p)) {
+		if (isset($accessIndex["g"][$p])) {
+			// Proposed recipient is on the list of possible recipients.
+			if (!isset($revisionIndex["g"][$p])) {
+				// Proposed recipient is not a current recipient, so add as a new
+				// recipient.
+				$res = $content->addGrpRevisor($accessIndex["g"][$p], $user);
+				$gnm = $accessIndex["g"][$p]->getName();
+				switch ($res) {
+					case 0:
+						// Send an email notification to the new recipient.
+						if($settings->_enableNotificationAppRev) {
+							if ($notifier) {
+								$notifier->sendAddRevisionMail($content, $user, $accessIndex["g"][$p]);
+							}
+						}
+						break;
+					case -1:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("internal_error"));
+						break;
+					case -2:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
+						break;
+					case -3:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("recipient_already_assigned"));
+						break;
+					case -4:
+						// email error
+						break;
+				}
+			}
+			else {
+				// Remove recipient from the index of possible revisors.
+				unset($revisionIndex["g"][$p]);
+			}
+		}
+	}
+}
+if (count($revisionIndex["g"]) > 0) {
+	foreach ($revisionIndex["g"] as $rx=>$rv) {
+//		if ($rv["status"] == 0) {
+			// Group is to be removed from the recipientist.
+			if (!isset($accessIndex["g"][$rx])) {
+				// Group does not have any revision privileges for this document
+				// revision or does not exist.
+				$res = $content->delGrpRevisor($dms->getGroup($rx), $user, getMLText("removed_revisor"));
+			}
+			else {
+				$res = $content->delGrpRevisor($accessIndex["g"][$rx], $user);
+				$gnm = $accessIndex["g"][$rx]->getName();
+				switch ($res) {
+					case 0:
+						// Send an email notification to the recipients group.
+						if($settings->_enableNotificationAppRev) {
+							if ($notifier) {
+								$notifier->sendDeleteRevisionMail($content, $user, $accessIndex["g"][$rx]);
+							}
+						}
+						break;
+					case -1:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("internal_error"));
+						break;
+					case -2:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
+						break;
+					case -3:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("recipient_already_removed"));
+						break;
+					case -4:
+						UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("recipient_was_active"));
+						break;
+				}
+			}
+//		}
+	}
+}
+
+/* If all revisors has been removed, then clear the next revision date */
+if(!$pIndRev && !$pGrpRev) {
+	$content->setRevisionDate(false);
+}
+
+/* Recheck status, because all revisors could have been removed */
+$content->verifyStatus(false, $user, getMLText('automatic_status_update'), $settings->_initialDocumentStatus);
+
+add_log_line("?documentid=".$documentid);
+header("Location:../out/out.DocumentVersionDetail.php?documentid=".$documentid."&version=".$version);
+
+?>

op/op.Settings.php

@@ -139,8 +139,10 @@ if ($action == "saveSettings")
   setBoolValue("enableSessionList");
   setBoolValue("enableClipboard");
   setBoolValue("alwaysShowClipboard");
+  setBoolValue("enableMenuTransmittals");
   setBoolValue("enableMenuTasks");
   setBoolValue("alwaysShowMenuTasks");
+  $settings->_tasksInMenu = isset($_POST["tasksInMenu"]) ? $_POST["tasksInMenu"] : array();
   setBoolValue("enableDropFolderList");
   setBoolValue("enableDropUpload");
   setBoolValue("enableMultiUpload");
@@ -157,6 +159,7 @@ if ($action == "saveSettings")
   setStrValue("sortFoldersDefault");
   setStrValue("defaultDocPosition");
   setStrValue("defaultFolderPosition");
+  setIntValue("libraryFolder");
 
   // SETTINGS - SITE - WEBDAV
 	setBoolValue("enableWebdavReplaceDoc");
@@ -182,6 +185,8 @@ if ($action == "saveSettings")
   setDirValue("extraPath");
   setDirValue("dropFolderDir");
   setDirValue("backupDir");
+  setDirValue("checkOutDir");
+  setBoolValue("createCheckOutDir");
   setStrValue("repositoryUrl");
   setDirValue("proxyUrl");
   setDirValue("proxyUser");
@@ -197,6 +202,7 @@ if ($action == "saveSettings")
   // SETTINGS - SYSTEM - AUTHENTICATION
   setBoolValue("enableGuestLogin");
   setBoolValue("enableGuestAutoLogin");
+  setBoolValue("enable2FactorAuthentication");
   setBoolValue("enableLoginByEmail");
   setBoolValue("restricted");
   setBoolValue("enableUserImage");
@@ -249,11 +255,19 @@ if ($action == "saveSettings")
   // SETTINGS - ADVANCED - EDITION
   setStrValue("versioningFileName");
   setStrValue("presetExpirationDate");
+  setStrValue("initialDocumentStatus");
   setStrValue("workflowMode");
+  setBoolValue("enableReceiptWorkflow");
+  setBoolValue("enableReceiptReject");
+  setBoolValue("disableReceiptComment");
+  setBoolValue("enableRevisionWorkflow");
+  setBoolValue("enableRevisionOnVoteReject");
   setBoolValue("allowReviewerOnly");
+  setBoolValue("allowChangeRevAppInProcess");
   setBoolValue("enableAdminRevApp");
   setBoolValue("enableOwnerRevApp");
   setBoolValue("enableSelfRevApp");
+  setBoolValue("enableSelfReceipt");
   setBoolValue("addManagerAsReviewer");
   setBoolValue("addManagerAsApprover");
   setArrayValue("globalReviewer");
@@ -262,11 +276,17 @@ if ($action == "saveSettings")
   setArrayValue("globalGroupApprover");
   setBoolValue("enableUpdateRevApp");
   setBoolValue("enableRemoveRevApp");
+  setBoolValue("enableAdminReceipt");
+  setBoolValue("enableOwnerReceipt");
+  setBoolValue("enableUpdateReceipt");
+  setBoolValue("enableFilterReceipt");
   setBoolValue("enableVersionDeletion");
   setBoolValue("enableVersionModification");
   setBoolValue("enableDuplicateDocNames");
   setBoolValue("enableDuplicateSubFolderNames");
+  setBoolValue("enableCancelCheckout");
   setBoolValue("overrideMimeType");
+  setBoolValue("advancedAcl");
   setBoolValue("removeFromDropFolder");
   setBoolValue("uploadedAttachmentIsPublic");
 

op/op.Setup2Factor.php

@@ -0,0 +1,40 @@
+<?php
+//    MyDMS. Document Management System
+//    Copyright (C) 2002-2005  Markus Westphal
+//    Copyright (C) 2006-2008 Malcolm Cowe
+//    Copyright (C) 2009-2012 Uwe Steinmann
+//
+//    This program is free software; you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation; either version 2 of the License, or
+//    (at your option) any later version.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program; if not, write to the Free Software
+//    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+include("../inc/inc.Settings.php");
+include("../inc/inc.LogInit.php");
+include("../inc/inc.Language.php");
+include("../inc/inc.Init.php");
+include("../inc/inc.Extension.php");
+include("../inc/inc.DBInit.php");
+include("../inc/inc.ClassUI.php");
+include("../inc/inc.Authentication.php");
+include("../inc/inc.ClassPasswordStrength.php");
+include("../inc/inc.ClassPasswordHistoryManager.php");
+
+if ($user->isGuest()) {
+	UI::exitError(getMLText("2_fact_auth"),getMLText("access_denied"));
+}
+
+$secret = $_POST["secret"];
+
+$user->setSecret($secret);
+
+header("Location:../out/out.Setup2Factor.php");

op/op.SubstituteUser.php

@@ -37,7 +37,17 @@ if (!isset($_GET["userid"])) {
 
 /* Check if user is allowed to switch to a different user */
 if (!$user->isAdmin()) {
-	UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
+	$substitutes = $user->getReverseSubstitutes();
+	$found = false;
+	foreach($substitutes as $subsuser) {
+		/* Make sure a substitution is allowed and the substituted user
+		 * is not an admin.
+		 */
+		if($subsuser->getID() == $_GET["userid"] && !$subsuser->isAdmin())
+			$found = true;
+	}
+	if(!$found)
+		UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
 }
 
 $session->setSu($_GET['userid']);

op/op.TimelineFeedPreview.php

@@ -0,0 +1,77 @@
+<?php
+//    MyDMS. Document Management System
+//    Copyright (C) 2002-2005  Markus Westphal
+//    Copyright (C) 2006-2008 Malcolm Cowe
+//    Copyright (C) 2010 Matteo Lucarelli
+//    Copyright (C) 2010-2016 Uwe Steinmann
+//
+//    This program is free software; you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation; either version 2 of the License, or
+//    (at your option) any later version.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program; if not, write to the Free Software
+//    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+include("../inc/inc.Settings.php");
+include("../inc/inc.Utils.php");
+include("../inc/inc.LogInit.php");
+include("../inc/inc.Language.php");
+include("../inc/inc.Init.php");
+include("../inc/inc.Extension.php");
+include("../inc/inc.DBInit.php");
+include("../inc/inc.ClassUI.php");
+include("../inc/inc.ClassController.php");
+include("../inc/inc.BasicAuthentication.php");
+
+if(empty($_GET['hash']))
+	exit;
+
+$token = new SeedDMS_JwtToken($settings->_encryptionKey);
+if(!($tokenstr = $token->jwtDecode($_GET['hash'])))
+	exit;
+
+$tokendata = json_decode($tokenstr, true);
+
+if (!isset($tokendata['d']) || !is_numeric($tokendata['d'])) {
+	exit;
+}
+
+$document = $dms->getDocument($tokendata['d']);
+if (!is_object($document)) {
+	exit;
+}
+
+if (!isset($tokendata['u']) || !is_numeric($tokendata['u'])) {
+	exit;
+}
+
+$user = $dms->getUser($tokendata['u']);
+if (!is_object($user)) {
+	exit;
+}
+
+if ($document->getAccessMode($user) < M_READ) {
+	exit;
+}
+
+if (!isset($tokendata['v']) || !is_numeric($tokendata['v'])) {
+	exit;
+}
+
+$controller = Controller::factory('Preview', array('dms'=>$dms, 'user'=>$user));
+$controller->setParam('width', !empty($tokendata["w"]) ? $tokendata["w"] : null);
+$controller->setParam('document', $document);
+$controller->setParam('version', $tokendata['v']);
+$controller->setParam('type', 'version');
+if(!$controller->run()) {
+	header('Content-Type: image/svg+xml');
+	readfile('../views/'.$theme.'/images/empty.svg');
+	exit;
+}

op/op.TransferDocument.php

@@ -31,7 +31,7 @@ include("../inc/inc.Authentication.php");
 
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));
-$accessop = new SeedDMS_AccessOperation($dms, null, $user, $settings);
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
 if (!$accessop->check_controller_access($controller, $_POST)) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
 }

op/op.TransmittalDownload.php

@@ -0,0 +1,51 @@
+<?php
+//    MyDMS. Document Management System
+//    Copyright (C) 2002-2005  Markus Westphal
+//    Copyright (C) 2006-2008 Malcolm Cowe
+//    Copyright (C) 2010 Matteo Lucarelli
+//    Copyright (C) 2011-2013 Uwe Steinmann
+//
+//    This program is free software; you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation; either version 2 of the License, or
+//    (at your option) any later version.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program; if not, write to the Free Software
+//    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+include("../inc/inc.Settings.php");
+include("../inc/inc.Utils.php");
+include("../inc/inc.LogInit.php");
+include("../inc/inc.Language.php");
+include("../inc/inc.Init.php");
+include("../inc/inc.Extension.php");
+include("../inc/inc.DBInit.php");
+include("../inc/inc.ClassUI.php");
+include("../inc/inc.ClassController.php");
+include("../inc/inc.Authentication.php");
+
+$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
+$controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));
+
+if(isset($_GET["transmittalid"])) {
+	$transmittalid = $_GET["transmittalid"];
+	$transmittal = $dms->getTransmittal($transmittalid);
+
+	if (!is_object($transmittal)) {
+		UI::exitError(getMLText("my_account"), getMLText("invalid_version"));
+	}
+
+	if($transmittal->getUser()->getID() != $user->getID()) {
+		UI::exitError(getMLText("my_account"), getMLText("access_denied"));
+	}
+
+
+	$controller->setParam('transmittal', $transmittal);
+	$controller->run();
+}

op/op.TransmittalMgr.php

@@ -0,0 +1,197 @@
+<?php
+//    MyDMS. Document Management System
+//    Copyright (C) 2002-2005  Markus Westphal
+//    Copyright (C) 2006-2008 Malcolm Cowe
+//    Copyright (C) 2010 Matteo Lucarelli
+//    Copyright (C) 2010-2012 Uwe Steinmann
+//
+//    This program is free software; you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation; either version 2 of the License, or
+//    (at your option) any later version.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program; if not, write to the Free Software
+//    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+include("../inc/inc.Settings.php");
+include("../inc/inc.Utils.php");
+include("../inc/inc.LogInit.php");
+include("../inc/inc.Language.php");
+include("../inc/inc.Init.php");
+include("../inc/inc.Extension.php");
+include("../inc/inc.DBInit.php");
+include("../inc/inc.ClassUI.php");
+include("../inc/inc.Authentication.php");
+
+if ($user->isGuest()) {
+	UI::exitError(getMLText("my_transmittals"),getMLText("access_denied"));
+}
+
+if (isset($_POST["action"])) $action=$_POST["action"];
+else $action=NULL;
+
+// add new transmittal ---------------------------------------------------
+if ($action == "addtransmittal") { /* {{{ */
+	
+	/* Check if the form data comes for a trusted request */
+	if(!checkFormKey('addtransmittal')) {
+		UI::exitError(getMLText("my_transmittals"),getMLText("invalid_request_token"));
+	}
+
+	$name    = $_POST["name"];
+	$comment = $_POST["comment"];
+
+	$newTransmittal = $dms->addTransmittal($name, $comment, $user);
+	if ($newTransmittal) {
+	}
+	else UI::exitError(getMLText("my_transmittals"),getMLText("access_denied"));
+	
+	$transmittalid=$newTransmittal->getID();
+	
+	$session->setSplashMsg(array('type'=>'success', 'msg'=>getMLText('splash_add_transmittal')));
+
+	add_log_line(".php&action=addtransmittal&name=".$name);
+} /* }}} */
+
+// delete transmittal ------------------------------------------------------------
+else if ($action == "removetransmittal") { /* {{{ */
+
+	/* Check if the form data comes for a trusted request */
+	if(!checkFormKey('removetransmittal')) {
+		UI::exitError(getMLText("my_transmittals"),getMLText("invalid_request_token"));
+	}
+
+	if (isset($_POST["transmittalid"])) {
+		$transmittalid = $_POST["transmittalid"];
+	}
+
+	if (!isset($transmittalid) || !is_numeric($transmittalid) || intval($transmittalid)<1) {
+		UI::exitError(getMLText("my_transmittals"),getMLText("invalid_transmittal_id"));
+	}
+
+	$transmittalToRemove = $dms->getTransmittal($transmittalid);
+	if (!is_object($transmittalToRemove)) {
+		UI::exitError(getMLText("my_transmittals"),getMLText("invalid_transmittal_id"));
+	}
+
+	if (!$transmittalToRemove->remove()) {
+		UI::exitError(getMLText("my_transmittals"),getMLText("error_occured"));
+	}
+	add_log_line(".php&action=removetransmittal&transmittalid=".$transmittalid);
+	
+	$session->setSplashMsg(array('type'=>'success', 'msg'=>getMLText('splash_rm_transmittal')));
+	$transmittalid=-1;
+} /* }}} */
+
+// modify transmittal ----------------------------------------------------
+else if ($action == "edittransmittal") { /* {{{ */
+
+	/* Check if the form data comes for a trusted request */
+	if(!checkFormKey('edittransmittal')) {
+		UI::exitError(getMLText("my_transmittals"),getMLText("invalid_request_token"));
+	}
+
+	if (!isset($_POST["transmittalid"]) || !is_numeric($_POST["transmittalid"]) || intval($_POST["transmittalid"])<1) {
+		UI::exitError(getMLText("my_transmittals"),getMLText("invalid_transmittal"));
+	}
+	
+	$transmittalid=$_POST["transmittalid"];
+	$editedTransmittal = $dms->getTransmittal($transmittalid);
+	
+	if (!is_object($editedTransmittal)) {
+		UI::exitError(getMLText("my_transmittals"),getMLText("invalid_transmittal"));
+	}
+
+	$name = $_POST["name"];
+	$comment = $_POST["comment"];
+	
+	if ($editedTransmittal->getName() != $name)
+		$editedTransmittal->setName($name);
+	if ($editedTransmittal->getComment() != $comment)
+		$editedTransmittal->setComment($comment);
+
+	$session->setSplashMsg(array('type'=>'success', 'msg'=>getMLText('splash_edit_transmittal')));
+	add_log_line(".php&action=edittransmittal&transmittalid=".$transmittalid);
+} /* }}} */
+
+// remove transmittal item ------------------------------------------------
+else if ($action == "removetransmittalitem") { /* {{{ */
+
+	if(!checkFormKey('removetransmittalitem', 'POST')) {
+		header('Content-Type: application/json');
+		echo json_encode(array('success'=>false, 'message'=>getMLText('invalid_request_token'), 'data'=>''));
+	} else {
+		$item = SeedDMS_Core_TransmittalItem::getInstance((int) $_REQUEST['id'], $dms);
+		if($item) {
+			$transmittal = $item->getTransmittal();
+			if($transmittal) {
+				if ($transmittal->getUser()->getID() == $user->getID()) {
+					if($item->remove()) {
+						header('Content-Type: application/json');
+						echo json_encode(array('success'=>true, 'message'=>'', 'data'=>''));
+					} else {
+						header('Content-Type: application/json');
+						echo json_encode(array('success'=>false, 'message'=>'Error removing transmittal item', 'data'=>''));
+					}
+				} else {
+					header('Content-Type: application/json');
+					echo json_encode(array('success'=>false, 'message'=>'No access', 'data'=>''));
+				}
+			} else {
+				header('Content-Type: application/json');
+				echo json_encode(array('success'=>false, 'message'=>'No transmittal', 'data'=>''));
+			}
+		} else {
+			header('Content-Type: application/json');
+			echo json_encode(array('success'=>false, 'message'=>'No transmittal item', 'data'=>''));
+		}
+	}
+	add_log_line(".php&action=removetransmittalitem&id=".$_REQUEST['id']);
+	exit;
+} /* }}} */
+
+// update transmittal item ------------------------------------------------
+else if ($action == "updatetransmittalitem") { /* {{{ */
+	if(!checkFormKey('updatetransmittalitem', 'POST')) {
+		header('Content-Type: application/json');
+		echo json_encode(array('success'=>false, 'message'=>getMLText('invalid_request_token'), 'data'=>''));
+	} else {
+		$item = SeedDMS_Core_TransmittalItem::getInstance((int) $_REQUEST['id'], $dms);
+		if($item) {
+			$transmittal = $item->getTransmittal();
+			if($transmittal) {
+				if ($transmittal->getUser()->getID() == $user->getID()) {
+					if($item->updateContent()) {
+						header('Content-Type: application/json');
+						echo json_encode(array('success'=>true, 'message'=>'', 'data'=>''));
+					} else {
+						header('Content-Type: application/json');
+						echo json_encode(array('success'=>false, 'message'=>'Error updating transmittal item', 'data'=>''));
+					}
+				} else {
+					header('Content-Type: application/json');
+					echo json_encode(array('success'=>false, 'message'=>'No access', 'data'=>''));
+				}
+			} else {
+				header('Content-Type: application/json');
+				echo json_encode(array('success'=>false, 'message'=>'No transmittal', 'data'=>''));
+			}
+		} else {
+			header('Content-Type: application/json');
+			echo json_encode(array('success'=>false, 'message'=>'No transmittal item', 'data'=>''));
+		}
+	}
+	add_log_line(".php&action=updatetransmittalitem&id=".$_REQUEST['id']);
+	exit;
+} /* }}} */
+else UI::exitError(getMLText("my_transmittals"),getMLText("unknown_command"));
+
+header("Location:../out/out.TransmittalMgr.php?transmittalid=".$transmittalid);
+
+

op/op.UnlockDocument.php

@@ -29,6 +29,11 @@ require_once("inc/inc.DBInit.php");
 require_once("inc/inc.ClassUI.php");
 require_once("inc/inc.Authentication.php");
 
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if (!$accessop->check_controller_access('UnlockDocument', $_POST)) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
+}
+
 /* Check if the form data comes from a trusted request */
 if(!checkFormKey('unlockdocument', 'GET')) {
 	UI::exitError(getMLText("document_title"), getMLText("invalid_request_token"));
@@ -44,6 +49,11 @@ if (!is_object($document)) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
 
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if (!$accessop->check_controller_access('LockDocument', $_POST)) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
+}
+
 $folder = $document->getFolder();
 $docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".$document->getName()."</a>";
 

op/op.UpdateDocument.php

@@ -31,6 +31,10 @@ include("../inc/inc.ClassController.php");
 
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if (!$accessop->check_controller_access($controller, $_POST)) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
+}
 
 /* if post_max_size is to small, then $_POST will not be set and the content
  * lenght will exceed post_max_size
@@ -210,10 +214,13 @@ default:
 	// Get the list of reviewers and approvers for this document.
 	$reviewers = array();
 	$approvers = array();
+	$recipients = array();
 	$reviewers["i"] = array();
 	$reviewers["g"] = array();
 	$approvers["i"] = array();
 	$approvers["g"] = array();
+	$recipients["i"] = array();
+	$recipients["g"] = array();
 	$workflow = null;
 
 	if($settings->_workflowMode == 'traditional' || $settings->_workflowMode == 'traditional_only_approval') {
@@ -232,6 +239,16 @@ default:
 					$reviewers["g"][] = $grp;
 				}
 			}
+			// Retrieve the list of reviewer groups whose members become individual reviewers
+			if (isset($_POST["grpIndReviewers"])) {
+				foreach ($_POST["grpIndReviewers"] as $grp) {
+					if($group = $dms->getGroup($grp)) {
+						$members = $group->getUsers();
+						foreach($members as $member)
+							$reviewers["i"][] = $member->getID();
+					}
+				}
+			}
 		}
 
 		// Retrieve the list of individual approvers from the form.
@@ -248,6 +265,16 @@ default:
 				$approvers["g"][] = $grp;
 			}
 		}
+		// Retrieve the list of reviewer groups whose members become individual approvers
+		if (isset($_POST["grpIndApprovers"])) {
+			foreach ($_POST["grpIndApprovers"] as $grp) {
+				if($group = $dms->getGroup($grp)) {
+					$members = $group->getUsers();
+					foreach($members as $member)
+						$approvers["i"][] = $member->getID();
+				}
+			}
+		}
 
 		// add mandatory reviewers/approvers
 		if($settings->_workflowMode == 'traditional') {
@@ -262,6 +289,13 @@ default:
 			$approvers['i'] = array_merge($approvers['i'], $mapprovers['i']);
 		if($mapprovers['g'])
 			$approvers['g'] = array_merge($approvers['g'], $mapprovers['g']);
+
+		if($settings->_workflowMode == 'traditional' && !$settings->_allowReviewerOnly) {
+			/* Check if reviewers are send but no approvers */
+			if(($reviewers["i"] || $reviewers["g"]) && !$approvers["i"] && !$approvers["g"]) {
+				UI::exitError(getMLText("folder_title", array("foldername" => $folder->getName())),getMLText("error_uploading_reviewer_only"));
+			}
+		}
 	} elseif($settings->_workflowMode == 'advanced') {
 		if(!$workflows = $user->getMandatoryWorkflows()) {
 			if(isset($_POST["workflow"]))
@@ -279,6 +313,35 @@ default:
 		}
 	}
 
+	// Retrieve the list of individual recipients from the form.
+	$recipients["i"] = array();
+	if (isset($_POST["indRecipients"])) {
+		foreach ($_POST["indRecipients"] as $ind) {
+			$recipients["i"][] = $ind;
+		}
+	}
+	// Retrieve the list of recipient groups from the form.
+	$recipients["g"] = array();
+	if (isset($_POST["grpRecipients"])) {
+		foreach ($_POST["grpRecipients"] as $grp) {
+			$recipients["g"][] = $grp;
+		}
+	}
+	// Retrieve the list of recipient groups whose members become individual recipients
+	if (isset($_POST["grpIndRecipients"])) {
+		foreach ($_POST["grpIndRecipients"] as $grp) {
+			if($group = $dms->getGroup($grp)) {
+				$members = $group->getUsers();
+				foreach($members as $member) {
+					/* Do not add the uploader itself as recipient */
+					if(!$settings->_enableFilterReceipt || ($member->getID() != $user->getID() && !in_array($member->getID(), $reviewers['i'])))
+						if(!in_array($member->getID(), $recipients["i"]))
+							$recipients["i"][] = $member->getID();
+				}
+			}
+		}
+	}
+
 	if(isset($_POST["attributes_version"]) && $_POST["attributes_version"]) {
 		$attributes = $_POST["attributes_version"];
 		foreach($attributes as $attrdefid=>$attribute) {
@@ -315,8 +378,10 @@ default:
 	$controller->setParam('userfiletype', $userfiletype);
 	$controller->setParam('reviewers', $reviewers);
 	$controller->setParam('approvers', $approvers);
+	$controller->setParam('recipients', $recipients);
 	$controller->setParam('attributes', $attributes);
 	$controller->setParam('workflow', $workflow);
+	$controller->setParam('initialdocumentstatus', $settings->_initialDocumentStatus);
 	$controller->setParam('maxsizeforfulltext', $settings->_maxSizeForFullText);
 
 	if(!$content = $controller()) {

op/op.UpdateDocument2.php

@@ -155,7 +155,7 @@ if( move_uploaded_file( $source_file_path, $target_file_path ) ) {
 		}
 
 		$filesize = SeedDMS_Core_File::fileSize($userfiletmp);
-		$contentResult=$document->addContent($comment, $user, $userfiletmp, basename($userfilename), $fileType, $userfiletype, $reviewers, $approvers);
+		$contentResult=$document->addContent($comment, $user, $userfiletmp, basename($userfilename), $fileType, $userfiletype, $reviewers, $approvers, $version=0, null, null, $settings->_initialDocumentStatus);
 		unlink($userfiletmp);
 		if (is_bool($contentResult) && !$contentResult) {
 			echo getMLText("error_occured");

op/op.UsrMgr.php

@@ -34,7 +34,7 @@ if (!$user->isAdmin()) {
 	UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
 }
 
-$accessop = new SeedDMS_AccessOperation($dms, null, $user, $settings);
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
 if (!$accessop->check_controller_access('UsrMgr', $_POST)) {
 	UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
 }
@@ -69,7 +69,7 @@ if ($action == "adduser") {
 	if ($settings->_strictFormCheck && !$comment) {
 		UI::exitError(getMLText("admin_tools"),getMLText("user_comment_missing"));
 	}
-	$role    = preg_replace('/[^0-2]+/', '', $_POST["role"]);
+	$role    = $dms->getRole($_POST["role"]);
 	$isHidden = (isset($_POST["ishidden"]) && $_POST["ishidden"]==1 ? 1 : 0);
 	$isDisabled = (isset($_POST["isdisabled"]) && $_POST["isdisabled"]==1 ? 1 : 0);
 	$homefolder = (isset($_POST["homefolder"]) ? $_POST["homefolder"] : 0);
@@ -103,6 +103,14 @@ if ($action == "adduser") {
 				$group->addUser($newUser);
 			}
 		}
+
+		/* Set substitute user if set */
+		if(isset($_POST["substitute"]) && $_POST["substitute"]) {
+			foreach($_POST["substitute"] as $substitute) {
+				$subsuser = $dms->getUser($substitute);
+				$newUser->addSubstitute($subsuser);
+			}
+		}
 	}
 	else UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
 	
@@ -227,6 +235,10 @@ else if ($action == "removefromprocesses") {
 			$_POST["status"]["review"] = array();
 		if(!isset($_POST["status"]["approval"]))
 			$_POST["status"]["approval"] = array();
+		if(!isset($_POST["status"]["receipt"]))
+			$_POST["status"]["receipt"] = array();
+		if(!isset($_POST["status"]["revision"]))
+			$_POST["status"]["revision"] = array();
 		if(!empty($_POST['needsdocs']) && empty($_POST['docs'])) {
 			$session->setSplashMsg(array('type'=>'error', 'msg'=>getMLText('error_rm_user_processes_no_docs')));
 		} else {
@@ -362,7 +374,7 @@ else if ($action == "edituser") {
 	$email   = $_POST["email"];
 	$comment = $_POST["comment"];
 	$theme = $_POST["theme"];
-	$role    = preg_replace('/[^0-2]+/', '', $_POST["role"]);
+	$role    = $dms->getRole($_POST["role"]);
 	$isHidden = (isset($_POST["ishidden"]) && $_POST["ishidden"]==1 ? 1 : 0);
 	$isDisabled = (isset($_POST["isdisabled"]) && $_POST["isdisabled"]==1 ? 1 : 0);
 	$homefolder = (isset($_POST["homefolder"]) ? $_POST["homefolder"] : 0);
@@ -384,9 +396,9 @@ else if ($action == "edituser") {
 	}
 	if ($editedUser->getLogin() != $login)
 		$editedUser->setLogin($login);
-	if($pwdexpiration)
+	if($pwdexpiration != 'keep')
 		$editedUser->setPwdExpiration($pwdexpiration);
-	if(($role == SeedDMS_Core_User::role_guest) && $clearpwd) {
+	if($role->isGuest() && $clearpwd) {
 		$editedUser->setPwd('');
 	} else {
 		if (isset($pwd) && ($pwd != "")) {
@@ -478,6 +490,26 @@ else if ($action == "edituser") {
 		$group->removeUser($editedUser);
 	}
 
+	/* Set substitute user if set */
+	if(isset($_POST["substitute"]) && $_POST["substitute"]) 
+		$newsubs = $_POST['substitute'];
+	else
+		$newsubs = array();
+	$oldsubs = array();
+	foreach($editedUser->getSubstitutes() as $k)
+		$oldsubs[] = $k->getID();
+
+	$addsubs = array_diff($newsubs, $oldsubs);
+	foreach($addsubs as $subid) {
+		$subsuser = $dms->getUser($subid);
+		$editedUser->addSubstitute($subsuser);
+	}
+	$delsubs = array_diff($oldsubs, $newsubs);
+	foreach($delsubs as $subid) {
+		$subsuser = $dms->getUser($subid);
+		$editedUser->removeSubstitute($subsuser);
+	}
+
 	$session->setSplashMsg(array('type'=>'success', 'msg'=>getMLText('splash_edit_user')));
 	add_log_line(".php&action=edituser&userid=".$userid);
 }

op/op.ViewOnline.php

@@ -31,6 +31,10 @@ include("../inc/inc.Authentication.php");
 
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if (!$accessop->check_controller_access($controller, $_POST)) {
+	UI::exitError(getMLText("document_title", array("documentname" => "")),getMLText("access_denied"));
+}
 
 $documentid = $_GET["documentid"];
 if (!isset($documentid) || !is_numeric($documentid) || intval($documentid)<1) {