Merge branch 'develop' into task/FOUR-28803

Author: nolanpro

ProcessMaker/Http/Controllers/Auth/ForgotPasswordController.php

@@ -3,7 +3,10 @@
 namespace ProcessMaker\Http\Controllers\Auth;
 
 use Illuminate\Foundation\Auth\SendsPasswordResetEmails;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Password;
 use ProcessMaker\Http\Controllers\Controller;
+use ProcessMaker\Models\User;
 
 class ForgotPasswordController extends Controller
 {
@@ -29,4 +32,30 @@ public function __construct()
     {
         $this->middleware('guest');
     }
+
+    /**
+     * Send a reset link to the given user.
+     * Blocked or inactive users will not receive the reset email for security reasons.
+     *
+     * @param  Request  $request
+     * @return \Illuminate\Http\RedirectResponse|\Illuminate\Http\JsonResponse
+     */
+    public function sendResetLinkEmail(Request $request)
+    {
+        $this->validateEmail($request);
+
+        $user = User::where('email', $request->input('email'))->first();
+
+        if ($user && ($user->status === 'BLOCKED' || $user->status === 'INACTIVE')) {
+            return $this->sendResetLinkResponse($request, Password::RESET_LINK_SENT);
+        }
+
+        $response = $this->broker()->sendResetLink(
+            $this->credentials($request)
+        );
+
+        return $response == Password::RESET_LINK_SENT
+            ? $this->sendResetLinkResponse($request, $response)
+            : $this->sendResetLinkFailedResponse($request, $response);
+    }
 }

ProcessMaker/Http/Controllers/Auth/ResetPasswordController.php

@@ -4,6 +4,8 @@
 
 use Illuminate\Foundation\Auth\ResetsPasswords;
 use Illuminate\Http\Request;
+use Illuminate\Validation\Rules\Password;
+use Illuminate\Validation\ValidationException;
 use ProcessMaker\Http\Controllers\Controller;
 use ProcessMaker\Models\User;
 
@@ -20,7 +22,9 @@ class ResetPasswordController extends Controller
     |
     */
 
-    use ResetsPasswords;
+    use ResetsPasswords {
+        reset as protected performPasswordReset;
+    }
 
     /**
      * Where to redirect users after resetting their password.
@@ -46,8 +50,96 @@ public function __construct()
      */
     public function showResetForm(Request $request, $token)
     {
-        $username = User::where('email', $request->input('email'))->firstOrFail()->username;
+        $user = User::where('email', $request->input('email'))->firstOrFail();
+
+        if ($user->status === 'BLOCKED') {
+            return redirect()->route('password.request')
+                ->withErrors(['email' => __('passwords.blocked')]);
+        }
+
+        if ($user->status === 'INACTIVE') {
+            return redirect()->route('password.request')
+                ->withErrors(['email' => __('passwords.inactive')]);
+        }
+
+        return view('auth.passwords.reset', [
+            'username' => $user->username,
+            'token' => $token,
+            'email' => $request->input('email'),
+        ]);
+    }
+
+    /**
+     * Reset the given user's password.
+     * Blocked or inactive users cannot reset their password.
+     *
+     * @param  Request  $request
+     * @return \Illuminate\Http\RedirectResponse|\Illuminate\Http\JsonResponse
+     */
+    public function reset(Request $request)
+    {
+        $user = User::where('email', $request->input('email'))
+            ->where('username', $request->input('username'))
+            ->first();
+
+        if ($user && $user->status === 'BLOCKED') {
+            return $this->sendResetFailedResponse($request, 'passwords.blocked');
+        }
+
+        if ($user && $user->status === 'INACTIVE') {
+            return $this->sendResetFailedResponse($request, 'passwords.inactive');
+        }
+
+        if (!$user) {
+            return redirect()->back()
+                ->withInput($request->only('email', 'username'))
+                ->withErrors(['email' => __('passwords.account_not_found')]);
+        }
+
+        return $this->performPasswordReset($request);
+    }
+
+    /**
+     * Get the password reset validation rules.
+     */
+    protected function rules(): array
+    {
+        return [
+            'token' => 'required',
+            'email' => 'required|email',
+            'username' => 'required|string',
+            'password' => ['required', 'confirmed', Password::defaults()],
+        ];
+    }
+
+    /**
+     * Get the password reset credentials from the request.
+     * Include username so the broker resolves the same user as email+username (not email alone).
+     */
+    protected function credentials(Request $request): array
+    {
+        return $request->only(
+            'email',
+            'username',
+            'password',
+            'password_confirmation',
+            'token'
+        );
+    }
+
+    /**
+     * @return \Illuminate\Http\RedirectResponse|\Illuminate\Http\JsonResponse
+     */
+    protected function sendResetFailedResponse(Request $request, $response)
+    {
+        if ($request->wantsJson()) {
+            throw ValidationException::withMessages([
+                'email' => [trans($response)],
+            ]);
+        }
 
-        return view('auth.passwords.reset', compact('username', 'token'));
+        return redirect()->back()
+            ->withInput($request->only('email', 'username'))
+            ->withErrors(['email' => trans($response)]);
     }
 }

ProcessMaker/Http/Middleware/EnsureAccountAllowsAccess.php

@@ -0,0 +1,76 @@
+<?php
+
+namespace ProcessMaker\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
+use ProcessMaker\Models\User;
+use Symfony\Component\HttpFoundation\Response;
+
+class EnsureAccountAllowsAccess
+{
+    /**
+     * Status values that cannot use the application while authenticated (aligned with LoginController).
+     */
+    private const DENIED_STATUSES = ['BLOCKED', 'INACTIVE'];
+
+    /**
+     * If any active guard has a blocked/inactive user, log out and return the appropriate response.
+     * Used by the web middleware group and by ProcessMakerAuthenticate (covers all auth:api routes, including packages).
+     */
+    public static function blockingResponseForRequest(Request $request): ?Response
+    {
+        foreach (['web', 'api'] as $guard) {
+            if (!Auth::guard($guard)->check()) {
+                continue;
+            }
+
+            /** @var User $user */
+            $user = Auth::guard($guard)->user();
+            if (!$user instanceof User || !in_array($user->status, self::DENIED_STATUSES, true)) {
+                continue;
+            }
+
+            return self::denyAccess($request, $guard, $user);
+        }
+
+        return null;
+    }
+
+    public function handle(Request $request, Closure $next): Response
+    {
+        $blocked = self::blockingResponseForRequest($request);
+        if ($blocked !== null) {
+            return $blocked;
+        }
+
+        return $next($request);
+    }
+
+    public static function denyAccess(Request $request, string $guard, User $user): Response
+    {
+        Auth::guard($guard)->logout();
+
+        if ($request->hasSession()) {
+            $request->session()->invalidate();
+            $request->session()->regenerateToken();
+        }
+
+        if ($guard === 'api' || $request->expectsJson()) {
+            $message = $user->status === 'BLOCKED'
+                ? __('Account locked after too many failed attempts. Contact administrator.')
+                : __('Unauthorized');
+
+            return response()->json(['message' => $message], 401);
+        }
+
+        return redirect()
+            ->guest(route('login'))
+            ->withErrors([
+                'username' => $user->status === 'BLOCKED'
+                    ? __('Account locked after too many failed attempts. Contact administrator.')
+                    : __('These credentials do not match our records.'),
+            ]);
+    }
+}

ProcessMaker/Http/Middleware/ProcessMakerAuthenticate.php

@@ -2,11 +2,29 @@
 
 namespace ProcessMaker\Http\Middleware;
 
+use Closure;
 use Illuminate\Auth\Middleware\Authenticate;
 use Illuminate\Support\Str;
 
 class ProcessMakerAuthenticate extends Authenticate
 {
+    /**
+     * {@inheritdoc}
+     *
+     * After a successful authenticate(), reject BLOCKED/INACTIVE users so every auth:api route
+     * (core and packages) is covered without listing middleware per route file.
+     */
+    public function handle($request, Closure $next, ...$guards)
+    {
+        $this->authenticate($request, $guards);
+
+        if ($blocked = EnsureAccountAllowsAccess::blockingResponseForRequest($request)) {
+            return $blocked;
+        }
+
+        return $next($request);
+    }
+
     protected function authenticate($request, array $guards)
     {
         $this->addAcceptJsonHeaderIfApiCall($request, $guards);

ProcessMaker/Models/ProcessRequestToken.php

@@ -17,6 +17,8 @@
 use ProcessMaker\Events\ActivityAssigned;
 use ProcessMaker\Events\ActivityReassignment;
 use ProcessMaker\Facades\WorkflowUserManager;
+use ProcessMaker\Managers\DataManager;
+use ProcessMaker\Models\MustacheExpressionEvaluator;
 use ProcessMaker\Nayra\Bpmn\TokenTrait;
 use ProcessMaker\Nayra\Contracts\Bpmn\ActivityInterface;
 use ProcessMaker\Nayra\Contracts\Bpmn\FlowElementInterface;
@@ -1440,6 +1442,59 @@ public function reassign($toUserId, User $requestingUser, $comments = '')
         }
     }
 
+    /**
+     * Build context for Mustache (end event external URL). Same as scripts/screens: _user, _request, process data, APP_URL.
+     */
+    private function getElementDestinationMustacheContext(): array
+    {
+        try {
+            $context = (new DataManager())->getData($this);
+        } catch (Throwable $e) {
+            Log::warning('Failed to load Mustache context via DataManager, falling back to request data', [
+                'token_id' => $this->id,
+                'error' => $e->getMessage(),
+            ]);
+            $request = $this->processRequest;
+            $context = array_merge($request->data ?? [], $request ? (new DataManager())->updateRequestMagicVariable([], $request) : []);
+            $user = $this->user ?? auth()->user();
+            if ($user) {
+                $userData = $user->attributesToArray();
+                unset($userData['remember_token']);
+                $context['_user'] = $userData;
+            }
+        }
+
+        $context['APP_URL'] = config('app.url');
+
+        // Never expose remember_token to Mustache (defense in depth; DataManager/fallback may already strip it)
+        if (isset($context['_user']) && is_array($context['_user'])) {
+            unset($context['_user']['remember_token']);
+        }
+
+        // Normalize to plain arrays/scalars so Mustache resolves all keys (common PHP idiom)
+        $json = json_encode($context, JSON_THROW_ON_ERROR);
+        $normalized = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
+
+        return is_array($normalized) ? $normalized : [];
+    }
+
+    /**
+     * Resolve Mustache in end event external URL. FEEL is not supported here; use Mustache only.
+     * Context: APP_URL, _request, _user, process variables (same as getElementDestinationMustacheContext).
+     *
+     * Example (Mustache):
+     *   {{APP_URL}}/admin/users/{{_request.id}}/edit     -> https://example.com/admin/users/123/edit
+     *   {{APP_URL}}/webentry/{{_request.id}}             -> https://example.com/webentry/123
+     *   {{APP_URL}}/path/{{my_process_var}}               -> uses process variable my_process_var
+     */
+    private function resolveElementDestinationUrl(string $url): string
+    {
+        $url = html_entity_decode($url, ENT_QUOTES | ENT_HTML401, 'UTF-8');
+        $context = $this->getElementDestinationMustacheContext();
+
+        return (new MustacheExpressionEvaluator())->render($url, $context);
+    }
+
     /**
      * Determines the destination based on the type of element destination property
      *
@@ -1481,6 +1536,11 @@ private function getElementDestination($elementDestinationType, $elementDestinat
                         $elementDestination = $elementDestinationProp['value']['url'] ?? null;
                     }
                 }
+                if (is_string($elementDestination) && $elementDestination !== '') {
+                    if ($elementDestinationType === 'externalURL' || $elementDestinationType === 'customDashboard') {
+                        $elementDestination = $this->resolveElementDestinationUrl($elementDestination);
+                    }
+                }
                 break;
             case 'taskList':
                 $elementDestination = route('tasks.index');

ProcessMaker/RollbackProcessRequest.php

@@ -127,6 +127,7 @@ public function rollback(
                 break;
         }
 
+        // update the process request status to active
         $processRequest = $this->newTask->processRequest;
         $processRequest->status = 'ACTIVE';
         $process = $processRequest->process;
@@ -135,9 +136,12 @@ public function rollback(
         )->id;
         $processRequest->saveOrFail();
 
+        // update the current task status to closed
         $currentTask->status = 'CLOSED';
         $currentTask->saveOrFail();
 
+        $this->syncParentProcessStatus($processRequest);
+
         return $this->newTask;
     }
 
@@ -209,4 +213,25 @@ private function addComment() : void
             'case_number' => isset($this->currentTask->case_number) ? $this->currentTask->case_number : null,
         ]);
     }
+
+    /**
+     * When the rolled-back request is a subprocess, reactivate the parent request
+     * and the parent's call activity tokens that were in error.
+     */
+    private function syncParentProcessStatus(ProcessRequest $processRequest): void
+    {
+        $parentRequest = $processRequest->parentRequest;
+        if (!$parentRequest) {
+            return;
+        }
+
+        if (in_array($parentRequest->status, ['ERROR', 'FAILING'])) {
+            $parentRequest->status = 'ACTIVE';
+            $parentRequest->saveOrFail();
+        }
+
+        ProcessRequestToken::where('subprocess_request_id', $processRequest->id)
+            ->whereIn('status', ['ERROR', 'FAILING'])
+            ->update(['status' => 'ACTIVE']);
+    }
 }