From b79afafa7745749f9490eaa72b4c885ef08e8143 Mon Sep 17 00:00:00 2001
From: Victor Ilyushchenko <alt13ri@gmail.com>
Date: Sat, 17 May 2025 00:58:25 +0300
Subject: [PATCH 1/3] EQMS-1302: fixed RBAC bypass for space / team related
 wizards and popups (develop port) (#8979)

Signed-off-by: Victor Ilyushchenko <alt13ri@gmail.com>
---
 plugins/contact-resources/src/utils.ts        | 17 ++++++++++
 plugins/contact/src/types.ts                  |  2 ++
 .../src/components/TeamPopup.svelte           | 14 ++++----
 .../create-doc/steps/LocationStep.svelte      | 10 +++---
 .../src/components/document/DocTeam.svelte    | 32 +++++++++----------
 .../popups/TransferDocumentPopup.svelte       | 10 +++---
 .../src/utils.ts                              |  4 ++-
 7 files changed, 55 insertions(+), 34 deletions(-)

diff --git a/plugins/contact-resources/src/utils.ts b/plugins/contact-resources/src/utils.ts
index 68dc0ea085..b76931500e 100644
--- a/plugins/contact-resources/src/utils.ts
+++ b/plugins/contact-resources/src/utils.ts
@@ -32,6 +32,7 @@ import {
   type PermissionsStore,
   type Person,
   type PersonsByPermission,
+  type MembersBySpace,
   type SocialIdentity
 } from '@hcengineering/contact'
 import core, {
@@ -732,19 +733,33 @@ export async function resolveLocationData (loc: Location): Promise<LocationData>
 }
 
 export function checkMyPermission (_id: Ref<Permission>, space: Ref<TypedSpace>, store: PermissionsStore): boolean {
+  const arePermissionsDisabled = getMetadata(core.metadata.DisablePermissions) ?? false
+  if (arePermissionsDisabled) return true
   return (store.whitelist.has(space) || store.ps[space]?.has(_id)) ?? false
 }
 
+export function getPermittedPersons (
+  _id: Ref<Permission>,
+  space: Ref<TypedSpace>,
+  store: PermissionsStore
+): Array<Ref<Person>> {
+  const arePermissionsDisabled = getMetadata(core.metadata.DisablePermissions) ?? false
+  if (arePermissionsDisabled) return Array.from(store.ms[space] ?? [])
+  return store.whitelist.has(space) ? Array.from(store.ms[space] ?? []) : Array.from(store.ap[space]?.[_id] ?? [])
+}
+
 const spacesStore = writable<Space[]>([])
 
 export const permissionsStore = derived([spacesStore, personRefByAccountUuidStore], ([spaces, personRefByAccount]) => {
   const whitelistedSpaces = new Set<Ref<Space>>()
   const permissionsBySpace: PermissionsBySpace = {}
   const employeesByPermission: PersonsByPermission = {}
+  const membersBySpace: MembersBySpace = {}
   const client = getClient()
   const hierarchy = client.getHierarchy()
 
   for (const s of spaces) {
+    membersBySpace[s._id] = new Set(s.members.map((m) => personRefByAccount.get(m)).filter(notEmpty))
     if (hierarchy.isDerived(s._class, core.class.TypedSpace)) {
       const type = client.getModel().findAllSync(core.class.SpaceType, { _id: (s as TypedSpace).type })[0]
       const mixin = type?.targetClass
@@ -790,6 +805,7 @@ export const permissionsStore = derived([spacesStore, personRefByAccountUuidStor
   return {
     ps: permissionsBySpace,
     ap: employeesByPermission,
+    ms: membersBySpace,
     whitelist: whitelistedSpaces
   }
 })
@@ -815,6 +831,7 @@ spaceTypesQuery.query(core.class.SpaceType, {}, (types) => {
       projection: {
         _id: 1,
         type: 1,
+        members: 1,
         ...targetClasses
       } as any
     }
diff --git a/plugins/contact/src/types.ts b/plugins/contact/src/types.ts
index 334fb0f0d6..6196244546 100644
--- a/plugins/contact/src/types.ts
+++ b/plugins/contact/src/types.ts
@@ -52,9 +52,11 @@ export const AVATAR_COLORS: ColorDefinition[] = [
 
 export type PermissionsBySpace = Record<Ref<Space>, Set<Ref<Permission>>>
 export type PersonsByPermission = Record<Ref<Space>, Record<Ref<Permission>, Set<Ref<Person>>>>
+export type MembersBySpace = Record<Ref<Space>, Set<Ref<Person>>>
 export interface PermissionsStore {
   ps: PermissionsBySpace
   ap: PersonsByPermission
+  ms: MembersBySpace
   whitelist: Set<Ref<Space>>
 }
 
diff --git a/plugins/controlled-documents-resources/src/components/TeamPopup.svelte b/plugins/controlled-documents-resources/src/components/TeamPopup.svelte
index 359d76e06c..7a653492de 100644
--- a/plugins/controlled-documents-resources/src/components/TeamPopup.svelte
+++ b/plugins/controlled-documents-resources/src/components/TeamPopup.svelte
@@ -4,18 +4,18 @@
 //
 -->
 <script lang="ts">
-  import { createEventDispatcher } from 'svelte'
-  import { RequestStatus } from '@hcengineering/request'
-  import { Label, ModernDialog, showPopup } from '@hcengineering/ui'
-  import { getClient } from '@hcengineering/presentation'
   import { Employee } from '@hcengineering/contact'
-  import { Class, Ref } from '@hcengineering/core'
-  import { UserBoxItems, permissionsStore } from '@hcengineering/contact-resources'
+  import { UserBoxItems, getPermittedPersons, permissionsStore } from '@hcengineering/contact-resources'
   import documents, {
     ControlledDocument,
     ControlledDocumentState,
     DocumentRequest
   } from '@hcengineering/controlled-documents'
+  import { Class, Ref } from '@hcengineering/core'
+  import { getClient } from '@hcengineering/presentation'
+  import { RequestStatus } from '@hcengineering/request'
+  import { Label, ModernDialog, showPopup } from '@hcengineering/ui'
+  import { createEventDispatcher } from 'svelte'
 
   import documentsRes from '../plugin'
   import { sendApprovalRequest, sendReviewRequest } from '../utils'
@@ -38,7 +38,7 @@
   const permissionId = isReviewRequest ? documents.permission.ReviewDocument : documents.permission.ApproveDocument
   $: permissionsSpace =
     controlledDoc.space === documents.space.UnsortedTemplates ? documents.space.QualityDocuments : controlledDoc.space
-  $: permittedPeople = $permissionsStore.ap[permissionsSpace]?.[permissionId] ?? new Set()
+  $: permittedPeople = new Set(getPermittedPersons(permissionId, permissionsSpace, $permissionsStore))
   $: permittedEmployees = Array.from(permittedPeople) as Ref<Employee>[]
 
   let docRequest: DocumentRequest | undefined
diff --git a/plugins/controlled-documents-resources/src/components/create-doc/steps/LocationStep.svelte b/plugins/controlled-documents-resources/src/components/create-doc/steps/LocationStep.svelte
index 3b6cbb3c46..7dd94b7ffe 100644
--- a/plugins/controlled-documents-resources/src/components/create-doc/steps/LocationStep.svelte
+++ b/plugins/controlled-documents-resources/src/components/create-doc/steps/LocationStep.svelte
@@ -14,7 +14,7 @@
 -->
 
 <script lang="ts">
-  import { type Doc, type Ref, type Space } from '@hcengineering/core'
+  import { TypedSpace, type Doc, type Ref, type Space } from '@hcengineering/core'
   import documents, {
     type DocumentSpace,
     type DocumentSpaceType,
@@ -23,7 +23,7 @@
   } from '@hcengineering/controlled-documents'
   import { SpaceSelector, getClient } from '@hcengineering/presentation'
   import { Label } from '@hcengineering/ui'
-  import { permissionsStore } from '@hcengineering/contact-resources'
+  import { checkMyPermission, permissionsStore } from '@hcengineering/contact-resources'
 
   import { $locationStep as locationStep, locationStepUpdated } from '../../../stores/wizards/create-document'
   import DocumentParentSelector from '../../hierarchy/DocumentParentSelector.svelte'
@@ -82,9 +82,9 @@
 
   $: canProceed = $locationStep.space !== undefined && $locationStep.project !== undefined
   $: hasParentSelector = $locationStep.space !== documents.space.UnsortedTemplates
-  $: restrictedSpaces = Object.entries($permissionsStore.ps)
-    .filter(([, pss]) => !pss.has(documents.permission.CreateDocument))
-    .map(([s]) => s) as Ref<Space>[]
+  $: restrictedSpaces = Object.keys($permissionsStore.ps).filter(
+    (s) => !checkMyPermission(documents.permission.CreateDocument, s as Ref<TypedSpace>, $permissionsStore)
+  ) as Ref<TypedSpace>[]
 
   $: spaceQuery = isTemplate
     ? { _id: { $nin: restrictedSpaces }, archived: false, _class: { $nin: externalSpaces } }
diff --git a/plugins/controlled-documents-resources/src/components/document/DocTeam.svelte b/plugins/controlled-documents-resources/src/components/document/DocTeam.svelte
index 56e076da6f..1954fcd6af 100644
--- a/plugins/controlled-documents-resources/src/components/document/DocTeam.svelte
+++ b/plugins/controlled-documents-resources/src/components/document/DocTeam.svelte
@@ -13,12 +13,12 @@
 // limitations under the License.
 -->
 <script lang="ts">
-  import { createEventDispatcher } from 'svelte'
-  import { Label } from '@hcengineering/ui'
-  import { TypedSpace, type Data, type Ref, type Permission } from '@hcengineering/core'
-  import { type Employee, type PermissionsStore, getCurrentEmployee } from '@hcengineering/contact'
+  import { getCurrentEmployee, type Employee } from '@hcengineering/contact'
+  import { UserBoxItems, getPermittedPersons, permissionsStore } from '@hcengineering/contact-resources'
   import documents, { type ControlledDocument } from '@hcengineering/controlled-documents'
-  import { UserBoxItems, permissionsStore } from '@hcengineering/contact-resources'
+  import { TypedSpace, type Data, type Ref } from '@hcengineering/core'
+  import { Label } from '@hcengineering/ui'
+  import { createEventDispatcher } from 'svelte'
 
   export let controlledDoc: Data<ControlledDocument>
   export let space: Ref<TypedSpace>
@@ -34,23 +34,23 @@
 
   $: permissionsSpace = space === documents.space.UnsortedTemplates ? documents.space.QualityDocuments : space
 
-  function getPermittedPersons (
-    permission: Ref<Permission>,
-    space: Ref<TypedSpace>,
-    permissionsStore: PermissionsStore
-  ): Ref<Employee>[] {
-    return Array.from(permissionsStore.ap[space]?.[permission] ?? []) as Ref<Employee>[]
-  }
+  $: permittedReviewers = getPermittedPersons(
+    documents.permission.ReviewDocument,
+    permissionsSpace,
+    $permissionsStore
+  ) as Ref<Employee>[]
 
-  $: permittedReviewers = getPermittedPersons(documents.permission.ReviewDocument, permissionsSpace, $permissionsStore)
-
-  $: permittedApprovers = getPermittedPersons(documents.permission.ApproveDocument, permissionsSpace, $permissionsStore)
+  $: permittedApprovers = getPermittedPersons(
+    documents.permission.ApproveDocument,
+    permissionsSpace,
+    $permissionsStore
+  ) as Ref<Employee>[]
 
   $: permittedCoAuthors = getPermittedPersons(
     documents.permission.CoAuthorDocument,
     permissionsSpace,
     $permissionsStore
-  ).filter((person) => person !== currentEmployee)
+  ).filter((person) => person !== currentEmployee) as Ref<Employee>[]
 
   function handleUsersUpdated (type: 'reviewers' | 'approvers' | 'coAuthors', users: Ref<Employee>[]): void {
     dispatch('update', { type, users })
diff --git a/plugins/controlled-documents-resources/src/components/document/popups/TransferDocumentPopup.svelte b/plugins/controlled-documents-resources/src/components/document/popups/TransferDocumentPopup.svelte
index 747b8d9fb7..aefe0b9b28 100644
--- a/plugins/controlled-documents-resources/src/components/document/popups/TransferDocumentPopup.svelte
+++ b/plugins/controlled-documents-resources/src/components/document/popups/TransferDocumentPopup.svelte
@@ -25,10 +25,10 @@
     type Project,
     type ProjectDocument
   } from '@hcengineering/controlled-documents'
-  import { type Doc, type Ref, type Space } from '@hcengineering/core'
+  import { TypedSpace, type Doc, type Ref, type Space } from '@hcengineering/core'
   import presentation, { getClient, SpaceSelector } from '@hcengineering/presentation'
   import { Button, Label } from '@hcengineering/ui'
-  import { permissionsStore } from '@hcengineering/contact-resources'
+  import { checkMyPermission, permissionsStore } from '@hcengineering/contact-resources'
   import { createEventDispatcher } from 'svelte'
 
   import documentsRes from '../../../plugin'
@@ -139,9 +139,9 @@
   const externalSpaces = hierarchy.getDescendants(documents.class.ExternalSpace)
 
   $: hasParentSelector = targetSpaceId !== documents.space.UnsortedTemplates
-  $: permissionRestrictedSpaces = Object.entries($permissionsStore.ps)
-    .filter(([, pss]) => !pss.has(documents.permission.CreateDocument))
-    .map(([s]) => s) as Ref<Space>[]
+  $: permissionRestrictedSpaces = Object.keys($permissionsStore.ps).filter(
+    (s) => !checkMyPermission(documents.permission.CreateDocument, s as Ref<TypedSpace>, $permissionsStore)
+  ) as Ref<TypedSpace>[]
   $: restrictedSpaces =
     sourceSpaceId !== undefined ? permissionRestrictedSpaces.concat(sourceSpaceId) : permissionRestrictedSpaces
 
diff --git a/plugins/controlled-documents-resources/src/utils.ts b/plugins/controlled-documents-resources/src/utils.ts
index 796bc1c455..9957389c4b 100644
--- a/plugins/controlled-documents-resources/src/utils.ts
+++ b/plugins/controlled-documents-resources/src/utils.ts
@@ -703,7 +703,9 @@ export async function getDocumentMetaTitle (
 
   if (object === undefined) return ''
 
-  return object.title
+  const hint = await translate(documentsResources.string.LatestVersionHint, {})
+
+  return object.title + ` (${hint})`
 }
 
 export async function controlledDocumentReferenceObjectProvider (

From 6691ac27a2274d29fe27017b59a7fec68e0d2216 Mon Sep 17 00:00:00 2001
From: Artyom Savchenko <armisav@gmail.com>
Date: Sun, 18 May 2025 23:35:06 +0700
Subject: [PATCH 2/3] UBERF-10632: Fix email thread creation date (#8968)

---
 services/mail/mail-common/src/message.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/services/mail/mail-common/src/message.ts b/services/mail/mail-common/src/message.ts
index ea9c2eb956..60f9e3fc6c 100644
--- a/services/mail/mail-common/src/message.ts
+++ b/services/mail/mail-common/src/message.ts
@@ -221,10 +221,11 @@ async function saveMessageToSpaces (
             archived: false,
             createdBy: modifiedBy,
             modifiedBy,
-            parent: channel
+            parent: channel,
+            createdOn: createdDate
           },
           generateId(),
-          undefined,
+          createdDate,
           modifiedBy
         )
         await client.createMixin(

From 3fcc9035bb2e25d860f36db95ec50d46d6d7b1fc Mon Sep 17 00:00:00 2001
From: Denis Bykhov <bykhov.denis@gmail.com>
Date: Mon, 19 May 2025 00:41:31 +0500
Subject: [PATCH 3/3] Fix calendar service (#8981)

---
 dev/tool/src/calendar.ts                          | 10 +++++++++-
 services/calendar/pod-calendar/src/auth.ts        |  6 +++---
 services/calendar/pod-calendar/src/pushHandler.ts |  4 ++--
 3 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/dev/tool/src/calendar.ts b/dev/tool/src/calendar.ts
index d6ef9ebd02..7cc2659c7e 100644
--- a/dev/tool/src/calendar.ts
+++ b/dev/tool/src/calendar.ts
@@ -1,5 +1,11 @@
 import calendar from '@hcengineering/calendar'
-import { type PersonId, type WorkspaceInfoWithStatus, type WorkspaceUuid, systemAccountUuid } from '@hcengineering/core'
+import {
+  type PersonId,
+  type WorkspaceInfoWithStatus,
+  type WorkspaceUuid,
+  isActiveMode,
+  systemAccountUuid
+} from '@hcengineering/core'
 import { getClient as getKvsClient } from '@hcengineering/kvs-client'
 import { createClient, getAccountClient } from '@hcengineering/server-client'
 import { generateToken } from '@hcengineering/server-token'
@@ -129,6 +135,7 @@ async function migrateCalendarIntegrations (
         if (ws == null) {
           continue
         }
+        if (!isActiveMode(ws.mode)) continue
         token.workspace = ws.uuid
 
         const personId = await getPersonIdByEmail(ws.uuid, token.email, token.userId)
@@ -215,6 +222,7 @@ async function migrateCalendarHistory (
         if (ws == null) {
           continue
         }
+        if (!isActiveMode(ws.mode)) continue
 
         const personId = await getPersonIdByEmail(ws.uuid, history.email, history.userId)
         if (personId == null) {
diff --git a/services/calendar/pod-calendar/src/auth.ts b/services/calendar/pod-calendar/src/auth.ts
index 02c453cec7..d99b6bd6df 100644
--- a/services/calendar/pod-calendar/src/auth.ts
+++ b/services/calendar/pod-calendar/src/auth.ts
@@ -25,7 +25,7 @@ import { getClient } from './client'
 import { addUserByEmail, removeUserByEmail } from './kvsUtils'
 import { IncomingSyncManager, lock } from './sync'
 import { CALENDAR_INTEGRATION, GoogleEmail, SCOPES, State, Token, User } from './types'
-import { getGoogleClient, getServiceToken } from './utils'
+import { getGoogleClient, getWorkspaceToken } from './utils'
 import { WatchController } from './watch'
 
 interface AuthResult {
@@ -58,7 +58,7 @@ export class AuthController {
     await ctx.with('Create auth controller', { workspace: state.workspace, user: state.userId }, async () => {
       const mutex = await lock(`${state.workspace}:${state.userId}`)
       try {
-        const client = await getClient(getServiceToken())
+        const client = await getClient(getWorkspaceToken(state.workspace))
         const txOp = new TxOperations(client, core.account.System)
         const controller = new AuthController(ctx, accountClient, txOp, state)
         await controller.process(code)
@@ -78,7 +78,7 @@ export class AuthController {
     await ctx.with('Signout auth controller', { workspace, userId }, async () => {
       const mutex = await lock(`${workspace}:${userId}`)
       try {
-        const client = await getClient(getServiceToken())
+        const client = await getClient(getWorkspaceToken(workspace))
         const txOp = new TxOperations(client, core.account.System)
         const controller = new AuthController(ctx, accountClient, txOp, {
           userId,
diff --git a/services/calendar/pod-calendar/src/pushHandler.ts b/services/calendar/pod-calendar/src/pushHandler.ts
index 177e1d34fd..bca596c1cd 100644
--- a/services/calendar/pod-calendar/src/pushHandler.ts
+++ b/services/calendar/pod-calendar/src/pushHandler.ts
@@ -19,7 +19,7 @@ import { getClient } from './client'
 import { getUserByEmail } from './kvsUtils'
 import { IncomingSyncManager } from './sync'
 import { GoogleEmail, Token } from './types'
-import { getGoogleClient, getServiceToken } from './utils'
+import { getGoogleClient, getWorkspaceToken } from './utils'
 
 export class PushHandler {
   constructor (
@@ -29,7 +29,7 @@ export class PushHandler {
 
   async sync (token: Token, calendarId: string | null): Promise<void> {
     await this.ctx.with('Push handler', { workspace: token.workspace, user: token.userId }, async () => {
-      const client = await getClient(getServiceToken())
+      const client = await getClient(getWorkspaceToken(token.workspace))
       const txOp = new TxOperations(client, core.account.System)
       const res = getGoogleClient()
       res.auth.setCredentials(token)