The new role would like be assigned to power users and would all such users
access to edit any post by any user.

Agents can always edit their own posts, and department managers can edit all
posts while the ticket is in the department they manage.

Threads can be edited by marking the original as hidden and setting it's PID to
the id of the new entry. The new entry has cloned data from the original and
sets the `updated` timestamp to reflect the time of last edit. An edited flag
is added to the new entry to reflect its origin.

This patch suggests that agents can edit their own posts, department managers
can edit posts while the ticket is in their department, and that help desk
admins can edit anything.

If a post is edited more than once, only the most recent edit is kept.

This feature addresses a major issue with the initial implementation of the
custom data system. The original system confused the usage of
database-backed field (dynamic-fields) and their corresponding
implementation. This created the need to crate awkward caching pieces to
ensure that validation errors and data was maintained. Furthermore, the
system confused the linking between form instances (dynamic-entry) and the
form used to represent that entry.

This patch addresses the confusion in two ways:

Dynamic form entries do not link directly to the dynamic form. Instead, the
::getForm() method returns something from the forms API directly.
Furthermore, the ::getFields() method does not return dynamic field
instances (database backed / designed fields). Instead, the actual
implementation of the fields from the forms API is retrieved. This allows
the fields to *always* be cached, which helps preserve data and validation
state.

Secondly, the dynamic form uses the same system, so that requests to turn a
dynamic form into a form (via ::getForm) will also result in the same
behavior, again, where the fields are represented as forms API fields rather
than the dynamic fields.

So going forward, the dynamic fields are *only* used to create corresponding
forms API field implementations. The are associated with the dynamic
counterparts as sparingly as possible.

Unassign tickets on transfer when the target department has assignment
restriction and the assigned staff is not a member.

Disable claim (quick self-assignment) when above restriction is in effect.

This fixes a slight regression, where, if the locking mechanism were
disabled, then tickets could no longer be responded to.

This addresses the issue where the advanced search dialog was submitted
before the date picker inputs were fixed up. This problem arises out of a
difference between the agent's date formatting preference and the server
being able to process that date format. The date pickers are reformated to
yyyy-mm-dd before submission; however, for advanced search, the submission
happened before the inputs were fixed up.

This patch addresses the issue by manually fixing up the date in the
submission routine for the advanced search dialog.

Also, add warning popup when lock is about to expire and allow the user to
attempt to renew the lock. Also, connect the keyup callback for redactor to
the autoLock.handleEvent for greater update of the lock, and also deadband
the lock to every 10 seconds.

This patch includes a slight database migration, and adjusts the
functionality of a few core components.

  * Move collaborators from the ticket to the thread.
    This concept allows collaborators on any object which has a thread,
    including tasks.

  * Add flags to the thread entry
    This will allow flagging thread entries for different purposes.
    Initially this can be used to flag the original message of a thread in
    case a ticket / thread is created without an initial message.

  * Lock becomes more of a utility
    The lock is now disconnected from the ticket and is a separate utility.
    Separately, the ticket and task objects can have a reference to a lock
    object. Furthermore, when submitting some activities to tickets, the
    lock is verified to be owned by the respective agent, and the lock code
    must match a current lock code. The code is rotated on each acquire()
    call to guard against double submissions.

  * Collaborator is an ORM model
    The TicketUser class is broken up now so that the collaborator instance
    can exist apart from a ticket. Email message ids are now generated for
    collaborators without respect for a ticket so that collaborators can be
    properly supported on any thread.

This patch fixes a vulnerable scenario, where sequential login attempts can
be made without an existing session, and without a valid CSRF token. This
scenario lends itself well for brute force password attempts, because
attackers can avoid using a session and still send requests to determine if
a set of credentials are valid. This vector also avoids the authentication
lockout mechanism, because it requires an ongoing session to shutdown the
requests.

This patch addresses the issue by requiring a session and a valid CSRF token
generated by the server and placed in the session to be submitted with the
credentials. Therefore, an existing session and a Cookie header are required
to process a login attempt. Secondly, the CSRF token will be changed on the
server after each login processed. Therefore, for each session, a subsequent
GET request would be necessary before submitting another login attempt.