- Mar 23, 2015
Jared Hancock authored
-
Jared Hancock authored
This fixes a slight regression, where, if the locking mechanism were disabled, then tickets could no longer be responded to.
-
- Mar 05, 2015
Jared Hancock authored
-
- Feb 27, 2015
Jared Hancock authored
Also, add warning popup when lock is about to expire and allow the user to attempt to renew the lock. Also, connect the keyup callback for redactor to the autoLock.handleEvent for greater update of the lock, and also deadband the lock to every 10 seconds.
-
Peter Rotich authored
-
- Feb 26, 2015
Jared Hancock authored
-
- Feb 18, 2015
Peter Rotich authored
-
- Feb 17, 2015
Jared Hancock authored
-
- Feb 13, 2015
Jared Hancock authored
-
- Feb 12, 2015
Jared Hancock authored
This patch includes a slight database migration, and adjusts the functionality of a few core components.
* Move collaborators from the ticket to the thread. This concept allows collaborators on any object which has a thread, including tasks.
* Add flags to the thread entry. This will allow flagging thread entries for different purposes. Initially this can be used to flag the original message of a thread in case a ticket / thread is created without an initial message.
* Lock becomes more of a utility. The lock is now disconnected from the ticket and is a separate utility. Separately, the ticket and task objects can have a reference to a lock object. Furthermore, when submitting some activities to tickets, the lock is verified to be owned by the respective agent, and the lock code must match a current lock code. The code is rotated on each acquire() call to guard against double submissions.
* Collaborator is an ORM model. The TicketUser class is broken up now so that the collaborator instance can exist apart from a ticket. Email message ids are now generated for collaborators without respect for a ticket so that collaborators can be properly supported on any thread.
-
- Feb 11, 2015
Jared Hancock authored
This patch fixes a vulnerable scenario, where sequential login attempts can be made without an existing session, and without a valid CSRF token. This scenario lends itself well to brute force password attempts, because attackers can avoid using a session and still send requests to determine if a set of credentials is valid. This vector also avoids the authentication lockout mechanism, because it requires an ongoing session to shut down the requests. This patch addresses the issue by requiring a session and a valid CSRF token generated by the server and placed in the session to be submitted with the credentials. Therefore, an existing session and a Cookie header are required to process a login attempt. Secondly, the CSRF token will be changed on the server after each login processed. Therefore, for each session, a subsequent GET request would be necessary before submitting another login attempt.
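The gate this commit message describes, as an added example that is not osTicket's code and not part of the commit: a login handler that refuses to check credentials without a known session and that session's current token, and rotates the token after every attempt it processes. The function names, the in-memory `$sessions` array standing in for the session store, and the attempt limit are assumptions.

```php
<?php
// Added illustration, not osTicket code. $sessions stands in for the server-side
// session store; every name and limit below is hypothetical.
const MAX_ATTEMPTS = 3;

// GET of the login form: start a session if needed and hand out its token.
function login_form(array &$sessions, ?string $sid): array {
    if ($sid === null || !isset($sessions[$sid])) {
        $sid = bin2hex(random_bytes(16));
        $sessions[$sid] = ['csrf' => bin2hex(random_bytes(16)), 'fails' => 0];
    }
    return [$sid, $sessions[$sid]['csrf']];
}

// POST of credentials: nothing is checked unless the request carries a known
// session cookie and that session's current token.
function login_post(array &$sessions, ?string $sid, string $token,
                    string $user, string $pass, array $users): string {
    if ($sid === null || !isset($sessions[$sid])) {
        return 'rejected: no session';
    }
    $s = &$sessions[$sid];
    if (!hash_equals($s['csrf'], $token)) {
        return 'rejected: bad token';
    }
    // Rotate for every attempt processed: the next one needs a fresh GET.
    $s['csrf'] = bin2hex(random_bytes(16));
    if ($s['fails'] >= MAX_ATTEMPTS) {
        return 'locked out';
    }
    if (isset($users[$user]) && password_verify($pass, $users[$user])) {
        $s['fails'] = 0;
        return 'ok';
    }
    $s['fails']++;
    return 'invalid credentials';
}

// Constructed accounts and requests.
$users = ['agent' => password_hash('correct horse', PASSWORD_DEFAULT)];
$sessions = [];
echo login_post($sessions, null, '', 'agent', 'guess', $users), "\n"; // no cookie
[$sid, $tok] = login_form($sessions, null);
echo login_post($sessions, $sid, $tok, 'agent', 'guess', $users), "\n"; // wrong password
echo login_post($sessions, $sid, $tok, 'agent', 'correct horse', $users), "\n"; // reused token
[$sid, $tok] = login_form($sessions, $sid);
echo login_post($sessions, $sid, $tok, 'agent', 'correct horse', $users), "\n"; // fresh token
```

The failure counter here lives in the session; throttling keyed on the account or source address is a separate control that this sketch does not cover.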
-
- Feb 06, 2015
Jared Hancock authored
-
Jared Hancock authored
-
Jared Hancock authored
-
- Jan 30, 2015
Jared Hancock authored
-
Jared Hancock authored
-
- Jan 23, 2015
Jared Hancock authored
-
Jared Hancock authored
-
- Jan 14, 2015
Jared Hancock authored
This patch sends updated session cookies to the browser when the session is refreshed on the server. This allows the session cookie to expire on the browser at the same time the session timeout occurs at the server. In the event the session timeout is configured in osTicket not to expire, the cookie will expire after seven days on the client browser, and will expire in PHP when it is garbage collected sometime after 86400 seconds after the last refresh time. Using this method, the session will never expire if the session timeout in osTicket is configured to 0, and the session is refreshed at least daily.
-
- Jan 13, 2015
Jared Hancock authored
* Add trashcan icon for newly-added actions
* Categorize filter actions
* Use imperative phrases for action descriptions
* Drop check boxes from simple actions (like reject ticket)
* Hide empty forms on new ticket pages
* Do not store config for nondata fields for actions
* Implement a multi-use feature for actions, which will allow using an action more than once (for instance, multiple email sends)
* Filter actions are sortable
* Send email has from address configurable
* %{user} token is valid as a recipient
-
Jared Hancock authored
This patch rebases filters into a row-based layout and redesigns the filter apply method to be more extensible. It also redesigns the UI to be more dynamic and to allow for actions to be added without database modification and actions can also have complex configurations.
-
- Jan 12, 2015
Jared Hancock authored
-
Jared Hancock authored
-
Jared Hancock authored
Help topics can now specify one or more additional forms to be included on the help topic and can also specify the sort order of those forms. Furthermore, individual fields can be disabled per help topic, so that unnecessary fields can be omitted when necessary, per help topic. The disabled flag is recorded alongside the field data so that the field will not be accidentally added to the form later automatically. There is no interface in this commit to enable a field which was disabled by the help topic when the ticket was created.
-
- Dec 31, 2014
Jared Hancock authored
This script adds a single download script, 'file.php', which provides access to files of all types to all users. It uses an HMAC signature system with an expires time, which allows signed URLs to be sent to external users. This also fixes an issue with the Http::cacheable() method, where the last-modified and Etag headers were not properly compared, which resulted in permanent cache misses by the client.
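How an HMAC-signed URL with an expiry time can be issued and checked, as an added example that is not osTicket's `file.php` and not part of the commit. The query parameter names (`key`, `expires`, `signature`), the secret and the message layout are assumptions.

```php
<?php
// Added illustration, not osTicket's file.php. The parameter names, the secret
// and the signed message layout are hypothetical.
const SECRET = 'constructed-demo-secret';

// The MAC covers both the file key and the expiry, so neither can be changed
// without invalidating the signature.
function sign(string $fileKey, int $expires): string {
    return hash_hmac('sha256', $fileKey . "\n" . $expires, SECRET);
}

function signed_url(string $fileKey, int $ttl, int $now): string {
    $expires = $now + $ttl;
    return '/file.php?' . http_build_query([
        'key' => $fileKey, 'expires' => $expires,
        'signature' => sign($fileKey, $expires)]);
}

function verify_url(string $url, int $now): bool {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    foreach (['key', 'expires', 'signature'] as $p) {
        // Missing parameters and array-valued ones (key[]=...) are refused.
        if (!isset($q[$p]) || !is_string($q[$p])) return false;
    }
    if (!ctype_digit($q['expires'])) return false;
    $expires = (int) $q['expires'];
    // Constant-time comparison of the recomputed MAC, then the expiry check.
    if (!hash_equals(sign($q['key'], $expires), $q['signature'])) return false;
    return $now <= $expires;
}

$now = 1420070400; // constructed clock value
$url = signed_url('abc123', 3600, $now);
var_dump(verify_url($url, $now + 60));   // inside the lifetime
var_dump(verify_url($url, $now + 7200)); // after the expiry time
var_dump(verify_url(str_replace('abc123', 'zzz999', $url), $now + 60)); // key altered
$later = preg_replace('/expires=\d+/', 'expires=' . ($now + 999999), $url);
var_dump(verify_url($later, $now + 7200)); // expiry altered
```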
-
Peter Rotich authored
Key permissions definition array
Move canned and faq permissions to their respective classes.
-
- Dec 28, 2014
Peter Rotich authored
Stop trampolining links via l.php. It was necessary before in order to avoid the potential of leaking ticket number & email. The authentication mechanism in place now redirects on successful login.
-
- Dec 22, 2014
Jared Hancock authored
-
- Dec 20, 2014
Peter Rotich authored
Allow for permissions to be registered dynamically. This will allow for the ability for models and plugins to register permissions.
-
- Dec 16, 2014
Jared Hancock authored
This patch removes the selection of canned responses as well as the canned responses navigation page from the ui when the canned responses feature is disabled.
-
Jared Hancock authored
Since the automatic lock was being acquired but not passed to the autoLock system, the automatically acquired lock was not being released on away navigation. This patch addresses the issue by passing the automatically acquired lock id to the autoLock system on ticket-view page load and changing the ::Init() method so that the lock id is not cleared when the ::Init() method is called by the page load.
-
- Dec 11, 2014
Peter Rotich authored
-
Peter Rotich authored
Support duplicate names in different hierarchy
Save path on add/update
Show full department name on transfer
-
Peter Rotich authored
Add ability to add tasks to tickets.
-
Peter Rotich authored
Introduce the initial concept of adding tasks to a ticket.
-
Peter Rotich authored
Auto-close tooltip box when element goes away
-
Peter Rotich authored
Generalize how we show object/data preview. The url to get the preview is now based on data-preview attribute on the element in question.
-
Peter Rotich authored
The size of the dialog can be auto-adjusted based on the options
-
Peter Rotich authored
-
Peter Rotich authored
Use generic attachment table for all attachments system-wide. Drop thread entry attachment table
-