OneTimeAuthentificationLink
10.0.2
Rother OSS GmbH
https://rother-oss.com/
GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007
Do not automatically activate CustomerUser creation.
Initial Release.
Automatically creates customer users and gives them access via one time authentification tokens.
10.0.x
2021-03-01 16:33:00
opms
# --
# OTOBO is a web-based ticketing system for service organisations.
# --
# Copyright (C) 2001-2020 OTRS AG, https://otrs.com/
# Copyright (C) 2019-2021 Rother OSS GmbH, https://otobo.de/
# --
# $origin: otobo - eaafbcf14a45d967ce10948ca73bf4c8dc464575 - Kernel/System/CustomerAuth.pm
# --
# This program is free software: you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation, either version 3 of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# --

package Kernel::System::CustomerAuth;

use strict;
use warnings;

use Kernel::Language qw(Translatable);

our @ObjectDependencies = (
    'Kernel::Config',
    'Kernel::System::CustomerUser',
    'Kernel::System::DateTime',
    'Kernel::System::Log',
    'Kernel::System::Main',
    'Kernel::System::SystemMaintenance',
);

=head1 NAME

Kernel::System::CustomerAuth - customer authentication module.

=head1 DESCRIPTION

The authentication module for the customer interface.

=head1 PUBLIC INTERFACE

=head2 new()

Don't use the constructor directly, use the ObjectManager instead:

    my $CustomerAuthObject = $Kernel::OM->Get('Kernel::System::CustomerAuth');

=cut

sub new {
    my ( $Type, %Param ) = @_;

    # allocate new hash for object
    my $Self = {};
    bless( $Self, $Type );

    # get needed objects
    my $ConfigObject = $Kernel::OM->Get('Kernel::Config');
    my $MainObject   = $Kernel::OM->Get('Kernel::System::Main');

    # load auth modules
    SOURCE:
    for my $Count ( '', 1 .. 10 ) {
        my $GenericModule = $ConfigObject->Get("Customer::AuthModule$Count");
        next SOURCE if !$GenericModule;

        if ( !$MainObject->Require($GenericModule) ) {
            $MainObject->Die("Can't load backend module $GenericModule! $@");
        }
        $Self->{"Backend$Count"} = $GenericModule->new( %{$Self}, Count => $Count );
    }

    # load 2factor auth modules
    SOURCE:
    for my $Count ( '', 1 .. 10 ) {
        my $GenericModule = $ConfigObject->Get("Customer::AuthTwoFactorModule$Count");
        next SOURCE if !$GenericModule;

        if ( !$MainObject->Require($GenericModule) ) {
            $MainObject->Die("Can't load backend module $GenericModule! $@");
        }
        $Self->{"AuthTwoFactorBackend$Count"} = $GenericModule->new( %{$Self}, Count => $Count );
    }

    # Initialize last error message
    $Self->{LastErrorMessage} = '';

    return $Self;
}

=head2 GetOption()

Get module options. Currently there is just one option, "PreAuth".

    if ($AuthObject->GetOption(What => 'PreAuth')) {
        print "No login screen is needed. Authentication is based on other options. E. g. $ENV{REMOTE_USER}\n";
    }

=cut

sub GetOption {
    my ( $Self, %Param ) = @_;

    return $Self->{Backend}->GetOption(%Param);
}

# Rother OSS / OneTimeAuthenticationLink
=head2 ExtendedParamNames()

Get names of extended params which provide authentification information

    my @ParamNames = $AuthObject->ExtendedParamNames();

=cut

sub ExtendedParamNames {
    my ( $Self, %Param ) = @_;

    my %Names;
    COUNT:
    for ( '', 1 .. 10 ) {
        next COUNT if !$Self->{"Backend$_"};
        next COUNT if !$Self->{"Backend$_"}->can('ExtendedParamNames');

        for my $ExtName ( $Self->{"Backend$_"}->ExtendedParamNames() ) {
            $Names{$ExtName} = 1;
        }
    }

    return ( keys %Names );
}
# EO OneTimeAuthenticationLink

=head2 Auth()

The authentication function.

    if ($AuthObject->Auth(User => $User, Pw => $Pw)) {
        print "Auth ok!\n";
    }
    else {
        print "Auth invalid!\n";
    }

=cut

sub Auth {
    my ( $Self, %Param ) = @_;

    # get customer user object
    my $ConfigObject       = $Kernel::OM->Get('Kernel::Config');
    my $CustomerUserObject = $Kernel::OM->Get('Kernel::System::CustomerUser');

    # use all 11 backends and return on first auth
    my $User;
    COUNT:
    for ( '', 1 .. 10 ) {

        # next on no config setting
        next COUNT if !$Self->{"Backend$_"};

        # check auth backend
        $User = $Self->{"Backend$_"}->Auth(%Param);

# Rother OSS / OneTimeAuthenticationLink
        if ( ref $User && ref $User eq 'HASH' && $User->{Error} ) {
            $Self->{LastErrorMessage} = $User->{Error};
            return;
        }
# EO OneTimeAuthenticationLink

        # next on no success
        next COUNT if !$User;

        # check 2factor auth backends
        my $TwoFactorAuth;
        TWOFACTORSOURCE:
        for my $Count ( '', 1 .. 10 ) {

            # return on no config setting
            next TWOFACTORSOURCE if !$Self->{"AuthTwoFactorBackend$Count"};

            # 2factor backend
            my $AuthOk = $Self->{"AuthTwoFactorBackend$Count"}->Auth(
                TwoFactorToken => $Param{TwoFactorToken},
                User           => $User,
            );
            $TwoFactorAuth = $AuthOk ? 'passed' : 'failed';

            last TWOFACTORSOURCE if $AuthOk;
        }

        # if at least one 2factor auth backend was checked but none was successful,
        # it counts as a failed login
        if ( $TwoFactorAuth && $TwoFactorAuth ne 'passed' ) {
            $User = undef;
            last COUNT;
        }

        # remember auth backend
        if ($User) {
            $CustomerUserObject->SetPreferences(
                Key    => 'UserAuthBackend',
                Value  => $_,
                UserID => $User,
            );
            last COUNT;
        }
    }

    # check if record exists
    if ( !$User ) {
        my %CustomerData = $CustomerUserObject->CustomerUserDataGet( User => $Param{User} );
        if (%CustomerData) {
            my $Count = $CustomerData{UserLoginFailed} || 0;
            $Count++;
            $CustomerUserObject->SetPreferences(
                Key    => 'UserLoginFailed',
                Value  => $Count,
                UserID => $CustomerData{UserLogin},
            );
        }
        return;
    }

    # check if user is valid
    my %CustomerData = $CustomerUserObject->CustomerUserDataGet( User => $User );
    if ( defined $CustomerData{ValidID} && $CustomerData{ValidID} ne 1 ) {
        $Kernel::OM->Get('Kernel::System::Log')->Log(
            Priority => 'notice',
            Message  => "CustomerUser: '$User' is set to invalid, can't login!",
        );
        return;
    }

    return $User if !%CustomerData;

    # reset failed logins
    $CustomerUserObject->SetPreferences(
        Key    => 'UserLoginFailed',
        Value  => 0,
        UserID => $CustomerData{UserLogin},
    );

    # on system maintenance customers
    # shouldn't be allowed get into the system
    my $ActiveMaintenance = $Kernel::OM->Get('Kernel::System::SystemMaintenance')->SystemMaintenanceIsActive();

    # check if system maintenance is active
    if ($ActiveMaintenance) {

        $Self->{LastErrorMessage} =
            $ConfigObject->Get('SystemMaintenance::IsActiveDefaultLoginErrorMessage')
            || Translatable("It is currently not possible to login due to a scheduled system maintenance.");

        return;
    }

    # last login preferences update
    my $DateTimeObject = $Kernel::OM->Create('Kernel::System::DateTime');

    $CustomerUserObject->SetPreferences(
        Key    => 'UserLastLogin',
        Value  => $DateTimeObject->ToEpoch(),
        UserID => $CustomerData{UserLogin},
    );

    return $User;
}

=head2 GetLastErrorMessage()

Retrieve $Self->{LastErrorMessage} content.

    my $AuthErrorMessage = $AuthObject->GetLastErrorMessage();

    Result:

        $AuthErrorMessage = "An error string message.";

=cut

sub GetLastErrorMessage {
    my ( $Self, %Param ) = @_;

    return $Self->{LastErrorMessage};
}

1;

# --
# OTOBO is a web-based ticketing system for service organisations.
# --
# Copyright (C) 2001-2020 OTRS AG, https://otrs.com/
# Copyright (C) 2019-2021 Rother OSS GmbH, https://otobo.de/
# --
# $origin: otobo - d2d6be92c1665473091303dbf300e0c830d6d9be - Kernel/System/TemplateGenerator.pm
# --
# This program is free software: you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation, either version 3 of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# --

package Kernel::System::TemplateGenerator;
## nofilter(TidyAll::Plugin::OTOBO::Perl::LayoutObject)

use strict;
use warnings;

use Kernel::Language;

use Kernel::System::VariableCheck qw(:all);

our @ObjectDependencies = (
    'Kernel::Config',
    'Kernel::System::AutoResponse',
    'Kernel::System::CommunicationChannel',
    'Kernel::System::CustomerUser',
    'Kernel::System::DynamicField',
    'Kernel::System::DynamicField::Backend',
    'Kernel::System::Encode',
    'Kernel::System::HTMLUtils',
    'Kernel::System::Log',
    'Kernel::System::Queue',
    'Kernel::System::Salutation',
    'Kernel::System::Signature',
    'Kernel::System::StandardTemplate',
    'Kernel::System::SystemAddress',
    'Kernel::System::Ticket',
    'Kernel::System::Ticket::Article',
    'Kernel::System::User',
    'Kernel::Output::HTML::Layout',
    'Kernel::System::DateTime',
);

=head1 NAME

Kernel::System::TemplateGenerator - signature lib

=head1 DESCRIPTION

All signature functions.

=head1 PUBLIC INTERFACE

=head2 new()

Don't use the constructor directly, use the ObjectManager instead:

    my $TemplateGeneratorObject = $Kernel::OM->Get('Kernel::System::TemplateGenerator');

=cut

sub new {
    my ( $Type, %Param ) = @_;

    # allocate new hash for object
    my $Self = {};
    bless( $Self, $Type );

    $Self->{RichText} = $Kernel::OM->Get('Kernel::Config')->Get('Frontend::RichText');

    return $Self;
}

=head2 Salutation()

generate salutation

    my $Salutation = $TemplateGeneratorObject->Salutation(
        TicketID => 123,
        UserID   => 123,
        Data     => $ArticleHashRef,
    );

returns
    Text
    ContentType

=cut

sub Salutation {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for (qw(TicketID Data UserID)) {
        if ( !$Param{$_} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $_!"
            );
            return;
        }
    }

    # Get ticket.
    my %Ticket = $Kernel::OM->Get('Kernel::System::Ticket')->TicketGet(
        TicketID      => $Param{TicketID},
        DynamicFields => 1,
    );

    # Get queue.
    my %Queue = $Kernel::OM->Get('Kernel::System::Queue')->QueueGet(
        ID => $Ticket{QueueID},
    );

    # Get salutation.
    my %Salutation = $Kernel::OM->Get('Kernel::System::Salutation')->SalutationGet(
        ID => $Queue{SalutationID},
    );

    # do text/plain to text/html convert
    if ( $Self->{RichText} && $Salutation{ContentType} =~ /text\/plain/i ) {
        $Salutation{ContentType} = 'text/html';
        $Salutation{Text}        = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
            String => $Salutation{Text},
        );
    }

    # do text/html to text/plain convert
    if ( !$Self->{RichText} && $Salutation{ContentType} =~ /text\/html/i ) {
        $Salutation{ContentType} = 'text/plain';
        $Salutation{Text}        = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToAscii(
            String => $Salutation{Text},
        );
    }

    # get list unsupported tags for standard template
    my @ListOfUnSupportedTag = qw(OTOBO_AGENT_SUBJECT OTOBO_AGENT_BODY OTOBO_CUSTOMER_BODY OTOBO_CUSTOMER_SUBJECT);

    my $SalutationText = $Self->_RemoveUnSupportedTag(
        Text                 => $Salutation{Text} || '',
        ListOfUnSupportedTag => \@ListOfUnSupportedTag,
    );

    # replace place holder stuff
    $SalutationText = $Self->_Replace(
        RichText   => $Self->{RichText},
        Text       => $SalutationText,
        TicketData => \%Ticket,
        Data       => $Param{Data},
        UserID     => $Param{UserID},
    );

    # add urls
    if ( $Self->{RichText} ) {
        $SalutationText = $Kernel::OM->Get('Kernel::System::HTMLUtils')->LinkQuote(
            String => $SalutationText,
        );
    }

    return $SalutationText;
}

=head2 Signature()

generate salutation

    my $Signature = $TemplateGeneratorObject->Signature(
        TicketID => 123,
        UserID   => 123,
        Data     => $ArticleHashRef,
    );

or

    my $Signature = $TemplateGeneratorObject->Signature(
        QueueID => 123,
        UserID  => 123,
        Data    => $ArticleHashRef,
    );

returns
    Text
    ContentType

=cut

sub Signature {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for (qw(Data UserID)) {
        if ( !$Param{$_} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $_!"
            );
            return;
        }
    }

    # need ticket id or queue id
    if ( !$Param{TicketID} && !$Param{QueueID} ) {
        $Kernel::OM->Get('Kernel::System::Log')->Log(
            Priority => 'error',
            Message  => 'Need TicketID or QueueID!'
        );
        return;
    }

    # Get ticket data.
    my %Ticket;
    if ( $Param{TicketID} ) {
        %Ticket = $Kernel::OM->Get('Kernel::System::Ticket')->TicketGet(
            TicketID      => $Param{TicketID},
            DynamicFields => 1,
        );
    }

    # Get queue.
    my %Queue = $Kernel::OM->Get('Kernel::System::Queue')->QueueGet(
        ID => $Ticket{QueueID} || $Param{QueueID},
    );

    # Get signature.
    my %Signature = $Kernel::OM->Get('Kernel::System::Signature')->SignatureGet(
        ID => $Queue{SignatureID},
    );

    # do text/plain to text/html convert
    if ( $Self->{RichText} && $Signature{ContentType} =~ /text\/plain/i ) {
        $Signature{ContentType} = 'text/html';
        $Signature{Text}        = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
            String => $Signature{Text},
        );
    }

    # do text/html to text/plain convert
    if ( !$Self->{RichText} && $Signature{ContentType} =~ /text\/html/i ) {
        $Signature{ContentType} = 'text/plain';
        $Signature{Text}        = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToAscii(
            String => $Signature{Text},
        );
    }

    # get list unsupported tags for standard template
    my @ListOfUnSupportedTag = qw(OTOBO_AGENT_SUBJECT OTOBO_AGENT_BODY OTOBO_CUSTOMER_BODY OTOBO_CUSTOMER_SUBJECT);

    my $SignatureText = $Self->_RemoveUnSupportedTag(
        Text                 => $Signature{Text} || '',
        ListOfUnSupportedTag => \@ListOfUnSupportedTag,
    );

    # replace place holder stuff
    $SignatureText = $Self->_Replace(
        RichText   => $Self->{RichText},
        Text       => $SignatureText,
        TicketData => \%Ticket,
        Data       => $Param{Data},
        QueueID    => $Param{QueueID},
        UserID     => $Param{UserID},
    );

    # add urls
    if ( $Self->{RichText} ) {
        $SignatureText = $Kernel::OM->Get('Kernel::System::HTMLUtils')->LinkQuote(
            String => $SignatureText,
        );
    }

    return $SignatureText;
}

=head2 Sender()

generate sender address (FROM string) for emails

    my $Sender = $TemplateGeneratorObject->Sender(
        QueueID    => 123,
        UserID     => 123,
    );

returns:

    John Doe at Super Support <service@example.com>

and it returns the quoted real name if necessary

    "John Doe, Support" <service@example.tld>

=cut

sub Sender {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for (qw( UserID QueueID)) {
        if ( !$Param{$_} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $_!"
            );
            return;
        }
    }

    # get sender attributes
    my %Address = $Kernel::OM->Get('Kernel::System::Queue')->GetSystemAddress(
        QueueID => $Param{QueueID},
    );

    # get config object
    my $ConfigObject = $Kernel::OM->Get('Kernel::Config');

    # check config for agent real name
    my $UseAgentRealName = $ConfigObject->Get('Ticket::DefineEmailFrom');
    if ( $UseAgentRealName && $UseAgentRealName =~ /^(AgentName|AgentNameSystemAddressName)$/ ) {

        # get data from current agent
        my %UserData = $Kernel::OM->Get('Kernel::System::User')->GetUserData(
            UserID        => $Param{UserID},
            NoOutOfOffice => 1,
        );

        # set real name with user name
        if ( $UseAgentRealName eq 'AgentName' ) {

            # check for user data
            if ( $UserData{UserFullname} ) {

                # rewrite RealName
                $Address{RealName} = "$UserData{UserFullname}";
            }
        }

        # set real name with user name
        if ( $UseAgentRealName eq 'AgentNameSystemAddressName' ) {

            # check for user data
            if ( $UserData{UserFullname} ) {

                # rewrite RealName
                my $Separator = ' ' . $ConfigObject->Get('Ticket::DefineEmailFromSeparator')
                    || '';
                $Address{RealName} = $UserData{UserFullname} . $Separator . ' ' . $Address{RealName};
            }
        }
    }

    # prepare realname quote
    if ( $Address{RealName} =~ /([.]|,|@|\(|\)|:)/ && $Address{RealName} !~ /^("|')/ ) {
        $Address{RealName} =~ s/"//g;    # remove any quotes that are already present
        $Address{RealName} = '"' . $Address{RealName} . '"';
    }
    my $Sender = "$Address{RealName} <$Address{Email}>";

    return $Sender;
}

=head2 Template()

generate template

    my $Template = $TemplateGeneratorObject->Template(
        TemplateID => 123
        TicketID   => 123,                  # Optional
        Data       => $ArticleHashRef,      # Optional
        UserID     => 123,
    );

Returns:

    $Template =>  'Some text';

=cut

sub Template {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for (qw(TemplateID UserID)) {
        if ( !$Param{$_} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $_!"
            );
            return;
        }
    }

    my %Template = $Kernel::OM->Get('Kernel::System::StandardTemplate')->StandardTemplateGet(
        ID => $Param{TemplateID},
    );

    # do text/plain to text/html convert
    if (
        $Self->{RichText}
        && $Template{ContentType} =~ /text\/plain/i
        && $Template{Template}
        )
    {
        $Template{ContentType} = 'text/html';
        $Template{Template}    = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
            String => $Template{Template},
        );
    }

    # do text/html to text/plain convert
    if (
        !$Self->{RichText}
        && $Template{ContentType} =~ /text\/html/i
        && $Template{Template}
        )
    {
        $Template{ContentType} = 'text/plain';
        $Template{Template}    = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToAscii(
            String => $Template{Template},
        );
    }

    # Get user language.
    my $Language;
    my %Ticket;
    if ( defined $Param{TicketID} ) {

        # Get ticket data.
        %Ticket = $Kernel::OM->Get('Kernel::System::Ticket')->TicketGet(
            TicketID      => $Param{TicketID},
            DynamicFields => 1,
        );

        # Get recipient.
        my %User = $Kernel::OM->Get('Kernel::System::CustomerUser')->CustomerUserDataGet(
            User => $Ticket{CustomerUserID},
        );
        $Language = $User{UserLanguage};
    }

    # If template type is 'Create' and there is customer user information, treat it as a ticket param in order to
    # correctly replace customer user tags. See bug#14455.
    if ( $Template{TemplateType} eq 'Create' && $Param{CustomerUserID} ) {
        $Ticket{CustomerUserID} = $Param{CustomerUserID};
    }

    # if customer language is not defined, set default language
    $Language //= $Kernel::OM->Get('Kernel::Config')->Get('DefaultLanguage') || 'en';

    # get list unsupported tags for standard template
    my @ListOfUnSupportedTag = qw(OTOBO_AGENT_SUBJECT OTOBO_AGENT_BODY OTOBO_CUSTOMER_BODY OTOBO_CUSTOMER_SUBJECT);

    my %SupportedTypes = (
        Answer  => 1,
        Forward => 1,
        Note    => 1,
    );

    my $TemplateText = $Template{Template} || '';
    my $TemplateType = $Template{TemplateType};

    # Remove unsupported tags only for some template types.
    if ( !$SupportedTypes{ $Template{TemplateType} } ) {
        $TemplateText = $Self->_RemoveUnSupportedTag(
            Text                 => $Template{Template} || '',
            ListOfUnSupportedTag => \@ListOfUnSupportedTag,
        );

        # Reset template type for unsupported tag.
        $TemplateType = '';
    }

    # replace place holder stuff
    $TemplateText = $Self->_Replace(
        RichText   => $Self->{RichText},
        Text       => $TemplateText || '',
        TicketData => \%Ticket,
        Data       => $Param{Data} || {},
        UserID     => $Param{UserID},
        Language   => $Language,
        Template   => $TemplateType,
    );

    if ( $Self->{RichText} ) {
        $TemplateText =~ s/&lt;/</g;
        $TemplateText =~ s/&gt;/>/g;
        $TemplateText =~ s/&quot;/"/g;
        $TemplateText =~ s/&apos;/'/g;
        $TemplateText =~ s/&nbsp;/ /g;
    }

    return $TemplateText;
}

=head2 GenericAgentArticle()

generate internal or external notes

    my $GenericAgentArticle = $TemplateGeneratorObject->GenericAgentArticle(
        Notification    => $NotificationDataHashRef,
        TicketID        => 123,
        UserID          => 123,
        Data            => $ArticleHashRef,             # Optional
    );

=cut

sub GenericAgentArticle {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for (qw(TicketID Notification UserID)) {
        if ( !$Param{$_} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $_!"
            );
            return;
        }
    }

    my %Template = %{ $Param{Notification} };

    # get ticket object
    my $TicketObject = $Kernel::OM->Get('Kernel::System::Ticket');

    # Get ticket data.
    my %Ticket = $TicketObject->TicketGet(
        TicketID      => $Param{TicketID},
        DynamicFields => 1,
    );

    # do text/plain to text/html convert
    if (
        $Self->{RichText}
        && $Template{ContentType} =~ /text\/plain/i
        && $Template{Body}
        )
    {
        $Template{ContentType} = 'text/html';
        $Template{Body}        = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
            String => $Template{Body},
        );
    }

    # do text/html to text/plain convert
    if (
        !$Self->{RichText}
        && $Template{ContentType} =~ /text\/html/i
        && $Template{Body}
        )
    {
        $Template{ContentType} = 'text/plain';
        $Template{Body}        = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToAscii(
            String => $Template{Body},
        );
    }

    # replace place holder stuff
    $Template{Body} = $Self->_Replace(
        RichText   => $Self->{RichText},
        Text       => $Template{Body},
        Recipient  => $Param{Recipient},
        Data       => $Param{Data} || {},
        TicketData => \%Ticket,
        UserID     => $Param{UserID},
    );
    $Template{Subject} = $Self->_Replace(
        RichText   => 0,
        Text       => $Template{Subject},
        Recipient  => $Param{Recipient},
        Data       => $Param{Data} || {},
        TicketData => \%Ticket,
        UserID     => $Param{UserID},
    );

    $Template{Subject} = $TicketObject->TicketSubjectBuild(
        TicketNumber => $Ticket{TicketNumber},
        Subject      => $Template{Subject} || '',
        Type         => 'New',
    );

    # add URLs and verify to be full HTML document
    if ( $Self->{RichText} ) {

        $Template{Body} = $Kernel::OM->Get('Kernel::System::HTMLUtils')->LinkQuote(
            String => $Template{Body},
        );
    }

    return %Template;
}

=head2 Attributes()

generate attributes

    my %Attributes = $TemplateGeneratorObject->Attributes(
        TicketID   => 123,
        ArticleID  => 123,
        ResponseID => 123
        UserID     => 123,
        Action     => 'Forward', # Possible values are Reply and Forward, Reply is default.
    );

returns
    StandardResponse
    Salutation
    Signature

=cut

sub Attributes {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for (qw(TicketID Data UserID)) {
        if ( !$Param{$_} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $_!"
            );
            return;
        }
    }

    # get ticket object
    my $TicketObject = $Kernel::OM->Get('Kernel::System::Ticket');

    # get queue
    my %Ticket = $TicketObject->TicketGet(
        TicketID      => $Param{TicketID},
        DynamicFields => 0,
    );

    # prepare subject ...
    $Param{Data}->{Subject} = $TicketObject->TicketSubjectBuild(
        TicketNumber => $Ticket{TicketNumber},
        Subject      => $Param{Data}->{Subject} || '',
        Action       => $Param{Action} || '',
    );

    # get sender address
    $Param{Data}->{From} = $Self->Sender(
        QueueID => $Ticket{QueueID},
        UserID  => $Param{UserID},
    );

    return %{ $Param{Data} };
}

=head2 AutoResponse()

generate response

AutoResponse
    TicketID
        Owner
        Responsible
        CUSTOMER_DATA
    ArticleID
        CUSTOMER_SUBJECT
        CUSTOMER_EMAIL
    UserID

    To
    Cc
    Bcc
    Subject
    Body
    ContentType

    my %AutoResponse = $TemplateGeneratorObject->AutoResponse(
        TicketID         => 123,
        OrigHeader       => {},
        AutoResponseType => 'auto reply',
        UserID           => 123,
    );

=cut

sub AutoResponse {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for (qw(TicketID AutoResponseType OrigHeader UserID)) {
        if ( !$Param{$_} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $_!"
            );
            return;
        }
    }

    # get ticket object
    my $TicketObject = $Kernel::OM->Get('Kernel::System::Ticket');

    # Get ticket data.
    my %Ticket = $TicketObject->TicketGet(
        TicketID      => $Param{TicketID},
        DynamicFields => 1,
    );

    # get auto default responses
    my %AutoResponse = $Kernel::OM->Get('Kernel::System::AutoResponse')->AutoResponseGetByTypeQueueID(
        QueueID => $Ticket{QueueID},
        Type    => $Param{AutoResponseType},
    );

    return if !%AutoResponse;

    # get old article for quoting
    my $ArticleObject = $Kernel::OM->Get('Kernel::System::Ticket::Article');
    my @ArticleList   = $ArticleObject->ArticleList(
        TicketID   => $Param{TicketID},
        SenderType => 'customer',
        OnlyLast   => 1,
    );

    if ( !@ArticleList ) {
        @ArticleList = $ArticleObject->ArticleList(
            TicketID             => $Param{TicketID},
            IsVisibleForCustomer => 1,
            OnlyLast             => 1,
        );
    }

    if (@ArticleList) {
        my %Article = $ArticleObject->BackendForArticle( %{ $ArticleList[0] } )->ArticleGet( %{ $ArticleList[0] } );

        for (qw(From To Cc Subject Body)) {
            if ( !$Param{OrigHeader}->{$_} ) {
                $Param{OrigHeader}->{$_} = $Article{$_} || '';
            }
            chomp $Param{OrigHeader}->{$_};
        }
    }

    # format body (only if longer than 86 chars)
    if ( $Param{OrigHeader}->{Body} ) {
        if ( length $Param{OrigHeader}->{Body} > 86 ) {
            my @Lines = split /\n/, $Param{OrigHeader}->{Body};
            LINE:
            for my $Line (@Lines) {
                my $LineWrapped = $Line =~ s/(^>.+|.{4,86})(?:\s|\z)/$1\n/gm;

                next LINE if $LineWrapped;

                # if the regex does not match then we need
                # to add the missing new line of the split
                # else we will lose e.g. empty lines of the body.
                # (bug#10679)
                $Line .= "\n";
            }
            $Param{OrigHeader}->{Body} = join '', @Lines;
        }
    }

    # fill up required attributes
    for (qw(Subject Body)) {
        if ( !$Param{OrigHeader}->{$_} ) {
            $Param{OrigHeader}->{$_} = "No $_";
        }
    }

    # get recipient
    my %User = $Kernel::OM->Get('Kernel::System::CustomerUser')->CustomerUserDataGet(
        User => $Ticket{CustomerUserID},
    );

    # get user language
    my $Language = $User{UserLanguage} || $Kernel::OM->Get('Kernel::Config')->Get('DefaultLanguage') || 'en';

    # do text/plain to text/html convert
    if ( $Self->{RichText} && $AutoResponse{ContentType} =~ /text\/plain/i ) {
        $AutoResponse{ContentType} = 'text/html';
        $AutoResponse{Text}        = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
            String => $AutoResponse{Text},
        );
    }

    # do text/html to text/plain convert
    if ( !$Self->{RichText} && $AutoResponse{ContentType} =~ /text\/html/i ) {
        $AutoResponse{ContentType} = 'text/plain';
        $AutoResponse{Text}        = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToAscii(
            String => $AutoResponse{Text},
        );
    }

    # replace place holder stuff
    $AutoResponse{Text} = $Self->_Replace(
        RichText => $Self->{RichText},
        Text     => $AutoResponse{Text},
        Data     => {
            %{ $Param{OrigHeader} },
            From => $Param{OrigHeader}->{To},
            To   => $Param{OrigHeader}->{From},
        },
        TicketData      => \%Ticket,
        UserID          => $Param{UserID},
        Language        => $Language,
        AddTimezoneInfo => {
            AutoResponse => 1,
        },
    );
    $AutoResponse{Subject} = $Self->_Replace(
        RichText => 0,
        Text     => $AutoResponse{Subject},
        Data     => {
            %{ $Param{OrigHeader} },
            From => $Param{OrigHeader}->{To},
            To   => $Param{OrigHeader}->{From},
        },
        TicketData      => \%Ticket,
        UserID          => $Param{UserID},
        Language        => $Language,
        AddTimezoneInfo => {
            AutoResponse => 1,
        },
    );

    $AutoResponse{Subject} = $TicketObject->TicketSubjectBuild(
        TicketNumber => $Ticket{TicketNumber},
        Subject      => $AutoResponse{Subject},
        Type         => 'New',
        NoCleanup    => 1,
    );

    # get sender attributes based on auto response type
    if ( $AutoResponse{SystemAddressID} ) {

        my %Address = $Kernel::OM->Get('Kernel::System::SystemAddress')->SystemAddressGet(
            ID => $AutoResponse{SystemAddressID},
        );

        $AutoResponse{SenderAddress}  = $Address{Name};
        $AutoResponse{SenderRealname} = $Address{Realname};
    }

    # get sender attributes based on queue
    else {

        my %Address = $Kernel::OM->Get('Kernel::System::Queue')->GetSystemAddress(
            QueueID => $Ticket{QueueID},
        );

        $AutoResponse{SenderAddress}  = $Address{Email};
        $AutoResponse{SenderRealname} = $Address{RealName};
    }

    # add urls and verify to be full html document
    if ( $Self->{RichText} ) {

        $AutoResponse{Text} = $Kernel::OM->Get('Kernel::System::HTMLUtils')->LinkQuote(
            String => $AutoResponse{Text},
        );

        $AutoResponse{Text} = $Kernel::OM->Get('Kernel::System::HTMLUtils')->DocumentComplete(
            Charset => 'utf-8',
            String  => $AutoResponse{Text},
        );
    }

    return %AutoResponse;
}

=head2 NotificationEvent()

replace all OTOBO smart tags in the notification body and subject

    my %NotificationEvent = $TemplateGeneratorObject->NotificationEvent(
        TicketData            => $TicketDataHashRef,
        Recipient             => $UserDataHashRef,          # Agent or Customer data get result
        Notification          => $NotificationDataHashRef,
        CustomerMessageParams => $ArticleHashRef,           # optional
        UserID                => 123,
    );

=cut

sub NotificationEvent {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for my $Needed (qw(TicketData Notification Recipient UserID)) {
        if ( !$Param{$Needed} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $Needed!",
            );
            return;
        }
    }

    if ( !IsHashRefWithData( $Param{Notification} ) ) {
        $Kernel::OM->Get('Kernel::System::Log')->Log(
            Priority => 'error',
            Message  => "Notification is invalid!",
        );
        return;
    }

    my %Notification = %{ $Param{Notification} };

    # exchanging original reference prevent it to grow up
    if ( ref $Param{CustomerMessageParams} && ref $Param{CustomerMessageParams} eq 'HASH' ) {
        my %LocalCustomerMessageParams = %{ $Param{CustomerMessageParams} };
        $Param{CustomerMessageParams} = \%LocalCustomerMessageParams;
    }

    my $ArticleObject = $Kernel::OM->Get('Kernel::System::Ticket::Article');

    # Get last article from customer.
    my @CustomerArticles = $ArticleObject->ArticleList(
        TicketID   => $Param{TicketData}->{TicketID},
        SenderType => 'customer',
        OnlyLast   => 1,
    );

    my %CustomerArticle;

    ARTICLE:
    for my $Article (@CustomerArticles) {
        next ARTICLE if !$Article->{ArticleID};

        %CustomerArticle = $ArticleObject->BackendForArticle( %{$Article} )->ArticleGet(
            %{$Article},
            DynamicFields => 0,
        );
    }

    # Get last article from agent.
    my @AgentArticles = $ArticleObject->ArticleList(
        TicketID   => $Param{TicketData}->{TicketID},
        SenderType => 'agent',
        OnlyLast   => 1,
    );

    my %AgentArticle;

    AGENTARTICLE:
    for my $Article (@AgentArticles) {
        next AGENTARTICLE if !$Article->{ArticleID};

        %AgentArticle = $ArticleObject->BackendForArticle( %{$Article} )->ArticleGet(
            %{$Article},
            DynamicFields => 0,
        );

        # Include the transmission status, if article is an email.
        my %CommunicationChannel = $Kernel::OM->Get('Kernel::System::CommunicationChannel')->ChannelGet(
            ChannelID => $Article->{CommunicationChannelID},
        );
        if ( $CommunicationChannel{ChannelName} eq 'Email' ) {
            my $TransmissionStatus = $ArticleObject->BackendForArticle( %{$Article} )->ArticleTransmissionStatus(
                ArticleID => $Article->{ArticleID},
            );
            if ( $TransmissionStatus && $TransmissionStatus->{Message} ) {
                $AgentArticle{TransmissionStatusMessage} = $TransmissionStatus->{Message};
            }
        }
    }

    my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

    ARTICLE:
    for my $ArticleData ( \%CustomerArticle, \%AgentArticle ) {
        next ARTICLE if !$ArticleData->{TicketID};
        next ARTICLE if !$ArticleData->{ArticleID};

        # Get article preview in plain text and store it as Body key.
        $ArticleData->{Body} = $LayoutObject->ArticlePreview(
            TicketID   => $ArticleData->{TicketID},
            ArticleID  => $ArticleData->{ArticleID},
            ResultType => 'plain',
            UserID     => $Param{UserID},
        );

        # get accounted time
        my $AccountedTime = $ArticleObject->ArticleAccountedTimeGet(
            ArticleID => $ArticleData->{ArticleID},
        );

        # set the accounted time as part of the articles information
        $ArticleData->{TimeUnit} = $AccountedTime;
    }

    # Populate the hash 'CustomerMessageParams' with all the customer-article data
    # and overwrite it with 'CustomerMessageParams' passed in the Params (bug #13325).
    $Param{CustomerMessageParams} = {
        %CustomerArticle,
        %{ $Param{CustomerMessageParams} || {} },
    };

    # get system default language
    my $DefaultLanguage = $Kernel::OM->Get('Kernel::Config')->Get('DefaultLanguage') || 'en';

    my $Languages = [ $Param{Recipient}->{UserLanguage}, $DefaultLanguage, 'en' ];

    my $Language;
    LANGUAGE:
    for my $Item ( @{$Languages} ) {
        next LANGUAGE if !$Item;
        next LANGUAGE if !$Notification{Message}->{$Item};

        # set language
        $Language = $Item;
        last LANGUAGE;
    }

    # if no language, then take the first one available
    if ( !$Language ) {
        my @NotificationLanguages = sort keys %{ $Notification{Message} };
        $Language = $NotificationLanguages[0];
    }

    # copy the correct language message attributes to a flat structure
    for my $Attribute (qw(Subject Body ContentType)) {
        $Notification{$Attribute} = $Notification{Message}->{$Language}->{$Attribute};
    }

    # Get customer article fields.
    my %CustomerArticleFields;

    if (%CustomerArticle) {
        %CustomerArticleFields = $LayoutObject->ArticleFields(
            TicketID  => $CustomerArticle{TicketID},
            ArticleID => $CustomerArticle{ArticleID},
            UserID    => $Param{UserID},
        );
    }

    ARTICLE_FIELD:
    for my $ArticleField ( sort keys %CustomerArticleFields ) {
        next ARTICLE_FIELD if !defined $CustomerArticleFields{$ArticleField}->{Value};

        if ( !defined $Param{CustomerMessageParams}->{$ArticleField} ) {
            $Param{CustomerMessageParams}->{$ArticleField} = $CustomerArticleFields{$ArticleField}->{Value};
        }
        chomp $Param{CustomerMessageParams}->{$ArticleField};
    }

    # format body (only if longer the 86 chars)
    if ( $Param{CustomerMessageParams}->{Body} ) {
        if ( length $Param{CustomerMessageParams}->{Body} > 86 ) {
            my @Lines = split /\n/, $Param{CustomerMessageParams}->{Body};
            LINE:
            for my $Line (@Lines) {
                my $LineWrapped = $Line =~ s/(^>.+|.{4,86})(?:\s|\z)/$1\n/gm;

                next LINE if $LineWrapped;

                # if the regex does not match then we need
                # to add the missing new line of the split
                # else we will lose e.g. empty lines of the body.
                # (bug#10679)
                $Line .= "\n";
            }
            $Param{CustomerMessageParams}->{Body} = join '', @Lines;
        }
    }

    # fill up required attributes
    for my $Text (qw(Subject Body)) {
        if ( !$Param{CustomerMessageParams}->{$Text} ) {

            # Set to last customer article attribute if it is empty string.
            # For example, if Body is empty string (not undef!), it is maybe sent from NotificationOwnerUpdate event
            # and overrides last customer article body (in %CustomerArticle) above - see bug#14678.
            $Param{CustomerMessageParams}->{$Text} = $CustomerArticle{$Text} || "No $Text";
        }
    }

    my $Start = '<';
    my $End   = '>';
    if ( $Notification{ContentType} =~ m{text\/html} ) {
        $Start = '&lt;';
        $End   = '&gt;';
    }

    # replace <OTOBO_CUSTOMER_DATA_*> tags early from CustomerMessageParams, the rests will be replaced
    # by ticket customer user
    KEY:
    for my $Key ( sort keys %{ $Param{CustomerMessageParams} || {} } ) {

        next KEY if !$Param{CustomerMessageParams}->{$Key};

        $Notification{Body}    =~ s/${Start}OTOBO_CUSTOMER_DATA_$Key${End}/$Param{CustomerMessageParams}->{$Key}/gi;
        $Notification{Subject} =~ s/<OTOBO_CUSTOMER_DATA_$Key>/$Param{CustomerMessageParams}->{$Key}{$Key}/gi;
    }

    # do text/plain to text/html convert
    if ( $Self->{RichText} && $Notification{ContentType} =~ /text\/plain/i ) {
        $Notification{ContentType} = 'text/html';
        $Notification{Body}        = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
            String => $Notification{Body},
        );
    }

    # do text/html to text/plain convert
    if ( !$Self->{RichText} && $Notification{ContentType} =~ /text\/html/i ) {
        $Notification{ContentType} = 'text/plain';
        $Notification{Body}        = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToAscii(
            String => $Notification{Body},
        );
    }

    # get notify texts
    for my $Text (qw(Subject Body)) {
        if ( !$Notification{$Text} ) {
            $Notification{$Text} = "No Notification $Text for $Param{Type} found!";
        }
    }

    # replace place holder stuff
    $Notification{Body} = $Self->_Replace(
        RichText        => $Self->{RichText},
        Text            => $Notification{Body},
        Recipient       => $Param{Recipient},
        Data            => $Param{CustomerMessageParams},
        DataAgent       => \%AgentArticle,
        TicketData      => $Param{TicketData},
        UserID          => $Param{UserID},
        Language        => $Language,
        AddTimezoneInfo => {
            NotificationEvent => 1,
        },
    );

    $Notification{Subject} = $Self->_Replace(
        RichText        => 0,
        Text            => $Notification{Subject},
        Recipient       => $Param{Recipient},
        Data            => $Param{CustomerMessageParams},
        DataAgent       => \%AgentArticle,
        TicketData      => $Param{TicketData},
        UserID          => $Param{UserID},
        Language        => $Language,
        AddTimezoneInfo => {
            NotificationEvent => 1,
        },
    );

    # Keep the "original" (unmodified) subject and body for later use.
    $Notification{OriginalSubject} = $Notification{Subject};
    $Notification{OriginalBody}    = $Notification{Body};

    $Notification{Subject} = $Kernel::OM->Get('Kernel::System::Ticket')->TicketSubjectBuild(
        TicketNumber => $Param{TicketData}->{TicketNumber},
        Subject      => $Notification{Subject} || '',
        Type         => 'New',
    );

    # add URLs and verify to be full HTML document
    if ( $Self->{RichText} ) {

        $Notification{Body} = $Kernel::OM->Get('Kernel::System::HTMLUtils')->LinkQuote(
            String => $Notification{Body},
        );
    }

    return %Notification;
}

=begin Internal:

=cut

sub _Replace {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for (qw(Text RichText Data UserID)) {
        if ( !defined $Param{$_} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $_!"
            );
            return;
        }
    }

    # check for mailto links
    # since the subject and body of those mailto links are
    # uri escaped we have to uri unescape them, replace
    # possible placeholders and then re-uri escape them
    $Param{Text} =~ s{
        (href="mailto:[^\?]+\?)([^"]+")
    }
    {
        my $MailToHref        = $1;
        my $MailToHrefContent = $2;

        $MailToHrefContent =~ s{
            ((?:subject|body)=)(.+?)("|&)
        }
        {
            my $SubjectOrBodyPrefix  = $1;
            my $SubjectOrBodyContent = $2;
            my $SubjectOrBodySuffix  = $3;

            my $SubjectOrBodyContentUnescaped = URI::Escape::uri_unescape $SubjectOrBodyContent;

            my $SubjectOrBodyContentReplaced = $Self->_Replace(
                %Param,
                Text     => $SubjectOrBodyContentUnescaped,
                RichText => 0,
            );

            my $SubjectOrBodyContentEscaped = URI::Escape::uri_escape_utf8 $SubjectOrBodyContentReplaced;

            $SubjectOrBodyPrefix . $SubjectOrBodyContentEscaped . $SubjectOrBodySuffix;
        }egx;

        $MailToHref . $MailToHrefContent;
    }egx;

    my $Start = '<';
    my $End   = '>';
    if ( $Param{RichText} ) {
        $Start = '&lt;';
        $End   = '&gt;';
        $Param{Text} =~ s/(\n|\r)//g;
    }

    my %Ticket;
    if ( $Param{TicketData} ) {
        %Ticket = %{ $Param{TicketData} };
    }

    my $CustomerUserObject = $Kernel::OM->Get('Kernel::System::CustomerUser');

    # Determine recipient's timezone if needed.
    my $RecipientTimeZone;
    if ( $Param{AddTimezoneInfo} ) {
        $RecipientTimeZone = $Kernel::OM->Create('Kernel::System::DateTime')->OTOBOTimeZoneGet();

        my %CustomerUser;
        if ( IsHashRefWithData( \%Ticket ) && $Ticket{CustomerUserID} ) {
            %CustomerUser = $CustomerUserObject->CustomerUserDataGet( User => $Ticket{CustomerUserID} );
        }

        my %UserPreferences;

        if ( $Param{AddTimezoneInfo}->{NotificationEvent} && $Param{Recipient}->{Type} eq 'Agent' ) {
            %UserPreferences = $Kernel::OM->Get('Kernel::System::User')->GetPreferences(
                UserID => $Param{Recipient}->{UserID},
            );
        }
        elsif (
            $Param{AddTimezoneInfo}->{NotificationEvent}
            && $Param{Recipient}->{Type} eq 'Customer'
            && $Param{Recipient}->{UserID}
            )
        {
            %UserPreferences = $CustomerUserObject->GetPreferences(
                UserID => $Param{Recipient}->{UserID},
            );
        }
        elsif (
            $Param{AddTimezoneInfo}->{AutoResponse}
            && $Ticket{CustomerUserID}
            && IsHashRefWithData( \%CustomerUser )
            )
        {
            %UserPreferences = $CustomerUserObject->GetPreferences(
                UserID => $Ticket{CustomerUserID},
            );
        }

        if ( $UserPreferences{UserTimeZone} ) {
            $RecipientTimeZone = $UserPreferences{UserTimeZone};
        }
    }

    # Replace Unix time format tags.
    # If language is defined, they will be converted into a correct format in below IF statement.
    for my $UnixFormatTime (
        qw(RealTillTimeNotUsed EscalationResponseTime EscalationUpdateTime EscalationSolutionTime)
        )
    {
        if ( $Ticket{$UnixFormatTime} ) {
            $Ticket{$UnixFormatTime} = $Kernel::OM->Create(
                'Kernel::System::DateTime',
                ObjectParams => {
                    Epoch => $Ticket{$UnixFormatTime},
                },
            )->ToString();
        }
    }

    # translate ticket values if needed
    if ( $Param{Language} ) {

        my $LanguageObject = Kernel::Language->new(
            UserLanguage => $Param{Language},
        );

        # Translate the different values.
        for my $Field (qw(Type State StateType Lock Priority)) {
            $Ticket{$Field} = $LanguageObject->Translate( $Ticket{$Field} );
        }

        # Transform the date values from the ticket data (but not the dynamic field values).
        ATTRIBUTE:
        for my $Attribute ( sort keys %Ticket ) {
            next ATTRIBUTE if $Attribute =~ m{ \A DynamicField_ }xms;
            next ATTRIBUTE if !$Ticket{$Attribute};

            if ( $Ticket{$Attribute} =~ m{\A(\d\d\d\d)-(\d\d)-(\d\d)\s(\d\d):(\d\d):(\d\d)\z}xi ) {

                # Change time to recipient's timezone if needed
                # and later append timezone information.
                # For more information,
                # see bug#13865 (https://bugs.otrs.org/show_bug.cgi?id=13865)
                # and bug#14270 (https://bugs.otrs.org/show_bug.cgi?id=14270).
                if ($RecipientTimeZone) {
                    my $DateTimeObject = $Kernel::OM->Create(
                        'Kernel::System::DateTime',
                        ObjectParams => {
                            String => $Ticket{$Attribute},
                        },
                    );
                    $DateTimeObject->ToTimeZone( TimeZone => $RecipientTimeZone );
                    $Ticket{$Attribute} = $DateTimeObject->ToString();
                }

                $Ticket{$Attribute} = $LanguageObject->FormatTimeString(
                    $Ticket{$Attribute},
                    'DateFormat',
                    'NoSeconds',
                );

                # Append timezone information if needed.
                if ($RecipientTimeZone) {
                    $Ticket{$Attribute} .= " ($RecipientTimeZone)";
                }
            }
        }

        my $LocalLayoutObject = Kernel::Output::HTML::Layout->new(
            Lang => $Param{Language},
        );

        # Convert tags in seconds to more readable appropriate format if language is defined.
        for my $TimeInSeconds (
            qw(UntilTime EscalationTimeWorkingTime EscalationTime FirstResponseTimeWorkingTime FirstResponseTime UpdateTimeWorkingTime
            UpdateTime SolutionTimeWorkingTime SolutionTime)
            )
        {
            if ( $Ticket{$TimeInSeconds} ) {
                $Ticket{$TimeInSeconds} = $LocalLayoutObject->CustomerAge(
                    Age   => $Ticket{$TimeInSeconds},
                    Space => ' '
                );
            }
        }
    }

    my %Queue;
    if ( $Param{QueueID} ) {
        %Queue = $Kernel::OM->Get('Kernel::System::Queue')->QueueGet(
            ID => $Param{QueueID},
        );
    }

    my $ConfigObject = $Kernel::OM->Get('Kernel::Config');

    # Replace config options.
    my $Tag = $Start . 'OTOBO_CONFIG_';
    $Param{Text} =~ s{$Tag(.+?)$End}{
        my $Key   = $1;
        my $Value = $ConfigObject->Get($Key) // '';

        # Mask sensitive config options.
        my $Replace = $Self->_MaskSensitiveValue(
            Key      => $Key,
            Value    => $Value,
            IsConfig => 1,
        );

        $Replace;
    }egx;

    # cleanup
    $Param{Text} =~ s/$Tag.+?$End/-/gi;

    my %Recipient = %{ $Param{Recipient} || {} };

    # get user object
    my $UserObject = $Kernel::OM->Get('Kernel::System::User');

    if ( !%Recipient && $Param{RecipientID} ) {

        %Recipient = $UserObject->GetUserData(
            UserID        => $Param{RecipientID},
            NoOutOfOffice => 1,
        );
    }

    my $HashGlobalReplace = sub {
        my ( $Tag, %H ) = @_;

        # Generate one single matching string for all keys to save performance.
        my $Keys = join '|', map {quotemeta} grep { defined $H{$_} } keys %H;

        # Set all keys as lowercase to be able to match case insensitive,
        #   e. g. <OTOBO_CUSTOMER_From> and <OTOBO_CUSTOMER_FROM>.
        #   Also mask any values containing sensitive data.
        %H = map {
            lc $_ => $Self->_MaskSensitiveValue(
                Key   => $_,
                Value => $H{$_},
            )
        } sort keys %H;

        # If tag is 'OTOBO_CUSTOMER_' add the body alias 'email/note' to be replaced.
        if ( $Tag =~ m/OTOBO_(CUSTOMER|AGENT)_/ ) {
            KEY:
            for my $Key (qw( email note )) {
                my $Value = $H{$Key};
                next KEY if defined($Value);

                $H{$Key} = $H{'body'};
                $Keys .= '|' . ucfirst $Key;
            }
        }

        $Param{Text} =~ s/(?:$Tag)($Keys)$End/$H{ lc $1 }/ieg;
    };

    # get recipient data and replace it with <OTOBO_...
    $Tag = $Start . 'OTOBO_';

    # include more readable tag <OTOBO_NOTIFICATION_RECIPIENT
    my $RecipientTag = $Start . 'OTOBO_NOTIFICATION_RECIPIENT_';

    if (%Recipient) {

        # HTML quoting of content
        if ( $Param{RichText} ) {
            ATTRIBUTE:
            for my $Attribute ( sort keys %Recipient ) {
                next ATTRIBUTE if !$Recipient{$Attribute};
                $Recipient{$Attribute} = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
                    String => $Recipient{$Attribute},
                );
            }
        }

        $HashGlobalReplace->( "$Tag|$RecipientTag", %Recipient );
    }

    # cleanup
    $Param{Text} =~ s/$RecipientTag.+?$End/-/gi;

    # get owner data and replace it with <OTOBO_OWNER_...
    $Tag = $Start . 'OTOBO_OWNER_';

    # include more readable version <OTOBO_TICKET_OWNER
    my $OwnerTag = $Start . 'OTOBO_TICKET_OWNER_';

    if ( $Ticket{OwnerID} ) {

        my %Owner = $UserObject->GetUserData(
            UserID        => $Ticket{OwnerID},
            NoOutOfOffice => 1,
        );

        # html quoting of content
        if ( $Param{RichText} ) {

            ATTRIBUTE:
            for my $Attribute ( sort keys %Owner ) {
                next ATTRIBUTE if !$Owner{$Attribute};
                $Owner{$Attribute} = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
                    String => $Owner{$Attribute},
                );
            }
        }

        $HashGlobalReplace->( "$Tag|$OwnerTag", %Owner );
    }

    # cleanup
    $Param{Text} =~ s/$Tag.+?$End/-/gi;
    $Param{Text} =~ s/$OwnerTag.+?$End/-/gi;

    # get owner data and replace it with <OTOBO_RESPONSIBLE_...
    $Tag = $Start . 'OTOBO_RESPONSIBLE_';

    # include more readable version <OTOBO_TICKET_RESPONSIBLE
    my $ResponsibleTag = $Start . 'OTOBO_TICKET_RESPONSIBLE_';

    if ( $Ticket{ResponsibleID} ) {
        my %Responsible = $UserObject->GetUserData(
            UserID        => $Ticket{ResponsibleID},
            NoOutOfOffice => 1,
        );

        # HTML quoting of content
        if ( $Param{RichText} ) {

            ATTRIBUTE:
            for my $Attribute ( sort keys %Responsible ) {
                next ATTRIBUTE if !$Responsible{$Attribute};
                $Responsible{$Attribute} = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
                    String => $Responsible{$Attribute},
                );
            }
        }

        $HashGlobalReplace->( "$Tag|$ResponsibleTag", %Responsible );
    }

    # cleanup
    $Param{Text} =~ s/$Tag.+?$End/-/gi;
    $Param{Text} =~ s/$ResponsibleTag.+?$End/-/gi;

    $Tag = $Start . 'OTOBO_Agent_';
    my $Tag2        = $Start . 'OTOBO_CURRENT_';
    my %CurrentUser = $UserObject->GetUserData(
        UserID        => $Param{UserID},
        NoOutOfOffice => 1,
    );

    # HTML quoting of content
    if ( $Param{RichText} ) {

        ATTRIBUTE:
        for my $Attribute ( sort keys %CurrentUser ) {
            next ATTRIBUTE if !$CurrentUser{$Attribute};
            $CurrentUser{$Attribute} = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
                String => $CurrentUser{$Attribute},
            );
        }
    }

    $HashGlobalReplace->( "$Tag|$Tag2", %CurrentUser );

    # replace other needed stuff
    $Param{Text} =~ s/$Start OTOBO_FIRST_NAME $End/$CurrentUser{UserFirstname}/gxms;
    $Param{Text} =~ s/$Start OTOBO_LAST_NAME $End/$CurrentUser{UserLastname}/gxms;

    # cleanup
    $Param{Text} =~ s/$Tag2.+?$End/-/gi;

    # ticket data
    $Tag = $Start . 'OTOBO_TICKET_';

    # html quoting of content
    if ( $Param{RichText} ) {

        ATTRIBUTE:
        for my $Attribute ( sort keys %Ticket ) {
            next ATTRIBUTE if !$Ticket{$Attribute};
            $Ticket{$Attribute} = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
                String => $Ticket{$Attribute},
            );
        }
    }

# Rother OSS / OneTimeAuthenticationLink
    # Replace config options.
    $Tag = $Start . 'OTOBO_OTACustomerTicketLink';
    $Param{Text} =~ s{$Tag$End}{
        my $Replace = $Kernel::OM->Get('Kernel::System::CustomerAuth::OneTimeAuthLink')->TicketLink(
            TicketNumber => $Ticket{TicketNumber},
            User         => $Ticket{CustomerUserID},
        );

        $Replace;
    }egx;
# EO OneTimeAuthenticationLink

    # Dropdown, Checkbox and MultipleSelect DynamicFields, can store values (keys) that are
    # different from the the values to display
    # <OTOBO_TICKET_DynamicField_NameX> returns the stored key
    # <OTOBO_TICKET_DynamicField_NameX_Value> returns the display value

    my %DynamicFields;

    # For systems with many Dynamic fields we do not want to load them all unless needed
    # Find what Dynamic Field Values are requested
    while ( $Param{Text} =~ m/$Tag DynamicField_(\S+?)(_Value)? $End/gixms ) {
        $DynamicFields{$1} = 1;
    }

    # to store all the required DynamicField display values
    my %DynamicFieldDisplayValues;

    # get dynamic field objects
    my $DynamicFieldObject        = $Kernel::OM->Get('Kernel::System::DynamicField');
    my $DynamicFieldBackendObject = $Kernel::OM->Get('Kernel::System::DynamicField::Backend');

    # get the dynamic fields for ticket object
    my $DynamicFieldList = $DynamicFieldObject->DynamicFieldListGet(
        Valid      => 1,
        ObjectType => ['Ticket'],
    ) || [];

    # cycle through the activated Dynamic Fields for this screen
    DYNAMICFIELD:
    for my $DynamicFieldConfig ( @{$DynamicFieldList} ) {

        next DYNAMICFIELD if !IsHashRefWithData($DynamicFieldConfig);

        # we only load the ones requested
        next DYNAMICFIELD if !$DynamicFields{ $DynamicFieldConfig->{Name} };

        my $LanguageObject;

        # translate values if needed
        if ( $Param{Language} ) {
            $LanguageObject = Kernel::Language->new(
                UserLanguage => $Param{Language},
            );
        }

        my $DateTimeObject;

        # Change DateTime DF value for ticket if needed.
        if (
            defined $Ticket{ 'DynamicField_' . $DynamicFieldConfig->{Name} }
            && $DynamicFieldConfig->{FieldType} eq 'DateTime'
            && $RecipientTimeZone
            )
        {
            $DateTimeObject = $Kernel::OM->Create(
                'Kernel::System::DateTime',
                ObjectParams => {
                    String => $Ticket{ 'DynamicField_' . $DynamicFieldConfig->{Name} },
                },
            );
            $DateTimeObject->ToTimeZone( TimeZone => $RecipientTimeZone );
            $Ticket{ 'DynamicField_' . $DynamicFieldConfig->{Name} } = $DateTimeObject->ToString();
        }

        # get the display value for each dynamic field
        my $DisplayValue = $DynamicFieldBackendObject->ValueLookup(
            DynamicFieldConfig => $DynamicFieldConfig,
            Key                => $Ticket{ 'DynamicField_' . $DynamicFieldConfig->{Name} },
            LanguageObject     => $LanguageObject,
        );

        # get the readable value (value) for each dynamic field
        my $DisplayValueStrg = $DynamicFieldBackendObject->ReadableValueRender(
            DynamicFieldConfig => $DynamicFieldConfig,
            Value              => $DisplayValue,
        );

        # fill the DynamicFielsDisplayValues
        if ($DisplayValueStrg) {
            $DynamicFieldDisplayValues{ 'DynamicField_' . $DynamicFieldConfig->{Name} . '_Value' } = $DisplayValueStrg->{Value};

            # Add timezone info if needed.
            if (
                defined $Ticket{ 'DynamicField_' . $DynamicFieldConfig->{Name} }
                && length $Ticket{ 'DynamicField_' . $DynamicFieldConfig->{Name} }
                && $DynamicFieldConfig->{FieldType} eq 'DateTime'
                && $RecipientTimeZone
                )
            {
                $DynamicFieldDisplayValues{ 'DynamicField_' . $DynamicFieldConfig->{Name} . '_Value' }
                    .= " ($RecipientTimeZone)";
            }
        }

        # get the readable value (key) for each dynamic field
        my $ValueStrg = $DynamicFieldBackendObject->ReadableValueRender(
            DynamicFieldConfig => $DynamicFieldConfig,
            Value              => $Ticket{ 'DynamicField_' . $DynamicFieldConfig->{Name} },
        );

        # replace ticket content with the value from ReadableValueRender (if any)
        if ( IsHashRefWithData($ValueStrg) ) {
            $Ticket{ 'DynamicField_' . $DynamicFieldConfig->{Name} } = $ValueStrg->{Value};

            # Add timezone info if needed.
            if (
                defined $Ticket{ 'DynamicField_' . $DynamicFieldConfig->{Name} }
                && length $Ticket{ 'DynamicField_' . $DynamicFieldConfig->{Name} }
                && $DynamicFieldConfig->{FieldType} eq 'DateTime'
                && $RecipientTimeZone
                )
            {
                $Ticket{ 'DynamicField_' . $DynamicFieldConfig->{Name} } .= " ($RecipientTimeZone)";
            }
        }
    }

    # replace it
    $HashGlobalReplace->( $Tag, %Ticket, %DynamicFieldDisplayValues );

    # COMPAT
    $Param{Text} =~ s/$Start OTOBO_TICKET_ID $End/$Ticket{TicketID}/gixms;
    $Param{Text} =~ s/$Start OTOBO_TICKET_NUMBER $End/$Ticket{TicketNumber}/gixms;
    if ( $Ticket{TicketID} ) {
        $Param{Text} =~ s/$Start OTOBO_QUEUE $End/$Ticket{Queue}/gixms;
    }
    if ( $Param{QueueID} ) {
        $Param{Text} =~ s/$Start OTOBO_TICKET_QUEUE $End/$Queue{Name}/gixms;
    }

    # cleanup
    $Param{Text} =~ s/$Tag.+?$End/-/gi;

    # Follow-up for bug#10825.
    # Set data for replacing of specific tags in Templates:
    # - OTOBO_AGENT_SUBJECT, OTOBO_AGENT_BODY - subject/body of the CURRENT/LATEST agent article
    # - OTOBO_CUSTOMER_SUBJECT, OTOBO_CUSTOMER_BODY - subject/body of the CURRENT/LATEST customer article
    # - OTOBO_AGENT_SUBJECT[n]    - first n characters of the subject of the CURRENT/LATEST agent article
    # - OTOBO_AGENT_BODY[n]       - first n lines of the body of the CURRENT/LATEST agent article
    # - OTOBO_CUSTOMER_SUBJECT[n] - first n characters of the subject of the CURRENT/LATEST customer article
    # - OTOBO_CUSTOMER_BODY[n]    - first n lines of the body of the CURRENT/LATEST customer article
    #
    # For Note template we need the last article.
    # For Answer, $Param{Data} has selected or last article data, depends whether ArticleID is sent or not.
    # For Forward, $Param{Data} has the following article data:
    # - if ArticleID is sent, data is from selected article.
    # - if ArticleID is not sent, data is from last customer/agent/any article.
    if ( $Param{Template} && $Ticket{TicketID} ) {
        my $ArticleObject = $Kernel::OM->Get('Kernel::System::Ticket::Article');

        if ( $Param{Template} eq 'Note' ) {

            # Get last article from agent.
            my @AgentArticles = $ArticleObject->ArticleList(
                TicketID   => $Param{TicketData}->{TicketID},
                SenderType => 'agent',
                OnlyLast   => 1,
            );

            my %AgentArticle = $ArticleObject->BackendForArticle( %{ $AgentArticles[0] } )->ArticleGet(
                %{ $AgentArticles[0] },
                DynamicFields => 0,
            );

            # Get last article from customer.
            my @CustomerArticles = $ArticleObject->ArticleList(
                TicketID   => $Param{TicketData}->{TicketID},
                SenderType => 'customer',
                OnlyLast   => 1,
            );

            my %CustomerArticle = $ArticleObject->BackendForArticle( %{ $CustomerArticles[0] } )->ArticleGet(
                %{ $CustomerArticles[0] },
                DynamicFields => 0,
            );

            $Param{DataAgent}->{Subject} = $AgentArticle{Subject};
            $Param{DataAgent}->{Body}    = $AgentArticle{Body};
            $Param{Data}->{Subject}      = $CustomerArticle{Subject};
            $Param{Data}->{Body}         = $CustomerArticle{Body};
        }
        elsif ( $Param{Template} eq 'Answer' || $Param{Template} eq 'Forward' ) {

            # If $Param{Data} has agent article data, we will set subject and body in $Param{DataAgent}
            # to values from $Param{Data} in order to right replacing of OTOBO_AGENT_SUBJECT/BODY tags.
            if ( $Param{Data}->{SenderType} && $Param{Data}->{SenderType} eq 'agent' ) {
                $Param{DataAgent}->{Subject} = $Param{Data}->{Subject};
                $Param{DataAgent}->{Body}    = $Param{Data}->{Body};
            }
        }
    }

    # get customer and agent params and replace it with <OTOBO_CUSTOMER_... or <OTOBO_AGENT_...
    my %ArticleData = (
        'OTOBO_CUSTOMER_' => $Param{Data}      || {},
        'OTOBO_AGENT_'    => $Param{DataAgent} || {},
    );

    # use a list to get customer first
    for my $DataType (qw(OTOBO_CUSTOMER_ OTOBO_AGENT_)) {
        my %Data = %{ $ArticleData{$DataType} };

        # HTML quoting of content
        if ( $Param{RichText} ) {

            ATTRIBUTE:
            for my $Attribute ( sort keys %Data ) {
                next ATTRIBUTE if !$Data{$Attribute};

                $Data{$Attribute} = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
                    String => $Data{$Attribute},
                );
            }
        }

        if (%Data) {

            # replace <OTOBO_CUSTOMER_*> and <OTOBO_AGENT_*> tags
            $Tag = $Start . $DataType;
            $HashGlobalReplace->( $Tag, %Data );

            # prepare body (insert old email) <OTOBO_CUSTOMER_EMAIL[n]>, <OTOBO_CUSTOMER_NOTE[n]>
            #   <OTOBO_CUSTOMER_BODY[n]>, <OTOBO_AGENT_EMAIL[n]>..., <OTOBO_COMMENT>

            # Changed this to a 'while' to allow the same key/tag multiple times and different number of lines.
            while (
                $Param{Text} =~ /$Start(?:$DataType(EMAIL|NOTE|BODY)\[(.+?)\])$End/
                ||
                $Param{Text} =~ /$Start(?:OTOBO_COMMENT(\[(.+?)\])?)$End/
                )
            {

                my $Line       = $2 || 2500;
                my $NewOldBody = '';
                my @Body       = split( /\n/, $Data{Body} );

                for my $Counter ( 0 .. $Line - 1 ) {

                    # 2002-06-14 patch of Pablo Ruiz Garcia
                    # http://lists.otobo.org/pipermail/dev/2002-June/000012.html
                    if ( $#Body >= $Counter ) {

                        # add no quote char, do it later by using DocumentCleanup()
                        if ( $Param{RichText} ) {
                            $NewOldBody .= $Body[$Counter];
                        }

                        # add "> " as quote char
                        else {
                            $NewOldBody .= "> $Body[$Counter]";
                        }

                        # add new line
                        if ( $Counter < ( $Line - 1 ) ) {
                            $NewOldBody .= "\n";
                        }
                    }
                    $Counter++;
                }

                chomp $NewOldBody;

                # HTML quoting of content
                if ( $Param{RichText} && $NewOldBody ) {

                    # remove trailing new lines
                    for ( 1 .. 10 ) {
                        $NewOldBody =~ s/(<br\/>)\s{0,20}$//gs;
                    }

                    # add quote
                    $NewOldBody = "<blockquote type=\"cite\">$NewOldBody</blockquote>";
                    $NewOldBody = $Kernel::OM->Get('Kernel::System::HTMLUtils')->DocumentCleanup(
                        String => $NewOldBody,
                    );
                }

                # replace tag
                $Param{Text}
                    =~ s/$Start(?:(?:$DataType(EMAIL|NOTE|BODY)\[(.+?)\]|(?:OTOBO_COMMENT(\[(.+?)\])?)))$End/$NewOldBody/;
            }

            # replace <OTOBO_CUSTOMER_SUBJECT[]>  and  <OTOBO_AGENT_SUBJECT[]> tags
            $Tag = "$Start$DataType" . 'SUBJECT';
            if ( $Param{Text} =~ /$Tag\[(.+?)\]$End/g ) {

                my $SubjectChar = $1;
                my $Subject     = $Kernel::OM->Get('Kernel::System::Ticket')->TicketSubjectClean(
                    TicketNumber => $Ticket{TicketNumber},
                    Subject      => $Data{Subject},
                );

                $Subject =~ s/^(.{$SubjectChar}).*$/$1 [...]/;
                $Param{Text} =~ s/$Tag\[.+?\]$End/$Subject/g;
            }

            if ( $DataType eq 'OTOBO_CUSTOMER_' ) {

                # Get <OTOBO_EMAIL_DATE[]> from body and replace with received date.
                # This tag will be able to use with supported OTOBO time zones
                #   ( e.g. <OTOBO_EMAIL_DATE[Europe/Berlin]>, <OTOBO_EMAIL_DATE[Asia/Tokyo]>,
                #   <OTOBO_EMAIL_DATE[America/Denver]> , ...).
                # If you use tag without time in simple format as <OTOBO_EMAIL_DATE>,
                #  time will be transformed into OTOBO SystemTimeZone.
                $Tag = $Start . 'OTOBO_EMAIL_DATE';

                my $DateTimeObject = $Kernel::OM->Create('Kernel::System::DateTime');
                my $SystemTimeZone = $DateTimeObject->OTOBOTimeZoneGet();
                while ( $Param{Text} =~ /$Tag\[(.+?)\]$End/g ) {
                    my $TimeZone      = $1;
                    my $TimeZoneValid = $DateTimeObject->IsTimeZoneValid( TimeZone => $TimeZone );
                    if ($TimeZoneValid) {
                        $DateTimeObject->ToTimeZone( TimeZone => $TimeZone );
                    }
                    else {
                        $TimeZone = $SystemTimeZone;
                    }

                    my $EmailDate = $DateTimeObject->Format( Format => '%A, %B %e, %Y at %T ' );
                    $EmailDate .= "($TimeZone)";
                    $Param{Text} =~ s/$Tag\[$1\]$End/$EmailDate/g;
                }

                if ( $Param{Text} =~ /$Tag$End/g ) {
                    my $TimeZone = $SystemTimeZone;
                    $DateTimeObject->ToTimeZone( TimeZone => $TimeZone );

                    my $EmailDate = $DateTimeObject->Format( Format => '%A, %B %e, %Y at %T ' );
                    $EmailDate .= "($TimeZone)";
                    $Param{Text} =~ s/$Tag$End/$EmailDate/g;
                }
            }
        }

        if ( $DataType eq 'OTOBO_CUSTOMER_' ) {

            # get and prepare realname
            $Tag = $Start . 'OTOBO_CUSTOMER_REALNAME';
            if ( $Param{Text} =~ /$Tag$End/i ) {

                my $From;

                if ( $Ticket{CustomerUserID} ) {

                    $From = $CustomerUserObject->CustomerName(
                        UserLogin => $Ticket{CustomerUserID}
                    );
                }

                # try to get the real name directly from the data
                $From //= $Recipient{Realname};

                # get real name based on reply-to
                if ( !$From && $Data{ReplyTo} ) {

                    $From = $Data{ReplyTo};

                    # remove email addresses
                    $From =~ s/&lt;.*&gt;|<.*>|\(.*\)|\"|&quot;|;|,//g;

                    # remove leading/trailing spaces
                    $From =~ s/^\s+//g;
                    $From =~ s/\s+$//g;
                }

                # generate real name based on sender line
                if ( !$From ) {
                    $From = $Data{To} || '';

                    # remove email addresses
                    $From =~ s/&lt;.*&gt;|<.*>|\(.*\)|\"|&quot;|;|,//g;

                    # remove leading/trailing spaces
                    $From =~ s/^\s+//g;
                    $From =~ s/\s+$//g;
                }

                # replace <OTOBO_CUSTOMER_REALNAME> with from
                $Param{Text} =~ s/$Tag$End/$From/g;
            }
        }
    }

    # get customer data and replace it with <OTOBO_CUSTOMER_DATA_...
    $Tag  = $Start . 'OTOBO_CUSTOMER_';
    $Tag2 = $Start . 'OTOBO_CUSTOMER_DATA_';

    if ( $Ticket{CustomerUserID} || $Param{Data}->{CustomerUserID} ) {

        my $CustomerUserID = $Param{Data}->{CustomerUserID} || $Ticket{CustomerUserID};

        my %CustomerUser = $CustomerUserObject->CustomerUserDataGet(
            User => $CustomerUserID,
        );

        # HTML quoting of content
        if ( $Param{RichText} ) {

            ATTRIBUTE:
            for my $Attribute ( sort keys %CustomerUser ) {
                next ATTRIBUTE if !$CustomerUser{$Attribute};
                $CustomerUser{$Attribute} = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
                    String => $CustomerUser{$Attribute},
                );
            }
        }

        # replace it
        $HashGlobalReplace->( "$Tag|$Tag2", %CustomerUser );
    }

    # cleanup all not needed <OTOBO_CUSTOMER_DATA_ tags
    $Param{Text} =~ s/(?:$Tag|$Tag2).+?$End/-/gi;

    # cleanup all not needed <OTOBO_AGENT_ tags
    $Tag = $Start . 'OTOBO_AGENT_';
    $Param{Text} =~ s/$Tag.+?$End/-/gi;

    return $Param{Text};
}

=head2 _RemoveUnSupportedTag()

cleanup all not supported tags

    my $Text = $TemplateGeneratorObject->_RemoveUnSupportedTag(
        Text => $SomeTextWithTags,
        ListOfUnSupportedTag => \@ListOfUnSupportedTag,
    );

=cut

sub _RemoveUnSupportedTag {

    my ( $Self, %Param ) = @_;

    # check needed stuff
    for my $Item (qw(Text ListOfUnSupportedTag)) {
        if ( !defined $Param{$Item} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $Item!"
            );
            return;
        }
    }

    my $Start = '<';
    my $End   = '>';
    if ( $Self->{RichText} ) {
        $Start = '&lt;';
        $End   = '&gt;';
        $Param{Text} =~ s/(\n|\r)//g;
    }

    # Cleanup all not supported tags with and without number, e.g. OTOBO_CUSTOMER_BODY and OTOBO_CUSTOMER_BODY[n].
    # See https://bugs.otrs.org/show_bug.cgi?id=14369 and https://bugs.otrs.org/show_bug.cgi?id=10825.
    my $NotSupportedTag = $Start . "(?:" . join( "|", @{ $Param{ListOfUnSupportedTag} } ) . ")(\\[.*?\\])?" . $End;
    $Param{Text} =~ s/$NotSupportedTag/-/gi;

    return $Param{Text};

}

=head2 _MaskSensitiveValue()

Mask sensitive value, i.e. a password, a security token, etc.

    my $MaskedValue = $Self->_MaskSensitiveValue(
        Key      => 'DatabasePassword', # (required) Name of the field/key.
        Value    => 'secretvalue',      # (optional) Value to potentially mask.
        IsConfig => 1,                  # (optional) Whether the value is a config option, default: 0.
    );

Returns masked value, in case the key is matched:

   $MaskedValue = 'xxx';

=cut

sub _MaskSensitiveValue {
    my ( $Self, %Param ) = @_;

    return '' if !$Param{Key} || !defined $Param{Value};

    # Skip masking sensitive values for Dynamic Fields.
    return $Param{Value} if $Param{Key} =~ qr{ dynamicfield }xi;

    # Match general key names, i.e. from the user preferences.
    my $Match = qr{ config|secret|passw|userpw|auth|token }xi;

    # Match forbidden config keys.
    if ( $Param{IsConfig} ) {
        $Match = qr{ (?:password|pw) \d* $ }smxi;
    }

    return $Param{Value} if $Param{Key} !~ $Match;

    return 'xxx';
}

=end Internal:

=cut

1;

# --
# OTOBO is a web-based ticketing system for service organisations.
# --
# Copyright (C) 2001-2020 OTRS AG, https://otrs.com/
# Copyright (C) 2019-2021 Rother OSS GmbH, https://otobo.de/
# --
# $origin: otobo - b040c799263288a42954e29abb598164fcae2484 - Kernel/System/Web/InterfaceCustomer.pm
# --
# This program is free software: you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation, either version 3 of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# --

package Kernel::System::Web::InterfaceCustomer;

use strict;
use warnings;

# core modules

# CPAN modules

# OTOBO modules
use Kernel::System::Email;
use Kernel::System::VariableCheck qw(IsArrayRefWithData IsHashRefWithData);
use Kernel::Language qw(Translatable);
use Kernel::System::DateTime;

our @ObjectDependencies = (
    'Kernel::Config',
    'Kernel::Output::HTML::Layout',
    'Kernel::System::AuthSession',
    'Kernel::System::Cache',
    'Kernel::System::CustomerAuth',
    'Kernel::System::CustomerGroup',
    'Kernel::System::CustomerUser',
    'Kernel::System::DB',
    'Kernel::System::Group',
    'Kernel::System::Log',
    'Kernel::System::Main',
    'Kernel::System::Scheduler',
    'Kernel::System::DateTime',
    'Kernel::System::Web::Request',
    'Kernel::System::Valid',
);

=head1 NAME

Kernel::System::Web::InterfaceCustomer - the customer web interface

=head1 DESCRIPTION

the global customer web interface (authentication, session handling, ...)

=head1 PUBLIC INTERFACE

=head2 new()

create customer web interface object

    use Kernel::System::Web::InterfaceCustomer;

    my $Debug = 0;
    my $InterfaceCustomer = Kernel::System::Web::InterfaceCustomer->new(
        Debug      => $Debug,
        WebRequest => CGI::PSGI->new($env), # optional, e. g. if PSGI is used
    );

=cut

sub new {
    my ( $Type, %Param ) = @_;

    # start with an empty hash for the new object
    my $Self = bless {}, $Type;

    # get debug level
    $Self->{Debug} = $Param{Debug} || 0;

    # performance log
    $Self->{PerformanceLogStart} = time();

    # register object params
    $Kernel::OM->ObjectParamAdd(
        'Kernel::System::Log' => {
            LogPrefix => $Kernel::OM->Get('Kernel::Config')->Get('CGILogPrefix'),
        },
        'Kernel::System::Web::Request' => {
            WebRequest => $Param{WebRequest} || 0,
        },
    );

    # debug info
    if ( $Self->{Debug} ) {
        $Kernel::OM->Get('Kernel::System::Log')->Log(
            Priority => 'debug',
            Message  => 'Global handle started...',
        );
    }

    return $Self;
}

=head2 Run()

execute the object

    $InterfaceCustomer->Run();

=cut

sub Run {
    my $Self = shift;

    my $ConfigObject = $Kernel::OM->Get('Kernel::Config');

    my $QueryString = $ENV{QUERY_STRING} || '';

    # Check if https forcing is active, and redirect if needed.
    if ( $ConfigObject->Get('HTTPSForceRedirect') ) {

        # Some web servers do not set HTTPS environment variable, so it's not possible to easily know if we are using
        #   https protocol. Look also for similarly named keys in environment hash, since this should prevent loops in
        #   certain cases.
        if (
            (
                !defined $ENV{HTTPS}
                && !grep {/^HTTPS(?:_|$)/} keys %ENV
            )
            || $ENV{HTTPS} ne 'on'
            )
        {
            my $Host = $ENV{HTTP_HOST} || $ConfigObject->Get('FQDN');

            # Redirect with 301 code. Add two new lines at the end, so HTTP headers are validated correctly.
            print "Status: 301 Moved Permanently\nLocation: https://$Host$ENV{REQUEST_URI}\n\n";
            return;
        }
    }

    my $ParamObject = $Kernel::OM->Get('Kernel::System::Web::Request');

    my %Param;

    # get session id
    $Param{SessionName} = $ConfigObject->Get('CustomerPanelSessionName')         || 'CSID';
    $Param{SessionID}   = $ParamObject->GetParam( Param => $Param{SessionName} ) || '';

    # drop old session id (if exists)
    $QueryString =~ s/(\?|&|;|)$Param{SessionName}(=&|=;|=.+?&|=.+?$)/;/g;

    # define framework params
    my $FrameworkParams = {
        Lang         => '',
        Action       => '',
        Subaction    => '',
        RequestedURL => $QueryString,
    };
    for my $Key ( sort keys %{$FrameworkParams} ) {
        $Param{$Key} = $ParamObject->GetParam( Param => $Key )
            || $FrameworkParams->{$Key};
    }

    # validate language
    if ( $Param{Lang} && $Param{Lang} !~ m{\A[a-z]{2}(?:_[A-Z]{2})?\z}xms ) {
        delete $Param{Lang};
    }

    # Check if the browser sends the SessionID cookie and set the SessionID-cookie
    # as SessionID! GET or POST SessionID have the lowest priority.
    if ( $ConfigObject->Get('SessionUseCookie') ) {
        $Param{SessionIDCookie} = $ParamObject->GetCookie( Key => $Param{SessionName} );
        if ( $Param{SessionIDCookie} ) {
            $Param{SessionID} = $Param{SessionIDCookie};
        }
    }

    $Kernel::OM->ObjectParamAdd(
        'Kernel::Output::HTML::Layout' => {
            Lang => $Param{Lang},
        },
        'Kernel::Language' => {
            UserLanguage => $Param{Lang}
        },
    );

    # Restrict Cookie to HTTPS if it is used.
    my $CookieSecureAttribute = $ConfigObject->Get('HttpType') eq 'https' ? 1 : undef;

    # check whether we are using the right scheme
    if ( $ENV{REQUEST_SCHEME} && lc( $ENV{REQUEST_SCHEME} ) ne $ConfigObject->Get('HttpType') ) {
        $Kernel::OM->Get('Kernel::System::Log')->Log(
            Priority => 'notice',
            Message  => 'HttpType '
                . $ConfigObject->Get('HttpType')
                . ' is set, but '
                . $ENV{REQUEST_SCHEME}
                . ' is used!',
        );
    }

    my $DBCanConnect = $Kernel::OM->Get('Kernel::System::DB')->Connect();

    if ( !$DBCanConnect || $ParamObject->Error() ) {
        my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');
        if ( !$DBCanConnect ) {
            $LayoutObject->CustomerFatalError(
                Comment => Translatable('Please contact the administrator.'),
            );
            return;
        }
        if ( $ParamObject->Error() ) {
            $LayoutObject->CustomerFatalError(
                Message => $ParamObject->Error(),
                Comment => Translatable('Please contact the administrator.'),
            );
            return;
        }
    }

    # get common application and add on application params
    my %CommonObjectParam = %{ $ConfigObject->Get('CustomerFrontend::CommonParam') };
    for my $Key ( sort keys %CommonObjectParam ) {
        $Param{$Key} = $ParamObject->GetParam( Param => $Key ) || $CommonObjectParam{$Key};
    }

    # security check Action Param (replace non-word chars)
    $Param{Action} =~ s/\W//g;

    my $SessionObject = $Kernel::OM->Get('Kernel::System::AuthSession');
    my $UserObject    = $Kernel::OM->Get('Kernel::System::CustomerUser');

    # check request type
    if ( $Param{Action} eq 'PreLogin' ) {
        my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

        # login screen
        $LayoutObject->Print(
            Output => \$LayoutObject->CustomerLogin(
                Title => 'Login',
                Mode  => 'PreLogin',
                %Param,
            ),
        );

        return;
    }
    elsif ( $Param{Action} eq 'Login' ) {
        my $User;
        my $AuthObject = $Kernel::OM->Get('Kernel::System::CustomerAuth');

        # get params
        my $PostUser = $ParamObject->GetParam( Param => 'User' ) || '';

        my $PreventBruteForceConfig = $ConfigObject->Get('SimpleBruteForceProtection::GeneralSettings');

        # if simplebruteforceconfig is valid
# Rother OSS / OneTimeAuthenticationLink
#        if ($PreventBruteForceConfig) {
        if ( $PostUser && $PreventBruteForceConfig ) {
# EO OneTimeAuthenticationLink

            # check if the login is banned
            my $CacheObject   = $Kernel::OM->Get('Kernel::System::Cache');
            my $CheckHashUser = $CacheObject->Get(
                Type => 'BannedLoginsCustomer',
                Key  => $PostUser,
            );

            # check if Cache CheckHashUser exists
            if ($CheckHashUser) {
                my %BanStatus = $Self->_CheckAndRemoveFromBannedList(
                    PostUser                => $PostUser,
                    PreventBruteForceConfig => $PreventBruteForceConfig,
                );

                if ( $BanStatus{Banned} ) {

                    # output error message
                    my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');
                    $LayoutObject->Print(
                        Output => \$LayoutObject->CustomerLogin(
                            %Param,
                            Title   => 'Login',
                            Message => $LayoutObject->{LanguageObject}->Translate(
                                'Too many failed login attempts, please retry in %s s.',
                                $BanStatus{ResidualTime}
                            ),
                            LoginFailed => 1,
                            MessageType => 'Error',
                            User        => $PostUser,
                        ),
                    );
                    return;
                }
            }
        }

        my $PostPw = $ParamObject->GetParam(
            Param => 'Password',
            Raw   => 1
        ) || '';
        my $PostTwoFactorToken = $ParamObject->GetParam(
            Param => 'TwoFactorToken',
            Raw   => 1
        ) || '';

# Rother OSS / OneTimeAuthenticationLink
        my %ExtendedAuthParams;
        for my $Name ( $AuthObject->ExtendedParamNames() ) {
            $ExtendedAuthParams{$Name} = $ParamObject->GetParam(
                Param => $Name,
                Raw   => 1
            ) || '';
        }
# EO OneTimeAuthenticationLink

        # check submitted data
        $User = $AuthObject->Auth(
            User           => $PostUser,
            Pw             => $PostPw,
            TwoFactorToken => $PostTwoFactorToken,
# Rother OSS / OneTimeAuthenticationLink
            %ExtendedAuthParams,
# EO OneTimeAuthenticationLink
        );

        my $Expires = '+' . $ConfigObject->Get('SessionMaxTime') . 's';
        if ( !$ConfigObject->Get('SessionUseCookieAfterBrowserClose') ) {
            $Expires = '';
        }

        # login is invalid
        if ( !$User ) {
            $Kernel::OM->ObjectParamAdd(
                'Kernel::Output::HTML::Layout' => {
                    SetCookies => {

                        # set a cookie tentatively for checking cookie support
                        OTOBOBrowserHasCookie => $ParamObject->SetCookie(
                            Key      => 'OTOBOBrowserHasCookie',
                            Value    => 1,
                            Expires  => $Expires,
                            Path     => $ConfigObject->Get('ScriptAlias'),
                            Secure   => $CookieSecureAttribute,
                            HTTPOnly => 1,
                        ),
                    },
                }
            );

            my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

            # redirect to alternate login
            if ( $ConfigObject->Get('CustomerPanelLoginURL') ) {
                $Param{RequestedURL} = $LayoutObject->LinkEncode( $Param{RequestedURL} );
                print $LayoutObject->Redirect(
                    ExtURL => $ConfigObject->Get('CustomerPanelLoginURL')
                        . "?Reason=LoginFailed;RequestedURL=$Param{RequestedURL}",
                );
                return;
            }

# Rother OSS / OneTimeAuthenticationLink
#            if ($PreventBruteForceConfig) {
            if ( $PostUser && $PreventBruteForceConfig ) {
# EO OneTimeAuthenticationLink

                # prevent brute force
                my $Banned = $Self->_StoreFailedLogins(
                    PostUser                => $PostUser,
                    PreventBruteForceConfig => $PreventBruteForceConfig,
                );

                if ($Banned) {
                    $LayoutObject->Print(
                        Output => \$LayoutObject->CustomerLogin(
                            %Param,
                            Title   => 'Login',
                            Message => $LayoutObject->{LanguageObject}->Translate(
                                'Too many failed login attempts, please retry in %s s.',
                                $PreventBruteForceConfig->{BanDuration}
                            ),
                            LoginFailed => 1,
                            MessageType => 'Error',
                            User        => $PostUser,
                        ),
                    );

                    return;
                }
            }

            # show normal login
            $LayoutObject->Print(
                Output => \$LayoutObject->CustomerLogin(
                    Title   => 'Login',
                    Message => $Kernel::OM->Get('Kernel::System::Log')->GetLogEntry(
                        Type => 'Info',
                        What => 'Message',
                        )
                        || $AuthObject->GetLastErrorMessage()
                        || Translatable('Login failed! Your user name or password was entered incorrectly.'),
                    User        => $PostUser,
                    LoginFailed => 1,
                    %Param,
                ),
            );
            return;
        }

        # login is successful
        my %UserData = $UserObject->CustomerUserDataGet(
            User  => $User,
            Valid => 1
        );

        # check if the browser supports cookies
        if ( $ParamObject->GetCookie( Key => 'OTOBOBrowserHasCookie' ) ) {
            $Kernel::OM->ObjectParamAdd(
                'Kernel::Output::HTML::Layout' => {
                    BrowserHasCookie => 1,
                },
            );
        }

        # check needed data
        if ( !$UserData{UserID} || !$UserData{UserLogin} ) {

            my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

            # redirect to alternate login
            if ( $ConfigObject->Get('CustomerPanelLoginURL') ) {
                print $LayoutObject->Redirect(
                    ExtURL => $ConfigObject->Get('CustomerPanelLoginURL')
                        . '?Reason=SystemError',
                );
                return;
            }

            # show need user data error message
            $LayoutObject->Print(
                Output => \$LayoutObject->CustomerLogin(
                    Title   => 'Error',
                    Message => Translatable(
                        'Authentication succeeded, but no customer record is found in the customer backend. Please contact the administrator.'
                    ),
                    %Param,
                ),
            );
            return;
        }

        # create datetime object
        my $SessionDTObject = $Kernel::OM->Create('Kernel::System::DateTime');

        # Remove certain user attributes that are not needed to be stored in the session.
        #   - SMIME Certificate could be in binary format, if session backend in DB (default)
        #   it wont be possible to be saved in certain databases (see bug#14405).
        my %UserSessionData = %UserData;
        delete $UserSessionData{UserSMIMECertificate};

        # create new session id
        my $NewSessionID = $SessionObject->CreateSessionID(
            %UserSessionData,
            UserLastRequest => $SessionDTObject->ToEpoch(),
            UserType        => 'Customer',
            SessionSource   => 'CustomerInterface',
        );

        # show error message if no session id has been created
        if ( !$NewSessionID ) {

            # get error message
            my $Error = $SessionObject->SessionIDErrorMessage() || '';

            my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

            # output error message
            $LayoutObject->Print(
                Output => \$LayoutObject->CustomerLogin(
                    Title   => 'Login',
                    Message => $Error,
                    %Param,
                ),
            );
            return;
        }

        # execution in 20 seconds
        my $ExecutionTimeObj = $Kernel::OM->Create('Kernel::System::DateTime');
        $ExecutionTimeObj->Add( Seconds => 20 );

        # add a asynchronous executor scheduler task to count the concurrent user
        $Kernel::OM->Get('Kernel::System::Scheduler')->TaskAdd(
            ExecutionTime            => $ExecutionTimeObj->ToString(),
            Type                     => 'AsynchronousExecutor',
            Name                     => 'PluginAsynchronous::ConcurrentUser',
            MaximumParallelInstances => 1,
            Data                     => {
                Object   => 'Kernel::System::SupportDataCollector::PluginAsynchronous::OTOBO::ConcurrentUsers',
                Function => 'RunAsynchronous',
            },
        );

        my $UserTimeZone = $Self->_UserTimeZoneGet(%UserData);

        $SessionObject->UpdateSessionID(
            SessionID => $NewSessionID,
            Key       => 'UserTimeZone',
            Value     => $UserTimeZone,
        );

        # check if the time zone offset reported by the user's browser differs from that
        # of the OTOBO user's time zone offset
        my $DateTimeObject = $Kernel::OM->Create(
            'Kernel::System::DateTime',
            ObjectParams => {
                TimeZone => $UserTimeZone,
            },
        );
        my $OTOBOUserTimeZoneOffset = $DateTimeObject->Format( Format => '%{offset}' ) / 60;
        my $BrowserTimeZoneOffset   = ( $ParamObject->GetParam( Param => 'TimeZoneOffset' ) || 0 ) * -1;

        # TimeZoneOffsetDifference contains the difference of the time zone offset between
        # the user's OTOBO time zone setting and the one reported by the user's browser.
        # If there is a difference it can be evaluated later to e. g. show a message
        # for the user to check his OTOBO time zone setting.
        my $UserTimeZoneOffsetDifference = abs( $OTOBOUserTimeZoneOffset - $BrowserTimeZoneOffset );
        $SessionObject->UpdateSessionID(
            SessionID => $NewSessionID,
            Key       => 'UserTimeZoneOffsetDifference',
            Value     => $UserTimeZoneOffsetDifference,
        );

        $Kernel::OM->ObjectParamAdd(
            'Kernel::Output::HTML::Layout' => {
                SetCookies => {
                    SessionIDCookie => $ParamObject->SetCookie(
                        Key      => $Param{SessionName},
                        Value    => $NewSessionID,
                        Expires  => $Expires,
                        Path     => $ConfigObject->Get('ScriptAlias'),
                        Secure   => $CookieSecureAttribute,
                        HTTPOnly => 1,
                    ),

                    # delete the OTOBOBrowserHasCookie cookie
                    OTOBOBrowserHasCookie => $ParamObject->SetCookie(
                        Key      => 'OTOBOBrowserHasCookie',
                        Value    => '',
                        Expires  => '-1y',
                        Path     => $ConfigObject->Get('ScriptAlias'),
                        Secure   => $CookieSecureAttribute,
                        HTTPOnly => 1,
                    ),
                },
                SessionID   => $NewSessionID,
                SessionName => $Param{SessionName},
            },
        );

        # redirect with new session id and old params
        # prepare old redirect URL -- do not redirect to Login or Logout (loop)!
        if ( $Param{RequestedURL} =~ /Action=(Logout|Login|LostPassword|PreLogin)/ ) {
            $Param{RequestedURL} = '';
        }

        # redirect with new session id
        print $Kernel::OM->Get('Kernel::Output::HTML::Layout')->Redirect(
            OP    => $Param{RequestedURL},
            Login => 1,
        );
        return 1;
    }

    # logout
    elsif ( $Param{Action} eq 'Logout' ) {

        # check session id
        if ( !$SessionObject->CheckSessionID( SessionID => $Param{SessionID} ) ) {

            # new layout object
            my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

            # redirect to alternate login
            if ( $ConfigObject->Get('CustomerPanelLoginURL') ) {
                $Param{RequestedURL} = $LayoutObject->LinkEncode( $Param{RequestedURL} );
                print $LayoutObject->Redirect(
                    ExtURL => $ConfigObject->Get('CustomerPanelLoginURL')
                        . "?Reason=InvalidSessionID;RequestedURL=$Param{RequestedURL}",
                );
            }

            # show login screen
            print $LayoutObject->CustomerLogin(
                Title   => 'Logout',
                Message => Translatable('Session invalid. Please log in again.'),
                %Param,
            );
            return;
        }

        # get session data
        my %UserData = $SessionObject->GetSessionIDData(
            SessionID => $Param{SessionID},
        );

        $UserData{UserTimeZone} = $Self->_UserTimeZoneGet(%UserData);

        # create new LayoutObject with new '%Param' and '%UserData'
        $Kernel::OM->ObjectParamAdd(
            'Kernel::Output::HTML::Layout' => {
                SetCookies => {

                    # delete the OTOBO session cookie
                    SessionIDCookie => $ParamObject->SetCookie(
                        Key      => $Param{SessionName},
                        Value    => '',
                        Expires  => '-1y',
                        Path     => $ConfigObject->Get('ScriptAlias'),
                        Secure   => $CookieSecureAttribute,
                        HTTPOnly => 1,
                    ),
                },
                %Param,
                %UserData,
            },
        );

        $Kernel::OM->ObjectsDiscard( Objects => ['Kernel::Output::HTML::Layout'] );
        my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

        # remove session id
        if ( !$SessionObject->RemoveSessionID( SessionID => $Param{SessionID} ) ) {
            $LayoutObject->CustomerFatalError(
                Comment => Translatable('Please contact the administrator.')
            );
            return;
        }

        # redirect to alternate login
        if ( $ConfigObject->Get('CustomerPanelLogoutURL') ) {
            print $LayoutObject->Redirect(
                ExtURL => $ConfigObject->Get('CustomerPanelLogoutURL'),
            );
        }

        # show logout screen
        my $LogoutMessage = $LayoutObject->{LanguageObject}->Translate('Logout successful.');

        $LayoutObject->Print(
            Output => \$LayoutObject->CustomerLogin(
                Title       => 'Logout',
                Message     => $LogoutMessage,
                MessageType => 'Success',
                %Param,
            ),
        );
        return 1;
    }

    # customer lost password
    elsif ( $Param{Action} eq 'CustomerLostPassword' ) {

        # new layout object
        my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

        # check feature
        if ( !$ConfigObject->Get('CustomerPanelLostPassword') ) {

            # show normal login
            $LayoutObject->Print(
                Output => \$LayoutObject->CustomerLogin(
                    Title   => 'Login',
                    Message => Translatable('Feature not active!'),
                ),
            );
            return;
        }

        # get params
        my $User  = $ParamObject->GetParam( Param => 'User' )  || '';
        my $Token = $ParamObject->GetParam( Param => 'Token' ) || '';

        # get user login by token
        if ( !$User && $Token ) {

            # Prevent extracting password reset token character-by-character via wildcard injection
            # The wild card characters "%" and "_" could be used to match arbitrary character.
            if ( $Token !~ m{\A (?: [a-zA-Z] | \d )+ \z}xms ) {

                # Security: pretend that password reset instructions were actually sent to
                #   make sure that users cannot find out valid usernames by
                #   just trying and checking the result message.
                $LayoutObject->Print(
                    Output => \$LayoutObject->Login(
                        Title       => 'Login',
                        Message     => Translatable('Sent password reset instructions. Please check your email.'),
                        MessageType => 'Success',
                        %Param,
                    ),
                );
                return;
            }

            my %UserList = $UserObject->SearchPreferences(
                Key   => 'UserToken',
                Value => $Token,
            );
            USER_ID:
            for my $UserID ( sort keys %UserList ) {
                my %UserData = $UserObject->CustomerUserDataGet(
                    User  => $UserID,
                    Valid => 1,
                );
                if (%UserData) {
                    $User = $UserData{UserLogin};
                    last USER_ID;
                }
            }
        }

        # get user data
        my %UserData = $UserObject->CustomerUserDataGet( User => $User );

        # verify customer user is valid when requesting password reset
        my @ValidIDs    = $Kernel::OM->Get('Kernel::System::Valid')->ValidIDsGet();
        my $UserIsValid = grep { $UserData{ValidID} && $UserData{ValidID} == $_ } @ValidIDs;
        if ( !$UserData{UserID} || !$UserIsValid ) {

            # Security: pretend that password reset instructions were actually sent to
            #   make sure that users cannot find out valid usernames by
            #   just trying and checking the result message.
            $LayoutObject->Print(
                Output => \$LayoutObject->CustomerLogin(
                    Title       => 'Login',
                    Message     => Translatable('Sent password reset instructions. Please check your email.'),
                    MessageType => 'Success',
                ),
            );
            return;
        }

        # create email object
        my $EmailObject = Kernel::System::Email->new( %{$Self} );

        # send password reset token
        if ( !$Token ) {

            # generate token
            $UserData{Token} = $UserObject->TokenGenerate(
                UserID => $UserData{UserID},
            );

            # send token notify email with link
            my $Body = $ConfigObject->Get('CustomerPanelBodyLostPasswordToken')
                || 'ERROR: CustomerPanelBodyLostPasswordToken is missing!';
            my $Subject = $ConfigObject->Get('CustomerPanelSubjectLostPasswordToken')
                || 'ERROR: CustomerPanelSubjectLostPasswordToken is missing!';
            for ( sort keys %UserData ) {
                $Body =~ s/<OTOBO_$_>/$UserData{$_}/gi;
            }
            my $Sent = $EmailObject->Send(
                To       => $UserData{UserEmail},
                Subject  => $Subject,
                Charset  => $LayoutObject->{UserCharset},
                MimeType => 'text/plain',
                Body     => $Body
            );
            if ( !$Sent->{Success} ) {
                $LayoutObject->FatalError(
                    Comment => Translatable('Please contact the administrator.'),
                );
                return;
            }
            $LayoutObject->Print(
                Output => \$LayoutObject->CustomerLogin(
                    Title   => 'Login',
                    Message => Translatable('Sent password reset instructions. Please check your email.'),
                    %Param,
                    MessageType => 'Success',
                ),
            );
            return 1;

        }

        # reset password
        # check if token is valid
        my $TokenValid = $UserObject->TokenCheck(
            Token  => $Token,
            UserID => $UserData{UserID},
        );
        if ( !$TokenValid ) {
            $LayoutObject->Print(
                Output => \$LayoutObject->CustomerLogin(
                    Title   => 'Login',
                    Message => Translatable('Invalid Token!'),
                    %Param,
                ),
            );
            return;
        }

        # get new password
        $UserData{NewPW} = $UserObject->GenerateRandomPassword();

        # update new password
        my $Success = $UserObject->SetPassword(
            UserLogin => $User,
            PW        => $UserData{NewPW}
        );

        if ( !$Success ) {
            $LayoutObject->Print(
                Output => \$LayoutObject->CustomerLogin(
                    Title   => 'Login',
                    Message => Translatable('Reset password unsuccessful. Please contact the administrator.'),
                    User    => $User,
                ),
            );
            return;
        }

        # send notify email
        my $Body = $ConfigObject->Get('CustomerPanelBodyLostPassword')
            || 'New Password is: <OTOBO_NEWPW>';
        my $Subject = $ConfigObject->Get('CustomerPanelSubjectLostPassword')
            || 'New Password!';
        for ( sort keys %UserData ) {
            $Body =~ s/<OTOBO_$_>/$UserData{$_}/gi;
        }
        my $Sent = $EmailObject->Send(
            To       => $UserData{UserEmail},
            Subject  => $Subject,
            Charset  => $LayoutObject->{UserCharset},
            MimeType => 'text/plain',
            Body     => $Body
        );
        if ( !$Sent->{Success} ) {
            $LayoutObject->CustomerFatalError(
                Comment => Translatable('Please contact the administrator.')
            );
            return;
        }
        my $Message = $LayoutObject->{LanguageObject}->Translate(
            'Sent new password to %s. Please check your email.',
            $UserData{UserEmail},
        );
        $LayoutObject->Print(
            Output => \$LayoutObject->CustomerLogin(
                Title       => 'Login',
                Message     => $Message,
                User        => $User,
                MessageType => 'Success',
            ),
        );
        return 1;
    }

    # create new customer account
    elsif ( $Param{Action} eq 'CustomerCreateAccount' ) {

        # new layout object
        my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

        # check feature
        if ( !$ConfigObject->Get('CustomerPanelCreateAccount') ) {

            # show normal login
            $LayoutObject->Print(
                Output => \$LayoutObject->CustomerLogin(
                    Title   => 'Login',
                    Message => Translatable('Feature not active!'),
                ),
            );
            return;
        }

        # get params
        my %GetParams;
        for my $Entry ( @{ $ConfigObject->Get('CustomerUser')->{Map} } ) {
            $GetParams{ $Entry->[0] } = $ParamObject->GetParam( Param => $Entry->[1] )
                || '';
        }
        $GetParams{ValidID} = 1;

        # check needed params
        if ( !$GetParams{UserCustomerID} ) {
            $GetParams{UserCustomerID} = $GetParams{UserEmail};
        }
        if ( !$GetParams{UserLogin} ) {
            $GetParams{UserLogin} = $GetParams{UserEmail};
        }

        # get new password
        $GetParams{UserPassword} = $UserObject->GenerateRandomPassword();

        # get user data
        my %UserData = $UserObject->CustomerUserDataGet( User => $GetParams{UserLogin} );
        if ( $UserData{UserID} || !$GetParams{UserLogin} ) {

            # send data to JS
            $LayoutObject->AddJSData(
                Key   => 'SignupError',
                Value => 1,
            );

            $LayoutObject->Print(
                Output => \$LayoutObject->CustomerLogin(
                    Title => 'Login',
                    Message =>
                        Translatable('This e-mail address already exists. Please log in or reset your password.'),
                    UserTitle     => $GetParams{UserTitle},
                    UserFirstname => $GetParams{UserFirstname},
                    UserLastname  => $GetParams{UserLastname},
                    UserEmail     => $GetParams{UserEmail},
                ),
            );
            return;
        }

        # check for mail address restrictions
        my @Whitelist = @{
            $ConfigObject->Get('CustomerPanelCreateAccount::MailRestrictions::Whitelist') // []
        };
        my @Blacklist = @{
            $ConfigObject->Get('CustomerPanelCreateAccount::MailRestrictions::Blacklist') // []
        };

        my $WhitelistMatched;
        for my $WhitelistEntry (@Whitelist) {
            my $Regex = eval {qr/$WhitelistEntry/i};
            if ($@) {
                $Kernel::OM->Get('Kernel::System::Log')->Log(
                    Priority => 'error',
                    Message =>
                        $LayoutObject->{LanguageObject}->Translate(
                        'The customer panel mail address whitelist contains the invalid regular expression $WhitelistEntry, please check and correct it.'
                        ),
                );
            }
            elsif ( $GetParams{UserEmail} =~ $Regex ) {
                $WhitelistMatched++;
            }
        }
        my $BlacklistMatched;
        for my $BlacklistEntry (@Blacklist) {
            my $Regex = eval {qr/$BlacklistEntry/i};
            if ($@) {
                $Kernel::OM->Get('Kernel::System::Log')->Log(
                    Priority => 'error',
                    Message =>
                        $LayoutObject->{LanguageObject}->Translate(
                        'The customer panel mail address blacklist contains the invalid regular expression $BlacklistEntry, please check and correct it.'
                        ),
                );
            }
            elsif ( $GetParams{UserEmail} =~ $Regex ) {
                $BlacklistMatched++;
            }
        }

        if ( ( @Whitelist && !$WhitelistMatched ) || ( @Blacklist && $BlacklistMatched ) ) {

            # send data to JS
            $LayoutObject->AddJSData(
                Key   => 'SignupError',
                Value => 1,
            );

            $LayoutObject->Print(
                Output => \$LayoutObject->CustomerLogin(
                    Title => 'Login',
                    Message =>
                        Translatable('This email address is not allowed to register. Please contact support staff.'),
                    UserTitle     => $GetParams{UserTitle},
                    UserFirstname => $GetParams{UserFirstname},
                    UserLastname  => $GetParams{UserLastname},
                    UserEmail     => $GetParams{UserEmail},
                ),
            );

            return;
        }

        # create account
        my $DateTimeObject = $Kernel::OM->Create('Kernel::System::DateTime');

        my $Now = $DateTimeObject->ToString();

        my $Add = $UserObject->CustomerUserAdd(
            %GetParams,
            Comment => $LayoutObject->{LanguageObject}->Translate( 'Added via Customer Panel (%s)', $Now ),
            ValidID => 1,
            UserID  => $ConfigObject->Get('CustomerPanelUserID'),
        );
        if ( !$Add ) {

            # send data to JS
            $LayoutObject->AddJSData(
                Key   => 'SignupError',
                Value => 1,
            );

            $LayoutObject->Print(
                Output => \$LayoutObject->CustomerLogin(
                    Title         => 'Login',
                    Message       => Translatable('Customer user can\'t be added!'),
                    UserTitle     => $GetParams{UserTitle},
                    UserFirstname => $GetParams{UserFirstname},
                    UserLastname  => $GetParams{UserLastname},
                    UserEmail     => $GetParams{UserEmail},
                ),
            );
            return;
        }

        # send notify email
        my $EmailObject = Kernel::System::Email->new( %{$Self} );
        my $Body        = $ConfigObject->Get('CustomerPanelBodyNewAccount')
            || 'No Config Option found!';
        my $Subject = $ConfigObject->Get('CustomerPanelSubjectNewAccount')
            || 'New OTOBO Account!';
        for ( sort keys %GetParams ) {
            $Body =~ s/<OTOBO_$_>/$GetParams{$_}/gi;
        }

        # send account info
        my $Sent = $EmailObject->Send(
            To       => $GetParams{UserEmail},
            Subject  => $Subject,
            Charset  => $LayoutObject->{UserCharset},
            MimeType => 'text/plain',
            Body     => $Body
        );
        if ( !$Sent->{Success} ) {
            my $Output = $LayoutObject->CustomerHeader(
                Area  => 'Core',
                Title => 'Error'
            );
            $Output .= $LayoutObject->CustomerWarning(
                Comment => Translatable('Can\'t send account info!')
            );
            $Output .= $LayoutObject->CustomerFooter();
            $LayoutObject->Print( Output => \$Output );
            return;
        }

        # show sent account info
        if ( $ConfigObject->Get('CustomerPanelLoginURL') ) {

            # redirect to alternate login
            $Param{RequestedURL} = $LayoutObject->LinkEncode( $Param{RequestedURL} );
            print $LayoutObject->Redirect(
                ExtURL => $ConfigObject->Get('CustomerPanelLoginURL')
                    . "?RequestedURL=$Param{RequestedURL};User=$GetParams{UserLogin};"
                    . "Email=$GetParams{UserEmail};Reason=NewAccountCreated",
            );
            return 1;
        }

        my $AccountCreatedMessage = $LayoutObject->{LanguageObject}->Translate(
            'New account created. Sent login information to %s. Please check your email.',
            $GetParams{UserEmail},
        );

        # login screen
        $LayoutObject->Print(
            Output => \$LayoutObject->CustomerLogin(
                Title       => 'Login',
                Message     => $AccountCreatedMessage,
                User        => $GetParams{UserLogin},
                MessageType => 'Success',
            ),
        );
        return 1;
    }

    # show login site
    elsif ( !$Param{SessionID} ) {

        # new layout object
        my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

        # create AuthObject
        my $AuthObject = $Kernel::OM->Get('Kernel::System::CustomerAuth');
        if ( $AuthObject->GetOption( What => 'PreAuth' ) ) {

            # automatic login
            $Param{RequestedURL} = $LayoutObject->LinkEncode( $Param{RequestedURL} );
            print $LayoutObject->Redirect(
                OP => "Action=PreLogin;RequestedURL=$Param{RequestedURL}",
            );
            return;
        }
        elsif ( $ConfigObject->Get('CustomerPanelLoginURL') ) {

            # redirect to alternate login
            $Param{RequestedURL} = $LayoutObject->LinkEncode( $Param{RequestedURL} );
            print $LayoutObject->Redirect(
                ExtURL => $ConfigObject->Get('CustomerPanelLoginURL')
                    . "?RequestedURL=$Param{RequestedURL}",
            );
            return;
        }

# Rother OSS / OneTimeAuthenticationLink
        my %ExtendedAuthParams;
        for my $Name ( $AuthObject->ExtendedParamNames() ) {
            my $ExtParam = $ParamObject->GetParam(
                Param => $Name,
                Raw   => 1
            );
            if ( defined $ExtParam ) {
                $ExtendedAuthParams{$Name} = $ExtParam;
            }
        }

        # redirect directly to Login if necessary parameters are present
        if ( %ExtendedAuthParams ) {
            my $LoginString = 'Action=Login';
            for my $Key ( keys %ExtendedAuthParams ) {
                $LoginString .= ";$Key=$ExtendedAuthParams{$Key}";
            }

            $Param{RequestedURL} = $LayoutObject->LinkEncode( $Param{RequestedURL} );
            print $LayoutObject->Redirect(
                OP => "$LoginString;RequestedURL=$Param{RequestedURL}",
            );
            return;
        }
# EO OneTimeAuthenticationLink

        # login screen
        $LayoutObject->Print(
            Output => \$LayoutObject->CustomerLogin(
                Title => 'Login',
                %Param,
            ),
        );
        return 1;
    }

    # run modules if a version value exists
    elsif ( $Kernel::OM->Get('Kernel::System::Main')->Require("Kernel::Modules::$Param{Action}") ) {

        # check session id
        if ( !$SessionObject->CheckSessionID( SessionID => $Param{SessionID} ) ) {

            # create new LayoutObject with new '%Param'
            $Kernel::OM->ObjectParamAdd(
                'Kernel::Output::HTML::Layout' => {
                    SetCookies => {

                        # delete the OTOBO session cookie
                        SessionIDCookie => $ParamObject->SetCookie(
                            Key      => $Param{SessionName},
                            Value    => '',
                            Expires  => '-1y',
                            Path     => $ConfigObject->Get('ScriptAlias'),
                            Secure   => $CookieSecureAttribute,
                            HTTPOnly => 1,
                        ),
                    },
                    %Param,
                },
            );

            # if the wrong scheme is used, delete also the "other" cookie - issue #251
            if ( $ENV{REQUEST_SCHEME} && lc( $ENV{REQUEST_SCHEME} ) ne $ConfigObject->Get('HttpType') ) {
                $Kernel::OM->ObjectParamAdd(
                    'Kernel::Output::HTML::Layout' => {
                        SetCookies => {

                            # delete the OTOBO session cookie
                            SessionIDCookiehttp => $ParamObject->SetCookie(
                                Key      => $Param{SessionName},
                                Value    => '',
                                Expires  => '-1y',
                                Path     => $ConfigObject->Get('ScriptAlias'),
                                Secure   => '',
                                HTTPOnly => 1,
                            ),

                            # delete the OTOBO session cookie
                            SessionIDCookiehttps => $ParamObject->SetCookie(
                                Key      => $Param{SessionName},
                                Value    => '',
                                Expires  => '-1y',
                                Path     => $ConfigObject->Get('ScriptAlias'),
                                Secure   => 1,
                                HTTPOnly => 1,
                            ),
                        },
                        %Param,
                    },
                );
            }

            $Kernel::OM->ObjectsDiscard( Objects => ['Kernel::Output::HTML::Layout'] );
            my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

            # create AuthObject
            my $AuthObject = $Kernel::OM->Get('Kernel::System::CustomerAuth');
            if ( $AuthObject->GetOption( What => 'PreAuth' ) ) {

                # automatic re-login
                $Param{RequestedURL} = $LayoutObject->LinkEncode( $Param{RequestedURL} );
                print $LayoutObject->Redirect(
                    OP => "?Action=PreLogin&RequestedURL=$Param{RequestedURL}",
                );
                return;
            }

            # redirect to alternate login
            elsif ( $ConfigObject->Get('CustomerPanelLoginURL') ) {

                # redirect to alternate login
                $Param{RequestedURL} = $LayoutObject->LinkEncode( $Param{RequestedURL} );
                print $LayoutObject->Redirect(
                    ExtURL => $ConfigObject->Get('CustomerPanelLoginURL')
                        . "?Reason=InvalidSessionID;RequestedURL=$Param{RequestedURL}",
                );
                return;
            }

            # show login
            $LayoutObject->Print(
                Output => \$LayoutObject->CustomerLogin(
                    Title => 'Login',
                    Message =>
                        $LayoutObject->{LanguageObject}->Translate( $SessionObject->SessionIDErrorMessage() ),
                    %Param,
                ),
            );
            return;
        }

        # get session data
        my %UserData = $SessionObject->GetSessionIDData(
            SessionID => $Param{SessionID},
        );

        $UserData{UserTimeZone} = $Self->_UserTimeZoneGet(%UserData);

        # check needed data
        if ( !$UserData{UserID} || !$UserData{UserLogin} || $UserData{UserType} ne 'Customer' ) {
            my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

            # redirect to alternate login
            if ( $ConfigObject->Get('CustomerPanelLoginURL') ) {
                print $LayoutObject->Redirect(
                    ExtURL => $ConfigObject->Get('CustomerPanelLoginURL')
                        . "?Reason=SystemError",
                );
                return;
            }

            # show login screen
            $LayoutObject->Print(
                Output => \$LayoutObject->CustomerLogin(
                    Title   => 'Error',
                    Message => Translatable('Error: invalid session.'),
                    %Param,
                ),
            );
            return;
        }

        # check module registry
        my $ModuleReg = $ConfigObject->Get('CustomerFrontend::Module')->{ $Param{Action} };
        if ( !$ModuleReg ) {

            my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message =>
                    "Module Kernel::Modules::$Param{Action} not registered in Kernel/Config.pm!",
            );
            $LayoutObject->CustomerFatalError(
                Comment => Translatable('Please contact the administrator.'),
            );
            return;
        }

        # module permission check for action
        if (
            ref $ModuleReg->{GroupRo} eq 'ARRAY'
            && !scalar @{ $ModuleReg->{GroupRo} }
            && ref $ModuleReg->{Group} eq 'ARRAY'
            && !scalar @{ $ModuleReg->{Group} }
            )
        {
            $Param{AccessRo} = 1;
            $Param{AccessRw} = 1;
        }
        else {

            ( $Param{AccessRo}, $Param{AccessRw} ) = $Self->_CheckModulePermission(
                ModuleReg => $ModuleReg,
                %UserData,
            );

            if ( !$Param{AccessRo} ) {

                # new layout object
                my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');
                $Kernel::OM->Get('Kernel::System::Log')->Log(
                    Priority => 'error',
                    Message  => 'No Permission to use this frontend action module!'
                );
                $LayoutObject->CustomerFatalError(
                    Comment => Translatable('Please contact the administrator.'),
                );
                return;
            }

        }

        my $NavigationConfig = $ConfigObject->Get('CustomerFrontend::Navigation')->{ $Param{Action} };

        # module permission check for submenu item
        if ( IsHashRefWithData($NavigationConfig) ) {

            KEY:
            for my $Key ( sort keys %{$NavigationConfig} ) {
                next KEY if $Key                 !~ m/^\d+/i;
                next KEY if $Param{RequestedURL} !~ m/Subaction/i;

                my @ModuleNavigationConfigs;

                # FIXME: Support both old (HASH) and new (ARRAY of HASH) navigation configurations, for reasons of
                #   backwards compatibility. Once we are sure everything has been migrated correctly, support for
                #   HASH-only configuration can be dropped in future major release.
                if ( IsHashRefWithData( $NavigationConfig->{$Key} ) ) {
                    push @ModuleNavigationConfigs, $NavigationConfig->{$Key};
                }
                elsif ( IsArrayRefWithData( $NavigationConfig->{$Key} ) ) {
                    push @ModuleNavigationConfigs, @{ $NavigationConfig->{$Key} };
                }

                # Skip incompatible configuration.
                else {
                    next KEY;
                }

                ITEM:
                for my $Item (@ModuleNavigationConfigs) {
                    if (
                        $Item->{Link} =~ m/Subaction=/i
                        && $Item->{Link} !~ m/$Param{Subaction}/i
                        )
                    {
                        next ITEM;
                    }
                    $Param{AccessRo} = 0;
                    $Param{AccessRw} = 0;

                    # module permission check for submenu item
                    if (
                        ref $Item->{GroupRo} eq 'ARRAY'
                        && !scalar @{ $Item->{GroupRo} }
                        && ref $Item->{Group} eq 'ARRAY'
                        && !scalar @{ $Item->{Group} }
                        )
                    {
                        $Param{AccessRo} = 1;
                        $Param{AccessRw} = 1;
                    }
                    else {

                        ( $Param{AccessRo}, $Param{AccessRw} ) = $Self->_CheckModulePermission(
                            ModuleReg => $Item,
                            %UserData,
                        );

                        if ( !$Param{AccessRo} ) {

                            # new layout object
                            my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');
                            $Kernel::OM->Get('Kernel::System::Log')->Log(
                                Priority => 'error',
                                Message  => 'No Permission to use this frontend subaction module!'
                            );
                            $LayoutObject->CustomerFatalError(
                                Comment => Translatable('Please contact the administrator.')
                            );
                            return;
                        }
                    }
                }
            }
        }

        # create new LayoutObject with new '%Param' and '%UserData'
        $Kernel::OM->ObjectParamAdd(
            'Kernel::Output::HTML::Layout' => {
                %Param,
                %UserData,
                ModuleReg => $ModuleReg,
            },
        );

        $Kernel::OM->ObjectsDiscard( Objects => ['Kernel::Output::HTML::Layout'] );
        my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

        # update last request time
        if (
            !$ParamObject->IsAJAXRequest()
            || $Param{Action} eq 'CustomerVideoChat'
            )
        {
            my $DateTimeObject = $Kernel::OM->Create('Kernel::System::DateTime');

            $SessionObject->UpdateSessionID(
                SessionID => $Param{SessionID},
                Key       => 'UserLastRequest',
                Value     => $DateTimeObject->ToEpoch(),
            );
        }

        # pre application module
        my $PreModule = $ConfigObject->Get('CustomerPanelPreApplicationModule');
        if ($PreModule) {
            my %PreModuleList;
            if ( ref $PreModule eq 'HASH' ) {
                %PreModuleList = %{$PreModule};
            }
            else {
                $PreModuleList{Init} = $PreModule;
            }

            MODULE:
            for my $PreModuleKey ( sort keys %PreModuleList ) {
                my $PreModule = $PreModuleList{$PreModuleKey};
                next MODULE if !$PreModule;
                next MODULE if !$Kernel::OM->Get('Kernel::System::Main')->Require($PreModule);

                # debug info
                if ( $Self->{Debug} ) {
                    $Kernel::OM->Get('Kernel::System::Log')->Log(
                        Priority => 'debug',
                        Message  => "CustomerPanelPreApplication module $PreModule is used.",
                    );
                }

                # use module
                my $PreModuleObject = $PreModule->new(
                    %Param,
                    %UserData,

                );
                my $Output = $PreModuleObject->PreRun();
                if ($Output) {
                    $LayoutObject->Print( Output => \$Output );
                    return 1;
                }
            }
        }

        # debug info
        if ( $Self->{Debug} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'debug',
                Message  => 'Kernel::Modules::' . $Param{Action} . '->new',
            );
        }

        my $FrontendObject = ( 'Kernel::Modules::' . $Param{Action} )->new(
            %Param,
            %UserData,
            ModuleReg => $ModuleReg,
            Debug     => $Self->{Debug},
        );

        # debug info
        if ( $Self->{Debug} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'debug',
                Message  => 'Kernel::Modules::' . $Param{Action} . '->run',
            );
        }

        # ->Run $Action with $FrontendObject
        $LayoutObject->Print( Output => \$FrontendObject->Run() );

        # log request time
        if ( $ConfigObject->Get('PerformanceLog') ) {
            if ( ( !$QueryString && $Param{Action} ) || $QueryString !~ /Action=/ ) {
                $QueryString = 'Action=' . $Param{Action} . ';Subaction=' . $Param{Subaction};
            }
            my $File = $ConfigObject->Get('PerformanceLog::File');

            if ( open my $Out, '>>', $File ) {
                print $Out time()
                    . '::Customer::'
                    . ( time() - $Self->{PerformanceLogStart} )
                    . "::$UserData{UserLogin}::$QueryString\n";
                close $Out;
                $Kernel::OM->Get('Kernel::System::Log')->Log(
                    Priority => 'debug',
                    Message  => 'Response::Customer: '
                        . ( time() - $Self->{PerformanceLogStart} )
                        . "s taken (URL:$QueryString:$UserData{UserLogin})",
                );
            }
            else {
                $Kernel::OM->Get('Kernel::System::Log')->Log(
                    Priority => 'error',
                    Message  => "Can't write $File: $!",
                );
            }
        }
        return 1;
    }

    # print an error screen
    my %Data = $SessionObject->GetSessionIDData(
        SessionID => $Param{SessionID},
    );
    $Data{UserTimeZone} = $Self->_UserTimeZoneGet(%Data);
    $Kernel::OM->ObjectParamAdd(
        'Kernel::Output::HTML::Layout' => {
            %Param,
            %Data,
        },
    );
    my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');
    $LayoutObject->CustomerFatalError(
        Comment => Translatable('Please contact the administrator.'),
    );
    return;
}

=begin Internal:

=head2 _StoreFailedLogins()

=cut

sub _StoreFailedLogins {
    my ( $Self, %Param ) = @_;
    my $CurrentTimeObject   = $Kernel::OM->Create('Kernel::System::DateTime');
    my $CurrentNewTimeStamp = $CurrentTimeObject->ToString();
    my $CacheObject         = $Kernel::OM->Get('Kernel::System::Cache');
    my $CheckHash           = $CacheObject->Get(
        Type => 'FailedLoginsCustomer',
        Key  => $Param{PostUser},
    );

    if ( !$CheckHash ) {
        $CacheObject->Set(
            Type  => 'FailedLoginsCustomer',
            Key   => $Param{PostUser},
            Value => [$CurrentNewTimeStamp],
            TTL   => $Param{PreventBruteForceConfig}{KeepCacheDuration},
        );

        return 0;
    }

    my @LoginTryArray = @{$CheckHash};

    # delete expired cache entries
    LOGIN:
    for my $LoginTime ( @{$CheckHash} ) {
        my $LoginTimeObject = $Kernel::OM->Create(
            'Kernel::System::DateTime',
            ObjectParams => {
                String => $LoginTime,
            },
        );
        my $Offset = $CurrentTimeObject->Delta(
            DateTimeObject => $LoginTimeObject,
        );

        if ( $Offset->{AbsoluteSeconds} > $Param{PreventBruteForceConfig}->{KeepCacheDuration} ) {
            shift @LoginTryArray;
        }
        else {
            last LOGIN;
        }
    }

    # add new failed login to cache
    push @LoginTryArray, $CurrentNewTimeStamp;
    $CacheObject->Set(
        Type  => 'FailedLoginsCustomer',
        Key   => $Param{PostUser},
        Value => \@LoginTryArray,
        TTL   => $Param{PreventBruteForceConfig}{KeepCacheDuration},
    );

    if ( scalar @LoginTryArray >= $Param{PreventBruteForceConfig}{MaxAttempt} ) {
        $CacheObject->Set(
            Type  => 'BannedLoginsCustomer',
            Key   => $Param{PostUser},
            Value => $CurrentNewTimeStamp,
            TTL   => $Param{PreventBruteForceConfig}{BanDuration},
        );
        return 1;
    }

    return 0;
}

sub _CheckAndRemoveFromBannedList {
    my ( $Self, %Param ) = @_;

    # get cache
    my $CacheObject = $Kernel::OM->Get('Kernel::System::Cache');

    my $BanTime = $CacheObject->Get(
        Type => 'BannedLoginsCustomer',
        Key  => $Param{PostUser},
    );

    if ( !$BanTime ) {
        return (
            Banned => 0,
        );
    }

    # calculate elapsed time
    my $CurTimeObject = $Kernel::OM->Create('Kernel::System::DateTime');
    my $BanTimeObject = $Kernel::OM->Create(
        'Kernel::System::DateTime',
        ObjectParams => {
            String => $BanTime,
        },
    );
    my $Offset = $CurTimeObject->Delta(
        DateTimeObject => $BanTimeObject,
    );

    # if the ban duration has been surpassed, delete the cache entry
    if ( $Offset->{AbsoluteSeconds} > $Param{PreventBruteForceConfig}{BanDuration} ) {
        $CacheObject->Delete(
            Type => 'BannedLoginsCustomer',
            Key  => $Param{PostUser},
        );
        return (
            Banned => 0,
        );
    }

    return (
        Banned       => 1,
        ResidualTime => $Param{PreventBruteForceConfig}{BanDuration} - $Offset->{AbsoluteSeconds},
    );
}

=head2 _CheckModulePermission()

module permission check

    ($AccessRo, $AccessRw = $AutoResponseObject->_CheckModulePermission(
        ModuleReg => $ModuleReg,
        %UserData,
    );

=cut

sub _CheckModulePermission {
    my ( $Self, %Param ) = @_;

    my $AccessRo = 0;
    my $AccessRw = 0;

    PERMISSION:
    for my $Permission (qw(GroupRo Group)) {
        my $AccessOk = 0;
        my $Group    = $Param{ModuleReg}->{$Permission};

        next PERMISSION if !$Group;

        my $GroupObject = $Kernel::OM->Get('Kernel::System::CustomerGroup');

        if ( IsArrayRefWithData($Group) ) {
            GROUP:
            for my $Item ( @{$Group} ) {
                next GROUP if !$Item;
                next GROUP if !$GroupObject->PermissionCheck(
                    UserID    => $Param{UserID},
                    GroupName => $Item,
                    Type      => $Permission eq 'GroupRo' ? 'ro' : 'rw',
                );

                $AccessOk = 1;
                last GROUP;
            }
        }
        else {
            my $HasPermission = $GroupObject->PermissionCheck(
                UserID    => $Param{UserID},
                GroupName => $Group,
                Type      => $Permission eq 'GroupRo' ? 'ro' : 'rw',
            );
            if ($HasPermission) {
                $AccessOk = 1;
            }
        }
        if ( $Permission eq 'Group' && $AccessOk ) {
            $AccessRo = 1;
            $AccessRw = 1;
        }
        elsif ( $Permission eq 'GroupRo' && $AccessOk ) {
            $AccessRo = 1;
        }
    }

    return ( $AccessRo, $AccessRw );
}

=head2 _UserTimeZoneGet()

Get time zone for the current user. This function will validate passed time zone parameter and return default user time
zone if it's not valid.

    my $UserTimeZone = $Self->_UserTimeZoneGet(
        UserTimeZone => 'Europe/Berlin',
    );

=cut

sub _UserTimeZoneGet {
    my ( $Self, %Param ) = @_;

    my $UserTimeZone;

    # Return passed time zone only if it's valid. It can happen that user preferences or session store an old-style
    #   offset which is not valid anymore. In this case, return the default value.
    #   Please see bug#13374 for more information.
    if (
        $Param{UserTimeZone}
        && Kernel::System::DateTime->IsTimeZoneValid( TimeZone => $Param{UserTimeZone} )
        )
    {
        $UserTimeZone = $Param{UserTimeZone};
    }

    $UserTimeZone ||= Kernel::System::DateTime->UserDefaultTimeZoneGet();

    return $UserTimeZone;
}

=end Internal:

=cut

sub DESTROY {
    my $Self = shift;

    # debug info
    if ( $Self->{Debug} ) {
        $Kernel::OM->Get('Kernel::System::Log')->Log(
            Priority => 'debug',
            Message  => 'Global handle stopped.',
        );
    }

    return 1;
}

1;

PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxvdG9ib19jb25maWcgdmVyc2lvbj0iMi4wIiBpbml0PSJBcHBsaWNhdGlvbiI+CiAgICA8U2V0dGluZyBOYW1lPSJPbmVUaW1lQXV0aDo6Q3VzdG9tZXJFcnJvck1lc3NhZ2VSZWZyZXNoRmFpbGVkIiBSZXF1aXJlZD0iMCIgVmFsaWQ9IjEiPgogICAgICAgIDxEZXNjcmlwdGlvbiBUcmFuc2xhdGFibGU9IjEiPlRoZSBtZXNzYWdlIHdoaWNoIHdpbGwgYmUgc2VudCB0byB0aGUgY3VzdG9tZXIgaWYgYSBsaW5rIGNvdWxkIG5vdCBiZSBnZW5lcmF0ZWQuPC9EZXNjcmlwdGlvbj4KICAgICAgICA8TmF2aWdhdGlvbj5Db3JlOjpBdXRoOjpDdXN0b21lcjwvTmF2aWdhdGlvbj4KICAgICAgICA8VmFsdWU+CiAgICAgICAgICAgIDxJdGVtIFZhbHVlVHlwZT0iU3RyaW5nIiBWYWx1ZVJlZ2V4PSIiPkxpbmsga29ubnRlIG5pY2h0IGVyemV1Z3Qgd2VyZGVuLCBiaXR0ZSBzZW5kZW4gU2llIGVpbmUgZW1haWwgYW4gc3VwcG9ydEB3ZS5jb20uPC9JdGVtPgogICAgICAgIDwvVmFsdWU+CiAgICA8L1NldHRpbmc+CiAgICA8U2V0dGluZyBOYW1lPSJPbmVUaW1lQXV0aDo6Q3VzdG9tZXJFcnJvck1lc3NhZ2VMaW5rRXhwaXJlZCIgUmVxdWlyZWQ9IjAiIFZhbGlkPSIxIj4KICAgICAgICA8RGVzY3JpcHRpb24gVHJhbnNsYXRhYmxlPSIxIj5UaGUgbWVzc2FnZSB3aGljaCB0aGUgY3VzdG9tZXIgdXNlciB3aWxsIHNlZSBpZiBoZSB1c2VzIGFuIGludmFsaWQgdG9rZW4uPC9EZXNjcmlwdGlvbj4KICAgICAgICA8TmF2aWdhdGlvbj5Db3JlOjpBdXRoOjpDdXN0b21lcjwvTmF2aWdhdGlvbj4KICAgICAgICA8VmFsdWU+CiAgICAgICAgICAgIDxJdGVtIFZhbHVlVHlwZT0iU3RyaW5nIiBWYWx1ZVJlZ2V4PSIiPklociBMaW5rIHZlcndlaXN0IGF1ZiBrZWluIG5vY2ggZ8O8bHRpZ2VzIFRpY2tldC48L0l0ZW0+CiAgICAgICAgPC9WYWx1ZT4KICAgIDwvU2V0dGluZz4KICAgIDxTZXR0aW5nIE5hbWU9Ik9uZVRpbWVBdXRoOjpDdXN0b21lckVycm9yTWVzc2FnZVdyb25nTGluayIgUmVxdWlyZWQ9IjAiIFZhbGlkPSIxIj4KICAgICAgICA8RGVzY3JpcHRpb24gVHJhbnNsYXRhYmxlPSIxIj5UaGUgbWVzc2FnZSB3aGljaCB0aGUgY3VzdG9tZXIgdXNlciB3aWxsIHNlZSBpZiBoZSB1c2VzIGFuIG9sZCB0b2tlbiB3aXRoIGFuIGFjdGl2ZSBvbmUgYWxyZWFkeSBiZWluZyBwcmVzZW50LjwvRGVzY3JpcHRpb24+CiAgICAgICAgPE5hdmlnYXRpb24+Q29yZTo6QXV0aDo6Q3VzdG9tZXI8L05hdmlnYXRpb24+CiAgICAgICAgPFZhbHVlPgogICAgICAgICAgICA8SXRlbSBWYWx1ZVR5cGU9IlN0cmluZyIgVmFsdWVSZWdleD0iIj5BdXMgU2ljaGVyaGVpdHNncsO8bmRlbiBtw7xzc2VuIFNpZSBkZW4gbmV1ZXN0ZW4gSWhuZW4genVnZXNhbmR0ZW4gTGluayBudXR6ZW4gdW0gYXVmIGRpZXNlcyBUaWNrZXQgenV6dWdyZWlmZW4uPC9JdGVtPgogICAgICAgIDwvVmFsdWU+CiAgICA8L1NldHRpbmc+CiAgICA8U2V0dGluZyBOYW1lPSJPbmVUaW1lQXV0aDo6Q3VzdG9tZXJFcnJvck1lc3NhZ2VOZXdMaW5rIiBSZXF1aXJlZD0iMCIgVmFsaWQ9IjEiPgogICAgICAgIDxEZXNjcmlwdGlvbiBUcmFuc2xhdGFibGU9IjEiPlRoZSBtZXNzYWdlIHdoaWNoIHRoZSBjdXN0b21lciB1c2VyIHdpbGwgc2VlIGlmIGEgbmV3IG9uZSBpcyBzZW50IHRvIGhpcyBlbWFpbCBhZGRyZXNzLjwvRGVzY3JpcHRpb24+CiAgICAgICAgPE5hdmlnYXRpb24+Q29yZTo6QXV0aDo6Q3VzdG9tZXI8L05hdmlnYXRpb24+CiAgICAgICAgPFZhbHVlPgogICAgICAgICAgICA8SXRlbSBWYWx1ZVR5cGU9IlN0cmluZyIgVmFsdWVSZWdleD0iIj5JaHJlIFNlc3Npb24gaXN0IGxlaWRlciBhYmdlbGF1ZmVuIC0gZWluIG5ldWVyIExpbmsgd3VyZGUgYW4gSWhyZSBFbWFpbC1BZHJlc3NlIGdlc2VuZGV0LjwvSXRlbT4KICAgICAgICA8L1ZhbHVlPgogICAgPC9TZXR0aW5nPgogICAgPFNldHRpbmcgTmFtZT0iT25lVGltZUF1dGg6OkFjY2Vzc0RheXNBZnRlckNsb3NlIiBSZXF1aXJlZD0iMCIgVmFsaWQ9IjEiPgogICAgICAgIDxEZXNjcmlwdGlvbiBUcmFuc2xhdGFibGU9IjEiPlRoZSBudW1iZXIgb2YgZGF5cyBjdXN0b21lciB1c2VycyBjYW4gdXNlIGRpcmVjdCBsaW5rcyB0byBvcGVuIHRpY2tldHMgYWZ0ZXIgdGhleSBhcmUgY2xvc2VkLjwvRGVzY3JpcHRpb24+CiAgICAgICAgPE5hdmlnYXRpb24+Q29yZTo6QXV0aDo6Q3VzdG9tZXI8L05hdmlnYXRpb24+CiAgICAgICAgPFZhbHVlPgogICAgICAgICAgICA8SXRlbSBWYWx1ZVR5cGU9IlN0cmluZyIgVmFsdWVSZWdleD0iXlxkKiQiPjE0PC9JdGVtPgogICAgICAgIDwvVmFsdWU+CiAgICA8L1NldHRpbmc+CiAgICA8U2V0dGluZyBOYW1lPSJPbmVUaW1lQXV0aDo6VG9rZW5SZWZyZXNoTm90aWZpY2F0aW9uSUQiIFJlcXVpcmVkPSIwIiBWYWxpZD0iMCI+CiAgICAgICAgPERlc2NyaXB0aW9uIFRyYW5zbGF0YWJsZT0iMSI+U2VuZCB0aGUgdGV4dCBvZiBhIG5vdGlmaWNhdGlvbiB0byB0aGUgY3VzdG9tZXIgdXNlciBpZiBoZSByZWZyZXNocyBoaXMgdG9rZW4uPC9EZXNjcmlwdGlvbj4KICAgICAgICA8TmF2aWdhdGlvbj5Db3JlOjpBdXRoOjpDdXN0b21lcjwvTmF2aWdhdGlvbj4KICAgICAgICA8VmFsdWU+CiAgICAgICAgICAgIDxJdGVtIFZhbHVlVHlwZT0iU3RyaW5nIiBWYWx1ZVJlZ2V4PSJeXGQqJCI+MDwvSXRlbT4KICAgICAgICA8L1ZhbHVlPgogICAgPC9TZXR0aW5nPgogICAgPFNldHRpbmcgTmFtZT0iUG9zdE1hc3Rlcjo6UHJlRmlsdGVyTW9kdWxlIyMjMDAwLUNyZWF0ZUN1c3RvbWVyVXNlciIgUmVxdWlyZWQ9IjAiIFZhbGlkPSIwIj4KICAgICAgICA8RGVzY3JpcHRpb24gVHJhbnNsYXRhYmxlPSIxIj5DcmVhdGUgYSBDdXN0b21lclVzZXIgaW4gYSBzcGVjaWZpYyBiYWNrZW5kIGlmIG5vbmUgZXhpc3RzIGZvciB0aGUgc2VuZGVyIGVtYWlsLiBDdXN0b21lckhlYWRlclNwb29mUHJvdGVjdGlvbiBzZXRzIChhbmQgcG9zc2libHkgb3ZlcndyaXRlcykgdGhlIFgtT1RPQk8tQ3VzdG9tZXIgaGVhZGVyIGlmIGEgY3VzdG9tZXIgdXNlciBleGlzdHMgZm9yIGFuIGVtYWlsIGFkZHJlc3MgdG8gcHJldmVudCBzcG9vZmluZy4gQ3VzdG9tZXJVc2VyQmFja2VuZCBkZWZpbmVzIHRoZSBiYWNrZW5kIGluIHdoaWNoIHRoZSBDdXN0b21lclVzZXIgd2lsbCBiZSBjcmVhdGVkLCBpZiBTZXRDaGVja0JveE5hbWUgaXMgc2V0IHRvIHRoZSBuYW1lIG9mIGEgZHluYW1pYyBmaWVsZCBvZiB0aGUgdHlwZSBjaGVja2JveCwgaXQgd2lsbCBiZSBzZXQgdG8gY2hlY2tlZCBmb3IgdGlja2V0cyBjcmVhdGVkIGJ5IGN1c3RvbWVyIHVzZXJzIGZyb20gdGhpcyBiYWNrZW5kLjwvRGVzY3JpcHRpb24+CiAgICAgICAgPE5hdmlnYXRpb24+Q29yZTo6RW1haWw6OlBvc3RNYXN0ZXI8L05hdmlnYXRpb24+CiAgICAgICAgPFZhbHVlPgogICAgICAgICAgICA8SGFzaD4KICAgICAgICAgICAgICAgIDxJdGVtIEtleT0iTW9kdWxlIj5LZXJuZWw6OlN5c3RlbTo6UG9zdE1hc3Rlcjo6RmlsdGVyOjpDcmVhdGVOZXdDdXN0b21lclVzZXI8L0l0ZW0+CiAgICAgICAgICAgICAgICA8SXRlbSBLZXk9IkN1c3RvbWVySGVhZGVyU3Bvb2ZQcm90ZWN0aW9uIj4xPC9JdGVtPgogICAgICAgICAgICAgICAgPEl0ZW0gS2V5PSJDdXN0b21lclVzZXJCYWNrZW5kIj48L0l0ZW0+CiAgICAgICAgICAgICAgICA8SXRlbSBLZXk9IlNldENoZWNrQm94TmFtZSI+PC9JdGVtPgogICAgICAgICAgICA8L0hhc2g+CiAgICAgICAgPC9WYWx1ZT4KICAgIDwvU2V0dGluZz4KICAgIDxTZXR0aW5nIE5hbWU9IkRhZW1vbjo6U2NoZWR1bGVyQ3JvblRhc2tNYW5hZ2VyOjpUYXNrIyMjRGVsZXRlRXhwaXJlZE9UQVRva2VucyIgUmVxdWlyZWQ9IjAiIFZhbGlkPSIxIiBDb25maWdMZXZlbD0iMTAwIj4KICAgICAgICA8RGVzY3JpcHRpb24gVHJhbnNsYXRhYmxlPSIxIj5EZWxldGVzIE9UQSBUb2tlbnMgb2YgY2xvc2VkIHRpY2tldHMuPC9EZXNjcmlwdGlvbj4KICAgICAgICA8TmF2aWdhdGlvbj5EYWVtb246OlNjaGVkdWxlckNyb25UYXNrTWFuYWdlcjo6VGFzazwvTmF2aWdhdGlvbj4KICAgICAgICA8VmFsdWU+CiAgICAgICAgICAgIDxIYXNoPgogICAgICAgICAgICAgICAgPEl0ZW0gS2V5PSJUYXNrTmFtZSI+RGVsZXRlRXhwaXJlZE9UQVRva2VuczwvSXRlbT4KICAgICAgICAgICAgICAgIDxJdGVtIEtleT0iU2NoZWR1bGUiPjAgNCAqICogKjwvSXRlbT4KICAgICAgICAgICAgICAgIDxJdGVtIEtleT0iTW9kdWxlIj5LZXJuZWw6OlN5c3RlbTo6Q3VzdG9tZXJBdXRoOjpPbmVUaW1lQXV0aExpbms8L0l0ZW0+CiAgICAgICAgICAgICAgICA8SXRlbSBLZXk9IkZ1bmN0aW9uIj5EZWFjdGl2YXRlQ2xvc2VkVGlja2V0czwvSXRlbT4KICAgICAgICAgICAgICAgIDxJdGVtIEtleT0iTWF4aW11bVBhcmFsbGVsSW5zdGFuY2VzIj4xPC9JdGVtPgogICAgICAgICAgICAgICAgPEl0ZW0gS2V5PSJQYXJhbXMiPgogICAgICAgICAgICAgICAgICAgIDxBcnJheT4KICAgICAgICAgICAgICAgICAgICA8L0FycmF5PgogICAgICAgICAgICAgICAgPC9JdGVtPgogICAgICAgICAgICA8L0hhc2g+CiAgICAgICAgPC9WYWx1ZT4KICAgIDwvU2V0dGluZz4KPC9vdG9ib19jb25maWc+Cg==
IyAtLQojIE9UT0JPIGlzIGEgd2ViLWJhc2VkIHRpY2tldGluZyBzeXN0ZW0gZm9yIHNlcnZpY2Ugb3JnYW5pc2F0aW9ucy4KIyAtLQojIENvcHlyaWdodCAoQykgMjAwMS0yMDIwIE9UUlMgQUcsIGh0dHBzOi8vb3Rycy5jb20vCiMgQ29weXJpZ2h0IChDKSAyMDE5LTIwMjEgUm90aGVyIE9TUyBHbWJILCBodHRwczovL290b2JvLmRlLwojIC0tCiMgVGhpcyBwcm9ncmFtIGlzIGZyZWUgc29mdHdhcmU6IHlvdSBjYW4gcmVkaXN0cmlidXRlIGl0IGFuZC9vciBtb2RpZnkgaXQgdW5kZXIKIyB0aGUgdGVybXMgb2YgdGhlIEdOVSBHZW5lcmFsIFB1YmxpYyBMaWNlbnNlIGFzIHB1Ymxpc2hlZCBieSB0aGUgRnJlZSBTb2Z0d2FyZQojIEZvdW5kYXRpb24sIGVpdGhlciB2ZXJzaW9uIDMgb2YgdGhlIExpY2Vuc2UsIG9yIChhdCB5b3VyIG9wdGlvbikgYW55IGxhdGVyIHZlcnNpb24uCiMgVGhpcyBwcm9ncmFtIGlzIGRpc3RyaWJ1dGVkIGluIHRoZSBob3BlIHRoYXQgaXQgd2lsbCBiZSB1c2VmdWwsIGJ1dCBXSVRIT1VUCiMgQU5ZIFdBUlJBTlRZOyB3aXRob3V0IGV2ZW4gdGhlIGltcGxpZWQgd2FycmFudHkgb2YgTUVSQ0hBTlRBQklMSVRZIG9yIEZJVE5FU1MKIyBGT1IgQSBQQVJUSUNVTEFSIFBVUlBPU0UuIFNlZSB0aGUgR05VIEdlbmVyYWwgUHVibGljIExpY2Vuc2UgZm9yIG1vcmUgZGV0YWlscy4KIyBZb3Ugc2hvdWxkIGhhdmUgcmVjZWl2ZWQgYSBjb3B5IG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZQojIGFsb25nIHdpdGggdGhpcyBwcm9ncmFtLiBJZiBub3QsIHNlZSA8aHR0cHM6Ly93d3cuZ251Lm9yZy9saWNlbnNlcy8+LgojIC0tCgpwYWNrYWdlIEtlcm5lbDo6U3lzdGVtOjpDb25zb2xlOjpDb21tYW5kOjpNYWludDo6Q3VzdG9tZXJBdXRoOjpEZWxldGVFeHBpcmVkT1RBVG9rZW5zOwoKdXNlIHN0cmljdDsKdXNlIHdhcm5pbmdzOwoKdXNlIHBhcmVudCBxdyhLZXJuZWw6OlN5c3RlbTo6Q29uc29sZTo6QmFzZUNvbW1hbmQpOwoKdXNlIEtlcm5lbDo6U3lzdGVtOjpWYXJpYWJsZUNoZWNrIHF3KDphbGwpOwoKb3VyIEBPYmplY3REZXBlbmRlbmNpZXMgPSAoCiAgICAnS2VybmVsOjpTeXN0ZW06OkN1c3RvbWVyQXV0aDo6T25lVGltZUF1dGhMaW5rJywKKTsKCnN1YiBDb25maWd1cmUgewogICAgbXkgKCAkU2VsZiwgJVBhcmFtICkgPSBAXzsKCiAgICAkU2VsZi0+RGVzY3JpcHRpb24oJ0RlbGV0ZXMgZXhwaXJlZCBPbmVUaW1lQXV0aGVudGlmaWNhdGlvblRva2Vucy4nKTsKCiAgICByZXR1cm47Cn0KCnN1YiBQcmVSdW4gewogICAgbXkgKCAkU2VsZiwgJVBhcmFtICkgPSBAXzsKCiAgICByZXR1cm47Cn0KCnN1YiBSdW4gewogICAgbXkgKCAkU2VsZiwgJVBhcmFtICkgPSBAXzsKCiAgICBteSAkU3VjY2VzcyA9ICRLZXJuZWw6Ok9NLT5HZXQoJ0tlcm5lbDo6U3lzdGVtOjpDdXN0b21lckF1dGg6Ok9uZVRpbWVBdXRoTGluaycpLT5EZWFjdGl2YXRlQ2xvc2VkVGlja2V0cygpOwoKICAgIGlmICgkU3VjY2VzcykgewogICAgICAgICRTZWxmLT5QcmludCgiPGdyZWVuPkRvbmUuPC9ncmVlbj5cblxuIik7CiAgICAgICAgcmV0dXJuICRTZWxmLT5FeGl0Q29kZU9rKCk7CiAgICB9CgogICAgJFNlbGYtPlByaW50RXJyb3IoIkZhaWxlZC5cblxuIik7CiAgICByZXR1cm4gJFNlbGYtPkV4aXRDb2RlRXJyb3IoKTsKfQoKMTsK
# --
# OTOBO is a web-based ticketing system for service organisations.
# --
# Copyright (C) 2001-2020 OTRS AG, https://otrs.com/
# Copyright (C) 2019-2021 Rother OSS GmbH, https://otobo.de/
# --
# This program is free software: you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation, either version 3 of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# --

package Kernel::System::CustomerAuth::OneTimeAuthLink;

use strict;
use warnings;
use utf8;

our @ObjectDependencies = (
    'Kernel::Config',
    'Kernel::System::CustomerUser',
    'Kernel::System::DB',
    'Kernel::System::Log',
);

sub new {
    my ( $Type, %Param ) = @_;

    # allocate new hash for object
    my $Self = {};
    bless( $Self, $Type );

    # get database object
    $Self->{DBObject} = $Kernel::OM->Get('Kernel::System::DB');
    
    $Self->{Table} = 'ota_tokens';

    return $Self;
}

sub GetOption {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    if ( !$Param{What} ) {
        $Kernel::OM->Get('Kernel::System::Log')->Log(
            Priority => 'error',
            Message  => "Need What!"
        );
        return;
    }

    # module options
    my %Option = (
        PreAuth => 0,
    );

    # return option
    return $Option{ $Param{What} };
}

sub ExtendedParamNames {
    my ( $Self, %Param ) = @_;
    
    return qw/OTAToken/;
}

sub Auth {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    if ( !$Param{OTAToken} ) {
        $Kernel::OM->Get('Kernel::System::Log')->Log(
            Priority => 'debug',
            Message  => "No Token provided!"
        );
        return;
    }

    $Self->{DBObject}->Prepare(
        SQL => "SELECT used,user,ticket_number FROM $Self->{Table} WHERE token = ?",
        Bind => [ \$Param{OTAToken} ],
    );

    my @Row =  $Self->{DBObject}->FetchrowArray();
    my ( $Used, $User, $TicketNumber ) = ( 0 );

    if ( @Row ) {
        ( $Used, $User, $TicketNumber ) = @Row;
    }

    if ( !$Used || !$User ) {
        return {
            Error => $Kernel::OM->Get('Kernel::Config')->Get('OneTimeAuth::CustomerErrorMessageLinkExpired') || 'Ihr Link verweist auf kein noch gültiges Ticket.',
        }
    }

    my $CustomerUserObject = $Kernel::OM->Get('Kernel::System::CustomerUser');

    # send out new email if the ticket is still considered active but no current link exists
    if ( $Used == 1 ) {
        # store failed login count
        my %CustomerData = $CustomerUserObject->CustomerUserDataGet( User => $Param{User} );
        if (%CustomerData) {
            my $Count = $CustomerData{UserLoginFailed} || 0;
            $Count++;
            $CustomerUserObject->SetPreferences(
                Key    => 'UserLoginFailed',
                Value  => $Count,
                UserID => $CustomerData{UserLogin},
            );
        }

        # check whether active login link still exists
        $Self->{DBObject}->Prepare(
            SQL => "SELECT user FROM $Self->{Table} WHERE ticket_number = ? AND used = ?",
            Bind => [ \$TicketNumber, \2 ],
        );

        if ( $Self->{DBObject}->FetchrowArray() ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'debug',
                Message  => "CustomerUser '$User' tried to log in with an old token. New token exists - nothing to do."
            );

            return {
                Error => $Kernel::OM->Get('Kernel::Config')->Get('OneTimeAuth::CustomerErrorMessageWrongLink') || 'Aus Sicherheitsgründen müssen Sie den neuesten Ihnen zugesandten Link nutzen um auf dieses Ticket zuzugreifen.',
            }
        }
        else {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'debug',
                Message  => "CustomerUser '$User' tried to log in with an old token. No active token left - sending a new one via mail."
            );

            $Self->SendNewToken(
                User         => $User,
                TicketNumber => $TicketNumber,
            );

            return {
                Error => $Kernel::OM->Get('Kernel::Config')->Get('OneTimeAuth::CustomerErrorMessageNewLink') || 'Ihre Session ist leider abgelaufen - ein neuer Link wurde an Ihre Email-Adresse gesendet.',
            }
        }
    }
    elsif ( $Used == 2 ) {
        $Kernel::OM->Get('Kernel::System::Log')->Log(
            Priority => 'debug',
            Message  => "CustomerUser '$User' logged in via token."
        );

        $Self->DeactivateTicketTokens(
            TicketNumber => $TicketNumber,
        );

        return $User;
    }

    return;
}

sub GenerateToken {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for my $Needed ( qw/User TicketNumber/ ) {
        if ( !$Param{$Needed} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $Needed!"
            );
            return;
        }
    }

    # deactivate all other tokens for this ticket
    $Self->DeactivateTicketTokens(
        TicketNumber => $Param{TicketNumber},
    );

    my $OTATokenLength = 24;
    my $RandomString;

    my $Try = 1;
    while ( $Try ) {
        $RandomString = $Kernel::OM->Get('Kernel::System::Main')->GenerateRandomString(
            Length => $OTATokenLength,
        );

        # check whether the string already exists
        $Self->{DBObject}->Prepare(
            SQL => "SELECT user FROM $Self->{Table} WHERE token = ?",
            Bind => [ \$Param{OTAToken} ],
        );

        if ( $Self->{DBObject}->FetchrowArray() ) {
            $Try++;
        }
        else {
            $Try = 0;
        }

        if ( $Try > 5 ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Could not generate a unique random string after five retries - something is not right!"
            );
            return;
        }
    }

    return if !$Self->{DBObject}->Do(
        SQL => "INSERT INTO $Self->{Table} ( token, ticket_number, used, user, create_time, change_time )
            VALUES ( ?, ?, ?, ?, current_timestamp, current_timestamp )",
        Bind => [ \$RandomString, \$Param{TicketNumber}, \2, \$Param{User} ],
    );
    
    return $RandomString;
}

sub DeactivateTicketTokens {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for my $Needed ( qw/TicketNumber/ ) {
        if ( !$Param{$Needed} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $Needed!"
            );
            return;
        }
    }

    return if !$Self->{DBObject}->Do(
        SQL => "UPDATE $Self->{Table} SET used = 1, change_time = current_timestamp WHERE ticket_number = ? AND used = 2",
        Bind => [ \$Param{TicketNumber} ],
    );

    return 1;
}

sub DeleteTicketTokens {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for my $Needed ( qw/TicketNumber/ ) {
        if ( !$Param{$Needed} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $Needed!"
            );
            return;
        }
    }

    return if !$Self->{DBObject}->Do(
        SQL => "DELETE FROM $Self->{Table} WHERE ticket_number = ?",
        Bind => [ \$Param{TicketNumber} ],
    );

    return 1;
}

sub TicketLink {
    my ( $Self, %Param ) = @_;

    my $ConfigObject = $Kernel::OM->Get('Kernel::Config');

    # check needed stuff
    for my $Needed ( qw/TicketNumber User/ ) {
        if ( !$Param{$Needed} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $Needed!"
            );

            return $ConfigObject->Get('OneTimeAuth::CustomerErrorMessageRefreshFailed') // 'Link could not be generated, please contact us directly!';
        }
    }

    my $TicketLink = $ConfigObject->Get('HttpType') . '://' . $ConfigObject->Get('FQDN') . '/otobo/customer.pl';
    $TicketLink .= "?Action=CustomerTicketZoom;TicketNumber=$Param{TicketNumber}";

    # check if the user already has a passsword - then no direct link is needed
    my %User = $Kernel::OM->Get('Kernel::System::CustomerUser')->CustomerUserDataGet(
        User => $Param{User},
    );

    unless ( $User{UserPassword} ) {
        # generate token
        my $Token = $Self->GenerateToken(
            %Param,
        );

        if ( !$Token ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Error in token generation!"
            );

            return $ConfigObject->Get('OneTimeAuth::CustomerErrorMessage') // 'Link could not be generated, please contact us directly!';
        }

        $TicketLink .= ";OTAToken=$Token";
    }

    return "<a href='$TicketLink' target='_blank'>$TicketLink</a>";
}

sub DeactivateClosedTickets {
    my ( $Self, %Param ) = @_;

    my $ConfigObject = $Kernel::OM->Get('Kernel::Config');
    my $TicketObject = $Kernel::OM->Get('Kernel::System::Ticket');

    # get the compare time if a delay is given
    my $Delay       = $Kernel::OM->Get('Kernel::Config')->Get('OneTimeAuth::AccessDaysAfterClose') || 0;
    my $StillOKTime = $Kernel::OM->Create('Kernel::System::DateTime')->ToEpoch() - 24*60*60*$Delay;

    $Self->{DBObject}->Prepare(
        SQL => "SELECT DISTINCT(ticket_number) FROM $Self->{Table}",
    );
    
    my @TicketNumbers;
    while ( my @Row = $Self->{DBObject}->FetchrowArray() ) {
        push @TicketNumbers, $Row[0];
    }
    
    TICKET:
    for my $TN ( @TicketNumbers ) {
        my $TicketID = $TicketObject->TicketIDLookup(
            TicketNumber => $TN,
        );

        my %Ticket = $TicketObject->TicketGet(
            TicketID => $TicketID,
        );

        # remove old tokens
        if ( $Ticket{StateType} eq 'closed' || $Ticket{StateType} eq 'removed' || $Ticket{StateType} eq 'merged' ) {
            if ( $Delay ) {
                my $LastChangedTime = $Kernel::OM->Create(
                    'Kernel::System::DateTime',
                    ObjectParams => {
                        String   => $Ticket{Changed},
                    }
                )->ToEpoch();

                next TICKET if $LastChangedTime > $StillOKTime;
            }

            $Self->DeleteTicketTokens(
                TicketNumber => $TN,
            ); 
        }
    }

    return 1;
}

sub SendNewToken {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for my $Needed ( qw/TicketNumber User/ ) {
        if ( !$Param{$Needed} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $Needed!"
            );

            return;
        }
    }

    my $ConfigObject       = $Kernel::OM->Get('Kernel::Config');
    my $CustomerUserObject = $Kernel::OM->Get('Kernel::System::CustomerUser');
    my $TicketObject       = $Kernel::OM->Get('Kernel::System::Ticket');

    my $TicketID = $TicketObject->TicketIDLookup(
        TicketNumber => $Param{TicketNumber},
    );
    my %Ticket = $TicketObject->TicketGet(
        TicketID => $TicketID,
    );
    my %User = $Kernel::OM->Get('Kernel::System::CustomerUser')->CustomerUserDataGet(
        User => $Param{User},
    );

    my $TemplateGenerator = $Kernel::OM->Get('Kernel::System::TemplateGenerator');
    my $Sender            = $TemplateGenerator->Sender(
        QueueID => $Ticket{QueueID},
        UserID  => 1,
    );

    my $NotificationID = $ConfigObject->Get('OneTimeAuth::TokenRefreshNotificationID');

    my ( $Body, $Subject );

    if ( $NotificationID ) {
        my %Notification = $Kernel::OM->Get('Kernel::System::NotificationEvent')->NotificationGet(
            ID => $NotificationID,
        );

        my %Languages = map { $_ => $_ } @{ $Notification{Data}{LanguageID} };
        my $Language  = $Languages{de} || $Languages{en} || $Notification{Data}{LanguageID}[0];

        # replace place holder stuff
        $Body = $TemplateGenerator->_Replace(
            RichText        => $ConfigObject->Get('Frontend::RichText'),
            Text            => $Notification{Message}{$Language}{Body},
            Data            => {},
            TicketData      => \%Ticket,
            UserID          => 1,
        );

        $Subject = $TemplateGenerator->_Replace(
            RichText        => 0,
            Text            => $Notification{Message}{$Language}{Subject},
            Data            => {},
            TicketData      => \%Ticket,
            UserID          => 1,
        );
    }

    else {
        my $TicketLink = $Self->TicketLink( %Param );

        $Subject = "Neuer Authentifizierungslink für Ticket#$Ticket{TicketNumber}";
        $Body    = "Guten Tag<br/>Ihr aktueller Link um auf Ticket#$Ticket{TicketNumber} zugreifen zu können lautet:<br/>$TicketLink";
    }


    my $EmailObject = $Kernel::OM->Get('Kernel::System::Email');
    my $Sent = $EmailObject->Send(
        From     => $Sender,
        To       => $User{UserEmail},
        Subject  => $Subject,
        Charset  => 'utf-8',
        MimeType => 'text/html',
        Body     => $Body,
    );

    if ( !$Sent ) {
        $Kernel::OM->Get('Kernel::System::Log')->Log(
            Priority => 'error',
            Message  => "Could not send new token to $Param{User} for Ticket#$Param{TicketNumber}!"
        );

        return;
    }

    return 1;
}

1;

# --
# OTOBO is a web-based ticketing system for service organisations.
# --
# Copyright (C) 2001-2020 OTRS AG, https://otrs.com/
# Copyright (C) 2019-2021 Rother OSS GmbH, https://otobo.de/
# --
# This program is free software: you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation, either version 3 of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# --

package Kernel::System::PostMaster::Filter::CreateNewCustomerUser;

use strict;
use warnings;

use Kernel::System::VariableCheck qw(:all);

our @ObjectDependencies = (
    'Kernel::System::CustomerUser',
    'Kernel::System::Log',
);

sub new {
    my ( $Type, %Param ) = @_;

    # allocate new hash for object
    my $Self = {};
    bless( $Self, $Type );

    # get parser object
    $Self->{ParserObject} = $Param{ParserObject} || die "Got no ParserObject!";

    # Get communication log object.
    $Self->{CommunicationLogObject} = $Param{CommunicationLogObject} || die "Got no CommunicationLogObject!";

    return $Self;
}

sub Run {
    my ( $Self, %Param ) = @_;

    # only needed for new tickets
    return 1 if $Param{TicketID};

    # check needed stuff
    for (qw(GetParam JobConfig)) {
        if ( !$Param{$_} ) {
            $Self->{CommunicationLogObject}->ObjectLog(
                ObjectLogType => 'Message',
                Priority      => 'Error',
                Key           => 'Kernel::System::PostMaster::Filter::CreateNewCustomerUser',
                Value         => "Need $_!",
            );
            return;
        }
    }

    my @EmailAddressOnField = $Self->{ParserObject}->SplitAddressLine(
        Line => $Self->{ParserObject}->GetParam( WHAT => 'From' ),
    );

    my $IncomingMailAddress;

    for my $EmailAddress (@EmailAddressOnField) {
        $IncomingMailAddress = $Self->{ParserObject}->GetEmailAddress(
            Email => $EmailAddress,
        );
    }

    return 1 if !$IncomingMailAddress;

    my $CustomerUserObject = $Kernel::OM->Get('Kernel::System::CustomerUser');

    my %List = $CustomerUserObject->CustomerSearch(
        PostMasterSearch => lc( $IncomingMailAddress ),
        Valid            => 0,
    );

    # user already exists
    if ( %List ) {

        # return if no X-OTOBO-CustomerUser spoofing is possible/dangerous
        return 1 if !$Param{JobConfig}{CustomerHeaderSpoofProtection} && !$Param{JobConfig}{SetCheckBoxName};

        my %CustomerData;
        LOGIN:
        for my $UserLogin ( sort keys %List ) {
            my %CustomerUser = $CustomerUserObject->CustomerUserDataGet(
                User => $UserLogin,
            );
            
            if ( $CustomerUser{ValidID} == 1 ) {
                %CustomerData = %CustomerUser;
                last LOGIN;
            }
        }

        # if user exists but is not valid, do nothing
        return 1 if !%CustomerData;

        if ( $Param{JobConfig}{SetCheckBoxName} && $CustomerData{Source} eq ( $Param{JobConfig}{CustomerUserBackend} || 'CustomerUser' ) ) {
            $Param{GetParam}{ 'X-OTOBO-DynamicField-' . $Param{JobConfig}{SetCheckBoxName} } = 1;
        }

        return 1 if !$Param{JobConfig}{CustomerHeaderSpoofProtection};

        # take CustomerID from customer backend lookup or from from field
        if ( $CustomerData{UserLogin} ) {
            $Param{GetParam}{'X-OTOBO-CustomerUser'} = $CustomerData{UserLogin};

            # notice that UserLogin is from customer source backend
            $Self->{CommunicationLogObject}->ObjectLog(
                ObjectLogType => 'Message',
                Priority      => 'Notice',
                Key           => 'Kernel::System::PostMaster::Filter::CreateNewCustomerUser',
                Value         => "Take UserLogin ($CustomerData{UserLogin}) from "
                    . "customer source backend based on ($IncomingMailAddress).",
            );
        }
        if ( $CustomerData{UserCustomerID} ) {
            $Param{GetParam}{'X-OTOBO-CustomerNo'} = $CustomerData{UserCustomerID};

            # notice that UserCustomerID is from customer source backend
            $Self->{CommunicationLogObject}->ObjectLog(
                ObjectLogType => 'Message',
                Priority      => 'Notice',
                Key           => 'Kernel::System::PostMaster::Filter::CreateNewCustomerUser',
                Value         => "Take UserCustomerID ($CustomerData{UserCustomerID})"
                    . " from customer source backend based on ($IncomingMailAddress).",
            );
        }
    }

    # user does not yet exist - create it!
    else {
        my $UserLogin = lc( $IncomingMailAddress );
        
        my $Success = $CustomerUserObject->CustomerUserAdd(
            Source         => $Param{JobConfig}{CustomerUserBackend} || 'CustomerUser',
            UserFirstname  => ' ',
            UserLastname   => ' ',
            UserCustomerID => $UserLogin,
            UserLogin      => $UserLogin,
            UserEmail      => $UserLogin,
            ValidID        => 1,
            UserID         => 1,
        );

        if ( $Success ) {
            # notice that UserLogin is from customer source backend
            $Self->{CommunicationLogObject}->ObjectLog(
                ObjectLogType => 'Message',
                Priority      => 'Notice',
                Key           => 'Kernel::System::PostMaster::Filter::CreateNewCustomerUser',
                Value         => "Create and set new UserLogin ($UserLogin).",
            );

            $Param{GetParam}{'X-OTOBO-CustomerUser'} = $UserLogin;
            $Param{GetParam}{'X-OTOBO-CustomerNo'}   = $UserLogin;

            if ( $Param{JobConfig}{SetCheckBoxName} ) {
                $Param{GetParam}{ 'X-OTOBO-DynamicField-' . $Param{JobConfig}{SetCheckBoxName} } = 1;
            }

            # set preferences
            $CustomerUserObject->SetPreferences(
                UserID => $UserLogin,
                Key    => 'UserTimeZone',
                Value  => 'Europe/Berlin',
            );
            $CustomerUserObject->SetPreferences(
                UserID => $UserLogin,
                Key    => 'UserShowTickets',
                Value  => '25',
            );
            $CustomerUserObject->SetPreferences(
                UserID => $UserLogin,
                Key    => 'UserRefreshTime',
                Value  => '0',
            );
        }
    }

    return 1;
}

1;
