Merge branch 'master' of bitbucket.org:dheeyi/processmaker into PM-1737

2015-03-17 12:49:48 -04:00
parent c35ca18adf 21603e92d5
commit f0519ed14b
21 changed files with 596 additions and 93 deletions
--- a/gulliver/system/class.database_mssql.php
+++ b/gulliver/system/class.database_mssql.php
@@ -218,7 +218,10 @@ class database extends database_base
    public function getPrimaryKey ($sTable)
    {
        try {
-            $sSQL = " SELECT 	c.COLUMN_NAME " . " FROM 	INFORMATION_SCHEMA.TABLE_CONSTRAINTS pk , " . "       INFORMATION_SCHEMA.KEY_COLUMN_USAGE c " . " WHERE 	pk.TABLE_NAME = '" . trim( $sTable ) . "' " . " AND	CONSTRAINT_TYPE = 'PRIMARY KEY' " . " AND	c.TABLE_NAME = pk.TABLE_NAME " . " AND	c.CONSTRAINT_NAME = pk.CONSTRAINT_NAME ";
+            G::LoadSystem('inputfilter');
+            $filter = new InputFilter();
+            $sSQL = " SELECT 	c.COLUMN_NAME " . " FROM 	INFORMATION_SCHEMA.TABLE_CONSTRAINTS pk , " . "       INFORMATION_SCHEMA.KEY_COLUMN_USAGE c " . " WHERE 	pk.TABLE_NAME = '%s' " . " AND	CONSTRAINT_TYPE = 'PRIMARY KEY' " . " AND	c.TABLE_NAME = pk.TABLE_NAME " . " AND	c.CONSTRAINT_NAME = pk.CONSTRAINT_NAME ";
+            $sSQL = $filter->preventSqlInjection($sSQL, array(trim( $sTable )));
            $oPrimaryKey = $this->executeQuery( $sSQL );
            $aPrimaryKey = mssql_fetch_array( $oPrimaryKey );
            mssql_free_result( $oPrimaryKey );
@@ -238,8 +241,10 @@ class database extends database_base
    public function getFieldConstraint ($sTable, $sField)
    {
        try {
-            $sSQL = " select a.name " . " from sysobjects a " . "   inner join syscolumns b on a.id = b.cdefault " . " where a.xtype = 'D' " . " and a.parent_obj = (select id from sysobjects where xtype = 'U' and name = '" . trim( $sTable ) . "') " . " and b.name = '" . trim( $sField ) . "' ";
-
+            G::LoadSystem('inputfilter');
+            $filter = new InputFilter();
+            $sSQL = " select a.name " . " from sysobjects a " . "   inner join syscolumns b on a.id = b.cdefault " . " where a.xtype = 'D' " . " and a.parent_obj = (select id from sysobjects where xtype = 'U' and name = '%s') " . " and b.name = '%s' ";
+            $sSQL = $filter->preventSqlInjection($sSQL, array(trim( $sTable ),trim( $sField )));
            $oFieldConstraint = $this->executeQuery( $sSQL );
            $aFieldConstraint = mssql_fetch_array( $oFieldConstraint );
            mssql_free_result( $oFieldConstraint );
@@ -259,8 +264,11 @@ class database extends database_base
    public function dropFieldConstraint ($sTable, $sField)
    {
        try {
+            G::LoadSystem('inputfilter');
+            $filter = new InputFilter();
            $sConstraint = $this->getFieldConstraint( $sTable, $sField );
-            $sSQL = "ALTER TABLE " . $sTable . " DROP CONSTRAINT " . $sConstraint . $this->sEndLine;
+            $sSQL = "ALTER TABLE %s DROP CONSTRAINT %s";
+            $sSQL = $filter->preventSqlInjection($sSQL, array($sTable,$sConstraint . $this->sEndLine));
            $oFieldConstraint = $this->executeQuery( $sSQL );
            return $oFieldConstraint;
        } catch (Exception $oException) {
@@ -367,7 +375,10 @@ class database extends database_base
        if (! $this->oConnection) {
            return false;
        }
-        return $this->executeQuery( 'USE ' . $this->sDataBase );
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $query = $filter->preventSqlInjection("USE %s", array($this->sDataBase));
+        return $this->executeQuery( $query );
    }

    public function logQuery ($sQuery)
--- a/gulliver/system/class.dbMaintenance.php
+++ b/gulliver/system/class.dbMaintenance.php
@@ -254,6 +254,9 @@ class DataBaseMaintenance
     */
    function dumpData ($table)
    {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $table = $filter->validateInput($table, 'nosql');
        $this->outfile = $this->tmpDir . $table . '.dump';

        //if the file exists delete it
@@ -261,7 +264,8 @@ class DataBaseMaintenance
            @unlink( $this->outfile );
        }

-        $sql = "SELECT * INTO OUTFILE '{$this->outfile}' FIELDS TERMINATED BY '\t|\t' OPTIONALLY ENCLOSED BY '\"' LINES TERMINATED BY '\t\t\r\r\n' FROM $table";
+        $sql = "SELECT * INTO OUTFILE '{%s}' FIELDS TERMINATED BY '\t|\t' OPTIONALLY ENCLOSED BY '\"' LINES TERMINATED BY '\t\t\r\r\n' FROM %s";
+        $sql = $filter->preventSqlInjection($sql, array($this->outfile,$table));
        // The mysql_escape_string function has been DEPRECATED as of PHP 5.3.0.
        // Commented that is not assigned to a variable.
        // mysql_escape_string("';");
@@ -281,8 +285,11 @@ class DataBaseMaintenance
     */
    function restoreData ($backupFile)
    {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
        $tableName = str_replace( '.dump', '', basename( $backupFile ) );
-        $sql = "LOAD DATA INFILE '$backupFile' INTO TABLE $tableName FIELDS TERMINATED BY '\t|\t' OPTIONALLY ENCLOSED BY '\"' LINES TERMINATED BY '\t\t\r\r\n'";
+        $sql = "LOAD DATA INFILE '%s' INTO TABLE %s FIELDS TERMINATED BY '\t|\t' OPTIONALLY ENCLOSED BY '\"' LINES TERMINATED BY '\t\t\r\r\n'";
+        $sql = $filter->preventSqlInjection($sql, array($backupFile,$tableName));
        if (! @mysql_query( $sql )) {
            print mysql_error() . "\n";
            return false;
@@ -421,11 +428,15 @@ class DataBaseMaintenance

    function lockTables ()
    {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
        $aTables = $this->getTablesList();
        if (empty( $aTables ))
            return false;
        printf( "%-70s", "LOCK TABLES" );
-        if (@mysql_query( "LOCK TABLES " . implode( " READ, ", $aTables ) . " READ; " )) {
+        $sQuery = "LOCK TABLES " . implode( " READ, ", $aTables ) . " READ; ";
+        $sQuery = $filter->preventSqlInjection($sQuery);
+        if (@mysql_query( $sQuery )) {
            echo "    [OK]\n";
            return true;
        } else {
@@ -454,8 +465,13 @@ class DataBaseMaintenance
    function dumpSqlInserts ($table)
    {

+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $table = $filter->validateInput($table, 'nosql');
        $bytesSaved = 0;
-        $result = @mysql_query( "SELECT * FROM `$table`" );
+        $query = "SELECT * FROM `%s`";
+        $query = $filter->preventSqlInjection($query, array($table));
+        $result = @mysql_query( $query );

        $num_rows = mysql_num_rows( $result );
        $num_fields = mysql_num_fields( $result );
@@ -625,10 +641,12 @@ class DataBaseMaintenance
     */
    function getSchemaFromTable ($tablename)
    {
-        //$tableSchema = "/* Structure for table `$tablename` */\n";
-        //$tableSchema .= "DROP TABLE IF EXISTS `$tablename`;\n\n";
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $tablename = $filter->validateInput($tablename, 'nosql');
        $tableSchema = "";
-        $sql = "show create table `$tablename`; ";
+        $sql = "show create table `%s`; ";
+        $sql = $filter->preventSqlInjection($sql, array($tablename));
        $result = @mysql_query( $sql );
        if ($result) {
            if ($row = mysql_fetch_assoc( $result )) {
--- a/gulliver/system/class.g.php
+++ b/gulliver/system/class.g.php
@@ -3317,10 +3317,10 @@ class G
      *
      * @author Erik A.O. <erik@colosa.com>
     */
-    public function json_decode($Json)
+    public function json_decode($Json, $assoc = false)
    {
        if (function_exists('json_decode')) {
-            return json_decode($Json);
+            return json_decode($Json, $assoc);
        } else {
            G::LoadThirdParty('pear/json', 'class.json');
            $oJSON = new Services_JSON();
--- a/gulliver/system/class.inputfilter.php
+++ b/gulliver/system/class.inputfilter.php
@@ -436,7 +436,7 @@ class InputFilter
                                    $inputFiltered = str_replace('&amp;','&',$inputFiltered);
                                }
                            } else {
-                                $jsArray = (array)G::json_decode($val);  
+                                $jsArray = G::json_decode($val,true);  
                                if(is_array($jsArray) && sizeof($jsArray)) {
                                    foreach($jsArray as $j => $jsVal){
                                        if(is_array($jsVal) && sizeof($jsVal)) {
@@ -472,7 +472,7 @@ class InputFilter
                        $input = str_replace('&amp;','&',$input);
                    }
                } else {
-                    $jsArray = (array)G::json_decode($input);
+                    $jsArray = G::json_decode($input,true);
                    if(is_array($jsArray) && sizeof($jsArray)) {
                        foreach($jsArray as $j => $jsVal){
                            if(is_array($jsVal) && sizeof($jsVal)) {
@@ -526,34 +526,43 @@ class InputFilter
      * @access protected
      * @param String $value
      * @param String or Array $types
+      * @param String $valType
      * @return String $value
      */
-    function validateInput($value, $types = 'string')
+    function validateInput($value, $types = 'string', $valType = 'sanitize')
    {
-        if(!isset($value) || trim($value) === '' || $value === NULL ) {
+        if(!isset($value) || empty($value)) {
            return '';
        } 
        
-        if($pos = strpos($value,";")) {
-           $value = substr($value,0,$pos);
-        }
-        
        if(is_array($types) && sizeof($types)){
            foreach($types as $type){
+                if($valType == 'sanitize') {
+                    $value = $this->sanitizeInputValue($value, $type);
+                } else {
                    $value = $this->validateInputValue($value, $type);        
                }
+            }    
        } elseif(is_string($types)) {
+            if($types == 'sanitize' || $types == 'validate') {
+                $valType = $types;
+                $types = 'string';
+            }
+            if($valType == 'sanitize') {
+                $value = $this->sanitizeInputValue($value, $types);
+            } else {
                $value = $this->validateInputValue($value, $types);        
            }
+        }
         
        return $value;
    }
    
-    function validateInputValue($value, $type) {
+    function sanitizeInputValue($value, $type) {
        
        switch($type) {
            case 'float':
-                $value = (float)filter_var($value, FILTER_SANITIZE_NUMBER_FLOAT);
+                $value = filter_var($value, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION | FILTER_FLAG_ALLOW_THOUSAND);
            break;
            case 'int':
                $value = (int)filter_var($value, FILTER_SANITIZE_NUMBER_INT);
@@ -568,16 +577,53 @@ class InputFilter
            break;
            case 'nosql':
                $value = (string)filter_var($value, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
-                if(preg_match('/\b(or|and|xor|drop|insert|update|delete|select)\b/i' , $value)) {
-                   $value = '';
+                if(preg_match('/\b(or|and|xor|drop|insert|update|delete|select)\b/i' , $value, $matches, PREG_OFFSET_CAPTURE)) {
+                       $value = substr($value,0,$matches[0][1]);
                }
            break;
-            case 'db':
-            break;
            default:
                $value = (string)filter_var($value, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
        }
        
        return $value;    
    } 
+    
+   
+    function validateInputValue($value, $type) {
+        
+        switch($type) {
+            case 'float':
+                $value = str_replace(',', '.', $value);
+                if(!filter_var($value, FILTER_VALIDATE_FLOAT)) {
+                    throw new Exception('not a float value'); 
+                }
+            break;
+            case 'int':
+                if(!filter_var($value, FILTER_VALIDATE_INT)) {
+                    throw new Exception('not a int value');    
+                }
+            break;
+            case 'boolean':
+                if(!preg_match('/\b(yes|no|false|true|1|0)\b/i' , $value)) {
+                    throw new Exception('not a boolean value');
+                }
+            break;
+            case 'path':
+                if(!file_exists($value)) {
+                    throw new Exception('not a valid path');
+                }
+            break;
+            case 'nosql':
+                if(preg_match('/\b(or|and|xor|drop|insert|update|delete|select)\b/i' , $value)) {
+                    throw new Exception('sql command found');
+                }
+            break;
+            default:
+                if(!is_string($value)) {
+                    throw new Exception('not a string value');
+                }
+        }
+     
+ 
+    } 
 }
--- a/workflow/engine/classes/class.case.php
+++ b/workflow/engine/classes/class.case.php
@@ -1175,7 +1175,26 @@ class Cases
            if ($this->appSolr != null) {
                $this->appSolr->deleteApplicationSearchIndex($sAppUid);
            }
+            /*----------------------------------********---------------------------------*/
+            $criteria = new Criteria();
+            $criteria->addSelectColumn( ListInboxPeer::USR_UID );
+            $criteria->add( ListInboxPeer::APP_UID, $sAppUid, Criteria::EQUAL );
+            $dataset = ApplicationPeer::doSelectRS($criteria);
+            $dataset->setFetchmode(ResultSet::FETCHMODE_ASSOC);
+            while($dataset->next()) {
+                $aRow = $dataset->getRow();
+                $users = new Users();
+                $users->refreshTotal($aRow['USR_UID'], 'remove', 'draft');
+                $users->refreshTotal($aRow['USR_UID'], 'remove', 'participated');
+            }

+            $oCriteria = new Criteria('workflow');
+            $oCriteria->add(ListInboxPeer::APP_UID, $sAppUid);
+            ListInboxPeer::doDelete($oCriteria);
+            $oCriteria = new Criteria('workflow');
+            $oCriteria->add(ListParticipatedLastPeer::APP_UID, $sAppUid);
+            ListParticipatedLastPeer::doDelete($oCriteria);
+            /*----------------------------------********---------------------------------*/
            return $result;
        } catch (exception $e) {
            throw ($e);
@@ -1237,6 +1256,12 @@ class Cases
            $appAssignSelfServiceValue = new AppAssignSelfServiceValue();

            $appAssignSelfServiceValue->remove($sAppUid, $iDelIndex);
+            /*----------------------------------********---------------------------------*/
+            $aFields = $oAppDel->toArray(BasePeer::TYPE_FIELDNAME);
+            $aFields['APP_STATUS'] = 'TO_DO';
+            $inbox = new ListInbox();
+            $inbox->update($aFields, true);
+            /*----------------------------------********---------------------------------*/
        } catch (exception $e) {
            throw ($e);
        }
@@ -1905,11 +1930,11 @@ class Cases
            $c->add(AppDelegationPeer::APP_UID, $sAppUid);
            $c->add(AppDelegationPeer::DEL_INDEX, $iDelIndex);
            $rowObj = AppDelegationPeer::doSelect($c);
-            G::LoadClass('dates');
-            $oDates = new dates();
+            $user = '';
            foreach ($rowObj as $appDel) {
                $appDel->setDelThreadStatus('CLOSED');
                $appDel->setDelFinishDate('now');
+                $user = $appDel->getUsrUid();
                if ($appDel->Validate()) {
                    $appDel->Save();
                } else {
@@ -1926,7 +1951,7 @@ class Cases
            $data['DEL_THREAD_STATUS'] = 'CLOSED';
            $data['APP_UID']   = $sAppUid;
            $data['DEL_INDEX'] = $iDelIndex;
-            $data['USR_UID']   = $appDel->getUsrUid();
+            $data['USR_UID']   = $user;
            $listParticipatedLast = new ListParticipatedLast();
            $listParticipatedLast->refresh($data);
            /*----------------------------------********---------------------------------*/
@@ -1981,7 +2006,7 @@ class Cases
     * @return Fields
     */

-    public function startCase($sTasUid, $sUsrUid, $isSubprocess = false)
+    public function startCase($sTasUid, $sUsrUid, $isSubprocess = false, $dataPreviusApplication = array())
    {
        if ($sTasUid != '') {
            try {
@@ -2045,11 +2070,12 @@ class Cases
                $Fields['USR_UID'] = $sUsrUid;
                $Fields['DEL_INDEX'] = $iDelIndex;
                $Fields['APP_STATUS'] = 'TO_DO';
+                $Fields['DEL_DELEGATE_DATE'] = $Fields['APP_INIT_DATE'];
                if(!$isSubprocess){
                    $Fields['APP_STATUS'] = 'DRAFT';
                }
                $inbox = new ListInbox();
-                $inbox->newRow($Fields, $sUsrUid);
+                $inbox->newRow($Fields, $sUsrUid, $isSubprocess, $dataPreviusApplication);
                /*----------------------------------********---------------------------------*/
            } catch (exception $e) {
                throw ($e);
@@ -4041,8 +4067,9 @@ class Cases
        $this->getExecuteTriggerProcess($sApplicationUID, "UNPAUSE");

        /*----------------------------------********---------------------------------*/
+        $aData = array_merge($aFieldsDel, $aData);
        $oListPaused = new ListPaused();
-        $oListPaused->remove($sApplicationUID, $iDelegation, true);
+        $oListPaused->remove($sApplicationUID, $iDelegation, $aData);
        /*----------------------------------********---------------------------------*/
    }

@@ -4254,6 +4281,27 @@ class Cases
            $this->appSolr->updateApplicationSearchIndex($sApplicationUID);
        }

+        /*----------------------------------********---------------------------------*/
+        $oCriteria = new Criteria('workflow');
+        $oCriteria->add(ListParticipatedLastPeer::APP_UID, $aData['APP_UID']);
+        $oCriteria->add(ListParticipatedLastPeer::USR_UID, $sUserUID);
+        $oCriteria->add(ListParticipatedLastPeer::DEL_INDEX, $iDelegation);
+        ListParticipatedLastPeer::doDelete($oCriteria);
+        $users = new Users();
+        $users->refreshTotal($sUserUID, 'remove', 'participated');
+
+        $aFieldsDel = array_merge($aData, $aFieldsDel);
+        $aFieldsDel['USR_UID'] = $newUserUID;
+        $inbox = new ListInbox();
+        $inbox->newRow($aFieldsDel, $sUserUID);
+        $users = new Users();
+        if ($aFields['APP_STATUS'] == 'DRAFT') {
+            $users->refreshTotal($sUserUID, 'remove', 'draft');
+        } else if ($iDelegation == 2) {
+            $users->refreshTotal($sUserUID, 'add', 'draft');
+            $users->refreshTotal($sUserUID, 'remove', 'inbox');
+        }
+        /*----------------------------------********---------------------------------*/
        $this->getExecuteTriggerProcess($sApplicationUID, 'REASSIGNED');
        return true;
    }
@@ -6646,7 +6694,6 @@ class Cases
            }
        }

-        require_once 'classes/model/Users.php';
        $c = new Criteria('workflow');
        $c->addSelectColumn(UsersPeer::USR_UID);
        $c->addSelectColumn(UsersPeer::USR_USERNAME);
--- a/workflow/engine/classes/class.derivation.php
+++ b/workflow/engine/classes/class.derivation.php
@@ -748,14 +748,13 @@ class Derivation
            //SETS THE APP_PROC_CODE
            //if (isset($nextDel['TAS_DEF_PROC_CODE']))
            //$appFields['APP_PROC_CODE'] = $nextDel['TAS_DEF_PROC_CODE'];
-
            /*----------------------------------********---------------------------------*/
            if (!empty($iNewDelIndex) && empty($aSP)) {
                $oAppDel = AppDelegationPeer::retrieveByPK( $appFields['APP_UID'], $iNewDelIndex );
                $aFields = $oAppDel->toArray( BasePeer::TYPE_FIELDNAME );
                $aFields['APP_STATUS'] = $currentDelegation['APP_STATUS'];
                $inbox = new ListInbox();
-                $inbox->newRow($aFields, $nextDel['USR_UID']);
+                $inbox->newRow($aFields, $appFields['CURRENT_USER_UID'], false, array(), ($nextDel['TAS_ASSIGN_TYPE'] == 'SELF_SERVICE' ? true : false));
            }
            /*----------------------------------********---------------------------------*/
            unset( $aSP );
@@ -863,7 +862,7 @@ class Derivation
        if (isset( $aSP )) {
            //Create the new case in the sub-process
            // set the initial date to null the time its created
-            $aNewCase = $this->case->startCase( $aSP['TAS_UID'], $aSP['USR_UID'], true );
+            $aNewCase = $this->case->startCase( $aSP['TAS_UID'], $aSP['USR_UID'], true, $appFields);
            //Copy case variables to sub-process case
            $aFields = unserialize( $aSP['SP_VARIABLES_OUT'] );
            $aNewFields = array ();
--- a/workflow/engine/classes/class.wsTools.php
+++ b/workflow/engine/classes/class.wsTools.php
@@ -1970,6 +1970,39 @@ class workspaceTools
        }        
        CLI::logging("> Completed table LIST_UNASSIGNED\n");
        CLI::logging("> Completed table LIST_UNASSIGNED_GROUP\n");
+
+        // ADD LISTS COUNTS
+        $aTypes = array(
+            'to_do',
+            'draft',
+            'cancelled',
+            'sent',
+            'paused',
+            'completed',
+            'selfservice'
+        );
+
+        $users = new Users();
+        $criteria = new Criteria();
+        $criteria->addSelectColumn(UsersPeer::USR_UID);
+        $dataset = UsersPeer::doSelectRS($criteria);
+        $dataset->setFetchmode(ResultSet::FETCHMODE_ASSOC);
+        while($dataset->next()) {
+            $aRow = $dataset->getRow();
+            $oAppCache = new AppCacheView();
+            $aCount = $oAppCache->getAllCounters( $aTypes, $aRow['USR_UID'] );
+            $newData = array(
+                'USR_UID'                   => $aRow['USR_UID'],
+                'USR_TOTAL_INBOX'           => $aCount['to_do'],
+                'USR_TOTAL_DRAFT'           => $aCount['draft'],
+                'USR_TOTAL_CANCELLED'       => $aCount['cancelled'],
+                'USR_TOTAL_PARTICIPATED'    => $aCount['sent'],
+                'USR_TOTAL_PAUSED'          => $aCount['paused'],
+                'USR_TOTAL_COMPLETED'       => $aCount['completed'],
+                'USR_TOTAL_UNASSIGNED'      => $aCount['selfservice']
+            );
+            $users->update($newData);
+        }
        $this->listFirstExecution('insert');
        return true;
    } 
--- a/workflow/engine/classes/model/ListCanceled.php
+++ b/workflow/engine/classes/model/ListCanceled.php
@@ -103,6 +103,10 @@ class ListCanceled extends BaseListCanceled {
        $oListInbox = new ListInbox();
        $oListInbox->removeAll($data['APP_UID']);

+        $users = new Users();
+        $users->refreshTotal($data['USR_UID'], 'removed', 'inbox');
+        $users->refreshTotal($data['USR_UID'], 'add', 'canceled');
+
        $con = Propel::getConnection( ListCanceledPeer::DATABASE_NAME );
        try {
            $this->fromArray( $data, BasePeer::TYPE_FIELDNAME );
--- a/workflow/engine/classes/model/ListCompleted.php
+++ b/workflow/engine/classes/model/ListCompleted.php
@@ -94,6 +94,14 @@ class ListCompleted extends BaseListCompleted
        $criteriaSet->add(ListParticipatedLastPeer::APP_STATUS, 'COMPLETED');
        BasePeer::doUpdate($criteriaWhere, $criteriaSet, Propel::getConnection("workflow"));

+        $users = new Users();
+        $users->refreshTotal($data['USR_UID'], 'add', 'completed');
+        if ($data['DEL_PREVIOUS'] != 0) {
+            $users->refreshTotal($data['USR_UID'], 'remove', 'inbox');
+        } else {
+            $users->refreshTotal($data['USR_UID'], 'remove', 'draft');
+        }
+
        $con = Propel::getConnection( ListCompletedPeer::DATABASE_NAME );
        try {
            $this->fromArray( $data, BasePeer::TYPE_FIELDNAME );
--- a/workflow/engine/classes/model/ListInbox.php
+++ b/workflow/engine/classes/model/ListInbox.php
@@ -23,7 +23,7 @@ class ListInbox extends BaseListInbox
     * @return type
     *
     */
-    public function create($data)
+    public function create($data, $isSelfService = false)
    {
        $con = Propel::getConnection( ListInboxPeer::DATABASE_NAME );
        try {
@@ -48,12 +48,27 @@ class ListInbox extends BaseListInbox
            $listMyInbox->refresh($data);

            // remove and create participated last
+            if (!$isSelfService) {
                $listParticipatedLast = new ListParticipatedLast();
                $listParticipatedLast->remove($data['APP_UID'], $data['USR_UID']);
                $listParticipatedLast = new ListParticipatedLast();
                $listParticipatedLast->create($data);
                $listParticipatedLast = new ListParticipatedLast();
                $listParticipatedLast->refresh($data);
+            } else {
+                $data['USR_UID'] = $data['DEL_PREVIOUS_USR_UID'];
+                $data['DEL_CURRENT_USR_LASTNAME'] = '';
+                $data['DEL_CURRENT_USR_USERNAME'] = '';
+                $data['DEL_CURRENT_USR_FIRSTNAME'] = '';
+
+                $listParticipatedLast = new ListParticipatedLast();
+                $listParticipatedLast->refresh($data, $isSelfService);
+                $data['USR_UID'] = 'SELF_SERVICES';
+                $listParticipatedLast = new ListParticipatedLast();
+                $listParticipatedLast->create($data);
+                $listParticipatedLast = new ListParticipatedLast();
+                $listParticipatedLast->refresh($data, $isSelfService);
+            }

            return $result;
        } catch(Exception $e) {
@@ -69,8 +84,31 @@ class ListInbox extends BaseListInbox
     * @return type
     * @throws type
     */
-    public function update($data)
+    public function update($data, $isSelfService = false)
    {
+        if ($isSelfService) {
+            $users = new Users();
+            $users->refreshTotal($data['USR_UID'], 'add', 'inbox');
+
+            $listParticipatedLast = new ListParticipatedLast();
+            $listParticipatedLast->remove($data['APP_UID'], $data['USR_UID']);
+
+            //Update - WHERE
+            $criteriaWhere = new Criteria("workflow");
+            $criteriaWhere->add(ListParticipatedLastPeer::APP_UID, $data["APP_UID"], Criteria::EQUAL);
+            $criteriaWhere->add(ListParticipatedLastPeer::USR_UID, 'SELF_SERVICES', Criteria::EQUAL);
+            $criteriaWhere->add(ListParticipatedLastPeer::DEL_INDEX, $data["DEL_INDEX"], Criteria::EQUAL);
+
+            //Update - SET
+            $criteriaSet = new Criteria("workflow");
+            $criteriaSet->add(ListParticipatedLastPeer::USR_UID, $data['USR_UID']);
+            BasePeer::doUpdate($criteriaWhere, $criteriaSet, Propel::getConnection("workflow"));
+
+            $listParticipatedLast = new ListParticipatedLast();
+            $listParticipatedLast->refresh($data);
+            $users = new Users();
+            $users->refreshTotal($data['USR_UID'], 'add', 'participated');
+        }
        $con = Propel::getConnection( ListInboxPeer::DATABASE_NAME );
        try {
            $con->begin();
@@ -141,7 +179,7 @@ class ListInbox extends BaseListInbox
        }
    }

-    public function newRow ($data, $delPreviusUsrUid)
+    public function newRow ($data, $delPreviusUsrUid, $isInitSubprocess = false, $dataPreviusApplication = array(), $isSelfService = false)
    {
        $data['DEL_PREVIOUS_USR_UID'] = $delPreviusUsrUid;
        if (isset($data['DEL_TASK_DUE_DATE'])) {
@@ -211,7 +249,53 @@ class ListInbox extends BaseListInbox
            $data['DEL_PREVIOUS_USR_LASTNAME']  = $aRow['USR_LASTNAME'];
        }

-        self::create($data);
+        $users = new Users();
+        $criteria = new Criteria();
+        $criteria->addSelectColumn(SubApplicationPeer::DEL_INDEX_PARENT);
+        $criteria->add( SubApplicationPeer::APP_PARENT, $data['APP_UID'], Criteria::EQUAL );
+        $dataset = SubApplicationPeer::doSelectRS($criteria);
+        $dataset->setFetchmode(ResultSet::FETCHMODE_ASSOC);
+        if ($dataset->next()) {
+            $aSub = $dataset->getRow();
+            if ($aSub['DEL_INDEX_PARENT'] == $data['DEL_PREVIOUS'] && !$isSelfService) {
+                $users->refreshTotal($data['USR_UID'], 'add', 'inbox');
+                self::create($data, $isSelfService);
+                return 1;
+            }
+        }
+
+        if (!$isInitSubprocess) {
+            if ($data['APP_STATUS'] == 'DRAFT') {
+                $users->refreshTotal($data['USR_UID'], 'add', 'draft');
+            } else {
+                $oRow = ApplicationPeer::retrieveByPK($data['APP_UID']);
+                $aFields = $oRow->toArray( BasePeer::TYPE_FIELDNAME );
+                if ($data['DEL_INDEX'] == 2 || $aFields['APP_STATUS'] == 'DRAFT') {
+                    $criteria = new Criteria();
+                    $criteria->addSelectColumn(SubApplicationPeer::APP_UID);
+                    $criteria->add( SubApplicationPeer::APP_UID, $data['APP_UID'], Criteria::EQUAL );
+                    $dataset = SubApplicationPeer::doSelectRS($criteria);
+                    if ($dataset->next()) {
+                        $users->refreshTotal($delPreviusUsrUid, 'remove', 'inbox');
+                    } else {
+                        $users->refreshTotal($delPreviusUsrUid, 'remove', 'draft');
+                    }
+                } else {
+                    $users->refreshTotal($delPreviusUsrUid, 'remove', 'inbox');
+                }
+                if (!$isSelfService) {
+                    $users->refreshTotal($data['USR_UID'], 'add', 'inbox');
+                }
+            }
+        } else {
+            $users->refreshTotal($data['USR_UID'], 'add', 'inbox');
+            if ($dataPreviusApplication['APP_STATUS'] == 'DRAFT') {
+                $users->refreshTotal($dataPreviusApplication['CURRENT_USER_UID'], 'remove', 'draft');
+            } else {
+                $users->refreshTotal($dataPreviusApplication['CURRENT_USER_UID'], 'remove', 'inbox');
+            }
+        }
+        self::create($data, $isSelfService);
    }

    public function loadFilters (&$criteria, $filters)
--- a/workflow/engine/classes/model/ListParticipatedLast.php
+++ b/workflow/engine/classes/model/ListParticipatedLast.php
@@ -26,6 +26,16 @@ class ListParticipatedLast extends BaseListParticipatedLast
     */
    public function create($data)
    { 
+        $criteria = new Criteria();
+        $criteria->addSelectColumn(ApplicationPeer::APP_STATUS);
+        $criteria->add( ApplicationPeer::APP_UID, $data['APP_UID'], Criteria::EQUAL );
+        $dataset = UsersPeer::doSelectRS($criteria);
+        $dataset->setFetchmode(ResultSet::FETCHMODE_ASSOC);
+        $dataset->next();
+        $aRow = $dataset->getRow();
+        $data['APP_STATUS']  = $aRow['APP_STATUS'];
+
+        if ($data['USR_UID'] != 'SELF_SERVICES') {
            $criteria = new Criteria();
            $criteria->addSelectColumn(UsersPeer::USR_USERNAME);
            $criteria->addSelectColumn(UsersPeer::USR_FIRSTNAME);
@@ -39,14 +49,9 @@ class ListParticipatedLast extends BaseListParticipatedLast
            $data['DEL_CURRENT_USR_FIRSTNAME'] = $aRow['USR_FIRSTNAME'];
            $data['DEL_CURRENT_USR_LASTNAME']  = $aRow['USR_LASTNAME'];

-        $criteria = new Criteria();
-        $criteria->addSelectColumn(ApplicationPeer::APP_STATUS);
-        $criteria->add( ApplicationPeer::APP_UID, $data['APP_UID'], Criteria::EQUAL );
-        $dataset = UsersPeer::doSelectRS($criteria);
-        $dataset->setFetchmode(ResultSet::FETCHMODE_ASSOC);
-        $dataset->next();
-        $aRow = $dataset->getRow();
-        $data['APP_STATUS']  = $aRow['APP_STATUS'];
+            $users = new Users();
+            $users->refreshTotal($data['USR_UID'], 'add', 'participated');
+        }

        $con = Propel::getConnection( ListParticipatedLastPeer::DATABASE_NAME );
        try {
@@ -102,9 +107,10 @@ class ListParticipatedLast extends BaseListParticipatedLast
     * @throws type
     *
     */
-    public function refresh ($data)
+    public function refresh ($data, $isSelfService = false)
    {   
        $data['APP_STATUS'] = (empty($data['APP_STATUS'])) ? 'TO_DO' : $data['APP_STATUS'];
+        if (!$isSelfService) {
            $criteria = new Criteria();
            $criteria->addSelectColumn(UsersPeer::USR_USERNAME);
            $criteria->addSelectColumn(UsersPeer::USR_FIRSTNAME);
@@ -115,10 +121,17 @@ class ListParticipatedLast extends BaseListParticipatedLast
            $dataset->next();
            $aRow = $dataset->getRow();

-        $data['DEL_CURRENT_USR_UID'] = $data['USR_UID'];
-        $data['DEL_CURRENT_USR_USERNAME']  = $aRow['USR_USERNAME'];
-        $data['DEL_CURRENT_USR_FIRSTNAME'] = $aRow['USR_FIRSTNAME'];
-        $data['DEL_CURRENT_USR_LASTNAME']  = $aRow['USR_LASTNAME']; 
+            //Update - WHERE
+            $criteriaWhere = new Criteria("workflow");
+            $criteriaWhere->add(ListParticipatedLastPeer::APP_UID, $data["APP_UID"], Criteria::EQUAL);
+            //Update - SET
+            $criteriaSet = new Criteria("workflow");
+            $criteriaSet->add(ListParticipatedLastPeer::DEL_CURRENT_USR_USERNAME, $aRow['USR_USERNAME']);
+            $criteriaSet->add(ListParticipatedLastPeer::DEL_CURRENT_USR_FIRSTNAME, $aRow['USR_FIRSTNAME']);
+            $criteriaSet->add(ListParticipatedLastPeer::DEL_CURRENT_USR_LASTNAME, $aRow['USR_LASTNAME']);
+            BasePeer::doUpdate($criteriaWhere, $criteriaSet, Propel::getConnection("workflow"));
+
+        }
        $this->update($data);
        
    }
@@ -132,6 +145,11 @@ class ListParticipatedLast extends BaseListParticipatedLast
     */
    public function remove ($app_uid, $usr_uid)
    {
+        $existField = ListParticipatedLastPeer::retrieveByPK($app_uid, $usr_uid);
+        if (! is_null( $existField )) {
+            $users = new Users();
+            $users->refreshTotal($usr_uid, 'removed', 'participated');
+        }
        $con = Propel::getConnection( ListParticipatedLastPeer::DATABASE_NAME );
        try {
            $this->setAppUid($app_uid);
--- a/workflow/engine/classes/model/ListPaused.php
+++ b/workflow/engine/classes/model/ListPaused.php
@@ -118,6 +118,14 @@ class ListPaused extends BaseListPaused {
        $oListInbox = new ListInbox();
        $oListInbox->remove($data['APP_UID'], $data['DEL_INDEX']);

+        $users = new Users();
+        if ($data['APP_STATUS'] == 'DRAFT') {
+            $users->refreshTotal($data['USR_UID'], 'removed', 'draft');
+        } else {
+            $users->refreshTotal($data['USR_UID'], 'removed', 'inbox');
+        }
+        $users->refreshTotal($data['USR_UID'], 'add', 'paused');
+
        $con = Propel::getConnection( ListPausedPeer::DATABASE_NAME );
        try {
            $this->fromArray( $data, BasePeer::TYPE_FIELDNAME );
@@ -172,8 +180,20 @@ class ListPaused extends BaseListPaused {
     * @throws type
     *
     */
-    public function remove ($app_uid, $del_index)
+    public function remove ($app_uid, $del_index, $data_inbox)
    {
+        $users = new Users();
+        $users->refreshTotal($data_inbox['USR_UID'], 'removed', 'paused');
+
+        $oRow = ApplicationPeer::retrieveByPK($app_uid);
+        $aFields = $oRow->toArray( BasePeer::TYPE_FIELDNAME );
+        $data_inbox['APP_STATUS'] = $aFields['APP_STATUS'];
+        if ($data_inbox['APP_STATUS'] == 'TO_DO') {
+            $users->refreshTotal($data_inbox['USR_UID'], 'add', 'inbox');
+        }
+        $listInbox = new ListInbox();
+        $listInbox->newRow($data_inbox, $data_inbox['USR_UID']);
+
        $con = Propel::getConnection( ListPausedPeer::DATABASE_NAME );
        try {
            $this->setAppUid($app_uid);
--- a/workflow/engine/methods/cases/casesList_Ajax.php
+++ b/workflow/engine/methods/cases/casesList_Ajax.php
@@ -216,6 +216,7 @@ if ($actionAjax == "getUsersToReassign") {
    G::LoadClass( 'tasks' );
    $task = new Task();
    $tasks = $task->load($_SESSION['TASK']);
+    $result = new stdclass();
    $result->data = $case->getUsersToReassign( $_SESSION['TASK'], $_SESSION['USER_LOGGED'], $tasks['PRO_UID'] );
    print G::json_encode( $result );
 }
@@ -240,6 +241,7 @@ if ($actionAjax == 'reassignCase') {
        //print_r($caseData);
        $data['APP_NUMBER'] = $caseData['APP_NUMBER'];
        $data['USER'] = $userData['USR_LASTNAME'] . ' ' . $userData['USR_FIRSTNAME']; //TODO change with the farmated username from environment conf
+        $result = new stdclass();
        $result->status = 0;
        $result->msg = G::LoadTranslation( 'ID_REASSIGNMENT_SUCCESS', SYS_LANG, $data );
    } catch (Exception $e) {
--- a/workflow/engine/methods/cases/main_init.php
+++ b/workflow/engine/methods/cases/main_init.php
@@ -80,9 +80,49 @@ if ($oServerConf->isRtl( SYS_LANG )) {
    $regionTreePanel = 'west';
    $regionDebug = 'east';
 }
+
+$urlProxy = 'casesMenuLoader?action=getAllCounters&r=';
+/*----------------------------------********---------------------------------*/
+$urlProxy = '/api/1.0/' . SYS_SYS . '/system/counters-lists?r=';
+$clientId = 'x-pm-local-client';
+$client = getClientCredentials($clientId);
+$authCode = getAuthorizationCode($client);
+$debug = false; //System::isDebugMode();
+
+$loader = Maveriks\Util\ClassLoader::getInstance();
+$loader->add(PATH_TRUNK . 'vendor/bshaffer/oauth2-server-php/src/', "OAuth2");
+
+$request = array(
+    'grant_type' => 'authorization_code',
+    'code' => $authCode
+);
+$server = array(
+    'REQUEST_METHOD' => 'POST'
+);
+$headers = array(
+    "PHP_AUTH_USER" => $client['CLIENT_ID'],
+    "PHP_AUTH_PW" => $client['CLIENT_SECRET'],
+    "Content-Type" => "multipart/form-data;",
+    "Authorization" => "Basic " . base64_encode($client['CLIENT_ID'] . ":" . $client['CLIENT_SECRET'])
+);
+
+$request = new \OAuth2\Request(array(), $request, array(), array(), array(), $server, null, $headers);
+$oauthServer = new \ProcessMaker\Services\OAuth2\Server();
+$response = $oauthServer->postToken($request, true);
+
+$clientToken = $response->getParameters();
+$clientToken["client_id"] = $client['CLIENT_ID'];
+$clientToken["client_secret"] = $client['CLIENT_SECRET'];
+/*----------------------------------********---------------------------------*/
+
+
 $oHeadPublisher->assign( 'regionTreePanel', $regionTreePanel );
 $oHeadPublisher->assign( 'regionDebug', $regionDebug );
 $oHeadPublisher->assign( "defaultOption", $defaultOption ); //User menu permissions
+$oHeadPublisher->assign( 'urlProxy', $urlProxy ); //sending the urlProxy to make
+/*----------------------------------********---------------------------------*/
+$oHeadPublisher->assign( 'credentials', $clientToken );
+/*----------------------------------********---------------------------------*/
 $oHeadPublisher->assign( "_nodeId", isset( $confDefaultOption ) ? $confDefaultOption : "PM_USERS" ); //User menu permissions
 $oHeadPublisher->assign( "FORMATS", $conf->getFormats() );

@@ -90,3 +130,41 @@ $_SESSION["current_ux"] = "NORMAL";

 G::RenderPage( "publish", "extJs" );

+
+/*----------------------------------********---------------------------------*/
+function getClientCredentials($clientId)
+{
+    $oauthQuery = new ProcessMaker\Services\OAuth2\PmPdo(getDsn());
+    return $oauthQuery->getClientDetails($clientId);
+}
+
+function getDsn()
+{
+    list($host, $port) = strpos(DB_HOST, ':') !== false ? explode(':', DB_HOST) : array(DB_HOST, '');
+    $port = empty($port) ? '' : ";port=$port";
+    $dsn = DB_ADAPTER.':host='.$host.';dbname='.DB_NAME.$port;
+
+    return array('dsn' => $dsn, 'username' => DB_USER, 'password' => DB_PASS);
+}
+
+
+function getAuthorizationCode($client)
+{
+    \ProcessMaker\Services\OAuth2\Server::setDatabaseSource(getDsn());
+    \ProcessMaker\Services\OAuth2\Server::setPmClientId($client['CLIENT_ID']);
+
+    $oauthServer = new \ProcessMaker\Services\OAuth2\Server();
+    $userId = $_SESSION['USER_LOGGED'];
+    $authorize = true;
+    $_GET = array_merge($_GET, array(
+        'response_type' => 'code',
+        'client_id' => $client['CLIENT_ID'],
+        'scope' => implode(' ', $oauthServer->getScope())
+    ));
+
+    $response = $oauthServer->postAuthorize($authorize, $userId, true);
+    $code = substr($response->getHttpHeader('Location'), strpos($response->getHttpHeader('Location'), 'code=')+5, 40);
+
+    return $code;
+}
+/*----------------------------------********---------------------------------*/
--- a/workflow/engine/methods/setup/appCacheViewAjax.php
+++ b/workflow/engine/methods/setup/appCacheViewAjax.php
@@ -26,6 +26,8 @@ function testConnection($type, $server, $user, $passwd, $port = 'none', $dbName

    G::LoadClass('net');
    $Server = new NET($server);
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();

    if ($Server->getErrno() == 0) {
        $Server->scannPort($port);
@@ -40,18 +42,24 @@ function testConnection($type, $server, $user, $passwd, $port = 'none', $dbName
                        $response = $Server->tryConnectServer($type);
                        $connDatabase = @mysql_connect($server, $user, $passwd);
                        $dbNameTest = "PROCESSMAKERTESTDC";
-                        $db = @mysql_query("CREATE DATABASE " . $dbNameTest, $connDatabase);
+                        $dbNameTest = $filter->validateInput($dbNameTest, 'nosql');
+                        $query = "CREATE DATABASE %s";
+                        $query = $filter->preventSqlInjection($query, array($dbNameTest), $connDatabase);
+                        $db = @mysql_query($query, $connDatabase);
                        $success = false;
                        if (!$db) {
                            $message = mysql_error();;
                        } else {
                            $usrTest = "wfrbtest";
-                            $chkG = "GRANT ALL PRIVILEGES ON `" . $dbNameTest . "`.* TO " . $usrTest . "@'%' IDENTIFIED BY 'sample' WITH GRANT OPTION";
+                            $chkG = "GRANT ALL PRIVILEGES ON `%s`.* TO %s@'%%' IDENTIFIED BY 'sample' WITH GRANT OPTION";
+                            $chkG = $filter->preventSqlInjection($chkG, array($dbNameTest,$usrTest), $connDatabase);
                            $ch = @mysql_query($chkG, $connDatabase);
                            if (!$ch) {
                                $message = mysql_error();
                            } else {
-                                $sqlCreateUser = "CREATE USER '" . $user . "_usertest'@'%' IDENTIFIED BY 'sample'";
+                                $sqlCreateUser = "CREATE USER '%s'@'%%' IDENTIFIED BY '%s'";
+                                $user = $filter->validateInput($user, 'nosql');
+                                $sqlCreateUser = $filter->preventSqlInjection($sqlCreateUser, array($user."_usertest","sample"), $connDatabase);
                                $result = @mysql_query($sqlCreateUser, $connDatabase);
                                if (!$result) {
                                    $message = mysql_error();
@@ -59,12 +67,20 @@ function testConnection($type, $server, $user, $passwd, $port = 'none', $dbName
                                    $success = true;
                                    $message = G::LoadTranslation('ID_SUCCESSFUL_CONNECTION');
                                }
-                                $sqlDropUser = "DROP USER '" . $user . "_usertest'@'%'";
+                                $sqlDropUser = "DROP USER '%s'@'%%'";
+                                $user = $filter->validateInput($user, 'nosql');
+                                $sqlDropUser = $filter->preventSqlInjection($sqlDropUser, array($user."_usertest"), $connDatabase);
                                @mysql_query($sqlDropUser, $connDatabase);
                                
-                                @mysql_query("DROP USER " . $usrTest . "@'%'", $connDatabase);
+                                $sqlDropUser = "DROP USER %s@'%%'";
+                                $usrTest = $filter->validateInput($usrTest, 'nosql');
+                                $sqlDropUser = $filter->preventSqlInjection($sqlDropUser, array($usrTest), $connDatabase);
+                                @mysql_query($sqlDropUser, $connDatabase);
                            }
-                            @mysql_query("DROP DATABASE " . $dbNameTest, $connDatabase);
+                            $sqlDropDb = "DROP DATABASE %s";
+                            $dbNameTest = $filter->validateInput($dbNameTest, 'nosql');
+                            $sqlDropDb = $filter->preventSqlInjection($sqlDropDb, array($dbNameTest), $connDatabase);
+                            @mysql_query($sqlDropDb, $connDatabase);
                        }
                        return array($success, ($message != "")? $message : $Server->error);
                    } else {
--- a/workflow/engine/src/ProcessMaker/BusinessModel/Light.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/Light.php
@@ -723,6 +723,7 @@ class Light
     */
    public function documentUploadFiles($userUid, $app_uid, $app_doc_uid, $request_data)
    {
+        $response = array("status" => "fail");
        if (isset( $_FILES["form"]["name"] ) && count( $_FILES["form"]["name"] ) > 0) {
            $arrayField = array ();
            $arrayFileName = array ();
@@ -773,6 +774,7 @@ class Light
                        $sPathName = PATH_DOCUMENT . $pathUID . PATH_SEP;
                        $sFileName = $sAppDocUid . "_" . $iDocVersion . "." . $sExtension;
                        G::uploadFile( $arrayFileTmpName[$i], $sPathName, $sFileName );
+                        $response = array("status" => "ok");
                    }
                }
            }
@@ -780,4 +782,31 @@ class Light

        return $response;
    }
+
+    /**
+     * claim case
+     *
+     * @param $userUid
+     * @param $Fields
+     * @param $type
+     * @throws \Exception
+     */
+    public function claimCaseUser($userUid, $sAppUid)
+    {
+        $response = array("status" => "fail");
+        $oCase = new \Cases();
+        $iDelIndex = $oCase->getCurrentDelegation( $sAppUid, $userUid );
+
+        $oAppDelegation = new \AppDelegation();
+        $aDelegation = $oAppDelegation->load( $sAppUid, $iDelIndex );
+
+        //if there are no user in the delegation row, this case is still in selfservice
+        if ($aDelegation['USR_UID'] == "") {
+            $oCase->setCatchUser( $sAppUid,$iDelIndex, $userUid );
+            $response = array("status" => "ok");
+        } else {
+            //G::SendMessageText( G::LoadTranslation( 'ID_CASE_ALREADY_DERIVATED' ), 'error' );
+        }
+        return $response;
+    }
 }
--- a/workflow/engine/src/ProcessMaker/BusinessModel/Lists.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/Lists.php
@@ -1,6 +1,8 @@
 <?php
 namespace ProcessMaker\BusinessModel;
 use \G;
+use \Criteria;
+use \UsersPeer;

 /**
 * @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
@@ -180,4 +182,45 @@ class Lists {
        }
        return $response;
    }
+
+    /**
+     * Get counters for lists
+     *
+     * @access public
+     * @param array $userId, User Uid
+     * @return array
+     *
+     * @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
+     * @copyright Colosa - Bolivia
+     */
+    public function getCounters($userId)
+    {
+        $criteria = new Criteria();
+        $criteria->addSelectColumn(UsersPeer::USR_TOTAL_INBOX);
+        $criteria->addSelectColumn(UsersPeer::USR_TOTAL_DRAFT);
+        $criteria->addSelectColumn(UsersPeer::USR_TOTAL_CANCELLED);
+        $criteria->addSelectColumn(UsersPeer::USR_TOTAL_PARTICIPATED);
+        $criteria->addSelectColumn(UsersPeer::USR_TOTAL_PAUSED);
+        $criteria->addSelectColumn(UsersPeer::USR_TOTAL_COMPLETED);
+        $criteria->add( UsersPeer::USR_UID, $userId, Criteria::EQUAL );
+        $dataset = UsersPeer::doSelectRS($criteria);
+        $dataset->setFetchmode(\ResultSet::FETCHMODE_ASSOC);
+        $dataset->next();
+        $aRow = $dataset->getRow();
+
+        $oAppCache = new \AppCacheView();
+        $totalUnassigned = $oAppCache->getListCounters('selfservice', $userId, false);
+
+        $response = array(
+            array('count' => $aRow['USR_TOTAL_INBOX'],          'item' => 'CASES_INBOX'),
+            array('count' => $aRow['USR_TOTAL_DRAFT'],          'item' => 'CASES_DRAFT'),
+            array('count' => $aRow['USR_TOTAL_CANCELLED'],      'item' => 'CASES_CANCELLED'),
+            array('count' => $aRow['USR_TOTAL_PARTICIPATED'],   'item' => 'CASES_SENT'),
+            array('count' => $aRow['USR_TOTAL_PAUSED'],         'item' => 'CASES_PAUSED'),
+            array('count' => $aRow['USR_TOTAL_COMPLETED'],      'item' => 'CASES_COMPLETED'),
+            array('count' => $totalUnassigned,                  'item' => 'CASES_SELFSERVICE')
+        );
+
+        return $response;
+    }
 }
--- a/workflow/engine/src/ProcessMaker/Services/Api/Light.php
+++ b/workflow/engine/src/ProcessMaker/Services/Api/Light.php
@@ -794,10 +794,28 @@ class Light extends Api
        try {
            $userUid = $this->getUserId();
            $oMobile = new \ProcessMaker\BusinessModel\Light();
-            $filesUids = $oMobile->documentUploadFiles($userUid, $app_uid, $app_doc_uid, $request_data);
+            $response = $oMobile->documentUploadFiles($userUid, $app_uid, $app_doc_uid, $request_data);
        } catch (\Exception $e) {
            throw (new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage()));
        }
-        return $filesUids;
+        return $response;
+    }
+
+    /**
+     * @url POST /case/:app_uid/claim
+     *
+     * @param $app_uid
+     * @return mixed
+     */
+    public function claimCaseUser($app_uid)
+    {
+        try {
+            $userUid = $this->getUserId();
+            $oMobile = new \ProcessMaker\BusinessModel\Light();
+            $response = $oMobile->claimCaseUser($userUid, $app_uid);
+        } catch (\Exception $e) {
+            throw (new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage()));
+        }
+        return $response;
    }
 }
--- a/workflow/engine/src/ProcessMaker/Services/Api/System.php
+++ b/workflow/engine/src/ProcessMaker/Services/Api/System.php
@@ -29,5 +29,27 @@ class System extends Api
            throw (new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage()));
        }
    }
+
+    /**
+     * Get count for all lists
+     *
+     * @return array
+     *
+     * @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
+     * @copyright Colosa - Bolivia
+     *
+     * @url GET /counters-lists
+     */
+    public function doGetCountersLists()
+    {
+        try {
+            $userId   = $this->getUserId();
+            $lists    = new \ProcessMaker\BusinessModel\Lists();
+            $response = $lists->getCounters($userId);
+            return $response;
+        } catch (\Exception $e) {
+            throw (new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage()));
+        }
+    }
 }

--- a/workflow/engine/src/ProcessMaker/Services/OAuth2/Server.php
+++ b/workflow/engine/src/ProcessMaker/Services/OAuth2/Server.php
@@ -57,7 +57,7 @@ class Server implements iAuthenticate
        }

        // Pass a storage object or array of storage objects to the OAuth2 server class
-        $this->server = new \OAuth2\Server($this->storage, array('allow_implicit' => true));
+        $this->server = new \OAuth2\Server($this->storage, array('allow_implicit' => true, 'access_lifetime' => 86400));

        $this->server->setConfig('enforce_state', false);

--- a/workflow/engine/templates/cases/main.js
+++ b/workflow/engine/templates/cases/main.js
@@ -573,7 +573,14 @@ function updateCasesTree() {
    ReloadTreeMenuItemDetail({item:currentSelectedTreeMenuItem});
  }
  Ext.Ajax.request({
-    url: 'casesMenuLoader?action=getAllCounters&r='+Math.random(),
+    url: urlProxy + Math.random(),
+    /*----------------------------------********---------------------------------*/
+    headers: {
+      'Content-Type': 'application/json',
+      'Authorization': 'Bearer ' + credentials.access_token
+    },
+    method: 'GET',
+    /*----------------------------------********---------------------------------*/
    success: function(response){
      result = Ext.util.JSON.decode(response.responseText);