- 01 Nov, 2012 2 commits
- 30 Oct, 2012 2 commits
-
-
Thomas Sibley authored
-
Alex Vandiver authored
If a user had permissions to execute a change, they should always have permission to read the description of the transaction that is returned. This case is triggered when a user changes a ticket's queue to one they do not have rights in, for example; without it, the UI merely displays the unhelpful status change "Permission denied" in @Actions, despite an action clearly having happened. While the simplest method for ensuring that the transaction can be read would be to load it as the system user, this causes the returned message to be in the system user's localization, not the current user's. Add an explicit flag which allows ->CurrentUserCanSee to be overridden for this one object.
-
- 25 Oct, 2012 13 commits
-
-
Kevin Falcone authored
Conflicts: lib/RT/Attachment_Overlay.pm lib/RT/Interface/Web.pm lib/RT/Queue_Overlay.pm lib/RT/Template_Overlay.pm lib/RT/User_Overlay.pm share/html/Admin/Queues/Modify.html share/html/NoAuth/css/base/misc.css t/web/crypt-gnupg.t
-
Kevin Falcone authored
-
Kevin Falcone authored
-
Kevin Falcone authored
-
Kevin Falcone authored
-
Kevin Falcone authored
-
Kevin Falcone authored
-
Kevin Falcone authored
-
Kevin Falcone authored
-
Kevin Falcone authored
-
Kevin Falcone authored
-
Kevin Falcone authored
-
Kevin Falcone authored
-
- 24 Oct, 2012 4 commits
-
-
Alex Vandiver authored
-
Alex Vandiver authored
-
Thomas Sibley authored
Instead of generating double or triple slashes and then removing them with a regex, simply avoid generating the extra slashes in the first place by skipping the append if the parent path already has a trailing slash. Switch to always making an absolute (although often schemeless) URI object, even if there's no parent or parent path. If no parent path exists, simply use "/". This ensures the path correctly concatenates with WebPath. Resolves [rt3 #21304] in which overzealous slash smashing in 9b8d1425 broke menu paths with schemes after 4.0.7.
-
Thomas Sibley authored
-
- 23 Oct, 2012 4 commits
-
-
Thomas Sibley authored
-
Thomas Sibley authored
-
Thomas Sibley authored
-
Thomas Sibley authored
-
- 18 Oct, 2012 2 commits
-
-
Kevin Falcone authored
-
Alex Vandiver authored
7f9b93f7 introduced this file, intending it to be referenced when documentation was published into local installs. However, the line referencing it was commented out in 03339d5d and removed completely in 981758cf, due to moving to publishing on docs.bestpractical.com instead, which provides its own CSS. Remove the no longer referenced file, and thus the directory as well.
-
- 15 Oct, 2012 3 commits
-
-
Kevin Falcone authored
-
Tim Cutts authored
The fake methods were returning the object instance itself, rather than a data type compatible with what the real object does. While this does not cause any bugs at this point, it could lead to unexpected consequences in the future; for example, anything calling headers_out in an array context would break, even though it's a valid thing to do.
-
Tim Cutts authored
RT::Extension::ActivityReports makes a call which requires the fake web request object to implement this method. [rt3 #20871]
-
- 10 Oct, 2012 1 commit
-
-
Alex Vandiver authored
-
- 09 Oct, 2012 4 commits
-
-
Thomas Sibley authored
3.8-era and older upgrading docs are in the root and are still manually converted from plain text to HTML. This conveniently avoids the need to backport Alex's commit to update the upgrading formatting. An unfortunate workaround is needed for a Pod::Simple::Search limitation.
-
Alex Vandiver authored
No content changes, with the exception of one or two section headings added.
-
Alex Vandiver authored
-
Alex Vandiver authored
-
- 08 Oct, 2012 5 commits
-
-
Thomas Sibley authored
Unlikely, but possible if the session got a login form before the security upgrade and submitted the same form after the upgrade. (cherry picked from commit 496e93fe)
-
Thomas Sibley authored
We now have the means to be slightly less vague than "perform actions".
-
Thomas Sibley authored
This helps prevent phishing where the user follows a malicious link and isn't logged in yet. Previously there was no indication of what would happen after login. The CSRF protection does somewhat double duty and provides the same measure of phishing protection when the user is already logged in, but it is never triggered by unauthenticated requests. The warnings on login are controlled by the same configuration as CSRF.
-
Jim Brandt authored
GnuPG added DECRYPTION_INFO in version 1.4.12. https://gitorious.org/gnupg-org/gnupg/commit/cfb193a1de2f0553ee65a19a417a885938539225 (cherry picked from commit ea2a23c9)
-
Kevin Falcone authored
Without this, anyone running rt tests on 1.4.12 rather than 1.4.10 would end up with changes in the test suite. This should be back-compat to 1.4.10. (cherry picked from commit 41dc5b44) (cherry picked from commit 19c26e9111264d9ce8d1c0203827131f7edc86c3)
-