itflow-org · cs2000 · Feb 9, 2026 · Feb 9, 2026 · Feb 9, 2026 · Feb 9, 2026
diff --git a/admin/database_updates.php b/admin/database_updates.php
diff --git a/admin/post/settings_ai.php b/admin/post/settings_ai.php
@@ -1,27 +1,27 @@
-<?php
-
-defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
-
-if (isset($_POST['edit_ai_settings'])) {
-
-    validateCSRFToken($_POST['csrf_token']);
-
-    $provider = sanitizeInput($_POST['provider']);
-    if($provider){
-        $ai_enable = 1;
-    } else {
-        $ai_enable = 0;
-    }
-    $model = sanitizeInput($_POST['model']);
-    $url = sanitizeInput($_POST['url']);
-    $api_key = sanitizeInput($_POST['api_key']);
-
-    mysqli_query($mysqli,"UPDATE settings SET config_ai_enable = $ai_enable, config_ai_provider = '$provider', config_ai_model = '$model', config_ai_url = '$url', config_ai_api_key = '$api_key' WHERE company_id = 1");
-
-    logAction("Settings", "Edit", "$session_name edited AI settings");
-
-    flash_alert("AI Settings updated");
-
-    redirect();
-
-}
+<?php
+
+defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
+
+if (isset($_POST['edit_ai_settings'])) {
+
+    validateCSRFToken($_POST['csrf_token']);
+
+    $provider = sanitizeInput($_POST['provider']);
+    if($provider){
+        $ai_enable = 1;
+    } else {
+        $ai_enable = 0;
+    }
+    $model = sanitizeInput($_POST['model']);
+    $url = sanitizeInput($_POST['url']);
+    $api_key = sanitizeInput($_POST['api_key']);
+
+    mysqli_query($mysqli,"UPDATE settings SET config_ai_enable = $ai_enable, config_ai_provider = '$provider', config_ai_model = '$model', config_ai_url = '$url', config_ai_api_key = '$api_key' WHERE company_id = 1");
+
+    logAction("Settings", "Edit", "$session_name edited AI settings");
+
+    flash_alert("AI Settings updated");
+
+    redirect();
+
+}
diff --git a/admin/post/settings_mail.php b/admin/post/settings_mail.php
@@ -6,25 +6,31 @@
     define('MICROSOFT_OAUTH_BASE_URL', 'https://login.microsoftonline.com/');
 }
 
-if (isset($_POST['oauth_connect_microsoft_mail'])) {
+if (isset($_POST['oauth_connect_microsoft_mail'])) {
 
     validateCSRFToken($_POST['csrf_token']);
 
     // Save current IMAP/OAuth form values first so auth flow always uses latest inputs.
-    $config_imap_provider = sanitizeInput($_POST['config_imap_provider'] ?? '');
-    $config_imap_username = sanitizeInput($_POST['config_imap_username'] ?? '');
+    $config_imap_provider = sanitizeInput($_POST['config_imap_provider'] ?? '');
+    $config_imap_username = sanitizeInput($_POST['config_imap_username'] ?? '');
+    $config_imap_processed_folder = sanitizeInput($_POST['config_imap_processed_folder'] ?? 'ITFlow');
     $config_mail_oauth_client_id = sanitizeInput($_POST['config_mail_oauth_client_id'] ?? '');
     $config_mail_oauth_client_secret = sanitizeInput($_POST['config_mail_oauth_client_secret'] ?? '');
     $config_mail_oauth_tenant_id = sanitizeInput($_POST['config_mail_oauth_tenant_id'] ?? '');
     $config_mail_oauth_refresh_token = sanitizeInput($_POST['config_mail_oauth_refresh_token'] ?? '');
     $config_mail_oauth_access_token = sanitizeInput($_POST['config_mail_oauth_access_token'] ?? '');
 
-    mysqli_query($mysqli, "UPDATE settings SET
-        config_imap_provider = '$config_imap_provider',
-        config_imap_username = '$config_imap_username',
-        config_mail_oauth_client_id = '$config_mail_oauth_client_id',
-        config_mail_oauth_client_secret = '$config_mail_oauth_client_secret',
-        config_mail_oauth_tenant_id = '$config_mail_oauth_tenant_id',
+    if (empty($config_imap_processed_folder)) {
+        $config_imap_processed_folder = 'ITFlow';
+    }
+
+    mysqli_query($mysqli, "UPDATE settings SET
+        config_imap_provider = '$config_imap_provider',
+        config_imap_username = '$config_imap_username',
+        config_imap_processed_folder = '$config_imap_processed_folder',
+        config_mail_oauth_client_id = '$config_mail_oauth_client_id',
+        config_mail_oauth_client_secret = '$config_mail_oauth_client_secret',
+        config_mail_oauth_tenant_id = '$config_mail_oauth_tenant_id',
         config_mail_oauth_refresh_token = '$config_mail_oauth_refresh_token',
         config_mail_oauth_access_token = '$config_mail_oauth_access_token'
         WHERE company_id = 1
@@ -121,12 +127,13 @@
 
     validateCSRFToken($_POST['csrf_token']);
 
-    $config_imap_provider            = sanitizeInput($_POST['config_imap_provider']);
-    $config_imap_host                = sanitizeInput($_POST['config_imap_host']);
-    $config_imap_port                = intval($_POST['config_imap_port'] ?? 0);
-    $config_imap_encryption          = sanitizeInput($_POST['config_imap_encryption']);
-    $config_imap_username            = sanitizeInput($_POST['config_imap_username']);
-    $config_imap_password            = sanitizeInput($_POST['config_imap_password']);
+    $config_imap_provider            = sanitizeInput($_POST['config_imap_provider']);
+    $config_imap_host                = sanitizeInput($_POST['config_imap_host']);
+    $config_imap_port                = intval($_POST['config_imap_port'] ?? 0);
+    $config_imap_encryption          = sanitizeInput($_POST['config_imap_encryption']);
+    $config_imap_username            = sanitizeInput($_POST['config_imap_username']);
+    $config_imap_password            = sanitizeInput($_POST['config_imap_password']);
+    $config_imap_processed_folder    = sanitizeInput($_POST['config_imap_processed_folder'] ?? 'ITFlow');
 
     // Shared OAuth fields
     $config_mail_oauth_client_id     = sanitizeInput($_POST['config_mail_oauth_client_id']);
@@ -135,17 +142,22 @@
     $config_mail_oauth_refresh_token = sanitizeInput($_POST['config_mail_oauth_refresh_token']);
     $config_mail_oauth_access_token  = sanitizeInput($_POST['config_mail_oauth_access_token']);
 
-    mysqli_query($mysqli, "
-        UPDATE settings SET
-            config_imap_provider              = '$config_imap_provider',
-            config_imap_host                  = '$config_imap_host',
-            config_imap_port                  = $config_imap_port,
-            config_imap_encryption            = '$config_imap_encryption',
-            config_imap_username              = '$config_imap_username',
-            config_imap_password              = '$config_imap_password',
-            config_mail_oauth_client_id       = '$config_mail_oauth_client_id',
-            config_mail_oauth_client_secret   = '$config_mail_oauth_client_secret',
-            config_mail_oauth_tenant_id       = '$config_mail_oauth_tenant_id',
+    if (empty($config_imap_processed_folder)) {
+        $config_imap_processed_folder = 'ITFlow';
+    }
+
+    mysqli_query($mysqli, "
+        UPDATE settings SET
+            config_imap_provider              = '$config_imap_provider',
+            config_imap_host                  = '$config_imap_host',
+            config_imap_port                  = $config_imap_port,
+            config_imap_encryption            = '$config_imap_encryption',
+            config_imap_username              = '$config_imap_username',
+            config_imap_password              = '$config_imap_password',
+            config_imap_processed_folder      = '$config_imap_processed_folder',
+            config_mail_oauth_client_id       = '$config_mail_oauth_client_id',
+            config_mail_oauth_client_secret   = '$config_mail_oauth_client_secret',
+            config_mail_oauth_tenant_id       = '$config_mail_oauth_tenant_id',
             config_mail_oauth_refresh_token   = '$config_mail_oauth_refresh_token',
             config_mail_oauth_access_token    = '$config_mail_oauth_access_token'
         WHERE company_id = 1

diff --git a/admin/settings_mail.php b/admin/settings_mail.php
@@ -172,21 +172,38 @@
                     </div>
                 </div>
 
-                <div class='form-group' id="imap_password_group">
-                    <label>IMAP Password</label>
-                    <div class='input-group'>
-                        <div class='input-group-prepend'>
-                            <span class='input-group-text'><i class='fa fa-fw fa-key'></i></span>
+                <div class='form-group' id="imap_password_group">
+                    <label>IMAP Password</label>
+                    <div class='input-group'>
+                        <div class='input-group-prepend'>
+                            <span class='input-group-text'><i class='fa fa-fw fa-key'></i></span>
                         </div>
                         <input type='password' class='form-control' data-toggle='password' name='config_imap_password' placeholder='Password (not used for OAuth)' value="<?php echo nullable_htmlentities($config_imap_password); ?>" autocomplete='new-password'>
                         <div class='input-group-append'>
                             <span class='input-group-text'><i class='fa fa-fw fa-eye'></i></span>
-                        </div>
-                    </div>
-                </div>
-
-                <!-- OAuth shared fields (show for google_oauth / microsoft_oauth) -->
-                <div id="smtp_oauth_fields" style="display:none;">
+                        </div>
+                    </div>
+                </div>
+
+                <hr>
+                <h5 class="mb-2">Processed Email Handling</h5>
+                <p class="text-secondary">Processed emails are marked as read and moved to the folder below.</p>
+
+                <div class="form-group" id="imap_processed_folder_row">
+                    <label>Processed email folder</label>
+                    <div class="input-group">
+                        <div class="input-group-prepend">
+                            <span class="input-group-text"><i class="fa fa-fw fa-folder"></i></span>
+                        </div>
+                        <input type="text" class="form-control" name="config_imap_processed_folder"
+                               placeholder="Example: ITFlow or INBOX/ITFlow"
+                               value="<?php echo nullable_htmlentities($config_imap_processed_folder ?? 'ITFlow'); ?>">
+                    </div>
+                    <small class="text-secondary d-block mt-1">Processed emails are marked as read and moved to this folder (created if missing).</small>
+                </div>
+
+                <!-- OAuth shared fields (show for google_oauth / microsoft_oauth) -->
+                <div id="smtp_oauth_fields" style="display:none;">
                     <hr>
                     <h5 class="mb-2">OAuth Settings (shared for IMAP & SMTP)</h5>
                     <p class="text-secondary" id="oauth_hint">
@@ -581,10 +598,11 @@ function toggle(){
   wireProvider('config_imap_provider', 'standard_fields', 'imap_password_group',
                'oauth_fields', 'tenant_row', 'imap_provider_hint', 'oauth_hint');
 
-  // SMTP (the IDs we just added)
-  wireProvider('config_smtp_provider', 'smtp_standard_fields', 'smtp_password_group',
-               'smtp_oauth_fields', 'smtp_tenant_row', 'smtp_provider_hint', 'smtp_oauth_hint');
-})();
-</script>
+  // SMTP (the IDs we just added)
+  wireProvider('config_smtp_provider', 'smtp_standard_fields', 'smtp_password_group',
+               'smtp_oauth_fields', 'smtp_tenant_row', 'smtp_provider_hint', 'smtp_oauth_hint');
+
+})();
+</script>
 
 <?php require_once "../includes/footer.php";
diff --git a/cron/ticket_email_parser.php b/cron/ticket_email_parser.php
@@ -572,18 +572,56 @@ function getMicrosoftAccessToken(string $username): ?string {
     exit(1);
 }
 
-$inbox = $client->getFolderByPath('INBOX');
-
-$targetFolderPath = 'ITFlow';
-try {
-    $targetFolder = $client->getFolderByPath($targetFolderPath);
-} catch (\Throwable $e) {
-    $client->createFolder($targetFolderPath);
-    $targetFolder = $client->getFolderByPath($targetFolderPath);
-}
-
-// Fetch unseen messages
-$messages = $inbox->messages()->leaveUnread()->unseen()->get();
+$inbox = $client->getFolderByPath('INBOX');
+
+$processed_folder = trim((string) ($config_imap_processed_folder ?? 'ITFlow'));
+if ($processed_folder === '') {
+    $processed_folder = 'ITFlow';
+}
+
+$delimiter = $inbox->delimiter ?? '/';
+$inbox_path = $inbox->path ?? 'INBOX';
+$targetFolderPath = $processed_folder;
+$targetFolder = null;
+$candidate_paths = [$processed_folder];
+if (stripos($processed_folder, 'inbox') !== 0 && strpos($processed_folder, $delimiter) === false) {
+    array_unshift($candidate_paths, $inbox_path . $delimiter . $processed_folder);
+    if ($delimiter !== '.') {
+        $candidate_paths[] = $inbox_path . '.' . $processed_folder;
+    }
+}
+
+foreach ($candidate_paths as $candidate_path) {
+    try {
+        $targetFolder = $client->getFolderByPath($candidate_path);
+        $targetFolderPath = $candidate_path;
+        break;
+    } catch (\Throwable $e) {
+        try {
+            if (stripos($candidate_path, 'inbox') === 0 && strpos($candidate_path, $inbox_path) === 0) {
+                $inbox->getClient()->createFolder($candidate_path, false);
+            } else {
+                $client->createFolder($candidate_path, false);
+            }
+            $targetFolder = $client->getFolderByPath($candidate_path);
+            $targetFolderPath = $candidate_path;
+            break;
+        } catch (\Throwable $inner) {
+            logApp(
+                "Cron-Email-Parser",
+                "warning",
+                "Unable to create processed folder [$candidate_path]: ".$inner->getMessage()
+            );
+        }
+    }
+}
+
+// Fetch unseen messages (ensure UID sequence for MOVE/COPY)
+$messages = $inbox->messages()
+    ->leaveUnread()
+    ->unseen()
+    ->setSequence(\Webklex\PHPIMAP\IMAP::ST_UID)
+    ->get();
 
 // Counters
 $processed_count = 0;
@@ -850,26 +888,82 @@ function getMicrosoftAccessToken(string $username): ?string {
     }
 
 
-    // Flag/move based on processing result
-    if ($email_processed) {
-        $processed_count++; // increment first so a move failure doesn't hide the success
-        try {
-            $message->setFlag('Seen');
-            // Move using the Folder object (top-level "ITFlow")
-            $message->move($targetFolderPath);
-            // optional: logApp("Cron-Email-Parser", "info", "Moved message to ITFlow");
-        } catch (\Throwable $e) {
-            // >>> Put the extra logging RIGHT HERE
-            $subj = (string)$message->getSubject();
-            $uid  = method_exists($message, 'getUid') ? $message->getUid() : 'n/a';
-            $path = (is_object($targetFolder) && property_exists($targetFolder, 'path')) ? (string)$targetFolder->path : $targetFolderPath;
-            logApp(
-                "Cron-Email-Parser",
-                "warning",
-                "Move failed (subject=\"$subj\", uid=$uid) to [$path]: ".$e->getMessage()
-            );
-        }
-    } else {
+    // Flag/move based on processing result
+    if ($email_processed) {
+        $processed_count++; // increment first so a move failure doesn't hide the success
+        try {
+            $message->setFlag('Seen');
+            $move_path = (is_object($targetFolder) && property_exists($targetFolder, 'path'))
+                ? (string) $targetFolder->path
+                : $targetFolderPath;
+
+            $client->openFolder($inbox_path);
+
+            try {
+                $move_ok = $client->getConnection()
+                    ->moveMessage($move_path, $message->getSequenceId(), null, \Webklex\PHPIMAP\IMAP::ST_UID)
+                    ->validatedData();
+            } catch (\Throwable $move_error) {
+                $move_ok = false;
+                $move_exception = $move_error;
+            }
+
+            if (!$move_ok && isset($move_exception) && stripos($move_exception->getMessage(), 'TRYCREATE') !== false) {
+                try {
+                    $client->createFolder($move_path, false);
+                    $move_ok = $client->getConnection()
+                        ->moveMessage($move_path, $message->getSequenceId(), null, \Webklex\PHPIMAP\IMAP::ST_UID)
+                        ->validatedData();
+                } catch (\Throwable $retry_error) {
+                    $move_ok = false;
+                    $move_exception = $retry_error;
+                }
+            }
+
+            if (!$move_ok) {
+                $copy_exception = null;
+                try {
+                    $copy_ok = $client->getConnection()
+                        ->copyMessage($move_path, $message->getSequenceId(), null, \Webklex\PHPIMAP\IMAP::ST_UID)
+                        ->validatedData();
+                    if (!$copy_ok && isset($move_exception) && stripos($move_exception->getMessage(), 'TRYCREATE') !== false) {
+                        $client->createFolder($move_path, false);
+                        $copy_ok = $client->getConnection()
+                            ->copyMessage($move_path, $message->getSequenceId(), null, \Webklex\PHPIMAP\IMAP::ST_UID)
+                            ->validatedData();
+                    }
+                    if (!$copy_ok) {
+                        $move_msg = isset($move_exception) ? $move_exception->getMessage() : 'MOVE returned false';
+                        $copy_msg = $copy_exception ? $copy_exception->getMessage() : 'COPY returned false';
+                        throw new RuntimeException("Move failed (MOVE: $move_msg) (COPY+DELETE: $copy_msg)");
+                    }
+                    $client->getConnection()
+                        ->store(['\\Deleted'], $message->getSequenceId(), null, null, true, \Webklex\PHPIMAP\IMAP::ST_UID)
+                        ->validatedData();
+                    $client->expunge();
+                } catch (\Throwable $copy_error) {
+                    $copy_ok = false;
+                    $copy_exception = $copy_error;
+                }
+                if (!$copy_ok) {
+                    $move_msg = isset($move_exception) ? $move_exception->getMessage() : 'MOVE returned false';
+                    $copy_msg = $copy_exception ? $copy_exception->getMessage() : 'COPY returned false';
+                    throw new RuntimeException("Move failed (MOVE: $move_msg) (COPY+DELETE: $copy_msg)");
+                }
+            }
+        } catch (\Throwable $e) {
+            // >>> Put the extra logging RIGHT HERE
+            $subj = (string)$message->getSubject();
+            $seq_id = method_exists($message, 'getSequenceId') ? $message->getSequenceId() : 'n/a';
+            $seq_type = method_exists($message, 'getSequence') ? $message->getSequence() : 'n/a';
+            $path = (is_object($targetFolder) && property_exists($targetFolder, 'path')) ? (string)$targetFolder->path : $targetFolderPath;
+            logApp(
+                "Cron-Email-Parser",
+                "warning",
+                "Post-process failed (subject=\"$subj\", seq_id=$seq_id, seq_type=$seq_type) to [$path]: ".$e->getMessage()
+            );
+        }
+    } else {
         $unprocessed_count++;
         try {
             $message->setFlag('Flagged');