Merge branch 'master' into ui-logic-rework

# Conflicts: # src/Squidex/app/features/administration/pages/users/user-page.component.ts # src/Squidex/app/features/settings/pages/contributors/contributors-page.component.html # src/Squidex/app/features/settings/pages/contributors/contributors-page.component.ts # src/Squidex/app/features/settings/pages/plans/plans-page.component.html # src/Squidex/app/shared/components/pipes.ts # src/Squidex/app/shared/services/users.service.spec.ts # src/Squidex/app/shared/services/users.service.ts
8 years ago · 1a5d163dba
57 changed files with 849 additions and 288 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -1,3 +1,8 @@
+clone:
+  git:
+    image: plugins/git:next
+    pull: true
+
 pipeline:
  test_pull_request:
    image: docker
--- a/LICENSE.txt
+++ b/LICENSE.txt
@ -18,4 +18,4 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+SOFTWARE. 
--- a/src/Squidex.Domain.Apps.Entities/Apps/AppGrain.cs
+++ b/src/Squidex.Domain.Apps.Entities/Apps/AppGrain.cs
@ -70,11 +70,13 @@ namespace Squidex.Domain.Apps.Entities.Apps
                    });

                case AssignContributor assigneContributor:
-                    return UpdateAsync(assigneContributor, async c =>
+                    return UpdateReturnAsync(assigneContributor, async c =>
                    {
                        await GuardAppContributors.CanAssign(Snapshot.Contributors, c, userResolver, appPlansProvider.GetPlan(Snapshot.Plan?.PlanId));

                        AssignContributor(c);
+
+                        return EntityCreatedResult.Create(c.ContributorId, NewVersion);
                    });

                case RemoveContributor removeContributor:
--- a/src/Squidex.Domain.Apps.Entities/Apps/Guards/GuardAppContributors.cs
+++ b/src/Squidex.Domain.Apps.Entities/Apps/Guards/GuardAppContributors.cs
@ -34,20 +34,27 @@ namespace Squidex.Domain.Apps.Entities.Apps.Guards
                }
                else
                {
-                    if (await users.FindByIdAsync(command.ContributorId) == null)
+                    var user = await users.FindByIdOrEmailAsync(command.ContributorId);
+
+                    if (user == null)
                    {
                        error(new ValidationError("Cannot find contributor id.", nameof(command.ContributorId)));
                    }
-                    else if (contributors.TryGetValue(command.ContributorId, out var existing))
+                    else
                    {
-                        if (existing == command.Permission)
+                        command.ContributorId = user.Id;
+
+                        if (contributors.TryGetValue(command.ContributorId, out var existing))
                        {
-                            error(new ValidationError("Contributor has already this permission.", nameof(command.Permission)));
+                            if (existing == command.Permission)
+                            {
+                                error(new ValidationError("Contributor has already this permission.", nameof(command.Permission)));
+                            }
+                        }
+                        else if (plan.MaxContributors == contributors.Count)
+                        {
+                            error(new ValidationError("You have reached the maximum number of contributors for your plan."));
                        }
-                    }
-                    else if (plan.MaxContributors == contributors.Count)
-                    {
-                        error(new ValidationError("You have reached the maximum number of contributors for your plan."));
                    }
                }
            });
--- a/src/Squidex.Domain.Apps.Entities/Apps/Services/IAppLimitsPlan.cs
+++ b/src/Squidex.Domain.Apps.Entities/Apps/Services/IAppLimitsPlan.cs
@ -15,6 +15,10 @@ namespace Squidex.Domain.Apps.Entities.Apps.Services

        string Costs { get; }

+        string YearlyCosts { get; }
+
+        string YearlyId { get; }
+
        long MaxApiCalls { get; }

        long MaxAssetSize { get; }
--- a/src/Squidex.Domain.Apps.Entities/Apps/Services/Implementations/ConfigAppLimitsPlan.cs
+++ b/src/Squidex.Domain.Apps.Entities/Apps/Services/Implementations/ConfigAppLimitsPlan.cs
@ -15,6 +15,10 @@ namespace Squidex.Domain.Apps.Entities.Apps.Services.Implementations

        public string Costs { get; set; }

+        public string YearlyCosts { get; set; }
+
+        public string YearlyId { get; set; }
+
        public long MaxApiCalls { get; set; }

        public long MaxAssetSize { get; set; }
--- a/src/Squidex.Domain.Apps.Entities/Apps/Services/Implementations/ConfigAppPlansProvider.cs
+++ b/src/Squidex.Domain.Apps.Entities/Apps/Services/Implementations/ConfigAppPlansProvider.cs
@ -23,15 +23,23 @@ namespace Squidex.Domain.Apps.Entities.Apps.Services.Implementations
            MaxContributors = -1
        };

-        private readonly Dictionary<string, ConfigAppLimitsPlan> plansById;
-        private readonly List<ConfigAppLimitsPlan> plansList;
+        private readonly Dictionary<string, ConfigAppLimitsPlan> plansById = new Dictionary<string, ConfigAppLimitsPlan>(StringComparer.OrdinalIgnoreCase);
+        private readonly List<ConfigAppLimitsPlan> plansList = new List<ConfigAppLimitsPlan>();

        public ConfigAppPlansProvider(IEnumerable<ConfigAppLimitsPlan> config)
        {
            Guard.NotNull(config, nameof(config));

-            plansList = config.Select(c => c.Clone()).OrderBy(x => x.MaxApiCalls).ToList();
-            plansById = plansList.ToDictionary(c => c.Id, StringComparer.OrdinalIgnoreCase);
+            foreach (var plan in config.OrderBy(x => x.MaxApiCalls).Select(x => x.Clone()))
+            {
+                plansList.Add(plan);
+                plansById[plan.Id] = plan;
+
+                if (!string.IsNullOrWhiteSpace(plan.YearlyId) && !string.IsNullOrWhiteSpace(plan.YearlyCosts))
+                {
+                    plansById[plan.YearlyId] = plan;
+                }
+            }
        }

        public IEnumerable<IAppLimitsPlan> GetAvailablePlans()
--- a/src/Squidex.Domain.Users.MongoDb/MongoUserStore.cs
+++ b/src/Squidex.Domain.Users.MongoDb/MongoUserStore.cs
@ -12,6 +12,7 @@ using System.Security.Claims;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Identity;
+using MongoDB.Bson;
 using MongoDB.Driver;
 using Squidex.Infrastructure.MongoDb;
 using Squidex.Infrastructure.Tasks;
@ -72,9 +73,16 @@ namespace Squidex.Domain.Users.MongoDb
            return new MongoUser { Email = email, UserName = email };
        }

-        public async Task<IUser> FindByIdAsync(string id)
+        public async Task<IUser> FindByIdOrEmailAsync(string id)
        {
-            return await Collection.Find(x => x.Id == id).FirstOrDefaultAsync();
+            if (ObjectId.TryParse(id, out var parsed))
+            {
+                return await Collection.Find(x => x.Id == id).FirstOrDefaultAsync();
+            }
+            else
+            {
+                return await Collection.Find(x => x.NormalizedEmail == id.ToUpperInvariant()).FirstOrDefaultAsync();
+            }
        }

        public async Task<IUser> FindByIdAsync(string userId, CancellationToken cancellationToken)
--- a/src/Squidex.Domain.Users/UserExtensions.cs
+++ b/src/Squidex.Domain.Users/UserExtensions.cs
@ -35,6 +35,11 @@ namespace Squidex.Domain.Users
            user.SetClaim(SquidexClaimTypes.SquidexPictureUrl, GravatarHelper.CreatePictureUrl(email));
        }

+        public static void SetHidden(this IUser user, bool value)
+        {
+            user.SetClaim(SquidexClaimTypes.SquidexHidden, value.ToString());
+        }
+
        public static void SetConsent(this IUser user)
        {
            user.SetClaim(SquidexClaimTypes.SquidexConsent, "true");
@ -45,6 +50,11 @@ namespace Squidex.Domain.Users
            user.SetClaim(SquidexClaimTypes.SquidexConsentForEmails, value.ToString());
        }

+        public static bool IsHidden(this IUser user)
+        {
+            return user.HasClaimValue(SquidexClaimTypes.SquidexHidden, "true");
+        }
+
        public static bool HasConsent(this IUser user)
        {
            return user.HasClaimValue(SquidexClaimTypes.SquidexConsent, "true");
--- a/src/Squidex.Domain.Users/UserManagerExtensions.cs
+++ b/src/Squidex.Domain.Users/UserManagerExtensions.cs
@ -71,8 +71,9 @@ namespace Squidex.Domain.Users
            return user;
        }

-        public static Task<IdentityResult> UpdateAsync(this UserManager<IUser> userManager, IUser user, string email, string displayName)
+        public static Task<IdentityResult> UpdateAsync(this UserManager<IUser> userManager, IUser user, string email, string displayName, bool hidden)
        {
+            user.SetHidden(hidden);
            user.SetEmail(email);
            user.SetDisplayName(displayName);

--- a/src/Squidex.Infrastructure/EventSourcing/Grains/OrleansEventNotifier.cs
+++ b/src/Squidex.Infrastructure/EventSourcing/Grains/OrleansEventNotifier.cs
@ -10,26 +10,24 @@ using Orleans;

 namespace Squidex.Infrastructure.EventSourcing.Grains
 {
-    public sealed class OrleansEventNotifier : IEventNotifier, IInitializable
+    public sealed class OrleansEventNotifier : IEventNotifier
    {
        private readonly IGrainFactory factory;
-        private IEventConsumerManagerGrain eventConsumerManagerGrain;
+        private readonly Lazy<IEventConsumerManagerGrain> eventConsumerManagerGrain;

        public OrleansEventNotifier(IGrainFactory factory)
        {
            Guard.NotNull(factory, nameof(factory));

-            this.factory = factory;
-        }
-
-        public void Initialize()
-        {
-            eventConsumerManagerGrain = factory.GetGrain<IEventConsumerManagerGrain>("Default");
+            eventConsumerManagerGrain = new Lazy<IEventConsumerManagerGrain>(() =>
+            {
+                return factory.GetGrain<IEventConsumerManagerGrain>("Default");
+            });
        }

        public void NotifyEventsStored(string streamName)
        {
-            eventConsumerManagerGrain?.ActivateAsync(streamName);
+            eventConsumerManagerGrain.Value.ActivateAsync(streamName);
        }

        public IDisposable Subscribe(Action<string> handler)
--- a/src/Squidex.Infrastructure/Orleans/Bootstrap.cs
+++ b/src/Squidex.Infrastructure/Orleans/Bootstrap.cs
@ -14,6 +14,7 @@ namespace Squidex.Infrastructure.Orleans
 {
    public sealed class Bootstrap<T> : IStartupTask where T : IBackgroundGrain
    {
+        private const int NumTries = 10;
        private readonly IGrainFactory grainFactory;

        public Bootstrap(IGrainFactory grainFactory)
@ -23,11 +24,26 @@ namespace Squidex.Infrastructure.Orleans
            this.grainFactory = grainFactory;
        }

-        public Task Execute(CancellationToken cancellationToken)
+        public async Task Execute(CancellationToken cancellationToken)
        {
-            var grain = grainFactory.GetGrain<T>("Default");
+            for (var i = 1; i <= NumTries; i++)
+            {
+                try
+                {
+                    var grain = grainFactory.GetGrain<T>("Default");

-            return grain.ActivateAsync();
+                    await grain.ActivateAsync();
+
+                    return;
+                }
+                catch (OrleansException)
+                {
+                    if (i == NumTries)
+                    {
+                        throw;
+                    }
+                }
+            }
        }
    }
 }
--- a/src/Squidex.Shared/Identity/SquidexClaimTypes.cs
+++ b/src/Squidex.Shared/Identity/SquidexClaimTypes.cs
@ -17,6 +17,8 @@ namespace Squidex.Shared.Identity

        public static readonly string SquidexConsentForEmails = "urn:squidex:consent:emails";

+        public static readonly string SquidexHidden = "urn:squidex:hidden";
+
        public static readonly string Prefix = "urn:squidex:";
    }
 }
--- a/src/Squidex.Shared/Users/IUserResolver.cs
+++ b/src/Squidex.Shared/Users/IUserResolver.cs
@ -11,6 +11,6 @@ namespace Squidex.Shared.Users
 {
    public interface IUserResolver
    {
-        Task<IUser> FindByIdAsync(string id);
+        Task<IUser> FindByIdOrEmailAsync(string idOrEmail);
    }
 }
--- a/src/Squidex/Areas/Api/Controllers/Apps/AppContributorsController.cs
+++ b/src/Squidex/Areas/Api/Controllers/Apps/AppContributorsController.cs
@ -65,19 +65,24 @@ namespace Squidex.Areas.Api.Controllers.Apps
        /// <param name="app">The name of the app.</param>
        /// <param name="request">Contributor object that needs to be added to the app.</param>
        /// <returns>
-        /// 204 => User assigned to app.
+        /// 200 => User assigned to app.
        /// 400 => User is already assigned to the app or not found.
        /// 404 => App not found.
        /// </returns>
        [HttpPost]
        [Route("apps/{app}/contributors/")]
+        [ProducesResponseType(typeof(ContributorAssignedDto), 201)]
        [ProducesResponseType(typeof(ErrorDto), 400)]
        [ApiCosts(1)]
        public async Task<IActionResult> PostContributor(string app, [FromBody] AssignAppContributorDto request)
        {
-            await CommandBus.PublishAsync(SimpleMapper.Map(request, new AssignContributor()));
+            var command = SimpleMapper.Map(request, new AssignContributor());
+            var context = await CommandBus.PublishAsync(command);

-            return NoContent();
+            var result = context.Result<EntityCreatedResult<string>>();
+            var response = new ContributorAssignedDto { ContributorId = result.IdOrValue };
+
+            return Ok(response);
        }

        /// <summary>
--- a/src/Squidex/Areas/Api/Controllers/Apps/AppsController.cs
+++ b/src/Squidex/Areas/Api/Controllers/Apps/AppsController.cs
@ -99,7 +99,6 @@ namespace Squidex.Areas.Api.Controllers.Apps
        public async Task<IActionResult> PostApp([FromBody] CreateAppDto request)
        {
            var command = SimpleMapper.Map(request, new CreateApp());
-
            var context = await CommandBus.PublishAsync(command);

            var result = context.Result<EntityCreatedResult<Guid>>();
--- a/src/Squidex/Areas/Api/Controllers/Apps/Models/AssignAppContributorDto.cs
+++ b/src/Squidex/Areas/Api/Controllers/Apps/Models/AssignAppContributorDto.cs
@ -15,7 +15,7 @@ namespace Squidex.Areas.Api.Controllers.Apps.Models
    public sealed class AssignAppContributorDto
    {
        /// <summary>
-        /// The id of the user to add to the app.
+        /// The id or email of the user to add to the app.
        /// </summary>
        [Required]
        public string ContributorId { get; set; }
--- a/src/Squidex/Areas/Api/Controllers/Apps/Models/ContributorAssignedDto.cs
+++ b/src/Squidex/Areas/Api/Controllers/Apps/Models/ContributorAssignedDto.cs
@ -0,0 +1,20 @@
+// ==========================================================================
+//  Squidex Headless CMS
+// ==========================================================================
+//  Copyright (c) Squidex UG (haftungsbeschraenkt)
+//  All rights reserved. Licensed under the MIT license.
+// ==========================================================================
+
+using System.ComponentModel.DataAnnotations;
+
+namespace Squidex.Areas.Api.Controllers.Apps.Models
+{
+    public sealed class ContributorAssignedDto
+    {
+        /// <summary>
+        /// The id of the user that has been assigned as contributor.
+        /// </summary>
+        [Required]
+        public string ContributorId { get; set; }
+    }
+}
--- a/src/Squidex/Areas/Api/Controllers/Content/ContentsController.cs
+++ b/src/Squidex/Areas/Api/Controllers/Content/ContentsController.cs
@ -268,7 +268,6 @@ namespace Squidex.Areas.Api.Controllers.Contents
            await contentQuery.FindSchemaAsync(App, name);

            var command = new UpdateContent { ContentId = id, Data = request.ToCleaned() };
-
            var context = await CommandBus.PublishAsync(command);

            var result = context.Result<ContentDataChangedResult>();
@ -301,7 +300,6 @@ namespace Squidex.Areas.Api.Controllers.Contents
            await contentQuery.FindSchemaAsync(App, name);

            var command = new PatchContent { ContentId = id, Data = request.ToCleaned() };
-
            var context = await CommandBus.PublishAsync(command);

            var result = context.Result<ContentDataChangedResult>();
--- a/src/Squidex/Areas/Api/Controllers/Plans/AppPlansController.cs
+++ b/src/Squidex/Areas/Api/Controllers/Plans/AppPlansController.cs
@ -55,11 +55,12 @@ namespace Squidex.Areas.Api.Controllers.Plans
        public IActionResult GetPlans(string app)
        {
            var planId = appPlansProvider.GetPlanForApp(App).Id;
+            var plans = appPlansProvider.GetAvailablePlans().Select(x => SimpleMapper.Map(x, new PlanDto())).ToList();

            var response = new AppPlansDto
            {
                CurrentPlanId = planId,
-                Plans = appPlansProvider.GetAvailablePlans().Select(x => SimpleMapper.Map(x, new PlanDto())).ToList(),
+                Plans = plans,
                PlanOwner = App.Plan?.Owner.Identifier,
                HasPortal = appPlansBillingManager.HasPortal
            };
--- a/src/Squidex/Areas/Api/Controllers/Plans/Models/PlanDto.cs
+++ b/src/Squidex/Areas/Api/Controllers/Plans/Models/PlanDto.cs
@ -5,6 +5,8 @@
 //  All rights reserved. Licensed under the MIT license.
 // ==========================================================================

+using System.ComponentModel.DataAnnotations;
+
 namespace Squidex.Areas.Api.Controllers.Plans.Models
 {
    public sealed class PlanDto
@ -12,18 +14,31 @@ namespace Squidex.Areas.Api.Controllers.Plans.Models
        /// <summary>
        /// The id of the plan.
        /// </summary>
+        [Required]
        public string Id { get; set; }

        /// <summary>
        /// The name of the plan.
        /// </summary>
+        [Required]
        public string Name { get; set; }

        /// <summary>
        /// The monthly costs of the plan.
        /// </summary>
+        [Required]
        public string Costs { get; set; }

+        /// <summary>
+        /// The yearly costs of the plan.
+        /// </summary>
+        public string YearlyCosts { get; set; }
+
+        /// <summary>
+        /// The yearly id of the plan.
+        /// </summary>
+        public string YearlyId { get; set; }
+
        /// <summary>
        /// The maximum number of API calls.
        /// </summary>
--- a/src/Squidex/Areas/Api/Controllers/Schemas/SchemaFieldsController.cs
+++ b/src/Squidex/Areas/Api/Controllers/Schemas/SchemaFieldsController.cs
@ -11,6 +11,7 @@ using NSwag.Annotations;
 using Squidex.Areas.Api.Controllers.Schemas.Models;
 using Squidex.Domain.Apps.Entities.Schemas.Commands;
 using Squidex.Infrastructure.Commands;
+using Squidex.Infrastructure.Reflection;
 using Squidex.Pipeline;

 namespace Squidex.Areas.Api.Controllers.Schemas
@ -50,13 +51,7 @@ namespace Squidex.Areas.Api.Controllers.Schemas
        [ApiCosts(1)]
        public async Task<IActionResult> PostField(string app, string name, [FromBody] AddFieldDto request)
        {
-            var command = new AddField
-            {
-                Name = request.Name,
-                Partitioning = request.Partitioning,
-                Properties = request.Properties.ToProperties()
-            };
-
+            var command = SimpleMapper.Map(request, new AddField { Properties = request.Properties.ToProperties() });
            var context = await CommandBus.PublishAsync(command);

            var result = context.Result<EntityCreatedResult<long>>();
--- a/src/Squidex/Areas/Api/Controllers/Schemas/SchemasController.cs
+++ b/src/Squidex/Areas/Api/Controllers/Schemas/SchemasController.cs
@ -120,7 +120,6 @@ namespace Squidex.Areas.Api.Controllers.Schemas
        public async Task<IActionResult> PostSchema(string app, [FromBody] CreateSchemaDto request)
        {
            var command = request.ToCommand();
-
            var context = await CommandBus.PublishAsync(command);

            var result = context.Result<EntityCreatedResult<Guid>>();
--- a/src/Squidex/Areas/Api/Controllers/Users/Models/CreateUserDto.cs
+++ b/src/Squidex/Areas/Api/Controllers/Users/Models/CreateUserDto.cs
@ -11,13 +11,22 @@ namespace Squidex.Areas.Api.Controllers.Users.Models
 {
    public sealed class CreateUserDto
    {
+        /// <summary>
+        /// The email of the user. Unique value.
+        /// </summary>
        [Required]
        [EmailAddress]
        public string Email { get; set; }

+        /// <summary>
+        /// The display name (usually first name and last name) of the user.
+        /// </summary>
        [Required]
        public string DisplayName { get; set; }

+        /// <summary>
+        /// The password of the user.
+        /// </summary>
        [Required]
        public string Password { get; set; }
    }
--- a/src/Squidex/Areas/Api/Controllers/Users/Models/PublicUserDto.cs
+++ b/src/Squidex/Areas/Api/Controllers/Users/Models/PublicUserDto.cs
@ -0,0 +1,26 @@
+// ==========================================================================
+//  Squidex Headless CMS
+// ==========================================================================
+//  Copyright (c) Squidex UG (haftungsbeschränkt)
+//  All rights reserved. Licensed under the MIT license.
+// ==========================================================================
+
+using System.ComponentModel.DataAnnotations;
+
+namespace Squidex.Areas.Api.Controllers.Users.Models
+{
+    public sealed class PublicUserDto
+    {
+        /// <summary>
+        /// The id of the user.
+        /// </summary>
+        [Required]
+        public string Id { get; set; }
+
+        /// <summary>
+        /// The display name (usually first name and last name) of the user.
+        /// </summary>
+        [Required]
+        public string DisplayName { get; set; }
+    }
+}
--- a/src/Squidex/Areas/Api/Controllers/Users/Models/UpdateUserDto.cs
+++ b/src/Squidex/Areas/Api/Controllers/Users/Models/UpdateUserDto.cs
@ -11,13 +11,22 @@ namespace Squidex.Areas.Api.Controllers.Users.Models
 {
    public sealed class UpdateUserDto
    {
+        /// <summary>
+        /// The email of the user. Unique value.
+        /// </summary>
        [Required]
        [EmailAddress]
        public string Email { get; set; }

+        /// <summary>
+        /// The display name (usually first name and last name) of the user.
+        /// </summary>
        [Required]
        public string DisplayName { get; set; }

+        /// <summary>
+        /// The password of the user.
+        /// </summary>
        public string Password { get; set; }
    }
 }
--- a/src/Squidex/Areas/Api/Controllers/Users/Models/UserCreatedDto.cs
+++ b/src/Squidex/Areas/Api/Controllers/Users/Models/UserCreatedDto.cs
@ -11,10 +11,10 @@ namespace Squidex.Areas.Api.Controllers.Users.Models
 {
    public sealed class UserCreatedDto
    {
+        /// <summary>
+        /// The id of the user.
+        /// </summary>
        [Required]
        public string Id { get; set; }
-
-        [Required]
-        public string PictureUrl { get; set; }
    }
 }
--- a/src/Squidex/Areas/Api/Controllers/Users/Models/UserDto.cs
+++ b/src/Squidex/Areas/Api/Controllers/Users/Models/UserDto.cs
@ -23,12 +23,6 @@ namespace Squidex.Areas.Api.Controllers.Users.Models
        [Required]
        public string Email { get; set; }

-        /// <summary>
-        /// The url to the profile picture of the user.
-        /// </summary>
-        [Required]
-        public string PictureUrl { get; set; }
-
        /// <summary>
        /// The display name (usually first name and last name) of the user.
        /// </summary>
--- a/src/Squidex/Areas/Api/Controllers/Users/UserManagementController.cs
+++ b/src/Squidex/Areas/Api/Controllers/Users/UserManagementController.cs
@ -82,7 +82,7 @@ namespace Squidex.Areas.Api.Controllers.Users
        {
            var user = await userManager.CreateAsync(userFactory, request.Email, request.DisplayName, request.Password);

-            var response = new UserCreatedDto { Id = user.Id, PictureUrl = user.PictureUrl() };
+            var response = new UserCreatedDto { Id = user.Id };

            return Ok(response);
        }
@ -129,7 +129,7 @@ namespace Squidex.Areas.Api.Controllers.Users

        private static UserDto Map(IUser user)
        {
-            return SimpleMapper.Map(user, new UserDto { DisplayName = user.DisplayName(), PictureUrl = user.PictureUrl() });
+            return SimpleMapper.Map(user, new UserDto { DisplayName = user.DisplayName() });
        }

        private bool IsSelf(string id)
--- a/src/Squidex/Areas/Api/Controllers/Users/UsersController.cs
+++ b/src/Squidex/Areas/Api/Controllers/Users/UsersController.cs
@ -65,12 +65,12 @@ namespace Squidex.Areas.Api.Controllers.Users
        [ApiAuthorize]
        [HttpGet]
        [Route("users/")]
-        [ProducesResponseType(typeof(UserDto[]), 200)]
+        [ProducesResponseType(typeof(PublicUserDto[]), 200)]
        public async Task<IActionResult> GetUsers(string query)
        {
            var entities = await userManager.QueryByEmailAsync(query ?? string.Empty);

-            var models = entities.Select(x => SimpleMapper.Map(x, new UserDto { DisplayName = x.DisplayName(), PictureUrl = x.PictureUrl() })).ToArray();
+            var models = entities.Where(x => !x.IsHidden()).Select(x => SimpleMapper.Map(x, new UserDto { DisplayName = x.DisplayName() })).ToArray();

            return Ok(models);
        }
@ -86,7 +86,7 @@ namespace Squidex.Areas.Api.Controllers.Users
        [ApiAuthorize]
        [HttpGet]
        [Route("users/{id}/")]
-        [ProducesResponseType(typeof(UserDto), 200)]
+        [ProducesResponseType(typeof(PublicUserDto), 200)]
        public async Task<IActionResult> GetUser(string id)
        {
            var entity = await userManager.FindByIdAsync(id);
@ -96,7 +96,7 @@ namespace Squidex.Areas.Api.Controllers.Users
                return NotFound();
            }

-            var response = SimpleMapper.Map(entity, new UserDto { DisplayName = entity.DisplayName(), PictureUrl = entity.PictureUrl() });
+            var response = SimpleMapper.Map(entity, new UserDto { DisplayName = entity.DisplayName() });

            return Ok(response);
        }
--- a/src/Squidex/Areas/IdentityServer/Controllers/Profile/ChangeProfileModel.cs
+++ b/src/Squidex/Areas/IdentityServer/Controllers/Profile/ChangeProfileModel.cs
@ -17,5 +17,7 @@ namespace Squidex.Areas.IdentityServer.Controllers.Profile

        [Required(ErrorMessage = "DisplayName is required.")]
        public string DisplayName { get; set; }
+
+        public bool IsHidden { get; set; }
    }
 }
--- a/src/Squidex/Areas/IdentityServer/Controllers/Profile/ProfileController.cs
+++ b/src/Squidex/Areas/IdentityServer/Controllers/Profile/ProfileController.cs
@ -83,7 +83,7 @@ namespace Squidex.Areas.IdentityServer.Controllers.Profile
        [Route("/account/profile/update/")]
        public Task<IActionResult> UpdateProfile(ChangeProfileModel model)
        {
-            return MakeChangeAsync(user => userManager.UpdateAsync(user, model.Email, model.DisplayName),
+            return MakeChangeAsync(user => userManager.UpdateAsync(user, model.Email, model.DisplayName, model.IsHidden),
                "Account updated successfully.");
        }

@ -195,6 +195,7 @@ namespace Squidex.Areas.IdentityServer.Controllers.Profile
                ExternalLogins = user.Logins,
                ExternalProviders = externalProviders,
                DisplayName = user.DisplayName(),
+                IsHidden = user.IsHidden(),
                HasPassword = await userManager.HasPasswordAsync(user),
                HasPasswordAuth = identityOptions.Value.AllowPasswordAuth,
                SuccessMessage = successMessage
--- a/src/Squidex/Areas/IdentityServer/Controllers/Profile/ProfileVM.cs
+++ b/src/Squidex/Areas/IdentityServer/Controllers/Profile/ProfileVM.cs
@ -22,6 +22,8 @@ namespace Squidex.Areas.IdentityServer.Controllers.Profile

        public string SuccessMessage { get; set; }

+        public bool IsHidden { get; set; }
+
        public bool HasPassword { get; set; }

        public bool HasPasswordAuth { get; set; }
--- a/src/Squidex/Areas/IdentityServer/Views/Profile/Profile.cshtml
+++ b/src/Squidex/Areas/IdentityServer/Views/Profile/Profile.cshtml
@ -52,7 +52,7 @@
                </div>
            }

-            <input type="email" ap class="form-control" asp-for="Email" name="email" id="email" />
+            <input type="email" ap class="form-control" asp-for="Email" id="email" />
        </div>

        <div class="form-group">
@ -65,7 +65,15 @@
                </div>
            }

-            <input type="text" class="form-control" asp-for="DisplayName" name="displayName" id="displayName"/>
+            <input type="text" class="form-control" asp-for="DisplayName" id="displayName"/>
+        </div>
+
+        <div class="form-group">
+            <div class="form-check">
+                <input type="checkbox" class="form-check-input" asp-for="IsHidden" id="hidden" />
+
+                <label class="form-check-label" for="hidden">Do not show my profile to other users</label>
+            </div>
        </div>

        <button type="submit" class="btn btn-primary">Save</button>
--- a/src/Squidex/Config/Domain/EventStoreServices.cs
+++ b/src/Squidex/Config/Domain/EventStoreServices.cs
@ -53,8 +53,7 @@ namespace Squidex.Config.Domain
            });

            services.AddSingletonAs<OrleansEventNotifier>()
-                .As<IEventNotifier>()
-                .As<IInitializable>();
+                .As<IEventNotifier>();

            services.AddSingletonAs<DefaultStreamNameResolver>()
                .As<IStreamNameResolver>();
--- a/src/Squidex/app/features/settings/pages/contributors/contributors-page.component.html
+++ b/src/Squidex/app/features/settings/pages/contributors/contributors-page.component.html
@ -6,55 +6,53 @@
    </ng-container>

    <ng-container content>
-        <div class="panel-alert panel-alert-success" *ngIf="maxContributors > 0">
-            Your plan allows up to {{maxContributors}} contributors.
-        </div>
-        
-        <table class="table table-items table-fixed">
-            <tbody>
-                <ng-template ngFor let-contributor [ngForOf]="appContributors?.contributors">
-                    <tr>
-                        <td class="cell-user">
-                            <img class="user-picture" [attr.title]="contributor.contributorId | sqxUserName" [attr.src]="contributor.contributorId | sqxUserPicture" />
-                        </td>
-                        <td class="cell-auto">
-                            <span class="user-name table-cell">{{contributor.contributorId | sqxUserName}}</span>
-                        </td>
-                        <td class="cell-auto">
-                            <span class="user-email table-cell">{{contributor.contributorId | sqxUserEmail}}</span>
-                        </td>
-                        <td class="cell-time">
-                            <select class="form-control" [ngModel]="contributor.permission" (ngModelChange)="changePermission(contributor, $event)" [disabled]="userId === contributor.contributorId">
-                                <option *ngFor="let permission of usersPermissions" [ngValue]="permission">{{permission}}</option>
-                            </select>
-                        </td>
-                        <td class="cell-actions">
-                            <button type="button" class="btn btn-link btn-danger" [disabled]="userId === contributor.contributorId" (click)="removeContributor(contributor)">
-                                <i class="icon-bin2"></i>
-                            </button>
-                        </td>
-                    </tr>
-                    <tr class="spacer"></tr>
-                </ng-template>
-            </tbody>
-        </table>
-        
-        <div class="table-items-footer" *ngIf="appContributors">
-            <form [formGroup]="addContributorForm" (ngSubmit)="assignContributor()">
-                <div class="row no-gutters">
-                    <div class="col">
-                        <sqx-autocomplete [source]="usersDataSource" formControlName="user" [inputName]="'contributor'" placeholder="Find existing user" displayProperty="email">
-                            <ng-template let-user="$implicit">
-                                <img class="user-picture autocomplete-user-picture" [attr.src]="user | sqxUserDtoPicture" />
+		<div class="panel-alert panel-alert-success" *ngIf="maxContributors > 0">
+			Your plan allows up to {{maxContributors}} contributors.
+		</div>
+		
+		<table class="table table-items table-fixed">
+			<tbody>
+				<ng-template ngFor let-contributor [ngForOf]="appContributors?.contributors">
+					<tr>
+						<td class="cell-user">
+							<img class="user-picture" [attr.title]="contributor.contributorId | sqxUserName" [attr.src]="contributor.contributorId | sqxUserPicture" />
+						</td>
+						<td class="cell-auto">
+							<span class="user-name table-cell">{{contributor.contributorId | sqxUserName}}</span>
+						</td>
+						<td class="cell-time">
+							<select class="form-control" [ngModel]="contributor.permission" (ngModelChange)="changePermission(contributor, $event)" [disabled]="userId === contributor.contributorId">
+								<option *ngFor="let permission of usersPermissions" [ngValue]="permission">{{permission}}</option>
+							</select>
+						</td>
+						<td class="cell-actions">
+							<button *ngIf="ctx.userId !== contributor.contributorId" type="button" class="btn btn-link btn-danger" (click)="removeContributor(contributor)">
+								<i class="icon-bin2"></i>
+							</button>
+						</td>
+					</tr>
+					<tr class="spacer"></tr>
+				</ng-template>
+			</tbody>
+		</table>
+		
+		<div class="table-items-footer" *ngIf="appContributors">
+			<form [formGroup]="addContributorForm" (ngSubmit)="assignContributor()">
+				<div class="row no-gutters">
+					<div class="col">
+						<sqx-autocomplete [source]="usersDataSource" formControlName="user" [inputName]="'contributor'" placeholder="Find existing user" displayProperty="displayName">
+							<ng-template let-user="$implicit">
+								<span class="autocomplete-user">
+									<img class="user-picture autocomplete-user-picture" [attr.src]="user | sqxUserDtoPicture" />

-                                <span class="user-name autocomplete-user-name">{{user.displayName}}</span>
-                                <span class="user-email autocomplete-user-email">{{user.email}}</span>
-                            </ng-template>
-                        </sqx-autocomplete>
-                    </div>
-                    <div class="col col-auto pl-1">
-                        <button type="submit" class="btn btn-success" [disabled]="!canAddContributor">Add Contributor</button>
-                    </div>
+									<span class="user-name autocomplete-user-name">{{user.displayName}}</span>
+								</span>
+							</ng-template>
+						</sqx-autocomplete>
+					</div>
+					<div class="col col-auto pl-1">
+						<button type="submit" class="btn btn-success" [disabled]="!canAddContributor">Add Contributor</button>
+					</div>
                </div>
            </form>
        </div>
--- a/src/Squidex/app/features/settings/pages/contributors/contributors-page.component.scss
+++ b/src/Squidex/app/features/settings/pages/contributors/contributors-page.component.scss
@ -2,14 +2,11 @@
@import '_mixins';

 .autocomplete-user {
-    &-picture {
-        float: left;
-        margin-top: .4rem;
+    & {
+        @include truncate;
    }

-    &-name,
-    &-email {
-        @include truncate;
-        margin-left: 3rem;
+    &-name {
+        margin-left: .25rem;
    }
 }
--- a/src/Squidex/app/features/settings/pages/contributors/contributors-page.component.ts
+++ b/src/Squidex/app/features/settings/pages/contributors/contributors-page.component.ts
@ -15,8 +15,9 @@ import {
    AppContributorsService,
    AppsState,
    AutocompleteSource,
-    UsersService,
-    DialogService
+    DialogService,
+    PublicUserDto,
+    UsersService
 } from '@app/shared';

 export class UsersDataSource implements AutocompleteSource {
@ -111,11 +112,17 @@ export class ContributorsPageComponent implements OnInit {
    }

    public assignContributor() {
-        const requestDto = new AppContributorDto(this.addContributorForm.controls['user'].value.id, 'Editor');
+        let value: any = this.addContributorForm.controls['user'].value;
+
+        if (value instanceof PublicUserDto) {
+            value = value.id;
+        }
+
+        const requestDto = new AppContributorDto(value, 'Editor');

        this.appContributorsService.postContributor(this.appsState.appName, requestDto, this.appContributors.version)
            .subscribe(dto => {
-                this.updateContributors(this.appContributors.addContributor(requestDto, dto.version));
+                this.updateContributors(this.appContributors.addContributor(new AppContributorDto(dto.payload.contributorId, requestDto.permission), dto.version));
                this.resetContributorForm();
            }, error => {
                this.dialogs.notifyError(error);
--- a/src/Squidex/app/features/settings/pages/plans/plans-page.component.html
+++ b/src/Squidex/app/features/settings/pages/plans/plans-page.component.html
@ -1,62 +1,86 @@
-<sqx-title message="{app} | Plans | Settings" parameter1="app" [value1]="appsState.appName"></sqx-title>
+<sqx-title message="{app} | Plans | Settings" parameter1="app" [value1]="ctx.appName"></sqx-title>

 <sqx-panel desiredWidth="61rem">
-    <ng-container title>
-        Contributors
-    </ng-container>
-
-    <ng-container menu>
-        <button class="btn btn-link btn-secondary" (click)="load(true)" title="Refresh Plans (CTRL + SHIFT + R)">
-            <i class="icon-reset"></i> Refresh
-        </button>
-
-        <sqx-shortcut keys="ctrl+shift+r" (trigger)="load(true)"></sqx-shortcut>
-    </ng-container>
-
-    <ng-container content>
-        <ng-container *ngIf="plans">
-            <div class="panel-alert panel-alert-danger" *ngIf="!planOwned">
-                You have not created the subscription. Therefore you cannot change the plan.
-            </div>
+    <div class="panel-header">
+        <div class="panel-title-row">
+            <div class="float-right">
+                <button class="btn btn-link btn-secondary" (click)="load(true)" title="Refresh Plans (CTRL + SHIFT + R)">
+                    <i class="icon-reset"></i> Refresh
+                </button>

-            <div class="text-muted text-center empty" *ngIf="plans.plans.length === 0">
-                No plan configured, this app has unlimited usage.
+                <sqx-shortcut keys="ctrl+shift+r" (trigger)="load(true)"></sqx-shortcut>
            </div>
+            
+            <h3 class="panel-title">Update Plan</h3>
+        </div>

-            <div class="clearfix">
-                <div class="card plan float-left" *ngFor="let plan of plans.plans">
-                    <div class="card-body plan-header text-center">
-                        <h4 class="card-title">{{plan.name}}</h4>
-                        <h5 class="plan-price">{{plan.costs}}</h5>
+        <a class="panel-close" sqxParentLink>
+            <i class="icon-close"></i>
+        </a>
+    </div>

-                        <small class="text-muted">Per Month</small>
-                    </div>
-                    <div class="card-body">
-                        <div class="plan-fact">
-                            {{plan.maxApiCalls | sqxKNumber}} API Calls
+    <div class="panel-main">
+        <div class="panel-content">
+            <div *ngIf="plans">
+                <div class="panel-alert panel-alert-danger" *ngIf="!planOwned">
+                    You have not created the subscription. Therefore you cannot change the plan.
+                </div>
+
+                <div class="text-muted text-center empty" *ngIf="plans.plans.length === 0">
+                    No plan configured, this app has unlimited usage.
+                </div>
+
+                <div class="clearfix">
+                    <div class="card plan float-left" *ngFor="let plan of plans.plans">
+                        <div class="card-header text-center">
+                            <h4 class="card-title">{{plan.name}}</h4>
+                            <h5 class="plan-price">{{plan.costs}}</h5>
+    
+                            <small class="text-muted">Per Month</small>
                        </div>
-                        <div class="plan-fact">
-                            {{plan.maxAssetSize | sqxFileSize}} Storage
+                        <div class="card-body">
+                            <div class="plan-fact text-center">
+                                <div>
+                                    <strong>{{plan.maxApiCalls | sqxKNumber}}</strong> API Calls
+                                </div>
+                                <div>
+                                    {{plan.maxAssetSize | sqxFileSize}} Storage
+                                </div>
+                                <div>
+                                    {{plan.maxContributors}} Contributors
+                                </div>
+                            </div>
+                        
+                            <button *ngIf="plan.id === plans.currentPlanId" class="btn btn-block btn-link btn-success plan-selected">
+                                &#10003; Selected
+                            </button>
+                            
+                            <button *ngIf="plan.id !== plans.currentPlanId" class="btn btn-block btn-success" [disabled]="isDisabled || !planOwned" (click)="changePlan(plan.id)">
+                                Change
+                            </button>
                        </div>
-                        <div class="plan-fact">
-                            {{plan.maxContributors}} Contributors
+                        <div class="card-footer" *ngIf="plan.yearlyId">
+                            <div class="text-center">
+                                <h5 class="plan-price">{{plan.yearlyCosts}}</h5>
+
+                                <small class="text-muted">Per Year</small>
+                            </div>
+
+                            <button *ngIf="plan.yearlyId === plans.currentPlanId" class="btn btn-block btn-link btn-success plan-selected">
+                                &#10003; Selected
+                            </button>
+                            
+                            <button *ngIf="plan.yearlyId !== plans.currentPlanId" class="btn btn-block btn-success" [disabled]="isDisabled || !planOwned" (click)="changePlan(plan.yearlyId)">
+                                Change
+                            </button>
                        </div>
                    </div>
-                    <div class="card-body">
-                        <button *ngIf="plan.id === plans.currentPlanId" class="btn btn-block btn-link btn-success plan-selected">
-                            &#10003; Selected
-                        </button>
-                        
-                        <button *ngIf="plan.id !== plans.currentPlanId" class="btn btn-block btn-success" [disabled]="isDisabled || !planOwned" (click)="changePlan(plan.id)">
-                            Change
-                        </button>
-                    </div>
                </div>
-            </div>

-            <div *ngIf="plans.hasPortal" class="billing-portal-link">
-                Go to <a target="_blank" href="{{portalUrl}}">Billing Portal</a> for payment history and subscription overview.
+                <div *ngIf="plans.hasPortal" class="billing-portal-link">
+                    Go to <a target="_blank" href="{{portalUrl}}">Billing Portal</a> for payment history and subscription overview.
+                </div>
            </div>
-        </ng-container>
-    </ng-container>
+        </div>
+    </div>
 </sqx-panel>
--- a/src/Squidex/app/features/settings/pages/plans/plans-page.component.scss
+++ b/src/Squidex/app/features/settings/pages/plans/plans-page.component.scss
@ -8,12 +8,10 @@
        margin: .5rem;
    }

-    &-header {
-        border-bottom: 1px solid $color-border;
-    }
-
    &-price {
        color: $color-theme-blue;
+        margin-top: 0;
+        margin-bottom: 0;
    }

    &-selected {
@ -21,10 +19,20 @@
    }

    &-fact {
-        line-height: 2rem;
+        line-height: 1.8rem;
+    }
+
+    .btn {
+        margin-top: 1rem;
    }
 }

+.card-footer,
+.card-header,
+.card-body {
+    padding: 1rem;
+}
+
 .empty {
    margin: 1.25rem;
    margin-top: 6.25rem;
--- a/src/Squidex/app/framework/angular/forms/autocomplete.component.ts
+++ b/src/Squidex/app/framework/angular/forms/autocomplete.component.ts
@ -61,15 +61,18 @@ export class AutocompleteComponent implements ControlValueAccessor, OnDestroy, O
    public ngOnInit() {
        this.subscription =
            this.queryInput.valueChanges
+                .do(query => {
+                    this.callChange(query);
+                })
                .map(query => <string>query)
                .map(query => query ? query.trim() : query)
-                .distinctUntilChanged()
-                .debounceTime(200)
                .do(query => {
                    if (!query) {
                        this.reset();
                    }
                })
+                .distinctUntilChanged()
+                .debounceTime(200)
                .filter(query => !!query && !!this.source)
                .switchMap(query => this.source.find(query)).catch(error => Observable.of([]))
                .subscribe(items => {
--- a/src/Squidex/app/shared/components/pipes.ts
+++ b/src/Squidex/app/shared/components/pipes.ts
@ -11,7 +11,7 @@ import { Observable, Subscription } from 'rxjs';
 import {
    ApiUrlConfig,
    MathHelper,
-    UserDto,
+    PublicUserDto,
    UsersProviderService
 } from '@app/shared/internal';

@ -91,42 +91,6 @@ export class UserNameRefPipe extends UserAsyncPipe implements PipeTransform {
    }
 }

-@Pipe({
-    name: 'sqxUserEmail',
-    pure: false
-})
-export class UserEmailPipe extends UserAsyncPipe implements PipeTransform {
-    constructor(users: UsersProviderService, changeDetector: ChangeDetectorRef) {
-        super(users, changeDetector);
-    }
-
-    public transform(userId: string): string | null {
-        return super.transformInternal(userId, users => users.getUser(userId).map(u => u.email));
-    }
-}
-
-@Pipe({
-    name: 'sqxUserEmailRef',
-    pure: false
-})
-export class UserEmailRefPipe extends UserAsyncPipe implements PipeTransform {
-    constructor(users: UsersProviderService, changeDetector: ChangeDetectorRef) {
-        super(users, changeDetector);
-    }
-
-    public transform(userId: string): string | null {
-        return super.transformInternal(userId, users => {
-            const parts = userId.split(':');
-
-            if (parts[0] === 'subject') {
-                return users.getUser(parts[1]).map(u => u.email);
-            } else {
-                return Observable.of(null);
-            }
-        });
-    }
-}
-
@Pipe({
    name: 'sqxUserDtoPicture',
    pure: false
@ -137,7 +101,7 @@ export class UserDtoPicture implements PipeTransform {
    ) {
    }

-    public transform(user: UserDto): string | null {
+    public transform(user: PublicUserDto): string | null {
        return this.apiUrl.buildUrl(`api/users/${user.id}/picture`);
    }
 }
--- a/src/Squidex/app/shared/module.ts
+++ b/src/Squidex/app/shared/module.ts
@ -53,8 +53,6 @@ import {
    UnsetAppGuard,
    UsagesService,
    UserDtoPicture,
-    UserEmailPipe,
-    UserEmailRefPipe,
    UserNamePipe,
    UserNameRefPipe,
    UserIdPicturePipe,
@ -83,8 +81,6 @@ import {
        LanguageSelectorComponent,
        MarkdownEditorComponent,
        UserDtoPicture,
-        UserEmailPipe,
-        UserEmailRefPipe,
        UserIdPicturePipe,
        UserNamePipe,
        UserNameRefPipe,
@ -105,8 +101,6 @@ import {
        MarkdownEditorComponent,
        RouterModule,
        UserDtoPicture,
-        UserEmailPipe,
-        UserEmailRefPipe,
        UserIdPicturePipe,
        UserNamePipe,
        UserNameRefPipe,
--- a/src/Squidex/app/shared/services/app-contributors.service.spec.ts
+++ b/src/Squidex/app/shared/services/app-contributors.service.spec.ts
@ -14,7 +14,8 @@ import {
    AppContributorDto,
    AppContributorsDto,
    AppContributorsService,
-    Version
+    Version,
+    ContributorAssignedDto
 } from './../';

 describe('AppContributorsDto', () => {
@ -122,14 +123,20 @@ describe('AppContributorsService', () => {

        const dto = new AppContributorDto('123', 'Owner');

-        appContributorsService.postContributor('my-app', dto, version).subscribe();
+        let contributorAssignedDto: ContributorAssignedDto | null = null;
+
+        appContributorsService.postContributor('my-app', dto, version).subscribe(result => {
+            contributorAssignedDto = result.payload;
+        });

        const req = httpMock.expectOne('http://service/p/api/apps/my-app/contributors');

        expect(req.request.method).toEqual('POST');
        expect(req.request.headers.get('If-Match')).toEqual(version.value);

-        req.flush({});
+        req.flush({ contributorId: '123' });
+
+        expect(contributorAssignedDto!.contributorId).toEqual('123');
    }));

    it('should make delete request to remove contributor',
--- a/src/Squidex/app/shared/services/app-contributors.service.ts
+++ b/src/Squidex/app/shared/services/app-contributors.service.ts
@ -58,6 +58,13 @@ export class AppContributorDto {
    }
 }

+export class ContributorAssignedDto {
+    constructor(
+        public readonly contributorId: string
+    ) {
+    }
+}
+
@Injectable()
 export class AppContributorsService {
    constructor(
@ -87,10 +94,17 @@ export class AppContributorsService {
                .pretifyError('Failed to load contributors. Please reload.');
    }

-    public postContributor(appName: string, dto: AppContributorDto, version: Version): Observable<Versioned<any>> {
+    public postContributor(appName: string, dto: AppContributorDto, version: Version): Observable<Versioned<ContributorAssignedDto>> {
        const url = this.apiUrl.buildUrl(`api/apps/${appName}/contributors`);

        return HTTP.postVersioned(this.http, url, dto, version)
+                .map(response => {
+                    const body: any = response.payload.body;
+
+                    const result = new ContributorAssignedDto(body.contributorId);
+
+                    return new Versioned(response.version, result);
+                })
                .do(() => {
                    this.analytics.trackEvent('Contributor', 'Configured', appName);
                })
--- a/src/Squidex/app/shared/services/plans.service.spec.ts
+++ b/src/Squidex/app/shared/services/plans.service.spec.ts
@ -62,6 +62,8 @@ describe('PlansService', () => {
                    id: 'free',
                    name: 'Free',
                    costs: '14 €',
+                    yearlyId: 'free_yearly',
+                    yearlyCosts: '12 €',
                    maxApiCalls: 1000,
                    maxAssetSize: 1500,
                    maxContributors: 2500
@ -70,6 +72,8 @@ describe('PlansService', () => {
                    id: 'prof',
                    name: 'Prof',
                    costs: '18 €',
+                    yearlyId: 'prof_yearly',
+                    yearlyCosts: '16 €',
                    maxApiCalls: 4000,
                    maxAssetSize: 5500,
                    maxContributors: 6500
@ -87,8 +91,8 @@ describe('PlansService', () => {
                '456',
                true,
                [
-                    new PlanDto('free', 'Free', '14 €', 1000, 1500, 2500),
-                    new PlanDto('prof', 'Prof', '18 €', 4000, 5500, 6500)
+                    new PlanDto('free', 'Free', '14 €', 'free_yearly', '12 €', 1000, 1500, 2500),
+                    new PlanDto('prof', 'Prof', '18 €', 'prof_yearly', '16 €', 4000, 5500, 6500)
                ],
                new Version('2')
            ));
--- a/src/Squidex/app/shared/services/plans.service.ts
+++ b/src/Squidex/app/shared/services/plans.service.ts
@ -44,6 +44,8 @@ export class PlanDto {
        public readonly id: string,
        public readonly name: string,
        public readonly costs: string,
+        public readonly yearlyId: string,
+        public readonly yearlyCosts: string,
        public readonly maxApiCalls: number,
        public readonly maxAssetSize: number,
        public readonly maxContributors: number
@ -92,6 +94,8 @@ export class PlansService {
                                item.id,
                                item.name,
                                item.costs,
+                                item.yearlyId,
+                                item.yearlyCosts,
                                item.maxApiCalls,
                                item.maxAssetSize,
                                item.maxContributors);
--- a/src/Squidex/app/shared/services/users-provider.service.spec.ts
+++ b/src/Squidex/app/shared/services/users-provider.service.spec.ts
@ -11,7 +11,7 @@ import { IMock, Mock, Times } from 'typemoq';
 import {
    AuthService,
    Profile,
-    UserDto,
+    PublicUserDto,
    UsersProviderService,
    UsersService
 } from './../';
@ -28,12 +28,12 @@ describe('UsersProviderService', () => {
    });

    it('should return users service when user not cached', () => {
-        const user = new UserDto('123', 'mail@domain.com', 'User1', 'path/to/image', true);
+        const user = new PublicUserDto('123', 'User1');

        usersService.setup(x => x.getUser('123'))
            .returns(() => Observable.of(user)).verifiable(Times.once());

-        let resultingUser: UserDto | null = null;
+        let resultingUser: PublicUserDto | null = null;

        usersProviderService.getUser('123').subscribe(result => {
            resultingUser = result;
@ -45,14 +45,14 @@ describe('UsersProviderService', () => {
    });

    it('should return provide user from cache', () => {
-        const user = new UserDto('123', 'mail@domain.com', 'User1', 'path/to/image', true);
+        const user = new PublicUserDto('123', 'User1');

        usersService.setup(x => x.getUser('123'))
            .returns(() => Observable.of(user)).verifiable(Times.once());

        usersProviderService.getUser('123');

-        let resultingUser: UserDto | null = null;
+        let resultingUser: PublicUserDto | null = null;

        usersProviderService.getUser('123').subscribe(result => {
            resultingUser = result;
@ -64,7 +64,7 @@ describe('UsersProviderService', () => {
    });

    it('should return me when user is current user', () => {
-        const user = new UserDto('123', 'mail@domain.com', 'User1', 'path/to/image', true);
+        const user = new PublicUserDto('123', 'User1');

        authService.setup(x => x.user)
            .returns(() => new Profile(<any>{ profile: { sub: '123'}}));
@ -72,13 +72,13 @@ describe('UsersProviderService', () => {
        usersService.setup(x => x.getUser('123'))
            .returns(() => Observable.of(user)).verifiable(Times.once());

-        let resultingUser: UserDto | null = null;
+        let resultingUser: PublicUserDto | null = null;

        usersProviderService.getUser('123').subscribe(result => {
            resultingUser = result;
        }).unsubscribe();

-        expect(resultingUser).toEqual(new UserDto('123', 'mail@domain.com', 'Me', 'path/to/image', true));
+        expect(resultingUser).toEqual(new PublicUserDto('123', 'Me'));

        usersService.verifyAll();
    });
@ -90,13 +90,13 @@ describe('UsersProviderService', () => {
        usersService.setup(x => x.getUser('123'))
            .returns(() => Observable.throw('NOT FOUND')).verifiable(Times.once());

-        let resultingUser: UserDto | null = null;
+        let resultingUser: PublicUserDto | null = null;

        usersProviderService.getUser('123').subscribe(result => {
            resultingUser = result;
        }).unsubscribe();

-        expect(resultingUser).toEqual(new UserDto('NOT FOUND', 'NOT FOUND', 'NOT FOUND', null, false));
+        expect(resultingUser).toEqual(new PublicUserDto('Unknown', 'Unknown'));

        usersService.verifyAll();
    });
--- a/src/Squidex/app/shared/services/users-provider.service.ts
+++ b/src/Squidex/app/shared/services/users-provider.service.ts
@ -8,13 +8,13 @@
 import { Injectable } from '@angular/core';
 import { Observable } from 'rxjs';

-import { UserDto, UsersService } from './users.service';
+import { PublicUserDto, UsersService } from './users.service';

 import { AuthService } from './auth.service';

@Injectable()
 export class UsersProviderService {
-    private readonly caches: { [id: string]: Observable<UserDto> } = {};
+    private readonly caches: { [id: string]: Observable<PublicUserDto> } = {};

    constructor(
        private readonly usersService: UsersService,
@ -22,14 +22,14 @@ export class UsersProviderService {
    ) {
    }

-    public getUser(id: string, me: string | null = 'Me'): Observable<UserDto> {
+    public getUser(id: string, me: string | null = 'Me'): Observable<PublicUserDto> {
        let result = this.caches[id];

        if (!result) {
            const request =
                this.usersService.getUser(id)
                    .catch(error => {
-                        return Observable.of(new UserDto('NOT FOUND', 'NOT FOUND', 'NOT FOUND', null, false));
+                        return Observable.of(new PublicUserDto('Unknown', 'Unknown'));
                    })
                    .publishLast();

@ -41,7 +41,7 @@ export class UsersProviderService {
        return result
            .map(dto => {
                if (me && this.authService.user && dto.id === this.authService.user.id) {
-                    dto = new UserDto(dto.id, dto.email, me, dto.pictureUrl, dto.isLocked);
+                    dto = new PublicUserDto(dto.id, me);
                }
                return dto;
            }).share();
--- a/src/Squidex/app/shared/services/users.service.spec.ts
+++ b/src/Squidex/app/shared/services/users.service.spec.ts
@ -10,10 +10,39 @@ import { inject, TestBed } from '@angular/core/testing';

 import {
    ApiUrlConfig,
+    CreateUserDto,
+    PublicUserDto,
+    UpdateUserDto,
    UserDto,
+    UserManagementService,
+    UsersDto,
    UsersService
 } from './../';

+describe('UserDto', () => {
+    it('should update email and display name property when unlocking', () => {
+        const user_1 = new UserDto('1', 'sebastian@squidex.io', 'Sebastian',  true);
+        const user_2 = user_1.update('qaisar@squidex.io', 'Qaisar');
+
+        expect(user_2.email).toEqual('qaisar@squidex.io');
+        expect(user_2.displayName).toEqual('Qaisar');
+    });
+
+    it('should update isLocked property when locking', () => {
+        const user_1 = new UserDto('1', 'sebastian@squidex.io', 'Sebastian', false);
+        const user_2 = user_1.lock();
+
+        expect(user_2.isLocked).toBeTruthy();
+    });
+
+    it('should update isLocked property when unlocking', () => {
+        const user_1 = new UserDto('1', 'sebastian@squidex.io', 'Sebastian', true);
+        const user_2 = user_1.unlock();
+
+        expect(user_2.isLocked).toBeFalsy();
+    });
+});
+
 describe('UsersService', () => {
    beforeEach(() => {
        TestBed.configureTestingModule({
@ -34,7 +63,7 @@ describe('UsersService', () => {
    it('should make get request to get many users',
        inject([UsersService, HttpTestingController], (usersService: UsersService, httpMock: HttpTestingController) => {

-        let users: UserDto[] | null = null;
+        let users: PublicUserDto[] | null = null;

        usersService.getUsers().subscribe(result => {
            users = result;
@ -48,31 +77,25 @@ describe('UsersService', () => {
        req.flush([
            {
                id: '123',
-                email: 'mail1@domain.com',
-                displayName: 'User1',
-                pictureUrl: 'path/to/image1',
-                isLocked: true
+                displayName: 'User1'
            },
            {
                id: '456',
-                email: 'mail2@domain.com',
-                displayName: 'User2',
-                pictureUrl: 'path/to/image2',
-                isLocked: true
+                displayName: 'User2'
            }
        ]);

        expect(users).toEqual(
            [
-                new UserDto('123', 'mail1@domain.com', 'User1', 'path/to/image1', true),
-                new UserDto('456', 'mail2@domain.com', 'User2', 'path/to/image2', true)
+                new PublicUserDto('123', 'User1'),
+                new PublicUserDto('456', 'User2')
            ]);
    }));

    it('should make get request with query to get many users',
        inject([UsersService, HttpTestingController], (usersService: UsersService, httpMock: HttpTestingController) => {

-        let users: UserDto[] | null = null;
+        let users: PublicUserDto[] | null = null;

        usersService.getUsers('my-query').subscribe(result => {
            users = result;
@ -86,31 +109,25 @@ describe('UsersService', () => {
        req.flush([
            {
                id: '123',
-                email: 'mail1@domain.com',
-                displayName: 'User1',
-                pictureUrl: 'path/to/image1',
-                isLocked: true
+                displayName: 'User1'
            },
            {
                id: '456',
-                email: 'mail2@domain.com',
-                displayName: 'User2',
-                pictureUrl: 'path/to/image2',
-                isLocked: true
+                displayName: 'User2'
            }
        ]);

        expect(users).toEqual(
            [
-                new UserDto('123', 'mail1@domain.com', 'User1', 'path/to/image1', true),
-                new UserDto('456', 'mail2@domain.com', 'User2', 'path/to/image2', true)
+                new PublicUserDto('123', 'User1'),
+                new PublicUserDto('456', 'User2')
            ]);
    }));

    it('should make get request to get single user',
        inject([UsersService, HttpTestingController], (usersService: UsersService, httpMock: HttpTestingController) => {

-        let user: UserDto | null = null;
+        let user: PublicUserDto | null = null;

        usersService.getUser('123').subscribe(result => {
            user = result;
@ -121,14 +138,192 @@ describe('UsersService', () => {
        expect(req.request.method).toEqual('GET');
        expect(req.request.headers.get('If-Match')).toBeNull();

+        req.flush({ id: '123', displayName: 'User1' });
+
+        expect(user).toEqual(new PublicUserDto('123', 'User1'));
+    }));
+});
+
+describe('UserManagementService', () => {
+     beforeEach(() => {
+        TestBed.configureTestingModule({
+            imports: [
+                HttpClientTestingModule
+            ],
+            providers: [
+                UserManagementService,
+                { provide: ApiUrlConfig, useValue: new ApiUrlConfig('http://service/p/') }
+            ]
+        });
+    });
+
+    afterEach(inject([HttpTestingController], (httpMock: HttpTestingController) => {
+        httpMock.verify();
+    }));
+
+    it('should make get request to get many users',
+        inject([UserManagementService, HttpTestingController], (userManagementService: UserManagementService, httpMock: HttpTestingController) => {
+
+        let users: UsersDto | null = null;
+
+        userManagementService.getUsers(20, 30).subscribe(result => {
+            users = result;
+        });
+
+        const req = httpMock.expectOne('http://service/p/api/user-management?take=20&skip=30&query=');
+
+        expect(req.request.method).toEqual('GET');
+        expect(req.request.headers.get('If-Match')).toBeNull();
+
+        req.flush({
+            total: 100,
+            items: [
+                {
+                    id: '123',
+                    email: 'mail1@domain.com',
+                    displayName: 'User1',
+                    isLocked: true
+                },
+                {
+                    id: '456',
+                    email: 'mail2@domain.com',
+                    displayName: 'User2',
+                    isLocked: true
+                }
+            ]
+        });
+
+        expect(users).toEqual(
+            new UsersDto(100, [
+                new UserDto('123', 'mail1@domain.com', 'User1', true),
+                new UserDto('456', 'mail2@domain.com', 'User2', true)
+            ]));
+    }));
+
+    it('should make get request with query to get many users',
+        inject([UserManagementService, HttpTestingController], (userManagementService: UserManagementService, httpMock: HttpTestingController) => {
+
+        let users: UsersDto | null = null;
+
+        userManagementService.getUsers(20, 30, 'my-query').subscribe(result => {
+            users = result;
+        });
+
+        const req = httpMock.expectOne('http://service/p/api/user-management?take=20&skip=30&query=my-query');
+
+        expect(req.request.method).toEqual('GET');
+        expect(req.request.headers.get('If-Match')).toBeNull();
+
+        req.flush({
+            total: 100,
+            items: [
+                {
+                    id: '123',
+                    email: 'mail1@domain.com',
+                    displayName: 'User1',
+                    pictureUrl: 'path/to/image1',
+                    isLocked: true
+                },
+                {
+                    id: '456',
+                    email: 'mail2@domain.com',
+                    displayName: 'User2',
+                    pictureUrl: 'path/to/image2',
+                    isLocked: true
+                }
+            ]
+        });
+
+        expect(users).toEqual(
+            new UsersDto(100, [
+                new UserDto('123', 'mail1@domain.com', 'User1', true),
+                new UserDto('456', 'mail2@domain.com', 'User2', true)
+            ]));
+    }));
+
+    it('should make get request to get single user',
+        inject([UserManagementService, HttpTestingController], (userManagementService: UserManagementService, httpMock: HttpTestingController) => {
+
+        let user: UserDto | null = null;
+
+        userManagementService.getUser('123').subscribe(result => {
+            user = result;
+        });
+
+        const req = httpMock.expectOne('http://service/p/api/user-management/123');
+
+        expect(req.request.method).toEqual('GET');
+        expect(req.request.headers.get('If-Match')).toBeNull();
+
        req.flush({
            id: '123',
            email: 'mail1@domain.com',
            displayName: 'User1',
-            pictureUrl: 'path/to/image1',
            isLocked: true
        });

-        expect(user).toEqual(new UserDto('123', 'mail1@domain.com', 'User1', 'path/to/image1', true));
+        expect(user).toEqual(new UserDto('123', 'mail1@domain.com', 'User1', true));
+    }));
+
+    it('should make post request to create user',
+        inject([UserManagementService, HttpTestingController], (userManagementService: UserManagementService, httpMock: HttpTestingController) => {
+
+        const dto = new CreateUserDto('mail@squidex.io', 'Squidex User', 'password');
+
+        let user: UserDto | null = null;
+
+        userManagementService.postUser(dto).subscribe(result => {
+            user = result;
+        });
+
+        const req = httpMock.expectOne('http://service/p/api/user-management');
+
+        expect(req.request.method).toEqual('POST');
+        expect(req.request.headers.get('If-Match')).toBeNull();
+
+        req.flush({ id: '123' });
+
+        expect(user).toEqual(new UserDto('123', dto.email, dto.displayName, false));
+    }));
+
+    it('should make put request to update user',
+        inject([UserManagementService, HttpTestingController], (userManagementService: UserManagementService, httpMock: HttpTestingController) => {
+
+        const dto = new UpdateUserDto('mail@squidex.io', 'Squidex User', 'password');
+
+        userManagementService.putUser('123', dto).subscribe();
+
+        const req = httpMock.expectOne('http://service/p/api/user-management/123');
+
+        expect(req.request.method).toEqual('PUT');
+        expect(req.request.headers.get('If-Match')).toBeNull();
+
+        req.flush({});
+    }));
+
+    it('should make put request to lock user',
+        inject([UserManagementService, HttpTestingController], (userManagementService: UserManagementService, httpMock: HttpTestingController) => {
+
+        userManagementService.lockUser('123').subscribe();
+
+        const req = httpMock.expectOne('http://service/p/api/user-management/123/lock');
+
+        expect(req.request.method).toEqual('PUT');
+        expect(req.request.headers.get('If-Match')).toBeNull();
+
+        req.flush({});
+    }));
+
+    it('should make put request to unlock user',
+        inject([UserManagementService, HttpTestingController], (userManagementService: UserManagementService, httpMock: HttpTestingController) => {
+
+        userManagementService.unlockUser('123').subscribe();
+
+        const req = httpMock.expectOne('http://service/p/api/user-management/123/unlock');
+
+        expect(req.request.method).toEqual('PUT');
+        expect(req.request.headers.get('If-Match')).toBeNull();
+
+        req.flush({});
    }));
 });
--- a/src/Squidex/app/shared/services/users.service.ts
+++ b/src/Squidex/app/shared/services/users.service.ts
@ -13,15 +13,60 @@ import '@app/framework/angular/http/http-extensions';

 import { ApiUrlConfig, HTTP } from '@app/framework';

+export class UsersDto {
+    constructor(
+        public readonly total: number,
+        public readonly items: UserDto[]
+    ) {
+    }
+}
+
 export class UserDto {
    constructor(
        public readonly id: string,
        public readonly email: string,
        public readonly displayName: string,
-        public readonly pictureUrl: string | null,
        public readonly isLocked: boolean
    ) {
    }
+
+    public update(email: string, displayName: string): UserDto {
+        return new UserDto(this.id, email, displayName, this.isLocked);
+    }
+
+    public lock(): UserDto {
+        return new UserDto(this.id, this.email, this.displayName, true);
+    }
+
+    public unlock(): UserDto {
+        return new UserDto(this.id, this.email, this.displayName, false);
+    }
+}
+
+export class CreateUserDto {
+    constructor(
+        public readonly email: string,
+        public readonly displayName: string,
+        public readonly password: string
+    ) {
+    }
+}
+
+export class UpdateUserDto {
+    constructor(
+        public readonly email: string,
+        public readonly displayName: string,
+        public readonly password: string
+    ) {
+    }
+}
+
+export class PublicUserDto {
+    constructor(
+        public readonly id: string,
+        public readonly displayName: string
+    ) {
+    }
 }

@Injectable()
@ -32,7 +77,7 @@ export class UsersService {
    ) {
    }

-    public getUsers(query?: string): Observable<UserDto[]> {
+    public getUsers(query?: string): Observable<PublicUserDto[]> {
        const url = this.apiUrl.buildUrl(`api/users?query=${query || ''}`);

        return HTTP.getVersioned<any>(this.http, url)
@ -42,19 +87,61 @@ export class UsersService {
                    const items: any[] = body;

                    return items.map(item => {
+                        return new PublicUserDto(
+                            item.id,
+                            item.displayName);
+                    });
+                })
+                .pretifyError('Failed to load users. Please reload.');
+    }
+
+    public getUser(id: string): Observable<PublicUserDto> {
+        const url = this.apiUrl.buildUrl(`api/users/${id}`);
+
+        return HTTP.getVersioned<any>(this.http, url)
+                .map(response => {
+                    const body = response.payload.body;
+
+                    return new PublicUserDto(
+                        body.id,
+                        body.displayName);
+                })
+                .pretifyError('Failed to load user. Please reload.');
+    }
+}
+
+@Injectable()
+export class UserManagementService {
+    constructor(
+        private readonly http: HttpClient,
+        private readonly apiUrl: ApiUrlConfig
+    ) {
+    }
+
+    public getUsers(take: number, skip: number, query?: string): Observable<UsersDto> {
+        const url = this.apiUrl.buildUrl(`api/user-management?take=${take}&skip=${skip}&query=${query || ''}`);
+
+        return HTTP.getVersioned<any>(this.http, url)
+                .map(response => {
+                    const body = response.payload.body;
+
+                    const items: any[] = body.items;
+
+                    const users = items.map(item => {
                        return new UserDto(
                            item.id,
                            item.email,
                            item.displayName,
-                            item.pictureUrl,
                            item.isLocked);
                    });
+
+                    return new UsersDto(body.total, users);
                })
                .pretifyError('Failed to load users. Please reload.');
    }

    public getUser(id: string): Observable<UserDto> {
-        const url = this.apiUrl.buildUrl(`api/users/${id}`);
+        const url = this.apiUrl.buildUrl(`api/user-management/${id}`);

        return HTTP.getVersioned<any>(this.http, url)
                .map(response => {
@ -64,9 +151,41 @@ export class UsersService {
                        body.id,
                        body.email,
                        body.displayName,
-                        body.pictureUrl,
                        body.isLocked);
                })
                .pretifyError('Failed to load user. Please reload.');
    }
+
+    public postUser(dto: CreateUserDto): Observable<UserDto> {
+        const url = this.apiUrl.buildUrl('api/user-management');
+
+        return HTTP.postVersioned<any>(this.http, url, dto)
+                .map(response => {
+                    const body = response.payload.body;
+
+                    return new UserDto(body.id, dto.email, dto.displayName, false);
+                })
+                .pretifyError('Failed to create user. Please reload.');
+    }
+
+    public putUser(id: string, dto: UpdateUserDto): Observable<any> {
+        const url = this.apiUrl.buildUrl(`api/user-management/${id}`);
+
+        return HTTP.putVersioned(this.http, url, dto)
+                .pretifyError('Failed to update user. Please reload.');
+    }
+
+    public lockUser(id: string): Observable<any> {
+        const url = this.apiUrl.buildUrl(`api/user-management/${id}/lock`);
+
+        return HTTP.putVersioned(this.http, url, {})
+                .pretifyError('Failed to load users. Please retry.');
+    }
+
+    public unlockUser(id: string): Observable<any> {
+        const url = this.apiUrl.buildUrl(`api/user-management/${id}/unlock`);
+
+        return HTTP.putVersioned(this.http, url, {})
+                .pretifyError('Failed to load users. Please retry.');
+    }
 }
--- a/tests/Squidex.Domain.Apps.Entities.Tests/Apps/AppGrainTests.cs
+++ b/tests/Squidex.Domain.Apps.Entities.Tests/Apps/AppGrainTests.cs
@ -27,6 +27,7 @@ namespace Squidex.Domain.Apps.Entities.Apps
        private readonly IAppProvider appProvider = A.Fake<IAppProvider>();
        private readonly IAppPlansProvider appPlansProvider = A.Fake<IAppPlansProvider>();
        private readonly IAppPlanBillingManager appPlansBillingManager = A.Fake<IAppPlanBillingManager>();
+        private readonly IUser user = A.Fake<IUser>();
        private readonly IUserResolver userResolver = A.Fake<IUserResolver>();
        private readonly string contributorId = Guid.NewGuid().ToString();
        private readonly string clientId = "client";
@ -46,10 +47,13 @@ namespace Squidex.Domain.Apps.Entities.Apps
        public AppGrainTests()
        {
            A.CallTo(() => appProvider.GetAppAsync(AppName))
-             .Returns((IAppEntity)null);
+                .Returns((IAppEntity)null);

-            A.CallTo(() => userResolver.FindByIdAsync(contributorId))
-                .Returns(A.Fake<IUser>());
+            A.CallTo(() => user.Id)
+                .Returns(contributorId);
+
+            A.CallTo(() => userResolver.FindByIdOrEmailAsync(contributorId))
+                .Returns(user);

            initialPatterns = new InitialPatterns
            {
@ -163,7 +167,7 @@ namespace Squidex.Domain.Apps.Entities.Apps

            var result = await sut.ExecuteAsync(CreateCommand(command));

-            result.ShouldBeEquivalent(new EntitySavedResult(5));
+            result.ShouldBeEquivalent(EntityCreatedResult.Create(contributorId, 5));

            Assert.Equal(AppContributorPermission.Editor, sut.Snapshot.Contributors[contributorId]);

--- a/tests/Squidex.Domain.Apps.Entities.Tests/Apps/Billing/ConfigAppLimitsProviderTests.cs
+++ b/tests/Squidex.Domain.Apps.Entities.Tests/Apps/Billing/ConfigAppLimitsProviderTests.cs
@ -41,7 +41,9 @@ namespace Squidex.Domain.Apps.Entities.Apps.Billing
            Name = "Basic",
            MaxApiCalls = 150000,
            MaxAssetSize = 1024 * 1024 * 2,
-            MaxContributors = 5
+            MaxContributors = 5,
+            YearlyCosts = "100€",
+            YearlyId = "basic_yearly"
        };

        private static readonly ConfigAppLimitsPlan[] Plans = { BasicPlan, FreePlan };
@ -76,6 +78,16 @@ namespace Squidex.Domain.Apps.Entities.Apps.Billing
            plan.ShouldBeEquivalentTo(BasicPlan);
        }

+        [Fact]
+        public void Should_return_fitting_yearly_app_plan()
+        {
+            var sut = new ConfigAppPlansProvider(Plans);
+
+            var plan = sut.GetPlanForApp(CreateApp("basic_yearly"));
+
+            plan.ShouldBeEquivalentTo(BasicPlan);
+        }
+
        [Fact]
        public void Should_smallest_plan_if_none_fits()
        {
--- a/tests/Squidex.Domain.Apps.Entities.Tests/Apps/Guards/GuardAppContributorsTests.cs
+++ b/tests/Squidex.Domain.Apps.Entities.Tests/Apps/Guards/GuardAppContributorsTests.cs
@ -20,14 +20,29 @@ namespace Squidex.Domain.Apps.Entities.Apps.Guards
 {
    public class GuardAppContributorsTests
    {
+        private readonly IUser user1 = A.Fake<IUser>();
+        private readonly IUser user2 = A.Fake<IUser>();
+        private readonly IUser user3 = A.Fake<IUser>();
        private readonly IUserResolver users = A.Fake<IUserResolver>();
        private readonly IAppLimitsPlan appPlan = A.Fake<IAppLimitsPlan>();
        private readonly AppContributors contributors_0 = AppContributors.Empty;

        public GuardAppContributorsTests()
        {
-            A.CallTo(() => users.FindByIdAsync(A<string>.Ignored))
-                .Returns(A.Fake<IUser>());
+            A.CallTo(() => user1.Id).Returns("1");
+            A.CallTo(() => user2.Id).Returns("2");
+            A.CallTo(() => user3.Id).Returns("3");
+
+            A.CallTo(() => users.FindByIdOrEmailAsync("1")).Returns(user1);
+            A.CallTo(() => users.FindByIdOrEmailAsync("2")).Returns(user2);
+            A.CallTo(() => users.FindByIdOrEmailAsync("3")).Returns(user3);
+
+            A.CallTo(() => users.FindByIdOrEmailAsync("1@email.com")).Returns(user1);
+            A.CallTo(() => users.FindByIdOrEmailAsync("2@email.com")).Returns(user2);
+            A.CallTo(() => users.FindByIdOrEmailAsync("3@email.com")).Returns(user3);
+
+            A.CallTo(() => users.FindByIdOrEmailAsync("notfound"))
+                .Returns(Task.FromResult<IUser>(null));

            A.CallTo(() => appPlan.MaxContributors)
                .Returns(10);
@ -62,10 +77,7 @@ namespace Squidex.Domain.Apps.Entities.Apps.Guards
        [Fact]
        public Task CanAssign_should_throw_exception_if_user_not_found()
        {
-            A.CallTo(() => users.FindByIdAsync(A<string>.Ignored))
-                .Returns(Task.FromResult<IUser>(null));
-
-            var command = new AssignContributor { ContributorId = "1", Permission = (AppContributorPermission)10 };
+            var command = new AssignContributor { ContributorId = "notfound", Permission = (AppContributorPermission)10 };

            return Assert.ThrowsAsync<ValidationException>(() => GuardAppContributors.CanAssign(contributors_0, command, users, appPlan));
        }
@ -84,6 +96,16 @@ namespace Squidex.Domain.Apps.Entities.Apps.Guards
            return Assert.ThrowsAsync<ValidationException>(() => GuardAppContributors.CanAssign(contributors_2, command, users, appPlan));
        }

+        [Fact]
+        public async Task CanAssign_assign_if_if_user_added_by_email()
+        {
+            var command = new AssignContributor { ContributorId = "1@email.com" };
+
+            await GuardAppContributors.CanAssign(contributors_0, command, users, appPlan);
+
+            Assert.Equal("1", command.ContributorId);
+        }
+
        [Fact]
        public Task CanAssign_should_not_throw_exception_if_user_found()
        {
--- a/tests/Squidex.Domain.Apps.Entities.Tests/Apps/Guards/GuardAppTests.cs
+++ b/tests/Squidex.Domain.Apps.Entities.Tests/Apps/Guards/GuardAppTests.cs
@ -27,7 +27,7 @@ namespace Squidex.Domain.Apps.Entities.Apps.Guards
            A.CallTo(() => apps.GetAppAsync("new-app"))
                .Returns(Task.FromResult<IAppEntity>(null));

-            A.CallTo(() => users.FindByIdAsync(A<string>.Ignored))
+            A.CallTo(() => users.FindByIdOrEmailAsync(A<string>.Ignored))
                .Returns(A.Fake<IUser>());

            A.CallTo(() => appPlans.GetPlan("free"))
--- a/tests/Squidex.Infrastructure.Tests/EventSourcing/Grains/OrleansEventNotifierTests.cs
+++ b/tests/Squidex.Infrastructure.Tests/EventSourcing/Grains/OrleansEventNotifierTests.cs
@ -29,7 +29,6 @@ namespace Squidex.Infrastructure.EventSourcing.Grains
        [Fact]
        public void Should_wakeup_manager_with_stream_name()
        {
-            sut.Initialize();
            sut.NotifyEventsStored("my-stream");

            A.CallTo(() => manager.ActivateAsync("my-stream"))
--- a/tests/Squidex.Infrastructure.Tests/Orleans/BootstrapTests.cs
+++ b/tests/Squidex.Infrastructure.Tests/Orleans/BootstrapTests.cs
@ -6,10 +6,13 @@
 //  All rights reserved.
 // ==========================================================================

+using System;
 using System.Threading;
 using System.Threading.Tasks;
 using FakeItEasy;
 using Orleans;
+using Orleans.Runtime;
+using Squidex.Infrastructure.Tasks;
 using Xunit;

 namespace Squidex.Infrastructure.Orleans
@ -37,5 +40,41 @@ namespace Squidex.Infrastructure.Orleans
            A.CallTo(() => grain.ActivateAsync())
                .MustHaveHappened();
        }
+
+        [Fact]
+        public async Task Should_fail_on_non_rejection_exception()
+        {
+            A.CallTo(() => grain.ActivateAsync())
+                .Throws(new InvalidOperationException());
+
+            await Assert.ThrowsAsync<InvalidOperationException>(() => sut.Execute(CancellationToken.None));
+        }
+
+        [Fact]
+        public async Task Should_retry_after_rejection_exception()
+        {
+            A.CallTo(() => grain.ActivateAsync())
+                .Returns(TaskHelper.Done);
+
+            A.CallTo(() => grain.ActivateAsync())
+                .Throws(new OrleansException()).Once();
+
+            await sut.Execute(CancellationToken.None);
+
+            A.CallTo(() => grain.ActivateAsync())
+                .MustHaveHappened(Repeated.Exactly.Twice);
+        }
+
+        [Fact]
+        public async Task Should_fail_after_10_rejection_exception()
+        {
+            A.CallTo(() => grain.ActivateAsync())
+                .Throws(new OrleansException());
+
+            await Assert.ThrowsAsync<OrleansException>(() => sut.Execute(CancellationToken.None));
+
+            A.CallTo(() => grain.ActivateAsync())
+                .MustHaveHappened(Repeated.Exactly.Times(10));
+        }
    }
 }