From 9b5cbfb018f38956791d7dc4465076d32c1f6933 Mon Sep 17 00:00:00 2001
From: Carlos Proensa
Date: Tue, 11 Apr 2017 10:53:34 +0200
Subject: [PATCH] Remove functionality: serialized filter as parameter

current_user_get_bug_filter was reading for a gpc variable "filter", which can represents a json encoded filter array This means that this parameter would override the usual filter workflows if present. AFAIK, this is not used currently in mantis, and may be an old implementation. Keep the existing "filter" parameter as a numerical id, whcih point to the token_id which holds a temporary filter
---
core/current_user_api.php | 29 ++++++++++++++---------------
1 file changed, 14 insertions(+), 15 deletions(-)
diff --git a/core/current_user_api.php b/core/current_user_api.php
index e60e00504d..4928df5f25 100644
--- a/core/current_user_api.php
+++ b/core/current_user_api.php
@@ -228,26 +228,25 @@ function current_user_ensure_unprotected() {
 }
 /**
- * Returns the issue filter parameters for the current user
+ * Returns the issue filter for the current user, which is retrieved by
+ * evaluating these steps:
+ * 1) Reads gpc vars for a token id, which means to load a temporary filter
+ * 2) Otherwise, get the filter saved as current, for the user, project
 *
- * @param integer $p_project_id Project id. This argument is only used if a 'filter' string is not passed via the web request.
- * The default value is null meaning return the current filter for user's current project
- if a filter string is not supplied.
- * @return array User filter, if not set, then default filter.
+ * @param integer $p_project_id Project id to get the user's filter from, if needed.
+ * @return array A filter array
 * @access public
 */
 function current_user_get_bug_filter( $p_project_id = null ) {
- $f_filter_string = gpc_get_string( 'filter', '' );
- $t_filter = array();
+ $f_filter_token = gpc_get( 'filter', null );
- if( !is_blank( $f_filter_string ) ) {
- if( is_numeric( $f_filter_string ) ) {
- $t_token = token_get_value( TOKEN_FILTER );
- if( null != $t_token ) {
- $t_filter = json_decode( $t_token, true );
- }
- } else {
- $t_filter = json_decode( $f_filter_string, true );
+ if( null !== $f_filter_token && token_exists( (int)$f_filter_token ) ) {
+ # If the token id exists, try to load the value
+ # At this point, only one value can exists for each token type and user
+ # so read the token based on type, regardless of the id that was provided
+ $t_token = token_get_value( TOKEN_FILTER );
+ if( null != $t_token ) {
+ $t_filter = json_decode( $t_token, true );
 }
 $t_filter = filter_ensure_valid_filter( $t_filter );
 } else if( !filter_is_cookie_valid() ) {
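Review bot: `$t_filter` can reach `filter_ensure_valid_filter( $t_filter )` undefined, because the hunk removes the `$t_filter = array();` initialisation while the only assignment stays inside `if( null != $t_token )`. When the token id exists but `token_get_value( TOKEN_FILTER )` returns null, PHP raises an undefined-variable notice and passes null on; keeping `$t_filter = array();` above the outer `if` restores the old fallback. Separately, `token_exists( (int)$f_filter_token )` gates on the request-supplied id while the value is then read by type only. If `token_exists` is not scoped to the current user and to `TOKEN_FILTER` (not visible in this hunk), the id check guarantees less than the comment suggests, and the comment should say so. The function body continues past the end of the hunk.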