Merge tag 'release-1.2.18' into oracle

Stable release 1.2.18

.mailmap

@@ -7,6 +7,7 @@ Damien Regad <dregad@mantisbt.org> <damien.regad@merckserono.net>
 David Hicks <d@hx.id.au> <hickseydr@optusnet.com.au>
 David Newcomb <davidnewcomb@users.sourceforge.net> davidnewcomb
 Frank Rodgers <frodgers@redcom.com> <frodgers@iowa.redcom.com>
+jeckyhl <jeckyhl@sourceforge.net> jeckyll <jeckyll@mantisbt.org>
 Jim Hanley <dgtlrift@users.sourceforge.net> dgtlrift
 Johan Guilbaud <git@lapinkiller.fr>
 Johan Guilbaud <git@lapinkiller.fr> Lapinkiller <lapinkiller@hotmail.fr>
@@ -18,13 +19,19 @@ Michael Lorer <info@01-scripts.de>
 Paul Richards <paul@mantisforge.org> Paul
 Paul Richards <paul@mantisforge.org> <Paul@.(none)>
 Paul Richards <paul@mantisforge.org> root <root@paul.shroudbox.com>
+Paul Richards <paul@mantisforge.org> <paul@issue-track.org>
 Robert Munteanu <robert@lmn.ro> <robert.munteanu@gmail.com>
 Robert Munteanu <robert@lmn.ro> <robert.munteanu@sdc.ro>
-Siebrand Mazeland <s.mazeland@xs4all.nl>
-Siebrand Mazeland <s.mazeland@xs4all.nl> git <Administrator@.(none)>
-Siebrand Mazeland <s.mazeland@xs4all.nl> unknown <Administrator@.(none)>
+Robert Munteanu <robert@lmn.ro> <rmuntean@adobe.com>
+Siebrand Mazeland <siebrand@kitano.nl>
+Siebrand Mazeland <siebrand@kitano.nl> <s.mazeland@xs4all.nl>
+Siebrand Mazeland <siebrand@kitano.nl> git <Administrator@.(none)>
+Siebrand Mazeland <siebrand@kitano.nl> unknown <Administrator@.(none)>
 Stéphane Veyret <sveyret@axway.com>
 Tarik Sedlarevic <tazza70@users.sourceforge.net> tazza70
 Véronique Maginot <veronique.maginot@credit-agricole-sa.fr>
 Victor Boctor <vboctor@gmail.com> root <root@localhost.localdomain>
+Victor Boctor <vboctor@gmail.com> <vboctor@localhost.localdomain>
 Victor Boctor <vboctor@gmail.com> <vboctor@new-host-3.home>
+Victor Boctor <vboctor@gmail.com> <victor@mantishub.com>
+Victor Boctor <vboctor@gmail.com> <victor@mantishub.net>

adm_config_report.php

@@ -138,6 +138,7 @@ function print_option_list_from_array( $p_array, $p_filter_value ) {
 	} else {
 		# Retrieve the filter from the cookie if it exists
 		$t_cookie_string = gpc_get_cookie( $t_cookie_name, null );
+
 		if( null !== $t_cookie_string ) {
 			$t_cookie_contents = explode( ':', $t_cookie_string );
 
@@ -148,6 +149,13 @@ function print_option_list_from_array( $p_array, $p_filter_value ) {
 			if( $t_filter_project_value != META_FILTER_NONE && !project_exists( $t_filter_project_value ) ) {
 				$t_filter_project_value = ALL_PROJECTS;
 			}
+
+			if(    $t_filter_config_value != META_FILTER_NONE
+			   && !is_blank( $t_filter_config_value )
+			   && @config_get_global( $t_filter_config_value ) === null
+			) {
+				$t_filter_config_value = META_FILTER_NONE;
+			}
 		}
 	}
 
@@ -472,7 +480,7 @@ function print_option_list_from_array( $p_array, $p_filter_value ) {
 	</td>
 	<td>
 		<input type="text" name="config_option"
-			value="<?php echo $t_edit_option; ?>"
+			value="<?php echo string_attribute( $t_edit_option ); ?>"
 			size="64" maxlength="64" />
 	</td>
 </tr>

adm_permissions_report.php

@@ -76,10 +76,12 @@ function get_section_end() {
 	echo '<br /><br />';
 
 	# News
-	echo get_section_begin_apr( lang_get( 'news' ) );
-	echo get_capability_row( lang_get( 'view_private_news' ), config_get( 'private_news_threshold' ) );
-	echo get_capability_row( lang_get( 'manage_news' ), config_get( 'manage_news_threshold' ) );
-	echo get_section_end();
+    if( config_get( 'news_enabled' ) == ON ) {
+        echo get_section_begin_apr( lang_get( 'news' ) );
+        echo get_capability_row( lang_get( 'view_private_news' ), config_get( 'private_news_threshold' ) );
+        echo get_capability_row( lang_get( 'manage_news' ), config_get( 'manage_news_threshold' ) );
+        echo get_section_end();
+	}
 
 	# Attachments
 	if( config_get( 'allow_file_upload' ) == ON ) {

admin/copy_field.php

@@ -30,6 +30,18 @@
 
 $f_source_field_id = gpc_get_int( 'source_id' );
 $f_dest_field = gpc_get( 'dest_id' );
+
+# checks on validity
+$t_valid_fields = array(
+	'fixed_in_version',
+);
+if( !in_array( $f_dest_field, $t_valid_fields ) ) {
+	echo '<html><body>';
+	echo '<p>Invalid destination field (' . string_attribute($f_dest_field) . ') specified.</p>';
+	echo '</body></html>';
+	exit;
+}
+
 ?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html>
@@ -53,15 +65,6 @@
 <br /><br />
 
 <?php
-# checks on validity
-$t_valid_fields = array(
-	'fixed_in_version',
-);
-if( !in_array( $f_dest_field, $t_valid_fields ) ) {
-	echo '<p>Invalid destination field (' . $f_dest_field . ') specified.</p>';
-	echo '</body></html>';
-	exit;
-}
 
 # @@@ check that source and destination are compatible
 

admin/upgrade_unattended.php

@@ -94,27 +94,22 @@ function print_test_result( $p_result, $p_hard_fail = true, $p_message = '' ) {
 }
 
 # read control variables with defaults
-$f_hostname = gpc_get( 'hostname', config_get( 'hostname', 'localhost' ) );
-$f_db_type = gpc_get( 'db_type', config_get( 'db_type', '' ) );
-$f_database_name = gpc_get( 'database_name', config_get( 'database_name', 'bugtrack' ) );
-$f_db_username = gpc_get( 'db_username', config_get( 'db_username', '' ) );
-$f_db_password = gpc_get( 'db_password', config_get( 'db_password', '' ) );
-$f_db_exists = gpc_get_bool( 'db_exists', false );
+$t_db_type = config_get_global( 'db_type' );
 
 # install the tables
-if ( !preg_match( '/^[a-zA-Z0-9_]+$/', $f_db_type ) ||
-     !file_exists( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'library' . DIRECTORY_SEPARATOR . 'adodb' . DIRECTORY_SEPARATOR . 'drivers' . DIRECTORY_SEPARATOR . 'adodb-' . $f_db_type . '.inc.php' ) ) {
-	echo 'Invalid db type ' . htmlspecialchars( $f_db_type ) . '.';
+if( !preg_match( '/^[a-zA-Z0-9_]+$/', $f_db_type ) ||
+	!file_exists( dirname( dirname( __FILE__ ) ) . '/library/adodb/drivers/adodb-' . $t_db_type . '.inc.php' ) ) {
+	echo 'Invalid db type ' . htmlspecialchars( $t_db_type ) . '.';
 	exit;
 }
 
-$GLOBALS['g_db_type'] = $f_db_type; # database_api references this
-require_once( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'schema.php' );
-$g_db = ADONewConnection( $f_db_type );
+$GLOBALS['g_db_type'] = $t_db_type; # database_api references this
+require_once( dirname( __FILE__ ) . '/schema.php' );
+$g_db = ADONewConnection( $t_db_type );
 
 echo "\nPost 1.0 schema changes\n";
 echo "Connecting to database... ";
-$t_result = @$g_db->Connect( $f_hostname, $f_db_username, $f_db_password, $f_database_name );
+$t_result = @$g_db->Connect( config_get_global( 'hostname' ), config_get_global( 'db_username' ), config_get_global( 'db_password' ), config_get_global( 'database_name' ) );
 
 if( false == $t_result ) {
 	echo "Failed.\n";

api/soap/mc_account_api.php

@@ -11,17 +11,34 @@ function mci_account_get_array_by_id( $p_user_id ) {
 	$t_result['id'] = $p_user_id;
 
 	if( user_exists( $p_user_id ) ) {
+
+		$t_current_user_id = auth_get_current_user_id();
+		$t_access_level = user_get_field ( $t_current_user_id, 'access_level' );
+		$t_can_manage = access_has_global_level( config_get( 'manage_user_threshold' ) ) &&
+			access_has_global_level( $t_access_level );
+
+		# this deviates from the behaviour of view_user_page.php, but it is more intuitive
+		$t_is_same_user = $t_current_user_id === $p_user_id;
+
+		$t_can_see_realname = access_has_project_level( config_get( 'show_user_realname_threshold' ) );
+		$t_can_see_email = access_has_project_level( config_get( 'show_user_email_threshold' ) );
+
 		$t_result['name'] = user_get_field( $p_user_id, 'username' );
-		$t_dummy = user_get_field( $p_user_id, 'realname' );
 
-		if( !empty( $t_dummy ) ) {
-			$t_result['real_name'] = $t_dummy;
+		if ( $t_is_same_user || $t_can_manage || $t_can_see_realname ) {
+			$t_realname = user_get_realname( $p_user_id );
+
+			if( !empty( $t_realname ) ) {
+				$t_result['real_name'] = $t_realname;
+			}
 		}
 
-		$t_dummy = user_get_field( $p_user_id, 'email' );
+		if ( $t_is_same_user || $t_can_manage || $t_can_see_email ) {
+			$t_email = user_get_email( $p_user_id );
 
-		if( !empty( $t_dummy ) ) {
-			$t_result['email'] = $t_dummy;
+			if( !empty( $t_email ) ) {
+				$t_result['email'] = $t_email;
+			}
 		}
 	}
 	return $t_result;

api/soap/mc_issue_api.php

@@ -96,7 +96,9 @@ function mc_issue_get( $p_username, $p_password, $p_issue_id ) {
 	$t_issue_data['sponsorship_total'] = $t_bug->sponsorship_total;
 
 	if( !empty( $t_bug->handler_id ) ) {
-		$t_issue_data['handler'] = mci_account_get_array_by_id( $t_bug->handler_id );
+		if( access_has_bug_level( VIEWER, $p_issue_id, $t_user_id ) ) {
+			$t_issue_data['handler'] = mci_account_get_array_by_id( $t_bug->handler_id );
+		}
 	}
 
 	$t_issue_data['projection'] = mci_enum_get_array_by_id( $t_bug->projection, 'projection', $t_lang );
@@ -566,6 +568,39 @@ function mc_issue_get_id_from_summary( $p_username, $p_password, $p_summary ) {
 	}
 }
 
+/**
+ * Does the actual checks when setting the issue handler.
+ * The user existence check is always done even if handler doesn't change.
+ * The handler's access level check is done even if handler doesn't change.
+ * The current user ability to assign issue access check is only done on change.
+ * This behavior would be consistent with the web UI.
+ *
+ * @param $p_user_id        The id of the logged in user.
+ * @param $p_project_id     The id of the project the issue is associated with.
+ * @param $p_old_handler_id The old handler id.
+ * @param $p_new_handler_id The new handler id.  0 for not assigned.
+ * @return true: access ok, otherwise: soap fault.
+ */
+function mci_issue_handler_access_check( $p_user_id, $p_project_id, $p_old_handler_id, $p_new_handler_id ) {
+	if( $p_new_handler_id != 0 ) {
+		if ( !user_exists( $p_new_handler_id ) ) {
+			return SoapObjectsFactory::newSoapFault( 'Client', 'User \'' . $p_new_handler_id . '\' does not exist.' );
+		}
+
+		if( !access_has_project_level( config_get( 'handle_bug_threshold' ), $p_project_id, $p_new_handler_id ) ) {
+			return mci_soap_fault_access_denied( 'User \'' . $p_new_handler_id . '\' does not have access right to handle issues' );
+		}
+	}
+
+	if( $p_old_handler_id != $p_new_handler_id ) {
+		if( !access_has_project_level( config_get( 'update_bug_assign_threshold' ), $p_project_id, $p_user_id ) ) {
+			return mci_soap_fault_access_denied( 'User \'' . $p_user_id . '\' does not have access right to assign issues' );
+		}
+	}
+
+	return true;
+}
+
 /**
  * Add an issue to the database.
  *
@@ -632,14 +667,10 @@ function mc_issue_add( $p_username, $p_password, $p_issue ) {
 		return mci_soap_fault_access_denied( "User '$t_user_id' does not have access right to report issues" );
 	}
 
-	#if ( !access_has_project_level( config_get( 'report_bug_threshold' ), $t_project_id ) ||
-	#	!access_has_project_level( config_get( 'report_bug_threshold' ), $t_project_id, $v_reporter ) ) {
-	#	return SoapObjectsFactory::newSoapFault( 'Client', '', "User does not have access right to report issues." );
-	#}
-
-	if(( $t_handler_id != 0 ) && !user_exists( $t_handler_id ) ) {
-		return SoapObjectsFactory::newSoapFault('Client', "User '$t_handler_id' does not exist.");
-	}
+	$t_access_check_result = mci_issue_handler_access_check( $t_user_id, $t_project_id, /* old */ 0, /* new */ $t_handler_id );
+	if( $t_access_check_result !== true ) {
+		return $t_access_check_result;
+ 	}
 
 	$t_category = isset ( $p_issue['category'] ) ? $p_issue['category'] : null;
 
@@ -819,10 +850,6 @@ function mc_issue_update( $p_username, $p_password, $p_issue_id, $p_issue ) {
 		return mci_soap_fault_access_denied( $t_user_id,  "Not enough rights to update issues" );
 	}
 
-	if(( $t_handler_id != 0 ) && !user_exists( $t_handler_id ) ) {
-		return SoapObjectsFactory::newSoapFault( 'Client', "User '$t_handler_id' does not exist." );
-	}
-
 	$t_category = isset ( $p_issue['category'] ) ? $p_issue['category'] : null;
 
 	$t_category_id = translate_category_name_to_id( $t_category, $t_project_id );
@@ -858,6 +885,12 @@ function mc_issue_update( $p_username, $p_password, $p_issue_id, $p_issue ) {
 	$t_bug_data = bug_get( $p_issue_id, true );
 	$t_bug_data->project_id = $t_project_id;
 	$t_bug_data->reporter_id = $t_reporter_id;
+
+	$t_access_check_result = mci_issue_handler_access_check( $t_user_id, $t_project_id, /* old */ $t_bug_data->handler_id, /* new */ $t_handler_id );
+	if( $t_access_check_result !== true ) {
+		return $t_access_check_result;
+	}
+
 	$t_bug_data->handler_id = $t_handler_id;
 	$t_bug_data->category_id = $t_category_id;
 	$t_bug_data->summary = $t_summary;
@@ -978,6 +1011,10 @@ function mc_issue_update( $p_username, $p_password, $p_issue_id, $p_issue ) {
 				bugnote_add( $p_issue_id, $t_note['text'], mci_get_time_tracking_from_note( $p_issue_id, $t_note ), $t_view_state_id == VS_PRIVATE, $note_type, $note_attr, $t_user_id, FALSE );
 			}
 		}
+
+		# The issue has been cached earlier in the bug_get() call.  Flush the cache since it is
+		# now stale.  Otherwise, the email notification will be based on the cached data.
+		bugnote_clear_cache( $p_issue_id );
 	}
 
 	if ( isset ( $p_issue['tags']) && is_array ( $p_issue['tags']) ) {

api/soap/mc_project_api.php

@@ -655,6 +655,7 @@ function mc_project_get_attachments( $p_username, $p_password, $p_project_id ) {
 		return mci_soap_fault_login_failed();
 	}
 
+	$p_project_id = (int)$p_project_id;
 	$g_project_override = $p_project_id;
 
 	# Check if project documentation feature is enabled.

bug_file_add.php

@@ -53,10 +53,12 @@
 	access_ensure_bug_level( config_get( 'upload_bug_file_threshold' ), $f_bug_id );
 
 	# Process array of files to upload
-	$t_files = helper_array_transpose( $f_files );
-	foreach( $t_files as $t_file ) {
-		if( !empty( $t_file['name'] ) ) {
-			file_add( $f_bug_id, $t_file, 'bug' );
+	if( -1 != $f_files ) {
+		$t_files = helper_array_transpose( $f_files );
+		foreach( $t_files as $t_file ) {
+			if( !empty( $t_file['name'] ) ) {
+				file_add( $f_bug_id, $t_file, 'bug' );
+			}
 		}
 	}
 

bug_report.php

@@ -94,6 +94,11 @@
 		$t_bug_data->target_version = gpc_get_string( 'target_version', '' );
 	}
 
+	# Prevent unauthorized users setting handler when reporting issue
+	if( $t_bug_data->handler_id > 0 ) {
+		access_ensure_project_level( config_get( 'update_bug_assign_threshold' ) );
+	}
+
 	# if a profile was selected then let's use that information
 	if ( 0 != $t_bug_data->profile_id ) {
 		if ( profile_is_global( $t_bug_data->profile_id ) ) {
@@ -147,10 +152,12 @@
 	last_visited_issue( $t_bug_id );
 
 	# Handle the file upload
-	$t_files = helper_array_transpose( $f_files );
-	foreach( $t_files as $t_file ) {
-		if( !empty( $t_file['name'] ) ) {
-			file_add( $t_bug_id, $t_file, 'bug' );
+	if( !is_null( $f_files ) ) {
+		$t_files = helper_array_transpose( $f_files );
+		foreach( $t_files as $t_file ) {
+			if( !empty( $t_file['name'] ) ) {
+				file_add( $t_bug_id, $t_file, 'bug' );
+			}
 		}
 	}
 
@@ -199,16 +206,16 @@
 		# copy notes from parent
 		if ( $f_copy_notes_from_parent ) {
 
-		    $t_parent_bugnotes = bugnote_get_all_bugnotes( $f_master_bug_id );
+			$t_parent_bugnotes = bugnote_get_all_bugnotes( $f_master_bug_id );
 
-		    foreach ( $t_parent_bugnotes as $t_parent_bugnote ) {
+			foreach ( $t_parent_bugnotes as $t_parent_bugnote ) {
 
-		        $t_private = $t_parent_bugnote->view_state == VS_PRIVATE;
+				$t_private = $t_parent_bugnote->view_state == VS_PRIVATE;
 
-		        bugnote_add( $t_bug_id, $t_parent_bugnote->note, $t_parent_bugnote->time_tracking,
-		            $t_private, $t_parent_bugnote->note_type, $t_parent_bugnote->note_attr,
-		            $t_parent_bugnote->reporter_id, /* send_email */ FALSE , /* log history */ FALSE);
-		    }
+				bugnote_add( $t_bug_id, $t_parent_bugnote->note, $t_parent_bugnote->time_tracking,
+					$t_private, $t_parent_bugnote->note_type, $t_parent_bugnote->note_attr,
+					$t_parent_bugnote->reporter_id, /* send_email */ FALSE , /* log history */ FALSE);
+			}
 		}
 
 		# copy attachments from parent

config_defaults_inc.php

@@ -2030,9 +2030,8 @@
 	 * An array of the fields to show on the bug report page.
 	 *
 	 * The following fields can not be included:
-	 * id, project, date_submitted, last_updated, status,
-	 * resolution, tags, fixed_in_version, projection, eta,
-	 * reporter.
+	 * id, project, date_submitted, last_updated, tags, fixed_in_version,
+	 * projection, eta, reporter.
 	 *
 	 * The following fields must be included:
 	 * category_id, summary, description.