base fork: mantisbt/mantisbt
base: master
head fork: mantisbt/mantisbt
compare: 2b5691f07756
This comparison is big! We're only showing the most recent 250 commits
Commits on Nov 11, 2012
@dregad dregad Changed version to 1.2.13dev 23b9476
@vboctor vboctor Fixes #15200: Anonymous access is broken. d67c257
@dregad dregad Reset version to 1.2.12 e78c311
@dregad dregad Changed version back to 1.2.13dev
This reverts commit e78c311.
Commits on Nov 12, 2012
@dregad dregad Fix SQL error in summary page on PostgreSQL
This is a regression introduced by the fix for issue #11928 (see commit
0c9dc2a) which was not detected before
as it was tested on MySQL which has more permissive SQL syntax.

Fixes #15201
@rombert rombert Fix #14871: Add support for the built-in soap extension in addition to
Commits on Nov 14, 2012
@dregad dregad Fix and improve timezone verification in admin checks
admin/check.php now properly detects issues with timezone settings, in
line with behavior of date_default_timezone_get() in PHP >= 5.3 and
provides better information to the admin in case of errors.

It also fixes an issue with PHP 5.1, by only calling function
timezone_identifiers_list() when it actually exists, and returns a
warning that it is unable to check timezone if it does not. Thanks to
Tim Jackson for detecting and providing the initial patch for this bug.

Fixes #14009
@dregad dregad Documentation: added $g_default_timezone to admin guide
Fixes #11854
@rombert rombert SOAP API: make the first parameter of mci_soap_fault_access_denied

Fixes #14871: Add support for the built-in soap extension in addition to
@rombert rombert SOAP API: add failing test for retrieving issue text in non-latin cha…

Affects #14157: Array to string conversion error on soap request with
PHP 5.4
Commits on Nov 15, 2012
@rombert rombert Fix replacing of invalid XML characters
Fixes #14157: Array to string conversion error on soap request with PHP
Commits on Nov 20, 2012
@siebrand siebrand Localisation updates from e4d4f1b
@rombert rombert SOAP API: only reference the global default category if it exists
Fixes #15222: mc_project_delete_category fails to delete category
Commits on Nov 21, 2012
@rombert rombert soap api: fall back to the default_category_for_moves when deleting

Fixes #15222: mc_project_delete_category fails to delete category
Commits on Nov 22, 2012
@rombert rombert Fix #15199: Update json api error format e7bb701
Commits on Nov 26, 2012
@siebrand siebrand Localisation updates from 1c847ef
Commits on Nov 29, 2012
@dregad dregad Don't send notif mail when updating Protected account's Access Level
Prior to this, Mantis would effectively not update the protected user
account's 'Access Level' field, but would still send a notification to
the user informing them that the field was modified, causing confusion.

The confirmation message for protected account update was reworded.

Fixes #15247
@dregad dregad Reworded PHPdoc email_send_all() function description 3be57b7
@dregad dregad Make email_send_all() send older queued messages first
To achieve this, a new optional parameter was added to function
email_queue_get_ids() to specify the desired sort order (defaults to
'DESC' to ensure no change in behavior).

email_send_all() now retrieves the list of emails to send in ascending

Fixes #15248
Commits on Dec 01, 2012
@dregad dregad Remove unnecessary assignment
Commit 361089d omitted to remove the
old default value for $g_set_status_threshold.
@siebrand siebrand Localisation updates from deb45ec
Commits on Dec 04, 2012
@dregad dregad Enable filter date fields by default when $g_use_javascript = OFF
With javascript disabled, when ticking 'use date filters' checkbox in
view issues page, the associated selection fields to pick the date
criteria remain disabled, preventing date filtering.

The code now detects the state of $g_use_javascript and sets the
'disabled' state of the date selection fields accordingly.

Also removes 'Undefined variables' system notices.

Fixes #15255
@dregad dregad Fix inconsistent use of numeric vs text month in date filter
The selection list now uses full-text months consistently across the
filter page

Fixes #15257
Commits on Dec 06, 2012
@dregad dregad access_get_status_threshold() returns incorrect value for NEW
When the user's access level is below $g_update_bug_status_threshold and
the status to change to is NEW, the function returned the incorrect
access level, preventing user from accessing the target status when
updating bugs, even though the workflow permits it.

This commit fixes the problem by introducing special handling for NEW
status ('bug_submit_status'), in which case the function returns
'report_bug_threshold' otherwise it falls back to default

Fixes #15260, affects issue #15258
@dregad dregad Prevent reporters from changing issue status to 'new'
Due to a missing access level check in html_button_bug_update(), in some
cases reporters had access to the 'Change Status To' button, which could
let them change an existing issue's status to 'new' (even if not their
own issue).

The code now checks that the user has at least 'update_bug_threshold'
permissions to display the button.

Fixes #15258
@dregad dregad Fix custom_field_get_id_from_name() always returning false
Commit 6a7db34 introduced an error in
the call to db_query_bound(), passing the param as a scalar value
instead of an array.

Thanks to user nimmich for noticing the issue and providing a patch.

Fixes #15264
@dregad dregad Cache obsolete custom field names
If a custom field name changed, custom_field_get_id_from_name() keeps
asking the database for an id over and over again (e.g. for every
change of the field in the bug history) to decide if it should be

Thanks to user nimmich for noticing the issue and providing a patch.

Fixes #15265
Commits on Dec 08, 2012
@siebrand siebrand Localisation updates from 26c592a
Commits on Dec 12, 2012
@dregad dregad Make username in Manage Projects page a link to edit user
Fixes #3693
@MatthieuR MatthieuR Manage columns include: rename form and remove multipart encoding
The form in manage_columns_inc.php was apparently copy-pasted from
bug_report_page.php; it was named "report_bug_form" and an optional
multipart encoding if file upload is enabled, which does not make sense
in this context.

This code-cleanup commit removes the enctype and renames the form.

Fixes #15280

Signed-off-by: Damien Regad <>
JGuilbaud Show all users in assign filter when ALL PROJECTS is selected
Fixes #10130

Signed-off-by: Damien Regad <>
Commits on Dec 13, 2012
@dregad dregad Optimise code in print_user_option_list()
Improve performance of code building the list of users for all projects
introduced in commit 21746dd.

By using an associative array, the foreach loop to remove duplicates can
be simplified (no need for an if statement) and we can also remove the
current user from the list more easily.

Affects issue #10130
@dregad dregad Removing current user from list built by print_user_option_list()
Since there is a [myself] value in the list, the current user should be
removed. This was done for ALL_PROJECTS with the fix for issue #10130,
but the single-project code still listed the current user.

By moving the code to remove the current user to the foreach loop that
builds the sort arrays, we ensure that it is removed in both cases.
Commits on Dec 14, 2012
@dregad dregad Do not remove current user from list
As mentioned by atrol in issue #10130, removing the current user causes
potential loss of functionality when using filters because [myself]
(handler_id = -1) is not the same as a specific handler_id.

This is a partial revert of 748c4ce.
Lapinkiller fix #14559 - Filter for adm_report_config.php
Signed-off-by: Damien Regad <>
@dregad dregad Issue #14559: improve adm_report_config.php filter
The following changes were made

- revised UI to make it more similar to the issues filter
- make use of existing constants and language strings
- filter defaults to All Users / All Projects / All options which avoids
  performance issues in installations having a large number of entries
  in the config table (workaround for issue #13680)
- filter form uses post instead of get method
- comply to coding guidelines
Commits on Dec 16, 2012
@rombert rombert Fix undefined access to $l_oServer d828a3b
@siebrand siebrand Localisation updates from 4f94440
Commits on Dec 21, 2012
@siebrand siebrand Localisation updates from 07b5d53
Commits on Dec 28, 2012
@dregad dregad Make it possible to edit config options in adm_config_report.php
Use CONFIG_TYPE_xxx constants instead of magic strings to define the
type of config value to process.

Added code for FLOAT type which was previously handled through COMPLEX.

Improve handling of INT (and FLOAT) by calling constant_replace(),
allowing user to specify a defined constant instead of a numeric value.

Fixes #7586
Commits on Dec 30, 2012
@siebrand siebrand Localisation updates from d8c8188
Commits on Dec 31, 2012
@dregad dregad Standardize the copyright notice
To facilitate the process of bumping the copyright year, this commit unifies
the way the copyright statement is written throughout the code.
@dregad dregad Update copyright year to 2013 293dd6d
@dregad dregad Use date() for current copyright year in html_footer 6e51d86
@dregad dregad Split very long echo statement on multiple lines 66050dc
@dregad dregad Revised Cookies documentation
- Removed paragraph with incorrect information about need to redefine
  cookie variables after modifying $g_cookie_prefix.
- Revised layout
- Updated description for some variables
- Reflected these changes in related comments in config_default_inc.php
@dregad dregad Fix 1st uppercase letter for 'Filters' language string
Affects issue #14559
@dregad dregad Respect $g_show_realname setting in config report's filter userlist
The filter's original implementation displayed "Realname (username)" in
the user selection list. We now only retrieve the user id from the db,
and call user_get_name() to get either the realname or the username as
appropriate instead.

Issue #14559
@dregad dregad Manage persistency of config report filter using a cookie
A new cookie 'manage_config_cookie' was added to store the user's filter

Includes documentation update to admin guide.

Issue #14559
@dregad dregad Rename 'manage_cookie' to 'manage_users_cookie'
After the introduction of the 'manage_config_cookie', the name of the
existing cookie ('manage_cookie') which is used to store the filter for
the Manage Users page could be misleading, so it has been renamed to
Commits on Jan 01, 2013
@dregad dregad Whitespace: remove unnecessary code indentation 65696fb
Commits on Jan 02, 2013
@dregad dregad Config report filter: added handling for invalid values in cookie
In some cases, the cookie could contain values which are no longer
applicable as filter criteria, e.g.
  - a project id which has been deleted
  - a user id for whom there are no config options
  - a config id for which there are no config options

The code now correctly handles these, by making sure that either the
filter criteria is dynamically updated to a valid value (ALL_PROJECTS
for projects), or the filter's selection list effectively includes the
invalid value (user id, config id), so that the displayed filter
reflects the actual data listed in the Database Configuration table.

Fixes the bug reported by atrol in issue #14559's bugnote 34648
@dregad dregad Config report: preset the edit form to the current filter
The 'Username', 'Project Name' and 'Configuration Option' fields in the
'Set Configuration Option' form are now preset to the corresponding
value from the filter or defaulting to ALL_USERS, ALL_PROJECTS and blank
respectively if the filter is not defined or set to '[any]'.

This allows easier definition of related config, e.g. for a given
project or user.
@dregad dregad Config report filter: added buttons to clear and reset default filter
This provides the user with a single-click way to

 - reset the filter to default settings
   (i.e. ALL_USERS, ALL_PROJECTS, [any] config).
 - clear the filter to display all configs
   (i.e. [any] user, [any] project, [any] config)

Issue #14559
@dregad dregad Fix performance issue on adm_config_report.php
In systems with large numbers of config items in mantis_config_table, the
Configuration Report page can take a very long time to load.

This behavior is due to each of the 'Delete' buttons being printed with
its own form, each one having a security token. The performance
bottleneck is actually the serialize/unserialize calls executed while
storing/retrieving the token from the PHP session.

To avoid this problem, the print_button() and form_security_field()
functions have been modified to accept a security token as an optional
parameter. This allows the calling page to generate a single token,
which is shared by all buttons.

Furthermore, print_button() also allows the security token parameter to
be 'OFF', which prevents the function from displaying a security field.
This is useful for buttons not resulting in modifications (i.e. not
requiring CSRF protection).

Fixes #13680
Commits on Jan 06, 2013
@atrol atrol Remove typos in name of default configuration file 8756bb4
@rombert rombert filter_api: apply all project_where_clauses first
where_clauses and project_where_clauses must not be mixed, since the
where_params are expected to be held in order - first for the
project_where_clauses and then for the where_clauses. 

Fixes #15320: Date filters broken since 1.2.12
Commits on Jan 07, 2013
@siebrand siebrand Localisation updates from ca6f667
Commits on Jan 09, 2013
@dregad dregad Support for multi-dimensional arrays in admin_config_set.php
This commit adds support for multi-dimensional arrays, as well as
correct handling of commas and '=>' within strings.

This is based on work by jspezeski; the original code was modified to
align with MantisBT coding guidelines, simplification of the recursive
function and fixing a couple of errors in regex.

Fixes #13298
@dregad dregad admin_config_set: Revised process_complex_value() function
The new code features an improved regex, which deals more efficiently
with the parsing of multi-dimensional and associative arrays.

Regex are defined as static variables for better performance with
repeated and recursive calls

Known issue: an invalid definition like 'array(array(1,2)=>array(3,4))'
is not properly parsed.

Fixes #13298
Commits on Jan 12, 2013
jeckyll fix #15356 [SOAP Api] Check errors raised by mci_issue_set_custom_field 1e70c3c
@rombert rombert Fix #15370: When a bug is resolved on report, default the handler to the
current user
Commits on Jan 13, 2013
@rombert rombert bug_report.php: Use NO_USER instead of magic constant a07f75e
@siebrand siebrand Localisation updates from e86be8d
Commits on Jan 15, 2013
@dregad dregad Added NetBeans IDE metadata directory to .gitignore 5b2116d
Commits on Jan 17, 2013
@dregad dregad Improve logging when sending e-mails
The email_api email_send() and email_send_all() functions have been
modified to provide a better log trace in case of errors.

A log entry is now printed in the following situations
- a message has already been sent
- the server is not responding and the batch sending is aborted
- whenever a phpMailer exception is thrown in email_send()

In addition, the log message gets the detailed error from phpMailer's
ErrorInfo property instead of the exception's getMessage(), as in some
cases (particularly when using PHPMAILER_METHOD_SMTP), the latter only
contains partial information instead of the full error text.

$t_emails_recipients_failed variable initialization has been removed as
it was not used in the code.

Fixes #15382
@dregad dregad Make log_event() calls print to stdout when running from CLI
This simple modification to the logging_api allows command-line scripts
such as send_emails.php to easily provide detailed information about
their operations, provided that the appropriate log_level is set in

This output can then be redirected to log files, etc.

Fixes #15382
@dregad dregad Add Missing config in workflow threshold page
The page lists the 'bug_reminder_threshold' (i.e. access level needed
for users to send reminders) configuration, but does not allow the admin
to set its counterpart 'reminder_receive_threshold'.

Fixes #15360
Commits on Jan 18, 2013
@davidhicks davidhicks Fix #15373: match_type XSS vulnerability
Jakub Galczyk discovered[1] a cross site scripting (XSS)
vulnerability in MantisBT 1.2.12 and earlier versions that allows a
malicious person to trick the browser of a target user into executing
arbitrary JavaScript via the URL: search.php?match_type="><script...

This vulnerability is particularly wide reaching due to search.php being
usable by anonymous users on public facing installations of MantisBT (no
user account required).

The value of the "match_type" filter parameter is now correctly
sanitised prior to use in the HTML output displaying the current filter

@rombert rombert filter api: always treat FILTER_PROPERTY_MATCH_TYPE as an int value
Based on @dregad's comments, this follows up on @dhx's fix.

Fixes #15373: XSS vulnerability
@davidhicks davidhicks Fix #15384: summary.php XSS vulnerability in MantisBT 1.2.12 only
Roland Becker (MantisBT Developer) discovered a XSS vulnerability
introduced in MantisBT 1.2.12 with the display of category/project names
on the summary.php page.

A malicious MantisBT user holding privileged manager/administrator
permissions could create a category or project name that contains
JavaScript code. Any user visiting summary.php from that point on may
then be exposed to having the malicious JavaScript execute within their
browser environment.

The severity of this issue is limited by the need to hold privileged
manager/administrator permissions in order to modify category and
project names. However -- there are many use cases where MantisBT
installations can have hundreds of sub-projects, each managed by
different people/parties that can not or should not be fully trusted.

Refer to previous commits 3ca8a16 and 6ec3f69 to trace back the origin
of this vulnerability.
Commits on Jan 19, 2013
@rombert rombert Revert "filter api: always treat FILTER_PROPERTY_MATCH_TYPE as an int value"

This reverts commit 610da6e.

This fix reopens the reported vulnerability therefore it is reverted.
@dregad dregad Update match_type parameter to be XSS-safe by itself
Use of gpc_get_int() instead of gpc_get_string() prevents malicious
users from passing arbitrary strings as parameter.

Fixes #15388
Commits on Jan 20, 2013
@dregad dregad Display of match_type filter property for unknown types
Prior to this, if for any reason the filter's match type property was
not one of the predefined types (i.e. 'any' or 'all'), the code would
default to 'all', but display a blank string on the filter page. This is
confusing to users, so the display now matches the filter's actual

Fixes #15389
Commits on Jan 22, 2013
@siebrand siebrand Localisation updates from 0052435
@dregad dregad Merge branch 'manage-config' into master-1.2.x
This branch implements several improvements to the Manage Configuration
page, including:

 - better performance
 - filtering
 - ability to edit config options
@dregad dregad Updated CREDITS file in preparation of 1.2.13 release 6492038
@dregad dregad Bump version and update release notes for 1.2.13 d38abf9
Commits on Jan 23, 2013
@dregad dregad Changed version to 1.2.14dev ced463b
@dregad dregad Fix huge memory consumption for print_user_option_list()
Following the implementation of the fix for 0010130, calling this
function when the current project is ALL_PROJECTS causes a massive surge
in memory usage as the code builds a large array containing the list of
all users in all projects accessible to the current user, and then
reduces it to remove duplicates.

This commit reduces the problem by removing calls to array_merge() and
building the consolidated user list in a single pass, using a while
loop. No-longer-used arrays are unset to free up memory.

Fixes #15411
@dregad dregad Fix #15415: XSS vulnerability on Configuration Report page
A project name containing javascript code results in execution of said
code when displaying the filter's project list.

Note that despite using the same function to display the option list,
the vulnerability does not exist for usernames (due to input
restrictions in place when creating/updating user accounts) or config
names (which must exist in config_default_inc.php and must be valid php
@dregad dregad Fix #15416: XSS issue in adm_config_report.php
If a 'complex' config option contains javascript code, it would be
executed when displaying the page.
Commits on Jan 27, 2013
@siebrand siebrand Localisation updates from f899063
Commits on Jan 28, 2013
@dregad dregad Bump version and update release notes for 1.2.14 9147d9d
Commits on Jan 29, 2013
@dregad dregad Revised release notes for 1.2.14
Based on atrol's feedback, added info about #15415.
Commits on Jan 30, 2013
@dregad dregad Changed version to 1.2.15dev a685ee5
@dregad dregad Remove call to realpath() when setting BASE_PATH in core.php
Per PHP documentation [1], since version 4.0.2 __FILE__ always contains
an absolute path with symlinks resolved; considering that MantisBT's
minimum requirement is PHP 5.1 we therefore do not need to call

This avoids problems with the function returning FALSE when the running
script does not have executable permissions on all directories in the
hierarchy, which can happen e.g. with shared hosting on Windows.

Fixes #15357

Commits on Jan 31, 2013
@cybd cybd Fix #15451: Incorrect invocations of SoapObjectsFactory::newSoapFault
Signed-off-by: Robert Munteanu <>
Commits on Feb 06, 2013
@dregad dregad Fix #15453: Only display Close button if workflow allows Closed status d85e69f
@dregad dregad Documentation: custom fields localization
The indications in the Custom Fields localization section contained an
incorrect reference to lang_get_current() to determine the current
language in custom_strings_inc.php. Using this function will cause the
code to return incorrect translations if the default language is
different from English.

Fixes #10118
@dregad dregad Fix #2971: add reminder events to the bug history f4753ec
Commits on Feb 07, 2013
@dregad dregad Removed trailing ':' from reminder_sent_to language string
This is for consistency, as except for error messages punctuation is
generally added by the code.

Issue #2971
@dregad dregad Improve handling of reminders' recipients list truncation
Replaced the previous method of truncating the list to a hardcoded
number of entries (50), to a more robust approach based on the size of
the underlying database field (250 chars, note_attr in bugnote table).

Added a message on the REMINDER bugnote, to inform user that the list of
recipients stored with the note, was actually truncated (Users should
refer to the issue's history to see who actually received the reminder).

This functionality relies on a hack, i.e. to indicate that the list was
truncated, bug_reminder.php is not storing the trailing delimiter in the
note_attr field, and this is picked up in bugnote_view_inc.php to
display the note to the user's attention.

Fixes #15470
@dregad dregad Optimize code to add reminder recipients to monitoring list de4e0fa
@dregad dregad Fix return value of email_bug_reminder()
The function now returns an array containing only the users to whom the
reminder e-mail was actually sent (i.e. excludes failures, blank e-mails,

In addition, the return value is now an array of user id's instead of
user names, which indeed makes more sense from an API perspective, as
mentioned by Julian Fitzell in 5ea3d0b,
since the function's only caller is bug_reminder.php which exclusively
relies on user id's.

Fixes #15472
@dregad dregad bug_reminder.php does not handle unsent reminders
Reminders are not logged in history (or the bugnote) if the e-mail was not
actually sent to the recipient.

The function now uses email_bug_reminder()'s return value instead of the
full user-provided list of recipients for inclusion in the reminder's
bugnote and to add history entries.

Fixes #15471
Commits on Feb 09, 2013
@dregad dregad Fix #15481: custom field values sort order in view all page filter
Commit b5abce1 introduced a regression
in the sort order of custom field values because the query retrieving
the custom field values was rewritten with a SELECT DISTINCT instead of
using a GROUP BY clause. With MySQL, group by sorts the results, whereas
distinct does not (not tested with other RDBMS).

This fixes the issue by adding an ORDER BY clause.
Commits on Feb 10, 2013
@siebrand siebrand Localisation updates from a1b67cc
Commits on Feb 15, 2013
@atrol atrol Fix #15511: XSS vulnerability when deleting a version 8b13da0
Commits on Feb 16, 2013
@siebrand siebrand Localisation updates from bc2620b
Commits on Feb 20, 2013
@wiggisser wiggisser Fix #15517: soap API datatype for DateTime
Wrong datatype for DateTime 'dateTime' vs. 'xsd:dateTime'
results in an error during deserialization in .net

Signed-off-by: Damien Regad <>
Commits on Feb 21, 2013
@marcodings marcodings Fix #15522: SOAP mc_project_get_issues now reports due_date
Signed-off-by: Damien Regad <>
Commits on Feb 24, 2013
@siebrand siebrand Localisation updates from 73317ba
Commits on Feb 25, 2013
@dregad dregad Fix crash when report_bug_threshold=array in access_has_bug_level
When displaying a bug for which the user is not the reporter,
$g_limit_reporters=ON and the workflow is set so report_bug_threshold is
an array, MantisBT crashes with "PHP Fatal error: Unsupported operand

This is due to use of '+ 1' to indicate that user should have the next
higher access level to view the issue. We now use the same logic but
within a foreach loop to check against each array element.

Fixes #15538
@atrol atrol Fix #15540: Wrong example code for custom status translation d6619f7
Commits on Feb 26, 2013
@dregad dregad Optimize performance of access_has_bug_level() api function
Through use of a static array to cache the reporter threshold when
$g_limit_reporter = ON and more importantly reducing the total number of
API calls, the performance of this function has been improved by 65%
(stress tests executed over 2000 iterations, 0.34s vs 0.22s).

Issue #15538, follow up on b3276bb
Commits on Feb 27, 2013
@dregad dregad Fix #13054: Install: don't suppress errors when including libraries ac05a43
@dregad dregad Fix invalid access denied error caused by access_has_bug_level()
Commit d42e80c changed the code in
access_has_bug_level() function, and introduced a bug as the final call
to access_compare_level() inverted the 2 parameters which caused an
incorrect return value to be returned in certain cases, incorrectly
denying access to issues.

Issue #15538
Commits on Mar 01, 2013
@dregad dregad Issue #15556: remove unused variable
$c_private is initialized but never used in bugnote_add()'s scope.
@dregad dregad Documentation: added step in Customizing Status Values section
We now include instructions to check and update existing workflow
configurations to include the new status values.

Fixes #10047
Commits on Mar 02, 2013
@dregad dregad Fix #15558: url_get() fallback to next method in case of error 3fb561f
Commits on Mar 04, 2013
@siebrand siebrand Localisation updates from 31829a3
Commits on Mar 05, 2013
@dregad dregad Fix invalid access denied error caused by access_has_bug_level()
Commit d42e80c changed the code in
access_has_bug_level() function, and introduced a bug in the call to
access_compare_level() when access is limited to issue reporter
(inverted parameters caused an incorrect access denied error).

See also 9ec47a0.

Issue #15538
@dregad dregad Print pages: don't show custom fields user has no access to
Prior to this, if a custom field's 'read' access level were higher than
the user's access, the print pages would display the field's label (but
not the data). This behavior is not consistent with how this situation
is handled in the View Issue page, where the field is not shown at all.

For consistency, we now skip the of the custom field users have no read
access to in the print pages, so that nothing is displayed.

Fixes #15528
Commits on Mar 08, 2013
@dregad dregad Documentation: added php_mbstring as recommended extension
Fixes #15575
Commits on Mar 11, 2013
@siebrand siebrand Localisation updates from 8afbd34
Commits on Mar 12, 2013
@rombert rombert filter_api: ensure that the free_text where clauses are always ANDed
Fixes #15573: One query can be issued via current Mantis interface to
take down site
Commits on Mar 13, 2013
@langerheiko langerheiko email_bug_info_to_one_user() is not using email_build_subject() function 7159a92
@langerheiko langerheiko add hook EVENT_DISPLAY_EMAIL_BUILD_SUBJECT for email subject dab98da
Commits on Mar 18, 2013
@siebrand siebrand Localisation updates from 4a95223
@dregad dregad Revert "filter_api: ensure that the free_text where clauses are always ANDed"

This reverts commit 543ba01.
@dregad dregad Fix filter api issue with 'any condition' and text search
A filter combining some criteria and a text search with 'any condition'
results in a cartesian product, which has the potential to bring down
the site as the RDBMS eats up all available resources.

The root cause of this behavior is joining the bug_text table with a
from clause and setting the join's criteria in the query's where clause,
without taking into consideration the operator's precedence (AND/OR).

This commit resolves the problem by using a JOIN clause instead, which
makes the query cleaner.

Fixes #15573
@dregad dregad Filter api: systematic use JOIN when building SQL
Do not join tables using the where clause, for better readability and
avoiding risk of issues with operator precedence and 'any condition'
filtering mode.

This commit also removes an unnecessary LEFT JOIN between the bugnote
and bugnote_text tables; since this is a strict 1:1 relationship, an
inner join is sufficient and yields better performance.
Commits on Mar 23, 2013
@siebrand siebrand Localisation updates from a1ea176
Commits on Mar 27, 2013
@dregad dregad Config report: retrieval of saved project filter does not work
When retrieving a saved filter from the cookie in adm_config_report.php
the saved project id is not reflected in the filter's selection list:
'All Projects' is always selected instead of the actual project. This
value should only be picked as default when the project id does not

This is due to a missing negation in the check for project's existence.

Fixes #15691
@dregad dregad Code cleanup: align adm_config_report.php with 1.3 branch 0acb11b
Commits on Apr 01, 2013
@siebrand siebrand Localisation updates from 03b5f34
Commits on Apr 02, 2013
@atrol atrol Fix #15704: Wrong description of writing custom_functions 6443c62
Commits on Apr 04, 2013
@dregad dregad Fix #15698: system warning when editing profile
When user clicks Submit button to edit an existing profile, without
first selecting one from the list, the following system warning was
triggered: 'extract() expects parameter 1 to be array, boolean given'.

The code now ensures that a profile has been selected before redirecting
to account_prof_edit_page.php, and issues a meaningful error message if
@dregad dregad Reenable ability to clear default profile
Regression introduced by fe8e367

Fixes #15698
Commits on Apr 07, 2013
@siebrand siebrand Localisation updates from 074bd9f
Commits on Apr 10, 2013
@dregad dregad Revert "Fix #2971: add reminder events to the bug history"
This reverts commit f4753ec following
discussion on the mailing list [1].


@dregad dregad Create reminder bugnote even if no message text provided
When adding a reminder, a bugnote was actually NOT created when the
reminder text is empty, even if $g_store_reminders = ON.  This was due
to bugnote_add() returning false when $p_bugnote_text is blank as the
code did not take REMINDER type notes into consideration.

Fixes #15744
Commits on Apr 11, 2013
@dregad dregad Revised reminder_list_truncated string
Follow-up on revert commit for issue #2971, as we don't store recipients
in history anymore.

Affects issue #15470
@dregad dregad Fix regression in filter_api.php
Commit c9bc064 introduced a regression,
whereby the filter would exclude issues without bugnotes when using text

This was caused by removal of left outer join between bugnote_table and
bugnote_text_table, which was in fact required because the join clause
fails to return any record when the bugnote_text_id is null (which is
the case when there are no bugnotes).

Thanks to user Kitzberger for reporting this and atrol for providing the
steps to reproduce.
@dregad dregad Updated CREDITS file in preparation of 1.2.15 release ebbacb1
@dregad dregad Bump version and update release notes for 1.2.15 7455c40
@dregad dregad Changed version to 1.2.16dev 494d54f
Commits on Apr 14, 2013
@siebrand siebrand Localisation updates from d2bc53e
Commits on Apr 16, 2013
@dregad dregad Fix #15762: case insensitive email parsing regex 4cb774c
@dregad dregad Removed unused API function project_file_is_name_unique() 35849d1
@dregad dregad Modify file_is_name_unique() API to work for project files also
Previously this function would only work for bug attachments, and
another API function project_file_is_name_unique() would take care of
projects. The latter was removed as it was not used, and this one
amended in case it's ever required to check for uniqueness of a project

It also makes sense to regroup file-related functions in file_api.php.

Issue #15572
@dregad dregad Revise and improve diskfile_is_name_unique()
Prior to this, the API would only check for a file's uniqueness by
looking up the bug_file table, and did not actually check the file
system for an existing file.

This causes 2 potential issues:

- we could have a duplicate in the file system and therefore unwittingly
  overwrite it with a new file
- it was not possible to use the function for project docs

Fixes #15572
@dregad dregad PHPdoc updates 589af33
@dregad dregad Full rewrite of the Move Attachments admin page
The old move_db2disk.php program was completely outdated and did not
work properly.

This commit introduces a completely new page, with a dissociated page to
select which attachments to move, and an action page to actually move the
files from DB to disk

Fixes #15496
@dregad dregad Fix redirection to system utils page after moving attachments 2384d29
Commits on Apr 17, 2013
@dregad dregad Issue #15496: wrong variable name in move_attachments.php cbc4037
Commits on Apr 19, 2013
@dregad dregad Simplify code, align to guidelines d75c2fb
@dregad dregad Add plugin event for e-mail subject customization

Fixes #15648
Commits on Apr 21, 2013
@siebrand siebrand Localisation updates from e957627
@rombert rombert Expand SOAP API documentation
Fixes #14301: Add SOAP API documentation in the administration guide
Commits on Apr 23, 2013
@atrol atrol Fix #15775: Wrong reporter when copying an issue 26572cd
@atrol atrol Fix #15777: Wrong value in field "Date Submitted" when copying issues c610904
Commits on Apr 26, 2013
@dregad dregad Fix #15790: url api - set curl user agent in url_get() 8df9d5f
@dregad dregad Add log entry with message id when queuing mail 8c2bd07
@dregad dregad System notice when json_url() retrieves non-existent member
An additional check and returning false allows caller to handle errors

Fixes #15791
Commits on Apr 27, 2013
@atrol atrol PHPMailer moved to github e52392c
Commits on Apr 28, 2013
@siebrand siebrand Localisation updates from c4f6493
Commits on May 01, 2013
@vboctor vboctor Prototype for mc_project_get_issues_assigned_to() webservice method. 18113cc
@vboctor vboctor Commented new method in filter_api.php 11003f4
@dregad dregad Optimize user_get_all_accessible_projects()
On instances having a large number of projects, this function would
consume significant resources while processing all the subprojects to
determine if one is accessible to the user (about 25 seconds to load
main_page.php for 5'000 projects, without subprojects).

The performance bottleneck was the array_merge() call in the loop. This
has been replaced by a foreach working on an associative array. The same
page now loads under 1 second.

Fixes #9876
Commits on May 03, 2013
@vboctor vboctor Support unassigned, reported by and monitored by. 9e05727
@vboctor vboctor Use case insensitive comparison for filter type and return only unres…
…olved issues for assigned to filter.
@vboctor vboctor Passed in user and project ids to config_get(). d318e2a
@vboctor vboctor Fixed php error on my view page. 58b44b1
Commits on May 04, 2013
@vboctor vboctor Added 10 test cases and a couple of minor fixes. ce612c0
@vboctor vboctor Added test case to make sure that assigned filter doesn't return reso…
…lved issues.
@atrol atrol Fix #15812: Wrong example code for custom validation functions 32a8120
@vboctor vboctor Use AccountData instead of ObjectRef for identifying target user. 0927b6d
Commits on May 09, 2013
@siebrand siebrand Localisation updates from c659a5e
Commits on May 10, 2013
@vboctor vboctor Merge pull request #82 from vboctor/standard_filters
Fixes #15807: Support standard filters like ones in My View page in SOAP API

Implemented mc_project_get_issues_for_user() that supports the following:

Assigned To User (or 0 for unassigned)
Reported By User
Monitored By User
@dregad dregad Documentation: added missing closing tag 1f1ffeb
@dregad dregad Documentation: update README file 919afa2
Commits on May 12, 2013
@siebrand siebrand Localisation updates from be9f1de
Commits on May 15, 2013
@dregad dregad Do not display login dialog when using HTTP_AUTH
Fixes #11084
@grangeway grangeway Revert "Do not display login dialog when using HTTP_AUTH"
This reverts commit 90633ab.
Commits on May 20, 2013
@siebrand siebrand Localisation updates from d0ad62a
@dregad dregad Documentation: revised Makefile
Fixed the following issues:

- 'all' rule now actually builds all targets
- 'html.tar.gz' was not doing anything
- 'install' rule simplified using a foreach function on a list of
  file extensions to copy
- added tar.gz to list of extensions to copy during 'install'
- updated help text
Commits on May 21, 2013
@dregad dregad Trigger error when resetting password for user with empty email
When password reset is handled through verification e-mails, the
administrator should not be able to reset the password if the user's
e-mail is blank as the user won't receive the verification URL.

Fixes #15893
@dregad dregad Issue #15893: Improve logging when resetting user password 7c2273d
@dregad dregad Documentation: revised database types cadf5fd
@dregad dregad Documentation: remove empty 'para' tags
These cause publican builds to fail on as the tool's
version installed there deletes these tags when processing the XML,
which trigger validation errors.

Fixes #15886
Commits on May 22, 2013
@dregad dregad Issue #15893: format user id consistently with other log messages f54a191
Commits on May 24, 2013
@dregad dregad soap api: added wsdl-viewer
NuSoap offered a convenient, self-generated API documentation page. On
the other hand, the php-soap extension does not offer such functionality
and the wsdl's raw XML is not easy to read.

This commit adds Tomi Vanek's wsdl-viewer XSLT [1] to mantisconnect.wsdl
to offer a more user-friendly face to the XML.

Commits on May 25, 2013
@dregad dregad Temp var defined in global scope should be unset() after use
Fixes #15921
@dregad dregad New helper_array_transpose api function
Required for issue #15774
@dregad dregad Fix #15774: unable to simultaneously upload > 5 files 4bb2be6
@dregad dregad Tests: fix whitespace, comments and phpDoc 92097c3
@dregad dregad Tests: fix inclusion of TestConfig.php
This way tests can be called individually
@dregad dregad Tests: Strings - use string API functions
Remove hardcoded copy of string_sanitize_url()

Added require_once calls for necessary API and includes. This needed a
change in TestConfig.php to add the Mantis Root directory to the include
@dregad dregad Tests: Strings - fix broken test cases (&amp; => &)
Commit c59ad8a changed the use of
ampersands in internally generated URLs
@dregad dregad Tests: add new Helper API test script
Currently only covers helper_array_transpose() function
@dregad dregad Tests: added function for globals declaration
MantisBT configs (defined in config_defaults_inc.php) are not
defined in the global scope when running PHPUnit. Because of this,
including 'core.php' does not work.

All 'global' configs must therefore be specifically declared as such
when API functions are needed to run tests.
@dregad dregad Tests: improve require_mantis_core() function
New version no longer requires use of eval() to declare globals.

Also fixes a system warning caused by $g_queries_array not being
declared as global in database api.

Backport from master branch 0b53ba9fb21a77358591ad5c5a48e272e733db9f,
added workaround to avoid warnings caused by lack of require_api()
@dregad dregad Fix #15920: Missing config file causes cli scripts to fail silently
We now display an error message and die with exit code 1.
Commits on May 27, 2013
@dregad dregad Fix #15921: Unset $t_hosts after use 5ba8645
Commits on Jun 01, 2013
@dregad dregad Upgrade PHPMailer from 5.2.1 to 5.2.6
See for details

Fixes #14543, #15953
Commits on Jun 04, 2013
@dregad dregad soap tests: fix whitespace 2a7951b
@dregad dregad soap/VersionTest.php: take timezone into consideration
Prior to this, dates were compared as string, resulting in
'2015-10-29T12:59:14+00:00' and '2015-10-29T05:59:14-07:00' to be
considered as different dates.

Fixes #15817
@dregad dregad soap/AttachmentTest.php: fix reference download URL
mc_issue_api.php/mci_issue_get_attachments() generates the download URL
with '&amp;' while the test suite compares it with '&'. In some cases
the soap api returns '&' while in most cases it returns '&amp;'.

To fix the problem we decode the string with html_entity_decode() before
comparing it.

Fixes #15817
Commits on Jun 10, 2013
@siebrand siebrand Localisation updates from 118c902
Commits on Jun 17, 2013
@siebrand siebrand Localisation updates from e73e738
Commits on Jun 24, 2013
@siebrand siebrand Localisation updates from 83f15a8
Commits on Jun 30, 2013
@siebrand siebrand Localisation updates from 4e027d6
@rombert rombert soap api: set $g_project_override for all applicable mc_issue and
mc_project methods

Fixes #16028: Adding note via webservice generates wrong email content
for assigned user
@winston01 winston01 New function added to retrieve bug history via API.
Fixes #9936: add history information

Signed-off-by: Laszlo Kovacs <>
Signed-off-by: Robert Munteanu <>
@rombert rombert soap api: add tests for the mc_issue_get_history call
Affects #9936: add history information
Commits on Jul 01, 2013
@atrol atrol Fix #16120: Cannot modify Receive Reminder threshold cdaf037
Commits on Jul 11, 2013
@rombert rombert soap api: remove unused $t_lang variable ( thanks to @atrol )
Affects #9936: add history information
@rombert rombert Add support for running complete test suite on Travis CI
Fixes #16126: Setup integration testing on Travis CI
@rombert rombert Fix #15196: Create history entries when creating issues with non-default
status and resolution
Commits on Jul 14, 2013
@rombert rombert Fix #16174: Travis CI: set up PHP 5.5 build alongside 5.4 812811f
@rombert rombert Fix #16175: Send Travis build notifications to #mantisbt-help 644d6a6
@rombert rombert Revert "Fix #16175: Send Travis build notifications to #mantisbt-help"
This reverts commit 644d6a6 until we reach
consensus on a notification scheme.
@siebrand siebrand Localisation updates from 2d50d42
Commits on Jul 21, 2013
@atrol atrol Fix #16202: Travis CI: set up PHP 5.3 build faeb484
Commits on Jul 22, 2013
@dregad dregad Merge of branch 'file-attach-fixes'
@dregad dregad UserTest: preferences should compare against default value
Previously the test was comparing the retrieved user preference
'bugnote_order' with a hardcoded value, so the test would fail if the
config_inc settings were different.

Fixes #16204
@dregad dregad IssueHistoryTest: Fix Whitespace 9f0f592
@dregad dregad IssueHistoryTest: use MantisBT constants ee6293c
@dregad dregad IssueHistoryTest: fix failure when using descending order
Tests would incorrectly be marked as failure when $g_history_order is
set to DESC, as the cases assume the default of ASC.

Fixes #16205
@dregad dregad IssueHistoryTest: fix random failure with simultaneous entries
This happens when history entries are created in rapid sequence (i.e.
within the same second), and the RDBMS then returns the records in
random order. Since the tests rely on a fixed order of the entries, this
occasionally causes failures.

Fixes #16203
@siebrand siebrand Localisation updates from 1d697f4
@dregad dregad Tests: move include of constant_inc.php to SoapBase.php 24256f3
@dregad dregad Remove useless variable initialization
Follow up fix on commit ec53975
Commits on Jul 23, 2013
@dregad dregad Fix #16187: error caused by array_combine() with PHP<5.4
array_combine() function behavior was changed in PHP 5.4 [1]; in earlier
versions it would issue a warning and return false when working with
empty arrays, which then causes Mantis to trigger an application error.

This is a regression introduced by cc7703a

Commits on Jul 29, 2013
@rombert rombert Fix #16158: mc_filter_get_issues does not populate monitors field for
retrieved issues
Commits on Jul 30, 2013
@siebrand siebrand Localisation updates from 54e3f36
Commits on Aug 07, 2013
@rombert rombert soap api: make sure we have a compatible soap extension installed
Even though the soap extension is installed, versions of PHP older than
5.2.2 do not support all the features we need. To guard against
unexpected errors, we now enable the soap extension if the
SOAP_USE_XSI_ARRAY_TYPE constant is defined. This constant is used at
runtime by the SOAP extension and is a good indicator of a recent enough
soap extension.

Fixes #16252: API SOAP provides no answer after MantisBT upgrade
Commits on Aug 28, 2013
@dregad dregad Do not redirect after creating the first project
When the first project is created after installing MantisBT, an
application error 2800 occurs when submitting the changes from
manage_proj_create_page.php, although the project is created

Regression introduced by b1a1bba

Fixes #16337
@dregad dregad Translate custom field names
Custom fields are displayed with their name, disregarding their
localization:
- in the history log
- in the custom fields section, in the project management page

Thanks to jmonin for the patch.

Fixes #12470
@dregad dregad Remove useless code 017eca5
@OSguard OSguard When sorting by due_date, display undefined values last
Markus' original patch was modified to simplify the code and reduce
duplication, fix a couple typos in comment text and reword the
commit message.

Fixes #16259
@dregad dregad due_date ASC sort: pgsql fix
Fix #16259: adding order by expression to select list to avoid error.
Commits on Aug 30, 2013
@dregad dregad Follow-up fix for custom field names translations
In the case where we have multiple custom strings localized to the same
string, commit c174d88 would make it
impossible to distinguish them.

While this should not be a major issue in the bug history (as it doesn't
make sense to have more than one field with a given localized name
within a given project), it is important that in custom field management
as well as project management pages custom fields are uniquely
identified with their "system" name to ensure there is no confusion.

This commit adds a new API function custom_field_get_display_name() that
will append the localized name to the field name, and which is called
from the above-mentioned pages.

Issue #12470
@dregad dregad ADOdb/pgsql: fix output of bytea fields for PostgreSQL >= 9.0
The new default 'hex' prevents Mantis from displaying the contents of

Fixes #16341
Commits on Sep 01, 2013
@atrol atrol MantisCoreFormatting: Fix single-line fields html tags processing
Methods text() and formatted() Plugin sent a hardcoded 'true' parameter
to string_restore_valid_html_tags(), instead of using the method's
$p_multiline parameter.

Fixes #16342
@dregad dregad MantisCoreFormatting: phpDoc corrections and improvements e7e3428
@dregad dregad MantisCoreFormatting: Remove code duplication
Method formatted() now calls text() instead of duplicating plain text
processing code

Bump plugin version to 1.0b

Fixes #16348
Commits on Sep 02, 2013
@dregad dregad MantisCoreFormatting: Remove useless assignment
Fixes #16348, as per Roland Becker's comment
@siebrand siebrand Localisation updates from 2d3dbee
Commits on Sep 03, 2013
@dregad dregad Updated .mailmap and CREDITS files a173ab9
Commits on Sep 06, 2013
@dregad dregad Whitespace fixes fe7b477
@dregad dregad Fix usage of tag_get_all for DBs not using Assoc fetch mode
This is a regression caused by implementation of issue #13446 (see
commit be3dde7), which used a foreach
to iterate through the ADOdb recordset returned by tag_get_all(),
instead of using MantisBT's db_fetch_array() function which takes care
of row association for DBs not supporting it natively.

Fixes #16340
Commits on Sep 09, 2013
@siebrand siebrand Localisation updates from a721991
Commits on Sep 13, 2013
@dregad dregad Fix assignment to wrong variable
This caused the page to always display an empty list of tags. Follow up
fix on commit 0d9c5e7.

Fixes #16340
Commits on Sep 14, 2013
@dregad dregad Use correct threshold for display of Change status list+button
Fix for issue #15258 introduced a check for 'update_bug_threshold' to
prevent unauthorized users from changing issue status.

This was not the correct config setting to use, the right one is

Fixes #16376
Commits on Sep 16, 2013
@dregad dregad Travis: only build for master and master-1.2.x
[skip ci]
Commits on Sep 25, 2013
@vboctor vboctor Fixes #16408: config_eval() fails on configs that reference array values
The $g_update_bug_assign_threshold is set to '%handle_bug_threshold%'.
If the value of $g_handle_bug_threshold is set to an array instead of a string/int, a system notice is generated that array to string conversion is done in config_eval().

The fix is to detect the direct assignment case and not use a string replace,
but use normal assignment.  This will make it work for complex types like

We still don't support $g_x = '%y%_aaa' where $g_y is not a string or int,
but that shouldn't be an issue.
Commits on Sep 28, 2013
@vboctor vboctor Fixes #16416: Improve first login experience by auto-redirecting to c…
…reate project page.