From 8df3db566a3a937b45ebf11adb90d265e6f5e2d4 Mon Sep 17 00:00:00 2001 From: Andreas Baumann Date: Sun, 17 Nov 2019 20:45:02 +0100 Subject: initial checking of customized version 1.0rc9 --- includes/class.backend.php | 1869 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1869 insertions(+) create mode 100644 includes/class.backend.php (limited to 'includes/class.backend.php') diff --git a/includes/class.backend.php b/includes/class.backend.php new file mode 100644 index 0000000..f440db9 --- /dev/null +++ b/includes/class.backend.php @@ -0,0 +1,1869 @@ +query(' SELECT * + FROM {tasks} + WHERE ' . substr(str_repeat(' task_id = ? OR ', count($tasks)), 0, -3), + $tasks); + + while ($row = $db->fetchRow($sql)) { + // -> user adds himself + if ($user->id == $user_id) { + if (!$user->can_view_task($row) && !$do) { + continue; + } + // -> user is added by someone else + } else { + if (!$user->perms('manage_project', $row['project_id']) && !$do) { + continue; + } + } + + $notif = $db->query('SELECT notify_id + FROM {notifications} + WHERE task_id = ? and user_id = ?', + array($row['task_id'], $user_id)); + + if (!$db->countRows($notif)) { + $db->query('INSERT INTO {notifications} (task_id, user_id) + VALUES (?,?)', array($row['task_id'], $user_id)); + Flyspray::logEvent($row['task_id'], 9, $user_id); + } + } + + return (bool) $db->countRows($sql); + } + + + /** + * Removes a user $user_id from the notifications list of $tasks + * @param integer $user_id + * @param array $tasks + * @access public + * @return void + * @version 1.0 + */ + + public static function remove_notification($user_id, $tasks) + { + global $db, $user; + + settype($tasks, 'array'); + + if (!count($tasks)) { + return; + } + + $sql = $db->query(' SELECT * + FROM {tasks} + WHERE ' . substr(str_repeat(' task_id = ? OR ', count($tasks)), 0, -3), + $tasks); + + while ($row = $db->fetchRow($sql)) { + // -> user removes himself + if ($user->id == $user_id) { + if (!$user->can_view_task($row)) { + continue; + } + // -> user is removed by someone else + } else { + if (!$user->perms('manage_project', $row['project_id'])) { + continue; + } + } + + $db->query('DELETE FROM {notifications} + WHERE task_id = ? AND user_id = ?', + array($row['task_id'], $user_id)); + if ($db->affectedRows()) { + Flyspray::logEvent($row['task_id'], 10, $user_id); + } + } + } + + + /** + * Assigns one or more $tasks only to a user $user_id + * @param integer $user_id + * @param array $tasks + * @access public + * @return void + * @version 1.0 + */ + public static function assign_to_me($user_id, $tasks) + { + global $db, $notify; + + $user = $GLOBALS['user']; + if ($user_id != $user->id) { + $user = new User($user_id); + } + + settype($tasks, 'array'); + if (!count($tasks)) { + return; + } + + $sql = $db->query(' SELECT * + FROM {tasks} + WHERE ' . substr(str_repeat(' task_id = ? OR ', count($tasks)), 0, -3), + $tasks); + + while ($row = $db->fetchRow($sql)) { + if (!$user->can_take_ownership($row)) { + continue; + } + + $db->query('DELETE FROM {assigned} + WHERE task_id = ?', + array($row['task_id'])); + + $db->query('INSERT INTO {assigned} + (task_id, user_id) + VALUES (?,?)', + array($row['task_id'], $user->id)); + + if ($db->affectedRows()) { + $current_proj = new Project($row['project_id']); + Flyspray::logEvent($row['task_id'], 19, $user->id, implode(' ', Flyspray::getAssignees($row['task_id']))); + $notify->create(NOTIFY_OWNERSHIP, $row['task_id'], null, null, NOTIFY_BOTH, $current_proj->prefs['lang_code']); + } + + if ($row['item_status'] == STATUS_UNCONFIRMED || $row['item_status'] == STATUS_NEW) { + $db->query('UPDATE {tasks} SET item_status = 3 WHERE task_id = ?', array($row['task_id'])); + Flyspray::logEvent($row['task_id'], 3, 3, 1, 'item_status'); + } + } + } + + /** + * Adds a user $user_id to the assignees of one or more $tasks + * @param integer $user_id + * @param array $tasks + * @param bool $do Force execution independent of user permissions + * @access public + * @return void + * @version 1.0 + */ + public static function add_to_assignees($user_id, $tasks, $do = false) + { + global $db, $notify; + + settype($tasks, 'array'); + + $user = $GLOBALS['user']; + if ($user_id != $user->id) { + $user = new User($user_id); + } + + settype($tasks, 'array'); + if (!count($tasks)) { + return; + } + + $sql = $db->query(' SELECT * + FROM {tasks} + WHERE ' . substr(str_repeat(' task_id = ? OR ', count($tasks)), 0, -3), + $tasks); + + while ($row = $db->fetchRow($sql)) { + if (!$user->can_add_to_assignees($row) && !$do) { + continue; + } + + $db->replace('{assigned}', array('user_id'=> $user->id, 'task_id'=> $row['task_id']), array('user_id','task_id')); + + if ($db->affectedRows()) { + $current_proj = new Project($row['project_id']); + Flyspray::logEvent($row['task_id'], 29, $user->id, implode(' ', Flyspray::getAssignees($row['task_id']))); + $notify->create(NOTIFY_ADDED_ASSIGNEES, $row['task_id'], null, null, NOTIFY_BOTH, $current_proj->prefs['lang_code']); + } + + if ($row['item_status'] == STATUS_UNCONFIRMED || $row['item_status'] == STATUS_NEW) { + $db->query('UPDATE {tasks} SET item_status = 3 WHERE task_id = ?', array($row['task_id'])); + Flyspray::logEvent($row['task_id'], 3, 3, 1, 'item_status'); + } + } + } + + /** + * Adds a vote from $user_id to the task $task_id + * @param integer $user_id + * @param integer $task_id + * @access public + * @return bool + * @version 1.0 + */ + public static function add_vote($user_id, $task_id) + { + global $db; + + $user = $GLOBALS['user']; + if ($user_id != $user->id) { + $user = new User($user_id); + } + + $task = Flyspray::getTaskDetails($task_id); + + if (!$task) { + return false; + } + + if ($user->can_vote($task) > 0) { + + if($db->query("INSERT INTO {votes} (user_id, task_id, date_time) + VALUES (?,?,?)", array($user->id, $task_id, time()))) { + // TODO: Log event in a later version. + return true; + } + } + return false; + } + + /** + * Removes a vote from $user_id to the task $task_id + * @param integer $user_id + * @param integer $task_id + * @access public + * @return bool + * @version 1.0 + */ + public static function remove_vote($user_id, $task_id) + { + global $db; + + $user = $GLOBALS['user']; + if ($user_id != $user->id) { + $user = new User($user_id); + } + + $task = Flyspray::getTaskDetails($task_id); + + if (!$task) { + return false; + } + + if ($user->can_vote($task) == -2) { + + if($db->query("DELETE FROM {votes} WHERE user_id = ? and task_id = ?", + array($user->id, $task_id))) { + // TODO: Log event in a later version. + return true; + } + } + return false; + } + + /** + * Adds a comment to $task + * @param array $task + * @param string $comment_text + * @param integer $time for synchronisation with other functions + * @access public + * @return bool + * @version 1.0 + */ + public static function add_comment($task, $comment_text, $time = null) + { + global $conf, $db, $user, $notify, $proj; + + if (!($user->perms('add_comments', $task['project_id']) && (!$task['is_closed'] || $user->perms('comment_closed', $task['project_id'])))) { + return false; + } + + if($conf['general']['syntax_plugin'] != 'dokuwiki'){ + $purifierconfig = HTMLPurifier_Config::createDefault(); + $purifier = new HTMLPurifier($purifierconfig); + $comment_text = $purifier->purify($comment_text); + } + + if (!is_string($comment_text) || !strlen($comment_text)) { + return false; + } + + $time = !is_numeric($time) ? time() : $time ; + + $db->query('INSERT INTO {comments} + (task_id, date_added, last_edited_time, user_id, comment_text) + VALUES ( ?, ?, ?, ?, ? )', + array($task['task_id'], $time, $time, $user->id, $comment_text)); + $cid = $db->Insert_ID(); + Backend::upload_links($task['task_id'], $cid); + Flyspray::logEvent($task['task_id'], 4, $cid); + + if (Backend::upload_files($task['task_id'], $cid)) { + $notify->create(NOTIFY_COMMENT_ADDED, $task['task_id'], 'files', null, NOTIFY_BOTH, $proj->prefs['lang_code']); + } else { + $notify->create(NOTIFY_COMMENT_ADDED, $task['task_id'], null, null, NOTIFY_BOTH, $proj->prefs['lang_code']); + } + + + return true; + } + + /** + * Upload files for a comment or a task + * @param integer $task_id + * @param integer $comment_id if it is 0, the files will be attached to the task itself + * @param string $source name of the file input + * @access public + * @return bool + * @version 1.0 + */ + public static function upload_files($task_id, $comment_id = 0, $source = 'userfile') + { + global $db, $notify, $conf, $user; + + $task = Flyspray::getTaskDetails($task_id); + + if (!$user->perms('create_attachments', $task['project_id'])) { + return false; + } + + $res = false; + + if (!isset($_FILES[$source]['error'])) { + return false; + } + + foreach ($_FILES[$source]['error'] as $key => $error) { + if ($error != UPLOAD_ERR_OK) { + continue; + } + + + $fname = substr($task_id . '_' . md5(uniqid(mt_rand(), true)), 0, 30); + $path = BASEDIR .'/attachments/'. $fname ; + + $tmp_name = $_FILES[$source]['tmp_name'][$key]; + + // Then move the uploaded file and remove exe permissions + if(!@move_uploaded_file($tmp_name, $path)) { + //upload failed. continue + continue; + } + + @chmod($path, 0644); + $res = true; + + // Use a different MIME type + $fileparts = explode( '.', $_FILES[$source]['name'][$key]); + $extension = end($fileparts); + if (isset($conf['attachments'][$extension])) { + $_FILES[$source]['type'][$key] = $conf['attachments'][$extension]; + //actually, try really hard to get the real filetype, not what the browser reports. + } elseif($type = Flyspray::check_mime_type($path)) { + $_FILES[$source]['type'][$key] = $type; + }// we can try even more, however, far too much code is needed. + + $db->query("INSERT INTO {attachments} + ( task_id, comment_id, file_name, + file_type, file_size, orig_name, + added_by, date_added) + VALUES (?, ?, ?, ?, ?, ?, ?, ?)", + array($task_id, $comment_id, $fname, + $_FILES[$source]['type'][$key], + $_FILES[$source]['size'][$key], + $_FILES[$source]['name'][$key], + $user->id, time())); + $attid = $db->insert_ID(); + Flyspray::logEvent($task_id, 7, $attid, $_FILES[$source]['name'][$key]); + } + + return $res; + } + + public static function upload_links($task_id, $comment_id = 0, $source = 'userlink') + { + global $db, $user; + + $task = Flyspray::getTaskDetails($task_id); + + if (!$user->perms('create_attachments', $task['project_id'])) { + return false; + } + + if (!isset($_POST[$source])) { + return false; + } + + $res = false; + foreach($_POST[$source] as $text) { + $text = filter_var($text, FILTER_SANITIZE_URL); + + if( preg_match( '/^\s*(javascript:|data:)/', $text)){ + continue; + } + + if(empty($text)) { + continue; + } + + $res = true; + + // Insert into database + $db->query("INSERT INTO {links} (task_id, comment_id, url, added_by, date_added) VALUES (?, ?, ?, ?, ?)", + array($task_id, $comment_id, $text, $user->id, time())); + // TODO: Log event in a later version. + } + + return $res; + } + + /** + * Delete one or more attachments of a task or comment + * @param array $attachments + * @access public + * @return void + * @version 1.0 + */ + public static function delete_files($attachments) + { + global $db, $user; + + settype($attachments, 'array'); + if (!count($attachments)) { + return; + } + + $sql = $db->query(' SELECT t.*, a.* + FROM {attachments} a + LEFT JOIN {tasks} t ON t.task_id = a.task_id + WHERE ' . substr(str_repeat(' attachment_id = ? OR ', count($attachments)), 0, -3), + $attachments); + + while ($task = $db->fetchRow($sql)) { + if (!$user->perms('delete_attachments', $task['project_id'])) { + continue; + } + + $db->query('DELETE FROM {attachments} WHERE attachment_id = ?', + array($task['attachment_id'])); + @unlink(BASEDIR . '/attachments/' . $task['file_name']); + Flyspray::logEvent($task['task_id'], 8, $task['orig_name']); + } + } + + public static function delete_links($links) + { + global $db, $user; + + settype($links, 'array'); + + if(!count($links)) { + return; + } + + $sql = $db->query('SELECT t.*, l.* FROM {links} l LEFT JOIN {tasks} t ON t.task_id = l.task_id WHERE '.substr(str_repeat('link_id = ? OR ', count($links)), 0, -3), $links); + + //Delete from database + while($task = $db->fetchRow($sql)) { + if (!$user->perms('delete_attachments', $task['project_id'])) { + continue; + } + + $db->query('DELETE FROM {links} WHERE link_id = ?', array($task['link_id'])); + // TODO: Log event in a later version. + } + } + + /** + * Cleans a username (length, special chars, spaces) + * @param string $user_name + * @access public + * @return string + */ + public static function clean_username($user_name) + { + // Limit length + $user_name = substr(trim($user_name), 0, 32); + // Remove doubled up spaces and control chars + $user_name = preg_replace('![\x00-\x1f\s]+!u', ' ', $user_name); + // Strip special chars + return utf8_keepalphanum($user_name); + } + + public static function getAdminAddresses() { + global $db; + + $emails = array(); + $jabbers = array(); + $onlines = array(); + + $sql = $db->query('SELECT DISTINCT u.user_id, u.email_address, u.jabber_id, + u.notify_online, u.notify_type, u.notify_own, u.lang_code + FROM {users} u + JOIN {users_in_groups} ug ON u.user_id = ug.user_id + JOIN {groups} g ON g.group_id = ug.group_id + WHERE g.is_admin = 1 AND u.account_enabled = 1'); + + Notifications::assignRecipients($db->fetchAllArray($sql), $emails, $jabbers, $onlines); + + return array($emails, $jabbers, $onlines); + } + + public static function getProjectManagerAddresses($project_id) { + global $db; + + $emails = array(); + $jabbers = array(); + $onlines = array(); + + $sql = $db->query('SELECT DISTINCT u.user_id, u.email_address, u.jabber_id, + u.notify_online, u.notify_type, u.notify_own, u.lang_code + FROM {users} u + JOIN {users_in_groups} ug ON u.user_id = ug.user_id + JOIN {groups} g ON g.group_id = ug.group_id + WHERE g.manage_project = 1 AND g.project_id = ? AND u.account_enabled = 1', + array($project_id)); + + Notifications::assignRecipients($db->fetchAllArray($sql), $emails, $jabbers, $onlines); + + return array($emails, $jabbers, $onlines); + } + /** + * Creates a new user + * @param string $user_name + * @param string $password + * @param string $real_name + * @param string $jabber_id + * @param string $email + * @param integer $notify_type + * @param integer $time_zone + * @param integer $group_in + * @access public + * @return bool false if username is already taken + * @version 1.0 + * @notes This function does not have any permission checks (checked elsewhere) + */ + public static function create_user($user_name, $password, $real_name, $jabber_id, $email, $notify_type, $time_zone, $group_in, $enabled, $oauth_uid = '', $oauth_provider = '', $profile_image = '') + { + global $fs, $db, $notify, $baseurl; + + $user_name = Backend::clean_username($user_name); + + // TODO Handle this whole create_user better concerning return false. Why did it fail? + # 'notassigned' and '-1' are possible filtervalues for advanced task search + if( empty($user_name) || ctype_digit($user_name) || $user_name == '-1' || $user_name=='notassigned' ) { + return false; + } + + // Limit length + $real_name = substr(trim($real_name), 0, 100); + // Remove doubled up spaces and control chars + $real_name = preg_replace('![\x00-\x1f\s]+!u', ' ', $real_name); + + # 'notassigned' and '-1' are possible filtervalues for advanced task search, lets avoid them + if( ctype_digit($real_name) || $real_name == '-1' || $real_name=='notassigned' ) { + return false; + } + + // Check to see if the username is available + $sql = $db->query('SELECT COUNT(*) FROM {users} WHERE user_name = ?', array($user_name)); + + if ($db->fetchOne($sql)) { + return false; + } + + $auto = false; + // Autogenerate a password + if (!$password) { + $auto = true; + $password = substr(md5(uniqid(mt_rand(), true)), 0, mt_rand(8, 12)); + } + + // Check the emails before inserting anything to database. + $emailList = explode(';',$email); + foreach ($emailList as $mail) { //Still need to do: check email + $count = $db->query("SELECT COUNT(*) FROM {user_emails} WHERE email_address = ?",array($mail)); + $count = $db->fetchOne($count); + if ($count > 0) { + Flyspray::show_error("Email address has alredy been taken"); + return false; + } + } + + $db->query("INSERT INTO {users} + ( user_name, user_pass, real_name, jabber_id, profile_image, magic_url, + email_address, notify_type, account_enabled, + tasks_perpage, register_date, time_zone, dateformat, + dateformat_extended, oauth_uid, oauth_provider, lang_code) + VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, 25, ?, ?, ?, ?, ?, ?, ?)", + array($user_name, Flyspray::cryptPassword($password), $real_name, strtolower($jabber_id), + $profile_image, '', strtolower($email), $notify_type, $enabled, time(), $time_zone, '', '', $oauth_uid, $oauth_provider, $fs->prefs['lang_code'])); + + // Get this user's id for the record + $uid = Flyspray::userNameToId($user_name); + + foreach ($emailList as $mail) { + if ($mail != '') { + $db->query("INSERT INTO {user_emails}(id,email_address,oauth_uid,oauth_provider) VALUES (?,?,?,?)", + array($uid,strtolower($mail),$oauth_uid, $oauth_provider)); + } + } + + // Now, create a new record in the users_in_groups table + $db->query('INSERT INTO {users_in_groups} (user_id, group_id) + VALUES (?, ?)', array($uid, $group_in)); + + Flyspray::logEvent(0, 30, serialize(Flyspray::getUserDetails($uid))); + + $varnames = array('iwatch','atome','iopened'); + + $toserialize = array('string' => NULL, + 'type' => array (''), + 'sev' => array (''), + 'due' => array (''), + 'dev' => NULL, + 'cat' => array (''), + 'status' => array ('open'), + 'order' => NULL, + 'sort' => NULL, + 'percent' => array (''), + 'opened' => NULL, + 'search_in_comments' => NULL, + 'search_for_all' => NULL, + 'reported' => array (''), + 'only_primary' => NULL, + 'only_watched' => NULL); + + foreach($varnames as $tmpname) { + if($tmpname == 'iwatch') { + $tmparr = array('only_watched' => '1'); + } elseif ($tmpname == 'atome') { + $tmparr = array('dev'=> $uid); + } elseif($tmpname == 'iopened') { + $tmparr = array('opened'=> $uid); + } + $$tmpname = $tmparr + $toserialize; + } + + // Now give him his default searches + $db->query('INSERT INTO {searches} (user_id, name, search_string, time) + VALUES (?, ?, ?, ?)', + array($uid, L('taskswatched'), serialize($iwatch), time())); + $db->query('INSERT INTO {searches} (user_id, name, search_string, time) + VALUES (?, ?, ?, ?)', + array($uid, L('assignedtome'), serialize($atome), time())); + $db->query('INSERT INTO {searches} (user_id, name, search_string, time) + VALUES (?, ?, ?, ?)', + array($uid, L('tasksireported'), serialize($iopened), time())); + + if ($jabber_id) { + Notifications::jabberRequestAuth($jabber_id); + } + + // Send a user his details (his username might be altered, password auto-generated) + // dont send notifications if the user logged in using oauth + if (!$oauth_provider) { + $recipients = self::getAdminAddresses(); + $newuser = array(); + + // Add the right message here depending on $enabled. + if ($enabled === 0) { + $newuser[0][$email] = array('recipient' => $email, 'lang' => $fs->prefs['lang_code']); + + } else { + $newuser[0][$email] = array('recipient' => $email, 'lang' => $fs->prefs['lang_code']); + } + + // Notify the appropriate users + if ($fs->prefs['notify_registration']) { + $notify->create(NOTIFY_NEW_USER, null, + array($baseurl, $user_name, $real_name, $email, $jabber_id, $password, $auto), + $recipients, NOTIFY_EMAIL); + } + // And also the new user + $notify->create(NOTIFY_OWN_REGISTRATION, null, + array($baseurl, $user_name, $real_name, $email, $jabber_id, $password, $auto), + $newuser, NOTIFY_EMAIL); + } + + // If the account is created as not enabled, no matter what any + // preferences might say or how the registration was made in first + // place, it MUST be first approved by an admin. And a small + // work-around: there's no field for email, so we use reason_given + // for that purpose. + if ($enabled === 0) { + Flyspray::adminRequest(3, 0, 0, $uid, $email); + } + + return true; + } + + /** + * Deletes a user + * @param integer $uid + * @access public + * @return bool + * @version 1.0 + */ + public static function delete_user($uid) + { + global $db, $user; + + if (!$user->perms('is_admin')) { + return false; + } + + $userDetails = Flyspray::getUserDetails($uid); + + if (is_file(BASEDIR.'/avatars/'.$userDetails['profile_image'])) { + unlink(BASEDIR.'/avatars/'.$userDetails['profile_image']); + } + + $tables = array('users', 'users_in_groups', 'searches', 'notifications', 'assigned', 'votes', 'effort'); + # FIXME Deleting a users effort without asking when user is deleted may not be wanted in every situation. + # For example for billing a project and the deleted user worked for a project. + # The better solution is to just deactivate the user, but maybe there are cases a user MUSt be deleted from the database. + # Move that effort to an 'anonymous users' effort if the effort(s) was legal and should be measured for project(s)? + foreach ($tables as $table) { + if (!$db->query('DELETE FROM ' .'{' . $table .'}' . ' WHERE user_id = ?', array($uid))) { + return false; + } + } + + if (!empty($userDetails['profile_image']) && is_file(BASEDIR.'/avatars/'.$userDetails['profile_image'])) { + unlink(BASEDIR.'/avatars/'.$userDetails['profile_image']); + } + + $db->query('DELETE FROM {registrations} WHERE email_address = ?', + array($userDetails['email_address'])); + + $db->query('DELETE FROM {user_emails} WHERE id = ?', + array($uid)); + + $db->query('DELETE FROM {reminders} WHERE to_user_id = ? OR from_user_id = ?', + array($uid, $uid)); + + // for the unusual situuation that a user ID is re-used, make sure that the new user doesn't + // get permissions for a task automatically + $db->query('UPDATE {tasks} SET opened_by = 0 WHERE opened_by = ?', array($uid)); + + Flyspray::logEvent(0, 31, serialize($userDetails)); + + return true; + } + + + /** + * Deletes a project + * @param integer $pid + * @param integer $move_to to which project contents of the project are moved + * @access public + * @return bool + * @version 1.0 + */ + public static function delete_project($pid, $move_to = 0) + { + global $db, $user; + + if (!$user->perms('manage_project', $pid)) { + return false; + } + + // Delete all project's tasks related information + if (!$move_to) { + $task_ids = $db->query('SELECT task_id FROM {tasks} WHERE project_id = ' . intval($pid)); + $task_ids = $db->fetchCol($task_ids); + // What was supposed to be in tables field_values, notification_threads + // and redundant, they do not exist in database? + $tables = array('admin_requests', 'assigned', 'attachments', 'comments', + 'dependencies', 'related', 'history', + 'notifications', + 'reminders', 'votes'); + foreach ($tables as $table) { + if ($table == 'related') { + $stmt = $db->dblink->prepare('DELETE FROM ' . $db->dbprefix . $table . ' WHERE this_task = ? OR related_task = ? '); + } else { + $stmt = $db->dblink->prepare('DELETE FROM ' . $db->dbprefix . $table . ' WHERE task_id = ?'); + } + foreach ($task_ids as $id) { + $db->dblink->execute($stmt, ($table == 'related') ? array($id, $id) : array($id)); + } + } + } + + // unset category of tasks because we don't move categories + if ($move_to) { + $db->query('UPDATE {tasks} SET product_category = 0 WHERE project_id = ?', array($pid)); + } + + $tables = array('list_category', 'list_os', 'list_resolution', 'list_tasktype', + 'list_status', 'list_version', 'admin_requests', + 'cache', 'projects', 'tasks'); + + foreach ($tables as $table) { + if ($move_to && $table !== 'projects' && $table !== 'list_category') { + // Having a unique index in most list_* tables prevents + // doing just a simple update, if the list item already + // exists in target project, so we have to update existing + // tasks to use the one in target project. Something similar + // should be done when moving a single task to another project. + // Consider making this a separate function that can be used + // for that purpose too, if possible. + if (strpos($table, 'list_') === 0) { + list($type, $name) = explode('_', $table); + $sql = $db->query('SELECT ' . $name . '_id, ' . $name . '_name + FROM {' . $table . '} + WHERE project_id = ?', + array($pid)); + $rows = $db->fetchAllArray($sql); + foreach ($rows as $row) { + $sql = $db->query('SELECT ' . $name . '_id + FROM {' . $table . '} + WHERE project_id = ? AND '. $name . '_name = ?', + array($move_to, $row[$name .'_name'])); + $new_id = $db->fetchOne($sql); + if ($new_id) { + switch ($name) { + case 'os'; + $column = 'operating_system'; + break; + case 'resolution'; + $column = 'resolution_reason'; + break; + case 'tasktype'; + $column = 'task_type'; + break; + case 'status'; + $column = 'item_status'; + break; + case 'version'; + // Questionable what to do with this one. 1.0 could + // have been still future in the old project and + // already past in the new one... + $column = 'product_version'; + break; + } + if (isset($column)) { + $db->query('UPDATE {tasks} + SET ' . $column . ' = ? + WHERE ' . $column . ' = ?', + array($new_id, $row[$name . '_id'])); + $db->query('DELETE FROM {' . $table . '} + WHERE ' . $name . '_id = ?', + array($row[$name . '_id'])); + } + } + } + } + $base_sql = 'UPDATE {' . $table . '} SET project_id = ?'; + $sql_params = array($move_to, $pid); + } else { + $base_sql = 'DELETE FROM {' . $table . '}'; + $sql_params = array($pid); + } + + if (!$db->query($base_sql . ' WHERE project_id = ?', $sql_params)) { + return false; + } + } + + // groups are only deleted, not moved (it is likely + // that the destination project already has all kinds + // of groups which are also used by the old project) + $sql = $db->query('SELECT group_id FROM {groups} WHERE project_id = ?', array($pid)); + while ($row = $db->fetchRow($sql)) { + $db->query('DELETE FROM {users_in_groups} WHERE group_id = ?', array($row['group_id'])); + } + $sql = $db->query('DELETE FROM {groups} WHERE project_id = ?', array($pid)); + + //we have enough reasons .. the process is OK. + return true; + } + + /** + * Adds a reminder to a task + * @param integer $task_id + * @param string $message + * @param integer $how_often send a reminder every ~ seconds + * @param integer $start_time time when the reminder starts + * @param $user_id the user who is reminded. by default (null) all users assigned to the task are reminded. + * @access public + * @return bool + * @version 1.0 + */ + public static function add_reminder($task_id, $message, $how_often, $start_time, $user_id = null) + { + global $user, $db; + $task = Flyspray::getTaskDetails($task_id); + + if (!$user->perms('manage_project', $task['project_id'])) { + return false; + } + + if (is_null($user_id)) { + // Get all users assigned to a task + $user_id = Flyspray::getAssignees($task_id); + } else { + $user_id = array(Flyspray::validUserId($user_id)); + if (!reset($user_id)) { + return false; + } + } + + foreach ($user_id as $id) { + $sql = $db->replace('{reminders}', + array('task_id'=> $task_id, 'to_user_id'=> $id, + 'from_user_id' => $user->id, 'start_time' => $start_time, + 'how_often' => $how_often, 'reminder_message' => $message), + array('task_id', 'to_user_id', 'how_often', 'reminder_message')); + if(!$sql) { + // query has failed :( + return false; + } + } + // 2 = no record has found and was INSERT'ed correclty + if (isset($sql) && $sql == 2) { + Flyspray::logEvent($task_id, 17, $task_id); + } + return true; + } + + /** + * Adds a new task + * @param array $args array containing all task properties. unknown properties will be ignored + * @access public + * @return integer the task ID on success + * @version 1.0 + * @notes $args is POST data, bad..bad user.. + */ + public static function create_task($args) + { + global $conf, $db, $user, $proj; + + if (!isset($args)) return 0; + + // these are the POST variables that the user MUST send, if one of + // them is missing or if one of them is empty, then we have to abort + $requiredPostArgs = array('item_summary', 'project_id');//modify: made description not required + foreach ($requiredPostArgs as $required) { + if (empty($args[$required])) return 0; + } + + $notify = new Notifications(); + if ($proj->id != $args['project_id']) { + $proj = new Project($args['project_id']); + } + + if (!$user->can_open_task($proj)) { + return 0; + } + + // first populate map with default values + $sql_args = array( + 'project_id' => $proj->id, + 'date_opened' => time(), + 'last_edited_time' => time(), + 'opened_by' => intval($user->id), + 'percent_complete' => 0, + 'mark_private' => 0, + 'supertask_id' => 0, + 'closedby_version' => 0, + 'closure_comment' => '', + 'task_priority' => 2, + 'due_date' => 0, + 'anon_email' => '', + 'item_status'=> STATUS_UNCONFIRMED + ); + + // POST variables the user is ALLOWED to provide + $allowedPostArgs = array( + 'task_type', 'product_category', 'product_version', + 'operating_system', 'task_severity', 'estimated_effort', + 'supertask_id', 'item_summary', 'detailed_desc' + ); + // these POST variables the user is only ALLOWED to provide if he got the permissions + if ($user->perms('modify_all_tasks')) { + $allowedPostArgs[] = 'closedby_version'; + $allowedPostArgs[] = 'task_priority'; + $allowedPostArgs[] = 'due_date'; + $allowedPostArgs[] = 'item_status'; + } + if ($user->perms('manage_project')) { + $allowedPostArgs[] = 'mark_private'; + } + // now copy all over all POST variables the user is ALLOWED to provide + // (but only if they are not empty) + foreach ($allowedPostArgs as $allowed) { + if (!empty($args[$allowed])) { + $sql_args[$allowed] = $args[$allowed]; + } + } + + // Process the due_date + if ( isset($args['due_date']) && ($due_date = $args['due_date']) || ($due_date = 0) ) { + $due_date = Flyspray::strtotime($due_date); + } + + $sql_params[] = 'mark_private'; + $sql_values[] = intval($user->perms('manage_project') && isset($args['mark_private']) && $args['mark_private'] == '1'); + + $sql_params[] = 'due_date'; + $sql_values[] = $due_date; + + $sql_params[] = 'closure_comment'; + $sql_values[] = ''; + + // Process estimated effort + $estimated_effort = 0; + if ($proj->prefs['use_effort_tracking'] && isset($sql_args['estimated_effort'])) { + if (($estimated_effort = effort::editStringToSeconds($sql_args['estimated_effort'], $proj->prefs['hours_per_manday'], $proj->prefs['estimated_effort_format'])) === FALSE) { + Flyspray::show_error(L('invalideffort')); + $estimated_effort = 0; + } + $sql_args['estimated_effort'] = $estimated_effort; + } + + // Token for anonymous users + $token = ''; + if ($user->isAnon()) { + if (empty($args['anon_email'])) { + return 0; + } + $token = md5(function_exists('openssl_random_pseudo_bytes') ? + openssl_random_pseudo_bytes(32) : + uniqid(mt_rand(), true)); + $sql_args['task_token'] = $token; + $sql_args['anon_email'] = $args['anon_email']; + } + + // ensure all variables are in correct format + if (!empty($sql_args['due_date'])) { + $sql_args['due_date'] = Flyspray::strtotime($sql_args['due_date']); + } + if (isset($sql_args['mark_private'])) { + $sql_args['mark_private'] = intval($sql_args['mark_private'] == '1'); + } + + # dokuwiki syntax plugin filters on output + if($conf['general']['syntax_plugin'] != 'dokuwiki' && isset($sql_args['detailed_desc']) ){ + $purifierconfig = HTMLPurifier_Config::createDefault(); + $purifier = new HTMLPurifier($purifierconfig); + $sql_args['detailed_desc'] = $purifier->purify($sql_args['detailed_desc']); + } + + // split keys and values into two separate arrays + $sql_keys = array(); + $sql_values = array(); + foreach ($sql_args as $key => $value) { + $sql_keys[] = $key; + $sql_values[] = $value; + } + + /* + * TODO: At least with PostgreSQL, this has caused the sequence to be + * out of sync with reality. Must be fixed in upgrade process. Check + * what's the situation with MySQL. (It's fine, it updates the value even + * if the column was manually adjusted. Remove this whole block later.) + $result = $db->query('SELECT MAX(task_id)+1 + FROM {tasks}'); + $task_id = $db->fetchOne($result); + $task_id = $task_id ? $task_id : 1; + */ + //now, $task_id is always the first element of $sql_values + #array_unshift($sql_keys, 'task_id'); + #array_unshift($sql_values, $task_id); + + $sql_keys_string = join(', ', $sql_keys); + $sql_placeholder = $db->fill_placeholders($sql_values); + + $result = $db->query("INSERT INTO {tasks} + ($sql_keys_string) + VALUES ($sql_placeholder)", $sql_values); + $task_id=$db->insert_ID(); + + Backend::upload_links($task_id); + + // create tags + if (isset($args['tags'])) { + $tagList = explode(';', $args['tags']); + $tagList = array_map('strip_tags', $tagList); + $tagList = array_map('trim', $tagList); + $tagList = array_unique($tagList); # avoid duplicates for inputs like: "tag1;tag1" or "tag1; tag1

" + foreach ($tagList as $tag){ + if ($tag == ''){ + continue; + } + + # old tag feature + #$result2 = $db->query("INSERT INTO {tags} (task_id, tag) VALUES (?,?)",array($task_id,$tag)); + + # new tag feature. let's do it in 2 steps, it is getting too complicated to make it cross database compatible, drawback is possible (rare) race condition (use transaction?) + $res=$db->query("SELECT tag_id FROM {list_tag} WHERE (project_id=0 OR project_id=?) AND tag_name LIKE ? ORDER BY project_id", array($proj->id,$tag) ); + if($t=$db->fetchRow($res)){ + $tag_id=$t['tag_id']; + } else{ + if( $proj->prefs['freetagging']==1){ + # add to taglist of the project + $db->query("INSERT INTO {list_tag} (project_id,tag_name) VALUES (?,?)", array($proj->id,$tag)); + $tag_id=$db->insert_ID(); + } else{ + continue; + } + }; + $db->query("INSERT INTO {task_tag}(task_id,tag_id) VALUES(?,?)", array($task_id, $tag_id) ); + } + } + + // Log the assignments and send notifications to the assignees + if (isset($args['rassigned_to']) && is_array($args['rassigned_to'])) + { + // Convert assigned_to and store them in the 'assigned' table + foreach ($args['rassigned_to'] as $val) + { + $db->replace('{assigned}', array('user_id'=> $val, 'task_id'=> $task_id), array('user_id','task_id')); + } + // Log to task history + Flyspray::logEvent($task_id, 14, implode(' ', $args['rassigned_to'])); + + // Notify the new assignees what happened. This obviously won't happen if the task is now assigned to no-one. + $notify->create(NOTIFY_NEW_ASSIGNEE, $task_id, null, $notify->specificAddresses($args['rassigned_to']), NOTIFY_BOTH, $proj->prefs['lang_code']); + } + + // Log that the task was opened + Flyspray::logEvent($task_id, 1); + + $result = $db->query('SELECT * + FROM {list_category} + WHERE category_id = ?', + array($args['product_category'])); + $cat_details = $db->fetchRow($result); + + // We need to figure out who is the category owner for this task + if (!empty($cat_details['category_owner'])) { + $owner = $cat_details['category_owner']; + } + else { + // check parent categories + $result = $db->query('SELECT * + FROM {list_category} + WHERE lft < ? AND rgt > ? AND project_id = ? + ORDER BY lft DESC', + array($cat_details['lft'], $cat_details['rgt'], $cat_details['project_id'])); + while ($row = $db->fetchRow($result)) { + // If there's a parent category owner, send to them + if (!empty($row['category_owner'])) { + $owner = $row['category_owner']; + break; + } + } + } + + if (!isset($owner)) { + $owner = $proj->prefs['default_cat_owner']; + } + + if ($owner) { + if ($proj->prefs['auto_assign'] && ($args['item_status'] == STATUS_UNCONFIRMED || $args['item_status'] == STATUS_NEW)) { + Backend::add_to_assignees($owner, $task_id, true); + } + Backend::add_notification($owner, $task_id, true); + } + + // Reminder for due_date field + if (!empty($sql_args['due_date'])) { + Backend::add_reminder($task_id, L('defaultreminder') . "\n\n" . createURL('details', $task_id), 2*24*60*60, time()); + } + + // Create the Notification + if (Backend::upload_files($task_id)) { + $notify->create(NOTIFY_TASK_OPENED, $task_id, 'files', null, NOTIFY_BOTH, $proj->prefs['lang_code']); + } else { + $notify->create(NOTIFY_TASK_OPENED, $task_id, null, null, NOTIFY_BOTH, $proj->prefs['lang_code']); + } + + // If the reporter wanted to be added to the notification list + if (isset($args['notifyme']) && $args['notifyme'] == '1' && $user->id != $owner) { + Backend::add_notification($user->id, $task_id, true); + } + + if ($user->isAnon()) { + $anonuser = array(); + $anonuser[$email] = array('recipient' => $args['anon_email'], 'lang' => $fs->prefs['lang_code']); + $recipients = array($anonuser); + $notify->create(NOTIFY_ANON_TASK, $task_id, $token, + $recipients, NOTIFY_EMAIL, $proj->prefs['lang_code']); + } + + return array($task_id, $token); + } + + /** + * Closes a task + * @param integer $task_id + * @param integer $reason + * @param string $comment + * @param bool $mark100 + * @access public + * @return bool + * @version 1.0 + */ + public static function close_task($task_id, $reason, $comment, $mark100 = true) + { + global $db, $notify, $user, $proj; + $task = Flyspray::getTaskDetails($task_id); + + if (!$user->can_close_task($task)) { + return false; + } + + if ($task['is_closed']) { + return false; + } + + $db->query('UPDATE {tasks} + SET date_closed = ?, closed_by = ?, closure_comment = ?, + is_closed = 1, resolution_reason = ?, last_edited_time = ?, + last_edited_by = ? + WHERE task_id = ?', + array(time(), $user->id, $comment, $reason, time(), $user->id, $task_id)); + + if ($mark100) { + $db->query('UPDATE {tasks} SET percent_complete = 100 WHERE task_id = ?', + array($task_id)); + + Flyspray::logEvent($task_id, 3, 100, $task['percent_complete'], 'percent_complete'); + } + + $notify->create(NOTIFY_TASK_CLOSED, $task_id, null, null, NOTIFY_BOTH, $proj->prefs['lang_code']); + Flyspray::logEvent($task_id, 2, $reason, $comment); + + // If there's an admin request related to this, close it + $db->query('UPDATE {admin_requests} + SET resolved_by = ?, time_resolved = ? + WHERE task_id = ? AND request_type = ?', + array($user->id, time(), $task_id, 1)); + + // duplicate + if ($reason == RESOLUTION_DUPLICATE) { + preg_match("/\b(?:FS#|bug )(\d+)\b/", $comment, $dupe_of); + if (count($dupe_of) >= 2) { + $existing = $db->query('SELECT * FROM {related} WHERE this_task = ? AND related_task = ? AND is_duplicate = 1', + array($task_id, $dupe_of[1])); + + if ($existing && $db->countRows($existing) == 0) { + $db->query('INSERT INTO {related} (this_task, related_task, is_duplicate) VALUES(?, ?, 1)', + array($task_id, $dupe_of[1])); + } + Backend::add_vote($task['opened_by'], $dupe_of[1]); + } + } + + return true; + } + + /** + * Returns an array of tasks (respecting pagination) and an ID list (all tasks) + * @param array $args + * @param array $visible + * @param integer $offset + * @param integer $comment + * @param bool $perpage + * @access public + * @return array + * @version 1.0 + */ + public static function get_task_list($args, $visible, $offset = 0, $perpage = 20) { + global $fs, $proj, $db, $user, $conf; + /* build SQL statement {{{ */ + // Original SQL courtesy of Lance Conry http://www.rhinosw.com/ + $where = $sql_params = array(); + + // echo '
' . print_r($visible, true) . '
'; + // echo '
' . print_r($args, true) . '
'; + // PostgreSQL LIKE searches are by default case sensitive, + // so we use ILIKE instead. For other databases, in our case + // only MySQL/MariaDB, LIKE is good for our purposes. + $LIKEOP = 'LIKE'; + if ($db->dblink->dataProvider == 'postgres') { + $LIKEOP = 'ILIKE'; + } + + $select = ''; + $groupby = 't.task_id, '; + $cgroupbyarr = array(); + + // Joins absolutely needed for user viewing rights + $from = ' {tasks} t +-- All tasks have a project! +JOIN {projects} p ON t.project_id = p.project_id'; + + // Not needed for anonymous users + if (!$user->isAnon()) { +$from .= ' -- Global group always exists +JOIN ({groups} gpg + JOIN {users_in_groups} gpuig ON gpg.group_id = gpuig.group_id AND gpuig.user_id = ? +) ON gpg.project_id = 0 +-- Project group might exist or not. +LEFT JOIN ({groups} pg + JOIN {users_in_groups} puig ON pg.group_id = puig.group_id AND puig.user_id = ? +) ON pg.project_id = t.project_id'; + $sql_params[] = $user->id; + $sql_params[] = $user->id; + } + + // Keep this always, could also used for showing assigned users for a task. + // Keeps the overall logic somewhat simpler. + $from .= ' LEFT JOIN {assigned} ass ON t.task_id = ass.task_id'; + $from .= ' LEFT JOIN {task_tag} tt ON t.task_id = tt.task_id'; + $cfrom = $from; + + // Seems resution name really is needed... + $select .= 'lr.resolution_name, '; + $from .= ' LEFT JOIN {list_resolution} lr ON t.resolution_reason = lr.resolution_id '; + $groupby .= 'lr.resolution_name, '; + + // Otherwise, only join tables which are really necessary to speed up the db-query + if (array_get($args, 'type') || in_array('tasktype', $visible)) { + $select .= ' lt.tasktype_name, '; + $from .= ' +LEFT JOIN {list_tasktype} lt ON t.task_type = lt.tasktype_id '; + $groupby .= ' lt.tasktype_id, '; + } + + if (array_get($args, 'status') || in_array('status', $visible)) { + $select .= ' lst.status_name, '; + $from .= ' +LEFT JOIN {list_status} lst ON t.item_status = lst.status_id '; + $groupby .= ' lst.status_id, '; + } + + if (array_get($args, 'cat') || in_array('category', $visible)) { + $select .= ' lc.category_name AS category_name, '; + $from .= ' +LEFT JOIN {list_category} lc ON t.product_category = lc.category_id '; + $groupby .= 'lc.category_id, '; + } + + if (in_array('votes', $visible)) { + $select .= ' (SELECT COUNT(vot.vote_id) FROM {votes} vot WHERE vot.task_id = t.task_id) AS num_votes, '; + } + + $maxdatesql = ' GREATEST(COALESCE((SELECT max(c.date_added) FROM {comments} c WHERE c.task_id = t.task_id), 0), t.date_opened, t.date_closed, t.last_edited_time) '; + $search_for_changes = in_array('lastedit', $visible) || array_get($args, 'changedto') || array_get($args, 'changedfrom'); + if ($search_for_changes) { + $select .= ' GREATEST(COALESCE((SELECT max(c.date_added) FROM {comments} c WHERE c.task_id = t.task_id), 0), t.date_opened, t.date_closed, t.last_edited_time) AS max_date, '; + $cgroupbyarr[] = 't.task_id'; + } + + if (array_get($args, 'search_in_comments')) { + $from .= ' +LEFT JOIN {comments} c ON t.task_id = c.task_id '; + $cfrom .= ' +LEFT JOIN {comments} c ON t.task_id = c.task_id '; + $cgroupbyarr[] = 't.task_id'; + } + + if (in_array('comments', $visible)) { + $select .= ' (SELECT COUNT(cc.comment_id) FROM {comments} cc WHERE cc.task_id = t.task_id) AS num_comments, '; + } + + if (in_array('reportedin', $visible)) { + $select .= ' lv.version_name AS product_version_name, '; + $from .= ' +LEFT JOIN {list_version} lv ON t.product_version = lv.version_id '; + $groupby .= 'lv.version_id, '; + } + + if (array_get($args, 'opened') || in_array('openedby', $visible)) { + $select .= ' uo.real_name AS opened_by_name, '; + $from .= ' +LEFT JOIN {users} uo ON t.opened_by = uo.user_id '; + $groupby .= 'uo.user_id, '; + if (array_get($args, 'opened')) { + $cfrom .= ' +LEFT JOIN {users} uo ON t.opened_by = uo.user_id '; + } + } + + if (array_get($args, 'closed')) { + $select .= ' uc.real_name AS closed_by_name, '; + $from .= ' +LEFT JOIN {users} uc ON t.closed_by = uc.user_id '; + $groupby .= 'uc.user_id, '; + $cfrom .= ' +LEFT JOIN {users} uc ON t.closed_by = uc.user_id '; + } + + if (array_get($args, 'due') || in_array('dueversion', $visible)) { + $select .= ' lvc.version_name AS closedby_version_name, '; + $from .= ' +LEFT JOIN {list_version} lvc ON t.closedby_version = lvc.version_id '; + $groupby .= 'lvc.version_id, lvc.list_position, '; + } + + if (in_array('os', $visible)) { + $select .= ' los.os_name AS os_name, '; + $from .= ' +LEFT JOIN {list_os} los ON t.operating_system = los.os_id '; + $groupby .= 'los.os_id, '; + } + + if (in_array('attachments', $visible)) { + $select .= ' (SELECT COUNT(attc.attachment_id) FROM {attachments} attc WHERE attc.task_id = t.task_id) AS num_attachments, '; + } + + if (array_get($args, 'has_attachment')) { + $where[] = 'EXISTS (SELECT 1 FROM {attachments} att WHERE t.task_id = att.task_id)'; + } + # 20150213 currently without recursive subtasks! + if (in_array('effort', $visible)) { + $select .= ' (SELECT SUM(ef.effort) FROM {effort} ef WHERE t.task_id = ef.task_id) AS effort, '; + } + + if (array_get($args, 'dev') || in_array('assignedto', $visible)) { + # not every db system has this feature out of box + if($conf['database']['dbtype']=='mysqli' || $conf['database']['dbtype']=='mysql'){ + $select .= ' GROUP_CONCAT(DISTINCT u.user_name ORDER BY u.user_id) AS assigned_to_name, '; + $select .= ' GROUP_CONCAT(DISTINCT u.user_id ORDER BY u.user_id) AS assignedids, '; + $select .= ' GROUP_CONCAT(DISTINCT u.profile_image ORDER BY u.user_id) AS assigned_image, '; + } elseif( $conf['database']['dbtype']=='pgsql'){ + $select .= " array_to_string(array_agg(u.user_name ORDER BY u.user_id), ',') AS assigned_to_name, "; + $select .= " array_to_string(array_agg(CAST(u.user_id as text) ORDER BY u.user_id), ',') AS assignedids, "; + $select .= " array_to_string(array_agg(u.profile_image ORDER BY u.user_id), ',') AS assigned_image, "; + } else{ + $select .= ' MIN(u.user_name) AS assigned_to_name, '; + $select .= ' (SELECT COUNT(assc.user_id) FROM {assigned} assc WHERE assc.task_id = t.task_id) AS num_assigned, '; + } + // assigned table is now always included in join + $from .= ' +LEFT JOIN {users} u ON ass.user_id = u.user_id '; + $groupby .= 'ass.task_id, '; + if (array_get($args, 'dev')) { + $cfrom .= ' +LEFT JOIN {users} u ON ass.user_id = u.user_id '; + $cgroupbyarr[] = 't.task_id'; + $cgroupbyarr[] = 'ass.task_id'; + } + } + + # not every db system has this feature out of box, it is not standard sql + if($conf['database']['dbtype']=='mysqli' || $conf['database']['dbtype']=='mysql'){ + #$select .= ' GROUP_CONCAT(DISTINCT tg.tag_name ORDER BY tg.list_position) AS tags, '; + $select .= ' GROUP_CONCAT(DISTINCT tg.tag_id ORDER BY tg.list_position) AS tagids, '; + #$select .= ' GROUP_CONCAT(DISTINCT tg.class ORDER BY tg.list_position) AS tagclass, '; + } elseif($conf['database']['dbtype']=='pgsql'){ + #$select .= " array_to_string(array_agg(tg.tag_name ORDER BY tg.list_position), ',') AS tags, "; + $select .= " array_to_string(array_agg(CAST(tg.tag_id as text) ORDER BY tg.list_position), ',') AS tagids, "; + #$select .= " array_to_string(array_agg(tg.class ORDER BY tg.list_position), ',') AS tagclass, "; + } else{ + # unsupported groupconcat or we just do not know how write it for the other databasetypes in this section + #$select .= ' MIN(tg.tag_name) AS tags, '; + #$select .= ' (SELECT COUNT(tt.tag_id) FROM {task_tag} tt WHERE tt.task_id = t.task_id) AS tagnum, '; + $select .= ' MIN(tg.tag_id) AS tagids, '; + #$select .= " '' AS tagclass, "; + } + // task_tag join table is now always included in join + $from .= ' +LEFT JOIN {list_tag} tg ON tt.tag_id = tg.tag_id '; + $groupby .= 'tt.task_id, '; + $cfrom .= ' +LEFT JOIN {list_tag} tg ON tt.tag_id = tg.tag_id '; + $cgroupbyarr[] = 't.task_id'; + $cgroupbyarr[] = 'tt.task_id'; + + + # use preparsed task description cache for dokuwiki when possible + if($conf['general']['syntax_plugin']=='dokuwiki' && FLYSPRAY_USE_CACHE==true){ + $select.=' MIN(cache.content) desccache, '; + $from.=' +LEFT JOIN {cache} cache ON t.task_id=cache.topic AND cache.type=\'task\' '; + } else { + $select .= 'NULL AS desccache, '; + } + + if (array_get($args, 'only_primary')) { + $where[] = 'NOT EXISTS (SELECT 1 FROM {dependencies} dep WHERE dep.dep_task_id = t.task_id)'; + } + + # feature FS#1600 + if (array_get($args, 'only_blocker')) { + $where[] = 'EXISTS (SELECT 1 FROM {dependencies} dep WHERE dep.dep_task_id = t.task_id)'; + } + + if (array_get($args, 'only_blocked')) { + $where[] = 'EXISTS (SELECT 1 FROM {dependencies} dep WHERE dep.task_id = t.task_id)'; + } + + # feature FS#1599 + if (array_get($args, 'only_unblocked')) { + $where[] = 'NOT EXISTS (SELECT 1 FROM {dependencies} dep WHERE dep.task_id = t.task_id)'; + } + + if (array_get($args, 'hide_subtasks')) { + $where[] = 't.supertask_id = 0'; + } + + if (array_get($args, 'only_watched')) { + $where[] = 'EXISTS (SELECT 1 FROM {notifications} fsn WHERE t.task_id = fsn.task_id AND fsn.user_id = ?)'; + $sql_params[] = $user->id; + } + + if ($proj->id) { + $where[] = 't.project_id = ?'; + $sql_params[] = $proj->id; + } else { + if (!$user->isAnon()) { // Anon-case handled later. + $allowed = array(); + foreach($fs->projects as $p) { + $allowed[] = $p['project_id']; + } + if(count($allowed)>0){ + $where[] = 't.project_id IN (' . implode(',', $allowed). ')'; + }else{ + $where[] = '0 = 1'; # always empty result + } + } + } + + // process users viewing rights, if not anonymous + if (!$user->isAnon()) { + $where[] = ' +( -- Begin block where users viewing rights are checked. + -- Case everyone can see all project tasks anyway and task not private + (t.mark_private = 0 AND p.others_view = 1) + OR + -- Case admin or project manager, can see any task, even private + (gpg.is_admin = 1 OR gpg.manage_project = 1 OR pg.is_admin = 1 OR pg.manage_project = 1) + OR + -- Case allowed to see all tasks, but not private + ((gpg.view_tasks = 1 OR pg.view_tasks = 1) AND t.mark_private = 0) + OR + -- Case allowed to see own tasks (automatically covers private tasks also for this user!) + ((gpg.view_own_tasks = 1 OR pg.view_own_tasks = 1) AND (t.opened_by = ? OR ass.user_id = ?)) + OR + -- Case task is private, but user either opened it or is an assignee + (t.mark_private = 1 AND (t.opened_by = ? OR ass.user_id = ?)) + OR + -- Leave groups tasks as the last one to check. They are the only ones that actually need doing a subquery + -- for checking viewing rights. There\'s a chance that a previous check already matched and the subquery is + -- not executed at all. All this of course depending on how the database query optimizer actually chooses + -- to fetch the results and execute this query... At least it has been given the hint. + + -- Case allowed to see groups tasks, all projects (NOTE: both global and project specific groups accepted here) + -- Strange... do not use OR here with user_id in EXISTS clause, seems to prevent using index with both mysql and + -- postgresql, query times go up a lot. So it\'ll be 2 different EXISTS OR\'ed together. + (gpg.view_groups_tasks = 1 AND t.mark_private = 0 AND ( + EXISTS (SELECT 1 FROM {users_in_groups} WHERE (group_id = pg.group_id OR group_id = gpg.group_id) AND user_id = t.opened_by) + OR + EXISTS (SELECT 1 FROM {users_in_groups} WHERE (group_id = pg.group_id OR group_id = gpg.group_id) AND user_id = ass.user_id) + )) + OR + -- Case allowed to see groups tasks, current project. Only project group allowed here. + (pg.view_groups_tasks = 1 AND t.mark_private = 0 AND ( + EXISTS (SELECT 1 FROM {users_in_groups} WHERE group_id = pg.group_id AND user_id = t.opened_by) + OR + EXISTS (SELECT 1 FROM {users_in_groups} WHERE group_id = pg.group_id AND user_id = ass.user_id) + )) +) -- Rights have been checked +'; + $sql_params[] = $user->id; + $sql_params[] = $user->id; + $sql_params[] = $user->id; + $sql_params[] = $user->id; + } + /// process search-conditions {{{ + $submits = array('type' => 'task_type', 'sev' => 'task_severity', + 'due' => 'closedby_version', 'reported' => 'product_version', + 'cat' => 'product_category', 'status' => 'item_status', + 'percent' => 'percent_complete', 'pri' => 'task_priority', + 'dev' => array('ass.user_id', 'u.user_name', 'u.real_name'), + 'opened' => array('opened_by', 'uo.user_name', 'uo.real_name'), + 'closed' => array('closed_by', 'uc.user_name', 'uc.real_name')); + foreach ($submits as $key => $db_key) { + $type = array_get($args, $key, ($key == 'status') ? 'open' : ''); + settype($type, 'array'); + + if (in_array('', $type)) { + continue; + } + + $temp = ''; + $condition = ''; + foreach ($type as $val) { + // add conditions for the status selection + if ($key == 'status' && $val == 'closed' && !in_array('open', $type)) { + $temp .= ' is_closed = 1 AND'; + } elseif ($key == 'status' && !in_array('closed', $type)) { + $temp .= ' is_closed = 0 AND'; + } + if (is_numeric($val) && !is_array($db_key) && !($key == 'status' && $val == 'closed')) { + $temp .= ' ' . $db_key . ' = ? OR'; + $sql_params[] = $val; + } elseif (is_array($db_key)) { + if ($key == 'dev' && ($val == 'notassigned' || $val == '0' || $val == '-1')) { + $temp .= ' ass.user_id is NULL OR'; + } else { + foreach ($db_key as $singleDBKey) { + if(ctype_digit($val) && strpos($singleDBKey, '_name') === false) { + $temp .= ' ' . $singleDBKey . ' = ? OR'; + $sql_params[] = $val; + } elseif (!ctype_digit($val) && strpos($singleDBKey, '_name') !== false) { + $temp .= ' ' . $singleDBKey . " $LIKEOP ? OR"; + $sql_params[] = '%' . $val . '%'; + } + } + } + } + + // Add the subcategories to the query + if ($key == 'cat') { + $result = $db->query('SELECT * + FROM {list_category} + WHERE category_id = ?', array($val)); + $cat_details = $db->fetchRow($result); + + $result = $db->query('SELECT * + FROM {list_category} + WHERE lft > ? AND rgt < ? AND project_id = ?', array($cat_details['lft'], $cat_details['rgt'], $cat_details['project_id'])); + while ($row = $db->fetchRow($result)) { + $temp .= ' product_category = ? OR'; + $sql_params[] = $row['category_id']; + } + } + } + + if ($temp) { + $where[] = '(' . substr($temp, 0, -3) . ')'; # strip last ' OR' and 'AND' + } + } +/// }}} + + $order_keys = array( + 'id' => 't.task_id', + 'project' => 'project_title', + 'tasktype' => 'tasktype_name', + 'dateopened' => 'date_opened', + 'summary' => 'item_summary', + 'severity' => 'task_severity', + 'category' => 'lc.category_name', + 'status' => 'is_closed, item_status', + 'dueversion' => 'lvc.list_position', + 'duedate' => 'due_date', + 'progress' => 'percent_complete', + 'lastedit' => 'max_date', + 'priority' => 'task_priority', + 'openedby' => 'uo.real_name', + 'reportedin' => 't.product_version', + 'assignedto' => 'u.real_name', + 'dateclosed' => 't.date_closed', + 'os' => 'los.os_name', + 'votes' => 'num_votes', + 'attachments' => 'num_attachments', + 'comments' => 'num_comments', + 'private' => 'mark_private', + 'supertask' => 't.supertask_id', + ); + + // make sure that only columns can be sorted that are visible (and task severity, since it is always loaded) + $order_keys = array_intersect_key($order_keys, array_merge(array_flip($visible), array('severity' => 'task_severity'))); + + // Implementing setting "Default order by" + if (!array_key_exists('order', $args)) { + # now also for $proj->id=0 (allprojects) + $orderBy = $proj->prefs['sorting'][0]['field']; + $sort = $proj->prefs['sorting'][0]['dir']; + if (count($proj->prefs['sorting']) >1){ + $orderBy2 =$proj->prefs['sorting'][1]['field']; + $sort2= $proj->prefs['sorting'][1]['dir']; + } else{ + $orderBy2='severity'; + $sort2='DESC'; + } + } else { + $orderBy = $args['order']; + $sort = $args['sort']; + $orderBy2='severity'; + $sort2='desc'; + } + + // TODO: Fix this! If something is already ordered by task_id, there's + // absolutely no use to even try to order by something else also. + $order_column[0] = $order_keys[Filters::enum(array_get($args, 'order', $orderBy), array_keys($order_keys))]; + $order_column[1] = $order_keys[Filters::enum(array_get($args, 'order2', $orderBy2), array_keys($order_keys))]; + $sortorder = sprintf('%s %s, %s %s, t.task_id ASC', + $order_column[0], + Filters::enum(array_get($args, 'sort', $sort), array('asc', 'desc')), + $order_column[1], + Filters::enum(array_get($args, 'sort2', $sort2), array('asc', 'desc')) + ); + + $having = array(); + $dates = array('duedate' => 'due_date', 'changed' => $maxdatesql, + 'opened' => 'date_opened', 'closed' => 'date_closed'); + foreach ($dates as $post => $db_key) { + $var = ($post == 'changed') ? 'having' : 'where'; + if ($date = array_get($args, $post . 'from')) { + ${$var}[] = '(' . $db_key . ' >= ' . Flyspray::strtotime($date) . ')'; + } + if ($date = array_get($args, $post . 'to')) { + ${$var}[] = '(' . $db_key . ' <= ' . Flyspray::strtotime($date) . ' AND ' . $db_key . ' > 0)'; + } + } + + if (array_get($args, 'string')) { + $words = explode(' ', strtr(array_get($args, 'string'), '()', ' ')); + $comments = ''; + $where_temp = array(); + + if (array_get($args, 'search_in_comments')) { + $comments .= " OR c.comment_text $LIKEOP ?"; + } + if (array_get($args, 'search_in_details')) { + $comments .= " OR t.detailed_desc $LIKEOP ?"; + } + + foreach ($words as $word) { + $word=trim($word); + if($word==''){ + continue; + } + $likeWord = '%' . str_replace('+', ' ', $word) . '%'; + $where_temp[] = "(t.item_summary $LIKEOP ? OR t.task_id = ? $comments)"; + array_push($sql_params, $likeWord, intval($word)); + if (array_get($args, 'search_in_comments')) { + array_push($sql_params, $likeWord); + } + if (array_get($args, 'search_in_details')) { + array_push($sql_params, $likeWord); + } + } + + if(count($where_temp)>0){ + $where[] = '(' . implode((array_get($args, 'search_for_all') ? ' AND ' : ' OR '), $where_temp) . ')'; + } + } + + if ($user->isAnon()) { + $where[] = 't.mark_private = 0 AND p.others_view = 1'; + if(array_key_exists('status', $args)){ + if (in_array('closed', $args['status']) && !in_array('open', $args['status'])) { + $where[] = 't.is_closed = 1'; + } elseif (in_array('open', $args['status']) && !in_array('closed', $args['status'])) { + $where[] = 't.is_closed = 0'; + } + } + } + + $where = (count($where)) ? 'WHERE ' . join(' AND ', $where) : ''; + + // Get the column names of table tasks for the group by statement + if (!strcasecmp($conf['database']['dbtype'], 'pgsql')) { + $groupby .= "p.project_title, p.project_is_active, "; + // Remove this after checking old PostgreSQL docs. + // 1 column from task table should be enough, after + // already grouping by task_id, there's no possibility + // to have anything more in that table to group by. + $groupby .= $db->getColumnNames('{tasks}', 't.task_id', 't.'); + } else { + $groupby = 't.task_id'; + } + + $having = (count($having)) ? 'HAVING ' . join(' AND ', $having) : ''; + + // echo '
' . print_r($args, true) . '
'; + // echo '
' . print_r($cgroupbyarr, true) . '
'; + $cgroupby = count($cgroupbyarr) ? 'GROUP BY ' . implode(',', array_unique($cgroupbyarr)) : ''; + + $sqlcount = "SELECT COUNT(*) FROM (SELECT 1, t.task_id, t.date_opened, t.date_closed, t.last_edited_time + FROM $cfrom + $where + $cgroupby + $having) s"; + $sqltext = "SELECT t.*, $select +p.project_title, p.project_is_active +FROM $from +$where +GROUP BY $groupby +$having +ORDER BY $sortorder"; + + // Very effective alternative with a little bit more work + // and if row_number() can be emulated in mysql. Idea: + // Move every join and other operation not needed in + // the inner clause to select rows to the outer query, + // and do the rest when we already know which rows + // are in the window to show. Got it to run constantly + // under 6000 ms. + /* Leave this for next version, don't have enough time for testing. + $sqlexperiment = "SELECT * FROM ( +SELECT row_number() OVER(ORDER BY task_id) AS rownum, +t.*, $select p.project_title, p.project_is_active FROM $from +$where +GROUP BY $groupby +$having +ORDER BY $sortorder +) +t WHERE rownum BETWEEN $offset AND " . ($offset + $perpage); +*/ + +// echo '
'.print_r($sql_params, true).'
'; # for debugging +// echo '
'.$sqlcount.'
'; # for debugging +// echo '
'.$sqltext.'
'; # for debugging + $sql = $db->query($sqlcount, $sql_params); + $totalcount = $db->fetchOne($sql); + +# 20150313 peterdd: Do not override task_type with tasktype_name until we changed t.task_type to t.task_type_id! We need the id too. + + $sql = $db->query($sqltext, $sql_params, $perpage, $offset); + // $sql = $db->query($sqlexperiment, $sql_params); + $tasks = $db->fetchAllArray($sql); + $id_list = array(); + $limit = array_get($args, 'limit', -1); + $forbidden_tasks_count = 0; + foreach ($tasks as $key => $task) { + $id_list[] = $task['task_id']; + if (!$user->can_view_task($task)) { + unset($tasks[$key]); + $forbidden_tasks_count++; + } + } + +// Work on this is not finished until $forbidden_tasks_count is always zero. +// echo "
$offset : $perpage : $totalcount : $forbidden_tasks_count
"; + return array($tasks, $id_list, $totalcount, $forbidden_tasks_count); +// # end alternative + } + +# end get_task_list +} # end class -- cgit v1.2.3-54-g00ecf