check_account_ok(); } else { $user = new User(0, $proj); } // don't allow anonymous users to access this page at all if ($user->isAnon()) { die(); } load_translations(); if( !Post::has('csrftoken') ){ http_response_code(428); # 'Precondition Required' die('missingtoken'); } elseif( Post::val('csrftoken')==$_SESSION['csrftoken']){ # ok } else{ http_response_code(412); # 'Precondition Failed' die('wrongtoken'); } $task = Flyspray::getTaskDetails(Post::val('task_id')); if (!$user->can_edit_task($task)){ http_response_code(403); # 'Forbidden' die(L('nopermission')); } # check field for update against allowed dbfields for quickedit. # maybe FUTURE: add (dynamic read from database) allowed CUSTOM FIELDS checks for the project and user # (if there is urgent request for implementing custom fields into Flyspray # and using of tag-feature isn't enough to accomplish - like numbers/dates/timestamps as custom fields) $allowedFields=array( 'due_date', 'item_status', 'percent_complete', 'task_type', 'product_category', 'operating_system', 'task_severity', 'task_priority', 'product_version', 'closedby_version' ); if ($proj->prefs['use_effort_tracking'] && $user->perms('track_effort')){ $allowedFields[]='estimated_effort'; } if (!in_array(Post::val('name'), $allowedFields)){ http_response_code(403); die(L('invalidfield')); } $value = Post::val('value'); # check if user is not sending manipulated invalid values switch(Post::val('name')){ case 'due_date': $value = Flyspray::strtotime(Post::val('value')); $value = intval($value); break; case 'estimated_effort': $value = effort::editStringToSeconds(Post::val('value'), $proj->prefs['hours_per_manday'], $proj->prefs['estimated_effort_format']); $value = intval($value); break; case 'task_severity': if(!preg_match("/^[1-5]$/", $value)){ http_response_code(403); die(L('invalidvalue')); } break; case 'task_priority': if(!preg_match("/^[1-6]$/", $value)){ http_response_code(403); die(L('invalidvalue')); } break; case 'percent_complete': if(!is_numeric($value) || $value<0 || $value>100){ http_response_code(403); die(L('invalidvalue')); } break; case 'item_status': $res=$db->query('SELECT * FROM {list_status} WHERE (project_id=0 OR project_id=?) AND show_in_list=1 AND status_id=?', array($task['project_id'], $value) ); if($db->countRows($res)<1){ http_response_code(403); die(L('invalidvalue')); } break; case 'task_type': $res=$db->query('SELECT * FROM {list_tasktype} WHERE (project_id=0 OR project_id=?) AND show_in_list=1 AND tasktype_id=?', array($task['project_id'], $value) ); if($db->countRows($res)<1){ http_response_code(403); die(L('invalidvalue')); } break; case 'operating_system': $res=$db->query('SELECT * FROM {list_os} WHERE (project_id=0 OR project_id=?) AND show_in_list=1 AND os_id=?', array($task['project_id'], $value) ); if($db->countRows($res)<1){ http_response_code(403); die(L('invalidvalue')); } break; case 'product_category': $res=$db->query('SELECT * FROM {list_category} WHERE (project_id=0 OR project_id=?) AND show_in_list=1 AND category_id=?', array($task['project_id'], $value) ); if($db->countRows($res)<1){ http_response_code(403); die(L('invalidvalue')); } break; case 'product_version': $res=$db->query('SELECT * FROM {list_version} WHERE (project_id=0 OR project_id=?) AND show_in_list=1 AND version_id=? AND version_tense=2', array($task['project_id'], $value) ); if($db->countRows($res)<1){ http_response_code(403); die(L('invalidvalue')); } break; case 'closedby_version': $res=$db->query('SELECT * FROM {list_version} WHERE (project_id=0 OR project_id=?) AND show_in_list=1 AND version_id=? AND version_tense=3', array($task['project_id'], $value) ); if($db->countRows($res)<1){ http_response_code(403); die(L('invalidvalue')); } break; default: http_response_code(403); die(L('invalidfield')); break; } $oldvalue = $task[Post::val('name')]; $time=time(); $sql = $db->query("UPDATE {tasks} SET ".Post::val('name')." = ?,last_edited_time = ? WHERE task_id = ?", array($value, $time, Post::val('task_id'))); # load $proj again of task with correct project_id for getting active notification types in notification class $proj= new Project($task['project_id']); // Log the changed field in task history Flyspray::logEvent($task['task_id'], 3, $value, $oldvalue, Post::val('name'), $time); // Get the details of the task we just updated to generate the changed-task message $new_details_full = Flyspray::getTaskDetails($task['task_id']); $changes = Flyspray::compare_tasks($task, $new_details_full); if (count($changes) > 0) { $notify = new Notifications; $notify->create(NOTIFY_TASK_CHANGED, $task['task_id'], $changes, null, NOTIFY_BOTH, $proj->prefs['lang_code']); } ?>