r1559: Closing a SQL injection in register.php with the activationid

[bugdar.git] / docs / changes.txt

1.2.0
===============================
- Fixed: In userctrl_search.tpl, the floated elements need to be before unfloated ones otherwise Gecko engine offsets it by a line
- Fixed: Closed a SQL injection vector in register.php

1.2.0 Release Candidate 1
===============================
- Enhancement: Allow sorting and display of the "assigned to" column on grid display
- Fixed: Comments wouldn't be displayed in a right-to-left fashion if the language is RTL (bug://report/80)
- Fixed: When submitting the lost password form, error checking was disregarded because we were checking for errors the old way
- Change: Force utf8 as the default installation collation for MySQL

1.2.0 Beta 3
===============================
- Fixed: If Gettext isn't installed, a function-not-found error would be thrown
- Fixed: On PHP4 systems, a "call to member non-object" error would be thrown because the Authentication class does not have a PHP4 constructor
- Fixed: In lost password reset emails, the subject would appear as "Array['trackertitle']" because the variable was not enclosed in curly braces
- Fixed: On PHP4 systems, a bug in the BugAPI would prevent any data from being saved because PHP4 doesn't support call_user_func() of parent:: selectors
- Change: When clicking the "[Run Search]" link in the "Saved Searches" section of the "Options" tab, force the search to rerun
- Fixed: Some email roles would not get notified under certain circumstances because the list of users to notify was reset
- Fixed: Errors would occurr on installation due to a problem with not loading all the data at the right time
- Enhancement: The installer will now check to ensure that all the proper MySQL permissions are enabled
- Fixed: A PHP warning could be generated due to passing an argument by reference (bug://report/78)

1.2.0 Beta 2
===============================
- Fixed: Emails wouldn't be sent out for new comments due to a bug with updating the notices array
- Fixed: Searches wouldn't be rerun after 15 minutes because of a typo in the time calculation
- Fixed: The installer would show an error if gettext wasn't installed because the emulator wasn't loaded early enough
- Fixed: Close a large bug that would cause a PHP error to be thrown regarding string offsets during notification processing
- Fixed: Email notifications would be essentially empty in all circumstances
- Change: Removed the stylevars system in place of additional CSS classes for formatting of tables and alternate row colors
- Fixed: Defining the NO_VERSION_CHECK constant wouldn't work due to a typo in admin/index.php
- Fixed: Automations wouldn't properly save custom field changes in the admin section
- Fixed: Automations would have no effect on custom fields when running them from the edit screen
- Fixed: A SQL error would occur when saving a new usergroup
- Fixed: In the product-level permissions screens, not all the products would be listed
- Fixed: A minor display issue would occur in a rare instance when showing an error message when trying to add a version without a product
- Fixed: If any fields had invalid data in editreport.php no validation errors would be thrown
- Fixed: The Logging system would add extra empty logs that would pollute the database; fixed this and then added queries in showhistory.php to clean it up
- Fixed: PHP smart tags were used in the installer, which if not enabled on the server would produce strange output (bug://report/67)
- Enhancement: Users can now belong to a single primary usergroup and multiple secondary groups, greatly increasing permission flexibility (bug://report/70)
- Enahncement: Usergroups can be cloned to allow fast duplication of permissions
- Fixed: Even after calling UsergroupAPI::delete(), there would still be usergroup remnants in bugfieldpermission and permission tables
- Fixed: The javascript cancel buttons wouldn't work due to a parse error
- Fixed: When approving users, the approval email would never be sent and a method not found error would be shown

1.2.0 Beta 1
===============================
- Change: When a user does not have any favorites in his list, show a message instead of an empty screen
- Enhancement: Added the ability to show all the users in a paginated list in the admin section (bug://report/55)
- Enhancement: Can export search results to an XML file (bug://report/41)
- Enhancmenet: Links in comments can be parsed if the option is checked (bug://report/2)
- Enhancement: Components can now be displayed on the bug grid (bug://report/43)
- Enhancement: Votes can now be displayed and sorted on the bug grid (bug://report/13)
- Enhancement: Users can save a search so they can rerun it at any time
- Fixed: Component and product changes wouldn't appear correcly on showhistory.php
- Enhancement: Versions can be marked "Obsolete" so new bugs cannot be filed against them
- Change: When there are no bugs to display on index.php, don't show an empty grid, but rather an error message
- Optimize: Reduce a query on bug updates by not querying the automation system if it is not being used
- Optimize: Move custom field data into the bug table to reduce the use of JOINs
- Optimize: Remove a query on userctrl.php's save options called by build_assignedto() because the API already does this for us
- Optimize: Setting system cleanup that improves speed by reducing queries and not using eval()
- Enhancement: Search results can be mass-updated to change bug fields
- Change: Search system no longer stores the actual query of the search, but rather the paramters
- Enhancement: Added a lost password reset system
- Fixed: Cached usernames would be cleared by the UserAPI if the display name wasn't set in the values array
- Enhancement: Extracted email text to the template system to make it easier to modify them
- Enhancement: Improved the admin security system by creating a session system that is much harder to bypass
- Change: Cleaned and refactored up the MessageReporter class
- Optimize: Template are now cached in the database to greatly improve speed; this does not effect editing templates at all
- Enhancement: An Authentication API was created in order to allow custom applications or databases to be used when authenticating at either login or with cookies

1.1.5
===============================
- Fixed a potential SQL error on search.php because no results were found (bug://report/62)
- Fixed a SQL error on admin/user.php when adding a new user from the admin section (bug://report/63)
- When adding a new user from the admin section, email options were not saved properly
- Added an option to only perform header redirects instead of intermediate-stage redirects (bug://report/65)
- Fixed a foreach() error after adding a new user in the admin section without email options [admin/user.php#102]
- Fixed a minor typo on the guest welcome banner (bug://report/66)

1.1.4
===============================
- Time zones with half-hours are not saved because the field only allows INTs (but://report/38)
- Fixed a SQL error received upon deleting a resolution (but://report/40)
- When searching and selecting multiple items for a field, only the first one is used in the search (but://report/39)
- Need to cast the unserialized data to an array to remove an implode() warning [admin/field.php#235]
- When $bugsys->options['pagelinks'] is set to 0, it now actually does its advertised behavior (but://report/45)
- Foreign langauge users cannot use the product/component editing system beacause localized strings are used to create the do actions instead of english variable ones (but://report/42)
- Fixed a SQL error that would occur when editing a report with no emails linked to it (but://report/46)
- Added the ability to delete attachments from the database (but://report/47)
- Fixed a scrollpane bug related to new reply <textarea>s in IE (but://report/48)
- In the "My Controls" tab, change the name of the email and password fields to prevent autocomplete from working on them
- Include the Gettext mimic functions into the installer so people without the PHP extension can install Bugdar (but://report/51)
- Fixed a SQL error that would occur when editing or deleting comments (but://report/52)
- Allow administrators to set the default time zone which guests view all times and dates in (but://report/53)
- The "[Edit]" and "[Delete]" options for attachments were off by one line (but://report/56)
- Fixed a spelling error in search.php when there is no search criteria
- Adding a quick search feature to the header bar (but://report/57)
- Fixed an occurence in header.tpl where the $stylevar align wasn't used, but a hard-coded one was
- Only allow JPG, JPEG, PNG, and GIF attachments to be displayed inline because all other types could lead to an XSS attack
- Added maxlength attributes to all <input type="text"/> fields so the database doesn't truncate (but://report/58)
- Fixed display issues in Firefox for RTL languages in the bug report screen and attachment display (but://report/59)
- Localized the version checking information strings in admin/index.php
- Localized the word "Home" in the admin/index.php <title>
- Fixed a bug in admin/user.php where email options would be changed for the admin making the changes to another user's account instead of that user
- Emails weren't being sent under certain conditions for new comments

1.1.3
===============================
- If a user leaves a comment and does not have bug change access, data loss occurs
- Fixed IE's redirection issue when using Message_Reporter->redirect() (but://report/32)
- On the admin login page, prevent the number "15" from appearing as text and marked another string for translation that was missed
- Error messages are no longer hidden in IE6 (but://report/30)

1.1.2
===============================
- Fixed a SQL injection on login.php (but://report/36)
- Fixed potential SQL injections on search.php
- Fixed potential SQL injections on install/install.php

1.1.1
===============================
- Registration email functions do not work because they are not ISSO2/Mail compatible [register.php]
- Removed TABLE_PREFIX-related SQL errors in syndicate.php
- Use the correct language variable key for exporting the XML encoding in syndicate.php
- API-level errors are not caught in the registration process before insertion because of user_cumulative [register.php]
- Remove warnings on explain.php?do=products (but://report/29)
- Removed SQL errors when deleting a product or version due to bad column names (but://report/28) [admin/product.php]
- Added a way to view and approve "Pending" and "Awaiting" users
- Prevent a weird bug with notifications where multiple emails would be sent out to the wrong people
- Numerous improvements for RTL languages (but://report/34)

1.1.0
===============================
- When gettext is not installed, a "method call on unobject" error is thrown
- Renamed "automatic action" to "automation"
- If no user comment is entered but there's an automation comment, then the automation comment is no longer disregarded
- Get rid of a foreach() warning if there are no products [admin/product.php#317]
- If no custom fields were setup, an empty query error would be thrown [newreport.php#130]
- If no custom fields were present, adding an automation would fail [admin/automation.php#74]
- Remove a warning when saving a usergroup and there are no custom fields present [admin/usergroup.php#221]
- Update cached usernames when the display name changes

1.1.0 Release Candidate 1
===============================
- Fixed many problems with install/install.php
- Changed array casting instances to is_array() checks, which are better
- Made some of the email notifications better-worded
- Fix the correct stylevar for language codes
- Fixed another can_perform() product-based permissions check [search.php]
- More changes to syndicate.php to increase performance
- Add checks to newreport.php and search.php to see if there are products or versions, if there aren't, then throw a message about needing them to be setup
- Process custom field data on newreport.php
- Add regex matching check to process_custom_fields()
- Missed some string conversions to gettext
- If cookies do not authenticate right, unset them [includes/init.php]

1.1.0 Beta 2
===============================
- Array casting to remove foreach() warnings [editreport.php#132]
- Update last post information after deleting a comment (but://report/25)
- Improved Atom feed by using a <table> and properly specifying type information
- Changed the access key for "Save Report and Add Another" button to E
- Removed potential warnings when there are no products [includes/functions.php#417] (but://report/26)
- Removed potential warnings if there is no page navigator [class_pagination.php#243] (but://report/26)
- Created a Language API
- Fix a call to a non-object error [editcomment.php#116]
- Switch to gettext language system instead of the XML-strings format
- Fixing warnings related to Printer->page_confirm() throughout the entire admin section
- After you delete a resolution, severity, priority, or status, set all bugs with the deleted field item back to the value set as default
- Fixed a bug where there could be two <select> menus in userctrl.php because we double-wrapped a <select> [userctrl.tpl]
- Cast to array to remove foreach() warnings [userctrl.php#160]
- Fixed a bug that would cause searching to result in a SQL error
- Added better checking of hidden bugs for the favorites list
- Better permissions checking in vote.php, viewattachment.php, attachment.php, showhistory.php, and favorite.php
- Fixed numerous permission checks in showreport.php
- Added a permission to allow viewing of one's hidden reported bugs ("canviewownhidden")
- Added an is_array() check to prevent foreach() warnings [admin/user.php#135]

1.1.0 Beta 1
===============================
- User help cache was not rebuilt for descriptions in custom fields (but://report/7)
- Custom fields did not appear on newreport.php (but://report/8)
- If the first SQL query fails (datastore fetch), show a link to the installer (but://report/20)
- Removed potential divide by 0 warnings in showreport.php under PHP5
- No longer highlight the <title> and <input> tags when viewing a bug report (but://report/21)
- Removed potential implode() warnings in showreport.php under PHP5
- When logging out, you will be redirected to the page you were previously viewing
- Rewrote the logging mechanism
- Usernames are now cached in the database for bug reports to remove the need to do complex joins at runtime
- Added notification system (but://report/11)
- When searching, you can now select multiple values for <select> menus (but://report/3)
- Add a notice for guests explaining that registration is a good thing (but://report/19)
- Create a separate screen that lists a user's favourites (but://report/12)
- Atom syndication of the bugs list (but://report/18)
- Removed the useless "dependency" table
- Added the following APIs:
        - Attachment
        - Automatic action
        - Bug
        - Comment
        - Custom field
        - Priority
        - Resolution
        - Severity
        - User
        - Usergroup
        - User help
- Added support for DST observation (but://report/22)
- Data (bugs and comments) can now be removed (but://report/16)
- Specific statuses can be hidden by the administrator and users individually (but://report/9)
- Column sorting of bug lists (but://report/14)
- Added a version checker in the admin section
- Removed the plus sign in "class1 + class2" for HTML CSS class attributes

1.0.1
===============================
- Fixed a SQL error in voting for those with a table prefix (but://report/6)
- Users with register_globals ON can now install software
- Users with register_globals ON can now log in