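/**
 * Called when the current user tries to open a page they are not authorised
 * to see.
 *
 * - Not authenticated: redirect to login_page.php, carrying the current
 *   request (script name plus query string) as the sanitised "return"
 *   parameter — unless we are already on login_page.php.
 * - Logged in as the anonymous account: print the access-denied message with
 *   a "click to login" link (again with "return") and a "proceed" link to the
 *   configured default home page (again skipped on login_page.php).
 * - Any other authenticated user: print the access-denied message and the
 *   "proceed" link only.
 *
 * The script is terminated with exit in every case.
 *
 * @return void
 */
function access_denied() {
    # Builds the value of the "return" parameter from the current request.
    # $_SERVER['SCRIPT_NAME'] is used rather than PHP_SELF, which may carry
    # client-supplied PATH_INFO; the result is passed through
    # string_sanitize_url() (same-site URL validation) and then URL-encoded
    # so it is safe as a query-string value. Done once here instead of being
    # duplicated in the two branches below.
    $t_encoded_return_page = static function() {
        $t_page = $_SERVER['SCRIPT_NAME'];
        if (isset($_SERVER['QUERY_STRING'])) {
            $t_page .= '?' . $_SERVER['QUERY_STRING'];
        }
        return string_url(string_sanitize_url($t_page));
    };

    if (!auth_is_user_authenticated()) {
        # Never redirect the login page to itself.
        if (basename($_SERVER['SCRIPT_NAME']) !== 'login_page.php') {
            print_header_redirect('login_page.php?return=' . $t_encoded_return_page());
        }
    } elseif (current_user_is_anonymous()) {
        if (basename($_SERVER['SCRIPT_NAME']) !== 'login_page.php') {
            $t_return_page = $t_encoded_return_page();
            echo '<p class="center">' . error_string(ERROR_ACCESS_DENIED) . '</p><p class="center">';
            print_bracket_link(helper_mantis_url('login_page.php') . '?return=' . $t_return_page, lang_get('click_to_login'));
            echo '</p><p class="center">';
            print_bracket_link(helper_mantis_url(config_get('default_home_page')), lang_get('proceed'));
            echo '</p>';
        }
    } else {
        echo '<p class="center">' . error_string(ERROR_ACCESS_DENIED) . '</p>';
        echo '<p class="center">';
        print_bracket_link(helper_mantis_url(config_get('default_home_page')), lang_get('proceed'));
        echo '</p>';
    }

    exit;
}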
/**
 * Prepares the display name of the user with the given id.
 *
 * Enabled, existing users are rendered as a link to view_user_page.php —
 * but only when the *current* user is an administrator (site-specific
 * modification, see below); otherwise just the display-safe name is
 * returned. Disabled or unknown users are rendered struck through.
 *
 * @param int $p_user_id
 * @return string HTML fragment, or '' for NO_USER
 */
function prepare_user_name($p_user_id) {
    # NO_USER stands for "nobody" (e.g. a handler that has not been
    # assigned): there is nothing to render.
    if (NO_USER == $p_user_id) {
        return '';
    }

    $t_raw_name = user_get_name($p_user_id);
    $t_is_active = user_exists($p_user_id) && user_get_field($p_user_id, 'enabled');
    $t_display_name = string_display_line($t_raw_name);

    if (!$t_is_active) {
        # Struck-through name for disabled / non-existent accounts.
        return '<font STYLE="text-decoration: line-through">' . $t_display_name . '</font>';
    }

    # WK/BFE: original line commented out (LB/BFE 2015):
    #   return '<a href="' . string_sanitize_url( 'view_user_page.php?id=' . $p_user_id, true ) . '">' . $t_username . '</a>';
    # Replaced by: link to view_user_page only for privileged viewers.
    # NOTE(review): the original modification comment speaks of
    # $g_manage_user_threshold, but the check actually performed is
    # user_is_administrator() — confirm which one is intended.
    if (!user_is_administrator(auth_get_current_user_id())) {
        return $t_display_name;
    }
    return '<a href="' . string_sanitize_url('view_user_page.php?id=' . $p_user_id, true) . '">' . $t_display_name . '</a>';
    # WK/BFE: end of modification
}
/**
 * Legacy access-denied handler: tells the current user they may not view
 * the requested page, then ends the script.
 *
 * Not logged in: redirect to login_page.php with the current request as a
 * sanitised "return" parameter (skipped on login_page.php itself). Logged
 * in as the configured anonymous account: print the denial message, a
 * login link (again carrying "return") and a link to main_page.php (also
 * skipped on login_page.php). Any other user: print the denial message and
 * the main_page.php link.
 *
 * @return void (the script is terminated with exit)
 */
function access_denied() {
    # Builds the URL-encoded "return" value from the current request.
    # $_SERVER['PHP_SELF'] may include client-supplied PATH_INFO, which is
    # why the value is run through string_sanitize_url() before encoding.
    $t_encoded_current_request = function() {
        $t_page = $_SERVER['PHP_SELF'];
        if (isset($_SERVER['QUERY_STRING'])) {
            $t_page .= '?' . $_SERVER['QUERY_STRING'];
        }
        return string_url(string_sanitize_url($t_page));
    };

    if (!auth_is_user_authenticated()) {
        # Avoid redirecting the login page to itself.
        if (basename($_SERVER['SCRIPT_NAME']) != 'login_page.php') {
            print_header_redirect('login_page.php?return=' . $t_encoded_current_request());
        }
        exit;
    }

    if (auth_get_current_user_id() == user_get_id_by_name(config_get_global('anonymous_account'))) {
        if (basename($_SERVER['SCRIPT_NAME']) != 'login_page.php') {
            $t_return = $t_encoded_current_request();
            echo '<center>';
            echo '<p>' . error_string(ERROR_ACCESS_DENIED) . '</p>';
            print_bracket_link('login_page.php?return=' . $t_return, lang_get('click_to_login'));
            echo '<p></p>';
            print_bracket_link('main_page.php', lang_get('proceed'));
            echo '</center>';
        }
        exit;
    }

    echo '<center>';
    echo '<p>' . error_string(ERROR_ACCESS_DENIED) . '</p>';
    print_bracket_link('main_page.php', lang_get('proceed'));
    echo '</center>';
    exit;
}
/**
 * Send an HTTP redirect to $p_url (legacy variant).
 *
 * Nothing is sent when 'stop_on_errors' is ON and an error has already been
 * handled on this page, or when headers are already out (then
 * ERROR_PAGE_REDIRECTION is raised). With 'use_iis' ON a "Refresh: 0;url="
 * header is used instead of "Location:".
 *
 * @param string $p_url      Target URL. When $p_sanitize is false it is put
 *                           into the header unchanged, so callers must pass
 *                           a URL they have already validated.
 * @param bool   $p_die      Terminate the script once the header is sent.
 * @param bool   $p_sanitize Run $p_url through string_sanitize_url() first.
 * @return bool true when the redirect header was sent, false otherwise.
 */
function print_header_redirect($p_url, $p_die = true, $p_sanitize = false) {
    $t_use_iis = config_get('use_iis');

    if (ON == config_get('stop_on_errors') && error_handled()) {
        return false;
    }

    # validate the url as part of this site before continuing
    $t_url = $p_sanitize ? string_sanitize_url($p_url) : $p_url;

    # don't send more headers if they have already been sent (guideweb)
    if (headers_sent()) {
        trigger_error(ERROR_PAGE_REDIRECTION, ERROR);
        return false;
    }

    header('Content-Type: text/html; charset=' . lang_get('charset'));
    $t_redirect_header = (ON == $t_use_iis) ? "Refresh: 0;url={$t_url}" : "Location: {$t_url}";
    header($t_redirect_header);

    if ($p_die) {
        # additional output can cause problems so let's just stop output here
        die;
    }

    return true;
}
/**
 * string_sanitize_url() must yield the expected output both with the default
 * $g_short_path and with Mantis installed at the server root ('/').
 *
 * @dataProvider provider
 * @param string $p_in Input.
 * @param string $p_out Expected output.
 * @return void
 */
public function testStringSanitize($p_in, $p_out) {
    $this->assertEquals($p_out, string_sanitize_url($p_in, false));

    # Since unit tests are run from command-line, with a default MantisBT
    # config $g_short_path will be that of the phpunit binary. We also
    # need to cover the case of Mantis being installed at the server's
    # root (i.e. $g_short_path = '/')
    config_set_global('short_path', '/');
    $this->assertEquals($p_out, string_sanitize_url($p_in, false));
}
/**
 * Renders the name of the user with the given id for display.
 *
 * Enabled, existing users become a link to view_user_page.php; disabled or
 * unknown users are wrapped in <del>. NO_USER yields an empty string.
 *
 * @param int $p_user_id
 * @return string
 */
function prepare_user_name( $p_user_id ) {
    # Catch a user_id of NO_USER (like when a handler hasn't been assigned)
    if( NO_USER == $p_user_id ) {
        return '';
    }

    $t_display_name = string_display_line( user_get_name( $p_user_id ) );
    $t_is_active = user_exists( $p_user_id ) && user_get_field( $p_user_id, 'enabled' );

    if( !$t_is_active ) {
        return '<del class="user">' . $t_display_name . '</del>';
    }

    $t_profile_url = string_sanitize_url( 'view_user_page.php?id=' . $p_user_id, true );
    return '<a class="user" href="' . $t_profile_url . '">' . $t_display_name . '</a>';
}
/**
 * Renders the name of the user with the given id for display.
 *
 * Enabled, existing users become a link to view_user_page.php; disabled or
 * unknown users are shown struck through. NO_USER yields an empty string.
 *
 * @param int $p_user_id
 * @return string
 */
function prepare_user_name($p_user_id) {
    # Catch a user_id of NO_USER (like when a handler hasn't been assigned)
    if (NO_USER == $p_user_id) {
        return '';
    }

    $t_raw_name = user_get_name($p_user_id);
    $t_is_active = user_exists($p_user_id) && user_get_field($p_user_id, 'enabled');
    $t_display_name = string_display_line($t_raw_name);

    if (!$t_is_active) {
        return '<font STYLE="text-decoration: line-through">' . $t_display_name . '</font>';
    }

    $t_profile_url = string_sanitize_url('view_user_page.php?id=' . $p_user_id, true);
    return '<a href="' . $t_profile_url . '">' . $t_display_name . '</a>';
}
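/**
 * Print an HTML <meta http-equiv="Refresh"> tag that redirects to $p_url
 * after $p_time seconds (legacy variant).
 *
 * Nothing is printed (and false is returned) when 'stop_on_errors' is ON and
 * an error has already been handled on this page.
 *
 * @param string   $p_url      Target URL.
 * @param int|null $p_time     Seconds to wait; null uses the current user's
 *                             'redirect_delay' preference.
 * @param bool     $p_sanitize Run $p_url through string_sanitize_url() first.
 * @return bool false if the redirect was suppressed, true otherwise.
 */
function html_meta_redirect($p_url, $p_time = null, $p_sanitize = false) {
    if (ON == config_get('stop_on_errors') && error_handled()) {
        return false;
    }

    if (null === $p_time) {
        $p_time = current_user_get_pref('redirect_delay');
    }

    $t_url = $p_sanitize ? string_sanitize_url($p_url) : $p_url;

    # Both the delay and the URL end up inside a double-quoted HTML attribute,
    # so they are escaped for that context: a quote in an unsanitised URL must
    # not be able to close the attribute. This is HTML escaping only, not
    # URL encoding — the URL itself is expected to be well-formed already.
    $t_content = htmlspecialchars($p_time . ';URL=' . $t_url, ENT_QUOTES);

    echo "\t<meta http-equiv=\"Refresh\" content=\"{$t_content}\" />\n";
    return true;
}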
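#
# You should have received a copy of the GNU General Public License
# along with MantisBT. If not, see <http://www.gnu.org/licenses/>.

/**
 * login_anon.php logs a user in anonymously without having to enter a username
 * or password.
 *
 * Depends on two global configuration variables:
 * allow_anonymous_login - bool which must be true to allow anonymous login.
 * anonymous_account - name of account to login with.
 *
 * TODO:
 * Check how manage account is impacted.
 * Might be extended to allow redirects for bug links etc.
 * @package MantisBT
 * @copyright Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
 * @copyright Copyright (C) 2002 - 2014 MantisBT Team - mantisbt-dev@lists.sourceforge.net
 * @link http://www.mantisbt.org
 */

/**
 * MantisBT Core API's
 */
require_once 'core.php';

$f_return = gpc_get_string('return', '');
$t_anonymous_account = config_get('anonymous_account');

# Assemble the login.php query string once instead of in two near-identical
# redirect calls. The account name comes from configuration rather than the
# request, but it is still URL-encoded so that a name containing reserved
# characters cannot break the query string. The caller-supplied 'return'
# value is passed through string_sanitize_url() (the project's same-site URL
# check) before being encoded as a query parameter.
$t_query = 'username=' . string_url($t_anonymous_account) . '&perm_login=false';
if ($f_return !== '') {
    $t_query .= '&return=' . string_url(string_sanitize_url($f_return));
}

print_header_redirect('login.php?' . $t_query);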
/**
 * string_sanitize_url() must return the expected value for every
 * data-provider case (second argument false).
 *
 * @dataProvider provider
 */
public function testStringSanitize($in, $out) {
    $this->assertEquals($out, string_sanitize_url($in, false));
}
* @uses session_api.php * @uses string_api.php */ require_once 'core.php'; require_api('authentication_api.php'); require_api('config_api.php'); require_api('constant_inc.php'); require_api('gpc_api.php'); require_api('print_api.php'); require_api('session_api.php'); require_api('string_api.php'); $t_allow_perm_login = ON == config_get('allow_permanent_cookie'); $f_username = gpc_get_string('username', ''); $f_password = gpc_get_string('password', ''); $f_perm_login = $t_allow_perm_login && gpc_get_bool('perm_login'); $t_return = string_url(string_sanitize_url(gpc_get_string('return', config_get('default_home_page')))); $f_from = gpc_get_string('from', ''); $f_secure_session = gpc_get_bool('secure_session', false); $f_install = gpc_get_bool('install'); # If upgrade required, always redirect to install page. if ($f_install) { $t_return = 'admin/install.php'; } $f_username = auth_prepare_username($f_username); $f_password = auth_prepare_password($f_password); gpc_set_cookie(config_get_global('cookie_prefix') . '_secure_session', $f_secure_session ? '1' : '0'); if (auth_attempt_login($f_username, $f_password, $f_perm_login)) { session_set('secure_session', $f_secure_session); if ($f_username == 'administrator' && $f_password == 'root' && (is_blank($t_return) || $t_return == 'index.php')) { $t_return = 'account_page.php'; }
/**
 * Prints an "operation successful" box with an optional message and a
 * "proceed" link to $p_redirect_url.
 *
 * @param string $p_redirect_url URL to link to; passed through string_sanitize_url().
 * @param string $p_message      Extra text, printed as-is (no escaping here, so
 *                               callers must supply safe HTML — confirm at call sites).
 * @return void
 */
function html_operation_successful($p_redirect_url, $p_message = '') {
    $t_message_html = is_blank($p_message) ? '' : $p_message . '<br />';
    echo '<div class="success-msg">' . $t_message_html . lang_get('operation_successful') . '<br />';
    print_bracket_link(string_sanitize_url($p_redirect_url), lang_get('proceed'));
    echo '</div>';
}
* @uses string_api.php */ /** * MantisBT Core API's */ require_once 'core.php'; require_api('authentication_api.php'); require_api('constant_inc.php'); require_api('current_user_api.php'); require_api('gpc_api.php'); require_api('html_api.php'); require_api('lang_api.php'); require_api('print_api.php'); require_api('string_api.php'); auth_ensure_user_authenticated(); $f_ref = string_sanitize_url(gpc_get_string('ref', '')); if (count(current_user_get_accessible_projects()) == 1) { $t_project_ids = current_user_get_accessible_projects(); $t_project_id = (int) $t_project_ids[0]; if (count(current_user_get_accessible_subprojects($t_project_id)) == 0) { $t_ref_urlencoded = string_url($f_ref); print_header_redirect("set_project.php?project_id={$t_project_id}&ref={$t_ref_urlencoded}", true); /* print_header_redirect terminates script execution */ } } html_page_top(lang_get('select_project_button')); ?> <!-- Project Select Form BEGIN --> <div id="select-project-div" class="form-container"> <form id="select-project-form" method="post" action="set_project.php">
# (at your option) any later version.
#
# Mantis is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Mantis. If not, see <http://www.gnu.org/licenses/>.
# --------------------------------------------------------
# $Id: permalink_page.php,v 1.4.2.1 2007-10-13 22:34:11 giallu Exp $
# --------------------------------------------------------

# permalink_page.php: shows the permalink passed in the 'url' request
# parameter as a clickable link, plus a link to create a short URL for it.
require_once 'core.php';

# NOTE(review): $t_core_path is assigned but not used anywhere on this page.
$t_core_path = config_get('core_path');

html_page_top1();
html_page_top2();

# The only request-derived value on this page. It is passed through
# string_sanitize_url() and then echoed below into an href attribute, as
# link text and into the short-URL template. NOTE(review): this page does
# not HTML-escape it itself — confirm that string_sanitize_url() returns
# HTML-safe output; if it does not, the echoes need htmlspecialchars().
$f_url = string_sanitize_url(gpc_get_string('url'));
?>
<div align="center">
<p>
<?php
echo lang_get('filter_permalink'), '<br />';
echo "<a href=\"{$f_url}\">{$f_url}</a>";
?>
</p><br />
<?php
# 'create_short_url' is a sprintf template into which the permalink is
# substituted; the third argument of print_bracket_link() is passed as true.
print_bracket_link(sprintf(config_get('create_short_url'), $f_url), lang_get('create_short_link'), true);
?>
</div>
<?php html_page_bottom1(__FILE__);
/**
 * Format and hyperlink mentions
 *
 * Each mention reported by mention_get_users() (the mentions tag followed by
 * the username) is replaced. In HTML mode the replacement is a
 * <span class="mention"> holding a link to the user's page, struck through
 * with <s> when the account is disabled; in plain mode the mention is left
 * as-is. Existing anchor tags are excluded from the replacement so that
 * mailto links set up earlier are not processed as mentions.
 *
 * @param string $p_text The text to process.
 * @param bool $p_html true for html, false otherwise.
 * @return string The processed text.
 */
function mention_format_text($p_text, $p_html = true) {
    $t_users = mention_get_users($p_text);
    if (empty($t_users)) {
        return $p_text;
    }

    # Renders one mention as HTML (link, optional strike-through, span).
    $t_render_html = function($p_mention, $p_user_id) {
        $t_label = string_display_line($p_mention);
        $t_html = '<a class="user" href="' . string_sanitize_url('view_user_page.php?id=' . $p_user_id, true) . '">' . $t_label . '</a>';
        if (!user_is_enabled($p_user_id)) {
            $t_html = '<s>' . $t_html . '</s>';
        }
        return '<span class="mention">' . $t_html . '</span>';
    };

    $t_tag = mentions_tag();
    $t_replacements = [];
    foreach ($t_users as $t_username => $t_user_id) {
        $t_mention = $t_tag . $t_username;
        $t_replacements[$t_mention] = $p_html ? $t_render_html($t_mention, $t_user_id) : $t_mention;
    }

    # Replace the mentions, ignoring existing anchor tags (otherwise
    # previously set mailto links would be processed as mentions,
    # corrupting the output
    return string_process_exclude_anchors($p_text, function($p_string) use ($t_replacements) {
        return str_replace(array_keys($t_replacements), array_values($t_replacements), $p_string);
    });
}
/**
 * string_sanitize_url() must return the expected value for every
 * data-provider case (second argument false).
 *
 * @dataProvider provider
 * @param string $p_in Input.
 * @param string $p_out Expected output.
 * @return void
 */
public function testStringSanitize($p_in, $p_out) {
    $this->assertEquals($p_out, string_sanitize_url($p_in, false));
}
$f_perm_login = gpc_get_bool('perm_login'); $f_return = gpc_get_string('return', config_get('default_home_page')); $f_from = gpc_get_string('from', ''); if (BASIC_AUTH == config_get('login_method')) { $f_username = $_SERVER['REMOTE_USER']; $f_password = $_SERVER['PHP_AUTH_PW']; } if (HTTP_AUTH == config_get('login_method')) { if (!auth_http_is_logout_pending()) { if (isset($_SERVER['PHP_AUTH_USER'])) { $f_username = $_SERVER['PHP_AUTH_USER']; } if (isset($_SERVER['PHP_AUTH_PW'])) { $f_password = $_SERVER['PHP_AUTH_PW']; } } else { auth_http_set_logout_pending(false); auth_http_prompt(); return; } } if (auth_attempt_login($f_username, $f_password, $f_perm_login)) { $t_redirect_url = 'login_cookie_test.php?return=' . string_sanitize_url($f_return); } else { $t_redirect_url = 'login_page.php?return=' . string_sanitize_url($f_return) . '&error=1'; if (HTTP_AUTH == config_get('login_method')) { auth_http_prompt(); exit; } } print_header_redirect($t_redirect_url);
require_api('authentication_api.php'); require_api('config_api.php'); require_api('constant_inc.php'); require_api('current_user_api.php'); require_api('database_api.php'); require_api('gpc_api.php'); require_api('html_api.php'); require_api('lang_api.php'); require_api('print_api.php'); require_api('string_api.php'); require_api('user_api.php'); require_api('utility_api.php'); require_css('login.css'); $f_error = gpc_get_bool('error'); $f_cookie_error = gpc_get_bool('cookie_error'); $f_return = string_sanitize_url(gpc_get_string('return', '')); $f_username = gpc_get_string('username', ''); $f_perm_login = gpc_get_bool('perm_login', false); $f_secure_session = gpc_get_bool('secure_session', false); $f_secure_session_cookie = gpc_get_cookie(config_get_global('cookie_prefix') . '_secure_session', null); # Set username to blank if invalid to prevent possible XSS exploits if (!user_is_name_valid($f_username)) { $f_username = ''; } $t_session_validation = ON == config_get_global('session_validation'); # If user is already authenticated and not anonymous if (auth_is_user_authenticated() && !current_user_is_anonymous()) { # If return URL is specified redirect to it; otherwise use default page if (!is_blank($f_return)) { print_header_redirect($f_return, false, false, true); } else {
* @uses user_api.php * @uses user_pref_api.php */ require_once 'core.php'; require_api('access_api.php'); require_api('authentication_api.php'); require_api('config_api.php'); require_api('form_api.php'); require_api('gpc_api.php'); require_api('print_api.php'); require_api('string_api.php'); require_api('user_api.php'); require_api('user_pref_api.php'); #============ Parameters ============ $f_user_id = gpc_get_int('user_id'); $f_redirect_url = string_sanitize_url(gpc_get_string('redirect_url', 'account_prefs_page.php')); #============ Permissions ============ form_security_validate('account_prefs_reset'); auth_ensure_user_authenticated(); user_ensure_exists($f_user_id); $t_user = user_get_row($f_user_id); # This page is currently called from the manage_* namespace and thus we # have to allow authorised users to update the accounts of other users. # TODO: split this functionality into manage_user_prefs_reset.php if (auth_get_current_user_id() != $f_user_id) { access_ensure_global_level(config_get('manage_user_threshold')); access_ensure_global_level($t_user['access_level']); } else { # Protected users should not be able to update the preferences of their # user account. The anonymous user is always considered a protected # user and hence will also not be allowed to update preferences.
/**
 * Send an HTTP "Location" redirect and (by default) terminate the script.
 *
 * The target is derived from the flags: with $p_absolute the URL is used as
 * given (sanitised first when $p_sanitize is set); otherwise it is treated
 * as relative to the installation, via string_sanitize_url($p_url, true) or
 * by prefixing config 'path'. string_prepare_header() is applied before the
 * value goes into the header. No redirect is sent when 'stop_on_errors' is
 * ON and an error was already handled, or when headers were already sent
 * (ERROR_PAGE_REDIRECTION is raised instead).
 *
 * @param string $p_url      Target URL (relative unless $p_absolute).
 * @param bool   $p_die      Stop the script after sending the header.
 * @param bool   $p_sanitize Apply string_sanitize_url() to $p_url.
 * @param bool   $p_absolute Treat $p_url as absolute (no 'path' prefix).
 * @return bool true if the redirect header was sent, false otherwise.
 */
function print_header_redirect($p_url, $p_die = true, $p_sanitize = false, $p_absolute = false) {
    if (ON == config_get_global('stop_on_errors') && error_handled()) {
        return false;
    }

    # validate the url as part of this site before continuing
    if ($p_sanitize) {
        $t_url = $p_absolute ? string_sanitize_url($p_url) : string_sanitize_url($p_url, true);
    } elseif ($p_absolute) {
        $t_url = $p_url;
    } else {
        $t_url = config_get('path') . $p_url;
    }
    $t_url = string_prepare_header($t_url);

    # don't send more headers if they have already been sent (guideweb)
    if (headers_sent()) {
        trigger_error(ERROR_PAGE_REDIRECTION, ERROR);
        return false;
    }
    header('Content-Type: text/html; charset=utf-8');
    header("Location: {$t_url}");

    if ($p_die) {
        # additional output can cause problems so let's just stop output here
        die;
    }

    return true;
}
/**
 * (6) Print an HTML meta tag to redirect to another page
 * This function is optional and may be called by pages that need a redirect.
 * $p_time is the number of seconds to wait before redirecting.
 * If we have handled any errors on this page return false and don't redirect.
 *
 * @param string $p_url The page to redirect: has to be a relative path.
 * @param integer $p_time Seconds to wait for before redirecting.
 * @param boolean $p_sanitize Apply string_sanitize_url to passed URL.
 * @return boolean
 */
function html_meta_redirect($p_url, $p_time = null, $p_sanitize = true) {
    if (ON == config_get_global('stop_on_errors') && error_handled()) {
        return false;
    }

    $t_delay = (null === $p_time) ? current_user_get_pref('redirect_delay') : $p_time;

    # Relative path, prefixed with the site path; optionally sanitised.
    $t_target = config_get('path') . ($p_sanitize ? string_sanitize_url($p_url) : $p_url);

    # The URL is placed in an HTML attribute, hence htmlspecialchars(). The
    # delay is interpolated as-is; it is documented as an integer — confirm
    # that the preference / callers enforce that.
    echo "\t" . '<meta http-equiv="Refresh" content="' . $t_delay . ';URL=' . htmlspecialchars($t_target) . '" />' . "\n";
    return true;
}