1<?php
2# MantisBT - A PHP based bugtracking system
3
4# MantisBT is free software: you can redistribute it and/or modify
5# it under the terms of the GNU General Public License as published by
6# the Free Software Foundation, either version 2 of the License, or
7# (at your option) any later version.
8#
9# MantisBT is distributed in the hope that it will be useful,
10# but WITHOUT ANY WARRANTY; without even the implied warranty of
11# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12# GNU General Public License for more details.
13#
14# You should have received a copy of the GNU General Public License
15# along with MantisBT.  If not, see <http://www.gnu.org/licenses/>.
16
17/**
18 * Return Dynamic Filters
19 *
20 * @package MantisBT
21 * @copyright Copyright 2000 - 2002  Kenzaburo Ito - kenito@300baud.org
22 * @copyright Copyright 2002  MantisBT Team - mantisbt-dev@lists.sourceforge.net
23 * @link http://www.mantisbt.org
24 *
25 * @uses core.php
26 * @uses authentication_api.php
27 * @uses compress_api.php
28 * @uses config_api.php
29 * @uses constant_inc.php
30 * @uses current_user_api.php
31 * @uses custom_field_api.php
32 * @uses error_api.php
33 * @uses filter_api.php
34 * @uses filter_constants_inc.php
35 * @uses filter_form_api.php
36 * @uses gpc_api.php
37 * @uses helper_api.php
38 */
39
40use Mantis\Exceptions\StateException;
41
42# Prevent output of HTML in the content if errors occur
43define( 'DISABLE_INLINE_ERROR_REPORTING', true );
44
45require_once( 'core.php' );
46require_api( 'authentication_api.php' );
47require_api( 'compress_api.php' );
48require_api( 'config_api.php' );
49require_api( 'constant_inc.php' );
50require_api( 'current_user_api.php' );
51require_api( 'custom_field_api.php' );
52require_api( 'error_api.php' );
53require_api( 'filter_api.php' );
54require_api( 'filter_constants_inc.php' );
55require_api( 'filter_form_api.php' );
56require_api( 'gpc_api.php' );
57require_api( 'helper_api.php' );
58
59if( !auth_is_user_authenticated() ) {
60	trigger_error( ERROR_ACCESS_DENIED, ERROR );
61}
62
63compress_enable();
64
65$f_filter_id = gpc_get( 'filter_id', null );
66if( null !== $f_filter_id ) {
67	$t_filter = filter_get( $f_filter_id, null );
68	if( null === $t_filter ) {
69		trigger_error( ERROR_ACCESS_DENIED, ERROR );
70	}
71} else {
72	$t_filter = current_user_get_bug_filter();
73}
74
75$f_view_type = gpc_get_string( 'view_type', $t_filter['_view_type'] );
76$t_filter['_view_type'] = $f_view_type;
77# call to filter_ensure_valid_filter to clean up after adding unsafe values from gpc vars
78$t_filter = filter_ensure_valid_filter( $t_filter );
79
80/**
81 * Prepend headers to the dynamic filter forms that are sent as the response from this page.
82 * @return void
83 */
84function return_dynamic_filters_prepend_headers() {
85	if( !headers_sent() ) {
86		header( 'Content-Type: text/html; charset=utf-8' );
87	}
88}
89
90$f_filter_target = gpc_get_string( 'filter_target' );
91$filter_target = mb_substr( $f_filter_target, 0, -7 ); # -7 for '_filter'
92$t_found = false;
93try {
94	$t_content = filter_form_get_input( $t_filter, $filter_target );
95} catch( StateException $e ) {
96	$t_content = false;
97}
98
99if( false !== $t_content ) {
100	return_dynamic_filters_prepend_headers();
101	$t_found = true;
102	echo $t_content;
103} else if( 'custom_field' == mb_substr( $f_filter_target, 0, 12 ) ) {
104	# Check existence of custom field id, and if the user has access to read and filter by
105	$t_custom_id = mb_substr( $f_filter_target, 13, -7 );
106	$t_cfdef = custom_field_get_definition( $t_custom_id );
107	if( $t_cfdef && access_has_any_project_level( $t_cfdef['access_level_r'] ) && $t_cfdef['filter_by'] ) {
108		$t_found = true;
109		return_dynamic_filters_prepend_headers();
110		print_filter_custom_field( $t_custom_id, $t_filter );
111	} else {
112		trigger_error( ERROR_ACCESS_DENIED, ERROR );
113	}
114} else {
115	$t_plugin_filters = filter_get_plugin_filters();
116	foreach ( $t_plugin_filters as $t_field_name => $t_filter_object ) {
117		if( $t_field_name . '_filter' == $f_filter_target ) {
118			return_dynamic_filters_prepend_headers();
119			print_filter_plugin_field( $t_field_name, $t_filter_object, $t_filter );
120			$t_found = true;
121			break;
122		}
123	}
124}
125
126if( !$t_found ) {
127	# error - no function to populate the target (e.g., print_filter_foo)
128	error_parameters( $f_filter_target );
129	trigger_error( ERROR_FILTER_NOT_FOUND, ERROR );
130}
131