From 8df3db566a3a937b45ebf11adb90d265e6f5e2d4 Mon Sep 17 00:00:00 2001
From: Andreas Baumann <mail@andreasbaumann.cc>
Date: Sun, 17 Nov 2019 20:45:02 +0100
Subject: initial checking of customized version 1.0rc9

---
 includes/modify.inc.php | 3053 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 3053 insertions(+)
 create mode 100644 includes/modify.inc.php

(limited to 'includes/modify.inc.php')

diff --git a/includes/modify.inc.php b/includes/modify.inc.php
new file mode 100644
index 0000000..004a5a8
--- /dev/null
+++ b/includes/modify.inc.php
@@ -0,0 +1,3053 @@
+<?php
+
+/**
+ * Database Modifications
+ * @version  $Id$
+ */
+
+if (!defined('IN_FS')) {
+    die('Do not access this file directly.');
+}
+
+$notify = new Notifications;
+
+$lt = Post::isAlnum('list_type') ? Post::val('list_type') : '';
+$list_table_name = null;
+$list_column_name = null;
+$list_id = null;
+
+if (strlen($lt)) {
+    $list_table_name  = '{list_'.$lt .'}';
+    $list_column_name = $lt . '_name';
+    $list_id = $lt . '_id';
+}
+
+function Post_to0($key) { return Post::val($key, 0); }
+
+function resizeImage($file, $max_x, $max_y, $forcePng = false)
+{
+	if ($max_x <= 0 || $max_y <= 0) {
+		$max_x = 5;
+		$max_y = 5;
+	}
+
+	$src = BASEDIR.'/avatars/'.$file;
+
+	list($width, $height, $type) = getImageSize($src);
+
+	$scale = min($max_x / $width, $max_y / $height);
+	$newWidth = $width * $scale;
+	$newHeight = $height * $scale;
+
+	$img = imagecreatefromstring(file_get_contents($src));
+	$black = imagecolorallocate($img, 0, 0, 0);
+	$resizedImage = imageCreateTrueColor($newWidth, $newHeight);
+	imagecolortransparent($resizedImage, $black);
+	imageCopyResampled($resizedImage, $img, 0, 0, 0, 0, $newWidth, $newHeight, $width, $height);
+	imageDestroy($img);
+	unlink($src);
+
+	if (!$forcePng) {
+		switch ($type) {
+			case IMAGETYPE_JPEG:
+				imageJpeg($resizedImage, BASEDIR.'/avatars/'.$file);
+				break;
+			case IMAGETYPE_GIF:
+				imageGif($resizedImage, BASEDIR.'/avatars/'.$file);
+				break;
+			case IMAGETYPE_PNG:
+				imagePng($resizedImage, BASEDIR.'/avatars/'.$file);
+				break;
+			default:
+				imagePng($resizedImage, BASEDIR.'/avatars/'.$file);
+				break;
+		}
+	}
+	else {
+		imagePng($resizedImage, BASEDIR.'/avatars/'.$file.'.png');
+	}
+
+	return;
+}
+
+if (Req::num('task_id')) {
+    $task = Flyspray::getTaskDetails(Req::num('task_id'));
+}
+
+if(isset($_SESSION)) {
+    unset($_SESSION['SUCCESS'], $_SESSION['ERROR'], $_SESSION['ERRORS']);
+}
+
+switch ($action = Req::val('action'))
+{
+    // ##################
+    // Adding a new task
+    // ##################
+    case 'newtask.newtask':
+
+		$newtaskerrors=array();
+
+		if (!Post::val('item_summary') || trim(Post::val('item_summary')) == '') { // description not required anymore
+			$newtaskerrors['summaryrequired']=1;
+		}
+
+		if ($user->isAnon() && !filter_var(Post::val('anon_email'), FILTER_VALIDATE_EMAIL)) {
+			$newtaskerrors['invalidemail']=1;
+		}
+
+		if (count($newtaskerrors)>0){
+			$_SESSION['ERRORS']=$newtaskerrors;
+			$_SESSION['ERROR']=L('invalidnewtask');
+			break;
+		}
+
+        list($task_id, $token) = Backend::create_task($_POST);
+        // Status and redirect
+        if ($task_id) {
+            $_SESSION['SUCCESS'] = L('newtaskadded');
+
+            if ($user->isAnon()) {
+                Flyspray::redirect(createURL('details', $task_id, null, array('task_token' => $token)));
+            } else {
+                Flyspray::redirect(createURL('details', $task_id));
+            }
+        } else {
+            Flyspray::show_error(L('databasemodfailed'));
+            break;
+        }
+        break;
+
+        // ##################
+        // Adding multiple new tasks
+        // ##################
+    case 'newmultitasks.newmultitasks':
+        if(!isset($_POST['item_summary'])) {
+            #Flyspray::show_error(L('summaryanddetails'));
+            Flyspray::show_error(L('summaryrequired'));
+            break;
+        }
+        $flag = true;
+        foreach($_POST['item_summary'] as $summary) {
+            if(!$summary || trim($summary) == "") {
+                $flag = false;
+                break;
+            }
+        }
+        $i = 0;
+        foreach($_POST['detailed_desc'] as $detail) {
+            if($detail){
+            	# only for ckeditor/html, not for dokuwiki (or other syntax plugins in future)
+            	if ($conf['general']['syntax_plugin'] != 'dokuwiki') {
+                  $_POST['detailed_desc'][$i] = "<p>" . $detail . "</p>";
+            	}
+            }
+            $i++;
+        }
+        if(!$flag) {
+            #Flyspray::show_error(L('summaryanddetails'));
+            Flyspray::show_error(L('summaryrequired'));
+            break;
+        }
+
+        $flag = true;
+        $length = count($_POST['detailed_desc']);
+        for($i = 0; $i < $length; $i++) {
+            $ticket = array();
+            foreach($_POST as $key => $value) {
+                if($key == "assigned_to") {
+                    $sql = $db->query("SELECT user_id FROM {users} WHERE user_name = ? or real_name = ?", array($value[$i], $value[$i]));
+                    $ticket["rassigned_to"] = array(intval($db->fetchOne($sql)));
+                    continue;
+                }
+                if(is_array($value))
+                    $ticket[$key] = $value[$i];
+                else
+                    $ticket[$key] = $value;
+            }
+            list($task_id, $token) = Backend::create_task($ticket);
+            if (!$task_id) {
+                $flag = false;
+                break;
+            }
+        }
+
+        if(!$flag) {
+            Flyspray::show_error(L('databasemodfailed'));
+            break;
+        }
+
+        $_SESSION['SUCCESS'] = L('newtaskadded');
+        Flyspray::redirect(createURL('index', $proj->id));
+        break;
+
+        // ##################
+        // Modifying an existing task
+        // ##################
+    case 'details.update':
+        if (!$user->can_edit_task($task)) {
+		Flyspray::show_error(L('nopermission')); # TODO create a better error message
+		break;
+        }
+
+	$errors=array();
+
+	# TODO add checks who should be able to move a task, modify_all_tasks perm should not be enough and the target project perms are required too.
+	# - User has project manager permission in source project AND in target project: Allowed to move task
+	# - User has project manager permission in source project, but NOT in target project: Can send request to PUSH task to target project. A user with project manager permission of target project can accept the PUSH request.
+	# - User has NO project manager permission in source project, but in target project: Can send request to PULL task to target project. A user with project manager permission of source project can accept the PULL request.
+	# - User has calculated can_edit_task permission in source project AND (at least) newtask perm in target project: Can send a request to move task (similiar to 'close task please'-request) with the target project id, sure.
+
+	$move=0;
+	if($task['project_id'] != Post::val('project_id')) {
+		$toproject=new Project(Post::val('project_id'));
+		if($user->perms('modify_all_tasks', $toproject->id)){
+			$move=1;
+		} else{
+			$errors['invalidtargetproject']=1;
+		}
+	}
+
+	if($move==1){
+		# Check that a task is not moved to a different project than its
+		# possible parent or subtasks. Note that even closed tasks are
+		# included in the result, a task can be always reopened later.
+		$result = $db->query('
+			SELECT parent.task_id, parent.project_id FROM {tasks} p
+			JOIN {tasks} parent ON parent.task_id = p.supertask_id
+			WHERE p.task_id = ?
+			AND parent.project_id <> ?',
+			array( $task['task_id'], Post::val('project_id') )
+		);
+		$parentcheck = $db->fetchRow($result);
+		if ($parentcheck && $parentcheck['task_id']) {
+			if ($parentcheck['project_id'] != Post::val('project_id')) {
+				$errors['denymovehasparent']=L('denymovehasparent');
+			}
+		}
+
+		$result = $db->query('
+			SELECT sub.task_id, sub.project_id FROM {tasks} p
+			JOIN {tasks} sub ON p.task_id = sub.supertask_id
+			WHERE p.task_id = ?
+			AND sub.project_id <> ?',
+			array( $task['task_id'], Post::val('project_id') )
+		);
+		$subcheck = $db->fetchRow($result);
+
+		# if there are any subtasks, check that the project is not changed
+		if ($subcheck && $subcheck['task_id']) {
+			$errors['denymovehassub']=L('denymovehassub');
+		}
+	}
+
+	# summary form input fields, so user get notified what needs to be done right to be accepted
+        if (!Post::val('item_summary')) {
+		# description can be empty now
+		#Flyspray::show_error(L('summaryanddetails'));
+		#Flyspray::show_error(L('summaryrequired'));
+		$errors['summaryrequired']=L('summaryrequired');
+        }
+
+	# ids of severity and priority are (probably!) intentional fixed in Flyspray. 
+	if( isset($_POST['task_severity']) && (!is_numeric(Post::val('task_severity')) || Post::val('task_severity')>5 || Post::val('task_severity')<0 ) ){
+		$errors['invalidseverity']=1;
+	}
+	
+	# peterdd:temp fix to allow priority 6 again
+	# But I think about 1-5 valid (and 0 for unset) only in future to harmonize
+	# with other trackers/taskplaner software and for severity-priority graphs like
+	# https://en.wikipedia.org/wiki/Time_management#The_Eisenhower_Method
+	if( isset($_POST['task_priority']) && (!is_numeric(Post::val('task_priority')) || Post::val('task_priority')>6 || Post::val('task_priority')<0 ) ){
+		$errors['invalidpriority']=1;
+	}
+
+	if( isset($_POST['percent_complete']) && (!is_numeric(Post::val('percent_complete')) || Post::val('percent_complete')>100 || Post::val('percent_complete')<0 ) ){
+		$errors['invalidprogress']=1;
+	}
+
+	# Description for the following list values here when moving a task to a different project:
+	# - Do we use the old invalid values? (current behavior until 1.0-beta2, invalid id-values in database can be set, can result in php-'notices' or values arent shown on pages)
+	# - Or set to default value of the new project? And inform the user to adjust the task properties in the new project?
+	# - Or create a new tasktype for the new project, but:
+	#    - Has the user the permission to create a new tasktype for the new project?
+	#    - similiar named tasktypes exists?
+	#
+	# Maybe let's go with 2 steps when in this situation:
+	# When user want move task to other project, a second page shows the form again but:
+	# dropdown list forms show - maybe divided as optiongroups - :
+	# -global list values ()
+	# -current project list values
+	# -target project list values
+	# -option to create a new option based on current project value (if the user has the permission for the target project!)
+	# -option to set to default value in target project or unset value
+	# Also consider that not all list dropdown field may be shown to the user because of project settings (visible_fields)!
+	
+
+	# which $proj should we use here? $proj object is set in header.php by a request param before modify.inc.php is loaded, so it can differ from $task['project_id']!
+	if($move==1){
+		$statusarray=$toproject->listTaskStatuses();
+	} else{
+		$statusarray=$proj->listTaskStatuses();
+	}
+
+	# FIXME what if we move to different project, but the status_id is defined for the old project only (not global)?
+	# FIXME what if we move to different project and item_status selection is deactivated/not shown in edit task page?
+	if( isset($_POST['item_status']) && (!is_numeric(Post::val('item_status')) || false===Flyspray::array_find('status_id', Post::val('item_status'), $statusarray) ) ){
+		$errors['invalidstatus']=1;
+	}
+
+	if($move==1){
+		$typearray=$toproject->listTaskTypes();
+	} else{
+		$typearray=$proj->listTaskTypes();
+	}
+
+	# FIXME what if we move to different project, but tasktype_id is defined for the old project only (not global)?
+	# FIXME what if we move to different project and task_type selection is deactiveated/not shown in edit task page?
+	if( isset($_POST['task_type']) && (!is_numeric(Post::val('task_type')) || false===Flyspray::array_find('tasktype_id', Post::val('task_type'), $typearray) ) ){
+		$errors['invalidtasktype']=1;
+	}
+
+        # FIXME what if we move to different project and reportedver selection is deactivated/not shown in edit task page?
+        # FIXME what if we move to different project and reportedver is deactivated/not shown in edit task page?
+        # FIXME what if we move to different project and closedby_version selection is deactivated/not shown in edit task page?
+        # FIXME what if we move to different project and closedby_version is deactivated/not shown in edit task page?
+	if($move==1){
+		$versionarray=$toproject->listVersions();
+	} else{
+		$versionarray=$proj->listVersions();
+	}
+	if( isset($_POST['reportedver']) && (!is_numeric(Post::val('reportedver')) || ( $_POST['reportedver']!=='0' && false===Flyspray::array_find('version_id', Post::val('reportedver'), $versionarray)) ) ){
+		$errors['invalidreportedversion']=1;
+	}
+	if( isset($_POST['closedby_version']) && (!is_numeric(Post::val('closedby_version')) || ( $_POST['closedby_version']!=='0' && false===Flyspray::array_find('version_id', Post::val('closedby_version'), $versionarray)) ) ){
+		$errors['invaliddueversion']=1;
+	}
+
+	# FIXME what if we move to different project, but category_id is defined for the old project only (not global)?
+        # FIXME what if we move to different project and category selection is deactivated/not shown in edit task page?
+	if($move==1){
+		$catarray=$toproject->listCategories();
+	} else{
+		$catarray=$proj->listCategories();
+	}
+	if( isset($_POST['product_category']) && (!is_numeric(Post::val('product_category')) || false===Flyspray::array_find('category_id', Post::val('product_category'), $catarray) ) ){
+		$errors['invalidcategory']=1;
+	}
+
+	# FIXME what if we move to different project, but os_id is defined for the old project only (not global)?
+	# FIXME what if we move to different project and operating_system selection is deactivated/not shown in edit task page?
+	if($move==1){
+		$osarray=$toproject->listOs();
+	} else{
+		$osarray=$proj->listOs();
+	}
+	if( isset($_POST['operating_system']) && (!is_numeric(Post::val('operating_system')) || ( $_POST['operating_system']!=='0' && false===Flyspray::array_find('os_id', Post::val('operating_system'), $osarray)) ) ){
+		$errors['invalidos']=1;
+	}
+
+	if ($due_date = Post::val('due_date', 0)) {
+		$due_date = Flyspray::strtotime(Post::val('due_date'));
+	}
+
+        $estimated_effort = 0;
+        if (($estimated_effort = effort::editStringToSeconds(Post::val('estimated_effort'), $proj->prefs['hours_per_manday'], $proj->prefs['estimated_effort_format'])) === FALSE) {
+		$errors['invalideffort']=1;
+        }
+
+        $time = time();
+
+        $result = $db->query('SELECT * from {tasks} WHERE task_id = ?', array($task['task_id']));
+        $defaults = $db->fetchRow($result);
+        
+	if (!Post::has('due_date')) {
+		$due_date = $defaults['due_date'];
+	}
+
+	if (!Post::has('estimated_effort')) {
+		$estimated_effort = $defaults['estimated_effort'];
+	}
+
+
+	if(count($errors)>0){
+		# some invalid input by the user. Do not save the input and in the details-edit-template show the user where in the form the invalid values are.
+		$_SESSION['ERRORS']=$errors; # $_SESSION['ERROR'] is very limited, holds only one string and often just overwritten
+		$_SESSION['ERROR']=L('invalidinput'); 
+		# pro and contra http 303 redirect here:
+                # - good: browser back button works, browser history.
+                # -  bad: form inputs of user not preserved (at the moment). Annoying if user wrote a long description and then the form submit gets denied because of other reasons.
+                #Flyspray::redirect(createURL('edittask', $task['task_id']));
+		break;
+	}
+
+	# FIXME/TODO: If a user has only 'edit own task edit' permission and task remains in the same project,
+	# but there are not all fields visible/editable so the browser do not send that values with the form,
+	# the sql update query should not touch that fields. And it should not overwrite the field with the default value in this case.
+	# So this update query should be build dynamic (And for the future: when 'custom fields' are implemented ..)
+	# Alternative: Read task field values before update query.
+	# And we should check too what task fields the 'edit own task only'-user is allowed to change.
+	# (E.g ignore form fields the user is not allowed to change. Currently hardcoded in template..)
+
+/*
+	# Dynamic creation of the UPDATE query required
+	# First step: Settings which task fields can be changed by 'permission level': Based on situation found in FS 1.0-rc1 'status quo' in backend::create_task() and CleanFS/templates/template details.edit.tpl
+	#$basicfields[]=array('item_summary','detailed_desc', 'task_type', 'product_category', 'operating_system', 'task_severity', 'percent_complete', 'product_version', 'estimated_effort'); # modify_own_tasks, anon_open
+	$basicfields=$proj->prefs['basic_fields'];
+
+	# peterdd: just saved a bit work in progress for future dynamic sql update string
+	$sqlup='';
+	foreach($basicfields as $bf){
+		$sqlup.=' '.$bf.' = ?,';
+		$sqlparam[]= Post::val($bf, $oldvals[$bf]);
+	}
+	$sqlup.=' last_edited_by = ?,';
+	$sqlparam[]= $user->id;
+	$sqlup.=' last_edited_time = ?,';
+	$sqlparam[]= $time;
+
+	$devfields[]=array('task_priority', 'due_date', 'item_status', 'closedby_version'); # modify_all_tasks
+	$managerfields[]=array('project_id','mark_private'); # manage_project
+	#$customfields[]=array(); # Flyspray 1.? future: perms depend of each custom field setting in a project..
+
+	$sqlparam[]=$task['task_id'];
+	$sqlupdate='UPDATE {tasks} SET '.$sqlup.' WHERE task_id = ?';
+
+	echo '<pre>';print_r($sqlupdate);print_r($sqlparam);die();
+	$db->query($sqlupdate, $sqlparam);
+*/
+
+	$detailed_desc = Post::val('detailed_desc', $defaults['detailed_desc']);
+
+	# dokuwiki syntax plugin filters on output
+	if($conf['general']['syntax_plugin'] != 'dokuwiki'){
+		$purifierconfig = HTMLPurifier_Config::createDefault();
+		$purifier = new HTMLPurifier($purifierconfig);
+		$detailed_desc = $purifier->purify($detailed_desc);
+	}
+		
+	$db->query('UPDATE {tasks}
+		SET
+		project_id = ?,
+		task_type = ?,
+		item_summary = ?,
+		detailed_desc = ?,
+		item_status = ?,
+		mark_private = ?,
+		product_category = ?,
+		closedby_version = ?,
+		operating_system = ?,
+		task_severity = ?,
+		task_priority = ?,
+		last_edited_by = ?,
+		last_edited_time = ?,
+		due_date = ?,
+		percent_complete = ?,
+		product_version = ?,
+		estimated_effort = ?
+		WHERE task_id = ?',
+		array(
+			Post::val('project_id', $defaults['project_id']),
+			Post::val('task_type', $defaults['task_type']),
+			Post::val('item_summary', $defaults['item_summary']),
+			$detailed_desc,
+			Post::val('item_status', $defaults['item_status']),
+			intval($user->can_change_private($task) && Post::val('mark_private', $defaults['mark_private'])),
+			Post::val('product_category', $defaults['product_category']),
+			Post::val('closedby_version', $defaults['closedby_version']),
+			Post::val('operating_system', $defaults['operating_system']),
+			Post::val('task_severity', $defaults['task_severity']),
+			Post::val('task_priority', $defaults['task_priority']),
+			intval($user->id), $time, intval($due_date),
+			Post::val('percent_complete', $defaults['percent_complete']),
+			Post::val('reportedver', $defaults['product_version']),
+			intval($estimated_effort),
+			$task['task_id']
+		)
+	);
+
+        // Update the list of users assigned this task
+        $assignees = (array) Post::val('rassigned_to');
+        $assignees_changed = count(array_diff($task['assigned_to'], $assignees)) + count(array_diff($assignees, $task['assigned_to']));
+        if ($user->perms('edit_assignments') && $assignees_changed) {
+
+            // Delete the current assignees for this task
+            $db->query('DELETE FROM {assigned}
+                              WHERE task_id = ?',
+            array($task['task_id']));
+
+            // Convert assigned_to and store them in the 'assigned' table
+            foreach ((array) Post::val('rassigned_to') as $key => $val)
+            {
+                $db->replace('{assigned}', array('user_id'=> $val, 'task_id'=> $task['task_id']), array('user_id','task_id'));
+            }
+        }
+
+	# FIXME what if we move to different project, but tag(s) is/are defined for the old project only (not global)?
+	# FIXME what if we move to different project and tag input field is deactivated/not shown in edit task page?
+	#   - Create new tag(s) in target project if user has permission to create new tags but what with the users who have not the permission?
+	# update tags
+	$tagList = explode(';', Post::val('tags'));  
+	$tagList = array_map('strip_tags', $tagList);
+	$tagList = array_map('trim', $tagList);
+	$tagList = array_unique($tagList); # avoid duplicates for inputs like: "tag1;tag1" or "tag1; tag1<p></p>"
+	$storedtags=array();
+	foreach($task['tags'] as $temptag){
+		$storedtags[]=$temptag['tag'];
+	}
+	$tags_changed = count(array_diff($storedtags, $tagList)) + count(array_diff($tagList, $storedtags));
+
+	if($tags_changed){
+		// Delete the current assigned tags for this task
+		$db->query('DELETE FROM {task_tag} WHERE task_id = ?',  array($task['task_id']));
+		foreach ($tagList as $tag){
+			if ($tag == ''){
+				continue;
+			}
+			# size of {list_tag}.tag_name, see flyspray-install.xml
+			if(mb_strlen($tag) > 40){
+				# report that softerror
+				$errors['tagtoolong']=1;
+				continue;
+			}
+
+			$res=$db->query("SELECT tag_id FROM {list_tag} WHERE (project_id=0 OR project_id=?) AND tag_name LIKE ? ORDER BY project_id", array($proj->id,$tag) );
+			if($t=$db->fetchRow($res)){  
+				$tag_id=$t['tag_id'];
+			} else{
+				if( $proj->prefs['freetagging']==1){   
+					# add to taglist of the project
+					$db->query("INSERT INTO {list_tag} (project_id,tag_name) VALUES (?,?)", array($proj->id,$tag));
+					$tag_id=$db->insert_ID();
+				} else{
+					continue;
+				}
+			};
+			$db->query("INSERT INTO {task_tag}(task_id,tag_id) VALUES(?,?)", array($task['task_id'], $tag_id) );
+		}
+	}
+
+        // Get the details of the task we just updated
+        // To generate the changed-task message
+        $new_details_full = Flyspray::getTaskDetails($task['task_id']);
+        // Not very nice...maybe combine compare_tasks() and logEvent() ?
+        $result = $db->query("SELECT * FROM {tasks} WHERE task_id = ?",
+                             array($task['task_id']));
+        $new_details = $db->fetchRow($result);
+
+        foreach ($new_details as $key => $val) {
+            if (strstr($key, 'last_edited_') || $key == 'assigned_to' || is_numeric($key)) {
+                continue;
+            }
+
+            if ($val != $task[$key]) {
+                // Log the changed fields in the task history
+                Flyspray::logEvent($task['task_id'], 3, $val, $task[$key], $key, $time);
+            }
+        }
+
+        $changes = Flyspray::compare_tasks($task, $new_details_full);
+        if (count($changes) > 0) {
+            $notify->create(NOTIFY_TASK_CHANGED, $task['task_id'], $changes, null, NOTIFY_BOTH, $proj->prefs['lang_code']);
+        }
+
+        if ($assignees_changed) {
+            // Log to task history
+            Flyspray::logEvent($task['task_id'], 14, implode(' ', $assignees), implode(' ', $task['assigned_to']), '', $time);
+
+            // Notify the new assignees what happened.  This obviously won't happen if the task is now assigned to no-one.
+            if (count($assignees)) {
+                $new_assignees = array_diff($task['assigned_to'], $assignees);
+                // Remove current user from notification list
+                if (!$user->infos['notify_own']) {
+                    $new_assignees = array_filter($new_assignees, function($u) use($user) { return $user->id != $u; } );
+                }
+                if(count($new_assignees)) {
+                    $notify->create(NOTIFY_NEW_ASSIGNEE, $task['task_id'], null, $notify->specificAddresses($new_assignees), NOTIFY_BOTH, $proj->prefs['lang_code']);
+                }
+            }
+        }
+
+        Backend::add_comment($task, Post::val('comment_text'), $time);
+        Backend::delete_files(Post::val('delete_att'));
+        Backend::upload_files($task['task_id'], '0', 'usertaskfile');
+        Backend::delete_links(Post::val('delete_link'));
+        Backend::upload_links($task['task_id'], '0', 'userlink');
+
+		$_SESSION['SUCCESS'] = L('taskupdated');
+		# report minor/soft errors too that does not hindered saving task
+		if(count($errors)>0){
+			$_SESSION['ERRORS']=$errors;
+		}
+		Flyspray::redirect(createURL('details', $task['task_id']));
+		break;
+
+        // ##################
+        // closing a task
+        // ##################
+    case 'details.close':
+        if (!$user->can_close_task($task)) {
+            break;
+        }
+
+        if ($task['is_closed']) {
+            break;
+        }
+
+        if (!Post::val('resolution_reason')) {
+            Flyspray::show_error(L('noclosereason'));
+            break;
+        }
+
+        Backend::close_task($task['task_id'], Post::val('resolution_reason'), Post::val('closure_comment', ''), Post::val('mark100', false));
+
+        $_SESSION['SUCCESS'] = L('taskclosedmsg');
+        # FIXME there are several pages using this form, details and pendingreq at least
+        #Flyspray::redirect(createURL('details', $task['task_id']));
+        break;
+
+    case 'details.associatesubtask':
+	if ( $task['task_id'] == Post::num('associate_subtask_id')) {
+            Flyspray::show_error(L('selfsupertasknotallowed'));
+            break;
+        }	
+        $sql = $db->query('SELECT supertask_id, project_id FROM {tasks} WHERE task_id = ?',
+            array(Post::num('associate_subtask_id')));
+
+        $suptask = $db->fetchRow($sql);
+
+        // check to see if the subtask exists.
+        if (!$suptask) {
+            Flyspray::show_error(L('subtasknotexist'));
+            break;
+        }
+
+        // if the user has not the permission to view all tasks, check if the task
+        // is in tasks allowed to see, otherwise tell that the task does not exist.
+        if (!$user->perms('view_tasks')) {
+            $taskcheck = Flyspray::getTaskDetails(Post::num('associate_subtask_id'));
+            if (!$user->can_view_task($taskcheck)) {
+                Flyspray::show_error(L('subtasknotexist'));
+                break;
+            }
+        }
+
+        // check to see if associated subtask is already the parent of this task
+        if ($suptask['supertask_id'] == Post::num('associate_subtask_id')) {
+            Flyspray::show_error(L('subtaskisparent'));
+            break;
+        }
+
+        // check to see if associated subtask already has a parent task
+        if ($suptask['supertask_id']) {
+            Flyspray::show_error(L('subtaskalreadyhasparent'));
+            break;
+        }
+
+        // check to see that both tasks belong to the same project
+        if ($task['project_id'] != $suptask['project_id']) {
+            Flyspray::show_error(L('musthavesameproject'));
+            break;
+        }
+
+        //associate the subtask
+        $db->query('UPDATE {tasks} SET supertask_id=? WHERE task_id=?',array( $task['task_id'], Post::num('associate_subtask_id')));
+        Flyspray::logEvent($task['task_id'], 32, Post::num('associate_subtask_id'));
+        Flyspray::logEvent(Post::num('associate_subtask_id'), 34, $task['task_id']);
+
+        $_SESSION['SUCCESS'] = sprintf( L('associatedsubtask'), Post::num('associate_subtask_id') );
+        break;
+
+
+    case 'reopen':
+        // ##################
+        // re-opening an task
+        // ##################
+        if (!$user->can_close_task($task)) {
+            break;
+        }
+
+        // Get last %
+        $old_percent = $db->query("SELECT old_value, new_value
+                                     FROM {history}
+                                    WHERE field_changed = 'percent_complete'
+                                          AND task_id = ? AND old_value != '100'
+                                 ORDER BY event_date DESC
+                                    LIMIT 1",
+        array($task['task_id']));
+        $old_percent = $db->fetchRow($old_percent);
+
+        $db->query("UPDATE  {tasks}
+                       SET  resolution_reason = 0, closure_comment = '', date_closed = 0,
+                            last_edited_time = ?, last_edited_by = ?, is_closed = 0, percent_complete = ?
+                     WHERE  task_id = ?",
+        array(time(), $user->id, intval($old_percent['old_value']), $task['task_id']));
+
+        Flyspray::logEvent($task['task_id'], 3, $old_percent['old_value'], $old_percent['new_value'], 'percent_complete');
+
+        $notify->create(NOTIFY_TASK_REOPENED, $task['task_id'], null, null, NOTIFY_BOTH, $proj->prefs['lang_code']);
+
+        // add comment of PM request to comment page if accepted
+        $sql = $db->query('SELECT * FROM {admin_requests} WHERE  task_id = ? AND request_type = ? AND resolved_by = 0',
+                              array($task['task_id'], 2));
+        $request = $db->fetchRow($sql);
+        if ($request) {
+            $db->query('INSERT INTO  {comments}
+                                     (task_id, date_added, last_edited_time, user_id, comment_text)
+                             VALUES  ( ?, ?, ?, ?, ? )',
+            array($task['task_id'], time(), time(), $request['submitted_by'], $request['reason_given']));
+            // delete existing PM request
+            $db->query('UPDATE  {admin_requests}
+                           SET  resolved_by = ?, time_resolved = ?
+                         WHERE  request_id = ?',
+            array($user->id, time(), $request['request_id']));
+        }
+
+        Flyspray::logEvent($task['task_id'], 13);
+
+        $_SESSION['SUCCESS'] = L('taskreopenedmsg');
+	# FIXME there are several pages using this form, details and pendingreq at least
+	#Flyspray::redirect(createURL('details', $task['task_id']));
+        break;
+
+        // ##################
+        // adding a comment
+        // ##################
+    case 'details.addcomment':
+        if (!Backend::add_comment($task, Post::val('comment_text'))) {
+            Flyspray::show_error(L('nocommententered'));
+            break;
+        }
+
+        if (Post::val('notifyme') == '1') {
+            // If the user wanted to watch this task for changes
+            Backend::add_notification($user->id, $task['task_id']);
+        }
+
+	$_SESSION['SUCCESS'] = L('commentaddedmsg');
+	Flyspray::redirect(createURL('details', $task['task_id']));
+	break;
+
+        // ##################
+        // Tracking
+        // ##################
+    case 'details.efforttracking':
+
+        require_once BASEDIR . '/includes/class.effort.php';
+        $effort = new effort($task['task_id'],$user->id);
+
+
+        if(Post::val('start_tracking')){
+            if($effort->startTracking())
+            {
+                $_SESSION['SUCCESS'] = L('efforttrackingstarted');
+            }
+            else
+            {
+                $_SESSION['ERROR'] = L('efforttrackingnotstarted');
+            }
+        }
+
+        if(Post::val('stop_tracking')){
+            $effort->stopTracking();
+            $_SESSION['SUCCESS'] = L('efforttrackingstopped');
+        }
+
+        if(Post::val('cancel_tracking')){
+            $effort->cancelTracking();
+            $_SESSION['SUCCESS'] = L('efforttrackingcancelled');
+        }
+
+	if(Post::val('manual_effort')){
+		if($effort->addEffort(Post::val('effort_to_add'), $proj)){
+			$_SESSION['SUCCESS'] = L('efforttrackingadded');
+		}
+	}
+        
+        Flyspray::redirect(createURL('details', $task['task_id']).'#effort');
+        break;
+
+        // ##################
+        // sending a new user a confirmation code
+        // ##################
+    case 'register.sendcode':
+        if (!$user->can_register()) {
+            break;
+        }
+
+		$captchaerrors=array();
+		if($fs->prefs['captcha_securimage']){
+			$image = new Securimage(); 
+			if( !Post::isAlnum('captcha_code') || !$image->check(Post::val('captcha_code'))) {
+				$captchaerrors['invalidsecurimage']=1;
+			}
+		}
+
+		if($fs->prefs['captcha_recaptcha']){
+			require_once('class.recaptcha.php');
+			if( !recaptcha::verify()) {
+				$captchaerrors['invalidrecaptcha']=1;
+			}
+		}
+
+		if(count($captchaerrors)){
+			$_SESSION['ERRORS']=$captchaerrors;
+			Flyspray::show_error(L('captchaerror'));
+			break;
+		}
+
+        if (!Post::val('user_name') || !Post::val('real_name')
+            || !Post::val('email_address'))
+        {
+            // If the form wasn't filled out correctly, show an error
+            Flyspray::show_error(L('registererror'));
+            break;
+        }
+
+        if ($fs->prefs['repeat_emailaddress'] && Post::val('email_address') != Post::val('verify_email_address'))
+        {
+            Flyspray::show_error(L('emailverificationwrong'));
+            break;
+        }
+
+        $email =  strtolower(Post::val('email_address'));
+        $jabber_id = strtolower(Post::val('jabber_id'));
+
+        //email is mandatory
+        if (!$email || !Flyspray::check_email($email)) {
+            Flyspray::show_error(L('novalidemail'));
+            break;
+        }
+        //jabber_id is optional
+        if ($jabber_id && !Jabber::check_jid($jabber_id)) {
+            Flyspray::show_error(L('novalidjabber'));
+            break;
+        }
+
+        $user_name = Backend::clean_username(Post::val('user_name'));
+
+        // Limit length
+        $real_name = substr(trim(Post::val('real_name')), 0, 100);
+        // Remove doubled up spaces and control chars
+        $real_name = preg_replace('![\x00-\x1f\s]+!u', ' ', $real_name);
+
+        if (!$user_name || empty($user_name) || !$real_name) {
+            Flyspray::show_error(L('entervalidusername'));
+            break;
+        }
+
+        // Delete registration codes older than 24 hours
+        $yesterday = time() - 86400;
+        $db->query('DELETE FROM {registrations} WHERE reg_time < ?', array($yesterday));
+
+        $sql = $db->query('SELECT COUNT(*) FROM {users} u, {registrations} r
+                           WHERE  u.user_name = ? OR r.user_name = ?',
+        array($user_name, $user_name));
+        if ($db->fetchOne($sql)) {
+            Flyspray::show_error(L('usernametaken'));
+            break;
+        }
+
+        $sql = $db->query("SELECT COUNT(*) FROM {users} WHERE
+                           jabber_id = ? AND jabber_id != ''
+                           OR email_address = ? AND email_address != ''",
+        array($jabber_id, $email));
+        if ($db->fetchOne($sql)) {
+            Flyspray::show_error(L('emailtaken'));
+            break;
+        }
+
+        // Generate a random bunch of numbers for the confirmation code and the confirmation url
+
+        foreach(array('randval','magic_url') as $genrandom) {
+
+            $$genrandom = md5(function_exists('openssl_random_pseudo_bytes') ?
+                              openssl_random_pseudo_bytes(32) :
+                              uniqid(mt_rand(), true));
+        }
+
+        $confirm_code = substr($randval, 0, 20);
+
+        // echo "<pre>Am I here?</pre>";
+        // send the email first
+        $userconfirmation = array();
+        $userconfirmation[$email] = array('recipient' => $email, 'lang' => $fs->prefs['lang_code']);
+        $recipients = array($userconfirmation);
+        if($notify->create(NOTIFY_CONFIRMATION, null, array($baseurl, $magic_url, $user_name, $confirm_code),
+            $recipients,
+            NOTIFY_EMAIL)) {
+
+            //email sent succefully, now update the database.
+            $reg_values = array(time(), $confirm_code, $user_name, $real_name,
+                        $email, $jabber_id,
+                        Post::num('notify_type'), $magic_url, Post::num('time_zone'));
+            // Insert everything into the database
+            $query = $db->query("INSERT INTO  {registrations}
+                                 ( reg_time, confirm_code, user_name, real_name,
+                                   email_address, jabber_id, notify_type,
+                                   magic_url, time_zone )
+                         VALUES ( " . $db->fill_placeholders($reg_values) . ' )', $reg_values);
+
+            if ($query) {
+                $_SESSION['SUCCESS'] = L('codesent');
+                Flyspray::redirect($baseurl);
+            }
+
+        } else {
+            Flyspray::show_error(L('codenotsent'));
+            break;
+        }
+
+        break;
+
+        // ##################
+        // new user self-registration with a confirmation code
+        // ##################
+    case 'register.registeruser':
+        if (!$user->can_register()) {
+            break;
+        }
+
+        if (!Post::val('user_pass') || !Post::val('confirmation_code')) {
+            Flyspray::show_error(L('formnotcomplete'));
+            break;
+        }
+
+	if (strlen(Post::val('user_pass')) < MIN_PW_LENGTH) {
+            Flyspray::show_error(L('passwordtoosmall'));
+            break;
+        }
+
+        if ( $fs->prefs['repeat_password'] && Post::val('user_pass') != Post::val('user_pass2')) {
+            Flyspray::show_error(L('nomatchpass'));
+            break;
+        }
+
+        // Check that the user entered the right confirmation code
+        $sql = $db->query("SELECT * FROM {registrations} WHERE magic_url = ?",
+                array(Post::val('magic_url')));
+        $reg_details = $db->fetchRow($sql);
+
+        if ($reg_details['confirm_code'] != trim(Post::val('confirmation_code'))) {
+            Flyspray::show_error(L('confirmwrong'));
+            break;
+        }
+
+        $profile_image = 'profile_image';
+        $image_path = '';
+
+        if(isset($_FILES[$profile_image])) {
+            if(!empty($_FILES[$profile_image]['name'])) {
+                $allowed = array('jpg', 'jpeg', 'gif', 'png');
+
+                $image_name = $_FILES[$profile_image]['name'];
+                $explode = explode('.', $image_name);
+                $image_extn = strtolower(end($explode));
+                $image_temp = $_FILES[$profile_image]['tmp_name'];
+
+                if(in_array($image_extn, $allowed)) {
+                    $avatar_name = substr(md5(time()), 0, 10).'.'.$image_extn;
+                    $image_path = BASEDIR.'/avatars/'.$avatar_name;
+                    move_uploaded_file($image_temp, $image_path);
+                	resizeImage($avatar_name, $fs->prefs['max_avatar_size'], $fs->prefs['max_avatar_size']);
+                } else {
+                    Flyspray::show_error(L('incorrectfiletype'));
+                    break;
+                }
+            }
+        }
+
+        $enabled = 1;
+        if (!Backend::create_user($reg_details['user_name'],
+                Post::val('user_pass'),
+                $reg_details['real_name'],
+                $reg_details['jabber_id'],
+                $reg_details['email_address'],
+                $reg_details['notify_type'], $reg_details['time_zone'], $fs->prefs['anon_group'], $enabled ,'', '', $image_path)) {
+            Flyspray::show_error(L('usernametaken'));
+            break;
+        }
+
+        $db->query('DELETE FROM {registrations} WHERE magic_url = ? AND confirm_code = ?',
+                   array(Post::val('magic_url'), Post::val('confirmation_code')));
+
+
+        $_SESSION['SUCCESS'] = L('accountcreated');
+        // If everything is ok, add here a notify to both administrators and the user.
+        // Otherwise, explain what wen wrong.
+        
+        define('NO_DO', true);
+        break;
+
+        // ##################
+        // new user self-registration without a confirmation code
+        // ##################
+    case 'register.newuser':
+    case 'admin.newuser':
+        if (!($user->perms('is_admin') || $user->can_self_register())) {
+            break;
+        }
+
+		$captchaerrors=array();
+		if( !($user->perms('is_admin')) && $fs->prefs['captcha_securimage']) {
+			$image = new Securimage(); 
+			if( !Post::isAlnum('captcha_code') || !$image->check(Post::val('captcha_code'))) {
+				$captchaerrors['invalidsecurimage']=1;
+			}
+		}
+		
+		if( !($user->perms('is_admin')) && $fs->prefs['captcha_recaptcha']){
+			require_once('class.recaptcha.php');
+			if( !recaptcha::verify()) {
+				$captchaerrors['invalidrecaptcha']=1;
+			}
+		}
+		
+		# if both captchatypes are configured, maybe show the user which one or both failed.
+		if(count($captchaerrors)){
+			$_SESSION['ERRORS']=$captchaerrors;
+			Flyspray::show_error(L('captchaerror'));
+			break;
+		}
+
+        if (!Post::val('user_name') || !Post::val('real_name') || !Post::val('email_address'))
+        {
+            // If the form wasn't filled out correctly, show an error
+            Flyspray::show_error(L('registererror'));
+            break;
+        }
+
+	// Check email format
+        if (!Post::val('email_address') || !Flyspray::check_email(Post::val('email_address')))
+        {
+            Flyspray::show_error(L('novalidemail'));
+            break;
+        }
+		
+        if ( $fs->prefs['repeat_emailaddress'] && Post::val('email_address') != Post::val('verify_email_address'))
+        {
+            Flyspray::show_error(L('emailverificationwrong'));
+            break;
+        }
+
+        if (strlen(Post::val('user_pass')) && (strlen(Post::val('user_pass')) < MIN_PW_LENGTH)) {
+            Flyspray::show_error(L('passwordtoosmall'));
+            break;
+        }
+		
+	if ( $fs->prefs['repeat_password'] && Post::val('user_pass') != Post::val('user_pass2')) {
+            Flyspray::show_error(L('nomatchpass'));
+            break;
+        }
+
+        if ($user->perms('is_admin')) {
+            $group_in = Post::val('group_in');
+        } else {
+            $group_in = $fs->prefs['anon_group'];
+        }
+
+        if(!$user->perms('is_admin')) {
+
+            $sql = $db->query("SELECT COUNT(*) FROM {users} WHERE
+                           jabber_id = ? AND jabber_id != ''
+                           OR email_address = ? AND email_address != ''",
+            array(Post::val('jabber_id'), Post::val('email_address')));
+
+            if ($db->fetchOne($sql)) {
+                Flyspray::show_error(L('emailtaken'));
+                break;
+            }
+        }
+
+        $enabled = 1;
+        if($user->need_admin_approval()) $enabled = 0;
+
+        $profile_image = 'profile_image';
+        $image_path = '';
+
+        if(isset($_FILES[$profile_image])) {
+            if(!empty($_FILES[$profile_image]['name'])) {
+                $allowed = array('jpg', 'jpeg', 'gif', 'png');
+
+                $image_name = $_FILES[$profile_image]['name'];
+                $explode = explode('.', $image_name);
+                $image_extn = strtolower(end($explode));
+                $image_temp = $_FILES[$profile_image]['tmp_name'];
+
+                if(in_array($image_extn, $allowed)) {
+                    $avatar_name = substr(md5(time()), 0, 10).'.'.$image_extn;
+                    $image_path = BASEDIR.'/avatars/'.$avatar_name;
+                    move_uploaded_file($image_temp, $image_path);
+                	resizeImage($avatar_name, $fs->prefs['max_avatar_size'], $fs->prefs['max_avatar_size']);
+                } else {
+                    Flyspray::show_error(L('incorrectfiletype'));
+                    break;
+                }
+            }
+        }
+
+        if (!Backend::create_user(Post::val('user_name'), Post::val('user_pass'),
+            Post::val('real_name'), Post::val('jabber_id'),
+            Post::val('email_address'), Post::num('notify_type'),
+            Post::num('time_zone'), $group_in, $enabled, '', '', $image_path)) {
+            Flyspray::show_error(L('usernametaken'));
+            break;
+        }
+
+        $_SESSION['SUCCESS'] = L('newusercreated');
+
+        if (!$user->perms('is_admin')) {
+            define('NO_DO', true);
+        }
+        break;
+
+
+        // ##################
+        // Admin based bulk registration of users
+        // ##################
+    case 'register.newuserbulk':
+    case 'admin.newuserbulk':
+        if (!($user->perms('is_admin')))
+            break;
+
+        $group_in = Post::val('group_in');
+        $error = '';
+        $success = '';
+        $noUsers = true;
+
+        // For each user in post, add them
+        for ($i = 0 ; $i < 10 ; $i++)
+        {
+            $user_name     = Post::val('user_name' . $i);
+            $real_name     = Post::val('real_name' . $i);
+            $email_address = Post::val('email_address' . $i);
+
+
+            if( $user_name == '' || $real_name == '' || $email_address == '')
+                continue;
+            else
+                $noUsers = false;
+
+            $enabled = 1;
+
+            // Avoid dups
+            $sql = $db->query("SELECT COUNT(*) FROM {users} WHERE email_address = ?",
+                              array($email_address));
+
+            if ($db->fetchOne($sql))
+            {
+                $error .= "\n" . L('emailtakenbulk') . ": $email_address\n";
+                continue;
+            }
+
+            if (!Backend::create_user($user_name, Post::val('user_pass'),
+                $real_name, '',
+                $email_address,
+                Post::num('notify_type'),
+                Post::num('time_zone'), $group_in, $enabled, '', '', ''))
+            {
+                $error .= "\n" . L('usernametakenbulk') .": $user_name\n";
+                continue;
+            }
+            else
+                $success .= ' '.$user_name.' ';
+        }
+
+        if ($error != '')
+            Flyspray::show_error($error);
+        else if ( $noUsers == true)
+            Flyspray::show_error(L('nouserstoadd'));
+        else
+        {
+            $_SESSION['SUCCESS'] = L('created').$success;
+            if (!$user->perms('is_admin')) {
+                define('NO_DO', true);
+            }
+        }
+        break;
+
+
+        // ##################
+        // Bulk User Edit Form
+        // ##################
+    case 'admin.editallusers':
+
+        if (!($user->perms('is_admin'))) {
+            break;
+        }
+
+	$userids = Post::val('checkedUsers');
+
+	if(!is_array($userids)){
+		break;
+	}
+
+	$users=array();
+
+	foreach ($userids as $uid) {
+		if( ctype_digit($uid) ) {
+			if( $user->id == $uid ){
+				Flyspray::show_error(L('nosuicide'));
+			} else{
+				$users[]=$uid;
+			}
+		} else{
+			Flyspray::show_error(L('invalidinput'));
+			break 2;
+		}
+	}
+
+  	if (count($users) == 0){
+            Flyspray::show_error(L('nouserselected'));
+            break;
+        }
+
+        // Make array of users to modify
+        $ids = "(" . $users[0];
+        for ($i = 1 ; $i < count($users) ; $i++)
+        {
+            $ids .= ", " . $users[$i];
+        }
+        $ids .= ")";
+
+        // Grab the action
+        if (isset($_POST['enable']))
+        {
+            $sql = $db->query("UPDATE {users} SET account_enabled = 1 WHERE user_id IN $ids");
+        }
+        else if (isset($_POST['disable']))
+        {
+            $sql = $db->query("UPDATE {users} SET account_enabled = 0 WHERE user_id IN $ids");
+        }
+        else if (isset($_POST['delete']))
+        {
+            //$sql = $db->query("DELETE FROM {users} WHERE user_id IN $ids");
+            foreach ($users as $uid) {
+                Backend::delete_user($uid);
+            }
+        }
+
+        // Show success message and exit
+        $_SESSION['SUCCESS'] = L('usersupdated');
+        break;
+
+
+
+        // ##################
+        //  adding a new group
+        // ##################
+    case 'pm.newgroup':
+    case 'admin.newgroup':
+        if (!$user->perms('manage_project')) {
+            break;
+        }
+
+        if (!Post::val('group_name')) {
+            Flyspray::show_error(L('groupanddesc'));
+            break;
+        } else {
+            // Check to see if the group name is available
+            $sql = $db->query("SELECT  COUNT(*)
+                                 FROM  {groups}
+                                WHERE  group_name = ? AND project_id = ?",
+            array(Post::val('group_name'), $proj->id));
+
+            if ($db->fetchOne($sql)) {
+                Flyspray::show_error(L('groupnametaken'));
+                break;
+            } else {
+                $cols = array('group_name', 'group_desc', 'manage_project', 'edit_own_comments',
+                        'view_tasks', 'open_new_tasks', 'modify_own_tasks', 'add_votes',
+                        'modify_all_tasks', 'view_comments', 'add_comments', 'edit_assignments',
+                        'edit_comments', 'delete_comments', 'create_attachments',
+                        'delete_attachments', 'view_history', 'close_own_tasks',
+                        'close_other_tasks', 'assign_to_self', 'show_as_assignees',
+                        'assign_others_to_self', 'add_to_assignees', 'view_reports', 'group_open',
+                        'view_estimated_effort', 'track_effort', 'view_current_effort_done',
+                        'add_multiple_tasks', 'view_roadmap', 'view_own_tasks', 'view_groups_tasks');
+
+                $params = array_map('Post_to0',$cols);
+                array_unshift($params, $proj->id);
+
+                $db->query("INSERT INTO  {groups} (project_id, ". join(',', $cols).")
+                                 VALUES  (". $db->fill_placeholders($cols, 1) . ')', $params);
+
+                $_SESSION['SUCCESS'] = L('newgroupadded');
+            }
+        }
+
+        break;
+
+        // ##################
+        //  Update the global application preferences
+        // ##################
+    case 'globaloptions':
+        if (!$user->perms('is_admin')) {
+            break;
+        }
+
+		$errors=array();
+		
+		$settings = array('jabber_server', 'jabber_port', 'jabber_username', 'notify_registration',
+		'jabber_password', 'anon_group', 'user_notify', 'admin_email', 'email_ssl', 'email_tls',
+		'lang_code', 'gravatars', 'hide_emails', 'spam_proof', 'default_project', 'default_entry',
+		'dateformat','dateformat_extended',
+		'jabber_ssl', 'anon_reg', 'global_theme', 'smtp_server', 'page_title',
+		'smtp_user', 'smtp_pass', 'funky_urls', 'reminder_daemon','cache_feeds', 'intro_message',
+		'disable_lostpw','disable_changepw','days_before_alert', 'emailNoHTML', 'need_approval', 'pages_welcome_msg',
+		'active_oauths', 'only_oauth_reg', 'enable_avatars', 'max_avatar_size', 'default_order_by',
+		'max_vote_per_day', 'votes_per_project', 'url_rewriting',
+		'custom_style', 'general_integration', 'footer_integration',
+		'repeat_password', 'repeat_emailaddress', 'massops');
+
+		if(!isset($fs->prefs['massops'])){
+			$db->query("INSERT INTO {prefs} (pref_name,pref_value) VALUES('massops',0)");
+                }
+		
+		# candid for a plugin, so separate them for the future.
+		$settings[]='captcha_securimage';
+		if(!isset($fs->prefs['captcha_securimage'])){
+			$db->query("INSERT INTO {prefs} (pref_name,pref_value) VALUES('captcha_securimage',0)");
+		}
+
+		# candid for a plugin
+		$settings[]='captcha_recaptcha';
+		$settings[]='captcha_recaptcha_sitekey';
+		$settings[]='captcha_recaptcha_secret';
+		if(!isset($fs->prefs['captcha_recaptcha'])){
+			$db->query("INSERT INTO {prefs} (pref_name,pref_value) VALUES('captcha_recaptcha',0),('captcha_recaptcha_sitekey',''),('captcha_recaptcha_secret','')");
+		}
+
+        if(Post::val('need_approval') == '1' && Post::val('spam_proof')){
+            unset($_POST['spam_proof']); // if self register request admin to approve, disable spam_proof
+        	// if you think different, modify functions in class.user.php directing different regiser tpl
+        }
+	if (Post::val('url_rewriting') == '1' && !$fs->prefs['url_rewriting']) {
+		# Setenv can't be used to set the env variable in .htaccess, because apache module setenv is often disabled on hostings and brings server error 500.
+		# First check if htaccess is turned on
+		#if (!array_key_exists('HTTP_HTACCESS_ENABLED', $_SERVER)) {
+		#	Flyspray::show_error(L('enablehtaccess'));
+		#	break;
+		#}
+		
+		# Make sure mod_rewrite is enabled by checking a env var defined as HTTP_MOD_REWRITE in the .htaccess .
+		# It is possible to be converted to REDIRECT_HTTP_MOD_REWRITE . It's sound weired, but that's the case here.
+		if ( !array_key_exists('HTTP_MOD_REWRITE', $_SERVER) && !array_key_exists('REDIRECT_HTTP_MOD_REWRITE' , $_SERVER) ) {
+			#print_r($_SERVER);die();
+			Flyspray::show_error(L('nomodrewrite'));
+			break;
+		}
+	}
+
+	if( substr(Post::val('custom_style'), -4) != '.css'){
+		$_POST['custom_style']='';
+	}
+
+	# TODO validation
+	if( Post::val('default_order_by2') !='' && Post::val('default_order_by2') !='n'){
+		$_POST['default_order_by']=$_POST['default_order_by'].' '.$_POST['default_order_by_dir'].', '.$_POST['default_order_by2'].' '.$_POST['default_order_by_dir2'];
+	} else{
+		$_POST['default_order_by']=$_POST['default_order_by'].' '.$_POST['default_order_by_dir'];
+	}
+	
+	
+        foreach ($settings as $setting) {
+            $db->query('UPDATE {prefs} SET pref_value = ? WHERE pref_name = ?',
+                    array(Post::val($setting, 0), $setting));
+            // Update prefs for following scripts
+            $fs->prefs[$setting] = Post::val($setting, 0);
+        }
+
+        // Process the list of groups into a format we can store
+        $viscols = trim(Post::val('visible_columns'));
+        $db->query("UPDATE  {prefs} SET pref_value = ?
+                     WHERE  pref_name = 'visible_columns'",
+        array($viscols));
+        $fs->prefs['visible_columns'] = $viscols;
+
+        $visfields = trim(Post::val('visible_fields'));
+        $db->query("UPDATE  {prefs} SET pref_value = ?
+                     WHERE  pref_name = 'visible_fields'",
+        array($visfields));
+        $fs->prefs['visible_fields'] = $visfields;
+
+		//save logo
+		if($_FILES['logo']['error'] == 0){
+			if( in_array(exif_imagetype($_FILES['logo']['tmp_name']), array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG)) ) {
+				$logofilename=strtolower(basename($_FILES['logo']['name']));
+				$logoexplode = explode('.', $logofilename);
+				$logoextension = strtolower(end($logoexplode));
+				$allowedextensions = array('gif', 'jpg', 'jpeg', 'png');
+
+				if(in_array($logoextension, $allowedextensions)){
+					move_uploaded_file($_FILES['logo']['tmp_name'], './' . $logofilename);
+					$sql = $db->query("SELECT * FROM {prefs} WHERE pref_name='logo'");
+					if(!$db->fetchOne($sql)){
+						$db->query("INSERT INTO {prefs} (pref_name) VALUES('logo')");
+					}
+					$db->query("UPDATE {prefs} SET pref_value = ? WHERE pref_name='logo'", $logofilename);
+				} else{
+					$errors['invalidfileextension']=1;
+				}
+			}
+		}
+		//saved logo
+
+        $_SESSION['SUCCESS'] = L('optionssaved');
+		if(count($errors)>0){
+			$_SESSION['ERRORS']=$errors;
+		}
+
+        break;
+
+        // ##################
+        // adding a new project
+        // ##################
+    case 'admin.newproject':
+        if (!$user->perms('is_admin')) {
+            break;
+        }
+
+        if (!Post::val('project_title')) {
+            Flyspray::show_error(L('emptytitle'));
+            break;
+        }
+
+        $viscols =    $fs->prefs['visible_columns']
+                    ? $fs->prefs['visible_columns']
+                    : 'id tasktype priority severity summary status dueversion progress';
+
+        $visfields =  $fs->prefs['visible_fields']
+                    ? $fs->prefs['visible_fields']
+                    : 'id tasktype priority severity summary status dueversion progress';
+
+
+        $db->query('INSERT INTO  {projects}
+                                 ( project_title, theme_style, intro_message,
+                                   others_view, others_viewroadmap, anon_open, project_is_active,
+                                   visible_columns, visible_fields, lang_code, notify_email, notify_jabber, disp_intro)
+                         VALUES  (?, ?, ?, ?, ?, ?, 1, ?, ?, ?, ?, ?, ?)',
+        array(Post::val('project_title'), Post::val('theme_style'),
+              Post::val('intro_message'), Post::num('others_view', 0), Post::num('others_viewroadmap', 0),
+              Post::num('anon_open', 0),  $viscols, $visfields,
+              Post::val('lang_code', 'en'), '', '',
+        Post::num('disp_intro')
+    ));
+
+        // $sql = $db->query('SELECT project_id FROM {projects} ORDER BY project_id DESC', false, 1);
+        // $pid = $db->fetchOne($sql);
+        $pid = $db->insert_ID();
+
+        $cols = array( 'manage_project', 'view_tasks', 'open_new_tasks',
+                'modify_own_tasks', 'modify_all_tasks', 'view_comments',
+                'add_comments', 'edit_comments', 'delete_comments', 'show_as_assignees',
+                'create_attachments', 'delete_attachments', 'view_history', 'add_votes',
+                'close_own_tasks', 'close_other_tasks', 'assign_to_self', 'edit_own_comments',
+                'assign_others_to_self', 'add_to_assignees', 'view_reports', 'group_open',
+                'view_estimated_effort', 'view_current_effort_done', 'track_effort',
+                'add_multiple_tasks', 'view_roadmap', 'view_own_tasks', 'view_groups_tasks',
+                'edit_assignments');
+        $args = array_fill(0, count($cols), '1');
+        array_unshift($args, 'Project Managers',
+                'Permission to do anything related to this project.',
+                intval($pid));
+
+        $db->query("INSERT INTO  {groups}
+                                 ( group_name, group_desc, project_id,
+                                   ".join(',', $cols).")
+                         VALUES  ( ". $db->fill_placeholders($cols, 3) .")", $args);
+
+        $db->query("INSERT INTO  {list_category}
+                                 ( project_id, category_name,
+                                   show_in_list, category_owner, lft, rgt)
+                         VALUES  ( ?, ?, 1, 0, 1, 4)", array($pid, 'root'));
+
+        $db->query("INSERT INTO  {list_category}
+                                 ( project_id, category_name,
+                                   show_in_list, category_owner, lft, rgt )
+                         VALUES  ( ?, ?, 1, 0, 2, 3)", array($pid, 'Backend / Core'));
+
+        $db->query("INSERT INTO  {list_os}
+                                 ( project_id, os_name, list_position, show_in_list )
+                         VALUES  (?, ?, 1, 1)", array($pid, 'All'));
+
+        $db->query("INSERT INTO  {list_version}
+                                 ( project_id, version_name, list_position,
+                                   show_in_list, version_tense )
+                         VALUES  (?, ?, 1, 1, 2)", array($pid, '1.0'));
+
+        $_SESSION['SUCCESS'] = L('projectcreated');
+        Flyspray::redirect(createURL('pm', 'prefs', $pid));
+        break;
+
+        // ##################
+        // updating project preferences
+        // ##################
+    case 'pm.updateproject':
+        if (!$user->perms('manage_project')) {
+            break;
+        }
+
+        if (Post::val('delete_project')) {
+            if (Backend::delete_project($proj->id, Post::val('move_to'))) {
+                $_SESSION['SUCCESS'] = L('projectdeleted');
+            } else {
+                $_SESSION['ERROR'] = L('projectnotdeleted');
+            }
+
+            if (Post::val('move_to')) {
+                Flyspray::redirect(createURL('pm', 'prefs', Post::val('move_to')));
+            } else {
+                Flyspray::redirect($baseurl);
+            }
+        }
+
+        if (!Post::val('project_title')) {
+            Flyspray::show_error(L('emptytitle'));
+            break;
+        }
+
+        $cols = array( 'project_title', 'theme_style', 'lang_code', 'default_task', 'default_entry',
+                'intro_message', 'notify_email', 'notify_jabber', 'notify_subject', 'notify_reply',
+                'feed_description', 'feed_img_url','default_due_version','use_effort_tracking',
+                'pages_intro_msg', 'estimated_effort_format', 'current_effort_done_format');
+        $args = array_map('Post_to0', $cols);
+        $cols = array_merge($cols, $ints = array('project_is_active', 'others_view', 'others_viewroadmap', 'anon_open', 'comment_closed', 'auto_assign', 'freetagging'));
+        $args = array_merge($args, array_map(array('Post', 'num'), $ints));
+        $cols[] = 'notify_types';
+        $args[] = implode(' ', (array) Post::val('notify_types'));
+        $cols[] = 'last_updated';
+        $args[] = time();
+        $cols[] = 'disp_intro';
+        $args[] = Post::num('disp_intro');
+        $cols[] = 'default_cat_owner';
+        $args[] =  Flyspray::UserNameToId(Post::val('default_cat_owner'));
+        $cols[] = 'custom_style';
+        $args[] = Post::val('custom_style');
+
+        // Convert to seconds.
+        if (Post::val('hours_per_manday')) {
+            $args[] = effort::editStringToSeconds(Post::val('hours_per_manday'), $proj->prefs['hours_per_manday'], $proj->prefs['estimated_effort_format']);
+            $cols[] = 'hours_per_manday';
+        }
+
+        # TODO validation
+        if( Post::val('default_order_by2') !=''){
+                $_POST['default_order_by']=$_POST['default_order_by'].' '.$_POST['default_order_by_dir'].', '.$_POST['default_order_by2'].' '.$_POST['default_order_by_dir2'];
+        } else{
+                $_POST['default_order_by']=$_POST['default_order_by'].' '.$_POST['default_order_by_dir'];
+        }
+        $cols[]='default_order_by';
+        $args[]= $_POST['default_order_by'];
+
+        $args[] = $proj->id;
+
+        $update = $db->query("UPDATE  {projects}
+                                 SET  ".join('=?, ', $cols)."=?
+                               WHERE  project_id = ?", $args);
+
+        $update = $db->query('UPDATE {projects} SET visible_columns = ? WHERE project_id = ?',
+                             array(trim(Post::val('visible_columns')), $proj->id));
+
+        $update = $db->query('UPDATE {projects} SET visible_fields = ? WHERE project_id = ?',
+                             array(trim(Post::val('visible_fields')), $proj->id));
+
+        // Update project prefs for following scripts
+        $proj = new Project($proj->id);
+        $_SESSION['SUCCESS'] = L('projectupdated');
+        Flyspray::redirect(createURL('pm', 'prefs', $proj->id));
+        break;
+
+        // ##################
+        // modifying user details/profile
+        // ##################
+    case 'admin.edituser':
+    case 'myprofile.edituser':
+        if (Post::val('delete_user')) {
+            // There probably is a bug here somewhere but I just can't find it just now.
+            // Anyway, I get the message also when just editing my details.
+            if ($user->id == (int)Post::val('user_id') && $user->perms('is_admin')) {
+                Flyspray::show_error(L('nosuicide'));
+                break;
+            }
+            else {
+                // check that he is not the last user
+                $sql = $db->query('SELECT count(*) FROM {users}');
+                if ($db->fetchOne($sql) > 1) {
+                    Backend::delete_user(Post::val('user_id'));
+                    $_SESSION['SUCCESS'] = L('userdeleted');
+                    Flyspray::redirect(createURL('admin', 'groups'));
+                } else {
+                    Flyspray::show_error(L('lastuser'));
+                    break;
+                }
+            }
+        }
+
+        if (!Post::val('onlypmgroup')):
+            if ($user->perms('is_admin') || $user->id == Post::val('user_id')): // only admin or user himself can change
+
+                if (!Post::val('real_name') || (!Post::val('email_address') && !Post::val('jabber_id'))) {
+                    Flyspray::show_error(L('realandnotify'));
+                    break;
+                }
+
+                // Check email format
+                if (!Post::val('email_address') || !Flyspray::check_email(Post::val('email_address')))
+                {
+                    Flyspray::show_error(L('novalidemail'));
+                    break;
+                }
+
+                # current CleanFS template skips oldpass input requirement for admin accounts: if someone is able to catch an admin session he could simply create another admin acc for example.
+                #if ( (!$user->perms('is_admin') || $user->id == Post::val('user_id')) && !Post::val('oldpass')
+                if ( !$user->perms('is_admin') && !Post::val('oldpass') && (Post::val('changepass') || Post::val('confirmpass')) ) {
+                    Flyspray::show_error(L('nooldpass'));
+                    break;
+                }
+
+                if ($user->infos['oauth_uid'] && Post::val('changepass')) {
+                    Flyspray::show_error(sprintf(L('oauthreqpass'), ucfirst($uesr->infos['oauth_provider'])));
+                    break;
+                }
+
+                if (Post::val('changepass')) {
+                    if ($fs->prefs['repeat_password'] && Post::val('changepass') != Post::val('confirmpass')) {
+                        Flyspray::show_error(L('passnomatch'));
+                        break;
+                    }
+					if (Post::val('oldpass')) {
+						$sql = $db->query('SELECT user_pass FROM {users} WHERE user_id = ?', array(Post::val('user_id')));
+						$oldpass =  $db->fetchRow($sql);
+
+						$pwtest=false;
+						if(strlen($oldpass['user_pass'])==32){
+							$pwtest=hash_equals($oldpass['user_pass'], md5(Post::val('oldpass')));
+						}elseif(strlen($oldpass['user_pass'])==40){
+							$pwtest=hash_equals($oldpass['user_pass'], sha1(Post::val('oldpass')));
+						}elseif(strlen($oldpass['user_pass'])==128){
+							$pwtest=hash_equals($oldpass['user_pass'], hash('sha512',Post::val('oldpass')));
+						}else{
+							$pwtest=password_verify(Post::val('oldpass'), $oldpass['user_pass']);
+						}
+
+						if (!$pwtest){
+							Flyspray::show_error(L('oldpasswrong'));
+							break;
+						}
+					}
+                    $new_hash = Flyspray::cryptPassword(Post::val('changepass'));
+                    $db->query('UPDATE {users} SET user_pass = ? WHERE user_id = ?',
+                            array($new_hash, Post::val('user_id')));
+
+                    // If the user is changing their password, better update their cookie hash
+                    if ($user->id == Post::val('user_id')) {
+                        Flyspray::setCookie('flyspray_passhash',
+                                crypt($new_hash, $conf['general']['cookiesalt']), time()+3600*24*30,null,null,null,true);
+                    }
+                }
+                $jabId = Post::val('jabber_id');
+                if (!empty($jabId) && Post::val('old_jabber_id') != $jabId) {
+                    Notifications::JabberRequestAuth(Post::val('jabber_id'));
+                }
+
+                $db->query('UPDATE {users}
+                       SET  real_name = ?, email_address = ?, notify_own = ?,
+                            jabber_id = ?, notify_type = ?,
+                            dateformat = ?, dateformat_extended = ?,
+                            tasks_perpage = ?, time_zone = ?, lang_code = ?,
+                            hide_my_email = ?, notify_online = ?
+                     WHERE  user_id = ?',
+                array(Post::val('real_name'), Post::val('email_address'), Post::num('notify_own', 0),
+                    Post::val('jabber_id', ''), Post::num('notify_type'),
+                    Post::val('dateformat', 0), Post::val('dateformat_extended', 0),
+                    Post::num('tasks_perpage'), Post::num('time_zone'), Post::val('lang_code', 'en'),
+                    Post::num('hide_my_email', 0), Post::num('notify_online', 0), Post::num('user_id')));
+
+                # 20150307 peterdd: Now we must reload translations, because the user maybe changed his language preferences!
+                # first reload user info
+                $user=new User($user->id);
+                load_translations();
+
+                $profile_image = 'profile_image';
+
+                if(isset($_FILES[$profile_image])) {
+                    if(!empty($_FILES[$profile_image]['name'])) {
+                        $allowed = array('jpg', 'jpeg', 'gif', 'png');
+
+                        $image_name = $_FILES[$profile_image]['name'];
+                        $explode = explode('.', $image_name);
+                        $image_extn = strtolower(end($explode));
+                        $image_temp = $_FILES[$profile_image]['tmp_name'];
+
+                        if(in_array($image_extn, $allowed)) {
+                            $sql = $db->query('SELECT profile_image FROM {users} WHERE user_id = ?', array(Post::val('user_id')));
+                            $avatar_oldname = $db->fetchRow($sql);
+
+                            if (is_file(BASEDIR.'/avatars/'.$avatar_oldname['profile_image']))
+                                unlink(BASEDIR.'/avatars/'.$avatar_oldname['profile_image']);
+
+                            $avatar_name = substr(md5(time()), 0, 10).'.'.$image_extn;
+                            $image_path = BASEDIR.'/avatars/'.$avatar_name;
+                            move_uploaded_file($image_temp, $image_path);
+                        	resizeImage($avatar_name, $fs->prefs['max_avatar_size'], $fs->prefs['max_avatar_size']);
+                            $db->query('UPDATE {users} SET profile_image = ? WHERE user_id = ?',
+                            	array($avatar_name, Post::num('user_id')));
+                        } else {
+                            Flyspray::show_error(L('incorrectfiletype'));
+                            break;
+                        }
+                    }
+                }
+
+                endif; // end only admin or user himself can change
+
+            if ($user->perms('is_admin')) {
+                if($user->id == (int)Post::val('user_id')) {
+                    if (Post::val('account_enabled', 0) <= 0 || Post::val('old_global_id') != 1) {
+                        Flyspray::show_error(L('nosuicide'));
+                        break;
+                    }
+                } else {
+                    $db->query('UPDATE {users} SET account_enabled = ?  WHERE user_id = ?',
+                        array(Post::val('account_enabled', 0), Post::val('user_id')));
+                    $db->query('UPDATE {users_in_groups} SET group_id = ?
+                         WHERE group_id = ? AND user_id = ?',
+                        array(Post::val('group_in'), Post::val('old_global_id'), Post::val('user_id')));
+                }
+            }
+
+            endif; // end non project group changes
+
+        if ($user->perms('manage_project') && !is_null(Post::val('project_group_in')) && Post::val('project_group_in') != Post::val('old_group_id')) {
+            $db->query('DELETE FROM {users_in_groups} WHERE group_id = ? AND user_id = ?',
+                         array(Post::val('old_group_id'), Post::val('user_id')));
+            if (Post::val('project_group_in')) {
+                $db->query('INSERT INTO {users_in_groups} (group_id, user_id) VALUES(?, ?)',
+                           array(Post::val('project_group_in'), Post::val('user_id')));
+            }
+        }
+
+        $_SESSION['SUCCESS'] = L('userupdated');
+        if ($action === 'myprofile.edituser') {
+                Flyspray::redirect(createURL('myprofile'));
+        } elseif ($action === 'admin.edituser' && Post::val('area') === 'users') {
+                Flyspray::redirect(createURL('edituser', Post::val('user_id')));
+        } else {
+                Flyspray::redirect(createURL('user', Post::val('user_id')));
+        }
+        break;
+        // ##################
+        // approving a new user registration
+        // ##################
+    case 'approve.user':
+        if($user->perms('is_admin')) {
+            $db->query('UPDATE {users} SET account_enabled = ?  WHERE user_id = ?',
+                    array(1, Post::val('user_id')));
+
+            $db->query('UPDATE  {admin_requests}
+                       SET  resolved_by = ?, time_resolved = ?
+                     WHERE  submitted_by = ? AND request_type = ?',
+            array($user->id, time(), Post::val('user_id'), 3));
+            // Missing event constant, can't log yet...
+            // Missing notification constant, can't notify yet...
+            // Notification constant added, write the code for sending that message...
+
+        }
+        break;
+        // ##################
+        // updating a group definition
+        // ##################
+    case 'pm.editgroup':
+    case 'admin.editgroup':
+        if (!$user->perms('manage_project')) {
+            break;
+        }
+
+        if (!Post::val('group_name')) {
+            Flyspray::show_error(L('groupanddesc'));
+            break;
+        }
+
+        $cols = array('group_name', 'group_desc');
+
+        // Add a user to a group
+        if ($uid = Post::val('uid')) {
+            $uids = preg_split('/[,;]+/', $uid, -1, PREG_SPLIT_NO_EMPTY);
+            foreach ($uids as $uid) {
+                $uid = Flyspray::usernameToId($uid);
+                if (!$uid) {
+                    continue;
+                }
+
+                // If user is already a member of one of the project's groups, **move** (not add) him to the new group
+                $sql = $db->query('SELECT g.group_id
+                                     FROM {users_in_groups} uig, {groups} g
+                                    WHERE g.group_id = uig.group_id AND uig.user_id = ? AND project_id = ?',
+                array($uid, $proj->id));
+                if ($db->countRows($sql)) {
+                    $oldid = $db->fetchOne($sql);
+                    $db->query('UPDATE {users_in_groups} SET group_id = ? WHERE user_id = ? AND group_id = ?',
+                                array(Post::val('group_id'), $uid, $oldid));
+                } else {
+                    $db->query('INSERT INTO {users_in_groups} (group_id, user_id) VALUES(?, ?)',
+                                array(Post::val('group_id'), $uid));
+                }
+            }
+        }
+
+        if (Post::val('delete_group') && Post::val('group_id') != '1') {
+            $db->query('DELETE FROM {groups} WHERE group_id = ?', Post::val('group_id'));
+
+            if (Post::val('move_to')) {
+                $db->query('UPDATE {users_in_groups} SET group_id = ? WHERE group_id = ?',
+                            array(Post::val('move_to'), Post::val('group_id')));
+            }
+
+            $_SESSION['SUCCESS'] = L('groupupdated');
+            Flyspray::redirect(createURL( (($proj->id) ? 'pm' : 'admin'), 'groups', $proj->id));
+        }
+        // Allow all groups to update permissions except for global Admin
+        if (Post::val('group_id') != '1') {
+            $cols = array_merge($cols,
+            array('manage_project', 'view_tasks', 'edit_own_comments',
+              'open_new_tasks', 'modify_own_tasks', 'modify_all_tasks',
+              'view_comments', 'add_comments', 'edit_comments', 'delete_comments',
+              'create_attachments', 'delete_attachments', 'show_as_assignees',
+              'view_history', 'close_own_tasks', 'close_other_tasks', 'edit_assignments',
+              'assign_to_self', 'assign_others_to_self', 'add_to_assignees', 'view_reports',
+              'add_votes', 'group_open', 'view_estimated_effort', 'track_effort',
+              'view_current_effort_done', 'add_multiple_tasks', 'view_roadmap',
+              'view_own_tasks', 'view_groups_tasks'));
+        }
+
+        $args = array_map('Post_to0', $cols);
+        $args[] = Post::val('group_id');
+        $args[] = $proj->id;
+
+        $db->query("UPDATE  {groups}
+                       SET  ".join('=?,', $cols)."=?
+                     WHERE  group_id = ? AND project_id = ?", $args);
+
+        $_SESSION['SUCCESS'] = L('groupupdated');
+        break;
+
+        // ##################
+        // updating a list
+        // ##################
+    case 'update_list':
+        if (!$user->perms('manage_project') || !isset($list_table_name)) {
+            break;
+        }
+
+        $listnames    = Post::val('list_name');
+        $listposition = Post::val('list_position');
+        $listshow     = Post::val('show_in_list');
+        $listdelete   = Post::val('delete');
+        if($lt=='tag'){
+                $listclass = Post::val('list_class');
+        }
+	foreach ($listnames as $id => $listname) {
+        	if ($listname != '') {
+			if (!isset($listshow[$id])) {
+				$listshow[$id] = 0;
+			}
+
+			$check = $db->query("SELECT COUNT(*)
+                                       FROM $list_table_name
+                                      WHERE (project_id = 0 OR project_id = ?)
+                                        AND $list_column_name = ?
+                                        AND $list_id <> ?",
+                                    array($proj->id, $listnames[$id], $id)
+			);
+			$itemexists = $db->fetchOne($check);
+
+			if ($itemexists) {
+				Flyspray::show_error(sprintf(L('itemexists'), $listnames[$id]));
+				return;
+			}
+
+			if($lt=='tag'){
+				$update = $db->query("UPDATE $list_table_name
+					SET $list_column_name=?, list_position=?, show_in_list=?, class=?
+					WHERE $list_id=? AND project_id=?",
+					array($listnames[$id], intval($listposition[$id]), intval($listshow[$id]), $listclass[$id], $id, $proj->id)
+				);
+			} else{
+				$update = $db->query("UPDATE $list_table_name
+					SET $list_column_name=?, list_position=?, show_in_list=?
+					WHERE $list_id=? AND project_id=?",
+					array($listnames[$id], intval($listposition[$id]), intval($listshow[$id]), $id, $proj->id)
+				);
+			}
+		} else {
+			Flyspray::show_error(L('fieldsmissing'));
+		}
+	}
+
+        if (is_array($listdelete) && count($listdelete)) {
+            $deleteids = "$list_id = " . join(" OR $list_id =", array_map('intval', array_keys($listdelete)));
+            $db->query("DELETE FROM $list_table_name WHERE project_id = ? AND ($deleteids)", array($proj->id));
+        }
+
+        $_SESSION['SUCCESS'] = L('listupdated');
+        break;
+
+        // ##################
+        // adding a list item
+        // ##################
+    case 'pm.add_to_list':
+    case 'admin.add_to_list':
+        if (!$user->perms('manage_project') || !isset($list_table_name)) {
+            break;
+        }
+
+        if (!Post::val('list_name')) {
+            Flyspray::show_error(L('fillallfields'));
+            break;
+        }
+
+        $position = Post::num('list_position');
+        if (!$position) {
+            $position = intval($db->fetchOne($db->query("SELECT max(list_position)+1
+                                                    FROM $list_table_name
+                                                   WHERE project_id = ?",
+            array($proj->id))));
+        }
+
+        $check = $db->query("SELECT COUNT(*)
+                               FROM $list_table_name
+                              WHERE (project_id = 0 OR project_id = ?)
+                                AND $list_column_name = ?",
+                            array($proj->id, Post::val('list_name')));
+        $itemexists = $db->fetchOne($check);
+
+        if ($itemexists) {
+            Flyspray::show_error(sprintf(L('itemexists'), Post::val('list_name')));
+            return;
+        }
+
+        $db->query("INSERT INTO  $list_table_name
+                                 (project_id, $list_column_name, list_position, show_in_list)
+                         VALUES  (?, ?, ?, ?)",
+        array($proj->id, Post::val('list_name'), $position, '1'));
+
+        $_SESSION['SUCCESS'] = L('listitemadded');
+        break;
+
+        // ##################
+        // updating the version list
+        // ##################
+    case 'update_version_list':
+        if (!$user->perms('manage_project') || !isset($list_table_name)) {
+            break;
+        }
+
+        $listnames    = Post::val('list_name');
+        $listposition = Post::val('list_position');
+        $listshow     = Post::val('show_in_list');
+        $listtense    = Post::val('version_tense');
+        $listdelete   = Post::val('delete');
+
+        foreach ($listnames as $id => $listname) {
+            if (is_numeric($listposition[$id]) && $listnames[$id] != '') {
+                if (!isset($listshow[$id])) {
+                    $listshow[$id] = 0;
+                }
+
+                $check = $db->query("SELECT COUNT(*)
+                                       FROM $list_table_name
+                                      WHERE (project_id = 0 OR project_id = ?)
+                                        AND $list_column_name = ?
+                                        AND $list_id <> ?",
+                                    array($proj->id, $listnames[$id], $id));
+                $itemexists = $db->fetchOne($check);
+
+                if ($itemexists) {
+                    Flyspray::show_error(sprintf(L('itemexists'), $listnames[$id]));
+                    return;
+                }
+
+                $update = $db->query("UPDATE  $list_table_name
+                                         SET  $list_column_name = ?, list_position = ?,
+                                              show_in_list = ?, version_tense = ?
+                                       WHERE  $list_id = ? AND project_id = ?",
+                array($listnames[$id], intval($listposition[$id]),
+                    intval($listshow[$id]), intval($listtense[$id]), $id, $proj->id));
+            } else {
+                Flyspray::show_error(L('fieldsmissing'));
+            }
+        }
+
+        if (is_array($listdelete) && count($listdelete)) {
+            $deleteids = "$list_id = " . join(" OR $list_id =", array_map('intval', array_keys($listdelete)));
+            $db->query("DELETE FROM $list_table_name WHERE project_id = ? AND ($deleteids)", array($proj->id));
+        }
+
+        $_SESSION['SUCCESS'] = L('listupdated');
+        break;
+
+        // ##################
+        // adding a version list item
+        // ##################
+    case 'pm.add_to_version_list':
+    case 'admin.add_to_version_list':
+        if (!$user->perms('manage_project') || !isset($list_table_name)) {
+            break;
+        }
+
+        if (!Post::val('list_name')) {
+            Flyspray::show_error(L('fillallfields'));
+            break;
+        }
+
+        $position = Post::num('list_position');
+        if (!$position) {
+            $position = $db->fetchOne($db->query("SELECT max(list_position)+1
+                                                    FROM $list_table_name
+                                                   WHERE project_id = ?",
+            array($proj->id)));
+        }
+
+        $check = $db->query("SELECT COUNT(*)
+                               FROM $list_table_name
+                              WHERE (project_id = 0 OR project_id = ?)
+                                AND $list_column_name = ?",
+                            array($proj->id, Post::val('list_name')));
+        $itemexists = $db->fetchOne($check);
+
+        if ($itemexists) {
+            Flyspray::show_error(sprintf(L('itemexists'), Post::val('list_name')));
+            return;
+        }
+
+        $db->query("INSERT INTO  $list_table_name
+                                (project_id, $list_column_name, list_position, show_in_list, version_tense)
+                        VALUES  (?, ?, ?, ?, ?)",
+        array($proj->id, Post::val('list_name'),
+            intval($position), '1', Post::val('version_tense')));
+
+        $_SESSION['SUCCESS'] = L('listitemadded');
+        break;
+
+        // ##################
+        // updating the category list
+        // ##################
+    case 'update_category':
+        if (!$user->perms('manage_project')) {
+            break;
+        }
+
+        $listnames    = Post::val('list_name');
+        $listshow     = Post::val('show_in_list');
+        $listdelete   = Post::val('delete');
+        $listlft      = Post::val('lft');
+        $listrgt      = Post::val('rgt');
+        $listowners   = Post::val('category_owner');
+
+        foreach ($listnames as $id => $listname) {
+            if ($listname != '') {
+                if (!isset($listshow[$id])) {
+                    $listshow[$id] = 0;
+                }
+
+                // Check for duplicates on the same sub-level under same parent category.
+                // First, we'll have to find the right parent for the current category.
+                $sql = $db->query('SELECT *
+                                     FROM {list_category}
+                                    WHERE project_id = ? AND lft < ? and rgt > ?
+                                      AND lft = (SELECT MAX(lft) FROM {list_category} WHERE lft < ? and rgt > ?)',
+                                  array($proj->id, intval($listlft[$id]), intval($listrgt[$id]), intval($listlft[$id]), intval($listrgt[$id])));
+
+                $parent = $db->fetchRow($sql);
+
+                $check = $db->query('SELECT COUNT(*)
+                                      FROM {list_category} c
+                                     WHERE project_id = ? AND category_name = ? AND lft > ? AND rgt < ?
+                                       AND category_id <> ?
+                            AND NOT EXISTS (SELECT *
+                                              FROM {list_category}
+                                             WHERE project_id = ?
+                                               AND lft > ? AND rgt < ?
+                                               AND lft < c.lft AND rgt > c.rgt)',
+                                array($proj->id, $listname, $parent['lft'], $parent['rgt'], intval($id), $proj->id, $parent['lft'], $parent['rgt']));
+                $itemexists = $db->fetchOne($check);
+
+                // echo "<pre>" . $parent['category_name'] . "," . $listname . ", " . intval($id) . ", " . intval($listlft[$id]) . ", " . intval($listrgt[$id]) . ", " . $itemexists ."</pre>";
+
+                if ($itemexists) {
+                    Flyspray::show_error(sprintf(L('categoryitemexists'), $listname, $parent['category_name']));
+                    return;
+                }
+
+
+                $update = $db->query('UPDATE  {list_category}
+                                         SET  category_name = ?,
+                                              show_in_list = ?, category_owner = ?,
+                                              lft = ?, rgt = ?
+                                       WHERE  category_id = ? AND project_id = ?',
+                array($listname, intval($listshow[$id]), Flyspray::UserNameToId($listowners[$id]), intval($listlft[$id]), intval($listrgt[$id]), intval($id), $proj->id));
+                // Correct visibility for sub categories
+                if ($listshow[$id] == 0) {
+                    foreach ($listnames as $key => $value) {
+                        if ($listlft[$key] > $listlft[$id] && $listrgt[$key] < $listrgt[$id]) {
+                            $listshow[$key] = 0;
+                        }
+                    }
+                }
+            } else {
+                Flyspray::show_error(L('fieldsmissing'));
+            }
+        }
+
+        if (is_array($listdelete) && count($listdelete)) {
+            $deleteids = "$list_id = " . join(" OR $list_id =", array_map('intval', array_keys($listdelete)));
+            $db->query("DELETE FROM {list_category} WHERE project_id = ? AND ($deleteids)", array($proj->id));
+        }
+
+        $_SESSION['SUCCESS'] = L('listupdated');
+        break;
+
+        // ##################
+        // adding a category list item
+        // ##################
+    case 'pm.add_category':
+    case 'admin.add_category':
+        if (!$user->perms('manage_project')) {
+            break;
+        }
+
+        if (!Post::val('list_name')) {
+            Flyspray::show_error(L('fillallfields'));
+            break;
+        }
+
+        // Get right value of last node
+        // Need also left value of parent for duplicate check and category name for errormessage.
+        $sql = $db->query('SELECT rgt, lft, category_name FROM {list_category} WHERE category_id = ?', array(Post::val('parent_id', -1)));
+        $parent = $db->fetchRow($sql);
+        $right = $parent['rgt'];
+        $left = $parent['lft'];
+
+        // echo "<pre>Parent: " . Post::val('parent_id', -1) . ", left: $left, right: $right</pre>";
+
+        // If parent has subcategories, check for possible duplicates
+        // on the same sub-level and under the same parent.
+        if ($left + 1 != $right) {
+            $check = $db->query('SELECT COUNT(*)
+                                  FROM {list_category} c
+                                 WHERE project_id = ? AND category_name = ? AND lft > ? AND rgt < ?
+                        AND NOT EXISTS (SELECT *
+                                          FROM {list_category}
+                                         WHERE project_id = ?
+                                           AND lft > ? AND rgt < ?
+                                           AND lft < c.lft AND rgt > c.rgt)',
+                                array($proj->id, Post::val('list_name'), $left, $right, $proj->id, $left, $right));
+            $itemexists = $db->fetchOne($check);
+
+            if ($itemexists) {
+                Flyspray::show_error(sprintf(L('categoryitemexists'), Post::val('list_name'), $parent['category_name']));
+                return;
+            }
+        }
+
+        $db->query('UPDATE {list_category} SET rgt=rgt+2 WHERE rgt >= ? AND project_id = ?', array($right, $proj->id));
+        $db->query('UPDATE {list_category} SET lft=lft+2 WHERE lft >= ? AND project_id = ?', array($right, $proj->id));
+
+        $db->query("INSERT INTO  {list_category}
+                                 ( project_id, category_name, show_in_list, category_owner, lft, rgt )
+                         VALUES  (?, ?, 1, ?, ?, ?)",
+        array($proj->id, Post::val('list_name'),
+              Post::val('category_owner', 0) == '' ? '0' : Flyspray::usernameToId(Post::val('category_owner', 0)), $right, $right+1));
+
+        $_SESSION['SUCCESS'] = L('listitemadded');
+        break;
+
+        // ##################
+        // adding a related task entry
+        // ##################
+    case 'details.add_related':
+        if (!$user->can_edit_task($task)) {
+            Flyspray::show_error(L('nopermission'));//TODO: create a better error message
+            break;
+        }
+
+        // if the user has not the permission to view all tasks, check if the task
+        // is in tasks allowed to see, otherwise tell that the task does not exist.
+        if (!$user->perms('view_tasks')) {
+            $taskcheck = Flyspray::getTaskDetails(Post::val('related_task'));
+            if (!$user->can_view_task($taskcheck)) {
+                Flyspray::show_error(L('relatedinvalid'));
+                break;
+            }
+        }
+
+        $sql = $db->query('SELECT  project_id
+                             FROM  {tasks}
+                            WHERE  task_id = ?',
+        array(Post::val('related_task')));
+        if (!$db->countRows($sql)) {
+            Flyspray::show_error(L('relatedinvalid'));
+            break;
+        }
+
+        $sql = $db->query("SELECT related_id
+                             FROM {related}
+                            WHERE this_task = ? AND related_task = ?
+                                  OR
+                                  related_task = ? AND this_task = ?",
+        array($task['task_id'], Post::val('related_task'),
+              $task['task_id'], Post::val('related_task')));
+
+        if ($db->countRows($sql)) {
+            Flyspray::show_error(L('relatederror'));
+            break;
+        }
+
+        $db->query("INSERT INTO {related} (this_task, related_task) VALUES(?,?)",
+                array($task['task_id'], Post::val('related_task')));
+
+        Flyspray::logEvent($task['task_id'], 11, Post::val('related_task'));
+        Flyspray::logEvent(Post::val('related_task'), 15, $task['task_id']);
+        $notify->create(NOTIFY_REL_ADDED, $task['task_id'], Post::val('related_task'), null, NOTIFY_BOTH, $proj->prefs['lang_code']);
+
+        $_SESSION['SUCCESS'] = L('relatedaddedmsg');
+        break;
+
+        // ##################
+        // Removing a related task entry
+        // ##################
+    case 'remove_related':
+        if (!$user->can_edit_task($task)) {
+            Flyspray::show_error(L('nopermission'));//TODO: create a better error message
+            break;
+        }
+        if (!is_array(Post::val('related_id'))) {
+            Flyspray::show_error(L('formnotcomplete'));
+            break;
+        }
+
+        foreach (Post::val('related_id') as $related) {
+            $sql = $db->query('SELECT this_task, related_task FROM {related} WHERE related_id = ?',
+                              array($related));
+            $db->query('DELETE FROM {related} WHERE related_id = ? AND (this_task = ? OR related_task = ?)',
+                        array($related, $task['task_id'], $task['task_id']));
+            if ($db->affectedRows()) {
+                $related_task = $db->fetchRow($sql);
+                $related_task = ($related_task['this_task'] == $task['task_id']) ? $related_task['related_task'] : $task['task_id'];
+                Flyspray::logEvent($task['task_id'], 12, $related_task);
+                Flyspray::logEvent($related_task, 16, $task['task_id']);
+                $_SESSION['SUCCESS'] = L('relatedremoved');
+            }
+        }
+
+        break;
+
+        // ##################
+        // adding a user to the notification list
+        // ##################
+    case 'details.add_notification':
+        if (Req::val('user_id')) {
+            $userId = Req::val('user_id');
+        } else {
+            $userId = Flyspray::usernameToId(Req::val('user_name'));
+        }
+        if (!Backend::add_notification($userId, Req::val('ids'))) {
+            Flyspray::show_error(L('couldnotaddusernotif'));
+            break;
+        }
+
+        // TODO: Log event in a later version.
+
+        $_SESSION['SUCCESS'] = L('notifyadded');
+        Flyspray::redirect(createURL('details', $task['task_id']).'#notify');
+        break;
+
+        // ##################
+        // removing a notification entry
+        // ##################
+    case 'remove_notification':
+        Backend::remove_notification(Req::val('user_id'), Req::val('ids'));
+
+        // TODO: Log event in a later version.
+
+        $_SESSION['SUCCESS'] = L('notifyremoved');
+        # if on details page we should redirect to details with a GET
+        # but what if the request comes from another page (like myprofile for instance maybe in future)
+        Flyspray::redirect(createURL('details', $task['task_id']).'#notify');
+        break;
+
+        // ##################
+        // editing a comment
+        // ##################
+    case 'editcomment':
+        if (!($user->perms('edit_comments') || $user->perms('edit_own_comments'))) {
+            break;
+        }
+
+        $where = '';
+
+		$comment_text=Post::val('comment_text');
+		$previous_text=Post::val('previous_text');
+		
+		# dokuwiki syntax plugin filters on output
+		if($conf['general']['syntax_plugin'] != 'dokuwiki'){
+			$purifierconfig = HTMLPurifier_Config::createDefault();
+			$purifier = new HTMLPurifier($purifierconfig);
+			$comment_text = $purifier->purify($comment_text);
+			$previous_text= $purifier->purify($comment_text);
+		}
+
+		$params = array($comment_text, time(), Post::val('comment_id'), $task['task_id']);
+ 
+        if ($user->perms('edit_own_comments') && !$user->perms('edit_comments')) {
+            $where = ' AND user_id = ?';
+            array_push($params, $user->id);
+        }
+
+        $db->query("UPDATE  {comments}
+                       SET  comment_text = ?, last_edited_time = ?
+                     WHERE  comment_id = ? AND task_id = ? $where", $params);
+        $db->query("DELETE FROM {cache} WHERE  topic = ? AND type = ?", array(Post::val('comment_id'), 'comm'));
+
+        Flyspray::logEvent($task['task_id'], 5, $comment_text, $previous_text, Post::val('comment_id'));
+
+        Backend::upload_files($task['task_id'], Post::val('comment_id'));
+        Backend::delete_files(Post::val('delete_att'));
+        Backend::upload_links($task['task_id'], Post::val('comment_id'));
+        Backend::delete_links(Post::val('delete_link'));
+
+        $_SESSION['SUCCESS'] = L('editcommentsaved');
+        break;
+
+        // ##################
+        // deleting a comment
+        // ##################
+    case 'details.deletecomment':
+        if (!$user->perms('delete_comments')) {
+            break;
+        }
+
+        $result = $db->query('SELECT  task_id, comment_text, user_id, date_added
+                                FROM  {comments}
+                               WHERE  comment_id = ?',
+        array(Get::val('comment_id')));
+        $comment = $db->fetchRow($result);
+
+        // Check for files attached to this comment
+        $check_attachments = $db->query('SELECT  *
+                                           FROM  {attachments}
+                                          WHERE  comment_id = ?',
+        array(Req::val('comment_id')));
+
+        if ($db->countRows($check_attachments) && !$user->perms('delete_attachments')) {
+            Flyspray::show_error(L('commentattachperms'));
+            break;
+        }
+
+        $db->query("DELETE FROM {comments} WHERE comment_id = ? AND task_id = ?",
+                   array(Req::val('comment_id'), $task['task_id']));
+
+        if ($db->affectedRows()) {
+            Flyspray::logEvent($task['task_id'], 6, $comment['user_id'],
+                    $comment['comment_text'], '', $comment['date_added']);
+        }
+
+        while ($attachment = $db->fetchRow($check_attachments)) {
+            $db->query("DELETE from {attachments} WHERE attachment_id = ?",
+                    array($attachment['attachment_id']));
+
+            @unlink(BASEDIR .'/attachments/' . $attachment['file_name']);
+
+            Flyspray::logEvent($attachment['task_id'], 8, $attachment['orig_name']);
+        }
+
+        $_SESSION['SUCCESS'] = L('commentdeletedmsg');
+        break;
+
+        // ##################
+        // adding a reminder
+        // ##################
+    case 'details.addreminder':
+        $how_often  = Post::val('timeamount1', 1) * Post::val('timetype1');
+        $start_time = Flyspray::strtotime(Post::val('timeamount2', 0));
+
+        $userId = Flyspray::usernameToId(Post::val('to_user_id'));
+        if (!Backend::add_reminder($task['task_id'], Post::val('reminder_message'), $how_often, $start_time, $userId)) {
+            Flyspray::show_error(L('usernotexist'));
+            break;
+        }
+
+        // TODO: Log event in a later version.
+
+        $_SESSION['SUCCESS'] = L('reminderaddedmsg');
+        break;
+
+        // ##################
+        // removing a reminder
+        // ##################
+    case 'deletereminder':
+        if (!$user->perms('manage_project') || !is_array(Post::val('reminder_id'))) {
+            break;
+        }
+
+        foreach (Post::val('reminder_id') as $reminder_id) {
+            $sql = $db->query('SELECT to_user_id FROM {reminders} WHERE reminder_id = ?',
+                              array($reminder_id));
+            $reminder = $db->fetchOne($sql);
+            $db->query('DELETE FROM {reminders} WHERE reminder_id = ? AND task_id = ?',
+                       array($reminder_id, $task['task_id']));
+            if ($db && $db->affectedRows()) {
+                Flyspray::logEvent($task['task_id'], 18, $reminder);
+            }
+        }
+
+        $_SESSION['SUCCESS'] = L('reminderdeletedmsg');
+        break;
+
+        // ##################
+        // change a bunch of users' groups
+        // ##################
+    case 'movetogroup':
+        // Check that both groups belong to the same project
+        $sql = $db->query('SELECT project_id FROM {groups} WHERE group_id = ? OR group_id = ?',
+                          array(Post::val('switch_to_group'), Post::val('old_group')));
+        $old_pr = $db->fetchOne($sql);
+        $new_pr = $db->fetchOne($sql);
+        if ($proj->id != $old_pr || ($new_pr && $new_pr != $proj->id)) {
+            break;
+        }
+
+        if (!$user->perms('manage_project', $old_pr) || !is_array(Post::val('users'))) {
+            break;
+        }
+
+	foreach (Post::val('users') as $user_id => $val) {
+                if($user->id!=$user_id || $proj->id!=0){
+			if (Post::val('switch_to_group') == '0') {
+				$db->query('DELETE FROM {users_in_groups} WHERE user_id=? AND group_id=?',
+					array($user_id, Post::val('old_group'))
+				);
+			} else {
+				# special case: user exists in multiple global groups (shouldn't, but happened)
+				# avoids duplicate entry error
+				if($old_pr==0){
+					$sql = $db->query('SELECT group_id FROM {users_in_groups} WHERE user_id = ? AND group_id = ?',
+						array($user_id, Post::val('switch_to_group'))
+					);
+					$uigexists = $db->fetchOne($sql);
+					if($uigexists > 0){
+						$db->query('DELETE FROM {users_in_groups} WHERE user_id=? AND group_id=?',
+							array($user_id, Post::val('old_group'))
+						);
+					}
+				}
+
+				$db->query('UPDATE {users_in_groups} SET group_id=? WHERE user_id=? AND group_id=?',
+					array(Post::val('switch_to_group'), $user_id, Post::val('old_group'))
+				);
+			}
+		} else {
+			Flyspray::show_error(L('nosuicide'));
+		}	
+	}
+
+        // TODO: Log event in a later version.
+
+        $_SESSION['SUCCESS'] = L('groupswitchupdated');
+        break;
+
+        // ##################
+        // taking ownership
+        // ##################
+    case 'takeownership':
+        Backend::assign_to_me($user->id, Req::val('ids'));
+
+        // TODO: Log event in a later version.
+
+        $_SESSION['SUCCESS'] = L('takenownershipmsg');
+        break;
+
+        // ##################
+        // add to assignees list
+        // ##################
+    case 'addtoassignees':
+        Backend::add_to_assignees($user->id, Req::val('ids'));
+
+        // TODO: Log event in a later version.
+
+        $_SESSION['SUCCESS'] = L('addedtoassignees');
+        break;
+
+        // ##################
+        // admin request
+        // ##################
+    case 'requestclose':
+    case 'requestreopen':
+        if ($action == 'requestclose') {
+            Flyspray::adminRequest(1, $proj->id, $task['task_id'], $user->id, Post::val('reason_given'));
+            Flyspray::logEvent($task['task_id'], 20, Post::val('reason_given'));
+        } elseif ($action == 'requestreopen') {
+            Flyspray::adminRequest(2, $proj->id, $task['task_id'], $user->id, Post::val('reason_given'));
+            Flyspray::logEvent($task['task_id'], 21, Post::val('reason_given'));
+            Backend::add_notification($user->id, $task['task_id']);
+        }
+
+        // Now, get the project managers' details for this project
+        $sql = $db->query("SELECT  u.user_id
+                             FROM  {users} u
+                        LEFT JOIN  {users_in_groups} uig ON u.user_id = uig.user_id
+                        LEFT JOIN  {groups} g ON uig.group_id = g.group_id
+                            WHERE  g.project_id = ? AND g.manage_project = '1'",
+        array($proj->id));
+
+        $pms = $db->fetchCol($sql);
+        if (count($pms)) {
+            // Call the functions to create the address arrays, and send notifications
+        $notify->create(NOTIFY_PM_REQUEST, $task['task_id'], null, $notify->specificAddresses($pms), NOTIFY_BOTH, $proj->prefs['lang_code']);
+        }
+
+        $_SESSION['SUCCESS'] = L('adminrequestmade');
+        break;
+
+        // ##################
+        // denying a PM request
+        // ##################
+    case 'denypmreq':
+        $result = $db->query("SELECT  task_id, project_id
+                                FROM  {admin_requests}
+                               WHERE  request_id = ?",
+        array(Req::val('req_id')));
+        $req_details = $db->fetchRow($result);
+
+        if (!$user->perms('manage_project', $req_details['project_id'])) {
+            break;
+        }
+
+        // Mark the PM request as 'resolved'
+        $db->query("UPDATE  {admin_requests}
+                       SET  resolved_by = ?, time_resolved = ?, deny_reason = ?
+                     WHERE  request_id = ?",
+        array($user->id, time(), Req::val('deny_reason'), Req::val('req_id')));
+
+        Flyspray::logEvent($req_details['task_id'], 28, Req::val('deny_reason'));
+        $notify->create(NOTIFY_PM_DENY_REQUEST, $req_details['task_id'], Req::val('deny_reason'), null, NOTIFY_BOTH, $proj->prefs['lang_code']);
+
+        $_SESSION['SUCCESS'] = L('pmreqdeniedmsg');
+        break;
+
+        // ##################
+        // deny a new user request
+        // ##################
+    case 'denyuserreq':
+        if($user->perms('is_admin')) {
+            $db->query("UPDATE  {admin_requests}
+                       SET  resolved_by = ?, time_resolved = ?, deny_reason = ?
+                     WHERE  request_id = ?",
+            array($user->id, time(), Req::val('deny_reason'), Req::val('req_id')));
+            // Wrong event constant
+            Flyspray::logEvent(0, 28, Req::val('deny_reason'));//nee a new event number. need notification. fix smtp first
+            // Missing notification constant, can't notify yet...
+            $_SESSION['SUCCESS'] = "New user register request denied";
+        }
+        break;
+
+        // ##################
+        // adding a dependency
+        // ##################
+    case 'details.newdep':
+        if (!$user->can_edit_task($task)) {
+            Flyspray::show_error(L('nopermission'));//TODO: create a better error message
+            break;
+        }
+
+        if (!Post::val('dep_task_id')) {
+            Flyspray::show_error(L('formnotcomplete'));
+            break;
+        }
+
+        // TODO: do the checks in some other order. Think about possibility
+        // to combine many of the checks used to to see if a task exists,
+        // if it's something user is allowed to know about etc to just one
+        // function taking the necessary arguments and could be used in
+        // several other places too.
+
+        // if the user has not the permission to view all tasks, check if the task
+        // is in tasks allowed to see, otherwise tell that the task does not exist.
+        if (!$user->perms('view_tasks')) {
+            $taskcheck = Flyspray::getTaskDetails(Post::val('dep_task_id'));
+            if (!$user->can_view_task($taskcheck)) {
+                Flyspray::show_error(L('dependaddfailed'));
+                break;
+            }
+        }
+
+        // First check that the user hasn't tried to add this twice
+        $sql1 = $db->query('SELECT  COUNT(*) FROM {dependencies}
+                             WHERE  task_id = ? AND dep_task_id = ?',
+        array($task['task_id'], Post::val('dep_task_id')));
+
+        // or that they are trying to reverse-depend the same task, creating a mutual-block
+        $sql2 = $db->query('SELECT  COUNT(*) FROM {dependencies}
+                             WHERE  task_id = ? AND dep_task_id = ?',
+        array(Post::val('dep_task_id'), $task['task_id']));
+
+        // Check that the dependency actually exists!
+        $sql3 = $db->query('SELECT COUNT(*) FROM {tasks} WHERE task_id = ?',
+                array(Post::val('dep_task_id')));
+
+        if ($db->fetchOne($sql1) || $db->fetchOne($sql2) || !$db->fetchOne($sql3)
+            // Check that the user hasn't tried to add the same task as a dependency
+            || Post::val('task_id') == Post::val('dep_task_id'))
+        {
+            Flyspray::show_error(L('dependaddfailed'));
+            break;
+        }
+        $notify->create(NOTIFY_DEP_ADDED, $task['task_id'], Post::val('dep_task_id'), null, NOTIFY_BOTH, $proj->prefs['lang_code']);
+        $notify->create(NOTIFY_REV_DEP, Post::val('dep_task_id'), $task['task_id'], null, NOTIFY_BOTH, $proj->prefs['lang_code']);
+
+        // Log this event to the task history, both ways
+        Flyspray::logEvent($task['task_id'], 22, Post::val('dep_task_id'));
+        Flyspray::logEvent(Post::val('dep_task_id'), 23, $task['task_id']);
+
+        $db->query('INSERT INTO  {dependencies} (task_id, dep_task_id)
+                         VALUES  (?,?)',
+        array($task['task_id'], Post::val('dep_task_id')));
+
+        $_SESSION['SUCCESS'] = L('dependadded');
+        break;
+
+        // ##################
+        // removing a subtask
+        // ##################
+    case 'removesubtask':
+
+        //check if the user has permissions to remove the subtask
+        if (!$user->can_edit_task($task)) {
+            Flyspray::show_error(L('nopermission'));//TODO: create a better error message
+            break;
+        }
+
+        //set the subtask supertask_id to 0 removing parent child relationship
+        $db->query("UPDATE {tasks} SET supertask_id=0 WHERE task_id = ?",
+                   array(Post::val('subtaskid')));
+
+        //write event log
+        Flyspray::logEvent(Get::val('task_id'), 33, Post::val('subtaskid'));
+        //post success message to the user
+        $_SESSION['SUCCESS'] = L('subtaskremovedmsg');
+        //redirect the user back to the right task
+        Flyspray::redirect(createURL('details', Get::val('task_id')));
+        break;
+
+        // ##################
+        // removing a dependency
+        // ##################
+    case 'removedep':
+        if (!$user->can_edit_task($task)) {
+            Flyspray::show_error(L('nopermission'));//TODO: create a better error message
+            break;
+        }
+
+        $result = $db->query('SELECT  * FROM {dependencies}
+                               WHERE  depend_id = ?',
+        array(Post::val('depend_id')));
+        $dep_info = $db->fetchRow($result);
+
+        $db->query('DELETE FROM {dependencies} WHERE depend_id = ? AND task_id = ?',
+                    array(Post::val('depend_id'), $task['task_id']));
+
+        if ($db->affectedRows()) {
+            $notify->create(NOTIFY_DEP_REMOVED, $dep_info['task_id'], $dep_info['dep_task_id'], null, NOTIFY_BOTH, $proj->prefs['lang_code']);
+            $notify->create(NOTIFY_REV_DEP_REMOVED, $dep_info['dep_task_id'], $dep_info['task_id'], null, NOTIFY_BOTH, $proj->prefs['lang_code']);
+
+            Flyspray::logEvent($dep_info['task_id'], 24, $dep_info['dep_task_id']);
+            Flyspray::logEvent($dep_info['dep_task_id'], 25, $dep_info['task_id']);
+
+            $_SESSION['SUCCESS'] = L('depremovedmsg');
+        } else {
+            Flyspray::show_error(L('erroronform'));
+        }
+
+        //redirect the user back to the right task
+        Flyspray::redirect(createURL('details', Post::val('return_task_id')));
+        break;
+
+        // ##################
+        // user requesting a password change
+        // ##################
+    case 'lostpw.sendmagic':
+        // Check that the username exists
+        $sql = $db->query('SELECT * FROM {users} WHERE user_name = ?',
+                          array(Post::val('user_name')));
+
+        // If the username doesn't exist, throw an error
+        if (!$db->countRows($sql)) {
+            Flyspray::show_error(L('usernotexist'));
+            break;
+        }
+
+        $user_details = $db->fetchRow($sql);
+
+        if ($user_details['oauth_provider']) {
+            Flyspray::show_error(sprintf(L('oauthreqpass'), ucfirst($user_details['oauth_provider'])));
+            Flyspray::redirect($baseurl);
+            break;
+        }
+
+        //no microtime(), time,even with microseconds is predictable ;-)
+        $magic_url    = md5(function_exists('openssl_random_pseudo_bytes') ?
+                              openssl_random_pseudo_bytes(32) :
+                              uniqid(mt_rand(), true));
+
+
+        // Insert the random "magic url" into the user's profile
+        $db->query('UPDATE {users}
+                       SET magic_url = ?
+                     WHERE user_id = ?',
+        array($magic_url, $user_details['user_id']));
+
+        if(count($user_details)) {
+            $notify->create(NOTIFY_PW_CHANGE, null, array($baseurl, $magic_url), $notify->specificAddresses(array($user_details['user_id']), NOTIFY_EMAIL));
+        }
+
+        // TODO: Log event in a later version.
+
+        $_SESSION['SUCCESS'] = L('magicurlsent');
+        break;
+
+        // ##################
+        // Change the user's password
+        // ##################
+    case 'lostpw.chpass':
+        // Check that the user submitted both the fields, and they are the same
+        if (!Post::val('pass1') || strlen(trim(Post::val('magic_url'))) !== 32) {
+            Flyspray::show_error(L('erroronform'));
+            break;
+        }
+
+        if ($fs->prefs['repeat_password'] && Post::val('pass1') != Post::val('pass2')) {
+            Flyspray::show_error(L('passnomatch'));
+            break;
+        }
+
+        $new_pass_hash = Flyspray::cryptPassword(Post::val('pass1'));
+        $db->query("UPDATE  {users} SET user_pass = ?, magic_url = ''
+                     WHERE  magic_url = ?",
+        array($new_pass_hash, Post::val('magic_url')));
+
+        // TODO: Log event in a later version.
+
+        $_SESSION['SUCCESS'] = L('passchanged');
+        Flyspray::redirect($baseurl);
+        break;
+
+        // ##################
+        // making a task private
+        // ##################
+    case 'makeprivate':
+        // TODO: Have to think about this one a bit more. Are project manager
+        // rights really needed for making a task a private? Are there some
+        // other conditions that would permit it? Also making it back to public.
+        if (!$user->perms('manage_project')) {
+            break;
+        }
+
+        $db->query('UPDATE  {tasks}
+                       SET  mark_private = 1
+                     WHERE  task_id = ?', array($task['task_id']));
+
+        Flyspray::logEvent($task['task_id'], 3, 1, 0, 'mark_private');
+
+        $_SESSION['SUCCESS'] = L('taskmadeprivatemsg');
+        break;
+
+        // ##################
+        // making a task public
+        // ##################
+    case 'makepublic':
+        if (!$user->perms('manage_project')) {
+            break;
+        }
+
+        $db->query('UPDATE  {tasks}
+                       SET  mark_private = 0
+                     WHERE  task_id = ?', array($task['task_id']));
+
+        Flyspray::logEvent($task['task_id'], 3, 0, 1, 'mark_private');
+
+        $_SESSION['SUCCESS'] = L('taskmadepublicmsg');
+        break;
+
+        // ##################
+        // Adding a vote for a task
+        // ##################
+    case 'details.addvote':
+        if (Backend::add_vote($user->id, $task['task_id'])) {
+            $_SESSION['SUCCESS'] = L('voterecorded');
+        } else {
+            Flyspray::show_error(L('votefailed'));
+            break;
+        }
+        // TODO: Log event in a later version.
+        break;
+
+
+	// ##################
+	// Removing a vote for a task
+	// ##################
+	# used to remove a vote from myprofile page
+	case 'removevote':
+	# peterdd: I found no details.removevote action in source, so details.removevote is not used, but was planned on the task details page or in the old blue theme?
+	case 'details.removevote':
+		if (Backend::remove_vote($user->id, $task['task_id'])) {
+			$_SESSION['SUCCESS'] = L('voteremoved');
+		} else {
+			Flyspray::show_error(L('voteremovefailed'));
+			break;
+		}
+		// TODO: Log event in a later version, but also see if maybe done here Backend::remove_vote()...
+	break;
+
+
+        // ##################
+        // set supertask id
+        // ##################
+    case 'details.setparent':
+        if (!$user->can_edit_task($task)) {
+            Flyspray::show_error(L('nopermission'));//TODO: create a better error message
+            break;
+        }
+
+        if (!Post::val('supertask_id')) {
+            Flyspray::show_error(L('formnotcomplete'));
+            break;
+        }
+
+        // check that supertask_id is not same as task_id
+        // preventing it from referring to itself
+        if (Post::val('task_id') == Post::val('supertask_id')) {
+            Flyspray::show_error(L('selfsupertasknotallowed'));
+            break;
+        }
+ 
+	// Check that the supertask_id looks like unsigned integer
+	if ( !preg_match("/^[1-9][0-9]{0,8}$/", Post::val('supertask_id')) ) {
+		Flyspray::show_error(L('invalidsupertaskid'));
+		break;
+	}
+	
+	$sql = $db->query('SELECT project_id FROM {tasks} WHERE task_id = ?', array(Post::val('supertask_id')) );
+	// check that supertask_id is a valid task id
+	$parent = $db->fetchRow($sql);
+	if (!$parent) {
+		Flyspray::show_error(L('invalidsupertaskid'));
+		break;
+	}
+
+	// if the user has not the permission to view all tasks, check if the task
+	// is in tasks allowed to see, otherwise tell that the task does not exist.
+	if (!$user->perms('view_tasks')) {
+            $taskcheck = Flyspray::getTaskDetails(Post::val('supertask_id'));
+            if (!$user->can_view_task($taskcheck)) {
+                Flyspray::show_error(L('invalidsupertaskid'));
+                break;
+            }
+	}
+
+        // check to see that both tasks belong to the same project
+        if ($task['project_id'] != $parent['project_id']) {
+            Flyspray::show_error(L('musthavesameproject'));
+            break;
+        }
+
+        // finally looks like all the checks are valid so update the supertask_id for the current task
+        $db->query('UPDATE  {tasks}
+                       SET  supertask_id = ?
+                     WHERE  task_id = ?',
+        array(Post::val('supertask_id'),Post::val('task_id')));
+
+        // If task already had a different parent, then log removal too
+        if ($task['supertask_id']) {
+            Flyspray::logEvent($task['supertask_id'], 33, Post::val('task_id'));
+            Flyspray::logEvent(Post::val('task_id'), 35, $task['supertask_id']);
+        }
+
+        // Log the events in the task history
+        Flyspray::logEvent(Post::val('supertask_id'), 32, Post::val('task_id'));
+        Flyspray::logEvent(Post::val('task_id'), 34, Post::val('supertask_id'));
+
+        // set success message
+        $_SESSION['SUCCESS'] = L('supertaskmodified');
+
+        break;
+    case 'notifications.remove':
+        if(!isset($_POST['message_id'])) {
+            // Flyspray::show_error(L('summaryanddetails'));
+            break;
+        }
+
+        if (!is_array($_POST['message_id'])) {
+            // Flyspray::show_error(L('summaryanddetails'));
+            break;
+        }
+        if (!count($_POST['message_id'])) {
+            // Nothing to do.
+            break;
+        }
+
+        $validids = array();
+        foreach ($_POST['message_id'] as $id) {
+            if (is_numeric($id)) {
+                if (settype($id, 'int') && $id > 0) {
+                    $validids[] = $id;
+                }
+            }
+        }
+
+        if (!count($validids)) {
+            // Nothing to do.
+            break;
+        }
+
+        Notifications::NotificationsHaveBeenRead($validids);
+        break;
+    case 'task.bulkupdate':
+        # TODO check if the user has the right to do each action on each task id he send with the form!
+        # TODO check if tasks have open subtasks before closing
+        # TODO SQL Transactions with rollback function if something went wrong in the middle of bulk action
+        # disabled by default and if currently allowed only for admins until proper checks are done
+        if(isset($fs->prefs['massops']) && $fs->prefs['massops']==1 && $user->perms('is_admin')){
+
+        // TODO: Log events in a later version.
+
+        if(Post::val('updateselectedtasks') == "true") {
+            //process quick actions
+            switch(Post::val('bulk_quick_action'))
+            {
+                case 'bulk_take_ownership':
+                    Backend::assign_to_me(Post::val('user_id'),Post::val('ids'));
+                    break;
+                case 'bulk_start_watching':
+                    Backend::add_notification(Post::val('user_id'),Post::val('ids'));
+                    break;
+                case 'bulk_stop_watching':
+                    Backend::remove_notification(Post::val('user_id'),Post::val('ids'));
+                    break;
+            }
+
+            //Process the tasks.
+            $columns = array();
+            $values = array();
+
+            //determine the tasks properties that have been modified.
+            if(!Post::val('bulk_status')==0){
+                array_push($columns,'item_status');
+                array_push($values, Post::val('bulk_status'));
+            }
+            if(!Post::val('bulk_percent_complete')==0){
+                array_push($columns,'percent_complete');
+                array_push($values, Post::val('bulk_percent_complete'));
+            }
+            if(!Post::val('bulk_task_type')==0){
+                array_push($columns,'task_type');
+                array_push($values, Post::val('bulk_task_type'));
+            }
+            if(!Post::val('bulk_category')==0){
+                array_push($columns,'product_category');
+                array_push($values, Post::val('bulk_category'));
+            }
+            if(!Post::val('bulk_os')==0){
+                array_push($columns,'operating_system');
+                array_push($values, Post::val('bulk_os'));
+            }
+            if(!Post::val('bulk_severity')==0){
+                array_push($columns,'task_severity');
+                array_push($values, Post::val('bulk_severity'));
+            }
+            if(!Post::val('bulk_priority')==0){
+                array_push($columns,'task_priority');
+                array_push($values, Post::val('bulk_priority'));
+            }
+            if(!Post::val('bulk_reportedver')==0){
+                array_push($columns,'product_version');
+                array_push($values, Post::val('bulk_reportedver'));
+            }
+            if(!Post::val('bulk_due_version')==0){
+                array_push($columns,'closedby_version');
+                array_push($values, Post::val('bulk_due_version'));
+            }
+            # TODO Does the user has similiar rights in current and target projects?
+            # TODO Does a task has subtasks? What happens to them? What if they are open/closed?
+            # But: Allowing task dependencies between tasks in different projects is a feature!
+            if(!Post::val('bulk_projects')==0){
+                array_push($columns,'project_id');
+                array_push($values, Post::val('bulk_projects'));
+            }
+            if(!is_null(Post::val('bulk_due_date'))){
+                array_push($columns,'due_date');
+                array_push($values, Flyspray::strtotime(Post::val('bulk_due_date')));
+            }
+
+            //only process if one of the task fields has been updated.
+            if(!array_count_values($columns)==0 && Post::val('ids')){
+                //add the selected task id's to the query string
+                $task_ids = Post::val('ids');
+                $valuesAndTasks = array_merge_recursive($values,$task_ids);
+
+                //execute the database update on all selected queries
+                $update = $db->query("UPDATE  {tasks}
+                                     SET  ".join('=?, ', $columns)."=?
+                                   WHERE". substr(str_repeat(' task_id = ? OR ', count(Post::val('ids'))), 0, -3), $valuesAndTasks);
+            }
+
+            //Set the assignments
+            if(Post::val('bulk_assignment')){
+                // Delete the current assignees for the selected tasks
+                $db->query("DELETE FROM {assigned} WHERE". substr(str_repeat(' task_id = ? OR ', count(Post::val('ids'))), 0, -3),Post::val('ids'));
+
+                // Convert assigned_to and store them in the 'assigned' table
+                foreach ((array)Post::val('ids') as $id){
+                    //iterate the users that are selected on the user list.
+                    foreach ((array) Post::val('bulk_assignment') as $assignee){
+                        //if 'noone' has been selected then dont do the database update.
+                        if(!$assignee == 0){
+                            //insert the task and user id's into the assigned table.
+                            $db->query('INSERT INTO  {assigned}
+                                             (task_id,user_id)
+                                     VALUES  (?, ?)',array($id,$assignee));
+                        }
+                    }
+                }
+            }
+
+            // set success message
+            $_SESSION['SUCCESS'] = L('tasksupdated');
+            break;
+        }
+        //bulk close
+        else {
+            if (!Post::val('resolution_reason')) {
+                Flyspray::show_error(L('noclosereason'));
+                break;
+            }
+            $task_ids = Post::val('ids');
+            foreach($task_ids as $task_id) {
+                $task = Flyspray::getTaskDetails($task_id);
+                if (!$user->can_close_task($task)) {
+                    continue;
+                }
+
+                if ($task['is_closed']) {
+                    continue;
+                }
+
+                Backend::close_task($task_id, Post::val('resolution_reason'), Post::val('closure_comment', ''), Post::val('mark100', false));
+            }
+            $_SESSION['SUCCESS'] = L('taskclosedmsg');
+            break;
+        }
+        } # end if massopsenabled
+        else{
+        	Flyspray::show_error(L('massopsdisabled'));
+        }
+    }
-- 
cgit v1.2.3-54-g00ecf