Anthill Changelog

0.2.6 - November 20th, 2003
============================================================================
- serious security fixes with the new attachment handling code; did a semi-
  reversion and included more checks
  NOTE: you will need to modify your apache configuration to look like this:
    <Directory /path/to/anthill/html/attachments>
      Order Deny,Allow
      Deny From All
    </Directory>
  or put "AllowOverride All" in there instead to use the bundled .htaccess
  file.  If you don't, users will still be able to get to the files
  directly via /attachments/1/filename rather than going through our
  wrapper
+ updated README.html with more info
+ new config.inc.php option: $_CONF['forcereturn'] which allows you to use
  the -f option for your MTA to force the Return-Path to be set correctly
  NOTE: You should merge in the changes to your config.inc.php file

0.2.5 - November 6th, 2003
============================================================================
+ new index page (anyone with graphical skills want to make it look a little
  sharper?)
+ new way to handle attachments; the server needs perms to create subdirs
  under attachments/ for this to work... existing attachments are
  automagically moved the first time they are viewed.. thanks to Bas ten
  Berge <sam.ten.berge@hccnet.nl> for his code that I could build on
- some cleanups to how we handle diffs
- multi-lingual stuff is a bit of a mess... starting a cleanup to ensure
  that system comments written to the database (bug reassigned, etc.) are not
  done with gettext and likewise for email... we can't know who is going to be
  reading this, so try to isolate gettext() usage for web display and english
  everywhere else
- when reassigning a bug to component owner, the assigned to value went
  blank so the bug ended up being unassigned; fixed
- remove component change preference
+ component change is now always available via the query page but using a
  different action page to keep delays on loading the page down
+ developers can now do everything with a bug as if they were admin, so pay
  attention when assigning developer access
+ we now make a "back to bug" page when submitting changes to a bug... this
  should prevent duplicate comments by users doing a refresh of the page as
  they might do when we bump back to query.php automatically
+ for reports, default to auto-selecting all products and not the first on
  the list
+ new status: NEEDINFO (NOTE: use the 0.2.4-0.2.5.sql script to upgrade your
  database)
- make the textarea/input/tiny css styles to be a little bigger so they are
  easier to read
+ force the Date: header in all emails; makes things cleaner

0.2.4 - September 30th, 2003
============================================================================
+ force setting error_reporting(0); if you need to debug, set to E_ALL
- fix bug #81 (set charset in headers)
+ add a DOCTYPE to the header
+ README.html replaces README, README.OSX, and TRANSLATORS and is the
  beginning of some real documentation
- fix diff generation for windows users
- use CC: not Cc: as this messes up some windows MTAs
- just use the email address (not name <email>) for the new user email as
  this seems to break some windows MTAs
+ use css for the navbar (class="navbar")
- sort components and products list by name
+ filesystem layout changes; new subdir contains the user-exposed stuff and
  include, etc, contrib, and documents are in the root
  ** NOTE: users may have to change the documentroot to accommodate this
+ removed $rincdir and $wincdir vars; now we can put include/ wherever we
  want because $_CONF['incdir'] is a full path
  ** NOTE: users will have to modify config.inc.php accordingly!
+ moved include/anthill.css to /anthill.css
+ added configurable footer to diff email messages
+ revamped the summary reports; a lot more info is available now
+ new theme: blue (note that this is an "in use" production theme for
  MandrakeSoft bug reporting so the bug rules are specialized)
+ bug rules are now shown in the FAQ page
+ new configuration option allows you to turn on and off the ability for
  owners/admins to change a bug's component after it has been reported (SQL
  update required).  This should only be enabled if you really want this
  because on products with a lot of components it really slows down the
  loading of the bug info.
+ you can now search bugs by a timeframe two ways:  by the date they were
  reported or closed/resolved bugs by date (in this case, the date is the
  last modified date so even if a bug was closed a year ago but someone adds
  a comment, it will show up in the search for "a day ago", etc.)
  (NOTE: if you have custom templates, you will need to update them)
- fixed bug with using 24hr date format not padded with 0's for bug creation
  time and attachment creation
- edit{components,versions,products,users} had the barcol hardcoded; changed
  to use barcol1
- use a lighter grey in the default theme to make it easier to read the menu
  bar
- don't append :en to $BROWSER_LANGUAGE since we don't need it
+ new configuration option allows you to turn on and off showing the "rules
  to good bug reporting" (you will need to update your SQL database with the
  import script in etc/)
+ reporters can now re-open their bugs and modify the url
+ include anthill2rss script contributed by Jilles Oldenbeuving
- security fix: although we don't display admin stuff in query page to non-
  admin/owner, we should really make sure that someone doesn't manually
  stuff the form and set the admin flag; now we make sure they are owner/
  admin before making any changes
+ fix bug #65 (admin/owner can change component of product for bug)
+ fix bug #71 (admin/owner can change version of product for bug)
+ fix bug #73 (reverse sort version field in enterbug)
- fix bug #74 (permanent cookies not working properly)
+ advanced query now has its own page to speed up loading of query.php
+ bug listing page is now sortable by all column criteria (bug #69); however
  sorting is not implemented in the advanced query page
+ make welcome title in theme file consistent with the headers we send
+ lots of return links when editing versions and components (bug #67)
+ alternate colors on bug listings for each row (bug #63)
+ don't display deleted users in the query forms
+ don't display TOVALIDATE in "my new bugs" view (re: Jilles Oldenbeu) 
- use $_SERVER['HTTP_ACCEPT_LANGUAGE'] instead of $HTTP_ACCEPT_LANGUAGE
+ if only one version exists, default to auto-selecting it in enterbug.php

0.2.3 - June 6th, 2003
============================================================================
+ update index page to show all bugs requiring validation (TOVALIDATE)
+ new function d_DrawRules(): loads t_rules() (from theme.php) which
  displays the rules for submitting new bugs prior to allowing a user to
  enter a new bug
+ updated FAQ in template to reference new status types
+ two new status types: TOVALIDATE and NEEDSWORK; should aid in QA
  participation in a bug cycle
- when listing components and versions in editproducts, sort by name
- don't double addslashes() attachment descriptions
- fix bug #62 (improper meta syntax for charset)

0.2.2 - May 15th, 2003
============================================================================
- force order of bugs in case the database is inconsistent (always sort by
  bid ascending)
- update README
- update README.OSX
- be more strict with setting cookies
- fixed a bug where a user who had been deleted and then re-registered was
  unable to log in again
- make comment text entry box larger for comments and initial bug submission
- fix language detection so now languages other than english will be
  displayed
- patch from Dan Lark to make the query page display better in IE

0.2.1 - December 24th, 2002
============================================================================
- NOTE: you will need to modify your config.inc.php and change
  $_CONF['cookie_domain'] from $SERVER_NAME to $_SERVER['SERVER_NAME'] if you
  don't explicitly set it
+ allow admin or owner of component to change the short description of a bug
+ add a test to make sure we are using PHP 4.1.0 or higher
+ new function: do_configtest() which tests config stuff to make sure
  Anthill will work properly
- use $_SERVER['REMOTE_ADDR'] instead of $REMOTE_ADDR (now Anthill works
  with php 4.2.3+)
- use $_COOKIE instead of $HTTP_COOKIE_VARS
- use $_SERVER['SERVER_NAME'] instead of $SERVER_NAME
+ add component as prefix in bug mails (ie. [Bug #100] [tcl] short desc)

0.2.0 - October 19th, 2002
============================================================================
- added dutch language file (thanks to Arnold Ligtvoet)
+ added README.OSX which contains info for Mac OS X users
- fixed bug showing htmlspecialchars in bug text (again)

0.2.0rc3 - September 19th, 2002
============================================================================
+ add ability to list bugs by specifying a range of fixed versions (re:
  Arnold Ligtvoet)
+ add ability to list bugs by specifying product (re: Arnold Ligtvoet)
+ add entry to allow specifying what version a bug is fixed in (free-form)
  (re: Arnold Ligtvoet)
- don't allow null values for components, products, or versions
- editing products no longer shows deleted components/versions
- set Return-Path on diff messages
- cleanup creation of attachments a little

0.2.0rc2 - September 7th, 2002
============================================================================
- lots of setting variables to NULL as this apparently makes Anthill work on
  Win32 where otherwise lots of errors come up (thanks to Oleg
  <oleg@lot.kharkov.ua> for the great help in testing Anthill on Win32)
+ new config variable $_CONF['meta_lang'] to set the value of the meta
  charset tag in the page headers
- redirect empty requests on buglist.php to query.php so our query form is
  only in one place
- rewrote d_mailUser() from scratch; it works on a system where the old
  function did not work previously
- fix bad HTML in preferences page that makes IE display it a little off and
  Konqueror nearly unusable to change user preferences
- fix bug #37; should work with register_globals=Off now
- don't call htmlspecialchars() on user comments before and after saving to
  the dbase as it messes up how comments look (displaying &quot; instead of 
  ")
- fix typo in setcookie() call in user.inc.php
- fix bug in showattachment.php where the mimetype was not being properly
  passed to the browser
- when marking a bug duplicate, run the diff on the other bug as well since
  its description is also updated
- the same version number can now be used in multiple products
- fix bug #42
- fix some minor problems with d_mailUser() (used in the cron email script)
- new test: if safe_mode is on, make sure that diff is in safe_mode_exec_dir
  otherwise we get an inexplicable return error of 127 which diff could never
  generate; so now we test that, if in safe_mode, that safe_mode_exec_dir is
  a) set, and b) that the config option "difftool" is in there
  (unfortunately, it's not too specific as it's a simple regex, but it should
  be fine)
- fix test on whether mdaemonreplyto is set so we don't end up with an extra
  (and empty) Reply-To: header
- make the cc work again in the diff mails
- fix a typo in the SQL upgrade script

0.2.0rc1 - July 24, 2002
============================================================================
+ new functions to the database abstraction layer (postgres support is still
  horrible)
- minor bugfixes
+ add Ali Ziad's awesome super industrial strength query engine (with some
  modifications)
- allow quotes in comments

0.2.0pre3 - July 19, 2002
============================================================================
+ new configurable option: $_CONF['difftool'] which contains the full path
  and filename to the diff utility (defaults to /usr/bin/diff)
+ rework diff-handling so that it will work with PHP's safe_mode.
+ put a default .htaccess in include/ that denies access to all of the .php
  files stored there for some extra safety
+ add a new configurable admin option: mailer daemon reply-to address; if
  set all diff messages will be tagged with the address specified in the
  Reply-To header (useful for mailing lists if people want to reply to the
  daemon's messages since the daemon itself may not be a "real" email 
  address)
- if the To: and CC: fields are identical, drop the CC; if the CC contains
  the same address more than once (ie. reporter adds themself to the CC list),
  filter the CC list so it only sends one email to the address (see bug #22)
+ do duplicate checking for components, versions, and products
+ you can no longer remove the administrator user
+ if deleting a user who is the owner of some components, reassign the
  components to another user
+ if deleting a user who is the owner of some bugs, reassign the bugs to
  another user
+ no longer really delete components, products, or versions; we just flag
  them deleted (like users)
+ we now check to make sure that the gpg dir, attachments dir, tmp dir, and
  shadow dir are writable by the webserver user (ie. apache, etc.).  If any of
  these directories are not writable, we print a warning in bold red at the
  very top of any given page to indicate the problem, but don't "shut off" the
  site (this will help narrow down some mis-configurations)
+ we no longer really delete users; we simply "flag" them as deleted.  This
  keeps the user information available, but the user is unable to login. 
  Duplicate checking is not done against deleted users, so to "re-enable" a
  deleted user, they must create a new account
+ new column in bugdesc: system; set to 1 if this is a system-written
  comment (and thus trusted), 0 if this is user-supplied (untrusted).  We do
  all the sanitizing on user comments but leave system comments alone so that
  we can embed HTML tags (ie. for duplicate bugs we can link directly to the
  bug, etc.)
- fixed bug #40
- fixed contributor email not showing up in diff reports
+ owners and admins can now change the resolution priority and severity of
  bugs (see bug #27 and #32)
+ add support for automatic email CC based on component; this can only be
  modified by a site admin in the preferences for that component.  It allows
  multiple users who may not be the owner of the component to get cc'd on new
  bugs reported on that component by automatically adding them to the bug's
  autocc list (see bug #33)
- reports should only show developers; basic users cannot own bugs so no
  point in listing them
- fix closed site settings; now we check if the site is closed AND if a user
  is logged in, instead of OR
- make sure that all include() that contain variables (ie. $rincdir) check
  that the file exists before opening
+ only list developers who can own bugs when submitting a new bug (instead
  of everyone)
- fixed bug #38
- fixed bug #39
+ minimum requirement: PHP 4.1; now we use $_REQUEST to get POST/GET
  variables so that safemode will work if enabled
- fix some more stupid typos
- fix text reporting (was using the old config vars for the date/time
  formats)
- really fix the new user registration bug (no more sessions stored in users
  table)

0.2.0pre2 - June 13, 2002
============================================================================
- some other small typo fixes
- liberally use htmlspecialchars() all over the place to prevent things like
  cross-site scripting vulnerabilities; ie. all user input is untrusted and
  should be treated as such.  As an aside, Anthill was featured on bugtraq
  with this problem, here are the references:
    http://www.vmlinuz.ca/archives/bugtraq/2002-04/msg00100.html
    http://online.securityfocus.com/bid/4443
    http://online.securityfocus.com/bid/4442
  These issues are now resolved with this release
- add some more fixes to prevent un-authenticated users from getting into
  reports, bug entries, and bug listings.
- changed index page to not display the Problem Tracking column if the
  global preferences are set to "Closed Site" (aka no new users allowed)
- changed d_DrawNav() to use index.php as home instead of $webroot
+ added include/reportengine.php, etc/testreportengine.php, textreport.php,
  contributed by John Ham.  The reportengine.php file is a set of routines
  to ease generation of a text mode report suitable for printing on almost
  any printer.  The testreportengine.php script can be run stand-alone with
  a php executable to test the report engine code.  It serves as a trivial
  example of how to use the reportengine.php routines.  The textreport.php
  file actually implements a full dump of the bug information for all bugs
  in the database as a text mode report using reportengine.php, and shows
  what would be a more typical use of the reportengine.php code.  Thanks
  John for this beautiful reporting code!
+ add developer and basic user access levels:  basic users can open bug
  reports, report on them, etc.  developers actually get to own bug reports
  (users can no longer assign themselves bugs)
- fixes to session support
+ add user-definable session timeouts
- fixed a bug that changes to a bug would be committed even if the user's
  session expired (auto-logout)
- fixed some password changing bugs that were due to old session support

0.2.0pre1 - February 22, 2002
============================================================================
+ added README.1st for very important (ie. security-like) info
+ added three mailing lists:  anthill-announce@vmlinuz.ca (announcements,
  read-only), anthill-workers@vmlinuz.ca (development list), and
  anthill-users@vmlinuz.ca (user discussion list).  To subscribe, email
  listname-subscribe@vmlinuz.ca (ie. anthill-announce-subscribe@vmlinuz.ca)
+ optimized GPG upload code; now we make sure that what is uploaded is a
  valid GPG or PGP keyfile before saving it
- fixed bug where keyword search would print a PHP error on no matching
  keywords (ie. if return list is empty)
+ new session support for logins based on GeekLog session support
+ support for marking bugs CLOSED (not resolved), VERIFIED (fix in
  progress), and UNCONFIRMED (don't know if it's valid or not)... the status
  types have been in there forever, we just never used them (this will help
  to better track the life of a bug)
+ don't ask for product if only one defined product on the system
+ support for creating attachments associated with bugs
- fix HTML code parsing in comments; sanitize comments when saving them to
  the dbase instead of when displaying, this allows us to use HTML tags in
  system comments, etc.
+ make duplicate bugs link to each other in comments
+ cron script to mail users periodically with NEW and UNRESOLVED status bugs
  (contributed by Donncha O Caoimh <donncha@linux.ie>); this is a PHP script
  executed on the commandline so users must have a standalone PHP executable
  in order to use it
+ new file: upgradepw.php which will generate new passwords for users and
  email them (new md5 passwords); this file is located in etc/ and should be
  removed after the upgrade
+ use md5 passwords instead of crypt passwords
+ add database abstraction layer (only support MySQL for now, but the layer
  is there to add support for others); based on phplib
+ add website URL to new user/new password email messages so people know
  what site the message is coming from
+ all configuration variables are now wrapped in the _CONF array to make it
  easier to access (also makes code easier to understand); NOTE: you will
  need to reconfigure Anthill's config.inc.php because of this 
+ new config file: config.inc.php; all configuration options will be here
  and here alone (no more mixing with site initialization)

0.1.6.1 - February 18, 2002
============================================================================
- fixed bad bug where if the admin changes a user's settings but does not
  change the password (ie. password fields are blank) the user's password
  would be set to a NULL value, allowing the user to login without entering a
  password
- don't parse HTML code in comments during display as the code may mess up
  page displays
- fixed README to include info regarding ownership of shadow/, tmp/ and gpg/
  directories
- fixed bug when posting new bug with URL entry having a leading space
- fix bug#12 (http://anthill.vmlinuz.ca/anthill/query.php?bug=12); List all
  bugs for user in buglist.php uses the input drop box for List all bugs
  reported by

0.1.6 - January 26, 2002
============================================================================
+ show Product in the buglist view
- fixed bug where comments would be lost when re-assigning the ownership of
  a bug
- fixed annoying bug that would change creation time of the bug to the
  current time whenever you changed a bug's status (this is due to having two
  timestamp fields in the bugs dbase instead of one.. creation is now
  varchar(16) and modified remains timestamp (modified was not being updated
  because creation appeared in the dbase first))
- modified anthill.css to use pixels not points (drawback is it looks good
  in Mozilla/Galeon but very small in Netscape)
+ Reported column on reports page to see how many bugs each user has
  reported (re: Donncha O Caoimh)
+ email diffs are now cc'd to the person who reported the bug (re: Donncha O
  Caoimh)
+ added info in README regarding pre-req of gettext support in PHP
+ added chinese translation courtesy of Joe Man <trmetal@yahoo.com.hk>

0.1.5 - October 6, 2001
============================================================================
- made it so anonymous users cannot post bug reports (index page displayed
  link for all and submission did not check to see if a user was logged in)
+ implemented history tracking per bug (tracks status changes, state
  changes, user reassignments, etc.)
- made unassigned bugs on reports page show up as "Unassigned"
- removed gettext() calls from generated diff emails (everything goes out in
  english now)... the problem was the strings in the diff files were being
  written and translated depending on the user's language settings (big
  mess)
+ added "view all unresolved bugs" to main page and buglist
+ added italian translation courtesy of Mandelli Alesandro
  <almasoft@almasoft.it>
+ added french translation courtesy of Christophe Gonnet 
  <info@eurolidays.com>

0.1.4 - September 19, 2001
============================================================================
- moved password salt from site.inc.php to site preferences page
- moved Admin Access Level definition to site preferences page
+ added ability to use HTTP_AUTH to validate users instead of requiring
  internal mechanism
- change password storage from plaintext to crypt
- fix language processing so that if it is english first, we don't set
  $LANGUAGE or bind to a domain (prevents things like en:es:en showing
  spanish instead of english)
+ added reports per product
+ added reporternew type to buglist (reports new bugs you reported)
+ added menu to index page
+ added support for storing GPG/PGP keys on server
- changed sorting of comments to by date not by id
- rewrote language system, use gettext() now instead of defines
- fixed search problems
- fixed bug with changing user preferences
+ added support to edit user access levels
+ added URL field for bugs
+ implemented new template system
- language system is now per-user, not system-wide (based on language
  preference selected in user's browser)
+ added default bug state (private/public)
+ added autocc for automatic cc's of each bug (good for ml's)
+ added admin user editing form
+ added new user selection (allow or disallow)
+ added private/public bug types
+ use CSS for templates
- use *.inc.php for includes instead of *.inc (protection from external
  viewing)
- fixed URLs (do not assume http://)
+ add URL field for bugs
+ added support to re-open bugs
- finished admin interface


0.1.3 - May 20, 2001
============================================================================
- first functional semi-public release

$Id: CHANGES,v 1.45 2003/11/21 06:21:13 vdanen Exp $