Change Log - MantisBT

Feature and maintenance release. New configuration options were added to control access to Export and Print Report features (see 0022224). The default value for the latter was set to UPDATER for security reasons (see 0025492); to restore earlier behavior, administrators should set $g_print_reports_threshold = VIEWER;.

0029585: [email] Unable to set the In-Reply-To header to a domain different from the current one (community)
0029454: [email] monitor receives no mails if he is not project member (atrol)
0029583: [email] Support for sending emails with CC and/or BCC (community)
0030283: [html] Invalid 'literal' tag used in MantisCoreFormatting language strings (dregad)
0027114: [ui] Long unbreakable text does not auto wrap in bug details page (community)
0022224: [bugtracker] Access Restrictions to "Print Reports", "CSV Export", "Excel Export" in view all bugs page (dregad)
0025492: [security] Printing (print_all_bug_page) is a perf/security risk (dregad)
0030192: [change log] Changelog/Roadmap items are printed without any structure (dregad)
0028618: [bugtracker] Category empty but required does not prevent form submission on Firefox Windows and Safari (dregad)
0028902: [db mssql] APPLICATION ERROR 0000401 / Error MSSQL 4145 when view all bugs for 1000 projects or more (atrol)
0029903: [relationships] Wrong html syntax
0022109: [ui] Bugnotes links tilde ' ~' sign rendered as dash '-' in View page (dregad)
0028964: [tools] New build script to download updated font files (dregad)
0029882: [tools] Enable PHP 8.1 builds on Travis-CI (dregad)
0029025: [email] Update PHPMailer to 6.6.0 (dregad)
0029616: [bugtracker] collapse_settings cookie is hardcoded (dregad)
0029611: [bugtracker] Cookies "SameSite" attribute triggers warnings in Firefox console (dregad)
0028122: [administration] Improve handling of project assignment in manage_user_edit_page.php (dregad)
0022371: [wiki] Support for WackoWiki (dregad)
0029517: [authentication] Login redirection to plugin credentials page for non-existent user (community)
0028015: [db schema] Update ADOdb to 5.21.4 (dregad)
0029511: [installation] MSSQL blocking error during installation. (dregad)
0029269: [administration] Filter settings are not available on "Workflow Thresholds" page (atrol)
0028965: [attachments] Show issue attachments along with issue header information (vboctor)
0029230: [ldap] Can't set a custom field for ldap email (dregad)
0026148: [ui] Add hash to MantisBT CSS files to force browser cache update (vboctor)
0029027: [other] function gpc_set_cookie() ignores $p_httponly argument (community)
0028963: [administration] Do not buffer output for CLI scripts (dregad)
0028918: [upgrade] Improve handling of unserialize->json conversion during upgrade (dregad)
0027383: [administration] Refactor and improve output of 'test_langs.php' admin script (dregad)
0029026: [administration] Language checks should warn about languages not defined in config (dregad)
0028861: [localization] Incorrectly configured saraiki language (dregad)
0008664: [localization] Translation in Espéranto (dregad)
0028905: [localization] String optimizations for English language (atrol)
0028826: [ui] Removing vertical lines in tabular presentation to reduce clutter (community)
0028528: [administration] Outdated PostgreSQL version information in Admin Checks (dregad)
0028648: [localization] New Hindi Language Translation (dregad)
0025956: [installation] Increase minimum PHP requirement to 7.0 (dregad)
0028830: [code cleanup] Remove PHP < 5.4 compatibility code from user_get_all_accessible_projects() (dregad)
0026998: [plug-ins] Event on access level modifications (dregad)
0028533: [bugtracker] print_form_button() generates bad security token name for plugin action page (dregad)
0028668: [localization] Missing language codes in browser's auto map (dregad)
0028182: [ui] progress bar on the title bar (road map) (dregad)
0028525: [administration] Using MySQL 8.0 gives warning in admin checks (atrol)
0028114: [code cleanup] Invalid HTML in manage_user_edit_page.php (dregad)
0028124: [ui] Visually align the 1st column's width in manage_user_proj_delete.php (dregad)
0028119: [code cleanup] Calling user_get_field() with non-existing user throws incorrect warning (dregad)
0028120: [performance] Improve performance of user_pref_clear_invalid_project_default() (dregad)

Maintenance release fixing a couple of regressions introduced in 2.25.3, loading a JavaScript library from CDN and initializing the path on PHP 5.6.

0029991: [installation] Javascript error in browser console when upgrading (dregad)
0024393: [db mssql] APPLICATION ERROR 401 Database query failed. Error received from database was #-52: SQLState: IMSSP (dregad)
0029751: [authorization] APPLICATION ERROR #13 (access denied) while creating new user when theshold configured as MANAGER in administration interface (atrol)
0029857: [bugtracker] Errors trying to load moment.js library from CDN (dregad)
0029853: [bugtracker] $g_path incorrectly set in config_defaults_inc.php on PHP 5.6 (dregad)
0030077: [installation] Installer's Oracle-specific warning regarding identifiers' length is shown initially for MySQL (dregad)
0030178: [authorization] Update issue icon on "My View" page is displayed even without having appropriate access rights (atrol)
0030182: [authorization] Update issue icon on "View Issues" page is displayed even without having appropriate access rights (atrol)

Security and maintenance release, fixing vulnerabilities in CSV Export (CVE-2021-43257) and Plugins management pages (CVE-2022-26144), as well as in bundled libraries guzzlehttp/psr7 (CVE-2022-24775) and moment.js (CVE-2022-24785). It also addresses several PHP 8.1 compatibility issues.

0029849: [security] Update moment.js to 2.29.2 (dregad)
0029485: [security] Update ADOdb to 5.20.21 (dregad)
0029848: [security] Update guzzlehttp/psr7 to 1.8.5 (dregad)
0029034: [api soap] SOAP call mc_project_get_id_from_name fails when there is no matching project in PHP 7.2 (community)
0029846: [bugtracker] Passing null to parameter of type XXX is deprecated (dregad)
0028927: [api rest] Slim Application Error when RestFault generated (community)
0029845: [bugtracker] Constant FILTER_SANITIZE_STRING is deprecated (dregad)
0029130: [security] CVE-2021-43257: CSV Injection with CSV Export Feature (dregad)
0029144: [attachments] Adding an attachment with a long filename causes "Data too long for column 'filename'" application error (dregad)
0029181: [bugtracker] 'format_issue_summary' custom function not called from View Issue Details page (dregad)
0029416: [ui] Missing closing div tag causes incorrect page footer display (dregad)
0029462: [installation] Unable to install (dregad)
0029413: [custom fields] APPLICATION ERROR 1300 Custom field not found with case-sensitive database (dregad)
0029688: [security] CVE-2022-26144: XSS in manage_plugin_page.php and manage_plugin_uninstall.php (dregad)

Security and maintenance release, fixes a couple of vulnerabilities in PHPMailer and Chart.js libraries, as well as a few other minor issues.

0028106: [administration] Error removing project (dregad)
0028530: [security] Update PHPMailer to 6.4.1 (fixes CVE-2020-36326) (dregad)
0028084: [ui] Labels for email notifications in User Prefs page appear in bold (dregad)
0028082: [ui] Project Edit Page does not display check boxes (dregad)
0028076: [plug-ins] Bundled plugins 2.25.0: incorrect Mantis requirement (dregad)
0028080: [ui] Unsightly vertical offset of the "Update Prefs" and "Reset Prefs" buttons. (dregad)
0028112: [ui] Incorrect spacing between icon and text on manage_user_edit_page.php (dregad)

This feature and maintenance release contains over 100 fixes and enhancements; among many other things, it improves PHP 8 compatibility, LDAP authentication and invalid plugins management. It also includes a schema change, so do not forget to upgrade the database as documented in the Admin Guide.

Please note that this will be the last release supporting PHP 5; starting with MantisBT 2.26.0, the minimum PHP version will be 7.0 - read the official announcement at https://mantisbt.org/blog/archives/mantisbt/678.

0015361: [ldap] Add STARTTLS Support to LDAP (community)
0026142: [plug-ins] Improve handling of invalid / incorrectly installed plugins (dregad)
0017487: [plug-ins] Validate plugin folder name and name match during setup (dregad)
0026143: [plug-ins] Admin checks should detect invalid / incorrectly installed plugins (dregad)
0025981: [other] Custom Field doesn't complete with {today} when closing or resolving (dregad)
0026920: [authorization] reporter allowed to close (vboctor)
0027144: [code cleanup] Data integrity: ensure users' default_project preference is a valid project (dregad)
0027574: [ui] Manage users edit page: inconsistent spacing between sections (dregad)
0027827: [attachments] Improve pop-up description for file icons (dregad)
0027118: [security] Update PHPMailer to 6.3.0 (dregad)
0027828: [html] Standardize the way fontawesome icons are printed (dregad)
0026811: [authentication] Username regex is too strict by default (community)
0026617: [documentation] Admin Guide has various broken links, obsolete info, etc. (dregad)
0026798: [administration] PHP warning in config_get_global (dregad)
0026822: [ldap] LDAP configuration options can be set in database (atrol)
0026821: [code cleanup] Standardize access of option database_version (atrol)
0026839: [printing] Viewer does not get Selection column in View Issues or Print Reports lists (atrol)
0026823: [ui] Upgrade to fontawesome version 4.7.0 (syncguru)
0026840: [preferences] Non existing field name os_version used where os_build should be used (atrol)
0026861: [ui] "Move" functionality offered for users that have just access to a single project (atrol)
0026884: [administration] Misleading e-mail notification following password reset by admin (dregad)
0026887: [sub-projects] Project Menu Bar does not indent subprojects properly (dregad)
0026889: [code cleanup] Implement ConfigsGetCommand and use from REST API (vboctor)
0026890: [code cleanup] Implement LocalizedStringsGetCommand and use from REST API (vboctor)
0026891: [api rest] /config REST API endpoint reports users as not found when they exist (vboctor)
0026892: [administration] Attachment settings not available on "Workflow Thresholds" page (atrol)
0026919: [api rest] Upgrade guzzlehttp/guzzle from 6.5.2 to 6.5.5 (dregad)
0026930: [code cleanup] Use user_is_login_request_allowed() instead of duplicating the logic (dregad)
0026963: [ui] Username field in Monitor box triggers password managers (vboctor)
0026964: [bugtracker] Admin check always has "WARN" for magic_quotes checks (PHP 7.4) (atrol)
0027005: [time tracking] User list in time tracking summary is not sorted (dregad)
0027117: [administration] SQL syntax error on manage_user_page (atrol)
0027122: [plug-ins] 3rd-party plugins cannot use chart.js library bundled with MantisGraph (dregad)
0027123: [javascript] MantisGraph: stop using chart.js bundled build (dregad)
0027124: [plug-ins] MantisGraph: update Chart.js library to v2.9.3 (dregad)
0027129: [filters] Preserving filters does not work correctly on sub-sub-projects (dregad)
0027155: [bugtracker] Update securimage to 3.6.8 (dregad)
0011463: [localization] Confusing message when selecting a project to enter an issue (dregad)
0026888: [code cleanup] Refactor printing of project selection menus (dregad)
0026962: [code cleanup] Remove unused bug_monitor_list_view_inc.php file (vboctor)
0026974: [installation] Required PHP json extension not documented and checked (atrol)
0026988: [preferences] issue report TOO_MANY_REDIRECTS (dregad)
0027145: [code cleanup] Convert Project and User Pref APIs to use DbQuery class (dregad)
0027160: [ui] Wrong page position after bugnote add/edit (atrol)
0027808: [ui] Questionable UI / button on "Edit Project Category" page (atrol)
0027217: [bugtracker] bugnote_clear_cache() does not work properly (dregad)
0027241: [localization] Improve handling of missing language strings (dregad)
0027242: [bugtracker] Allow printing of standard confirmation alerts without buttons (dregad)
0027256: [bugtracker] Refactor Profiles management pages to display a list of records (dregad)
0027257: [bugtracker] It is not possible to clear the Default Profile (dregad)
0027259: [bugtracker] Profile-related operations lack confirmations (dregad)
0027260: [ui] Confusing redirection when editing profiles (dregad)
0027258: [code cleanup] Code cleanup around User/Global Profiles (dregad)
0027300: [documentation] Fix discrepancies in documentation for $g_display_errors (dregad)
0027302: [plug-ins] Force-installed plugins are not registered in order of priority (dregad)
0027375: [filters] search field at project-selection is not working anymore (dregad)
0027387: [administration] Manage user page table footer is displayed even when empty (dregad)
0027384: [other] Upgrade release build scripts to Python3 (dregad)
0027463: [administration] Sticky setting not available on "Workflow Thresholds" page (atrol)
0027576: [custom fields] Incorrect error message when reporting issue with a custom field failing validation (dregad)
0027575: [code cleanup] Remove obsolete 'posted' form param when reporting new issue (dregad)
0027573: [code cleanup] PHP notice in manage_user_edit_page.php when given invalid user id (dregad)
0027584: [documentation] Out of the box Mantis does not display either a Dependancy or Relationship Graph (dregad)
0027700: [bugtracker] Standardize on IEEE 1541 units (KiB, MiB) for file sizes (dregad)
0027701: [code cleanup] System notice in lang_error_handler (atrol)
0027703: [code cleanup] Error handlers use deprecated context parameter (atrol)
0027768: [administration] When deleting a project, there should be information of how many (if any) issues are affected (dregad)
0027802: [code cleanup] Remove Project Info page (atrol)
0008066: [bugtracker] clickable summaries in view issues page (community)
0012961: [plug-ins] Plugin_force_uninstall is not declared (dregad)
0025764: [email] Enable S/MIME signed e-mail notifications (dregad)
0026481: [api rest] Errors in API documentation (vboctor)
0027113: [sql] Error in bug_api.php when UPDATEing a bug (dregad)
0027150: [performance] Non visible image previews are transferred from server to client (atrol)
0027362: [installation] Sourceforge [admin/test_langs.php] File missing from installation packages ( mantisbt-2.24.3.zip & mantisbt-2.24.3.tar.gz) (dregad)
0027796: [installation] Using an empty timezone causes PHP notice on PHP 8 (dregad)
0027817: [administration] Issue revision settings not available on "Workflow Thresholds" page (atrol)
0027829: [tools] TravisCI: add PHP 8.0 to tests, and switch to bionic build environment (dregad)
0027830: [db postgresql] PHP 8.0 PostgreSQL builds fail due to deprecated pg_fieldsize() function (dregad)
0026837: [db mssql] Update ADOdb to 5.20.20 (dregad)
0027833: [code cleanup] Unneeded code for option display_project_padding (atrol)
0027839: [change log] No hyperlinks in Changelog and Roadmap release notes (dregad)
0027848: [ldap] Changed default $g_ldap_protocol_version from 0 to 3. (community)
0027849: [ldap] LDAP server must be specified as an URI (community)
0027853: [security] Printing unsanitized user input in account_prof_edit_page.php (atrol)
0027881: [plug-ins] Tag attach group action doesn't trigger EVENT_TAG_ATTACHED (vboctor)
0027882: [plug-ins] Create cronjob script and plugin event (vboctor)
0027884: [administration] Some config options can be set in database, but should be configurable just in config_inc.php (atrol)
0027914: [custom fields] Custom date field with default value left blank even when field is required (dregad)
0027958: [ui] Inconsistent form input labels' font size when HTML label element is used (dregad)
0027969: [api rest] Incorrect documentation for tags (vboctor)
0027972: [ui] Left-align the Send Reminder textarea (dregad)
0027973: [api rest] REST API update issue triggers errors if payload is empty (dregad)
0027978: [ui] Horizontal rules (<hr> tag) are nearly invisible (dregad)
0027981: [api soap] mc_issue_update() throws system warning when Project not specified in IssueData (dregad)
0027982: [db schema] Email field in mantis_email_table is shorter than user email in mantis_user_table (vboctor)
0026665: [custom fields] Custom fields with comma can't be used in Manage Config Columns page (dregad)
0026903: [code cleanup] Move release scripts to main repository (vboctor)
0027298: [code cleanup] Remove unused and regroup duplicated language strings (dregad)
0027950: [custom fields] Validate date custom fields default value format (dregad)
0027956: [custom fields] Remove need to use {} for dynamic dates in custom fields default value (dregad)
0027983: [documentation] Improve Custom Fields documentation (dregad)
0027992: [documentation] Remove helper_alternate_class() calls from Developers Guide and document alternative (dregad)
0027993: [documentation] Host the Example Plugin from the Developers Guide in a repository in mantisbt-plugins organization (dregad)
0027994: [administration] "Add Version" without entering a version number outputs "Operation successful" though no version has actually been added (dregad)
0028002: [code cleanup] New API function to get User Id by cookie string (dregad)
0025998: [documentation] REST API documentation (vboctor)

Security and maintenance release, addressing 6 CVEs: an XSS issue, an SQL injection in the SOAP API and several information disclosure issues including a critical one allowing full access to private issues' contents. All installations are strongly advised to upgrade as soon as possible.

Many thanks to randomdhiraj, ethicalhcop and d3vpoo1 (https://gitlab.com/jrckmcsb), for identifying and responsibly reporting these security issues.

This release also includes a few PHP 8.0 compatibility fixes, including a major one causing an access denied error for all users when updating issues.

0027361: [security] Private category can be access/used by a non member of a private project (IDOR) (dregad)
0027357: [security] Attacker can leak private information via different functionality (dregad)
0027728: [security] CVE-2020-29604: Full disclosure of private issue contents, including bugnotes and attachments (dregad)
0027726: [security] CVE-2020-29603: Disclosure of private project name (dregad)
0027727: [security] CVE-2020-29605: Disclosure of private issue summary (dregad)
0027779: [security] CVE-2020-35571: XSS in helper_ensure_confirmed() calls (dregad)
0026794: [security] User Account - Takeover (dregad)
0027363: [security] Fixed in version can be changed to a version that doesn't exist (dregad)
0027350: [security] When updating an issue, a Viewer user can be set as Reporter (dregad)
0027370: [security] CVE-2020-35849: Revisions allow viewing private bugnotes id and summary (dregad)
0027495: [security] CVE-2020-28413: SQL injection in the parameter "access" on the mc_project_get_users function throught the API SOAP. (dregad)
0027806: [bugtracker] Impossible to edit issues with PHP8 (dregad)
0020690: [bugtracker] inconsistent UI for view bugnote revision (dregad)
0027799: [bugtracker] Adapt Error handler to PHP 8 (dregad)
0027704: [javascript] Javascript error in View Issues page (dregad)
0027465: [code cleanup] Declaring a required parameter after an optional one is deprecated in PHP 8 (atrol)
0027464: [printing] print_manage_user_sort_link Function Parameter Required after Optional (atrol)
0027444: [security] Printing unsanitized user input in install.php (atrol)

Security release including 3 CVEs. Many thanks to d3vpoo1 (https://gitlab.com/jrckmcsb) for identifying most of the issues.

0027268: [security] Admin can get issues assigned to users not allowed to handle them (dregad)
0027039: [security] CVE-2020-25781: Access to private bug note attachments (dregad)
0027275: [security] CVE-2020-25288: HTML Injection on bug_update_page.php (dregad)
0027276: [security] Send reminder to viewer (dregad)
0027283: [security] Admin can set viewer as a tag creator (dregad)
0027284: [plug-ins] Priority can override to any positive integer (dregad)
0027299: [code cleanup] Remove code duplication in File API (dregad)
0027303: [code cleanup] When processing categories, it is not necessary to know the project id (dregad)
0027304: [security] CVE-2020-25830: HTML Injection in bug_actiongroup_page.php (dregad)

Security and maintenance release

0026631: [security] file_get_visible_attachments shows private files that should be invisible to the user (vboctor)
0026893: [security] APIs expose private attachments to users who has access to issue but not private notes (vboctor)
0026781: [bugtracker] changed project order / sequence (dregad)
0026805: [attachments] Attachments box is invisible when notes are private by default (vboctor)
0026835: [attachments] Database Server error while adding file to project (atrol)
0026838: [bugtracker] OS build field not filled in viewing mode (atrol)
0026880: [administration] Impossible to reset user's password (dregad)
0026881: [documentation] Documentation for REST API /users/{id}/reset missing (vboctor)
0026885: [api rest] Resetting password for protected user via REST API should fail (dregad)
0026921: [bugtracker] View Issue page does not show "Product Build" (wrong key names in code) (atrol)

0026686: [bugtracker] Make category on bug_report_page a required field when $g_allow_no_category = OFF; (dregad)
0026475: [email] Update phpmailer/phpmailer from 6.1.3 to 6.1.4 (dregad)
0026632: [api rest] Support user password reset via REST API (community)
0026598: [db mssql] Update ADOdb to 5.20.16 (dregad)
0026439: [ui] Issue list throws warning on every issue without bug notes. (dregad)
0026441: [api rest] Update GuzzleHttp from 6.4.1 to 6.5.2 (dregad)
0026473: [ui] Incorrect CSS rules get applied if a word in custom field name matches an existing CSS class (atrol)
0026567: [code cleanup] Code Cleanup (atrol)
0022142: [ui] on mantisbt.org Roadmap progress bar 'data-percent' class could stand out better (syncguru)
0026555: [reports] Wrong number of displayed rows on summary page (atrol)
0026572: [code cleanup] Remove $g_log_destination 'firebug' option, as the project is dead since 2017 (dregad)
0026589: [documentation] Admin Guide: remove doc for long-deprecated $g_ldap_port config (dregad)
0026636: [installation] Apostrophe in custom_field_string table causes upgrade from < 1.2.0 to fail (dregad)
0026612: [plug-ins] Improve MantisColumn sort capability to allow sorting by more complex expressions (cproensa)
0026621: [filters] Wrong filtering by none-relationship (cproensa)
0026623: [ui] Generate token with empty name and APPLICATION ERROR #11 (dregad)
0009534: [feature] Limit reporter's access to their own issues (cproensa)
0026164: [relationships] Relationship Graph page is missing legend (dregad)
0026163: [relationships] Relationship Graph page UI lacks MantisBT 2.x layout (dregad)
0024600: [filters] BugFilterQuery - issue? - trying to add join & where conditions (cproensa)
0011365: [plug-ins] New Event: EVENT_MENU_ISSUE_RELATIONSHIP (dregad)
0011381: [relationships] Dependency Graph crash on circular parent child relationships (dregad)
0026165: [relationships] Relationship Graph - inconsistency between button label and title (dregad)
0021133: [rss] Access of non existent image in RSS feeds (dregad)
0017594: [reports] Display issue Summary inside relation graph nodes (dregad)
0026661: [installation] Add informational comments to SQL script generated by installer (dregad)
0026778: [customization] Retire bug_change_status_page_fields config option (vboctor)
0009155: [time tracking] Cell coloring for due date indicates "overdue" when not overdue yet. (dregad)
0009155: [time tracking] Cell coloring for due date indicates "overdue" when not overdue yet. (dregad)
0026765: [bugtracker] Inheritance of sub project not read correctly from database (dregad)
0026747: [plug-ins] No equivalent to lang_get_defaulted() in plugin_api() (dregad)
0026662: [installation] Final statement to set database version not logged in SQL script (dregad)
0026712: [ui] Provide a way to 'show content' for all complex items on Manage Configuration Report page (dregad)
0026663: [installation] improve installer messages when generating SQL script (dregad)
0026690: [bugtracker] Mass update does not allow setting an empty category (dregad)
0026687: [bugtracker] Required fields when reporting an issue, should also be when updating it (dregad)
0026664: [installation] Allow admin to reset table pre/suffix to their default values (dregad)
0026541: [api rest] Passing invalid id to rest api custom field update causes program crash (dregad)
0026540: [api rest] Passing unsanitized data to type hinted function causes program crash (dregad)
0026542: [api rest] Passing out of range custom field id causes multiple PHP warnings / incorrect response (dregad)
0026568: [installation] Use appropriate statement to update DB schema when generating SQL (dregad)
0026438: [bugtracker] Allow multiple, customizable due date levels (dregad)
0016869: [bugtracker] Change of due date background color (dregad)
0009155: [time tracking] Cell coloring for due date indicates "overdue" when not overdue yet. (dregad)
0025115: [roadmap] User can't see in roadmap a private issue that they reported (cproensa)
0025097: [authentication] login username is not trimmed (dregad)
0023570: [bugtracker] Implement limit_reporters as a threshold (cproensa)
0021201: [localization] lang_get_defaulted does not search for fallback language (dregad)
0016869: [bugtracker] Change of due date background color (dregad)
0015466: [bugtracker] Reporter can't see an issue they have been made a monitor of (cproensa)
0010831: [administration] how can I allow user to view only the issue that assigned to them (cproensa)

0026570: [bugtracker] Assigning bug from group action creates empty bugnote (atrol)
0026622: [ldap] LDAP API does not cache realname information (dregad)
0026600: [performance] Performance loss after update from 2.20.0 to 2.23.0 (dregad)
0026482: [ui] 'View Issue' page fails to populate some fields (ex 'ID') for some projects (but not others) (atrol)
0026470: [localization] Issue values on bug view page are not localized. (atrol)
0026596: [installation] Wrong defaults for db (plugin) table prefix/suffix (dregad)
0026610: [ui] Option history_default_visible does not work (atrol)
0026575: [plug-ins] When calling bug_assign function it auto creates empty note (atrol)
0026629: [ldap] LDAP API throws PHP warning when ldap_connect() fails (dregad)
0026757: [bugtracker] Bugnote from reminder is always public - ignoring private checkbox state (community)

This feature and maintenance release includes a schema change. Do not forget to upgrade the database as documented in the Admin Guide.

0026358: [security] Vulnerability from library Moment.js 2.15.2 (dregad)
0026125: [ui] "Users monitoring this issue" section not shown if nobody is monitoring the issue (dregad)
0025902: [api rest] Implement IssueViewPageCommand to separate logic from rendering of issue view page (vboctor)
0009802: [attachments] Support attachments associated with private notes (vboctor)
0025972: [custom fields] Use custom field regular expression in the html input (cproensa)
0021733: [attachments] Attachments should be linkable to notes in db (vboctor)
0010107: [feature] Allow setting reminder bugnotes' view status (dregad)
0026388: [security] Update ADOdb to 5.20.15 (dregad)
0026150: [bugtracker] Closing issues via group action with empty note creates a bugnote record (vboctor)
0024113: [attachments] Attaching files to a note creates a second note with only the attachments (vboctor)
0026265: [email] Bump phpmailer/phpmailer from 6.0.7 to 6.1.3 (dregad)
0026139: [reports] Move MantisGraph pages to their own tab (dregad)
0026374: [api rest] Update GuzzleHttp from 6.3.3 to 6.4.1 (dregad)
0024577: [attachments] Deleting a note, should delete associated attachments (vboctor)
0026083: [auditing] Link attachments issue history events to attachments to determine visibility (vboctor)
0026081: [attachments] Switching note to private/public, should impact associated attachments (vboctor)
0025975: [custom fields] Manage custom fields page does not show fields in order (cproensa)
0022817: [attachments] "private bugnotes" as default setting prevents uploading further attachments (vboctor)
0025960: [attachments] Add files information to EVENT_BUGNOTE_ADD event (vboctor)
0025935: [attachments] Warning for users when making public notes with attachments private (vboctor)
0026134: [time tracking] Bugnotes time spent info is always shown even if time tracking is disabled (dregad)
0021799: [documentation] Wrong data types in ERD (dregad)
0026132: [time tracking] Application Error 401 when clicking Time Tracking at the bottom of a bug notes page (dregad)
0026098: [documentation] Update ERD diagram to reflect new field in bug_file table (dregad)
0026094: [bugtracker] PHP notice in bug view page when viewing issue without category (dregad)
0026093: [plug-ins] Content Security Policy directive 'frame-ancestors' contains an invalid source when http_csp_add is called for it (dregad)
0026092: [documentation] Invalid URL for GraphViz home page (dregad)
0021712: [filters] No way to filter "negative" for checkbox custom fields (cproensa)
0026062: [filters] Filter for a date custom field fails when no values for this field exists (cproensa)
0025905: [ui] Inline actions user experience is inconsistent between different features (syncguru)
0026128: [ui] Attachments displayed with empty user (dregad)
0026167: [performance] Issue view history api repeated calls to bug_get_attachments database query (cproensa)
0026166: [performance] Issue view api uses many custom field database queries (cproensa)
0026295: [ui] Clone button is not displayed correctly (cproensa)
0026141: [custom fields] Use max length property of custom field in inputs (cproensa)
0009363: [attachments] Comments on attachments (vboctor)
0026195: [api rest] Error requesting issues using saved filter (cproensa)
0026109: [db postgresql] check_pgsql_bool_columns: check wrongly suggests that the redirect_delay should be in boolean format (dregad)
0026102: [attachments] Support inline playing of video attachments (vboctor)
0026096: [documentation] preview_*_extensions config options not documented (vboctor)
0026095: [attachments] Support inline playing of audio attachments (vboctor)
0026082: [attachments] Create a place holder note when submitting attachments without text (vboctor)
0026123: [ui] Both "monitor" and "end monitoring" buttons are displayed (dregad)
0026002: [email] "Email on monitoring" not configurable in manage_config_email_page (cproensa)
0026326: [bugtracker] Tags are not copied from master issue when cloning (community)
0026368: [administration] Custom fields selector in manage project page are not ordered by name (cproensa)
0026353: [tagging] Tag attachments list includes tags already attached to the bug (dregad)
0026030: [custom fields] Filter value "none" is not available for multiselection list custom fields (cproensa)
0026367: [administration] Use empty value as default project in "manage project" subproject section (cproensa)
0026294: [ui] Attachments without note text are not displayed (cproensa)
0026086: [api rest] Update Slim Framework to 3.12.3 (dregad)
0026382: [javascript] Update corejs-typeahead.js library to 1.3.0 (dregad)
0026119: [tagging] Add $g_tag_create_threshold to Workflow Thresholds in the GUI (dregad)

Feature and maintenance release.

0029198: [installation] End of Internet Explorer 11 support (dregad)
0025784: [html] Invalid HTML in manage_config_workflow_page.php (dregad)
0024189: [bugtracker] Status color squares become black (cproensa)
0025850: [bugtracker] PHP Notices in User API (dregad)
0025961: [tools] PHPUnit tests as run by Travis CI builds do not execute all defined suites (dregad)
0025951: [plug-ins] MantisGraph: update Chart.js library to v2.8.0 (dregad)
0025910: [administration] Simplify displaying of complex values in adm_config_report page (cproensa)
0025969: [other] bug_report_page is forced to be cached (cproensa)
0025839: [html] Leading newlines disappear when editing data in textarea elements (dregad)
0022518: [reports] Graph too large to fit in browser viewport (cproensa)
0021797: [attachments] Add support for pasting images as attachments (syncguru)
0025749: [bugtracker] error_string() does not allow HTML tags inside of error messages (dregad)
0006128: [bugtracker] Ability to add monitors to a bug when the bug is first reported (dregad)
0025851: [printing] Remove hyperlinks on usernames in Word export (dregad)
0025162: [plug-ins] Improve plugin schema upgrade error message (dregad)
0025849: [code cleanup] New prepare_mailto_url() API function (dregad)
0025848: [code cleanup] Remove get_email_link() API function (dregad)
0025826: [administration] Impossible to set add/remove monitors thresholds from manage page (dregad)
0025815: [bugtracker] Users can't add monitors if access < show_monitor_list_threshold and >= monitor_add_others_bug_threshold (dregad)
0025470: [api soap] SOAP API return value does not match definition in WSDL (dregad)
0025774: [installation] Reflect PHP requirements in Composer config (dregad)
0025827: [documentation] Improve documentation for monitors-related configs (dregad)
0025953: [plug-ins] Missing an API function to check if a plugin event has been declared (dregad)
0025686: [bugtracker] Replace mailto: by link to user profile page in view.php (dregad)
0026077: [api rest] IssueAddCommand should create tag specified by name if they do not exist (dregad)
0026076: [api rest] Adding issue via REST API should fail if requested tags can't be attached (dregad)
0026075: [tagging] Tag-related error messages should reference the tag's name (dregad)
0026074: [tagging] Creating an invalid tag should fail with an error (dregad)
0026066: [plug-ins] Gravatar Plugin Description (atrol)
0026063: [code cleanup] Glue after String Array is being Deprecated (dregad)
0025997: [api rest] Invalid JSON response when creating issue with tag by name via REST API (dregad)
0025996: [api rest] Missing tag name in error message when creating issue via REST API (dregad)
0022898: [security] Email for a new private bugnote was send to a non authorized reporter (dregad)
0025963: [ui] Gravatar plugin should always use https (vboctor)
0025962: [bugtracker] IssueAddCommand does not create history entries identical to the code it replaced (vboctor)
0023725: [time tracking] Time tracking box rendering is broken (syncguru)
0025952: [code cleanup] MantisGraph: define Chart.js-related constants in the plugin (dregad)
0024441: [tagging] Report issue doesn't support multiple new tags (dregad)
0025914: [plug-ins] EVENT_BUGNOTE_DATA event not documented in developer manual (dregad)
0025911: [javascript] Improve client-side sortable tables script (cproensa)
0024590: [plug-ins] Add EVENT_MENU_MAIN_FILTER to allow complete customisation of main menu (dregad)
0025904: [documentation] Admin guide: remove reference to unmaintained Firefox add-on (dregad)
0025894: [code cleanup] Remove unused $p_can_report_only parameter in layout_navbar_projects_list() (dregad)
0025362: [api rest] REST API support for multiple authorization headers (community)

Maintenance release for 2.21.x series.

0025734: [administration] LOGFILE_NOT_WRITABLE error triggered if file does not exist (dregad)
0025722: [administration] Wrong access_level settings when updating rights in the project admin page (cproensa)
0025742: [other] Summary "By Date (days)" gets wrong number (cproensa)
0025763: [attachments] File upload timeout (atrol)
0025781: [reports] Summary statistics db error message (cproensa)
0025783: [administration] Button label truncated on manage_config_workflow_page (dregad)

0019642: [administration] If log file is not writable, log_event() fails silently (dregad)
0025703: [api rest] Update Slim Framework to 3.12.1 (vboctor)
0023694: [plug-ins] View Issue page menu links from EVENT MENU_ISSUE event are wrapped with "[", "]" characters (dregad)
0025695: [bugtracker] Redirect to the new issue's page after reporting it (community)
0025614: [installation] Missing file (api/rest/web.config) in installer (dregad)
0025682: [ui] Show Invite button for users with manage users access level, not just administrators (community)
0025679: [ui] Uneven distribution of boxes on My View page when Timeline is OFF (dregad)
0025664: [ldap] LDAP documentation - Remove invalid 'hostname:port' example (dregad)
0025651: [performance] Update color when new Status is selected in Bug Update Page (dregad)
0025650: [ui] Show status with a color square instead of background color on Bug Update Page (dregad)
0025631: [administration] PHP Notice or incorrect file+line number when displaying DEPRECATED error (dregad)
0025629: [administration] E_USER_DEPRECATED errors are no longer displayed inline (dregad)
0023550: [customization] Modification to status colors css (dregad)
0023418: [ui] Plugin tab in Summary section not highlighted when selected (community)
0023333: [filters] sub-project assignments missing from project-specific My View page (cproensa)
0022972: [documentation] Upgrade guide does not mention plugins (dregad)
0022143: [documentation] Encoding of custom files not documented (dregad)
0022104: [ui] My View Page layout misses some boxes (dregad)
0022096: [timeline] My View page without timeline does not respect the $g_my_view_boxes_fixed_position setting (dregad)
0025594: [ui] Projects menu search box should be hidden when having a small number of projects (cproensa)
0023037: [ui] Focus on project search (cproensa)
0025688: [api rest] Inconsistent naming of username field in REST API (community)
0025693: [performance] Improve performance of Summary Page queries (cproensa)

Feature release

0005151: [administration] Can't update user's project-specific access level (dregad)
0025390: [tools] Travis CI builds fail for PHP 7.3 (dregad)
0025368: [administration] Manage project, copy from/to forms are easy to click accidentally and don't ask for confirmation (cproensa)
0025436: [email] Bump phpmailer/phpmailer from 6.0.6 to 6.0.7 (dregad)
0024672: [security] Fix Bootstrap security issues (CVE-2018-14040, CVE-2018-14041, CVE-2018-14042) (atrol)
0025213: [rss] RSS feeds broken when using PHP >= 7.0 (atrol)
0025523: [plug-ins] MantisGraph: improve handling of colors in Pie charts (dregad)
0025488: [reports] Update Chart.js to 2.7.3 (atrol)
0025437: [api rest] Update Slim Framework to 3.12.0 (dregad)
0025130: [administration] "Check Installation" is missing from Admin menu (dregad)
0025386: [ui] Incorrect spacing between submenu and main div for some MantisGraph screens (dregad)
0025385: [ui] Summary page submenu not aligned when screen narrower than buttons (dregad)
0025381: [api rest] Get project doesn't return all versions (atrol)
0025387: [ui] MantisGraph: redundant subtitle on Issue Trends page (dregad)
0014656: [reports] Filter by dates in Summary Graphs (cproensa)
0017304: [documentation] Manual does not describe variable "g_from_name" (atrol)
0025210: [reports] Script error in graphs (cproensa)
0025174: [excel] Float custom field saved as String in XML-Excel export (atrol)
0025168: [reports] MantisGraph. Reporter graph does not fit width of page (dregad)
0025403: [documentation] $g_notify_new_user_created_threshold_min is ignored on new account creation (atrol)
0025164: [reports] MantisGraph, implement filtered summary for graphs (cproensa)
0025408: [documentation] Minor documentation fixes (atrol)
0025429: [api rest] Undefined variable t_show_detailed_errors in API REST (dregad)
0025109: [html] Filter widget does not hide botton bar when collapsed (cproensa)
0025466: [reports] SYSTEM NOTICE on graph pages (atrol)
0025442: [db mssql] Wrong/duplicate bugnote_text_id in mantis_bugnote_table (cproensa)
0024776: [filters] Switching simple/advanced for a temporary filter loses the filter (cproensa)
0024775: [filters] Improve presentation of temporary filters (cproensa)
0020069: [code cleanup] default_email_on_status, misleading comments in config_defaults (atrol)
0024549: [filters] Permalink - Filter lose information after click on view issues (cproensa)
0024347: [security] web.config file is missing in api/rest (community)
0023904: [performance] Massive queries to user table in edit project (cproensa)
0004624: [feature] Add filtered summary (cproensa)
0023045: [feature] Usability suggestion at Report Issue screen (atrol)
0025572: [attachments] Redesign Dropzone file previews (cproensa)
0025446: [ui] 'show_queries_count' is a global setting, but 'show_memory_usage', 'show_timer' are not (atrol)
0025533: [relationships] When adding multiple relationships, ignore source issue and empty issue ids (dregad)
0025524: [plug-ins] MantisGraph: improve display of By Category Bar chart (dregad)
0025454: [ui] Page adm_config_report does not cache users and generate many database queries (cproensa)
0025455: [ui] Page adm_config_report, users in filter list are not correctly ordered (cproensa)
0025456: [sql] Page adm_config_report has queries missing db_param_push() (cproensa)
0025463: [attachments] Dropzone max-filesize option is not correct (cproensa)
0025464: [attachments] Enforce max-filesize in dropzone to alert and drop big files before form submission (cproensa)
0025465: [attachments] Dropzone preview does not work (cproensa)
0025532: [relationships] Error when adding a relationship if bug id contains whitespace as prefix or suffix (dregad)
0025515: [api rest] Simple and Advanced filters are not consistent for handling sub-project issues (cproensa)
0025522: [plug-ins] MantisGraph: limit number of slices in By Category pie chart (dregad)
0025110: [authentication] Token error when login with a newly created user (cproensa)
0009757: [reports] View Issues - Select a Filter - Graph are not linked on this choice (cproensa)
0012261: [filters] Cannot filter by versions of parent project when child project selected (cproensa)
0020054: [administration] Cant modify configuration for All projects if only one project exists (cproensa)
0021931: [reports] Filtered Summary (cproensa)
0022099: [reports] Missing pie chart in "By Category Graphs" (cproensa)
0022100: [code cleanup] Take care of released/obsolete flag when accessing version_cache_array_rows() cache (cproensa)
0023245: [performance] project versions are not cached efficiently (cproensa)
0024821: [code cleanup] Wrong caching in version API (cproensa)
0025434: [email] check all/ uncheck all checkbox for email notifcation (cproensa)
0025102: [api rest] /api/rest/issues endpoint supposedly returns all issues, but doesn't (community)
0025133: [ui] Project selection is shown even if the user has no accesible projects (cproensa)
0025163: [reports] MantisGraph summary links don't hghlight current graph page (cproensa)
0025165: [reports] Summary doesn't honour issue access (dregad)
0025217: [ui] Enable selection of a range in checkboxes lists. (cproensa)
0025378: [ui] Provide sortable functionality to simple tables (cproensa)
0025400: [api rest] Allow adding/updating/deleting subprojects via REST API (community)

0024986: [api rest] Update Guzzle to 6.3.3 (dregad)
0024990: [email] Update PHPMailer to 6.0.6 (dregad)
0024987: [api rest] Update Slim Framework to 3.11.0 (dregad)
0024931: [signup] PHP warnings and errors when trying to signup existing user (atrol)
0024989: [bugtracker] Update ADOdb to 5.20.13 (dregad)
0025112: [other] Link to create new user is a form and prevents reloading (cproensa)
0021284: [installation] memory_limit test fails when memory_limit is set to -1 (atrol)
0025116: [roadmap] Manage workflow thresholds does not have the option for "view roadmap" (cproensa)
0025099: [authentication] Auth plugins can't control session expiry time and disable perm login (vboctor)
0025061: [authentication] Generic error is triggered when anonymous login is not defined (dregad)
0025072: [filters] Could not use the FilterBugList filter with "Permalink" (community)
0025059: [administration] View User Page: hide footer at bottom of User Info table when not needed (dregad)
0025100: [plug-ins] Display header fails when no user is authentication and anonymous login is off (vboctor)
0025043: [code cleanup] Code Cleanup (atrol)
0025042: [administration] Add some more information to view_user_page (atrol)
0025033: [installation] Warning with PHP 7.3: "continue" targeting switch is equivalent to "break". Did you mean to use "continue 2"? (atrol)
0025016: [bugtracker] Default projection is ignored (atrol)
0025002: [custom fields] Error when updating content in a custom field of type "Text Area" ("Textbereich"): History cannot be stored (atrol)
0024988: [email] Update Disposable Email Checker to 3.1.0 (dregad)
0024976: [ui] Sidebar's collapsed state is not preserved (dregad)
0024932: [preferences] "Manage" menuitem visible even though no access (atrol)
0024925: [administration] Misleading Message in the creation of user (atrol)
0024896: [authentication] Password managers don't work with password login page (cproensa)
0024882: [relationships] relationship_can_resolve_bug function problem (atrol)
0024877: [bugtracker] IssueNoteAddCommand: reassign_on_feedback doesn't work if reporter is not specified (vboctor)
0023712: [authentication] auth_get_current_user_id can return strings while that is not expected (vboctor)

Feature release

0024774: [tagging] Error Creating Issue with new TAG (vboctor)
0024822: [code cleanup] Code Cleanup (atrol)
0024741: [plug-ins] Plugin Columns - Export CSV or Excel - PHP 7.2.7 - crash error 500 - Reason missing 2 argument in call (dregad)
0010411: [bugtracker] Changes to project_view_state and view_state to create only private projects (vboctor)
0024520: [html] Missing fallback for "Open Sans" font (community)
0024823: [performance] Performance enhancements of string processing (atrol)

Feature release

0012677: [administration] Please change a search option to manage users (atrol)
0024632: [tagging] Tag cannot be selected if a tag containing the text of that tag has already been selected (atrol)
0024616: [relationships] relationship visibility in different project permission (atrol)
0024633: [bugtracker] Late error message when trying to resolve issues (atrol)
0024635: [authorization] Wrong box visibility on My View page (atrol)
0024719: [administration] Impersonate User is offered for disabled users (atrol)
0024717: [api soap] Add filter for the “last updated“ date in the soap api (community)
0024696: [authorization] Custom fields can be changed without having update_bug_threshold access rights (atrol)
0024644: [ui] Footer displays behind sidebar on bug_actiongroup.php (dregad)
0024643: [ui] bug_actiongroup and custom bug_actiongroup don't provide the same user experience when displaying error message (dregad)
0024636: [api rest] Add function to delete a project via REST API (vboctor)
0024624: [api rest] Add function for updating a project via REST (community)
0024622: [api rest] Add function for creating a new project via REST (community)
0023915: [administration] Search for a part of (Real Name - Username - Email) (atrol)
0023336: [html] Inline image attachments should have their own container to prevent scrolling (atrol)
0020101: [api soap] mc_filter_search_issues can't filter by date (community)

Feature release

0024416: [upgrade] Improve handling of unserialize errors when upgrading (dregad)
0022083: [ui] Local copy of Open Sans font does not include Latin-ext characters (atrol)
0023978: [ui] Fonts are not rendered correctly in Windows clients (atrol)
0023992: [ui] Font = Times News Roman after Upgrade from v2.7.0 (atrol)
0024501: [installation] MantisBT on Windows - Check for php_fileinfo.dll enabled on php.ini (atrol)
0024523: [performance] Unneeded information in Change Log and Roadmap (atrol)
0024552: [code cleanup] Code Cleanup (atrol)
0024553: [performance] Performance enhancement of config_get_global function (atrol)
0024564: [timeline] Missing display of events in Timeline if All Projects is selected (atrol)
0024578: [documentation] Documentation: PHP documentation link: "installation.php" -> "install.php" (dregad)
0024579: [documentation] Documentation: Admin Guide: Installation: Broken Link "Microsoft IIS", is now https://docs.microsoft.com/en-us/iis (dregad)
0021376: [upgrade] Error in upgrade process 1.2.17 --> 1.3.0 (dregad)

0024437: [filters] Cannot save private filter if not allowed to save shared filter (community)
0024496: [wiki] URL encoding precludes reasonable wiki root_namespace values (community)
0024242: [bugtracker] Incorrect issue status setting when changing status (vboctor)
0024388: [api rest] Support create project versions via REST API (vboctor)
0024398: [tagging] Exception Missing Class (atrol)
0024432: [security] Update-Blocker:User-ID instead of Realname 0024139 as due to security policy requirements which prohibit IDs in mails and masks (atrol)
0024435: [filters] show_user_realname_threshold is not considered when sorting by reporter or handler (atrol)
0024436: [ui] Selecting users is not easy if show_realname is set to ON (atrol)
0024470: [other] System warning if $g_log_destination = 'page' when using PHP 7.2 (atrol)
0024462: [api soap] Error while querying for issue header with PHP 7.2 (atrol)
0024476: [performance] Unneeded <meta> tag in <head> section (atrol)
0024139: [ui] $g_show_realname for making usernames private (atrol)

0024336: [administration] Plugin priority changed without being changed by user interaction (atrol)
0024192: [bugtracker] Update ADOdb to 5.20.12 (dregad)
0024236: [code cleanup] IssueAddCommand Prevents API Folder Removal (atrol)
0024174: [code cleanup] E_DEPRECATED error on php7.2: each() function (dregad)
0024196: [api rest] Update Slim Framework from 3.8.1 to 3.9.2 (vboctor)
0024197: [api rest] Update GuzzleHttp from 6.3.0 to 6.3.2 (vboctor)
0024220: [documentation] Wrong documentation of datetime_picker_format in Admin Guide (atrol)
0024325: [code cleanup] Code Cleanup (atrol)
0024326: [documentation] Wrong documentation of my_view_boxes in Admin Guide (atrol)
0024333: [api rest] Support getting a single project via REST API (vboctor)

Maintenance release for 2.13.x series.

0024221: [security] CVE-2018-9839: Private issues accessible to unauthorized users using the "Clone" functionality (dregad)
0024233: [markdown] Markdown quoting rendered with broken HTML (atrol)
0024239: [email] Inconsistent realname display (atrol)
0024335: [api rest] Get all filter or specific filter returns incorrect information (vboctor)
0024343: [api rest] REST API returns too much info for default category handler (vboctor)
0024346: [api rest] Don't show category default handler for users that can't manage the project (vboctor)
0024349: [api soap] API method mc_filter_get does not work (vboctor)
0024353: [code cleanup] mb_internal_encoding no longer being set because of removal utf8 library (atrol)
0024355: [bugtracker] SYSTEM WARNING 'count(): Parameter must be an array or an object that implements Countable' in 'IssueNoteAddCommand.php (atrol)

Feature release

0023998: [code cleanup] Implement IssueAddCommand and use it from SOAP, REST and Web UI (vboctor)
0023161: [timeline] Show File Attachment events in Timeline (dregad)
0024128: [administration] Unable to start system check or installation with wrong PHP version (atrol)
0024056: [custom fields] Custom Fields of type "Textarea" cannot contain more than 255 chars due to bug_history table (atrol)
0010853: [filters] In View Issues list, several columns are sorted by Id instead of display value (cproensa)
0021404: [filters] System Error on changing filters (dregad)
0016070: [email] Delay due to Mantis trying sending emails to non existent address (vboctor)
0023498: [filters] Filtering "note by" with "none" does not return any result (cproensa)
0024009: [api soap] Add Issue SOAP API doesn't add the issue to recent list (vboctor)
0024008: [api rest] Add Issue REST API doesn't add the issue to recent list (vboctor)
0024007: [api soap] Add Issue SOAP API doesn't trigger EVENT_REPORT_BUG plugin event (vboctor)
0024006: [api rest] Add Issue REST API doesn't trigger EVENT_REPORT_BUG plugin event (vboctor)
0024005: [api soap] Add Issue SOAP API doesn't trigger issue_create_notify custom function (vboctor)
0024004: [api rest] Add Issue REST API doesn't trigger issue_create_notify custom function (vboctor)
0024003: [api soap] Add Issue SOAP API doesn't trigger issue_create_validate custom function (vboctor)
0024002: [api rest] Add Issue REST API doesn't trigger issue_create_validate custom function (vboctor)
0024001: [api soap] Add Issue SOAP API doesn't trigger EVENT_REPORT_BUG_DATA plugin event (vboctor)
0024000: [api rest] Add Issue REST API doesn't trigger EVENT_REPORT_BUG_DATA plugin event (vboctor)
0023999: [code cleanup] Implement IssueDeleteCommand and use it from SOAP, REST, and Web UI (vboctor)
0008167: [filters] Filter settings saved when using Anonymous account (cproensa)
0007264: [filters] Not able to filter issues that have no relationship assigned (cproensa)
0008204: [filters] Filters not remembered when clicking through from "My View" (cproensa)
0023214: [performance] Remove usage of outdated phputf8 library (atrol)
0022785: [api rest] Support adding attachments when reporting issues (vboctor)
0023549: [db mysql] Entering Emojis in comments with a user mention crashes with an error (atrol)
0024140: [filters] Application error 401: "ORDER BY clause is not in SELECT list" when sorting by category or project (cproensa)
0024089: [authentication] POST request to login_password_page.php return 405 when admin folder is deleted or access restricted (atrol)
0013177: [filters] On ‘View Issues’ Page the filter does not allow user to select ‘blank’ ('No Category') Category (cproensa)
0024042: [filters] filter on relationships mistuned by switching sort order (cproensa)
0021865: [filters] Filter out duplicated issues (cproensa)
0021867: [filters] Filter filed "relationships" resets its value when "duplicate of" is selected (cproensa)
0023476: [bugtracker] Can't login if admin directory has restricted access (atrol)
0023499: [filters] Filtering with "note by" shows results from private notes for unprivileged users (cproensa)
0023500: [filters] Search filter returns matches in private notes for unprivileged users (cproensa)
0023501: [filters] Filter "monitored by" does not have option for "none" (cproensa)
0023502: [filters] Filter "assigned to" does not account for configuration "view_handler_threshold" (cproensa)
0023504: [filters] Filter "monitored by" does not account for configuration "show_monitor_list_threshold" (cproensa)
0023506: [filters] Filter tags inconsitent with OR filter operator (cproensa)
0023538: [filters] Filter field for relationship bug id is set to -1 by default (cproensa)
0022376: [documentation] Wrong documentation of string customization (atrol)
0024158: [bugtracker] Support providing a default value for issue description (vboctor)
0024159: [documentation] $g_default_bug_steps_to_reproduce not documented (vboctor)
0024160: [documentation] $g_default_bug_additional_info not documented (vboctor)

Maintenance release for 2.12.x

0024077: [timeline] Hyperlink usernames in timeline to user page (vboctor)
0024090: [ui] Username (Realnames) format not showing on timeline (my_view_page) (vboctor)
0024186: [security] CVE-2018-1000162: XSS vulnerability in Parsedown library (dregad)
0024297: [security] Update Parsedown library to 1.7.1 (dregad)
0024167: [bugtracker] History entries display realname instead of username (atrol)
0024097: [ui] Account page required change password on any field modification (atrol)
0024161: [timeline] Wrong color of username in timeline (atrol)

Feature release

0023966: [code cleanup] Option session_handler not implemented (atrol)
0023375: [mentions] It is hard to @ mention users when show realnames is enabled (vboctor)
0010493: [code cleanup] Non-existent duplicate_realname column is updated by various functions in user_api.php (vboctor)
0022509: [mentions] users with dashes in their name will not work when @mentioned (example @r-frank) (community)
0023960: [plug-ins] EVENT_AUTH_USER_FLAGS should always be passed username rather than name (vboctor)
0023961: [timeline] Identify Timeline tags operations with a specific icon (dregad)
0023969: [performance] Minor performance and code enhancements of config functions (atrol)
0024020: [localization] Update supported languages (siebrand)
0024043: [ldap] $g_ldap_realname_field generates WARNING: field 'givenName' does not exist. (community)

Feature release

0023706: [administration] trigger_error() with errors must terminate scripts rather than being config based (vboctor)
0023876: [installation] Running admin/check fails (dregad)
0023838: [api rest] Create user via REST API (vboctor)
0023942: [bugtracker] Remove deprecated "errcontext" parameter from standard error handler (dregad)
0023925: [security] Site path leakage in error handler (vboctor)
0023837: [code cleanup] Implement UserCreateCommand to create users (vboctor)
0023754: [code cleanup] Remove unused function print_bracket_link and code cleanup (atrol)
0023758: [ui] Allow users to select font family that fits them best (syncguru)
0023900: [administration] Unable to update user access level, due to check on 'Realname' returning KO (APPLICATION ERROR #807) (vboctor)
0023776: [attachments] Support adding attachments that were not uploaded via the browser (vboctor)
0023899: [api rest] Relationship type was localized in GET issue API (vboctor)
0023780: [api rest] Return status code 429 when hitting spam check limits (vboctor)
0023830: [security] Update PHPMailer to 5.2.26 (dregad)
0023787: [administration] Protected admin users can't be unprotected (atrol)
0023786: [code cleanup] Implement IssueNoteDeleteCommand for deleting notes (vboctor)
0023785: [api rest] Adding notes via SOAP and REST API with time tracking uses incorrect access check (vboctor)
0023784: [api rest] REST and SOAP API send two email notifications for mentioned users (vboctor)
0023773: [api rest] Support time tracking when adding notes via REST API (vboctor)
0023772: [api rest] Support attachments when adding notes via REST API (vboctor)
0023762: [api rest] Support adding users to monitor an issue via REST API (vboctor)
0023714: [api rest] Failing REST API requests should include Mantis error code and localized message (vboctor)
0012978: [code cleanup] Summary - Time Stats For Resolved Issues (days) (dregad)
0023898: [api rest] Some relationships are not formatted correctly in GET issue rest API (vboctor)
0023868: [api rest] Support deleting issue relationships via REST API (vboctor)
0023867: [code cleanup] Implement IssueRelationshipDeleteCommand (vboctor)
0023866: [api rest] Support adding relationships via REST API (vboctor)
0023865: [code cleanup] Implement IssueRelationshipAddCommand to add relationships (vboctor)
0023863: [reports] Summary: Reporter and Developer by Resolution miss a Total column (dregad)
0023858: [api rest] Add REST API to detach a tag (vboctor)
0023856: [code cleanup] Implement TagDetachCommand to detach tags (vboctor)
0023855: [code cleanup] Implement TagAttachCommand for attaching tags (vboctor)
0023854: [reports] Summary: always show the "By Project" box (dregad)
0023840: [api rest] Delete user via REST API (vboctor)
0023839: [code cleanup] Implement UserDeleteCommand for deleting users (vboctor)
0023828: [api rest] Support adding attachments to existing issues via REST API (vboctor)
0023796: [reports] Filter links for resolved/closed custom statuses in Summary By Status report are incorrect (dregad)
0023857: [api rest] Add REST API to attach a tag (vboctor)
0023774: [code cleanup] Implement IssueNoteAddCommand to share code for adding notes (vboctor)
0023627: [feature] Summary page enhancement with bugs ratio support (dregad)
0011327: [reports] "Developer By Resolution" is the only box in the Summary page not ordered (at least it doesn't seem to be any logic behind it) (dregad)
0022792: [api rest] Support downloading issue attachments (vboctor)
0023943: [bugtracker] Improve detailed error page layout (dregad)
0023944: [bugtracker] The stack trace on detailed error page should not include the error handler itself (dregad)
0023930: [installation] Make Fileinfo a mandatory PHP extension (atrol)
0023926: [ui] Footer displayed under sidebar on error page when $g_show_detailed_errors = ON (dregad)
0023775: [attachments] Remove obsolete code that checks if PHP file info API is defined (vboctor)

Feature release

0023710: [code cleanup] Remove usage of deprecated function __autoload (vboctor)
0022789: [api rest] Support retrieving user defined filters (vboctor)
0009007: [time tracking] Billing summary does not include sub-projects (community)
0022790: [api rest] Support standard filters defined by the system when retrieving issues (vboctor)
0023679: [administration] Limit change of impersonation threshold to global config (atrol)
0023690: [api rest] Support deleting filters (vboctor)
0023722: [time tracking] Don't print time tracking buttons and export links (community)
0023723: [time tracking] Support configurable default billing rate (community)
0023724: [time tracking] Removed useless collapse icon with duplicated title in billing report (community)
0023742: [html] Broken url for MantisBT logo in admin section (community)
0023753: [ui] UI of Update Produkt Build page broken (atrol)

Feature release

0012602: [custom fields] Default value for a date don't work (vboctor)
0023573: [code cleanup] Unneeded code for option meta_include_file (atrol)
0023640: [code cleanup] Usage of deprecated each() function (atrol)
0023639: [code cleanup] Unneeded code for non supported old PHP versions (atrol)
0023654: [api rest] Don't validate handler when updating issues without updating handler (vboctor)
0023658: [plug-ins] UI for protected plugins broken (atrol)
0023577: [api rest] REST APIs don't enforce required custom fields when reporting issues (vboctor)
0023578: [documentation] Document need for consistency between "normal" and "datepicker" date formats (dregad)
0019482: [custom fields] Using custom fields (date) with default value and required on resolve displays an error (vboctor)
0023657: [api soap] mc_issue_update returns bug is read only on status update (atrol)
0023653: [api rest] Leverage If-Match when updating issues (vboctor)
0023650: [api rest] Leverage If-Match when deleting issues (vboctor)
0023648: [api rest] Leverage ETag headers when getting issues (vboctor)
0023645: [other] No preview of ANSI encoded text files that contain German Umlauts (atrol)
0023630: [administration] Some check boxes on Manage Configuration > Workflow Threshold page are not centered (community)
0023626: [performance] Unneeded code executed when retrieving global settings (atrol)
0023625: [code cleanup] Function require_lib contains code to search in vendor folder (atrol)
0023620: [api rest] PHP error on getting issues when user doesn't have access (vboctor)
0023616: [api rest] Support exporting issue history (vboctor)
0023594: [custom fields] Reporting an issue with default date {now} that is not visible doesn't work (vboctor)
0023579: [api rest] Internal Server Error 500 when category doesn't exist (vboctor)
0023575: [api rest] Category lookup is case sensitive (vboctor)
0023572: [code cleanup] Unneeded code for unsupported database types (atrol)
0023466: [db mysql] database is not supported by PHP. Check that it has been compiled into your server. (atrol)
0023576: [api rest] Issues created via REST API with date custom fields fail (vboctor)
0023692: [authentication] Token API does not work with config show show_realname (dregad)

Feature release including fixes and new features including REST API issue updates and DKIM support for email signing. This release is the first to have REST API enabled by default.

0023446: [performance] Unneeded files delivered if Mantis Graphs plugin is enabled (atrol)
0023474: [custom fields] Empty numeric fields should be display as empty rather than 0 (community)
0023555: [ui] Bugnote text area not styled correctly when private by default (vboctor)
0023560: [bugtracker] Notes added via change status / edit always market private when private by default (vboctor)
0023396: [api rest] REST API Issue update support (vboctor)
0023488: [code cleanup] Usage of deprecated constant (atrol)
0023517: [administration] Remove unused config option inline_file_exts (community)
0023494: [html] Wrong class name for tags output (atrol)
0023483: [bugtracker] Auto-refresh shouldn't update last visited (atrol)
0023477: [api soap] Updating issues via APIs should trigger email notifications (vboctor)
0023475: [custom fields] Empty float fields should be displayed as empty rather than 0 (community)
0023460: [ui] Useless UI element on manage_proj_page (atrol)
0023451: [performance] Unneeded code delivered to support unsupported IE9 (atrol)
0013126: [plug-ins] Add plugin event EVENT_BUG_ACTIONGROUP_FORM (cproensa)
0023493: [email] DomainKeys Identified Mail (DKIM) Signatures (community)
0022842: [code cleanup] Remove php_version_at_least() function from PHP API (dregad)
0023503: [bugtracker] Handler user is visible even if view_handler_threshold is configured to not allow (cproensa)
0023516: [api rest] Enable REST API by default (vboctor)
0022441: [bugtracker] Notes are not in the correct order after cloning an issue (cproensa)
0023518: [bugtracker] "show_assigned_names" configuration is not applied correctly in view_all_bug_page (cproensa)
0023528: [filters] Filter "advanced" mode is reset after sorting through column headers (cproensa)
0023537: [api rest] Facilitate troubleshooting REST API by displaying detailed errors (dregad)
0023543: [email] Update PHPMailer to v5.2.25 (vboctor)
0023542: [code cleanup] Force composer to honor PHP compatibility advertised for MantisBT (vboctor)
0021225: [bugtracker] resolving parent issues inconsistency (community)
0016133: [custom fields] Numeric field accepts floats and displays them as numeric (vboctor)

A feature release that includes both functional and performance improvements.

0023378: [installation] Installation fails when using old but still allowed PHP version 5.3 (atrol)
0022310: [html] Use HTML5 "required" attribute for required form fields (community)
0023395: [db oracle] Performance issue reading config table with oracle database (cproensa)
0009120: [custom fields] Numeric Custom fields on View All don't sort correctly (atrol)
0023324: [performance] Generated css, js code should be cached by browser (cproensa)
0023323: [reports] Wrong filter links on summary page (atrol)
0023381: [code cleanup] Unneeded code for unsupported PHP versions (atrol)
0023420: [relationships] Resolving as duplicate adds reporter and handler to monitoring list (atrol)
0023225: [authentication] Token API does not work with config show show_realname (dregad)
0022872: [ui] Make some buttons visible only when hovering on relevant container (cproensa)
0023251: [timeline] Timeline in view user page resets the user id after dates navigation (cproensa)
0023310: [performance] Unused CSS delivered (atrol)
0023248: [ui] Project selection dropdown focus on current selection (cproensa)
0023331: [code cleanup] New user_get_username() API function (dregad)
0023242: [code cleanup] Function project_get_local_user_access_level() is redundant (cproensa)
0023216: [tagging] Make tag view threshold work at project level (cproensa)
0022871: [ui] print_form_button() does not render inline buttons (cproensa)
0022870: [ui] buttons without separation (cproensa)
0023267: [ui] Misplaced "Reset Prefs" button in user prefs with narrow screen (dregad)
0021654: [code cleanup] Deprecate access_has_any_project() (cproensa)
0023301: [api rest] Request an issue in the REST API fail without warning if an enumeration is missing. (community)
0023264: [api rest] Custom fields not been saved when adding issue through the Rest API (community)
0023311: [filters] "View issues" on changelog page does not show closed issues (atrol)
0023268: [db oracle] Error filtering custom fields of type date (cproensa)
0023382: [customization] Login logo image not configurable by css (cproensa)
0023367: [plug-ins] Add no-op upgrade step in plugin_upgrade() (dregad)
0022492: [ui] Regression: Resolved/Closed issues are not shown with a line-through (strike-through) (community)
0023393: [administration] Provide some basic operating environment information on manage_overview_page (atrol)
0022182: [ui] Burger menu is sometimes visible without functionality (cproensa)
0023411: [performance] Unneeded string copies in general text processing (atrol)
0023425: [reports] PHP errors and warnings when running Issue Trend report (atrol)
0023377: [other] Textarea custom field entry missing from email (atrol)
0023249: [feature] When logging the caller function, also print the class name if it's a class method (cproensa)
0023436: [filters] Editing a stored filter can't update projects property (cproensa)
0023443: [custom fields] Fixes related to custom fields on filters, columns and visibility (cproensa)
0023266: [custom fields] Filter selection for numeric custom fields show values not coherent with custom field type (cproensa)
0023265: [custom fields] Filter selection for numeric custom fields aren't sorted correctly on distinct values list (cproensa)
0023260: [custom fields] Custom fields of type date are not sorted correctly (cproensa)
0005713: [custom fields] Custom fields of subprojects are shown in filter for "All projects" but not in parent project. (cproensa)
0023233: [custom fields] Issues returned by filter has linked custom fields that are not available as columns (cproensa)
0023232: [filters] Custom field is showed in filter when the user has not view access (cproensa)
0023223: [filters] Custom fields filter does not account for read access at project level (cproensa)
0019385: [filters] Filtering custom field show bugs from projects where this custom field has been removed (cproensa)
0016359: [filters] Custom field filters does not take user access rights into account (cproensa)
0016358: [filters] Custom field filter does not recusrively read all items from sub-projects (cproensa)
0006872: [custom fields] Sort of custom fields does not use data type (cproensa)
0023243: [ui] Narrow space between checkbox/radio button and label (dregad)
0023241: [filters] Error when changing sort order in filters, due date field only (cproensa)
0022245: [ui] Collapsed menu entry no clickable in complete visible area (atrol)
0022053: [plug-ins] Implement logging functionality for plugins (cproensa)
0021913: [tagging] Unprivileged user can see related tags from private issues (cproensa)

A feature release that includes both functional and performance improvements.

0023202: [ui] Questionable order and functionality of top buttons on "View Issue" page (atrol)
0022984: [ui] Calendar doesn't show the correct date the first time it opens (dregad)
0023141: [html] Unused CSS delivered (atrol)
0023116: [html] Due date field not displayed correctly when editing ticket (community)
0023061: [ui] print_manage_menu() does not highlight active plugin pages (dregad)
0022730: [ui] 'Manage Configuration' tab usually does not highlight (dregad)
0022813: [customization] Field is appearing in email notification but not used in UI. (joel)
0022987: [code cleanup] Replace hardcoded language strings by translatable ones (dregad)
0022981: [ui] Display of hardcoded string on view_user_page if e-mail address is empty (atrol)
0022967: [ui] Questionable display of "Access Denied" on view_user_page (atrol)
0022940: [code cleanup] Update PHPMailer from 5.2.22 to 5.2.24 and use Composer (dregad)
0023150: [html] Unused code and unused CSS delivered for obsoleted functionality (atrol)
0023159: [ui] Graph display is too faint and blurred (atrol)
0023087: [filters] Removing "Report an issue" permission removes user from Monitoring filter dropdown (atrol)
0022939: [code cleanup] Use Parsedown library v1.6.2 via Composer (vboctor)
0022913: [email] Update disposable-email-checker to v3.0.1 using Composer (vboctor)
0012313: [attachments] Can't open image attachments in browser windows (dregad)
0023237: [performance] Project cache is not efficient with navbar project selection. (cproensa)
0023188: [bugtracker] Update GuzzleHttp from 6.2.3 to 6.3.0 (vboctor)
0023189: [markdown] Update Parsedown 1.6.2 to 1.6.3 (vboctor)
0023190: [code cleanup] Update PhpUnit from 4.8.35 to 4.8.36 (vboctor)
0023191: [time tracking] Unable to access time tracking reports (atrol)
0023187: [email] Update PHPMailer v5.2.23 to v5.2.24 (vboctor)
0023184: [bugtracker] AJAX calls with invalid endpoints fail with syntax error (dregad)
0023204: [performance] Unused and inefficient code in function layout_print_sidebar (atrol)
0023227: [ui] When specifiying top_buttons display, the button on update screen has no styling. (atrol)
0023145: [api rest] Support deleting notes via REST API (vboctor)
0023144: [api rest] Support issue id as part of the path for REST API (vboctor)
0023139: [api rest] Notes returned by /issues REST API have incorrect timestamps (vboctor)
0023131: [api rest] /api/rest/projects doesn't return child projects (vboctor)
0023112: [custom fields] Custom fields badly filtered when multi-projects (cproensa)
0022919: [time tracking] Time Tracking "auto count" is giving the wrong elapsed time (dregad)
0022158: [time tracking] Time tracking report excludes issues with no category assigned (cproensa)
0023143: [api rest] Support adding notes via REST API (vboctor)
0021807: [ui] The required fields are not explicitly visible when updating, resolving or closing an issue (community)
0022469: [time tracking] Enabling Time Tracking distorts View Issue Details page layout. (cproensa)
0022291: [time tracking] Issue history box is narrower than other boxes above it on View Issue page (cproensa)
0021695: [ui] "notify user" check should be moved outside the form (cproensa)
0012444: [bugtracker] bug_actiongroup_page, on copy, & move, poject combo lists projects wich the user has no rights (cproensa)

Security fixes release for 2.5.x series.

0023146: [security] CVE-2017-12061: XSS in /admin/install.php script (dregad)
0023166: [security] CVE-2017-12062: XSS in manage_user_page.php (atrol)
0023179: [security] Login page no longer warns about 'admin' directory being present (dregad)
0023181: [administration] Checks on login page are never executed if "admin" dir does not exist (dregad)
0023185: [security] Improve doc and notifications when admin dir is present (CVE-2017-12419) (dregad)

Feature release with main focus on REST API improvements, some of the fixes also applies to the SOAP API.

0022765: [api rest] Implement a test framework for REST API (vboctor)
0022850: [ui] Installation page layout and style issues (dregad)
0022774: [api rest] Some access denied errors don't show user info correctly (vboctor)
0022808: [api rest] Use GuzzleHttp for http requests (vboctor)
0022788: [api rest] Support retrieving projects accessible to users (vboctor)
0022783: [api rest] Return 400 instead of server side error if summary, description or project fields are missing (vboctor)
0022782: [api rest] Don't return target_version if user doesn't have access to view roadmap (vboctor)
0022780: [api rest] Don't return platform, os, and os_build if disabled (vboctor)
0022779: [api rest] Don't return profile information if feature disabled (vboctor)
0022778: [api rest] Don't allow setting version to an undefined version (vboctor)
0022777: [api rest] Don't return sponsorship_total (vboctor)
0022776: [api rest] Sticky flag should be a boolean rather than a string (vboctor)
0022775: [api rest] Rename date_submitted to created_at and last_updated to updated_at (vboctor)
0022773: [api rest] Don't return projection info if feature is disabled (vboctor)
0022772: [api rest] Don't return eta info if feature is disabled (vboctor)
0022771: [api rest] Due date access check should be based on project access level rather than global one (vboctor)
0022770: [api rest] Change version from string to an object (vboctor)
0022769: [api rest] Note type should be note instead of timelog if time tracking is not accessible to user (vboctor)
0022768: [api rest] Support retrieving issues based on filter or a project (vboctor)
0022767: [api rest] Include status color in status enum value for issues (vboctor)
0022766: [api rest] Enum name should reflect non-localized enum name and label for localized name (vboctor)
0022905: [code cleanup] The URL of the return button in breadcrumbs div has a trailing '?' (dregad)
0022868: [other] PHP variable misspelt in html_api.php (dregad)
0022904: [db mssql] database_api: db_insert_id returns string not int (mssql) (dregad)
0022933: [timeline] Confusing entry in timeline when removing other users from monitoring list (atrol)
0022925: [time tracking] Time Tracking - issue (atrol)
0022928: [administration] $g_anonymous_account is case sensitive, preventing normal users from logging in (vboctor)
0021871: [performance] Improve db_fetch_array performance (cproensa)
0022864: [code cleanup] phpdoc for 'print_link_button' has incorrect order of parameters (cproensa)
0022865: [code cleanup] Login page displays a PHP system notice when using BASIC_AUTH (dregad)
0022852: [localization] [de] Incorrect label in German "Change status" form (atrol)
0022851: [installation] Installer should display sample table names based on table prefix/suffix settings (dregad)
0022809: [api rest] Upgrade Slim Framework from 3.7.0 to latest (3.8.1) (vboctor)
0021994: [attachments] issue with attachments cannot be moved between projects with different upload directories (uploads saved in file system) (dregad)

0022635: [time tracking] Empty notes with time tracking show as empty notes for users that can't view time tracking (vboctor)
0022452: [ui] Create new project button (community)
0021558: [ui] log destination for page produces messed output (syncguru)
0022665: [documentation] Wrong documentation of option bug_resolution_fixed_threshold (atrol)
0022689: [bugtracker] HTTP_X_FORWARDED_PROTO is not honored when loading Gravatar (vboctor)
0022744: [signup] Signup is not working on mantisbt.org/bugs (vboctor)
0022740: [performance] Allowed memory size of 268435456 bytes exhausted (vboctor)
0004235: [authentication] Support Generic Authentication through Plug-ins (vboctor)
0022140: [administration] Getting error dialog when reporting issues and file upload is disabled (cproensa)
0022673: [attachments] Dropzone uploads files when submitting other forms (cproensa)
0022762: [api rest] Bug in error handling when user doesn't have access level to handle issue (vboctor)

Feature release including security fixes and our brand new experimental REST API. The REST API can be extended by plugins and power web UI ajax features. In this release the REST API is disabled by default (expect for calls from within the web UI using cookie authentication) – see 0022598 for more details.

0022583: [attachments] Open PDFs in the browser rather than downloading them (vboctor)
0022582: [relationships] Relationships box layout is not right for reporters (vboctor)
0022585: [timeline] Show timeline for specific user (cproensa)
0022507: [ui] On Edit Filter page, 'Filter name' input field is too narrow (dregad)
0022445: [ui] Manage users page does not show filters '0'-'9' as selected (atrol)
0022474: [administration] "Obsolete configuration" warnings when running admin checks (atrol)
0022499: [documentation] Document reuse of language strings (dregad)
0022501: [ui] Enhance layout of "View Issue Details" page (atrol)
0022505: [ui] Enhance layout of "Updating Issue Information" (atrol)
0022506: [attachments] Error updating project document (atrol)
0022423: [html] ID attribute for bugnote_text (community)
0022571: [html] Add ID attribute for bugnote_text textarea (community)
0022548: [ui] Remove unnecessary 'center' class from textarea in bugnote edit page (community)
0022541: [localization] Enhance wording in manage_config_email_page.php and manage_config_work_threshold_page.php pages (atrol)
0022572: [documentation] Wrong default value in documentation of "g_show_version" (atrol)
0022543: [ui] Open images in the browser rather than download them (vboctor)
0021552: [ui] My account preferences: move project list outside the form (cproensa)
0022473: [plug-ins] Avatars should respect image aspect ratio (community)
0022590: [ui] Broken javascript and missing footer in My View Page (cproensa)
0022593: [plug-ins] Broken Snippet plugin (vboctor)
0022598: [api rest] REST API Framework (vboctor)
0022599: [code cleanup] Use composer to pull in dependencies (vboctor)
0022600: [api rest] Enable plugins to publish their own REST APIs (vboctor)
0022601: [api rest] Support using REST API from Web UI Javascript (vboctor)
0022602: [api rest] Provide a sandbox for interacting with REST API using Swagger UI (vboctor)
0022617: [code cleanup] Unneeded CSS file calendar-blue.css (atrol)

Security fixes and maintenance release

0022555: [filters] Regression in custom field sorting (cproensa)
0022545: [markdown] Markdown still converting '& amp;' to & and '& lt;' to < (dregad)
0022392: [filters] Sorting all bugs list using a column header after applying a filter resets the filter (cproensa)
0022496: [filters] Permalink does not work with "Note By" (cproensa)
0022566: [filters] Filter error due to "view status" having an array value (cproensa)
0022613: [security] CVE-2017-7309: XSS in adm_config_report.php (dregad)
0022615: [security] CVE-2017-7241: XSS in move_attachments_page.php (dregad)
0022333: [markdown] Markdown starts heading in the middle of a line (joel)

Maintenance release for 2.2 series including security fixes.

0022246: [markdown] Markdown is converting '&' signs to (ampersand[amp;]) inside code block or backtick as well (joel)
0022497: [security] CVE-2017-6799: XSS in view_filters_page.php (dregad)
0022561: [security] CVE-2017-6797: XSS in bug_change_status_page.php (dregad)
0022442: [printing] System error when opening Print reports (dregad)
0022479: [administration] Can't edit a project's name changing only accents a on MySQL (dregad)
0022510: [installation] Attempting to connect to database as admin BAD despite valid userid and password (dregad)

A feature release that includes all fixes from 2.1.1 release listed above, some setup fixes, status colors visibility improvements, shed some unnecessary js/css and multiple improvements for relationships feature.

0022363: [relationships] Setting a duplicate id should update relationship with target issue if already exists (vboctor)
0021724: [ui] Improve visibility of status colors (syncguru)
0021881: [javascript] Remove jquery-ui is not longer used in Modern UI (syncguru)
0022256: [javascript] Unbundle JS libraris from Ace theme files (syncguru)
0022401: [installation] Installer displays horizontal blue line under "Checking installation" section header (dregad)
0022361: [relationships] Trigger notifications on related issues when an issue is deleted (vboctor)
0022400: [installation] Installer does not show "GOOD" status for DB connections (dregad)
0021796: [ui] inline attachments should be directly visible (dregad)
0022273: [javascript] Enable CDN support for dropzone.js (syncguru)
0022362: [relationships] Use bin icon instead of 'delete' button to delete relationships (vboctor)
0022360: [relationships] relationship_add() doesn't return bug relationship information (vboctor)
0022316: [code cleanup] Duplicate code to display the filter view type toggle menu item (dregad)
0022296: [code cleanup] Options in $g_public_config_names are not sorted (atrol)
0008313: [relationships] More work needs to move to Relationship APIs (vboctor)
0021897: [ui] Unaligned color coding of status (syncguru)
0021619: [code cleanup] Use constants instead of hardcoded values for filter view types (dregad)
0016933: [relationships] Deleting relationship should set target bug's last updated (vboctor)

A maintenance release for 2.1.x series

0022302: [filters] Permalink does not work with tags (cproensa)
0022266: [security] CVE-2017-7222: Sanitize window title (vboctor)
0022288: [bugtracker] Due date current value doesn't show in change status form (syncguru)
0022326: [time tracking] g_time_tracking_without_note has no effect (vboctor)
0022347: [filters] Filter allows to sort on non sortable fields (cproensa)
0022359: [ui] Enhance filter box UI (syncguru)
0022369: [filters] Recently Modified box on View Issues page does not display closed issues (cproensa)

MantisBT 2.1.0 feature release

0021935: [filters] Filter api refactoring, manage stored filters (cproensa)
0006823: [filters] Date filter should work with "last update", too (community)
0021618: [code cleanup] Duplicate code to determine the default view type (cproensa)
0017852: [filters] Tags is showing on its own row in filter box (cproensa)
0006732: [administration] Sorting issue lists isn't stable (each sort scrambles previous sort) (cproensa)
0021827: [filters] Displaying date filter values : month always displayed in text (english) (community)
0008626: [filters] Filter forgets custom date filtering (cproensa)
0021592: [filters] Unknown column 'mantis_bug_table.tags' (cproensa)
0021031: [filters] Rewrite the filter box form (cproensa)
0021032: [filters] Setting $g_filter_custom_fields_per_row to other than default can cause empty cells in filter box (cproensa)
0021044: [performance] my view page, $t_hide_status_default consitency (cproensa)
0006551: [customization] Manage custom filters (cproensa)
0021811: [filters] Advanced filter shows icorrect fields (cproensa)
0007708: [feature] Feature: multiple sorting of problem informations (cproensa)
0003803: [filters] Provide a way to update a saved filter (cproensa)
0021029: [bugtracker] Trigering a DEPRECATED error from the page body fails (cproensa)
0020882: [filters] Filter by date inputs are shown disabled (cproensa)
0020624: [filters] Filter shown inconsistent after changing from advanced to simple (cproensa)
0020493: [filters] Wrong hide_status value on column sorting (cproensa)
0006042: [filters] Switching to "Advanced Filters" hides "Hide Status" and ignores setting (cproensa)
0011007: [filters] After setting $g_view_filters = ADVANCED_ONLY in config_inc.php can still end up in simple filter mode. (cproensa)
0021814: [filters] plugin filter fields dont work with dynamic input (cproensa)
0019700: [filters] Filters table on the view_all_bug_page.php shows empty lines when $g_enable_profiles is set to OFF (cproensa)
0018045: [ui] Changed ordering of fields on View Issues page (cproensa)
0009301: [filters] Add support for updating a current filter (cproensa)
0009213: [filters] manage filter (cproensa)
0022175: [markdown] Markdown converting '<' within backticks to & lt; (joel)
0005731: [feature] search function for projects (vboctor)
0021551: [administration] Manage Users pagination loses filter letter (community)
0022209: [bugtracker] Adding a custom field to a project makes the filter for this project unusable (atrol)
0022172: [markdown] Markdown not displaying single line breaks (joel)
0022164: [markdown] Font for quoted string in markdown is too large (joel)
0011604: [change log] Versions marked as obsolete appear on change log page (vboctor)
0022221: [documentation] Documentation: update 'Database tables' section (dregad)
0022232: [email] Email verbose notifications should be OFF by default (vboctor)
0022206: [plug-ins] Improve documentation for plugins (dregad)
0022205: [plug-ins] Specifying plugin authors as array triggers 'Array to string conversion' (dregad)
0022204: [markdown] News headlines are parsed with markdown, though they should not be (vboctor)
0022179: [markdown] Markdown is eating apostrophe / single quote (joel)
0022237: [code cleanup] Remove references to 'register_globals' (dregad)
0022239: [ui] checkbox for personal setting "E-mail Full Issue Details" still using old style (dregad)
0022171: [plug-ins] Redefine plugin version requirements (dregad)
0022169: [attachments] File upload not working when $g_allowed_files is set (atrol)
0022113: [localization] translatewiki.net integration updates (dregad)
0022131: [timeline] Remove yellow background in timeline date range (dregad)
0017920: [markdown] Native markdown support (joel)

0021841: [installation] Minimum requirements for 2.x releases (dregad)
0020040: [security] Replace jscalendar by a newer widget (syncguru)
0022059: [ui] Missing leading zeroes in due date display (dregad)
0021927: [administration] System utilities page for moving attachments should support move all attachments (joel)
0021925: [ui] Incorrect text for the remove file button in the file upload dropzone (dregad)
0021965: [documentation] Section 2.2.2.1 Admin Guide: Misaligned row in Table (dregad)
0022064: [javascript] datetime picker does not work if 'cdn_enabled' is ON (community)
0021962: [ui] Due Date calendar icon wraps below the field (syncguru)

The second release candidate for 2.0.0 release. This release includes all the fixes in 1.3.4 release.

0021758: [administration] System utilities page for moving attachments not styled correctly in modern ui (joel)
0021840: [html] Add missing closing <div> in layout_api.php (syncguru)
0021854: [authentication] Re-authenticating when visiting manage page should re-use login page (vboctor)
0021861: [ui] Remove black bar from login page when it is empty (vboctor)
0021815: [code cleanup] print_button() has changed definition from v1.3 (cproensa)

We are excited to share with you a milestone for the 2.0.0 release by releasing the first release candidate. We encourage users to try out and give us feedback. Since 2.0.0-rc.1 and 1.3.3 share the same database schema, it should be easy to try them out side by side. Download it now or check it out at https://www.mantishub.com

0021727: [attachments] Show attachments inline with notes (vboctor)
0021651: [security] Dropzone has inline scripts in View Issue page (syncguru)
0021806: [attachments] Attachment dropzone missing from notes when user doesn't have access to set view state (vboctor)
0021829: [email] Fix $g_mail_priority disabling and default to disabled (vboctor)
0021669: [security] Charts have inline scripts (syncguru)
0021715: [mobile] Menu and buttons missing for mid size browser window (syncguru)
0021722: [attachments] Issues with '+' button to view attachments inline (dregad)
0021736: [ui] Display real name in breadcrumb div (atrol)
0021743: [attachments] Attach files dropzone is not working (vboctor)
0021754: [mobile] Main navigation has no action / does not expand when clicked on (syncguru)
0021794: [mobile] Hide 'View Issues' buttons on small screens (syncguru)
0021805: [javascript] Javascript errors on login page (community)

0020102: [ui] Support switching saved filters and free text search when filter box is collapsed (syncguru)
0021697: [ui] Clearer distinction between private and public notes (joel)
0021684: [ui] Account verify page layout broken (joel)
0021121: [ui] Project selection not usable with large number of projects (syncguru)
0021681: [ui] Breadcrumbs bar does not respect $g_show_realname (dregad)
0021603: [code cleanup] Publish full source code of ACE template (syncguru)
0021653: [reports] Graphs broken (vboctor)
0021682: [ui] "Operation successful" confirmation message partially hidden (dregad)
0021683: [ui] Standardize "operation successful" messages (dregad)
0021689: [code cleanup] Obsolete icon_path configuration (atrol)
0021710: [ui] Incorrect display on Bug report confirmation page (dregad)
0021704: [ui] Report Stay checkbox shows broken layout on action page (dregad)
0021721: [ui] Missing tooltips on issue id (dregad)
0021723: [bugtracker] Redirect to report page when creating a new issue with "report stay" checked (dregad)
0021726: [ui] Page bottom displayed behind Sidebar in API Tokens page (community)
0021728: [performance] Unneeded tooltip information on Summary page (dregad)

0021642: [ui] Highlight due date when the date has passed (syncguru)
0021112: [performance] Unneeded tooltip information on "My View" page (syncguru)
0021650: [security] Content-Security-Policy is disabled in 2.0.0-beta.1 (vboctor)
0021414: [customization] Config menu options don't show in main menu (vboctor)
0021111: [localization] Language strings contain double quotes (syncguru)
0021647: [filters] New to restyle 'filter deleted' page (vboctor)
0021644: [ui] Don't offer "My Account" in menu when being logged in as protected user (dregad)
0021114: [ui] Manage users page action buttons appears on 2 rows when showing 'Unused' (syncguru)
0021638: [ui] Tables in Workflow Transitions page seems deformed (syncguru)
0021622: [administration] Alert messages are not styled correctly (syncguru)
0021609: [news] Page broken after updating news (atrol)
0021602: [administration] Admin: "Upgrade your installation" shown even when schema is up-to-date (syncguru)
0021599: [ui] The test results in Admin Check results are no longer colored (dregad)
0021575: [reports] Graphs for enums (e.g. status) can break when an enum has 0 occurences (vboctor)
0021117: [ui] Plugin dependencies are no longer color-coded (syncguru)
0021405: [wiki] Wiki integration broken (vboctor)
0021400: [ui] Collapse settings are not saved by modern UI (syncguru)
0021398: [ui] My Account - Manage Columns actions page broken (syncguru)
0021397: [plug-ins] Plugin menu options don't show in main menu (vboctor)
0021224: [ui] Login and Signup buttons in top header don't work for anonymous users (vboctor)
0021223: [ui] "Report Issue" button on top toolbar should be hidden for VIEWER/anonymous users (vboctor)
0021139: [ui] Display of file type icon broken on print_bug_page (syncguru)
0021137: [ui] Questionable display of sub-projects in project menu bar (syncguru)
0021123: [ui] Waste of vertical space on "My View" page (syncguru)
0021119: [ui] Wrong alignment of field on "Summary" page (syncguru)

MantisBT 2.0.0 release focuses on improvements to the UI compared to 1.3.x release. As of this release, the db schema is the same between 1.3.x and 2.0.0-beta.1, enabling users to easily try 2.0.0-beta.1 and provide feedback.

0021214: [bugtracker] Update jQuery to 2.2.4 (community)
0020240: [ui] Footer issue: problem + solution (syncguru)
0008503: [feature] Have "send reminder" as a button rather than a not so visible link at the top of the issue (atrol)
0021115: [ui] Manage users page always shows filter '0' as selected (dregad)
0021140: [db schema] Remove DB2 support (atrol)
0020907: [ui] Report stay doesn't work in modern UI (vboctor)
0013879: [reports] Graph plugin uses hard coded font list; ignores any other (vboctor)
0021177: [reports] Jpgraph doesn't work (vboctor)
0021134: [relationships] Use of undefined constant when displaying relationship graphics (atrol)
0005851: [reports] X-Labels truncated in by Category Graph (vboctor)
0017493: [reports] Graphs are not working out of the box (vboctor)
0015246: [reports] JPGraph 3.5.x anti aliasing error in Ubuntu (vboctor)
0014232: [reports] Advanced summary bad display (vboctor)
0013160: [reports] Labels on x-axis in summary graphs too small and cropped (ezcLibrary) (vboctor)
0012967: [reports] Category jpGraph not displayed (vboctor)
0006663: [reports] I'm seeing three JPGraph-related problems (vboctor)
0007342: [reports] synthesis graphs by category: many "big" categories hide pie by legend (vboctor)
0007343: [reports] synthesis graphs by category: page not long enough for legend with a lot of categories (vboctor)
0007991: [reports] Graphs not centered (vboctor)
0010403: [reports] The legend on JPGraph graphs overlays the graph (vboctor)
0012159: [reports] By Developer, By Reporter and By date graph problems (vboctor)
0012384: [reports] Graph text being truncated (vboctor)
0012483: [reports] Jp graph not dispalying (vboctor)
0012725: [reports] Solution to "font file not readable/does not exist" seems not to work for JPGraph (vboctor)
0012825: [reports] Modern graphs using javascript graphing library (vboctor)
0013097: [reports] Graphs not working (vboctor)
0021220: [ui] Lost password form doesn't have labels or placeholder text (vboctor)
0021221: [ui] Fully localize drag and drop to attach (community)
0021217: [bugtracker] Use cross origin anonymous and check integrity when loading form CDN (community)
0021216: [bugtracker] Upgrade Bootstrap to 3.3.6 (community)
0021222: [ui] Drag and drop should honor 'allowed_files' config option (community)
0021215: [bugtracker] Update FontAwesome to 4.6.3 (community)
0017919: [ui] Modernize Mantis UI (syncguru)
0021131: [signup] Usage of undefined functions in verify.php (vboctor)
0021130: [tagging] Usage of undefined function html_page_bottom (syncguru)
0020182: [custom fields] wrong field name for custom field parameter (syncguru)
0020118: [ui] pen icon ancient (syncguru)
0020286: [javascript] Missing JavaScript libraries (syncguru)
0011671: [reports] 3 graphs couldnot display in the page of 'summary_jpgraph_page.php' (vboctor)
0019590: [attachments] Attach via drag-and-drop (syncguru)
0021279: [administration] Fix error when going to Manage - Workflow Transitions and clicking update (vboctor)

mantisbt - Change Log

mantisbt - 2.26.0

mantisbt - 2.25.5

mantisbt - 2.25.4

mantisbt - 2.25.3

mantisbt - 2.25.2

mantisbt - 2.25.1

mantisbt - 2.25.0

mantisbt - 2.24.5

mantisbt - 2.24.4

mantisbt - 2.24.3

mantisbt - 2.24.2

mantisbt - 2.24.1

mantisbt - 2.24.0

mantisbt - 2.23.1

mantisbt - 2.23.0

mantisbt - 2.22.2

mantisbt - 1.3.20

mantisbt - 2.22.1

mantisbt - 2.21.3

mantisbt - 1.3.19

mantisbt - 2.22.0

mantisbt - 2.21.2

mantisbt - 2.21.1

mantisbt - 2.21.0

mantisbt - 2.20.1

mantisbt - 2.20.0

mantisbt - 2.19.1

mantisbt - 1.3.18

mantisbt - 2.19.0

mantisbt - 2.18.1

mantisbt - 1.3.17

mantisbt - 2.18.0

mantisbt - 2.17.2

mantisbt - 2.17.1

mantisbt - 2.17.0

mantisbt - 2.16.1

mantisbt - 1.3.16

mantisbt - 2.16.0

mantisbt - 2.15.1

mantisbt - 2.15.0

mantisbt - 2.14.0

mantisbt - 2.13.2

mantisbt - 1.3.15

mantisbt - 2.13.1

mantisbt - 2.12.2

mantisbt - 2.13.0

mantisbt - 2.12.1

mantisbt - 2.12.0

mantisbt - 2.11.1

mantisbt - 2.11.0

mantisbt - 2.10.1

mantisbt - 1.3.14

mantisbt - 2.10.0

mantisbt - 2.9.1

mantisbt - 2.9.0

mantisbt - 2.8.1

mantisbt - 1.3.13

mantisbt - 2.8.0

mantisbt - 2.7.1

mantisbt - 2.7.0

mantisbt - 2.6.0

mantisbt - 2.5.2

mantisbt - 1.3.12

mantisbt - 2.5.1

mantisbt - 2.5.0

mantisbt - 2.4.2

mantisbt - 2.4.1

mantisbt - 2.3.3

mantisbt - 1.3.11

mantisbt - 2.4.0

mantisbt - 2.3.2

mantisbt - 2.3.1

mantisbt - 2.2.4

mantisbt - 1.3.10

mantisbt - 2.3.0

mantisbt - 2.2.3

mantisbt - 1.3.9

mantisbt - 2.1.3

mantisbt - 2.2.2