Flyspray

Yes, but please keep dokuwiki syntax here.

And please look how the secure session cookies on bugs.flyspray.org were implemented as this is currently not in github dev.
(hope Jordon or Psycho reached the guy who did it)

Do you mean that there's something very important missing from our codebase?

Don't we want to wait until beta at least for update? I'll ask access to update, or Jordan will do it. @peterdd We'll send you a copy of this FS if that's ok for you?

Yes, I can take a look. Send at my email please.

@jouni: bugs.flyspray.org uses the secure cookie feature, but there isn't anything for that in github code yet. So this install here is a customized version.

I just added the possibility for that setting in github code (well, its just a wrapper around a builtin php function) and set only the httponly option.
So we cannot just take the github version here until secure cookie feature usage/setting is also implemented in github dev code.
It can be a bit tricky to test, because server needs SSL/TLS certificate, http server settings.. .

Further todos for going https:

• selfhosting the font files and its css (font-awesome)
• check that there aren't mixed contents https/http on pages.

Lowered severity and priority after seeing quirks with new user registrations and email receivings.

This must be addressed first.

Actually I tested on my install, and weirdly, If I disallow task viewing for visitors, they see only certain tasks that have certain states. Must test further

And another bug at upload avatar image on bugs.flyspray.org:

Warning: move_uploaded_file(/srv/www/vhosts/*/avatars/69b5b4bf6c.jpg): failed to open stream: Permission denied in /srv/www/vhosts/*/includes/modify.inc.php on line 1243

Warning: move_uploaded_file(): Unable to move '/tmp/phpBtgmH6' to '/srv/www/vhosts/*/avatars/69b5b4bf6c.jpg' in /srv/www/vhosts/*/includes/modify.inc.php on line 1243

Warning: getimagesize(/srv/www/vhosts/*/avatars/69b5b4bf6c.jpg): failed to open stream: No such file or directory in /srv/www/vhosts/*/includes/modify.inc.php on line 36

Warning: Division by zero in /srv/www/vhosts/***/includes/modify.inc.php on line 38

...more warnings...

Can someone check that an anonymous group actually exists and is global, ie. belongs to project 0? Otherwise, now that rights check is done with SQL, the following assumption in the query might not hold true:

– Global group always exists
JOIN ({groups} gpg

  JOIN {users_in_groups} gpuig ON gpg.group_id = gpuig.group_id AND gpuig.user_id = ?		

) ON gpg.project_id = 0

I'll update my installation here at work as soon as possible and do some testing.

I can say that in my installation it doesn't exist. Needs checking here

Pull request already made for temporary fix. Have to think those anonymous users a bit more.

Added securecookies config option.

https://github.com/Flyspray/flyspray/pull/323

Please test if that works for your https server / hosting environment / php version combo.

The last 10% are the problem of admins/maintainer of the server bugs.flyspray.org because of handmade modifications. Edit: Just change parameter passwdcrypt in flyspray.conf.php .