All Projects

ID Project Category Task Type Severity Summary Status Opened by Opened Progress
2159 Flyspray Backend/Core TODO High fresh registered user accounts created spam tasks Closed peterdd 04.07.2016
100%
2 Task Description

Today was the first time I saw real spam on bugs.flyspray.org

The 2 spam accounts registered today and started creating spam posts as new tasks.

What is the reason? Was it by real humans or bots?

So what can we do to reduce this in future?

Ideas for making it harder and unattractive for spammers:

  • Users who never opened a nonspam-task or contributed a useful comment should solve a captcha
  • Limit the creation of tasks for newly registered users or a user group, like limiting to 2 tasks or 1 task per user per day.
  • Settings for a more moderated task creation process? Like a quarantine dbtable for tasks?
  • If we closed such spam tasks with WTF? reason, it will still be listed by search engines like google at the moment:
  1. Move spam tasks to a ‘dumpster project’, that is not visible for guests (search engines!) too.
  2. Or make spamming to visible flyspray projects unattractive, let's set noindex for: closed task for some special reason id?
  3. Delete spam tasks from database if allowed by your organization

Update: another and this time more aggressive phone number spammer.

2195 Flyspray Backend/Core TODO High Release Flyspray 1.0-rc2/rc3/rc4 Closed peterdd 15.08.2016
80%
Task Description
  1. Edit includes/class.flyspray.php on github.com and set the correct version for the release there (remove the ' dev’ from the version string), commit as new branch e.g. 1.0-rc2
  2. Prepare a new release on https://github.com/Flyspray/flyspray/releases , write a summary of changes since last release, choose the branch you created in the previous step, save as “draft”.
  3. “Release” the Flyspray source on github when satisfied with layout
  1. Run buildscripts for different php versions (see comments at FS#2040)
  2. Upload the created .zip and .tgz files to https://github.com/Flyspray/flyspray/releases
  3. Edit the https://github.com/Flyspray/flyspray.github.io/blob/master/_docs/download.md and link the source and packaged .zip and .tgz files
  4. Write a new article with a summary of highlights of changes since last release for the www.flyspray.org frontpage on https://github.com/Flyspray/flyspray.github.io/tree/master/_posts/News
  5. Important: If all is nice and shiny: Update the version string on www.flyspray.org https://github.com/Flyspray/flyspray.github.io/blob/master/version.txt so admins of flyspray get informed a new Flyspray release is available now. For instance change from 1.0-rc1 to 1.0-rc4 if you are releasing Flyspray 1.0-rc4. Must be the exact version you set in includes/class.flyspray.php .
2452 Flyspray Backend/Core Bug Report High deprecated functions since PHP7.2 Closed peterdd 13.12.2017
100%
1 Task Description

Well, as everybody can see at the moment, someone (who? @floele ?) updated the server hosting bugs.flyspray.org to PHP7.2.x and now some ‘deprecated’-warnings are shown.
Edit: For example not working Flyspray 1.0-rc6 and older with the brand new PHP7.2:

  • shows deprecated info on top
  • shows deprecated info at every comment
  • tells task in work by other user when you want to save a task.
  • Uploaded files aren’t downloaded correctly (open a downloaded image with a hexeditor for example to see)
  • probably also scheduler (cronjob/schedule.php and sending emails affected)
2594 Flyspray Backend/Core TODO High pagination of user list Closed peterdd 23.02.2020
100%
1 Task Description

For Flyspray installations with many users (several thousands) a pagination of the user list in the admin area is required.

2000 users no problem to display (aside the PHP max_input_vars limit which is only 1000 by default, so maybe not all checked checkboxes are handled.)

More users might send your mysql to long running blocking queries creating temp tables … bad!

(I killed them by watching show processlist; and kill id; on mysql console.)

2624 Flyspray Backend/Core Bug Report High fatal error with PHP8 and syntax_plugin html (ckeditor) Closed peterdd 10.02.2021
100%
Task Description

The used get_class_methods($classname) function now throws an exception in PHP8 when the class does not exist (or couldn’t be found).

grep -rin4 get_class_methods 
class.tpl.php-1006-	public static function render($text, $type = null, $id = null, $instructions = null)
class.tpl.php-1007-	{
class.tpl.php-1008-		global $conf;
class.tpl.php-1009-
class.tpl.php:1010:		$methods = get_class_methods($conf['general']['syntax_plugin'] . '_TextFormatter');
class.tpl.php-1011-		$methods = is_array($methods) ? $methods : array();
class.tpl.php-1012-
class.tpl.php-1013-		if (in_array('render', $methods)) {
class.tpl.php-1014-			return call_user_func(array($conf['general']['syntax_plugin'] . '_TextFormatter', 'render'),
--
class.tpl.php-1036-    public static function textarea($name, $rows, $cols, $attrs = null, $content = null)
class.tpl.php-1037-    {
class.tpl.php-1038-        global $conf;
class.tpl.php-1039-
class.tpl.php:1040:        if (@in_array('textarea', get_class_methods($conf['general']['syntax_plugin'] . '_TextFormatter'))) {
class.tpl.php-1041-            return call_user_func(array($conf['general']['syntax_plugin'] . '_TextFormatter', 'textarea'),
class.tpl.php-1042-                                  $name, $rows, $cols, $attrs, $content);
class.tpl.php-1043-        }
class.tpl.php-1044-

Previously it just returned null as also documented on php.net! :-/
https://www.php.net/manual/en/function.get-class-methods :

In case of an error, it returns null.

So either php guys update their source code or documentation. Nevertheless a workaround is needed.
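One possible shape for such a workaround, as an added example that is not part of the original task and not Flyspray's own code: check the class with class_exists() before touching it, instead of relying on get_class_methods() returning null. The helper names formatter_callable() and render_text() and the stand-in class are hypothetical.

```php
<?php
// Constructed stand-in for a formatter class that a syntax plugin would define.
class dokuwiki_TextFormatter
{
    public static function render($text)
    {
        return '<p>' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</p>';
    }
}

/**
 * Hypothetical helper: return a callable for <plugin>_TextFormatter::<method>,
 * or null when the plugin name is malformed or the class/method is missing.
 */
function formatter_callable($plugin, $method)
{
    // The plugin name is configuration data that ends up in a class name,
    // so accept identifier characters only.
    if (!is_string($plugin) || !preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $plugin)) {
        return null;
    }
    $class = $plugin . '_TextFormatter';
    // class_exists() returns false for an unknown class on PHP 5, 7 and 8,
    // so nothing has to be silenced with @ or caught.
    if (!class_exists($class) || !method_exists($class, $method)) {
        return null;
    }
    $callable = array($class, $method);
    return is_callable($callable) ? $callable : null;
}

/** Hypothetical wrapper: use the plugin's render() or fall back to escaped text. */
function render_text($text, $plugin)
{
    $callable = formatter_callable($plugin, 'render');
    if ($callable !== null) {
        return call_user_func($callable, $text);
    }
    // Fallback when no formatter is available: escaped plain text.
    return nl2br(htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

echo render_text('<b>hi</b>', 'dokuwiki'), "\n";   // formatter class present
echo render_text('<b>hi</b>', 'html'), "\n";       // html_TextFormatter is not defined in this file
echo render_text('<b>hi</b>', 'bad name!'), "\n";  // rejected by the name check
```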

1952 Flyspray Backend/Core Bug Report Medium Funniest bug ever - shooting in the foot Closed peterdd 07.03.2015
100%
Task Description

Well, it sounds stupid, but testing also the stupidest things can show flaws..

Ok: If you are admin - even id 1 - you can change your own group from "Admin" to "Basic".

Imagine what happens after you saved the form. :-D

1960 Flyspray Backend/Core Bug Report Medium foreign key relations between versions and tasks New peterdd 09.03.2015
0%
2 Task Description

It seems that when deleting a version entry in a project, tasks that have this version assigned are still connected to this deleted version. For example FS#1222 (on 2015-03-09).

There are several options to solve such things:

  • Deny deletion of version as long as tasks assigned to this project version.
    • Either by doing a testing SQL query to check this case coded in PHP. Take care to keep this centralized, must also be respected by an eventually later added Flyspray API (XMLRPC or whatever).
    • add SQL foreign key constraints with ON DELETE RESTRICT
      • Pro: some business logic can be directly enforced by SQL.
      • Cons: higher requirements for hosting, if using mysql innodb tables must be available on the hosting
  • Move the tasks of this version to a default fallback version before deleting the version tag.
    • Either doing one transaction doing : 1. move the tasks to its fallback version, 2. delete the version
    • add SQL foreign key constraint with ON DELETE SET $fallbackversionid. Some pros & cons like on the denying option.

The same for other assignments for tasks.

This issue is similar to the massop issue: (https://github.com/Flyspray/flyspray/issues/130)

2012 Flyspray Backend/Core Feature Request Medium Managing Tags Planned peterdd 18.07.2015
70%
8 Task Description

Tags can only be added on the “new task” page, not managed on the “edit task”-page. done

  • The information when a tag is added or removed and by whom logged through flyspray_history table is still TODO.
  • The information when a tag is added by whom is visible when hovering over it in the task details view
  • Tags are now also searched by the submitted search string when doing a task search.
  • In addition to the project level ‘free tagging’ which allows users create new tag names there exists also a use_tags permission per project. This is currently only used on some of the appropriate locations.
2021 Flyspray Backend/Core TODO Medium guest performance task list bugs.flyspray.org Closed peterdd 02.08.2015
100%
51 Task Description

I see a big difference on viewing the task list on bugs.flyspray.org
as guest and logged in user(my project developer account):

guest: ~ 4-5 sec until first answers comes back (measured with browser builtin dev tools/firebug)
user: ~ 1 sec

Both tests done repeatedly and on different days, same result. So it is not database "warmup" related nor high load on the system.

Vague assumptions:

  • There are some builtin "caching" options (in filesystem and db table) in flyspray. But maybe it is not as efficient than no caching?
    1. > Different caching options must be compared with similar data as bugs.flyspray.org has.
  • Some underestimated index key issues for the data of bugs.flyspray.org. For instance there are no problems with a 20000+ task db, but only 1 user.
  • bugs.flyspray.org uses mariadb instead of mysql. (as I know, must ask if still after upgrade) performance test/measurement needed.
2026 Flyspray Backend/Core Bug Report Medium 'add a link' on comment broken Closed peterdd 12.08.2015
100%
1 Task Description

An added link in a comment seems to not be saved or shown after edit.

2089 Flyspray Backend/Core Bug Report Medium adding same taskid as subtask or related task should be... New peterdd 07.11.2015
50%
21 Task Description

Both is a bit illogical, but both is currently possible! ;-)

1 ←- 1

So when setting the parent task id, a check for creating loops is needed:

Loop with 2 tasks: 1 ←- 2 ←- 1

Loop with 3 tasks: 1 ←- 2 ←- 3 ←- 1
Loop with n tasks: 1 ←- ... ←- n ←- 1

As I think there are currently no recursive reads that could lead to an endless loop, but should be kept in mind when someone wants to program rendering a gantt chart.
E.g. by limiting the depth of subtasks for example.
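A sketch of the loop check and depth limit described in this task, as an added example that is not part of the original task or Flyspray's code. The function name parent_change_problem() and the in-memory map of task id to parent id are constructed for illustration; how Flyspray stores the relation is not assumed.

```php
<?php
/**
 * Hypothetical check run before storing a new parent for a task.
 *
 * @param array    $parentOf  constructed map: task id => parent task id
 * @param int      $taskId    task that gets a new parent
 * @param int|null $newParent requested parent task id (null = no parent)
 * @param int      $maxDepth  upper bound for the length of a parent chain
 * @return string|null 'self', 'loop', 'too_deep', or null when the change is fine
 */
function parent_change_problem(array $parentOf, $taskId, $newParent, $maxDepth = 50)
{
    if ($newParent === $taskId) {
        return 'self';                       // 1 <- 1
    }
    $seen = array();
    $current = $newParent;
    // Walk upwards from the requested parent towards the root.
    for ($depth = 0; $current !== null; $depth++) {
        if ($current === $taskId) {
            return 'loop';                   // 1 <- 2 <- ... <- n <- 1
        }
        if (isset($seen[$current])) {
            return 'loop';                   // stored data already contains a loop
        }
        if ($depth >= $maxDepth) {
            return 'too_deep';               // bounded, so the walk always terminates
        }
        $seen[$current] = true;
        $current = isset($parentOf[$current]) ? $parentOf[$current] : null;
    }
    return null;
}

// Constructed sample: task 2 is a subtask of 1, task 3 is a subtask of 2.
$parentOf = array(2 => 1, 3 => 2);

var_dump(parent_change_problem($parentOf, 1, 1));     // task 1 as its own parent
var_dump(parent_change_problem($parentOf, 1, 2));     // loop with 2 tasks
var_dump(parent_change_problem($parentOf, 1, 3));     // loop with 3 tasks
var_dump(parent_change_problem($parentOf, 4, 3));     // new leaf below task 3
var_dump(parent_change_problem($parentOf, 4, 3, 2));  // same change with a depth limit of 2
```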

2102 Flyspray Backend/Core Bug Report Medium strict ordering of tags required Closed peterdd 19.02.2016
100%
2 Task Description

When saving the tag list at admin and project area, the ordering of the tags must be recalculated.

So it is not more legal to have a list ordering like (0,0,0,1,3,4,7)

That should be recalculated and stored as (1,2,3,4,5,6, 7) (or 0,1,2,3,4,5,6)
currently in file includes/modify.inc.php

Why?

The SQL for the tasklist uses currently GROUP_CONCAT (and an equivalent syntax for postgres) that groups by list_tag.list_position.
Well, we could just ‘group by’ the tag_id too, but with list_position value we can show the most important tags first.

3 times, and that 3 result fields must be in the same order. (tag id, tag name, tag class field)

Also that sql-query part there needs a little modification, but first fix that strict ordering.

Alternative

Don’t use group_concat() or similar for list_tag.tag_name or list_tag.class. Instead load an indexed array once per http request and only when needed.

For instance as function within class.flyspray.inc.php:

        /**
         * load all tags into array
         *
         * compared to listTags of class project, this preloads all tags in flyspray database
         * ideally maximal called once per http request, then using the array index for getting info
         *
         * @return array
         */
        public static function getAllTags()
        {
                global $db;
                $at=array();
                $res = $db->query('SELECT tag_id, project_id, list_position, tag_name, class, show_in_list FROM {list_tag}');
                while ($t = $db->fetchRow($res)){
                        $at[$t['tag_id']]=array(
                                'project_id'=>$t['project_id'],
                                'list_position'=>$t['list_position'],
                                'tag_name'=>$t['tag_name'],
                                'class'=>$t['class'],
                                'show_in_list'=>$t['show_in_list']
                        );
                }
                return $at;
        }

in scripts/index.php in function tpl_draw_cell():

function tpl_draw_cell($task, $colname, $format = "<td class='%s'>%s</td>") {
  global $fs, $db, $proj, $page, $user, $alltags;
...
  case 'summary':
...
    if($task['tagids']!=''){
                        # if global $alltags are yet undefined, preload the tags now.
                        if(!is_array($alltags)) {
                                $alltags=$fs->getAllTags();
...
 foreach($tagids as $tagid){
                                $tgs.='<i class="tag t'.$tagid
                                        .(isset($alltags[$tagid]['class']) ? ' ' .htmlspecialchars($alltags[$tagid]['class'], ENT_QUOTES, 'utf-8') : '').'" title="'.htmlspecialchars($alltags[$tagid]['tag_name'], ENT_QUOTES, 'utf-8').'"></i>';
                        }
2119 Flyspray Backend/Core Bug Report Medium function filter_input not always available Researching peterdd 15.04.2016
0%
Task Description

filter_input() is in extension “Filter”.

It is enabled by default since PHP5.2, see http://php.net/manual/en/migration52.new-extensions.php but not “always”, see https://groups.google.com/forum/?hl=de#!topic/flyspray/QM75BvwPqGM

filter_input() is only used at 1 section in Flyspray (since 2014 up to v1.0rc1) in includes/fix.inc.php
This is the commit https://github.com/Flyspray/flyspray/commit/40861911260812c99682fe3456350cb63bb243a9

How do we solve it? Several possibilities:

2120 Flyspray Backend/Core Bug Report Medium anonymous task creation in restricted project not possi ... Closed peterdd 19.04.2016
100%
2 Task Description

with this general project settings for everyone (users and anon):

Project is active ('project_is_active'): yes
Allow anyone to view tasks of this project ('others_view'): no
Allow anyone to view roadmap of this project: no 
Allow anonymous users to open tasks: yes
  1. Project is not selectable from Project drop down list with this settings, but should.
  2. The can_view_project permission is currently a calculated value, currently using ‘others_view’ permission for guests.
  3. Review where can_view_project() permission is used to limit access.
  1. Evaluate if “Allow anonymous users to open tasks”- perm make can_view_project()-permission true is sufficient.
  2. Or just use the “Allow anonymous users to open tasks”- perm at the relevant places. (I tend to prefer this, because of very limited places.)
  1. TODO: Maybe move
Allow anyone to view tasks of this project: no
Allow anyone to view roadmap of this project: no 
Allow anonymous users to open tasks: yes

from ‘Preferences’ project settings tab to the ‘User Groups’ project settings tab. So everything permission related is at one place.

I think the problem is within index.php, put in with commit https://github.com/Flyspray/flyspray/commit/651f09801a35533205971cf322483a0e52ad0a1d

An anon user cannot pass behind these code lines:

// make sure people are not attempting to manually fiddle with projects they are not allowed to play with
if (Req::has('project') && Req::val('project') != 0 && !$user->can_view_project(Req::val('project'))) {
    Flyspray::show_error( L('nopermission') );
    exit;
}

But before just removing the “exit;” here, needs to review if anon users cannot trigger bad actions.

2121 Flyspray Backend/Core Bug Report Medium 'my assigned tasks' uses like %?% search instead of use... Confirmed peterdd 19.04.2016
90%
32 Task Description

Problem: https://github.com/Flyspray/flyspray/pull/552

The button ‘My assigned tasks’ should search only by userid, not in username or realname with the LIKE ‘%...%’ operator.

Currently the button is using the same as doing an advanced search filling the ‘Assigned To’ input field. (currently ‘dev’ param) But that search param searches in userid, username and realname.

Edit: Implemented simpler solution: if param is digits only, then search by userid, otherwise by username and realname if that param exists.

2213 Flyspray Backend/Core Bug Report Medium fix warnings with PHP7 Closed peterdd 17.10.2016
100%
Task Description

There are still some warnings about deprecated constructors when Flyspray runs with php7.

2313 Flyspray Backend/Core Information Medium different composer.json for different php versions? Closed peterdd 17.11.2016
100%
Task Description

I still struggle with composer.json for doing Flyspray builds with included 3rd party libs for different PHP versions.

It is annoying composer.json is just an array, no comments, no conditionals
- and I’m still noob with composer and phpunit stuff.

Main source of problem: oauth2-client and guzzle breaking compatibility with PHP5.3 and PHP5.4

PHP5.3 oauth2-client 0.3 with additional patches (peterdd), guzzle 3.*
PHP5.4 oauth2-client 0.12.1, guzzlehttp ???
PHP5.5 oauth2-client 1.*, guzzlehttp >=6.2.1
PHP5.6 oauth2-client @stable, guzzlehttp >=6.2.1
PHP7 oauth2-client @stable, guzzlehttp >=6.2.1

Any suggestions how to solve this?

Do we really have to maintain different flyspray source trees just with different composer.json files???
Or backport oauth2-client to PHP5.3 and PHP5.4 and use our versions in composer.json (no manpower for this)

Also the oauth2 stuff is not tested at the moment, so OAuth2 for Flyspray could be broken for some PHP versions.

2332 Flyspray Backend/Core Bug Report Medium CSV export filename filtering New peterdd 24.01.2017
0%
2 Task Description

The filename for the csv export is built based on project name and current date.

Due to different handling by web browsers, the appropriate http header should send the filename in ascii and also provide it as utf-8 for web browsers that can handle that.

Related RFC5987
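What such a header could look like, as an added example that is not part of the original task or Flyspray's code: an ASCII-only filename parameter plus the RFC 5987 filename* parameter carrying the UTF-8 name, with control characters removed before anything reaches the header. The function name csv_content_disposition(), the 'export' default and the sample project names are constructed.

```php
<?php
/**
 * Hypothetical builder for the Content-Disposition header of a CSV export.
 *
 * @param string $projectName project name as stored (expected to be UTF-8)
 * @param string $date        date part of the filename, YYYY-MM-DD
 * @return string             complete header line
 */
function csv_content_disposition($projectName, $date)
{
    // Invalid UTF-8 would produce undefined bytes in the header: use a default.
    if (!is_string($projectName) || !preg_match('//u', $projectName)) {
        $projectName = 'export';
    }
    // Control characters, CR and LF included, must never reach a header line.
    $clean = trim(preg_replace('/[\x00-\x1F\x7F]+/u', '', $projectName));
    if ($clean === '') {
        $clean = 'export';
    }
    // The date is expected to be generated by the server; verify it anyway.
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $date)) {
        $date = date('Y-m-d');
    }
    $name = $clean . '-' . $date . '.csv';

    // filename="...": ASCII fallback, every other character becomes "_",
    // so no quote, backslash, slash or semicolon can end the quoted string.
    $ascii = preg_replace('/[^A-Za-z0-9._-]/u', '_', $name);

    // filename*=: RFC 5987 ext-value, charset'language'percent-encoded bytes.
    // rawurlencode() leaves only A-Z a-z 0-9 - _ . ~ unencoded, all of which
    // are allowed unencoded in an ext-value.
    $extended = "UTF-8''" . rawurlencode($name);

    return 'Content-Disposition: attachment; filename="' . $ascii
        . '"; filename*=' . $extended;
}

// Constructed sample project names.
$samples = array(
    'Flyspray',
    'Prüfstand "A"',
    "Projekt\r\nX-Injected: 1",   // line break inside the name is removed
    'テスト/計画',
);
foreach ($samples as $projectName) {
    echo csv_content_disposition($projectName, '2017-01-24'), "\n";
}
```

A real export would pass the returned line to header() before any output is sent.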

2441 Flyspray Backend/Core Bug Report Medium refactor dokuwiki image tags New peterdd 15.09.2017
0%
Task Description
I’ve tried inserting an image in the intro message but it doesn’t show. Is there something broken in the formattext.inc file? Seems unlikely because it’s so old but can’t work out why nothing shows.
Alan

I had to disable some parts last year within dokuwiki quickly due sever reported security issues in that area.

As tradeoff embedding images currently don’t work within dokuwiki textareas in Flyspray.

As I too wish that feature reappear working for my projects, this is on my personal list. But requires focused free time because must be made secure.

Maybe instead of using fetch.php of dokuwiki, we can use Flyspray’s ?getfile=id , which also checks permissions.
But must check also securely file types and maybe resize images to fit into the desired page (thumbnails).

2453 Flyspray Backend/Core Bug Report Medium validate category before storing a new task New peterdd 14.12.2017
0%
Task Description

Currently the category_id is not checked if the value is legal for the project when a new task is created.

  • must be unsigned int
  • must be an active category_id of the project or global category.
  • setting a category_id must be allowed - see project settings.

If invalid category_id is sent, deny creating task and show error message and show filled form again.

If no category_id is sent (or empty string) and category select is enabled:

  • either choose a default category

or

  • implement feature request FS#2451 and show that user should select a category.
2532 Flyspray Backend/Core Bug Report Medium spaces before or after a single word search gives too m ... Closed peterdd 11.01.2019
100%
1 Task Description

Spaces before or after a task search string gives too many results in the tasklist.

Example search strings:

test (space after word test)
 test
 test (space after word test)

Found this on bugs.archlinux.org, but also current 1.0-rc7 has this problem.

2536 Flyspray Backend/Core Feature Request Medium store session in Flyspray database New peterdd 21.01.2019
0%
2 Task Description

Currently the sessions are stored by the webservers default settings.

Having these sessions under control by Flyspray by storing them in the database has the following advantages:

  1. Allows handling of all sessions of a user by Flyspray.
  2. Providing a session management for each user. The user can see on which devices he is currently logged in and could also force a logout on selective devices.
  3. A forced logoff of all or some user sessions is easy implementable for admins.
  4. Statistics about how many users and who is logged in. (user status: hide always, online, offline, do not disturb, ..)
  5. Could make onpage-notifications easier to implement.
  6. .. ?

Disadvantages:

  1. A potential unknown security bug in Flyspray that could lead to reading a session db table could leak information like who is currently online/active and make further attacks more focused or make session takeover easier.
  2. .. ?
2620 Flyspray Backend/Core TODO Medium PHP8 compatibility New peterdd 26.11.2020
50%
2 Task Description

PHP 8.0 is now released (2020-11-26) and Flyspray should be made compatible with it.

  • Replace removed and deprecated functions with alternatives in our source code.
  • Upgrade used libraries or make used libraries compatible:
    • post github issue or pull requests for ADODB
    • upgrade used dokuwiki or make changes in our integration (probably just review our as official dokuwiki project contains too much stuff we do not need and changed much)
    • review used geshi
    • upgrade our swiftmailer version to PHP8 compatible version
    • upgrade our oauth2-client stuff to PHP8 compatible version
  • The @ operator no longer silences fatal errors. Some checks in installer or other areas might not work anymore as expected when the @-operator was used as silencer for previous PHP versions.
2644 Flyspray Backend/Core Feature Request Medium mark specific task as spam and punish user account who ... New peterdd 08.07.2021
0%
Task Description

For users with administrative permissions, a moderation UI for spam tasks could be useful.

For other normal users a “mark as spam”-button (similar to voting for a task) could help moderators to identify spam tasks.

  1. Modify the spam task: Move to a hidden “Trash” project, replace summary and description with a default spam summary text and empty description.
  2. The decision which kind of punishment of the account who created the spam depends on several things:
    • Is it a previously normal used account who got captured by a bad guy and suddenly started spamming?
    • Is it a fresh bot created account who tried creating many spam tasks to promote bad websites or do search ranking manipulation?
    • Is it a sneaky smart account who waits for the opportunity to offload spam in a subtle manner?

I think this is not so easy to automate without producing false positives, especially for a project without commercial interest and funding and no huge meta information like Google or similar data collecting corporations who have the ability to identify spam waves across the internet.

1869 Flyspray Backend/Core Bug Report Low personal language settings Closed peterdd 04.07.2013
100%
1 Task Description

It should be possible to switch the User Interface language for users. Just connect it with the current session of users.

And the preferred language should be an option in the profile details of registered users.

1953 Flyspray Backend/Core Bug Report Low do form actions first, then build the answer page Closed peterdd 07.03.2015
100%
2
1962 Flyspray Backend/Core Feature Request Low SMS notification - sending notifications via sms same a... New peterdd 11.03.2015
0%
2
1963 Flyspray Backend/Core TODO Low Review/Test current source for 1.0 with .htaccess Rewr ... Closed peterdd 11.03.2015
100%
3
1971 Flyspray Backend/Core Feature Request Low a field like challenge level or doom level New peterdd 12.03.2015
0%
1982 Flyspray Backend/Core Bug Report Low double entries in assignees list New peterdd 20.03.2015
80%
3
2005 Flyspray Backend/Core Feature Request Low one account, several authentications New peterdd 18.07.2015
0%
2007 Flyspray Backend/Core Bug Report Low time on project overview activity timelines New peterdd 18.07.2015
0%
2011 Flyspray Backend/Core Feature Request Low last modified table sorting Closed peterdd 18.07.2015
100%
2022 Flyspray Backend/Core Feature Request Low default or auto options for some settings New peterdd 03.08.2015
0%
1
2029 Flyspray Backend/Core Feature Request Low possibility to let a user describe himself New peterdd 12.08.2015
0%
1
2037 Flyspray Backend/Core Bug Report Low Task closing reason not mouse selectable Closed peterdd 21.08.2015
100%
51
2050 Flyspray Backend/Core Bug Report Low test task Closed peterdd 10.09.2015
100%
2053 Flyspray Backend/Core Bug Report Low ambiguous user name display username / realname New peterdd 17.09.2015
0%
2
2054 Flyspray Backend/Core Feature Request Low Fields for csv export choosable like for task list New peterdd 17.09.2015
0%
1
2055 Flyspray Backend/Core Bug Report Low Make the csv export table fields respect the user permi... New peterdd 17.09.2015
0%
2056 Flyspray Backend/Core Feature Request Low Do not do pagination on csv export Closed peterdd 17.09.2015
100%
2057 Flyspray Backend/Core Bug Report Low Do not resubmit forms on browser reload button or F5 New peterdd 22.09.2015
0%
1
2058 Flyspray Backend/Core Bug Report Low Closing of github.com 'Issues' feature New peterdd 24.09.2015
0%
2059 Flyspray Backend/Core Feature Request Low usage of github automated/webhook notifications New peterdd 24.09.2015
0%
2073 Flyspray Backend/Core Bug Report Low Couldn't edit comment of anonymous reporter New peterdd 17.10.2015
0%
2090 Flyspray Backend/Core Bug Report Low dokuwiki code /e modifier deprecated .. Closed peterdd 10.11.2015
100%
2104 Flyspray Backend/Core Bug Report Low filtering by one user on tasks with multiple assignees ... New peterdd 26.02.2016
0%
2
2137 Flyspray Backend/Core Bug Report Low feature accesskey bad implemented by web browsers New peterdd 15.06.2016
0%
2190 Flyspray Backend/Core Feature Request Low enable move of a closed task to other project without ... Researching peterdd 06.08.2016
0%
2436 Flyspray Backend/Core Bug Report Low dokuwiki renderer creates nonunique html-id for h1,h2,h... New peterdd 02.08.2017
0%
21
Showing tasks 1 - 50 of 136 Page 1 of 3