Flyspray

Got "wrong token" on creating a task whose form were open for a while in browser tab.

That means probably the session timed out on bugs.flyspray.org, so the anti csrf token doesn't existed anymore on the webserver.

It would'nt be a big problem if the browser backbutton works showing the ready written form again, but it was empty.

One solution would be temporarly storing it offline in the browser storages which are available with html5. But open for other simpler solutions..

It's old. There has been a newer version 2.0. Even that one is not supported anymore, although some documents still remain available. The calendar component relies on its language translations files to be complete, or it breaks. Unfortunately, as I found out a few weeks ago, they are not, after switching the default language from english to my native one. Without having a good replacement for it, some of the translations for flyspray itself we've been getting lately are half-way unusable. Not for an ordinary user, but for anyone actually having to edit a task and its due date.

public static function absoluteURI($url = null, $protocol = null, $port = null)
in
class Flyspray

not using basedir and force_basedir from configuration file

its problem because my web-server inside have port 7777 and outside 80 (nginx and PHP-FPM)

please fix it

this one is somehow tricky, it doesn't happens always but sometimes when fields or filenames contain national characters (I'm in Spain) flyspray returns an error looking like this one:

Query {INSERT INTO `flyspray_attachments` ( task_id, comment_id, file_name, file_type, file_size, orig_name, added_by, date_added) VALUES (?, ?, ?, ?, ?, ?, ?, ?)} with params {189,711,189_9c5d837bb10b7e0989a3c8be8d,application/pdf; charset=binary,736986,Guia de aplicación medidas difusicón y publicidad.pdf,4,1441827828} Failed! (Incorrect string value: '\xCC\x81n me...' for column 'orig_name' at row 1)

here we have a pdf named "Guia de aplicación medidas difusicón y publicidad.pdf" but I had this error also with titles or descriptions containing spanish letters...

Currently, if there are no public project, the anonymous users gets a blank page not very useful. It will be a good idea to have a global configuration parameter to display some customizable-page or maybe the login form instead.

With the existence of now two peoples named “Peter” on bugs.flyspray.org (I - peterdd , and PeterTheOne)
there are several places where the full names are display instead of usernames and the user can’t know who is which “Peter” until he visits the users profile page.

Different solutions possible:

• more profile image/gravatar usage where user names are shown, on mouseover link title attribute shows username and realname
• display user name (username) instead of full name (realname)
• display full name and username (where much space available and precision needed)
• …

When adding the mention feature, the username will be probably the prefered setting as the username is unique but the realname not.

Currently the task list columns are used, which are choosed by admin or project manager for the task list view.

Just moved issue #110 from https://github.com/Flyspray/flyspray/issues/110 to here for centralized task tracking.

Maybe just needs testing with current github master.

On some forms, when the user presses the reload button of this browser, the POST submit can be resubmitted.

Browsers can warn about this (Chromium, Firefox, Konqueror tested and they show a warning dialog) before executing the second POST.
But people on Flyspray mailing list wrote they experienced double comments.

Simple solution is just HTTP GET redirects after a successful POST. (HTTP 303 or HTTP 302)
But maybe there is a better method than a second roundtrip always needed?

Success, Error, or Warn-messages to the user are stored in the $_SESSION variable for displaying on the second GET request.
But I think that this is a bit ... mmh... not perfect.

For example, I would like to have in the direct response at which position in a form an input error is, not just the message bar in the top center as it is currently that just dissappear after a few seconds.

Also take care the browser back button still works as expected for the user.

As discussed with the team some time ago, a consolidation of places where issues are discussed is wanted.

One of the results was, that we do not want people post issues to github.com Issues and instead use our own bugs.flyspray.org
and to prefer "to eat our own dogfood" and a have central place to handle tasks.

As a result we tried to reduce the open issueas on github.com. I was in the process of moving 2 of still 7 open issues there to bugs.flyspray.org when suddenly the Issues on github.com were closed. Now the last 5 issues there are lost at the moment for me and the audience, which where mostly informations to interested users, not bugs.

I think just closing it without an easy accessible alternative is not the best solution.

At least we should wait until the oauth2 authentication for github users should be implemented and setup on bugs.flyspray.org , so people browsing github.com, finding Flyspray project just can
"Login with github"-feature on bugs.flyspray.org.

The blocker to do this: Currently there is missing an option to "connect" an oauth "Login with github"- Login with an existend flyspray userlogin.

So that one userid in flyspray can:

• login with username and password
• login with one or more of his social accounts (github, facebook, microsoft, g+) if they are enabled (would it restrict to github.com accounts for bugs.flyspray.org)

We have no API yet for Flyspray.

But someone could write a simple php-file that can be called by a github.com auto notification, whenever:

• a commit on github.com for Flyspray/flyspray is made

Github.com provides the configuration of such notification for a possible target like

https://bugs.flyspray.org/api/github.php

or

https://bugs.flyspray.org/api/github.php?project=1

in the settings of a project.

What the file needs:

• import some of the existing Flyspray classes from includes/
• config or load the secrets that are provided by github.com in the setup for the automatic notification
• check that secrets and more for authentication and authorization of requests coming from github.com
• parse the messages for Flyspray identifiers like ' FS#1234 ' or 'fix  FS#1234 ' or 'related to  FS#1234 '
• take actions on the results of that message parsing like making adding comment or modifying a task status

My version of PHP still shows deprecation warnings with flyspray.

Deprecated: mysql_connect(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead in /var/www/flyspray.itiab.co.nz/htdocs/adodb/drivers/adodb-mysql.inc.php on line 353

Have all mysql.connect instances been removed? The connect will be removed from PHP soon and will cause problems.

I wanted edit/fix the comment of an anonymous reporter, but the edit shows empty content on editing..

(here on closed, but non yet implemented  FS#218 )

Hi,

I can’t see the Editor when I make new task. Also when I editing a exciting task.

See nothing to put any HTML code in it. Can you help me!?

I use this version: Flyspray 0.9.9.7

Can you add an option to force HTTPS ?

Thx.

If you have a tasklist with tasks that have multiple assignees in a task and you search just by one of the assignees, the resulting tasklist shows only this user in the assignees column.

Expected: all assignees of the tasks are shown.

Today I got first SPAM on bugtracker.

Question: Is it possible to enable CAPTCHA for anonymus task add?

Question 2: Is it possible to delete SPAM tasks.

filter_input() is in extension “Filter”.

It is enabled by default since PHP5.2, see http://php.net/manual/en/migration52.new-extensions.php but not “always”, see https://groups.google.com/forum/?hl=de#!topic/flyspray/QM75BvwPqGM

filter_input() is only used at 1 section in Flyspray (since 2014 up to v1.0rc1) in includes/fix.inc.php
This is the commit https://github.com/Flyspray/flyspray/commit/40861911260812c99682fe3456350cb63bb243a9

How do we solve it? Several possibilities:

• Do we really need this calls here? What “bad input” is filtered here?
• Test if the extension is enabled at install/update tests/screens.
• use function_exists() test at every request ( similiar to the source code before https://github.com/Flyspray/flyspray/commit/40861911260812c99682fe3456350cb63bb243a9 )

Edit by peterdd: renamed task summary

Affected versions: at least Flyspray 0.9.9(.7/*?) up to Flyspray 1.0 RC1

Original report: Title ‘Problem regarding 0.9.7 (1.0) to 1.0 RC-1 update’

I tried to update BT from modified version (database in original state) 0.9.7 to 1.0 RC-1 but I got strange error.

PHP is 5.6.

I try to use:
Precompiled with 3rd party libs for PHP5.6

and was doing as was written on upgrade procedure.

Strange is that “D:\SShopBT\includes\class.flyspray.php” there are errors regarding writtable path... Because the path is correct and all other Joomla and Wordpress web sites are working correctly..

After upgrade web site do not work att all. Login not working - just get error. So I must reverse (use backup) database and files.

Server is Windows Server and IIS (Internet Information Services)..

Complete error was (also seen in screenshot):

Warning: is_writable(): open_basedir restriction in effect. File(C:\PHP-temp) is not within the allowed path(s): (D:\) in D:\SShopBT\includes\class.flyspray.php on line 1162 
Warning: is_writable(): open_basedir restriction in effect. File(C:\PHP-temp) is not within the allowed path(s): (D:\) in D:\SShopBT\includes\class.flyspray.php on line 1164 
Warning: is_dir(): open_basedir restriction in effect. File(C:\Windows\TEMP\e865fa2fdfc11dbb32cc6262d247e766) is not within the allowed path(s): (D:\) in D:\SShopBT\includes\constants.inc.php on line 82 
Warning: Cannot modify header information - headers already sent by (output started at D:\SShopBT\includes\class.flyspray.php:1162) in D:\SShopBT\header.php on line 14 
Warning: Cannot modify header information - headers already sent by (output started at D:\SShopBT\includes\class.flyspray.php:1162) in D:\SShopBT\header.php on line 15 
Warning: Cannot modify header information - headers already sent by (output started at D:\SShopBT\includes\class.flyspray.php:1162) in D:\SShopBT\header.php on line 16 
Warning: session_start(): Cannot send session cookie - headers already sent by (output started at D:\SShopBT\includes\class.flyspray.php:1162) in D:\SShopBT\includes\class.flyspray.php on line 893 
Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at D:\SShopBT\includes\class.flyspray.php:1162) in D:\SShopBT\includes\class.flyspray.php on line 893 
Warning: Cannot modify header information - headers already sent by (output started at D:\SShopBT\includes\class.flyspray.php:1162) in D:\SShopBT\index.php on line 93 
Warning: Cannot modify header information - headers already sent by (output started at D:\SShopBT\includes\class.flyspray.php:1162) in D:\SShopBT\index.php on line 94 Headers are already sent, this should not have happened. Please inform Flyspray developers.

Moving task to another project seems to require fields updated to target project options. This operation is not possible on the task category field and possibly others. Attempting to submit changes gives error:

“Oh, there are some incompatible properties set that must be resolved before moving this task to a different project.”

However, you cannot select a new value (from the target list) for the properties in question.

My tests showed that the html accesskey feature is not well and consistent supported by current web browsers and is quite cumbersome to use.
And it seems it will not be better in future..

The only solution I see dropping that feature or replacing them with simple single-key-event javascript listeners, like it is currently done with keys o, j, k, n, and p.

accesskeys in Flyspray I talk about:

• l (current SHIFT+ALT+l Firefox) login dialog / logout
• a (current SHIFT+ALT+a Firefox) add new task
• m (current SHIFT+ALT+m Firefox) my searches
• t (current SHIFT+ALT+t Firefox) focus taskid search
• e (current SHIFT+ALT+e + Enter Firefox) edit task
• x or y? (current SHIFT+ALT+y Firefox) close task
• s (current SHIFT+ALT+s Firefox) save task

Also related to Keyboard navigation: tabindex

I run flyspray behind a reverse proxy with the front end url being https and with the actual back end server not being on a standard port and not using https.

Setting force_baseurl seems to sort most areas with flyspray’s url generation using that instead of picking up from $_SERVER, however post-authentication redirection does not do that it just processes redirect_to as is (which in my case means it picks up the protocol, name and port for the back end server rather than what’s set in force_baseurl).

./themes/CleanFS/templates/loginbox.tpl puts out $_SERVER[’REQUEST_URI‘] into a hidden redirect_to input field - on my setup on the front page that’s e.g. “/” or for a ticket url it would be “/index.php?do=details&task_id=999” so no protocol or hostname.

scripts/authenticate.php picks up that redirect_to value and just passes it to Flyspray::Redirect, which in turn calls FlySpray::absoluteURI on what it’s passed, and FlySpray::absoluteURI doesn’t use $baseurl to qualify the url.

Not sure what the best fix is - my suggestion would be that Redirect detects urls that aren’t fully qualified and adds the $baseurl on to the front of them, rather than calling absoluteURI (absoluteURI is used to set $baseurl if force_baseurl is unset, so that’s not appropriate to modify). Alternatively scripts/authenticate.php could check redirect_to and add $baseurl if needed.

If a task creator requested closure, and someone (developer) closes the task explicitly, the PM request cannot be later ‘accepted’ and the PM request remains in the queue.

Workaround - Deny request and queue item is removed OK.

It looks like the PM request button invoked details.close which returns early if task is already closed.

Flyspray should show a warning, and maybe set the focus back to the field (only when it is a this-one-field-only-form.)

Problem: By replacing just the project_id of the closed task it is possible the task then has invalid field values within the target project.

Possible scenarios:

1. Ignore invalid values within the target project
   • Pro: Easy to do, an immidiatly revert back to the old project would “heal” the task properties.
   • Contra: may effect accuracy and reliability of other parts like searching, listing, statistic calculations
2. Silent change task field values to valid field values of the target project if necessary
   • Pro: relative easy to do
   • Contra: a bit loss of information, little side effects
3. allow user to modify the fields that must be changed so that every field of the task has valid values within the target project
   • Pro: accuracy
   • Contra: a bit loss of information(fallback to default values) if there are no similiar field values selectable within the project
4. allow user to modify the fields, fields or field select values that do not exists in target project will be automatically created.
   • Pro: accuracy
   • Contra: target project may be cluttered with too many fields/field values
5. ???