Flyspray

We must teach browsers not to use some input fields in the admin prefs area to offer to store it in their password manager.

Steps to reproduce:

1. Login with Firefox as admin into Flyspray. (Maybe other browsers behave same)
2. Go to admin prefs area (top right gear icon)
3. Click link somewhere else (so leaving admin prefs page)
4. Firefox browser pops up password manager as it detected some password input fields on admim prefs setting page. But in this case this is not wanted.

Either by using different input field names where the browser does not assume it is a login password field or find input field attribute to tell them.

auto-complete="off"

is not working anymore in browsers for password fields.

webbrowser: Firefox 85.0.2

Popup probably triggered by the password fields for configuring Email and XMPP notification: smtp_pass and jabber_password input fields. Firefox heuristic is too stupid to detect that these are for server configuration, not user login fields!

Neither

autocomplete="new-password"

nor

autocomplete="one-time-code"

attribute helped.

Stubborn Firefox ..

The last build is very old, it is possible to create a new build?
- The last RC: 2 years soon
- The last stable: 9 years soon

GitHub Releases section:
- https://github.com/Flyspray/flyspray/releases

Latest release
v1.0-rc9
136c339

Flyspray 1.0-rc9

@peterdd peterdd released this Apr 22, 2019

Stable: http://www.flyspray.org/docs/download/

Flyspray 0.9.9.7 - 28 May 2012

FS version: 1.0-rc9
PHP version: 7.4.15
database: mysql
php.ini: error_reporting = E_ALL | E_STRICT

Steps done to create the problem:
- Login as Admin or User, with name “Admin”, not with email.

Experienced behavior:
PHP Notice: Trying to access array offset on value of type bool in …/flyspray-1.0-rc9/includes/class.flyspray.php on line 812

A possible fix is attached as patch.

Think, it is this line in currend code:
https://github.com/Flyspray/flyspray/blob/5b0a3d80fc9612ca8e8743450fbf2c8243b5bf47/includes/class.flyspray.php#L836

There should be only one request to

js/callbacks/gethistory.php when activating the History tab

The request is made:

• on mousedown event
• on click event

So holding down the tab sends the first request and releasing sends the second request.

Integrate the selectpure javascript to the new task and edit task form.

By default there is a text field where tag names are separated by ‘;’ character.

Selectpure could instead show the tags with their visual layout with a little ‘x’ inside on the right side for removing a tag and autocomplete when typing a tag name to show existing tags from the flyspray_list_tag-table as possible selections.

Instead implemented a CSS and raw javascript solution with a single taghelper.js without any dependancies.

A button beside the tag input text field toggles a list of available tags for the current task, depending on the project and settings.

Still TODO

I administer a moderate-sized (~14K ticket) 1.0-rc9 instance running on a Fedora 32 host (php 7.4.16, mariadb 10.4.18) Following the upgrade instructions (ie transfer attachments, avatars, flyspray.conf.php) the setup/upgrade tool loads, and prompts me to upgrade.

It churns a while before refreshing the screen, claiming a successful 1.0-rc10 upgrade. However, the upgrade seems to not actually “stick”, because clicking on the “return” button I’m dropped back into the upgrader, which is once again claiming I’m running 1.0-rc9 and prompting me to perform the -rc10 upgrade.

According to Flyspray’s admin ‘checks’ tab:

* PHP 7.4.16
* MariaDB 10.4.18
* default_charset: utf8mb4
* default_collation: utf8mb4_unicode_ci
* All tables are ‘InnoDB’

There are no errors logged that I can find, but the upgrade is clearly not working. If I revert to the -rc9 php files, everything continues along as if nothing was done.

Any suggestions?

I administer a small personal (<1K ticket) 1.0-rc9 instance running on a Fedora 32 host (php 7.4.16, postgresql 12.6) Following the upgrade instructions (ie transfer attachments, avatars, flyspray.conf.php) the setup/upgrade tool loads, and prompts me to upgrade.

Unfortunately, the upgrade fails spectacularly, with a reported SQL error that belies what’s actually wrong. Here’s a snippet from the postgresql logs where the upgrade is failing:

2021-04-28 10:33:07.190 EDT [2032049] ERROR: column “attachment_id” of relation “flyspray_attachments” already exists
2021-04-28 10:33:07.190 EDT [2032049] STATEMENT: ALTER TABLE flyspray_attachments ADD COLUMN attachment_id SERIAL
2021-04-28 10:33:07.194 EDT [2032049] ERROR: current transaction is aborted, commands ignored until end of transaction block
2021-04-28 10:33:07.194 EDT [2032049] STATEMENT: ALTER TABLE flyspray_attachments ADD COLUMN task_id INTEGER
[…and everything else fails because the transaction aborted…]

It appears that the upgrade script is blindly trying to create columns that already exist in the -rc9 database, and postgresql is treating this as a failure. Because the entire upgrade happens within one transaction, this means the entire upgrade fails at the outset and won’t ever succeed.

The way past this specific problem is to make these ALTER TABLE operations conditional (eg “ALTER TABLE flyspray_attachments ADD COLUMN IF NOT EXISTS task_id INTEGER”).

My project has 37 pending requests. Each has a set of Accept / Deny buttons next to it.

If I click on Deny, a textbox pops up for me to enter “Reason for denial” but the entire page immediately regreshes/reloads back to the task list before I have a chance to enter the reason and submit it.

I can always “Accept” the request implicitly by going to the appropriate task and closing/re-opening it, but there’s no way to “deny” something without going through this UI path.

Today I received a Spam into my Flyspray, I wanted to ban the user and to delete the task, to my surprise I didn’t see an option to -delete- a created task, so I don’t want to keep this spammy content into my DB or even worse, publically viewable to other users / or google (which will impact in seo and also make their spamming successful forever), I just wanted to simply remove the task entirely from the DB

So my only option was to restore the 2-days before database backup in order to remove it, then I upgraded to the last git checkout but I didn’t see that option existing

I think flyspray needs to have that option included

Thank you

For users with administrative permissions, a moderation UI for spam tasks could be useful.

For other normal users a “mark as spam”-button (similiar to voting for a task) could help moderators to identify spam tasks.

1. Modify the spam task: Move to a hidden “Trash” project, replace summary and description with a default spam summary text end empty description.
2. The decision which kind of punishment of the account who created the spam depends on several things:
   • Is it a previously normal used account who got captured by a bad guy and suddenly started spamming?
   • Is it a fresh bot created account who tried creating many spam task to promote bad websites or do search ranking manipulation?
   • Is it a sneaky smart account who waits for the opportunity to offload spam in a subtile manner?

I think this is not so easy to automate without producing false positives, especially for a project without commercial interest and funding and no huge meta informations like Google or similiar data collecting corporation who have the ability to identify spam waves across the internet.

Hi, in my free time of the last few days I begun developping a Docker container: https://github.com/blu-base/flyspray-docker. I derived it from a nextcloud docker container… For now, I limited my focus on an apache/debian buster container. I’d be happy to contribute the project to the official placeholder when it is ready.

Anyhow, in the entrypoint script, I use some environment variables to create the flyspray.conf.php from scratch. and would now need to populate the database. I understand i have to use the respective xml scheme as the setup/index.php does.

I am not experienced with php and database applications and would like to ask you for advice how to proceed efficiently.

Since the current setup is indented to be interactive in the browser, i would need to use a cli tool or a purposely-build php script to do the same task on the command line/on container startup. But this seems to me this would be code duplication and introduce more maintenance work.

• Is it possible to hook into only some of the functions of the setup/index.php?
• What could be the next best approach to populate the db on first start?
• Would it be a viable solution in trying to further modularize the setup - allowing to run parts on cli, like nextcloud’s occ tool?

From mailing list:

Hello,

I could not find if this was already posted before. We have this basic profile where customers only can create new tasks and receive some notifications when the status or details change. The idea is that they do not see the comments, we want to use them for internal communication.
The think is that we just realized that they can not see the comments when they login but they receive them as notifications by email!

We want this notification for the admin users involved in the task but not for the customers. Is there a way to correct this behavior?

Thanks,
Manu

[ ] ADOdb xmlschema03 issues
[ ] other warnings/notices

When there is a link to the new task action from another site to a Flyspray installation and the user is not yet logged in, there is a redirect to the Flyspray start page losing the GET parameters.

Example:

https://bugs.flyspray.org/index.php?do=newtask&project=1&item_summary=blablabla%product_category=1

Or short example (nicer urls using .htaccess rules)

https://bugs.flyspray.org.de/newtask/proj1?item_summary=blablabla&product_category=1

After login the user should see the form with the original link parameters (if the user is allowed to and parameters are valid)

Currently the user must navigate to the correct project (if there are several) and the parameters from the origin link are lost.

Regardless if a gmail.com or other address (tested with my gmail and also other email address)

So this is probably a mail server problem. I try to reach server admin.

I can see my “unfinished registrations” tests in the admin→checks area, but received no emails (waited and checking spam folders too)