Flyspray - The bug killer!

I’ve tried inserting an image in the intro message but it doesn’t show. Is there something broken in the formattext.inc file? Seems unlikley because it’s so old but can’t work out why nothing shows.

Alan

I had to disable some parts last year within dokuwiki quickly due sever reported security issues in that area.

As tradeoff embedding images currently don’t work within dokuwiki textareas in Flyspray.

As I too wish that feature reappear working for my projects, this is on my personal list. But requires focused free time because must be made secure.

Maybe instead of using fetch.php of dokuwiki, we can use Flypsray’s ?getfile=id , which also checks permissions.
But must check also securly file types and maybe resize images to fit into the desired page (thumbnails).

Quick anwser: enable swap partition on your server.

Tried upgrading a rc4-dev to rc5-dev/rc6/flyspray-master on a virtual server with 500MB RAM and php5.6.30 on the commandline (debian)

After file upgrade, I wanted also update the vendor stuff according to composer.json changes.

But surprisingly this failed:

php composer.phar update

and also after

php composer.phar selfupdate

to version Composer version 1.5.2 2017-09-11 the memory limit bug exists:

The following exception is caused by a lack of memory or swap, or not having swap configured
Check https://getcomposer.org/doc/articles/troubleshooting.md#proc-open-fork-failed-errors for details

PHP Warning:  proc_open(): fork failed - Cannot allocate memory in phar:///var/www/***/composer.phar/vendor/symfony/console/Application.php on line 979

Warning: proc_open(): fork failed - Cannot allocate memory in phar:///var/www/***/composer.phar/vendor/symfony/console/Application.php on line 979

  [ErrorException]
  proc_open(): fork failed - Cannot allocate memory

Also doing a more fresh vendor install like

rm composer.lock
rm vendor/*
(keeps the .htaccess there)
php composer.phar install

300 MB not enough for a handful of php package installations? wtf, but didn’t dig deeper..

I temporarly solved the problem by making a swap partition on this vServer like suggested at
https://getcomposer.org/doc/articles/troubleshooting.md#proc-open-fork-failed-errors

/bin/dd if=/dev/zero of=/var/swap.1 bs=1M count=1024
/sbin/mkswap /var/swap.1
chmod 600 /var/swap.1
/sbin/swapon /var/swap.1

free
             total       used       free     shared    buffers     cached
Mem:        506300     374920     131380      30628      21904     143872
-/+ buffers/cache:     209144     297156
Swap:      1048572          0    1048572

This is just documentation and is for the people who prefer a Flyspray development version from github.com

Full Flyspray release download files do not needs to fiddle with composer.

Maybe an entry for the FAQ

Currently the category_id is not checked if the value is legal for the project when a new task is created.

• must be unsigned int
• must be an active category_id of the project or global category.
• setting a category_id must be allowed - see project settings.

If invalid category_id is sent, deny creating task and show error message and show filled form again.

If no category_id is sent (or empty string) and category select is enabled:

• either choose a default category

or

• implement feature request FS#2451 and show that user should select a category.

Since PHP7.2 shows a warning in admin area ?do=admin&area=users&user_id=1234567890, when user_id is set, but no alternative user_name parameter.

Probably related to scripts/admin.php

$id = Flyspray::UserNameToId(Req::val('user_name'));
if (!$id) {
  $id = Req::val('user_id');
}

When a user has project manager permissions, but not admin permissions, then on the ‘edit group’ pages like index.php?do=pm&area=editgroup&id=8
the links in the list of users of that group are

index.php?do=admin&area=users&user_id=12345

instead of linking to the users page

index.php?do=user&area=users&id=12345

and a redirect follows with Error #4: You don’t have administrative rights.

Some translation keywords of Flyspray are used at more than one code location.

To help translators doing the correct translations, it would help to show in what context a translation keyword is used.
Especially when a keyword is used more than once.

As we have our own translation helper integrated into Flyspray, we could show a ‘translation keyword usage counter’ there and maybe show on request in which file
a translation keyword is used.

It would also help to identify ‘abandoned’ translation keywords that are not used anymore by Flyspray source.

Also it would help to identify when a translation is used at more than one location with maybe different context.

I think we can use a regular expression and scan the whole Flyspray source for that.
(and maybe database entries if there are places that have translation keywords stored - I don’t think so, but better check that too first than forget that case)

The regular expression should match that examples case insensitive for the translation keyword report:

L('report' 
L("report"
eL('report'
eL("report"

but also ugly cases like
l(    'report'
or 
El ( "report"

case insensitive.

But not for example

createURL('report'

When a Flyspray installation allows user self registration and has public but also more private projects, this feature could make the required configuration more clear:

In this case, keep the number of global user groups as low as possible and the global user group for basic or just registered users has only the ‘can login’ permission and nothing more.
Because that only would be useless for new registered users, adding them also to a basic user group of a public project could be useful.

So my suggestion is:

A new optional global setting: Something like ‘default project user group’ (store 2 values: a project_id and a group_id). Validity of that setting must be checked during any user registration, so that project must exists now and at later time as also that project user group within that project. (’Checks’ of admin prefs)

So it would be like this for a new registered userA:

1. userA is in a basic default global user group: only login permission to handle his account registration (login, logout, user preferences, password forgotten)
2. userA is in project X default user group: some basic permissions you want allow for every (new) registered user in project X
3. project Y: all ‘allow anyone ...’-settings are unchecked, userA not in any user group of project Y

The setting is probably best put below the ‘Default global group for new users’ setting in the global admin prefs tab #userregistration as

Either: A dropdown list with all public projects with an existing user group and dependend on the selection the available basic project groups are loaded by ajax as a select list too.

Or: Only one dropdown list that contains a list of public projects with possible project user groups. Would not require extra ajax calls and is maybe enough because we could exclude project groups that have project manager permission or such configuration nobody would allow new registered users.

no default project user group
public projectA - simple user groupA1
public projectA - simple user groupA2
public projectB - simple user groupB
public projectC - simple user groupC

This idea could be enhanced further (put the new user to multiple public projects when he registers or let user choose from public allowed projects during registration process), but lets start simple.

Currently the sessions are stored by the webservers default settings.

Having this sessions under control by Flyspray by storing it in the database has following advantages:

1. Allows handling of all sessions of a user by Flyspray.
2. Providing a session management for each user. The user can see on which devices he is currently logged in and could also force a logout on selective devices.
3. A forced logoff of all or some user sessions is easy implementable for admins.
4. Statistics about how many users and who is logged in. (user status: hide always, online, offline, do not disturb, ..)
5. Could make onpage-notifications easier to implement.
6. .. ?

Disadvantages:

1. A potential unknown security bug in Flyspray that could lead to reading a session db table could leak informations like who is currently online/active and make further attacks more focused or makes session takeover easier.
2. .. ?

Layouts from 320 pixel mobile portrait, tablet sizes and up to 4k monitor landscape mode using

@media queries

Mockups required not only for different sizes, but also different project configurations, user permissions, and task relations.

Should look ok whatever project configuration is done or how weird a task description is.

On wider screens the comments could be beside the task description for instance.
Or some tabs or menus could be shown directly instead of grouping in the tabs.

The HTML accesskey attribute feature is differently accessible dependent of operating system, web browser and web browser configuration, and users keyboard layout and user language.

By taking advantage of the User-Agent HTTP header value provided by default by web browsers, Flyspray could better know of what kind of keyboard and browser the user sits in front off and show the key combinations for the accesskey feature that best fits the users environment.

The shortcuts help infobox should adapt to the current page type.

So when in editing a task for instance, the n (next task) and p (previous task) shortcuts are not available for a good reason. Listing them there with same priority as other keys then is not helpful.

The simpliest solution is probably putting some if-statements depending on the $do variable into CleanFS/templates/shortcuts.tpl ..

no task description

Motivation

Proposal

When a user is deleted from Flyspray, their opened tasks, closed task and task comments are then shown as Anonymous Submitter, the same way as anonymous reporters (not really anonymous, just that user does not have login account, but usually their email address is stored within that task data).

Currently just the entry from users table are deleted when a user is deleted. Their internal user_id integer is still within tasks and comments fields, and maybe some other tables too. So there is not a ON DELETE SET NULL rule or something like that applied. As it is just an autoincremented number by the system, this is not personal data imho and should be no problem for GDPR, but gives Flyspray the ability to distinguish between anon reporters and deleted users. Well, we could also look if there is an email address within task table entry for notification of anonymous reporter, but there are also tasks possible that have no user_id nor an email address.

It might by useful to present that information differently like deleted user or showing the info differently like icon + title-tooltip with explanation.

Also interesting what happens with mentions of a deleted username in a comment or task description. (see FS#2322)

The user isn’t in database, but deleting that now gone user should not modify tasks or comment where that username was mentioned I think.
But what if another user registers under that now gone username? In that case that new user would inherit that mentions. Probably we can ignore that edge case as there will be not much things will happen with an old mention in old tasks/comments.

I played with adding a dark mode color theme to the default CleanFS theme.

To make the dark theme just simple exchange some colors, the bitmap icons should be replaced with alternatives.

Easiest would be using the fontawesome font icons as Flyspray still uses them and they can simply get a css color assigned.

Examples

Navigation and Forms

Editors

When a tasklist contains the duedate column and the user sorts by duedate ascending, the tasks that do not have a duedate set should not be listed first. Instead they should be listed after the tasks with duedates.

This way a user can see the task with the earliest duedate first instead of seeing a bunch of probably not so important tasks without duedates set.

It would be terrific to have a small pop-up window that appears when you click to start tracking of an item. In the window could be:

• the task name
• a timer
• a button to close the timer pop-up and jump to the effort tracking screen, or even to stop the effort timer in FlySpray if possible.

This would help tremendously to remind a developer that he has one or more timers going in FlySpray.

If multiple timers are started, there could be multiple timer windows, each identified by the task name showing as part of the window (title bar or some text near the timer).

At several places it could be useful to let the user view available tags:

1. When editing a task a toggle popup could show a list of selectable and existing tags.

I found several nice vanilla-js-multiselect-with-autocompletion scripts, but none yet that still works at a basic level when javascript is turned off.

My plan is now:

• Keep the current basic input text field for input tags and show current assigned tags like exampletag1;exampletag2;exampletag3 separated by ‘;’ that is sent to the server when saving the task and server handles evaluation of that string (validation, duplicates, removed, added, creating new tags if allowed for current user)
• A CSS only toggle that shows available tags that can be assigned (works even with js turned off), similiar to other places within Flyspray like advanced search toggle.
• If js turned off, the user must type the tag - not as fancy, but at least works. (I thought also about using a html select with multiple=”multiple” attribute, but was not convinced due styling not possible in modern browsers without js)
• If js is enabled, more fancier stuff is possible:
  • The input text field is hidden by display:none and instead the styled tags are shown.
  • The current added tags also get a little x to remove a tag by clicking it. The content of the hidden input text field is updated to reflect the current editing status. (click eventlistener)
  • A generated text input field for typing with autocompletion list shown of matching availbale tags. An unknown tag is added to the list if user is allowed to create tags. Clicking a item in the autocompletion list adds the tag and resets the autocompletion input text field for the next autocompletion action.
  • The tags within the toggle list with all available tags get also a click event listener, so clicking it adds them to the hidden text input.
  • Not sure yet if an added tag should be removed from the all available tags list or just make an CSS indication that a tag is still added, currently I tend to keep the list untouched, just highlight used tags of the task.

• Optionally make the all available tags sortable by:
  • list_position (default)
  • alphabetic
  • global or project level
  • popularity (count of tasks using a tag (n + unnumbered private)), requires adding a data attribute.
  • group by detected prefix like shape:triangle shape:circle shape:rectangle could show a group of tags as: shape: triangle circle rectangle

1. Make the list of tags searchable for the advanced search. added with FS1.0-rc10 by just using search key words also for searching list_tags table.

I understand this is likely due to some sort of XSS CSRF protection, but the delay doesn’t appear to be long enough to be useful for a lengthy comment to be posted. I’ve now lost two detailed comments in our tracker because the software threw everything out and generated a meaningless error.

Further, attempting to do the normal thing and making the browser resubmit the page results in Flyspray throwing “Error #3” something something repeated action and causing a redirect to the homepage.

Surely there has to be a better way to handle this that doesn’t incur data loss?

For Flyspray installations with many users (several thousands) a pagination of the user list in the admin area is required.

2000 users no problem to display (aside the PHP max_input_vars limit which is only 1000 by default, so maybe not all checked checkboxes are handled.)

More users might send your mysql to long running blocking queries creating temp tables … bad!

(I killed them by watching show processlist; and kill id; on mysql console.)

Trying to add a new user having the same email address as an another user in the do=admin&area=newuser section results in

“That username is already taken. You will need to choose another one.”

instead of

“Email address has already been taken”

(I’ve stumbled on this issue because I have an older disabled user with the same email address)

From: https://groups.google.com/forum/?hl=en#!topic/flyspray/rAnks5y_uLk

19-04-09 // More one year ago.

There are not http → https redirections.

Only one example:
- http://www.flyspray.org/docs/download/ is not redirected to https://www.flyspray.org/docs/download/

Note: It is better to have the main website in https://flyspray.org/.

http://www.flyspray.org/ + https://www.flyspray.org/ + http://www.flyspray.org/ must be redirected to https://flyspray.org/

With all informations on flyspray, it's possible to generate a gantt chart.
For this, some php code exists :
- http://www.aditus.nu/jpgraph/
- http://www.graphviz.org/
- http://www.phpclasses.org/browse/package/2737.html

Hello,
when selecting timezone in user profile, it only offers offset based timezones. It should offer timezones like "Europe/Prague", instead, because in summer it is UTC+2 and in the winter UTC+1. Also UTC is the same as GMT.

Using offsets will cause invalid future and past times when crossing daylight saving or when something other changes.

Adding daylight checkbox is not enough and will cause additional troubles. Just use names and store them as ENUM in database, not offset. This problem is pretty complicated and the only solution is to use names and let libraries to solve it for you.

Thank you.

Hello,
when I wanted to use Flyspray to manage request from non-technical customer, I found one missing feature:

I have "report a problem" link on devel version of web site. But to submit new task, it is necessary to login into Flyspray.

It would be nice if there was an URL with login form if user is not logged in and "add new task" form if he is logged in.

Example scenario:
- Customer visits devel site after some time and finds some problem. He wants to report it.
- Customer clicks "report a problem" on the devel site and Flyspray is opened.
- Customer now see some wierd error message and has no idea what is wrong. If anonymous reports are allowed, he sees the form, but cannot upload screenshots and he must enter his e-mail address.

How it should be:
- Customer visits devel site after some time and finds some problem. He wants to report it.
- Customer clicks "report a problem" on the devel site and Flyspray is opened.
- Customer sees login form and (if anonymous reports are allowed) there is also "add new task" form below the login form.
- Customer clicks "login" (password is saved in browser).
- Customer now can fill report with all the comfort.