Flyspray - The bug killer!

I understand this is likely due to some sort of XSS CSRF protection, but the delay doesn’t appear to be long enough to be useful for a lengthy comment to be posted. I’ve now lost two detailed comments in our tracker because the software threw everything out and generated a meaningless error.

Further, attempting to do the normal thing and making the browser resubmit the page results in Flyspray throwing “Error #3” something something repeated action and causing a redirect to the homepage.

Surely there has to be a better way to handle this that doesn’t incur data loss?

Closing a task with selected close reason duplicate should warn when there is no comment or FS # id is given in the close comment text field.

The task is closed as duplicate without any further notice. The information to which task it is duplicate or a description (if the problem is logged/handled outside Flyspray) is lost.

Possible solutions

Frontend hints

Backend deny

So closing a task

FS#1

with

reason: duplicate

and close comment

FS#1

referencing to self should be detected to avoid such user mistakes.

Hello,
my notification eMails have invalid links.

I use a different port. See below for the partial eMail source text:

DIES IST EINE AUTOMATISCH ERSTELLTE NACHRICHT, BITTE NICHT ANTWORTEN.<br>
… <br>Mehr Informationen k=C3=B6nnen unter=
der folgenden URL abgerufen werden: <br><a href=3D”https://pp.cobru.de“>pp=
.cobru.de</a>:444/bug/index.php?do=3Ddetails&task_id=3D309<br><br>Sie erhal=
ten diese Nachricht, weil Sie in Flyspray Benachrichtigungen aktiviert habe=
…

Debian GNU/Linux 10 (buster)
MySQL 10.3.22
PHP version: 7.3.14-1~deb10u1
Flyspray 1.0-rc9

Steps done to create the problem:
-Use a different Webserver Port
-Enable eMail notifications
-Create or modify an task

Expected behavior:
-Valid link

Experienced behavior:
-Invalid link

BR
Wörsty

Trying to add a new user having the same email address as an another user in the do=admin&area=newuser section results in

“That username is already taken. You will need to choose another one.”

instead of

“Email address has already been taken”

(I’ve stumbled on this issue because I have an older disabled user with the same email address)

At several places it could be useful to let the user view available tags:

1. When editing a task a toggle popup could show a list of selectable and existing tags.

I found several nice vanilla-js-multiselect-with-autocompletion scripts, but none yet that still works at a basic level when javascript is turned off.

My plan is now:

• Keep the current basic input text field for input tags and show current assigned tags like exampletag1;exampletag2;exampletag3 separated by ‘;’ that is sent to the server when saving the task and server handles evaluation of that string (validation, duplicates, removed, added, creating new tags if allowed for current user)
• A CSS only toggle that shows available tags that can be assigned (works even with js turned off), similiar to other places within Flyspray like advanced search toggle.
• If js turned off, the user must type the tag - not as fancy, but at least works. (I thought also about using a html select with multiple=”multiple” attribute, but was not convinced due styling not possible in modern browsers without js)
• If js is enabled, more fancier stuff is possible:
  • The input text field is hidden by display:none and instead the styled tags are shown.
  • The current added tags also get a little x to remove a tag by clicking it. The content of the hidden input text field is updated to reflect the current editing status. (click eventlistener)
  • A generated text input field for typing with autocompletion list shown of matching availbale tags. An unknown tag is added to the list if user is allowed to create tags. Clicking a item in the autocompletion list adds the tag and resets the autocompletion input text field for the next autocompletion action.
  • The tags within the toggle list with all available tags get also a click event listener, so clicking it adds them to the hidden text input.
  • Not sure yet if an added tag should be removed from the all available tags list or just make an CSS indication that a tag is still added, currently I tend to keep the list untouched, just highlight used tags of the task.

• Optionally make the all available tags sortable by:
  • list_position (default)
  • alphabetic
  • global or project level
  • popularity (count of tasks using a tag (n + unnumbered private)), requires adding a data attribute.
  • group by detected prefix like shape:triangle shape:circle shape:rectangle could show a group of tags as: shape: triangle circle rectangle

1. Make the list of tags searchable for the advanced search. added with FS1.0-rc10 by just using search key words also for searching list_tags table.

1. Find a good configuration name just reuse relnofollow as used by dokuwiki
2. Find a good translation keyword for that config relnofollow
3. Find a good translation keyword for config description (title attribute)

Goes into prefs table as it is sitewide configuration.

As first implementation a simple checkbox should be ok. Should be on the tab with other spam handling stuff like captcha configuration.

Is enabled by default (1).
Adapt setup xml files, upgrade procedure.

To fix some other open tasks, an update of the CKEditor4 files is probably the best way.

Starting with CKEditor4 ‘Basic’ preset, evaluate every additional Plugin before adding them to the config.

Because the selection of plugins starts with the ‘Basic’ preset, some configs are disabled in the resulting config.sys like the ‘Strike’ button or the Copy/Paste functionality.

I am also evaluating the possibilities to make some of the options configurable within the Flyspray configuration. It is probably required to analyze if a setting applies to only CKEditor syntax or would be also by used for installs using dokuwiki syntax/engine.

I can also imagine enable/disable features based on Flyspray user permissions. (but that requires not only CKEditor config, but also server side changes like HTMLpurifier settings.)

Languages

Theme selection

Plugins

Mentions

Auto Grow

Auto Link

Baloon Toolbar

Blockquote

Code Snippet

Format

Remove Format

Show Blocks

Source Editing Area

PHP 7.4 is out now and a few things should be done to make Flyspray work well with it.
Nothing really breaks, but a view deprecation warnings should be fixed.

Flyspray source itself: Just a few new notices, most are yet fixed in the master branch.

Watching the PHP7.4 compatibility of dependencies defined by composer.json:

• ADOdb/ADODb: 5.20.15 should be OK for Flyspray
• swiftmailer/swiftmailer: We still use 5.* branch, so either do quickfix for a notice in a fork or upgrade/rewrite our integration to the 6.* branch.
• ezyang/htmlpurifier: 4.12 OK
• thephpleague/oauth2-client: unknown, we still use 0.13, last real source change was Nov 2018, to upgrade requires rewrite of integration into Flyspray and there is low demand for OAuth2.
• dapphp/securimage: seems to be OK
• jamiebicknell/sparkline: OK, but probably obsolete for us in future due
  • still annoying problems with our github/travis tests (problem of travis, not sparkline itself)
  • better solution (interactive hover infos, scales, screen size adaptive) by Flyspray source planned

For Flyspray installations with many users (several thousands) a pagination of the user list in the admin area is required.

2000 users no problem to display (aside the PHP max_input_vars limit which is only 1000 by default, so maybe not all checked checkboxes are handled.)

More users might send your mysql to long running blocking queries creating temp tables … bad!

(I killed them by watching show processlist; and kill id; on mysql console.)

If you define an inactivity-close value in hours/days (haven't tried weeks) the bug is still open when the time expires.

the installer does not check for reserved characters when writing to flyspray.conf.php, causing parse_ini_file() to return an invalid database password.

After I upgraded to version 1.0 (the upgrade was successful), flyspray only shows a white page (and the source in firefox shows, that the page is completely white).

Please help us finding the roots of these bugs!

Please report what you were exactly doing before this happend, report us your steps made, the used php version, used OS version, and such information.

Add Timezone Selection to Admin Panel

Any form should have its submit button directly below and to the right of the form.

This is most egregious on the New Task page where you have to scroll back up to the top right to submit.

Hello,
when selecting timezone in user profile, it only offers offset based timezones. It should offer timezones like "Europe/Prague", instead, because in summer it is UTC+2 and in the winter UTC+1. Also UTC is the same as GMT.

Using offsets will cause invalid future and past times when crossing daylight saving or when something other changes.

Adding daylight checkbox is not enough and will cause additional troubles. Just use names and store them as ENUM in database, not offset. This problem is pretty complicated and the only solution is to use names and let libraries to solve it for you.

Thank you.

When some url to a bug is redirected to the login page, because the user does not have the right to see the bug without login, the user should be redirected after the login to the url he wanted to see.

Maybe redirect to /login/?next=/task/X and put the next-url in a hidden field in the login-form, so flyspray can redirect to the correct page after login.
Even preserving anchor-urls (#comment-YYYY) would be cool, but i guess this needs Javascript to work.

Hello,

First of all, thanks for this great tool, very user friendly.
I'm informing you as requested ("This should never happend, please inform Flyspray Developers" :)) because I'm getting this error message:

[Completely unexpected exception: Connection could not be established with host http://ssl0.ovh.net/ [php_network_getaddresses: getaddrinfo failed: Name or service not known #0]
This should never happend, please inform Flyspray Developers]

I set up the SMTP configuration (SSL) with information provided.

Enclosed in PHPinfo configuration, if it helps.

Thanks

Ability to click field to edit ticket

TODO: return handler if request ok or fail.

TODO: also clicks on label should trigger show form.

Maybe the whole “click to active for editing this field” to one click too much.
So if the user has the rights to edit the value the form input or action button should be shown when viewing a task.
All other people just see the value if they have the right to view the value.

When entering the wrong SMTP information and then adding a user through Multiple New Users page, the error message is bad. It just says 'this should never happen'. Instead, we need to detect that it is an SMTP authentication error and report that issue to the user more clearly.

It seem that when deleting a version entry in a project, that tasks that have this version assigned are still connected to this deleted version. For example FS#1222 (on 2015-03-09).

There are several options to solve such things:

• Deny deletion of version as long as tasks assigned to this project version.
  • Either by doing a testing SQL query to check this case coded in PHP. Take care to keep this centralized, must also be respected by an eventually later added Flyspray API (XMLRPC or whatever).
  • add SQL foreign key constraints with ON DELETE RESTRICT
    • Pro: some business logic can be directly enforced by SQL.
    • Cons: higher requirements for hosting, if using mysql innodb tables must be available on the hosting

• Move the tasks of this version to a default fallback version before deleting the version tag.
  • Either doing one transaction doing : 1. move the tasks to its fallback version, 2. delete the version
  • add SQL foreing key constraint with ON DELETE SET $fallbackversionid. Some pros & cons like on the the denying option.

The same for other assignments for tasks.

This issue is similiar to the massop issue: (https://github.com/Flyspray/flyspray/issues/130)

Summary of TODO I found on the net:

• There is a very old project site of flyspray on sf.net . The info there should be updated or removed.

• Update info and keep an eye on http://alternativeto.net/software/flyspray/ from time to time.

• Keep an eye and update Flyspray info on wikipedia for example:
  • http://en.wikipedia.org/wiki/Bug_tracking_system
  • http://en.wikipedia.org/wiki/Comparison_of_issue-tracking_systems
  • http://en.wikipedia.org/wiki/Comparison_of_project_management_software
  • http://en.wikipedia.org/wiki/Comparison_of_help_desk_issue_tracking_software
  • http://de.wikipedia.org/wiki/Issue-Tracking-System

When I scroll down the page to see more of the task list and then click on one of the column headings to sot by this heading, the answer page doesn't scroll down to the table.

I think there are 2 technical solutions for that:

1. set an name/id a-anchor on top of the table and on each column heading link add for example '#tasklist'.

2. add a js-sorter with complete extra search and sort ajax-backend with e.g. libs from http://datatables.net/ This requires aleso writing a server side handler for taking the ajax requests (respecting user permissions!) and is only usable if js in enabled in browser. So this second solution can only be a luxury comfort function.

On Mac OS Safari:

I just closed a task and wrote the following into the comment for closing:

"See also F.S.#.14" (of course without the points). When I then click the link in the comment box (below the task details) I'm redirected to:
"http:/flyspray.stefan-herz%0Aog.tld/index.php?do=details&task_id=%0A14". No matter if #14 is closed or not.
It worked with Firefox.

Any suggestions?

Due to the needed implementation of an anti csrf system into Flyspray 1.0,
this are a side effect issues we need to address:

Due the required replacement of action links to form buttons:

• The user cannot just see anymore the target url of the action by hovering over the link. We can compensate that in the simpliest case by using the title-tag as additional info to the user. Trust not full reestabilished that way, but better than nothing and user has fear to click a form button.

Javascriptless CSS3-toggles:

• Some clickable labels don’t show pointer icon when :hover. CSS issue, easy fix.