Flyspray - The bug killer!

This is the Bug Tracking System for the Flyspray project. This is not a demo!

2019-04-22: Flyspray 1.0-rc9 released See

ID Category Task Type Severity Summary Status Progress Assigned To Due In Version   desc Opened Last Edited
2481Backend/CoreInformationLowMove to MVCUnconfirmed
10.08.201810.08.2018 Task Description

That way you can just protect the setup routes after installation, etc.

And have a much less cumbersome .htaccess file.

And take sensitive files outside of the server path and not risk letting them get out in the public

2484Backend/CoreInformationLowIncrease min. version of PHP requirementUnconfirmed
10.08.201810.08.2018 Task Description

Then you can gracefully drop support of old MySQL extension AND drop the need for password compat, since BCRYPT and password_hash are built into PHP from version 5.5 onwards

2491Backend/CoreBug ReportLowgroup member links if project manager but not adminNew
0% Task Description

When a user has project manager permissions, but not admin permissions, then on the ‘edit group’ pages like index.php?do=pm&area=editgroup&id=8
the links in the list of users of that group are


instead of linking to the users page


and a redirect follows with Error #4: You don’t have administrative rights.

2524EmailInformationLowSMTP Mailer doesn't accept custom portsUnconfirmed
05.11.201827.11.2018 Task Description

Did you installed an official release or did you used an inoffical docker?!
MySQL 8.0.12, 7.2.9 on debian buster

Steps done to create the problem:
Enter server:port at Mail-Settings

Expected behavior: would make use of the custom port

Experienced behavior:
TLS Errors

          if ($fs->prefs['email_tls']) {
              $swiftconn = Swift_SmtpTransport::newInstance($fs->prefs['smtp_server'], 587, 'tls');
          } else if ($fs->prefs['email_ssl']) {
              $swiftconn = Swift_SmtpTransport::newInstance($fs->prefs['smtp_server'], 465, 'ssl');
          } else {
              $swiftconn = Swift_SmtpTransport::newInstance($fs->prefs['smtp_server']);

Should be changed to

          $someTemporaryVariable = explode(':',$fs->prefs['smtp_server']);
          if ($fs->prefs['email_tls']) {
              $swiftconn = Swift_SmtpTransport::newInstance($someTemporaryVariable[0], $someTemporaryVariable[1] || 587, 'tls');
          } else if ($fs->prefs['email_ssl']) {
              $swiftconn = Swift_SmtpTransport::newInstance($someTemporaryVariable[0], $someTemporaryVariable[1] || 465, 'ssl');
          } else {
              $swiftconn = Swift_SmtpTransport::newInstance($someTemporaryVariable[0], $someTemporaryVariable[1] || 25);
2548User InterfaceFeature RequestLowCSS grid layout for task details page typeNew
05.05.201905.05.2019 Task Description

Layouts from 320 pixel mobile portrait, tablet sizes and up to 4k monitor landscape mode using

@media queries

Mockups required not only for different sizes, but also different project configurations, user permissions, and task relations.

Should look ok whatever project configuration is done or how weird a task description is.

On wider screens the comments could be beside the task description for instance.
Or some tabs or menus could be shown directly instead of grouping in the tabs.

2549User InterfaceBug ReportLowOauth register template always shows "Username already ...Unconfirmed
06.05.201906.05.2019 Task Description

RC9 running on CentOS LAMP stack

Steps done to create the problem:
Set up google as an oauth provider.
Have a user click “Sign in with Google” in the login box.
User connects their account with Flyspray.
Google redirects the user back to Flyspray
The return screen (on flyspray) asks for a username.

Expected behavior:
No warning about duplicate username should be shown on initial page load since no username was entered yet

Experienced behavior:
A warning about the username being already taken is shown.

It appears there is no logic for showing or hiding that warning in register.oauth.tpl

(It would be great if flyspray was able to just use the email as a username to make the UX even better/simpler.)

2550EmailBug ReportLowException handling sending email notificationUnconfirmed
06.05.201906.05.2019 Task Description

Someone reported this:

Today i tried to report an issue about xxx on the xxx (namely xxx) and the following error message has been displayed:
Completely unexpected exception: Expected response code 250 but got code “451”, with message “451 Error in writing spool file "
This should never happend, please inform Flyspray Developers
The issue itself has been created though.
2554User InterfaceTODOLowkeyboard shortcuts help box should adapt to current pag...New
06.06.201906.06.2019 Task Description

The shortcuts help infobox should adapt to the current page type.

So when in editing a task for instance, the n (next task) and p (previous task) shortcuts are not available for a good reason. Listing them there with same priority as other keys then is not helpful.

The simpliest solution is probably putting some if-statements depending on the $do variable into CleanFS/templates/shortcuts.tpl ..

2559Backend/CoreBug ReportLowa duplicate close accepted even when missing comment/ r...New
peterdd29.07.201929.07.2019 Task Description

Closing a task with selected close reason duplicate should warn when there is no comment or FS # id is given in the close comment text field.

The task is closed as duplicate without any further notice. The information to which task it is duplicate or a description (if the problem is logged/handled outside Flyspray) is lost.

Possible solutions

Frontend hints

  • variant F1 (soft): When duplicate as close reason is selected, a placeholder attribute in the close comment text field could be shown/updated. (maybe as ‘css only’ possible)
  • variant F2 (harder): Deny sending the form if duplicate selected, but comment text field is empty. and shows warning info. (javascript required, nojs browsers still send form.)
  • variant F3 (hard): Deny sending the form if duplicate selected and no task id detected in comment text field. and shows warning info. (javascript required)

Backend deny

  • variant B1 (soft): When request wants close a task with duplicate reason and (cleaned) comment string is empty, deny closing the task and give feedback to user why it was denied.
  • variant B2 (hard): It requires detecting a task id in the comment field and the first detected task id is taken for referencing as ‘is duplicate of’. Limitation of this is that the duplicate could be also a ticket or something of a complete other system.
2560Backend/CoreBug ReportLowdo not allow close task with reason duplicate referenci...New
peterdd29.07.201929.07.2019 Task Description

So closing a task



reason: duplicate

and close comment


referencing to self should be detected to avoid such user mistakes.

2572User InterfaceTODOLowadd link attributes ugc and nofollow to user generated ...New
13.09.201913.09.2019 Task Description

no task description

2575Backend/CoreFeature RequestLowability to view and reset Flyspray default settingsNew
19.09.201919.09.2019 Task Description


Over the years the count of possible Flyspray configuration options has grown. Meanwhile there are ~60 global Flyspray settings stored in the prefs database table in contrast to only 14 entries of the 0.9.7 (not!) version from around 2005. But each configuration setting might add a little to the feeling of overwhelming when there are too much switches, buttons, checkboxes and probability of a misconfiguration raises due misunderstood or overseen settings.

But Flyspray still aims to be easy to use and work with while being accurate and customizable.


Having a way to view the description and default value of each option would probably give people administrating a Flyspray installation a better understanding of each setting and confidence in making good decisions for their use case.

With the flyspray-install.xml file within the setup folder we yet have an elegant solution that is waiting to unlock its power!

Unfortunately the setup/ folder requires (until now at least) to be removed after install or upgrade. So we need a way to keep the flyspray-install.xml of the installed version. A trivial way would be to copy it to the include/ directory after any install or upgrade, but also other solutions could be.

Keeping the flyspray-install.xml could making following features easier:

  • Reading default value of prefs setting. That could be shown for example as css title attribute /tooltip for each setting in the matching admin forms.
  • Reading default value and field description of any table field using the descr feature of ADOdb xmlschema03.
  • Comparing the real database structure with the table structures in flyspray-install.xml . This could be useful if someone extended or fiddled with database/tables to compare with official Flyspray releases. Or for developers to compare if an database upgrade went well and as intended.
  • Having the description of a setting or database field contained within the flyspray-install.xml is good at one place and the information is not spread around like in an external manual/wiki that maybe get unmaintained, not in sync with the application or get even lost over the years.
  • Using the xml format makes a migration easier (in a broader context, to Flyspray or away from Flyspray)
  • Using the descr tag could be used to hold information which field(s) of a database table is/are foreign key field(s) pointing to primary key field(s) of another table, even if ADODB xmlschema03 does not support it yet. Would generating database schema diagram directly from flyspray-install.xml possible. (instead of manually painting it that gets outdated when structure changes)

Things to take care:

  • ADOdb and xmlschema03 does not handle table comments and field comments yet. The descr tag so is there only used when looking into the .xml file, but it does not appear in the real database schema. To make this happen, there is a good portion of contribution to the ADOdB project required (making pull request, but also get them reviewed, tested, accepted and released with a ADOdb stable release)
  • ADOdb xmlschema03 does not define or handle foreign key constraints. Adding that would require a substantial amount of constribution to get it working reliable for all supported databases that could use foreign key constraints.
  • limits of table comment length, field comment length depend on database type and database version
2577User InterfaceFeature RequestVery Lowdistinguish between anonymous reporter and deleted userNew
18.10.201918.10.2019 Task Description

When a user is deleted from Flyspray, their opened tasks, closed task and task comments are then shown as Anonymous Submitter, the same way as anonymous reporters (not really anonymous, just that user does not have login account, but usually their email address is stored within that task data).

Currently just the entry from users table are deleted when a user is deleted. Their internal user_id integer is still within tasks and comments fields, and maybe some other tables too. So there is not a ON DELETE SET NULL rule or something like that applied. As it is just an autoincremented number by the system, this is not personal data imho and should be no problem for GDPR, but gives Flyspray the ability to distinguish between anon reporters and deleted users. Well, we could also look if there is an email address within task table entry for notification of anonymous reporter, but there are also tasks possible that have no user_id nor an email address.

It might by useful to present that information differently like deleted user or showing the info differently like icon + title-tooltip with explanation.

Also interesting what happens with mentions of a deleted username in a comment or task description. (see FS#2322)

The user isn’t in database, but deleting that now gone user should not modify tasks or comment where that username was mentioned I think.
But what if another user registers under that now gone username? In that case that new user would inherit that mentions. Probably we can ignore that edge case as there will be not much things will happen with an old mention in old tasks/comments.

2581User InterfaceFeature RequestLowreplace bitmap icons of default themeNew
31.10.201907.12.2019 Task Description

I played with adding a dark mode color theme to the default CleanFS theme.

To make the dark theme just simple exchange some colors, the bitmap icons should be replaced with alternatives.

Easiest would be using the fontawesome font icons as Flyspray still uses them and they can simply get a css color assigned.


  • caret of tasklist
  • the ‘select all’ icon of tasklist, but also used at some more locations.
  • some icons in the Flyspray main toolbar (Overview, Tasklist, Event log, ..)
  • the black calendar icons for date selects
  • maybe the file type icons for attachments


  • Dokuwiki toolbar
  • CKEditor: some modern CKEditor themes support color/dark mode, I will probably choose the moona-lisa theme as default.
2585User InterfaceTODOMediumUpgrade CKEditor to 4.13New
peterdd02.12.201917.02.2020 Task Description

To fix some other open tasks, an update of the CKEditor4 files is probably the best way.

Starting with CKEditor4 ‘Basic’ preset, evaluate every additional Plugin before adding them to the config.

Because the selection of plugins starts with the ‘Basic’ preset, some configs are disabled in the resulting config.sys like the ‘Strike’ button or the Copy/Paste functionality.

I am also evaluating the possibilities to make some of the options configurable within the Flyspray configuration. It is probably required to analyze if a setting applies to only CKEditor syntax or would be also by used for installs using dokuwiki syntax/engine.

I can also imagine enable/disable features based on Flyspray user permissions. (but that requires not only CKEditor config, but also server side changes like HTMLpurifier settings.)


Just choose all languages available in the CKBuilder.

Probably we need to adjust the CKEditor to use the users Flyspray language settings too. I changed my language to french in a test install but the CKEditor still shows german user interface. (probably detected by browser http request headers)

Compare that the used language abbreviations work together between files in lang/ of Flyspray and that of CKEditors. (Flyspray: lang/pt_br.php vs. CKEditor: js/ckeditor/lang/pt-br.js)

Theme selection

Probably use a CKEditor source maintained Moona-Lisa or Moona as these are easier to modify their color themes like auto light/dark mode browser detection or base colors that match the theme.

Moona Color currently has issues and not maintained by CKEditor guys.


The previous contained CKEditor 4.4.7 probably hat the standard preset used.

Following I keep track of plugins we should add to the basic preset. This list is growing/edited until the final config that ships with Flyspray is found.


This would enable choosing a user by their username, like @peterdd.

Requires writing an extra php file for retrieving a matching list of users, that respects current user permissions and status of users (like not fetch disabled users).
This extra php file could be also used for the editor textareas with a dokuwiki toolbar.

Auto Grow

This is just a promising usability improvement. No scrollbars needed when writing longer texts.

Turns just typed urls like into real links (like dokuwiki does it when rendered on page.)

Baloon Toolbar

This just sound like a promising usability improvement. Not tried yet. Only add when there is use case (other plugins usability profit from it) for Flyspray.


Probably required because existing Flyspray installs had it too and citing a comment/text snippet should be also able.

Code Snippet

Probably requires deeper look how secure integrate with server side cleanup (HTMLpurifier).


h1-h6 and other tags. Probably required as previous Flyspray versions used that too. (TODO: What happens to old content with h1-h6 tags when editing with a CKEditor without the Format plugin?)

Also configure it to accept only tags useful for within Flyspray. (see also server side configuration of HTMLPurifier)

Remove Format

Existing Flysprays had this too and probably a good thing when the user can cleanup their word/whateverwhere pasted stuff cleaned before HTMLpurifier does it server side too with maybe surprises to the end user.

Show Blocks

Gives the user some confidence on command if his current editing has the right/intended structure.

Well, that missing is one of the reasons why I hated WYSIWYG or wannabe WYSIWYG editors in the past. Uncertainty by the end user, and pain for the admin/webmaster when he sees the garbage stored in the database (endless spans and other garbage tags partly wrong nested by just pasting from Word documents.)
(little bug in CKEditor 4.13.0: doesn’t expand the area with plugin Auto Grow enabled)

Source Editing Area

Useful for people that can read HTML or are responsible to fix things.

2587Backend/CoreTODOMediumdisplay_errors=1 should not set in release candidateUnconfirmed
18.12.201918.12.2019 Task Description

display_errors = 1 should not set in include/ for releases or releases candidate, because with this it is not possibele to disable the error reporting globaly.

The problem is, if I want to enable full error reporting to logfile via “error_log=…” in php.ini, then the error will also full reported to user. Full error reporting is a hig risk for security.

Did you installed an official release or did you used an inoffical docker?!

Steps done to create the problem:
Create a file in base directory with follow contens:
error_reporting = E_ALL | E_STRICT
log_errors = On
display_errors = Off
error_log = /var/log/php-flyspray-errors.log

Expected behavior:
Errors only to log file

Experienced behavior:
All errors goes also to user.
The option “display_errors = Off” has no effect.

2599Backend/CoreInformationLowad post request on new task creationUnconfirmed
30.03.202030.03.2020 Task Description

I’m currently using flyspray

I want to make a little integration of our flyspray installation into slack.
I want make a POST request when a “new task is created”

Any experiment guy can help here ?
1. Where is the best place to achieve this quickly as “hack hardcode” 2. Im not php developer, is there any php lib in flyspray todo quick POST request without installing any additional lib.

2600Backend/CoreInformationLowError #17 when selecting a projectUnconfirmed
31.03.202031.03.2020 Task Description

When I am at the global projects page at index.php?do=admin&area=editallusers and now select a project from the dropdown menu at the top right, I get an error

FEHLER #17: Ungültiger Projektmanager-Bereich!

(according to the the translation area this is key 813: error17 Invalid PM area.)

If I select the project again, the projects start page will be shown correctly.

2606Database QueriesFeature RequestLowduedate column sort asc in tasklist should put unset du...New
02.05.202002.05.2020 Task Description

When a tasklist contains the duedate column and the user sorts by duedate ascending, the tasks that do not have a duedate set should not be listed first. Instead they should be listed after the tasks with duedates.

This way a user can see the task with the earliest duedate first instead of seeing a bunch of probably not so important tasks without duedates set.

2607AuthenticationBug ReportLowWhitespaces in email address fieldUnconfirmed
03.05.202003.05.2020 Task Description

When I try to register at flyspray and add a space before the email address, registering does not work, I get the error message: “You did not enter a valid email address”. But my email progam ignores the space when I do the same there.

2613Public RelationsInformationVery LowEmail ist SignupUnconfirmed
116.09.202016.09.2020 Task Description

My School has blocked me from signing up for the Mailing list, how do I sign up or can you add me?

2614EmailBug ReportCriticalConnection timed out #110Unconfirmed
16.09.202016.09.2020 Task Description

If you are reporting a bug please provide as much information as possible to help understand and reproduce the problem:

Did you installed an official release or did you used an inoffical docker?!

database type and version, php version and OS version/linux distribution flavour, global or project settings you used that could be relevant for reproducing the problem

Steps done to create the problem: Deleate a Task

Expected behavior: Send a email

Experienced behavior:
Completely unexpected exception: Connection could not be established with host [Connection timed out #110]
This should never happend, please inform Flyspray Developers

2621Backend/CoreBug ReportMediumphp notice/warning when reopening in some circumstancesNew
peterdd1.027.11.202027.11.2020 Task Description

Reopening a task triggers a PHP notice with PHP7.4 under some circumstances.
Reopening a task triggers a PHP warning with PHP8.0 under some circumstances.


  1. Create task
  2. Close task directly without setting a completion percentage
  3. Reopen the task
Notice: Trying to access array offset on value of type bool in /***/includes/ on line 684
Notice: Trying to access array offset on value of type bool in /***/includes/ on line 686
Notice: Trying to access array offset on value of type bool in /***/includes/ on line 686
Showing tasks 301 - 323 of 323 Page 7 of 7

Available keyboard shortcuts


Task Details

Task Editing