Spammers have found a way to bypass the block on user registration and cause entries to be inserted into the registrations table in the database. I have 30+ of them in there right now, all inserted within the last 2 days. I’ve had user registrations disabled for 2 weeks now because of an onslaught of spammers who won’t leave us alone. Flyspray has insufficient safeguards against them so when this happens I have little choice.

I don’t have any idea how, but these entries in the registrations table are resulting in emails being sent out to these accounts that are bouncing because the spammers are on domain blocklists for forging their DNS responses.

Something needs to be done about this, because if they can insert phantom entries into this database table via the code, what else could they be doing that we haven’t spotted yet?

The dokuwiki renderer automatic creates for each h(1-6) tag an html id attribute, but doesn’t ensure that this:

• is not used by Flyspray templates
• is unique across all tasks (tasklist summary/description mouseover!), id must be unique on a webpage.

Example: id=”footer” and id=”title” are used by the default CleanFS template for example.

footer

title

title

title

Possible solution

Hello,

Can you tell me which file to modify to increase the size of the attachments? Currently limited to 2mb. I would like to authorize 4mb

Thank you

Julia LECLERC

When saving the tag list at admin and project area, the ordering of the tags must be recalculated.

So it is not more legal to have a list ordering like (0,0,0,1,3,4,7)

That should be recalculated and stored as (1,2,3,4,5,6, 7) (or 0,1,2,3,4,5,6)
currently in file includes/modify.inc.php

Why?

Alternative

        /**
         * load all tags into array
         *
         * compared to listTags of class project, this preloads all tags in flyspray database
         * ideally maximal called once per http request, then using the array index for getting info
         *
         * @return array
         */
        public static function getAllTags()
        {
                global $db;
                $at=array();
                $res = $db->Query('SELECT tag_id,project_id,list_position,tag_name,class,show_in_list FROM {list_tag} ORDER BY list_position ASC');
                while ($t = $db->FetchRow($res)){
                        $at[$t['tag_id']]=array(
                                'project_id'=>$t['project_id'],
                                'list_position'=>$t['list_position'],
                                'tag_name'=>$t['tag_name'],
                                'class'=>$t['class'],
                                'show_in_list'=>$t['show_in_list']
                        );
                }
                return $at;
        }

function tpl_draw_cell($task, $colname, $format = "<td class='%s'>%s</td>") {
  global $fs, $db, $proj, $page, $user, $alltags;
...
  case 'summary':
...
    if($task['tagids']!=''){
                        # if global $alltags are yet undefined, preload the tags now.
                        if(!is_array($alltags)) {
                                $alltags=$fs->getAllTags();
...
 foreach($tagids as $tagid){
                                $tgs.='<i class="tag t'.$tagid
                                        .(isset($alltags[$tagid]['class']) ? ' ' .htmlspecialchars($alltags[$tagid]['class'], ENT_QUOTES, 'utf-8') : '').'" title="'.htmlspecialchars($alltags[$tagid]['tag_name'], ENT_QUOTES, 'utf-8').'"></i>';
                        }

See attachment.

Is there any “ready” SQL query file to delete all tasks and start again ? (without deleting projects, project settings, categories, task types, tags, task statuses etc...)

/index.php?do=admin&area=prefs

There’s a checkbox on this menu to toggle whether admins get notices for new user registrations or not. Ours is off, but I’m still getting those notices.

Correct or wrong code return false!

The results of Securimage Test Script on my server

This script will test your PHP installation to see if Securimage will run on your server.

Session Functionality: Yes!
GD Support: Yes!
GD Version: bundled (2.1.0 compatible)
imageftbbox function: Yes!
TTF Support (FreeType): Yes!
JPEG Support: Yes!
PNG Support: Yes!
GIF Read Support: Yes!
GIF Create Support: Yes!
SQLite Support: Yes!
SQLite is available. If you choose to use it, Securimage can support users who do not accept cookies.
MySQL Support: Yes!
MySQL is available. If you choose to use it, Securimage can support users who do not accept cookies by storing codes in MySQL.
PostgreSQL Support: No
No PostgreSQL support.
LAME MP3 Support: No
LAME was not found, audio will work in WAV format, but not MP3. See Securimage HTML5 audio documentation for info.
Your server meets the requirements for using Securimage!

on modify.inc.php line:754 got

if( !Post::isAlnum('captcha_code') || !$image->check(Post::val('captcha_code'))) {

if( true == false || false == false ) {

So, there would be great option if we can set permission to users to see and post only in specific opened projects in bug tracker.

Idea is, that user has all right to all projects, but in some cases we want that user can see only projects which is allowed and also to publish new tasks to only allowed projects.

In that case tasks overiew is locked and user must be logged in to see opened tasks.

Problem: https://github.com/Flyspray/flyspray/pull/552

The button ‘My assigned tasks’ should search only by userid, not in username or realname with the LIKE ‘%...%’ operator.

Currently the button is using the same as doing an advanced search filling the ‘Assigned To’ input field. (currently ‘dev’ param) But that search param searches in userid, username and realname.

There are several solutions possible:

• We do not use the dev-urlparam ?do=index&project=1&dev=123 that would list also assignees with username dude123 or dude123blabla. Instead use for instance ?do=index&project=1&mytasks or ?do=index&project=1&devid=123
• ...

Needs some planning, thinking to keep it simple/solid.

Hey peterdd,

I was wondering: is there a standard URL for “My tasks”? I have an internal website and I would like to create a menu with a few submenus (Add task and My tasks) that link to FlySpray. However if I place the URL for My Tasks (being logged in with my user account), and copy this link to the menu, all others that click the submenu My Tasks, are seeing the tasks that where opened by me or where I am assigned, not that user that is connected on Flyspray with his account on his PC.

So that’s why I am asking for a generic URL of My Tasks, so I can place it on this middle-site?

Thanks

Currently all attached files get renamed (like “screenshot331.png” → “attachments/14_72a4ca580abcdef69f60b1f”) and they could be downloaded only throught the php script (”/index.php?getfile=1234”) which requires that user must be logged in to view the file.
It is not very convenient when you need to show a file to some person who is on mobile phone at the moment or using not a work computer. Also sometimes you might need to share a file with anyone without having them to register at your bug tracker.

I suggest you to add a checkbox like “create a direct link” when uploading a file, which will save the file with original name and extension but adding some random generated prefix (like “screenshot331.png” → “attachments/14_72a4ca580abcdef69f60b1f.screenshot331.png”).

However this poses a high security risk so there should be a list of allowed file extensions (e.g. “jpg,png,txt,pdf,doc,zip”) - only these files could be saved with the original extension. This list should be accessible by the main administrator only, thus the safest option would be storing it inside the “flyspray.conf.php”.

I prepared Slovenian translation.
File is in attachment.
You can freely add to release.

Hello together,

in php >= 5.6.0 you get a notice if you dont use a salt param.
(see: http://php.net/manual/en/function.crypt.php)

we need to fix the else case in the function Flyspray::cryptPassword()

see the attached image for the error in the frontend.

If i set up a custom css in the main FS settings the style doesn’t get applied to all nested projects. I have to set the css to all projects explicitly to get the stylings work on all project pages.
Wouldn’t it be a good idea to first load the css set in the main dialog and after that load an additional css specified in the sub project? Then it would be possible to specify general stylings for all projects and project based stylings also.

Because the hr tag is allowed in the new html comment editor it should be also allowed to display it in the ticket description.
class.tpl.php:875 –> just add it here

• Flyspray 1.0 includes 1 default theme CleanFS. That decision was made to reduce maintainance effort and the old blue theme was dropped. Also the CleanFS contains UI-logic implemented in HTML/CSS and tries to be usable even for the people who turned off javascript in their web browsers for security reasons. (and reduces spam on many other websites too without an adblocker)

• Current Flyspray source and the theme CleanFS provides several methods to customize the layout without touching the .tpl files. These are:
  1. custom_*.css files that extend or overwrite properties of CleanFS/theme.css
  2. 2 fields in admin area where to put code

     ?do=admin&area=prefs#lookandfeel

     For instance a corporate footer menu or something like that.

• Latest change in Flyspray’s github master enables a fallback to default CleanFS .tpl files if the .tpl file doesn’t exists in another theme-folder. https://github.com/Flyspray/flyspray/commit/baca7c441dbde9644b6cad73b93296a3977bf999 . This enables something like ‘sub themes’ if the wanted customization cannot be achieved by editing a custom_*.css file or the 2 admin pref fields mentioned above.

• Peoples are encouraged to improve the default CleanFS theme by discussing on https://bugs.flyspray.org or submitting pull requests on https://github.com/Flyspray/flyspray , even it is harder at first. (discussion, should work for everybody, every configuration, ..)

Advantages of CleanFS instead running your own

Good Morning,

I have this message error when I want configure SMTP Server :
Completely unexpected exception: Connection could not be established with host 192.168.0.10 [Permission denied #13]
This should never happend, please inform Flyspray Developers

My flyspray installs on CentOS v7. Postfix installs on the server but I don’t configure anymore.

Can you help me please

Julia LECLERC

You cannot select the fields for export to csv. This means that the commentfield is always exported too. As this commentfield could contain quotes, comma’s etc (like people inserting copies of emails on an issue) it corrupts the output file and the file cannot be read by excel.

The register spam by probably bots in 2016 is annoying.

I ticked the setting, that an admin must accept a new registration. It helps to reduce spam task, but now admin must decide if the registrations are ok or just spam bots.

Beside the need of antispam-plugins, the management of users can be improved:

• column sorting of user list, similiar to the tasklist
• filtering user list, similiar to the tasklist
• pagination of user list (25,50,100,200,all?)
• more columns like ‘last login’, ‘last activity/tasks/comments created/votes/edit’ that may help to decide what status or settings a user should have in future.
• show time zone setting and language setting of users implemented in userlist now

• mass accept/deny of a list of user registrations waiting for admin approval.

There should be some help at the configuration sections for setting up jabber/xmpp notifications.

How someone can test it?

Must the admin setup his own jabber/xmpp server or are there recommended servers?

I registered with psi+ instant messager as peterdd@ubuntu-jabber.de at ubuntu-jabber.de for testing
and configured it here in my account too, but got no jabber messages.

Email notifications works and I set up both sending.

I understand this is likely due to some sort of XSS protection, but the delay doesn’t appear to be long enough to be useful for a lengthy comment to be posted. I’ve now lost two detailed comments in our tracker because the software threw everything out and generated a meaningless error.

Further, attempting to do the normal thing and making the browser resubmit the page results in Flyspray throwing “Error #3” something something repeated action and causing a redirect to the homepage.

Surely there has to be a better way to handle this that doesn’t incur data loss?

Sometimes the emailing fails for a while with the message:

Completely unexpected exception: Expected response code 250 but got code “550”, with message “550 Bad HELO - Host impersonating domain name [mysite.nl] "
This should never happend, please inform Flyspray Developers

It useually simply works so actually I don’t know if it’s a flyspray issue or a hosting issue...

Adding key support for each project instead of using the prefix FS#<task_id>

Let the administrator choose the key for project.

What’s a project key?
It prefixes each task in the project

Pretty minor, but seems to show up regularly enough in our logs. The line in question:

$outfile = str_replace(' ', '_', $tasks[0]['project_title']).'_'.date("Y-m-d").'.csv';

I can’t see an option to set the default view after login. It always defaults to tasklist view when it would be useful to show the overview by default on login.

if a pdf is attached with commentit needs either be forced as download or open target _blank

Since Update to Flyspray 1.0 Beta2 all users can see every task in every project.

The rights were set up correctly in Flyspray 1.0 Alpha and worked just fine.

At first I thought month names were controled by jscalendar. But after restoring functionality of jscalendar ( FS#2226 ) I realized that month names are probably a native feature of Flyspray.

So month names need translation. Moreover, in Greek there should be grammatical cases used. For example October in Greek is Οκτώβριος (nominative case). But when you say “October 2” in Greek is “2 Οκτωβρίου” (genitive case). So month translation would require at least two strings for each month.

The filename for the csv export is build based on project name and current date.

Due different handling of web browsers, the appropriate http header should send the filename in ascii and also provide them as utf-8 for web browsers who can handle that.

Related RFC5987

I setup the default page to “roadmap” for a project, logged out, and it’s not possible to access the base url anymore. I chased the bug throughoutt the code and it seems that:

index.php calls scripts/roadmap.php at line 200:

if (!defined('NO_DO')) {
    require_once(BASEDIR . "/scripts/$do.php");
} 

and:

in scripts/roadmap.php, lines 11-13 redirect to base url:

if (!$proj->id) {
    Flyspray::show_error(25);
}

Just a minor thing, but it’s showing up regularly in the server logs. The code in the affected area is this:

	# FIXME what if we move to different project, but tag(s) is/are defined for the old project only (not global)?
	# FIXME what if we move to different project and tag input field is deactivated/not shown in edit task page?
	#   - Create new tag(s) in target project if user has permission to create new tags but what with the users who have not the permission?
	# update tags
        $tagList = explode(';', Post::val('tags'));  
        $tagList = array_map('strip_tags', $tagList);
        $tagList = array_map('trim', $tagList);
        $tagList = array_unique($tagList); # avoid duplicates for inputs like: "tag1;tag1" or "tag1; tag1<p></p>"
        $tags_changed = count(array_diff($task['tags'], $tagList)) + count(array_diff($tagList, $task['tags']));

We have some private Tasks in our FS-bugtracker to hide them from normal reporters. But we also have some external beta-testers in a betatesters-group and they should be able to see (and check) the private tasks without giving them a project manager status. So it would be good, if there is a switch in the group option to give specific groups the right to see private tasks.

On the user page

/index.php?do=user&area=users&id=*
or
/index.php?do=user&area=users&id=*&project=1
or
/index.php?do=user&area=users&id=*&switch=1 (project switch select)

an info could be shown how many votes a user has given.

Maybe show the tasks on mouse hover (:hover) if permission to view them exists.

Needs to be considered:

• Show count only for current project or all projects? (project param is optional on user page)
• counts of hidden, closed or restricted projects (user permission)
• How to handle votes of private tasks?
• Show votes of closed tasks too? (votes on closed tasks should don’t count for max votes per project)
• When personal “max votes per project” (open tasks) is active, this is of more value.

For example, say I no longer want 1.1, 0.9.9.8, 1.0.0, etc. So want to merge them all into one version 1.0. Same goes for OS, and others

Maybe this is not an issue, but my problem is: upload images approximately 3000 px x 2000 px and this image appears larger than the monitor
is it possible that the image is automatically resized to 800 px x xxx px size

(reported by Ivan Cilic)

Steps:

- Attach an image to a task.
- It shows as a link in your task (cf. screenshot “Screenshot from 2016-01-29 18-34-31.png”).
- Click on the link.

Result: it opens a “popup” with the image displayed in it. If the image is big, the popup is just so huge the image is not visible without boring horizontal and vertical scrolling (see “Screenshot from 2016-01-30 15-07-26.png” which shows what I see when I click the image link on my task).
I can’t even right click to download from the menu since I see no “Save Image As” item. (see Screenshot-no-save-image-in-menu.png).

My workaround was that if I drag and drop the attachment link in the address bar, I finally get the expected image, which I can finally save as! This workaround was hard to find, and I expect most people will just get frustrated of being able to view an image attachment, yet not save it locally.

I proposes the following:
- a small “download” icon next to the image link in the task for direct download (without preview).
- a “download” link/icon on the top-left of the image display popup (to download while previewing).

And as a side feature (maybe I should make a separate report?), I suggest that by default the image display popup constrains the image to the screen size, with a “see real size” link, so that you don’t get the popup with huge scrolling when opening a big image on a smaller screen.

Note: of course this issue does not appear with non displayable attachment. If I have a zip or a document, it proposes me to download it directly.

...
symfony/event-dispatcher suggests installing symfony/dependency-injection ()
symfony/event-dispatcher suggests installing symfony/http-kernel ()
guzzle/guzzle suggests installing guzzlehttp/guzzle (Guzzle 5 has moved to a new package name. The package you have installed, Guzzle 3, is deprecated.)
Package guzzle/guzzle is abandoned, you should avoid using it. Use guzzlehttp/guzzle instead.

we should show the category tree in the task list.
in the task we show the tree.

e.g. “Parent → Sub” instead of “Sub”

E.g. actual version, dueVersion, ...

Edit by peterdd: Topic was discussed earlier on https://github.com/Flyspray/flyspray/issues/130 (edit:It seems Jordan turned “issues” on github.com off in favor of bugs.flyspray.org)

The feature still exists but it is turned off until finished in a secure way. The possibility of sub and parent tasks requires many checks.

I’m trying to upgrade from 0.9.9.7 to 1.0-rc4 but the Upgrader stops with this message:

Query {UPDATE "tasks" SET detailed_desc = ?WHERE task_id = ?} with params {,400} Failed! (ERROR: invalid byte sequence for encoding "UTF8": 0xc3 0x3c)

Ubuntu 14.04.5 LTS
PostgreSQL 9.3.10

Hello together,

it would be nice, if you could mention user in your ticket or comment which are not following the task.
for example when i will type @nickname, the user “nickname” should be get a e-mail that he is mentioned in the ticket.

(if we are “fancy” then we can print a automcomplete after the @-sign ist typed)

When choosing HTML/CKEditor on the setup screen you are presented with an error stating that syntax plugin cannot be empty.

This is due to the option value being empty:

<select name="syntax_plugin">
			<option value="dokuwiki">Text/Dokuwiki</option>
			<option value="">HTML/CKEditor</option>
			</select>

A suggested fix is to remove the requirement to select an option (since you have to select one or the other anyway).

I am seeing some noticed on the front page of our tracker install that were not present prior to updating to 1.0rc3.

Notice: Undefined offset: 1 in <redacted>/scripts/index.php on line 202 Notice: Undefined offset: 2 in <redacted>/scripts/index.php on line 202

It’s displaying the full path to the files on the page.

There are effectively 2 issues here. One is that some kind of error is kicking up. Second is that it’s being shown to anyone who visits the site.

Short dates in Greek are represented in the majority of cases with slashes (24/10/2016). Very seldom some people may use the dash form (24-10-2016) and hardly ever the dot form (24.10.2016).

So it would be much appreciated if the slash form were a (working) option because as it is dates are a bit confusing to us, especially in a date-time combination (too many numbers in a not-so-obvious format - brain needs extra time to decode it).

In some parts of the world (primarily the US), the date is viewed as Month/Day/Year. However, all options in the current rc4 build are listed as Day/Month/Year aside from one, which goes ShortWrittenMonth/Day#/Year#.

This is poor from a customer perspective, and can be highly confusing. I can change the date globally to a correct format in the database, but this doesn’t help much as every user can select their own date which has all incorrect formats.

When filing a task, it’s possible to submit the task without any information at all being added to the main body of the ticket. This leads to reports that are of no value because the user can simply add some vague title, hit submit, and then wonder why nothing happens other than someone closing it later as invalid.

The main body of the ticket should be considered a required field and should throw an error if nothing is in the box.

Updated to the new security release today and anytime someone tries to add a comment, the following error is thrown:

Notice: Undefined variable: conf in /includes/class.backend.php on line 312 Fatal error: Class ‘HTMLPurifier_Config’ not found in /includes/class.backend.php on line 313

This is the offending code:

if($conf['general']['syntax_plugin'] != 'dokuwiki'){
	$purifierconfig = HTMLPurifier_Config::createDefault();
	$purifier = new HTMLPurifier($purifierconfig);
	$comment_text = $purifier->purify($comment_text);
}

After commenting this block of code out, comments can again be posted.

Both is a bit illogical, but both is currently possible!

1 ←- 1

So when setting the parent task id checked for creating loops is needed:

Loop with 2 tasks: 1 ←- 2 ←- 1

Loop with 3 tasks: 1 ←- 2 ←- 3 ←- 1
Loop with n tasks: 1 ←- ... ←- n < – 1

As I think there are currently no recursive reads that could lead to an endless loop, but should be kept in mind when someone wants to programm rendering a gantt chart.
E.g. by limiting the depth of subtasks for example.

I still struggle with composer.json for doing Flyspray builds with included 3rd party libs for different PHP versions.

It is annoying composer.json is just an array, no comments, no conditionals
- and I’m still noob with composer and phpunit stuff.

Main source of problem: oauth2-client and guzzle breaking compatibility with PHP5.3 and PHP5.4

PHP5.3 oauth2-client 0.3 with additional patches (peterdd), guzzle 3.*
PHP5.4 oauth2-client 0.12.1, guzzlehttp ???
PHP5.5 oauth2-client 1.*, guzzlehttp &gt;=6.2.1
PHP5.6 oauth2-client @stable, guzzlehttp &gt;=6.2.1
PHP7 oauth2-client @stable, guzzlehttp &gt;=6.2.1

Any suggestions how to solve this?

Do we really have to maintain different flyspray source trees just with different composer.json files???
Or backport auth2-client to PHP5.3 and PHP5.4 and use our versions in composer.json (no manpower for this)

Also the oauth2 stuff is not tested at the moment, so OAuth2 for Flyspay could be broken for some PHP versions.