If you have a tasklist with tasks that have multiple assignees in a task and you search just by one of the assignees, the resulting tasklist shows only this user in the assignees column.

Expected: all assignees of the tasks are shown.

My tests showed that the html accesskey feature is not well and consistent supported by current web browsers and is quite cumbersome to use.
And it seems it will not be better in future..

The only solution I see dropping that feature or replacing them with simple single-key-event javascript listeners, like it is currently done with keys o, j, k, n, and p.

accesskeys in Flyspray I talk about:

• l (current SHIFT+ALT+l Firefox) login dialog / logout
• a (current SHIFT+ALT+a Firefox) add new task
• m (current SHIFT+ALT+m Firefox) my searches
• t (current SHIFT+ALT+t Firefox) focus taskid search
• e (current SHIFT+ALT+e + Enter Firefox) edit task
• x or y? (current SHIFT+ALT+y Firefox) close task
• s (current SHIFT+ALT+s Firefox) save task

Also related to Keyboard navigation: tabindex

Flyspray should show a warning, and maybe set the focus back to the field (only when it is a this-one-field-only-form.)

Geshi 1.0.8.17 from https://github.com/easybook/geshi is quite slow at the current integration of Flyspray v1.0-rc3 on the first run. (But any further read uses the cache.)

But it produces garbled output for xml code highlighting:

Example without xml, just format as preformatted code:

<table>blabla</table>

Or as php syntax highlighting (even if it doesn’t contain a real php-tag ):

<table>blabla</table>

Example with xml choosen as language:

blabla

The table tag is stripped away instead of converting the tag for output inside code/pre tags (by converting the < and > chars). Maybe just a configuration issue?

The filename for the csv export is build based on project name and current date.

Due different handling of web browsers, the appropriate http header should send the filename in ascii and also provide them as utf-8 for web browsers who can handle that.

Related RFC5987

The dokuwiki renderer automatic creates for each h(1-6) tag an html id attribute, but doesn’t ensure that this:

• is not used by Flyspray templates
• is unique across all tasks (tasklist summary/description mouseover!), id must be unique on a webpage.

Example: id=”footer” and id=”title” are used by the default CleanFS template for example.

footer

title

title

title

Possible solution

I’ve tried inserting an image in the intro message but it doesn’t show. Is there something broken in the formattext.inc file? Seems unlikley because it’s so old but can’t work out why nothing shows.

Alan

I had to disable some parts last year within dokuwiki quickly due sever reported security issues in that area.

As tradeoff embedding images currently don’t work within dokuwiki textareas in Flyspray.

As I too wish that feature reappear working for my projects, this is on my personal list. But requires focused free time because must be made secure.

Maybe instead of using fetch.php of dokuwiki, we can use Flypsray’s ?getfile=id , which also checks permissions.
But must check also securly file types and maybe resize images to fit into the desired page (thumbnails).

Currently the category_id is not checked if the value is legal for the project when a new task is created.

• must be unsigned int
• must be an active category_id of the project or global category.
• setting a category_id must be allowed - see project settings.

If invalid category_id is sent, deny creating task and show error message and show filled form again.

If no category_id is sent (or empty string) and category select is enabled:

• either choose a default category

or

• implement feature request FS#2451 and show that user should select a category.

Since PHP7.2 shows a warning in admin area ?do=admin&area=users&user_id=1234567890, when user_id is set, but no alternative user_name parameter.

Probably related to scripts/admin.php

$id = Flyspray::UserNameToId(Req::val('user_name'));
if (!$id) {
  $id = Req::val('user_id');
}

When a user has project manager permissions, but not admin permissions, then on the ‘edit group’ pages like index.php?do=pm&area=editgroup&id=8
the links in the list of users of that group are

index.php?do=admin&area=users&user_id=12345

instead of linking to the users page

index.php?do=user&area=users&id=12345

and a redirect follows with Error #4: You don’t have administrative rights.

Closing a task with selected close reason duplicate should warn when there is no comment or FS # id is given in the close comment text field.

The task is closed as duplicate without any further notice. The information to which task it is duplicate or a description (if the problem is logged/handled outside Flyspray) is lost.

Possible solutions

Frontend hints

Backend deny

So closing a task

FS#1

with

reason: duplicate

and close comment

FS#1

referencing to self should be detected to avoid such user mistakes.

the installer does not check for reserved characters when writing to flyspray.conf.php, causing parse_ini_file() to return an invalid database password.

Any form should have its submit button directly below and to the right of the form.

This is most egregious on the New Task page where you have to scroll back up to the top right to submit.

On Mac OS Safari:

I just closed a task and wrote the following into the comment for closing:

"See also F.S.#.14" (of course without the points). When I then click the link in the comment box (below the task details) I'm redirected to:
"http:/flyspray.stefan-herz%0Aog.tld/index.php?do=details&task_id=%0A14". No matter if #14 is closed or not.
It worked with Firefox.

Any suggestions?

The installer requests a password for the admin account, and provides a default one.

Because this field is not type=”password”, the browser caches this data for any field named “admin_password”

This also applies to future installations of the software.

I have marked this as critical as this can pose a security hazard. A different implementation would be allowing entry of password, or in the case of wanting to provide a default one, have two password fields prepopulated, and a text one prepopulated so that it can be viewed by the end user.

public static function absoluteURI($url = null, $protocol = null, $port = null)
in
class Flyspray

not using basedir and force_basedir from configuration file

its problem because my web-server inside have port 7777 and outside 80 (nginx and PHP-FPM)

please fix it

this one is somehow tricky, it doesn't happens always but sometimes when fields or filenames contain national characters (I'm in Spain) flyspray returns an error looking like this one:

Query {INSERT INTO `flyspray_attachments` ( task_id, comment_id, file_name, file_type, file_size, orig_name, added_by, date_added) VALUES (?, ?, ?, ?, ?, ?, ?, ?)} with params {189,711,189_9c5d837bb10b7e0989a3c8be8d,application/pdf; charset=binary,736986,Guia de aplicación medidas difusicón y publicidad.pdf,4,1441827828} Failed! (Incorrect string value: '\xCC\x81n me...' for column 'orig_name' at row 1)

here we have a pdf named "Guia de aplicación medidas difusicón y publicidad.pdf" but I had this error also with titles or descriptions containing spanish letters...

Since Update to Flyspray 1.0 Beta2 all users can see every task in every project.

The rights were set up correctly in Flyspray 1.0 Alpha and worked just fine.

I upgraded from 0.9.9 to 1.0-beta2 a few hours ago. I received an error about oauth during the upgrade (didn’t think to take a screenshot). In any case, the upgrade otherwise seemed to go smoothly. When I subsequently closed a few tasks people who weren’t assigned to receive notifications for those tasks, even old consultants whose account I had disabled years ago, received the email notification. I also received lots of bounced emails from accounts whose email addresses were no longer existant.

Has anyone else experienced this? I’ve gone into the database and null’d out the email addresses of old accounts to prevent further spam. Not only did it notify everyone who had an account (active or disabled) but it put their email address in the To: field for all to see.

I’m using URL rewriting…

If I click on the link, the picture doesn’t appear.

https://flyspray.xxx.fr/task/27?getfile=8

It’s ok in task history. The right URL is

https://flyspray.xxx.fr/?getfile=8

.

An assigned ticket can't be edited by a lower privileged user.

I have a major problem. At the first I thought that problem is on my server - Windows OS, IIS. But now when I have second bug tracker site on Apache server and error is the same I know that this is not server error but bug tracker error.

How can I help that we resolve this problem?

If e-mail need’s to be sent I got blank white page and nothing happens.

In attachment is my bug tracker with installer (setup) folder. If this somehow helps it?

Version which is used is 1.0 (latest on web) (edit by peterdd: was a mix of older Flyspray versions). The problem is that nothing works because e-mails are not working..

I run flyspray behind a reverse proxy with the front end url being https and with the actual back end server not being on a standard port and not using https.

Setting force_baseurl seems to sort most areas with flyspray’s url generation using that instead of picking up from $_SERVER, however post-authentication redirection does not do that it just processes redirect_to as is (which in my case means it picks up the protocol, name and port for the back end server rather than what’s set in force_baseurl).

./themes/CleanFS/templates/loginbox.tpl puts out $_SERVER[’REQUEST_URI‘] into a hidden redirect_to input field - on my setup on the front page that’s e.g. “/” or for a ticket url it would be “/index.php?do=details&task_id=999” so no protocol or hostname.

scripts/authenticate.php picks up that redirect_to value and just passes it to Flyspray::Redirect, which in turn calls FlySpray::absoluteURI on what it’s passed, and FlySpray::absoluteURI doesn’t use $baseurl to qualify the url.

Not sure what the best fix is - my suggestion would be that Redirect detects urls that aren’t fully qualified and adds the $baseurl on to the front of them, rather than calling absoluteURI (absoluteURI is used to set $baseurl if force_baseurl is unset, so that’s not appropriate to modify). Alternatively scripts/authenticate.php could check redirect_to and add $baseurl if needed.

If a task creator requested closure, and someone (developer) closes the task explicitly, the PM request cannot be later ‘accepted’ and the PM request remains in the queue.

Workaround - Deny request and queue item is removed OK.

It looks like the PM request button invoked details.close which returns early if task is already closed.