Flyspray - The bug killer!

Hello!

Today i was installed flyspray from git master and found some error.

Any user interface missing any fields to set parent task. Show parent field options was added in “fields when add/edit/view task” field at preferences page for project, but no affect.

Screenshots:

http://joxi.ru/vAWVOKGS9Y812W http://joxi.ru/D2P6dY7h0MnKr3 http://joxi.ru/1A5RGxwSVoM0rE

Flyspray version: Github master branch

The dokuwiki plugin uses a very old version of geshi for syntax highlighting which uses the deprecated /e modifier in preg_replace in two places rather than preg_replace_callback.

This can trigger warnings such as the following when initially parsing content which uses dokuwiki syntax and includes code:

PHP message: PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/phpapps/flyspray/plugins/dokuwiki/inc/geshi.php on line 2058

PHP message: PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/phpapps/flyspray/plugins/dokuwiki/inc/geshi.php on line 2067

This affects bugs.flyspray.org as well. Several hits came up on google when I search for the following due to the warnings having been displayed ahead of the page content (seen screenshot): flyspray preg_replace_callback

Because flyspray caches the results of processing dokuwiki content then the warnings don’t get emitted if the content has already been cached (so you may find that when you access the url in the screenshot that it doesn’t show the warnings unless you clear the cache entry for that task). Previews can get the warnings spat out as well if there are tagged code sections in the content.

I had a look at a more recent version of geshi (1.0.8.11 from sourceforge) and they had fixed that issue in it (presumably along with a lot of other stuff) so I tried replacing plugins/dokuwiki/inc/geshi.php and plugins/dokuwiki/inc/geshi/* with the 1.0.8.11 versions and that stopped the warnings. I haven’t extensively tested it, but it was processing stuff in code blocks correctly still on the couple of samples I tried.

I guess it’s a separate issue but the new flyspray theme doesn’t have any css styles to apply to the syntax highlighting (if you look at  FS#1107  you can see that, and in fact you can see it with the css bit below - if you inspect them with a browser dom inspector you can see that the genshi plugin has parsed and tagged the bits, but no styles are applied so its all just in the default colour). I can raise that as a separate task if worth doing? The following section in bluey stylesheet covered it I think:

.code .br0 {color:#6c6;}
.code .es0 {color:#009;font-weight:700;}
.code .kw1 {color:#b1b100;}
.code .kw2 {color:#000;font-weight:700;}
.code .kw3 {color:#006;}
.code .kw4 {color:#933;}
.code .me0 {color:#060;}
.code .nu0 {color:#c6c;}
.code .re4 {color:#099;}
.code .sc0 {color:#0bd;}
.code .sc1 {color:#db0;}
.code .sc2 {color:#090;}
.code .st0 {color:red;}
.code .co1,.code .co2,.code .coMULTI {color:gray;font-style:italic;}
.code .kw5,.code .re0,.code .re1,.code .re2 {color:#00f;}

When viewing a project via the tasklist, there are a series of checkboxes available. If a user in a group with “modify own tasks” checks a box on a ticket - no matter who actually owns it - they are given a list of options to change it with.

This should not happen. The checkboxes should only be available from the tasklist if the user can actually edit the tickets they’d be next to.

//imgur.com/a/JwORB

Hi,
Where i can change severity and priority by default?
I want change severity to “Medium” by default for group Basic
I cant find this option in the Flyspray settings.

It would be great to be able to configure a slack webhook that would post to a channel any task creation/deletion/modification.

My company maybe changes to a MS SQL Server backed ERP.

In this case it could be nice to have Flyspray customized as CRM working on the same database for integration with ERP.

Well, currently just an idea.

Got "wrong token" on creating a task whose form were open for a while in browser tab.

That means probably the session timed out on bugs.flyspray.org, so the anti csrf token doesn't existed anymore on the webserver.

It would'nt be a big problem if the browser backbutton works showing the ready written form again, but it was empty.

One solution would be temporarly storing it offline in the browser storages which are available with html5. But open for other simpler solutions..

There is a conflict in meaning in some words. In English past tense (”he closed the task”) and past participle (”List of closed tasks”) is the same word. But in Greek they are two different words (past tense of close: έκλεισε, past participle of close: κλεισμένος/κλεισμένη/κλεισμένο/.../etc → (actually, past participle has 3 genders (male/female/neutral) x 2 grammatical numbers (singular/plural) x 4 grammatical cases (nominative/genitive/accusative/vocative)) = 24 combinations but we’ll deal with this later if needed).

So, strings that now are used both as past tense and past participle, or used both for singular and plural, must split and use a different string when past tense and a different string when past participle or singular/plural.

These strings are:

The symbol “;” in Greek is the question mark. So a list of semicolon-separated values looks like a series of questions in Greek. (looks like this: “cat? dog? rabbit?” )

I suggest replacing semicolons with commas as list separators.

In email lists space is good choice too.

At first I thought month names were controled by jscalendar. But after restoring functionality of jscalendar ( FS#2226 ) I realized that month names are probably a native feature of Flyspray.

So month names need translation. Moreover, in Greek there should be grammatical cases used. For example October in Greek is Οκτώβριος (nominative case). But when you say “October 2” in Greek is “2 Οκτωβρίου” (genitive case). So month translation would require at least two strings for each month.

Spammers have found a way to bypass the block on user registration and cause entries to be inserted into the registrations table in the database. I have 30+ of them in there right now, all inserted within the last 2 days. I’ve had user registrations disabled for 2 weeks now because of an onslaught of spammers who won’t leave us alone. Flyspray has insufficient safeguards against them so when this happens I have little choice.

I don’t have any idea how, but these entries in the registrations table are resulting in emails being sent out to these accounts that are bouncing because the spammers are on domain blocklists for forging their DNS responses.

Something needs to be done about this, because if they can insert phantom entries into this database table via the code, what else could they be doing that we haven’t spotted yet?

The application installer needs an overhaul, all strict notices fixed and the associated dependant tasks resolved.

Summary of TODO I found on the net:

• There is a very old project site of flyspray on sf.net . The info there should be updated or removed.

• Update info and keep an eye on http://alternativeto.net/software/flyspray/ from time to time.

• Keep an eye and update Flyspray info on wikipedia for example:
  • http://en.wikipedia.org/wiki/Bug_tracking_system
  • http://en.wikipedia.org/wiki/Comparison_of_issue-tracking_systems
  • http://en.wikipedia.org/wiki/Comparison_of_project_management_software
  • http://en.wikipedia.org/wiki/Comparison_of_help_desk_issue_tracking_software
  • http://de.wikipedia.org/wiki/Issue-Tracking-System

danoh on github wants to work on patch. Couldn’t find him here..

Since Update to Flyspray 1.0 Beta2 all users can see every task in every project.

The rights were set up correctly in Flyspray 1.0 Alpha and worked just fine.

Today it was first time I see real spam on bugs.flyspray.org

The 2 spam accounts registered today and started creating spam posts as new tasks.

What is the reason? Was it by real humans or bots?

So what can we do to reduce this in future?

Ideas for making it harder and unattractive for spammers:

• Users who never opened a nonspam-task or contributed a useful comment should solve a captcha
• Limit the amount of creating tasks for new registered users or a user groups, like limiting to 2 tasks or 1 task per user per day.
• Settings for a more moderated task creation process? Like a quarantine dbtable for tasks?

• If we closed such spam tasks with WTF? reason, it will still be listed by search engines like google at the moment:

1. Move spam tasks to a ‘dumpster project’, that is not visible for guests (search engines!) too.
2. Or make spamming to visible flyspray projects unattractive, lets set noindex for: closed task for some special reason id?
3. Delete spam tasks from database if allowed by your organization

Update: another and this time more aggressive phone number spammer.

Flyspray does not recover the time set in php.ini. On display, the system has two hour delay.

Fatal error: Class 'League\OAuth2\Client\Provider\Github' not found in /html/bugs/includes/GithubProvider.php on line 11

I have downloaded this:
Precompiled with 3rd party libs for PHP5.6: flyspray-1.0-rc1_php56.tgz
and the file seems really dont exist.

I tried to upgrade from 0.9.9.7 to 1-0-rc1 but I end in an infinite redirection loop

I tried to use the github version, to change the domain name (hosted in dreamhost), to use/not-use the .htaccess, upgraded the version of php from 5.5 to 5.6, to change all the settings in the flyspray.conf.php file, but still having the error after to perform the Upgrade task and removing the setup dir

Used the prepacked dependencies since i cannot install them in this server

Thanks
Thanatermesis

When a anonymous user tries to display a ticket of a non public project (for example by entering a random ticket id), Flyspray exposes the title of the non public project in the header bar.

Edit by peterdd: also applies to project description

I’m trying to upgrade from 0.9.9.7 to 1.0-rc4 but the Upgrader stops with this message:

Query {UPDATE "tasks" SET detailed_desc = ?WHERE task_id = ?} with params {,400} Failed! (ERROR: invalid byte sequence for encoding "UTF8": 0xc3 0x3c)

Ubuntu 14.04.5 LTS
PostgreSQL 9.3.10

Correct or wrong code return false!

The results of Securimage Test Script on my server

This script will test your PHP installation to see if Securimage will run on your server.

Session Functionality: Yes!
GD Support: Yes!
GD Version: bundled (2.1.0 compatible)
imageftbbox function: Yes!
TTF Support (FreeType): Yes!
JPEG Support: Yes!
PNG Support: Yes!
GIF Read Support: Yes!
GIF Create Support: Yes!
SQLite Support: Yes!
SQLite is available. If you choose to use it, Securimage can support users who do not accept cookies.
MySQL Support: Yes!
MySQL is available. If you choose to use it, Securimage can support users who do not accept cookies by storing codes in MySQL.
PostgreSQL Support: No
No PostgreSQL support.
LAME MP3 Support: No
LAME was not found, audio will work in WAV format, but not MP3. See Securimage HTML5 audio documentation for info.
Your server meets the requirements for using Securimage!

on modify.inc.php line:754 got

if( !Post::isAlnum('captcha_code') || !$image->check(Post::val('captcha_code'))) {

if( true == false || false == false ) {

After updating from “1.0-rc6” to “1.0-rc7 dev” there is missing controls menu on writer. Look attachment.
How to solve this?

Is there any settings to enable this or I’m missing something...

The issue with many servers now and the reason that recaptcha does not work is because it requires servers to enable allow_url_fopen which is a huge security risk. That is why you get the warning message when you try to run recaptcha that file_get_contents failed to connect.

So the solution is to use Curl to do that job.

Here is the fixed file, excuse my mess i had not cleaned up my code yet... but recaptcha now works.

this file goes in the includes dir... you can clean up the file if you like again sorry about that.

Hi there,

I was looking for some issue management tool for the company I work for and Flyspray turned out to be almost perfect solution. I installed it easily and it works GREAT!
As I said, this turned out to be almost perfect solution, and this is because it lacks some features that my company needs.

• Due Date with Hour/Minute part - to choose till what time during that day should task be done (ie. 27-12-2012, 17:27)
• FS#2064
• FS#1962

Away with needs of my company, I believe that these features will make Flyspray very interesting and more suitable for many small/medium companies.

Best regards,

Milan Vlajnic

Hi, is there function in FS (0.9.9.7) wchich allow unregistered user automatically create account? FS is accessible only for our workers.

It would be sth like that:
1. Non-logged user creates ticket.
2. He type his e-mail (user_name@company.pl).
3. FS creates account for that user:
a. user's login: user_name
b. user's password: <generated by FS>
4. User's login and password'll be send on e-mail which was typed in e-mail field.

Is is possible to do it?

Hello,

First of all, thanks for this great tool, very user friendly.
I'm informing you as requested ("This should never happend, please inform Flyspray Developers" :)) because I'm getting this error message:

[Completely unexpected exception: Connection could not be established with host http://ssl0.ovh.net/ [php_network_getaddresses: getaddrinfo failed: Name or service not known #0]
This should never happend, please inform Flyspray Developers]

I set up the SMTP configuration (SSL) with information provided.

Enclosed in PHPinfo configuration, if it helps.

Thanks

This is taken from FS#1753:

The second reason being there is no way that I know of to automatically set a project usergroup to new members. I only have 1 project, but it seems the Global groups aren’t working (can still see tasks if “View Tasks” is unchecked) and I don’t know how to fix that.

And what I have to say - it is hard to tell if you are on the Flyspray admin settings area or on the admin settings of a project.

Cheapest way is adding some CSS to distinguish this for the user.

But there is in fact more to do to make it user friendly.

• TODO: list configurations for project(task types, categories, ..) in Manage Project should also show the system wide list values as hint to avoid duplication.
• TODO: project user groups overview should show system wide user group infos as info for project managers to avoid unnecessary complicated configuration settings.
• TODO: visualize related permissions that can overrule eachother like ‘view_task’ overrules ‘view_own_tasks’ to avoid misconfigurations

It seem that when deleting a version entry in a project, that tasks that have this version assigned are still connected to this deleted version. For example FS#1222 (on 2015-03-09).

There are several options to solve such things:

• Deny deletion of version as long as tasks assigned to this project version.
  • Either by doing a testing SQL query to check this case coded in PHP. Take care to keep this centralized, must also be respected by an eventually later added Flyspray API (XMLRPC or whatever).
  • add SQL foreign key constraints with ON DELETE RESTRICT
    • Pro: some business logic can be directly enforced by SQL.
    • Cons: higher requirements for hosting, if using mysql innodb tables must be available on the hosting

• Move the tasks of this version to a default fallback version before deleting the version tag.
  • Either doing one transaction doing : 1. move the tasks to its fallback version, 2. delete the version
  • add SQL foreing key constraint with ON DELETE SET $fallbackversionid. Some pros & cons like on the the denying option.

The same for other assignments for tasks.

This issue is similiar to the massop issue: (https://github.com/Flyspray/flyspray/issues/130)

Hello,

First of all, thanks for this great tool.
Can you please add also PDF export for Tasklist?

Thank You.

I need metrics for flyspray projects about a rest api. For example the count of issues for status, priority. I want use this values for my code analysis system http://www.sonarqube.org/ and other internal tools. It is possible to create a rest api with user authorization and only for metrics data?

The installer requests a password for the admin account, and provides a default one.

Because this field is not type=”password”, the browser caches this data for any field named “admin_password”

This also applies to future installations of the software.

I have marked this as critical as this can pose a security hazard. A different implementation would be allowing entry of password, or in the case of wanting to provide a default one, have two password fields prepopulated, and a text one prepopulated so that it can be viewed by the end user.

From the overview view for a project the progress charts should be large and show dates so can have a better sense for absolute progress and then when click it should see it full size going back to start of project and showing dates.

Tags can only be added on the "new task" page, not managed on the "edit task"-page.

We should change the document logic a bit here. For public projects search engines like well structured pages more then others. And we get a consistent structure too in future for Flyspray.

This I have in mind

Project area name ("All Projects" or "Project name")

Admin setting / Project setting pages, title of the sub pages

Section names in these pages

Task view page

Toplevel project overview /dashboard

New Task page

Reports page

Roadmap page

MyProfile page

I vote for removing $fs->prefs['page_title'] from title-tag.

flyspray> grep -r 'setTitle' *
includes/class.tpl.php:    public function setTitle($title)
index.php:$page->setTitle($fs->prefs['page_title'] . $proj->prefs['project_title']);
scripts/lostpw.php:$page->setTitle($fs->prefs['page_title'] . L('lostpw'));
scripts/newtask.php:$page->setTitle($fs->prefs['page_title'] . $proj->prefs['project_title'] . ': ' . L('newtask'));
scripts/register.php:$page->setTitle($fs->prefs['page_title'] . L('registernewuser'));
scripts/details.php:$page->setTitle(sprintf('FS#%d : %s', $task_details['task_id'], $task_details['item_summary']));
scripts/depends.php:$page->setTitle(sprintf('FS#%d : %s', $id, L('dependencygraph')));
scripts/index.php:$page->setTitle($fs->prefs['page_title'] . $proj->prefs['project_title'] . ': ' . L('tasklist'));
scripts/admin.php:        $page->setTitle($fs->prefs['page_title'] . L('admintoolboxlong'));
scripts/gantt.php:$page->setTitle($fs->prefs['page_title'] . $proj->prefs['project_title'] . ': ' . L('gantt'));
scripts/roadmap.php:$page->setTitle($fs->prefs['page_title'] . L('roadmap'));
scripts/pm.php:        $page->setTitle($fs->prefs['page_title'] . L('pmtoolbox'));
scripts/reports.php:$page->setTitle($fs->prefs['page_title'] . L('reports'));
scripts/myprofile.php:$page->setTitle($fs->prefs['page_title'] . L('editmydetails'));
scripts/toplevel.php:$page->setTitle($fs->prefs['page_title'] . $proj->prefs['project_title'] . ': ' . L('toplevel'));
scripts/newmultitasks.php:$page->setTitle($fs->prefs['page_title'] . $proj->prefs['project_title'] . ': ' . L('newtask'));
scripts/user.php:$page->setTitle($fs->prefs['page_title'] . L('viewprofile'));

I see php deprecation notices with php 5.6+ from the geshi syntax highlighter plugin of dokuwiki plugin sometimes. (seems to be go away on the second view, so probably not seen on cached views)

It can't be found easy with

grep -r preg_replace | grep '/e'

Because the preg_replace modifiers are added dynamic depending on the target programming language. At least in the version we have in flyspray.

• Use github releases for the release? peterdd: Yes, currently only source releases without 3rd party vendors.

The Flyspray 1.0alpha1 .zip file release unzips directly to the current directory.

.zip files from github unzip to it’s own directory (flyspray-master.zip unzips to flyspray-master/ ). This is a bit safer, because you cannot accidently mess your directory structure with it.

• The release should contain the binary fontawesome files instead of linking to the external CDN. Removes one dependency/singlepointoffailure. How this can be configured for automation? included in Flyspray source now.

• document how a release is exactly created. (consistency, reliability, automation, knowledge sharing for maintainers see below )

• Get in contact with os distributions, that could add Flyspray releases to their repositories (*BSD, Linux distributions, ..) This repositories could add the dependencies like ADODB within the packages (.rpm, .deb,..)

• Get in contact with web hosting providers who provide integreated 1-click installs of software for their web hossting customers.

• Get in contact with container builders (docker, ..)

Steps how to do a Flyspray release (since Flyspray 1.0 RC)

Currently, if there are no public project, the anonymous users gets a blank page not very useful. It will be a good idea to have a global configuration parameter to display some customizable-page or maybe the login form instead.

Removing table on row click made it impossible to open a task’ details if you do not display the task id and summary on the task list, because now those two cells are the only clickable items to open a task, instead of the entire line being the hyperlink

currently absolute positioning overlapping deny button and not full visible

Possible better solution:

• cssbased toggle

• left:50%; width:300px;margin-left:-150px;margin-top:50px;

Hi

So I figured out that there are no color coding options (to set text color and background color) for text in the CKEDITOR. I did some changes to CKEDITOR to add those, however, once I submit the text, it does not retain the changes.

Is there a particular reason why these are not enabled in the first place?

I am thinking it would be good add these, so that we can make the important text pop-out to the users.

- Raju

Both is a bit illogical, but both is currently possible!

1 ←- 1

So when setting the parent task id checked for creating loops is needed:

Loop with 2 tasks: 1 ←- 2 ←- 1

Loop with 3 tasks: 1 ←- 2 ←- 3 ←- 1
Loop with n tasks: 1 ←- ... ←- n < – 1

As I think there are currently no recursive reads that could lead to an endless loop, but should be kept in mind when someone wants to programm rendering a gantt chart.
E.g. by limiting the depth of subtasks for example.

Steps:

- Attach an image to a task.
- It shows as a link in your task (cf. screenshot “Screenshot from 2016-01-29 18-34-31.png”).
- Click on the link.

Result: it opens a “popup” with the image displayed in it. If the image is big, the popup is just so huge the image is not visible without boring horizontal and vertical scrolling (see “Screenshot from 2016-01-30 15-07-26.png” which shows what I see when I click the image link on my task).
I can’t even right click to download from the menu since I see no “Save Image As” item. (see Screenshot-no-save-image-in-menu.png).

My workaround was that if I drag and drop the attachment link in the address bar, I finally get the expected image, which I can finally save as! This workaround was hard to find, and I expect most people will just get frustrated of being able to view an image attachment, yet not save it locally.

I proposes the following:
- a small “download” icon next to the image link in the task for direct download (without preview).
- a “download” link/icon on the top-left of the image display popup (to download while previewing).

And as a side feature (maybe I should make a separate report?), I suggest that by default the image display popup constrains the image to the screen size, with a “see real size” link, so that you don’t get the popup with huge scrolling when opening a big image on a smaller screen.

Note: of course this issue does not appear with non displayable attachment. If I have a zip or a document, it proposes me to download it directly.

Today I got first SPAM on bugtracker.

Question: Is it possible to enable CAPTCHA for anonymus task add?

Question 2: Is it possible to delete SPAM tasks.

When I tried to install a instance of flyspray that is a release, I am greeted with a screen that says that I am trying to install a development version of flyspray. Due to me using shared hosting, I am unable to run any composer commands.

My version of flyspray was downloaded from flyspray.org, so why would this be happening? Thanks

An assigned ticket can't be edited by a lower privileged user.

Standardize the priority meaning across flyspray translations.

Idea:

0 - priority unset (database field default value)

1 - defer (or very low priority, often results the task is defered, see “Eisenhower principle”)
2 - low
3 - normal
4 - high
5 - very high

6 - flash (house burns, catastrophic event, website down, “boss” decision)

Some other software (other task planers/ email programs) use a 1-5 step priority. So an export feature to other software may merge priority 6 to priority 5 for such software.

In 2012 meaning was changed only in english translation.

Before normal was priority 2 in a 1-6 range, after it is priority 4 in a 1-6 range.
It should be IMHO 3 in that 1-6 range.

I have a major problem. At the first I thought that problem is on my server - Windows OS, IIS. But now when I have second bug tracker site on Apache server and error is the same I know that this is not server error but bug tracker error.

How can I help that we resolve this problem?

If e-mail need’s to be sent I got blank white page and nothing happens.

In attachment is my bug tracker with installer (setup) folder. If this somehow helps it?

Version which is used is 1.0 (latest on web) (edit by peterdd: was a mix of older Flyspray versions). The problem is that nothing works because e-mails are not working..

filter_input() is in extension “Filter”.

It is enabled by default since PHP5.2, see http://php.net/manual/en/migration52.new-extensions.php but not “always”, see https://groups.google.com/forum/?hl=de#!topic/flyspray/QM75BvwPqGM

filter_input() is only used at 1 section in Flyspray (since 2014 up to v1.0rc1) in includes/fix.inc.php
This is the commit https://github.com/Flyspray/flyspray/commit/40861911260812c99682fe3456350cb63bb243a9

How do we solve it? Several possibilities:

• Do we really need this calls here? What “bad input” is filtered here?
• Test if the extension is enabled at install/update tests/screens.
• use function_exists() test at every request ( similiar to the source code before https://github.com/Flyspray/flyspray/commit/40861911260812c99682fe3456350cb63bb243a9 )