Agile Dashboard / Scrum goes Burning Parrot

Demo of new planning view

Big step forward in the Tuleap UX with the upgrade of "Overview" and "Planning" views to Burning Parrot.

On Overview, both graphs are now rendered with D3js so they get the same look and feel.

Milestone overview with burning parrot

In addition to a fresher look, homogeneous with dashboards and project administration, we made a lot of small usability changes to make your life easier: direct access to parent from cards, more consistent cards between expanded / condensed views, milestone info "scrolls" when content is huge.

Milestone planning with burning parrot

It’s also possible to create backlog parents (eg. epics for user stories) directly from the backlog planning view

Add a parent in planning view

Project administration

Tuleap has a very large number of permissions and they goes very fine grained. Until now it was a bit tedious to see exact permissions that were set to each groups. With 9.18, you now get a single screen with all permissions granted across your project.

Display permissions per group in project admin


  • story #10325: search in artifact comments from classic view

The feature was already there for TQL users since a couple of months. It’s now accessible in classic search as well.

Cross tracker search (Tuleap Enterprise only)

3 new pseudo-fields are now accessible in Cross tracker search TQL: @status, @last_update_date and @submitted_on.

It means that you can for instance gather all the open tickets in all your support trackers of your platform that got an update last week with a query like @status = OPEN() AND @last_update_date >= NOW() - 1w

Cross tracker search widget with status and dates fields


PHP 5.6 is there, it’s now time to think to PHP 7. While the switch to PHP 5.6 was mostly an architecture change due to the introduction of nginx & fpm PHP7 will require mostly work on internal to get rid of a bunch of legacy and deprecation.

We already have a Continous Integration job that help us to identify were are the incompatibilities. But there are 2 big underlying changes we need to start with. First, change our database access layer (ext_mysql being removed from PHP7). This will be done via and upgrade to PDO and EasyDB. Then, work around our unit test framework (SimpleTest) limitation with PHP7. Our current version is not compatible and the latest versions of the framework that are compatible broke Mock usage. While we are working to get rid of this dependency all new unit tests must be written with phpunit

Releases stats

  • 1089 files changed, 59329 insertions(+), 21802 deletions(-)
  • They made the release (number of commits, author, company)
    • 145 Nicolas Terray (Enalean)
    • 127 Marie Ange Garnier (Enalean)
    • 125 Thomas Gerbet (Enalean)
    • 106 Joris Masson (Enalean)
    • 102 Yannis ROSSETTO (Enalean)
    • 49 Manuel VACELET (Enalean)
    • 25 Thomas Gorka (Enalean)
    • 8 Matthieu Monnier (Enalean)
    • 4 Benjamin Dauton (Enalean)
    • 1 Thomas Cottier (Enalean)

Validation scores

9.18 validation scores

Bug fix


  • request #11192: Filters set in tracker reports are vulnerable to SQL injections
  • request #11217: Account takeover due to a missing CSRF protection on email address change functionnality
  • request #11061: XSS through wiki attachment
  • request #11136: Open redirect vulnerability on /my/redirect.php
  • request #11171: Downloading a file of the FRS from the webdav web browser plugin can lead to XSS
  • request #10521: Improper handling of group related permissions in tracker report
  • request #10979: Implement Same-Site cookie and cookie prefixes protections

Installation & system administration

  • request #10782: Disable usage of unix users and groups (not enabled by default)
  • request #11067: Captcha configuration is not accessible with nginx
  • request #11115: Include tuleap username in request headers
  • request #11116: Remove codendi path for rhel7 support
  • request #11131: nginx should try to redirect the user to the Tuleap virtualhost if needed
  • request #11168: nginx timeout for reading a response from PHP-FPM should be aligned with the code expectations

Site admin

  • request #11048: Missing user status values in user details page
  • request #11174: Duplicated dynamic ugroups for legacy default template 100
  • request #11193: Resending activation emails does not work when users also need to be approved by a site administrator

Email management (cross service)

  • request #11084: Email deduplication doesn’t take empty emails into account
  • request #11112: Characters outside the ASCII range are not well interpreted in mail notifications by some clients
  • request #11127: SVN plugin notifications should not be sent as the user doing the action
  • request #11155: Notifications should not be sent as the user doing the action

Site home page


  • request #11177: Slow SQL queries due to a missing primary key on the ugroup_user table


  • request #11089: Selectbox Static Values Empty Name Defect
  • request #11103: Move "Done" semantic close to "Status"
  • request #11114: Artifact CSV import does not properly deal with typed artifact link entries
  • request #11118: Required selectbox field not open in edit mode when value is no more valid
  • request #11121: Tracker’s "Manage Semantic" fields editing broken
  • request #11132: Open List field causes a javascript error in artifact modal
  • request #11158: Computed field value might not be visible in the tracker artifact view



SVN plugin


  • request #11130: Broken regexes in Git fine grained permissions can block any Git administrative operations

Pull requests

Continuous integration




Document manager

  • request #11113: Only writers can lock documents
  • request #11138: Project administrator can be locked from document manager global administration service
  • request #11183: Dates might not be displayed in the document manager when browsing it in French


  • request #11154: Files added to the FRS from the webdav interface are always empty


  • request #11166: Project administrators don’t always have global access for PHPWiki


Project admin

  • request #11169: Ugroups administration is not accessible when TV3 tracker admin group is present