Problem

Sometime (always?), when you Drag & Drop an Image from your computer to a Workboard Task, the File is not visible to other people.

I sincerely don't remember from what moment this happened, but I'm quite sure that this is not a new thing from Phorge.

Proposed solution

There is an "attach" system. So we can attach the File to the Task. So, the File inherits the visibility permissions of the Task. So, the File is visible to persons who can see the Task.

Workarounds

Since the author of the file is usually the only one who can see that image:

1. people usually comment in the Task like "Hey I don't see the cover image. Can you please change the File permissions to make it public? uh?" and then the file author tries to understand how to fulfill this request digging into the /files/ page. Premising that newcomers usually need extra instructions to fulfill this; this is also not something super-easy for experienced users: the Task may be semi-private, so you have to be careful and keep the two permissions in sync, manually.
2. another workaround: other installations just change File defaults. So, new files are public and everything works for them. But this has sense only if all your teams works in a public way and nobody has frequent little secrets. (May, changing this default, create nuclear problems for Security teams? Probably Yes).

Feature context:

• https://secure.phabricator.com/D15202

Downstream considerations

Affects-Wikimedia: The Cover Image already works as expected in Wikimedia Phabricator, but mainly because they probably changed the default File permissions (workaround n. 2), so that new Files are always visible as default, instead of private as default.

For Wikimedia, they know what they are doing and they are probably already happy as-is.

But, it's probably still very OK to proceed with this Task, since the only side-effect is that we can create little additional entropy. Example, the Task history already had this line:

jimbo updated the cover image to F4784: Screenshot_Wikipedia_offline

And, after this Task, it may have the second additional line:

jimbo attached 1 file(s): F4784: Screenshot_Wikipedia_offline.png. (Show Details)

We sincerely hope that this additional line will not create any nuclear confusion. So, we just hope that this explicit attach system will improve the Cover image feature to just work out of the box. So, Wikimedia may decide to restore File defaults, to have a more simplified Phorge installation with minimum default changes in the future.

Security considerations

Base case with new files:

If you attach your Image from your computer to a Task, it's indeed OK to consider that Image as "Visible to persons who can see that Task".

Case with already-existing files:

Attaching an already-existing file is currently not supported by the user interface so we ignore this in this Task. The proposed implementation needs to be somehow strict, to avoid to create mistakes / security implications (so, to leave no possibility to make an other-people private file, a public one, through this feature).

Proposed implementation

The PhabricatorProjectCoverController is the controller responsible for the file PHID receiver:

https://we.phorge.it/source/phorge/browse/master/src/applications/project/controller/PhabricatorProjectCoverController.php

Possibilities from the Controller:

1. If the Viewer can see the file, we attach that to the to the Task.
2. Extra check: the Viewer should also be the author of the File (this is just to be strict, to cover the root problem, and don't leave space to other unclear workflows).

Other possibilities:

2. ...