Problem
Take a fresh new Phorge.
Unless you changed the default File permissions...
When you Drag & Drop an Image from your computer to a Workboard Task, the File is not visible to other Task participants.
I sincerely don't remember from what moment this happened, but I'm quite sure that this is not a new thing from Phorge.
Proposed solution
There is an "attach" system. So we can attach the File to the Task. So, the File inherits the visibility permissions of the Task. So, the File is visible to persons who can see the Task.
Anyway, even attaching does not completely resolve, because the original file is not related to the "Cover Image Transform", so, if you tune permissions of the first, you still don't see the second. See the sub-task.
T15703: Workboard Cover Image: the cropped "Transform" is orphan
Workarounds
Since the author of the file is usually the only one who can see that image:
- people usually comment in the Task like "Hey I don't see the cover image. Can you please change the File permissions to make it public? uh?" and then the file author tries to understand how to fulfill this request digging into the /files/ page. Premising that newcomers usually need extra instructions to fulfill this; this is also not something super-easy for experienced users: the Task may be semi-private, so you have to be careful and keep the two permissions in sync, manually.
- another workaround: other installations just change File defaults. So, new files are public and everything works for them. But this has sense only if all your teams works in a public way and nobody has frequent little secrets. (May, changing this default, create nuclear problems for Security teams? Probably Yes).
Feature context:
Downstream considerations
Affects-Wikimedia: The Cover Image already works as expected in Wikimedia Phabricator, but mainly because they probably changed the default File permissions (workaround n. 2), so that new Files are always visible as default, instead of private as default.
For Wikimedia, they know what they are doing and they are probably already happy as-is.
But, it's probably still very OK to proceed with this Task, since the only side-effect is that we can create little additional entropy. Example, the Task history already had this line:
jimbo updated the cover image to F4784: Screenshot_Wikipedia_offline
And, after this Task, it may have the second additional line:
jimbo attached 1 file(s): F4784: Screenshot_Wikipedia_offline.png. (Show Details)
We sincerely hope that this additional line will not create any nuclear confusion. So, we just hope that this explicit attach system will improve the Cover image feature to just work out of the box. So, Wikimedia may decide to restore File defaults, to have a more simplified Phorge installation with minimum default changes in the future.
Security considerations
Base case with new files:
If you attach your Image from your computer to a Task, it's indeed OK to consider that Image as "Visible to persons who can see that Task".
Case with already-existing files:
Attaching an already-existing file is currently not supported by the user interface so we ignore this in this Task. The proposed implementation needs to be somehow strict, to avoid to create mistakes / security implications (so, to leave no possibility to make an other-people private file, a public one, through this feature).
Proposed implementation
The PhabricatorProjectCoverController is the controller responsible for the file PHID receiver:
Possibilities from the Controller:
- If the Viewer can see the file, we attach that to the to the Task. Anyway, we should fix the Attach system for Cover Image transforms. See Sub-Task.
- Extra check: the Viewer should also be the author of the File (this is just to be strict, to cover the root problem, and don't leave space to other unclear workflows).
Other possibilities:
- ...