Page MenuHomePhorge
Create Task
Maniphest T15407

People: uploaded thumbnails should be editable by their author (not by "No one")
Open, HighPublic
Actions

Description

Steps:

  • Visit ProfileManageEdit Profile Picture
  • Upload a Picture
  • Turn back to ProfileManage
  • Visit the filename of that new Picture (but also any old picture) (pictures are mentioned from the right sidebar)

What happens:

  • File is not editable: «No one can take this action»
  • File cannot be deleted: «No one can take this action»
  • (File can only be detached)

What should happen instead:

  • File should be Editable by the Author (to update its quality for example)
  • File should be Deletable by the Author (to fix a huge mistake for example)

Event Timeline

albertoleoncio created this task.Sat, May 20, 14:23
Herald added subscribers: Cigaryno, Matthew, chris and 2 others. · View Herald TranscriptSat, May 20, 14:23
valerio.bozzolan awarded a token.Sat, May 20, 14:23
valerio.bozzolan added a comment.Sat, May 20, 14:34

Thanks for this patch

I have not a clear big picture of this situation but probably most of the business logic that could be debugged to understand that is here:

https://we.phorge.it/source/phorge/browse/master/src/applications/people/controller/PhabricatorPeopleProfilePictureController.php

avivey added a subscriber: avivey.Sat, May 27, 07:51

The text says "The user who uploaded a file can always view and edit it.". I checked the DB, and the author field for the relevant file is null.
That implies that this upload code is bypassing some security checks...

avivey triaged this task as High priority.Sat, May 27, 07:52

(Raising to "HIGH", until we figure out if there's a security concern).