Page MenuHomePhorge

People: uploaded thumbnails should be editable by their author (not by "No one")
Open, NormalPublic



  • Visit ProfileManageEdit Profile Picture
  • Upload a Picture
  • Turn back to ProfileManage
  • Visit the filename of that new Picture (but also any old picture) (pictures are mentioned from the right sidebar)

What happens:

  • File is not editable: «No one can take this action»
  • File cannot be deleted: «No one can take this action»
  • (File can only be detached)

What should happen instead:

  • File should be Editable by the Author (to update its quality for example)
  • File should be Deletable by the Author (to fix a huge mistake for example)

Event Timeline

Thanks for this patch

I have not a clear big picture of this situation but probably most of the business logic that could be debugged to understand that is here:

The text says "The user who uploaded a file can always view and edit it.". I checked the DB, and the author field for the relevant file is null.
That implies that this upload code is bypassing some security checks...

avivey triaged this task as High priority.May 27 2023, 07:52

(Raising to "HIGH", until we figure out if there's a security concern).

valerio.bozzolan lowered the priority of this task from High to Normal.Nov 20 2023, 16:58