People: uploaded thumbnails should be editable by their author (not by "No one")
Open, NormalPublic
Actions

Assigned To

None

Authored By

	• albertoleoncio
	May 20 2023, 14:23

Description

Steps:

Visit Profile → Manage → Edit Profile Picture
Upload a Picture
Turn back to Profile → Manage
Visit the filename of that new Picture (but also any old picture) (pictures are mentioned from the right sidebar)

What happens:

File is not editable: «No one can take this action»
File cannot be deleted: «No one can take this action»
(File can only be detached)

What should happen instead:

File should be Editable by the Author (to update its quality for example)
File should be Deletable by the Author (to fix a huge mistake for example)

Event Timeline

• albertoleoncio created this task.May 20 2023, 14:23

Herald added subscribers: Cigaryno, Matthew, chris and 2 others. · View Herald TranscriptMay 20 2023, 14:23

valerio.bozzolan awarded a token.May 20 2023, 14:23

Thanks for this patch

I have not a clear big picture of this situation but probably most of the business logic that could be debugged to understand that is here:

https://we.phorge.it/source/phorge/browse/master/src/applications/people/controller/PhabricatorPeopleProfilePictureController.php

The text says "The user who uploaded a file can always view and edit it.". I checked the DB, and the author field for the relevant file is null.
That implies that this upload code is bypassing some security checks...

(Raising to "HIGH", until we figure out if there's a security concern).

waldyrious subscribed.Nov 14 2023, 14:42

valerio.bozzolan lowered the priority of this task from High to Normal.Nov 20 2023, 16:58

valerio.bozzolan added a project: User-valerio.bozzolan.

People: uploaded thumbnails should be editable by their author (not by "No one")Open, NormalPublicActions

Description

Event Timeline

People: uploaded thumbnails should be editable by their author (not by "No one")
Open, NormalPublic
Actions