Page MenuHomePhorge

People: Profile Pictures should be Editable and Deletable by their Authors (not by "No one")
Open, HighPublic

Description

Steps:

  • Visit ProfileManageEdit Profile Picture
  • Upload a picture
  • Turn back to ProfileManage and visit the filename of that new picture (but also any old picture) (pictures are mentioned from the right sidebar)

What happens:

File cannot be Edited or Removed.png (246×300 px, 13 KB)

  • file is not editable e.g. you cannot set a name: «No one can take this action»
  • file cannot be deleted: «No one can take this action»
  • (File can only be detached, also from their profile - and it's unclear why people should be able to do it, but this is an unrelated task)

What should happen instead:

  • File should be Deletable by the Author (to fix a huge mistake for example, or to remove that picture of you in high school where you had pimples, but now you have even more pimples and you want to only expose the most recent photo)
  • File should be Editable by the Author (to update its title for example, from "profile")

Reasons why this is important:

  • manually uploaded files can be removed by users (from the web, without command line interaction), so we can do the same for profile pictures, especially about obsolete profile pictures
  • this kind of deletion requests are now processed by root users from the command line interface, and this is an extra risk (since every singe damn profile picture is called "profile", so it's not difficult for an admin to do a mistake while trying to help an end-user in their cleanup), but Phorge could be able to allow end-users to cleanup their own sh*t, without involving root access requests (again, just like manually uploaded files)

Possible pitfalls:

  • we know that we cannot revert time, and we cannot revert emails, and we cannot revert a CDN, but users should be able to delete their profile pictures, just like they can already delete their manually uploaded files
  • there is a known problem about the destruction of profile pictures in general: they cause broken profile pictures (404 errors). So it's a problem if users will be allowed to Remove their own profile pictures. To improve the profile image destroy workflow in general, look at the sub-task T16074: Profile picture destroy workflow: it should not cause 404 errors (it should set the builtin image), that can be processed first, and it would be immediately useful to CLI admins, even without working here on this parent task (so admins following destroy requests don't need anymore to contact that user to explain how to restore their builtin picture, to avoid a consequent 404 error).

So, in short, profile images are shown here forever, and cannot be deleted by their own users:

Screenshot_20240505_151934.png (706×1 px, 172 KB)

What happens

Little exploration of the table phabricator_file.file, about a profile picture. See the original file and the derived file named "profile".

See that the file named "profile" has not authorPHID. That is one of the reasons the author cannot edit/remove it.

*************************** 42. row ***************************
              id: 43
            phid: PHID-FILE-wzbdm6d76sa3bqpvgf23
            name: Screenshot_20240204_101538.png
        mimeType: image/png
        byteSize: 389182
   storageEngine: blob
   storageFormat: raw
   storageHandle: 31
     dateCreated: 1714856499
    dateModified: 1714856499
      authorPHID: PHID-USER-mutepdoozum2ey2pm7of
       secretKey: jkdb3d3xoo5xyvmo2dhd
     contentHash: fe2a9511cb1ab4ac2eedff6e32aff01fd96778e680005f5741e8b9c2758f81ad
        metadata: {"storage":[],"width":1920,"height":1080,"canCDN":1}
             ttl: NULL
isExplicitUpload: 0
         mailKey: fqgie335f3qu2jc3t2es
      viewPolicy: users
       isPartial: 0
      builtinKey: NULL
       isDeleted: 0
*************************** 43. row ***************************
              id: 44
            phid: PHID-FILE-anvsulbhvqsxguk65tid
            name: profile
        mimeType: image/png
        byteSize: 59341
   storageEngine: blob
   storageFormat: raw
   storageHandle: 32
     dateCreated: 1714856499
    dateModified: 1714856499
      authorPHID: NULL                                                                ← ← ← ← ←
       secretKey: dzvuzmanku2aayk3x36v
     contentHash: 9de9a20b98478c40fa94b52c2aea3e4db5736994bb88766ce3021f0caa4b49d6
        metadata: {"storage":[],"width":400,"height":400,"canCDN":1,"profile":true}
             ttl: NULL
isExplicitUpload: 0
         mailKey: du26qw5527bwxnttww4k
      viewPolicy: users
       isPartial: 0
      builtinKey: NULL
       isDeleted: 0
SELECT * FROM file_transformedfile WHERE originalPHID = 'PHID-FILE-wzbdm6d76sa3bqpvgf23';
Empty set (0,001 sec)

Workaround for Deletion

If your original intention was to delete the file, you can do it, having shell access in the Phorge server and run the destroy workflow from the phorge/ directory:

./bin/remove destroy F43

P.S. For historical details about this beautiful workflow, see here:

https://we.phorge.it/rP985eb26c7e32cdc19536769def6ab037645100fb

But note that if you destroy your current profile picture you cause 404 errors, as described in this sub-task: T16074: Profile picture destroy workflow: it should not cause 404 errors (it should set the builtin image)

Event Timeline

Thanks for this Task

I have not a clear big picture of this situation but probably most of the business logic that could be debugged to understand that is here:

https://we.phorge.it/source/phorge/browse/master/src/applications/people/controller/PhabricatorPeopleProfilePictureController.php

The text says "The user who uploaded a file can always view and edit it.". I checked the DB, and the author field for the relevant file is null.
That implies that this upload code is bypassing some security checks...

(Raising to "HIGH", until we figure out if there's a security concern).

valerio.bozzolan lowered the priority of this task from High to Normal.Nov 20 2023, 16:58

Indeed reported from a Wikimedia user about Wikimedia Phabricator.

Even if I'm unaware of any downstream task.

I do not (yet?) understand the use case of this task.

Why should thumbnails be manually editable instead of automatically generated when they are just small versions of some other files?

Visit the filename of that new Picture (but also any old picture) (pictures are mentioned from the right sidebar)

I cannot follow. Which page are we on? It does not seem to be ProfileManage. What are clear steps to reproduce?

File should be Editable by the Author (to update its quality for example)

Why if you could just upload a new image with improved quality? (And why care about some thumbnail of your file in this case?)

File should be Deletable by the Author (to fix a huge mistake for example)

Files are manually deletable by the author. Thumbnails of such files should not be manually deleteable - code should handle that, in my opinion.

Edit: Uh wait, maybe "user avatar" or "user profile picture" was meant instead of "thumbnail"?

valerio.bozzolan renamed this task from People: uploaded thumbnails should be editable by their author (not by "No one") to People: profile picture should be editable by their author (not by "No one").May 2 2024, 17:34
valerio.bozzolan raised the priority of this task from Normal to High.May 2 2024, 17:41

(Oh sorry avivey, I have not noticed your priority action - I agree)

valerio.bozzolan updated the task description. (Show Details)

After a small database inspection, it seems that uploading the picture causes:

  1. ✅ the original file, uploaded with the correct authorPHID
  2. the transform, orphan, and without authorPHID

If we allow authors to destroy their images, we should also avoid 404 errors on them. So, the new subtask T16074.

Plus, making the file editable by the author is the cure of T15814, so, moving that as parent task.

valerio.bozzolan renamed this task from People: profile picture should be editable by their author (not by "No one") to People: Profile Pictures should be Editable and Deletable by their Authors (not by "No one").Mon, May 19, 23:06
valerio.bozzolan updated the task description. (Show Details)