It seems it's necessary to be able to "get the user from a profile picture". This is not easy, since the user seems not mentioned in any obvious way from the file object, as already stated in T15407.

Plus, making the file editable by the author is the cure of T15814, so, moving that as parent task.

If we allow authors to destroy their images, we should also avoid 404 errors on them. So, the new subtask T16074.

In T15998#21086, @Cigaryno wrote:

Did anyone think of showing two separate queries on Tasks

What is Tasks? Could you share an URI? By default http://phorge.localhost/maniphest/ already offers Assigned, Authored, etc. saved queries in the sidebar.

As a general rule, I prefer the have the abstractions as much as possible, to allow extensions to do things.
In this case, an abstraction would also make this feature easier to enable/disable, which I think is desired.

Chris has asked me to pick this up as he'd like to see this implemented.

This is a great proposal. Did anyone think of showing two separate queries on Tasks: Assigned and Authored. In my opinion, it just makes it harder to scroll down to authored tasks which is why it makes more sense to have separate Assigned Tasks and Authored Tasks views on the profile menu.

I proposed two related patches in D25683 and D25685, both of them obsoleted by: D25687.

After a small database inspection, it seems that uploading the picture causes:

(Oh sorry avivey, I have not noticed your priority action - I agree)

I do not (yet?) understand the use case of this task.

Indeed reported from a Wikimedia user about Wikimedia Phabricator.

In T15671#14420, @avivey wrote:

The feature was removed for performance and private concerns. I thought Gravatar was alread dead.

Maybe this can be done as an extension:

• Abstract the "profile picture provider"
• Allow an extension to write a Gravatar one

There are currently 2-3 sources, so maybe there is some abstraction:

• pokemon-style silhouette
• Character with background (generated from username)
• Upload Picture

The feature was removed for performance and private concerns. I thought Gravatar was alread dead.

We can continue the discussion in Task T15556 - thanks for reporting

Is there a Task about this? if not, feel free to open that in Diffusion at least. I'm interested in seeing this fixed.

Ouch sorry renamed again since I forgot the discussion. Still an annoying bug and found your question.

Yes. The trade off would be user experience. I have absolutely spent 15+ minutes waiting for a reset email on sites after having either typo’d or put in a different email address from the one I signed up with.

If I've understood correctly,

In T15091#9775, @RhinosF1 wrote:

Can this be made public?

Can this be made public?

Closing for now as "we're ok with this", and there was no interaction on this ticket for a while.

I wonder if this is related to not being able to use the Diffusion repository file auto-complete when not logged in even though the repo is publicly accessible.

(Raising to "HIGH", until we figure out if there's a security concern).

The text says "The user who uploaded a file can always view and edit it.". I checked the DB, and the author field for the relevant file is null.
That implies that this upload code is bypassing some security checks...

Thanks for this Task

Hi @Cigaryno thanks for this bug report. Please attach more details than feel free to reopen