
Default upload visibility should be "Public (No Login Required)"
Closed, ResolvedPublic

Description

Upstream: https://secure.phabricator.com/T6564

The default visibility for files created at https://phabricator.wikimedia.org/file/upload/ should be "Public (No Login Required)". This is the same behavior as Bugzilla. Currently, the default is "All Users" which requires a login.

If possible, creating non-public files (or changing visibility of an existing file to non-public) should be limited to the Security group.

Event Timeline

Mattflaschen-WMF renamed this task from Default upload visibility should be Public (No Login Required) to Default upload visibility should be "Public (No Login Required)".
Mattflaschen-WMF raised the priority of this task from to High.
Mattflaschen-WMF updated the task description.
Mattflaschen-WMF changed Security from none to None.
Mattflaschen-WMF added a subscriber: Qgil.

/me wondering why this is set to high priority?

> (or changing visibility of an existing file to non-public)

For the record, https://www.mediawiki.org/wiki/Phabricator/Help#Uploading_file_attachments states:

> Note that you cannot upload a file and then decrease the access level to the file (e.g. linking it to a restricted security ticket). You would have to delete the file and reupload it with stricter access permissions. It is recommended to upload files which should have restricted access together with the creation of a restricted (security) ticket.

Qgil lowered the priority of this task from High to Medium. Edited Nov 12 2014, 8:33 AM

First I wanted to check whether the files created via drag&drop are public, and they are. Then I checked the files at bugzillapreview, and they are also public. Therefore, this problem affects exclusively files uploaded via https://phabricator.wikimedia.org/file/upload/. Still a problem, but not high priority.

I could not find in phab-01 any configuration to set the default to Public. It would make sense for new uploads to have the same default Can View policy as "Can Use Application" (which is set to Public).

I couldn't find either a policy to limit who can set the Can View policy of files uploaded (just like Maniphest has one, and this is why regular users only have the option of public/private).

@Mattflaschen, since you have experience reporting problems upstream, would you like to report these two (separate or together, your choice)?

> /me wondering why this is set to high priority?

Because it's important that users (simply using the default setting without thinking about it) don't create a huge mess of incorrectly-permissioned files. However, it's true that on further review it's not that bad since most people probably won't even know about the upload file page (the drag and drop message when you click the upload icon does not currently mention it).

> Note that you cannot upload a file and then decrease the access level to the file (e.g. linking it to a restricted security ticket). You would have to delete the file and reupload it with stricter access permissions. It is recommended to upload files which should have restricted access together with the creation of a restricted (security) ticket.

Thanks.

In T1248#21580, @Qgil wrote:

> I could not find in phab-01 any configuration to set the default to Public. It would make sense for new uploads to have the same default Can View policy as "Can Use Application" (which is set to Public).

Filed as https://secure.phabricator.com/T6564 ("Set default permissions for file uploads to same as File application")

> I couldn't find either a policy to limit who can set the Can View policy of files uploaded (just like Maniphest has one, and this is why regular users only have the option of public/private).

Filed as https://secure.phabricator.com/T6565 ("Allow limiting which "Can View" settings can be used for files").

Qgil lowered the priority of this task from Medium to Low. Nov 27 2014, 8:17 AM

This is Low priority upstream.

Upstream has resolved its part (creating the policy). https://secure.phabricator.com/applications/view/PhabricatorFilesApplication/ now specifies

Default View Policy: All Users

After upgrading Wikimedia Phabricator, we need to set this policy as "Public (No Login Required)".

Qgil changed the task status from Open to Stalled. Nov 30 2014, 8:07 PM
Qgil edited projects, added Phabricator; removed Phabricator (Upstream).
Aklapper claimed this task.

This is the case now.

https://phabricator.wikimedia.org/applications/view/PhabricatorFilesApplication/ states

Default View Policy: Public (No Login Required)

and going to https://phabricator.wikimedia.org/file/upload/ shows "Public" as default.