Custom Policy for a file doesn't work as expected
Closed, Declined | Public

Description

I want to protect this file F8679640 that can contain private information for a user.
But even if I set a Custom Policy, I can see this file by entering its URL in a Private Browsing tab of my browser. https://phabricator.wikimedia.org/F8679640
Is it normal?

Event Timeline

Uploaders can always see the files they uploaded.

Argh, "Private Browsing tab". Sorry!
What is the "Custom Policy" set to exactly? Is it a view or an edit policy? Clear steps to reproduce welcome. :)

Ok, I'll try to explain this strange problem.

  • Copy the link which is present in the description of the task
  • Disconnect yourself from Phabricator (in the menu of your avatar on the top right of the page)
  • Go to the link from your clipboard

I can still see the picture after having done these steps.

Here is the Custom Policy of this file:

Allow members of projects MediaWiki-extensions-CentralAuth
Allow members of projects AntiSpoof
Allow users subscribed to T170078: On GlobalRenameQueue, Antispoof shows strange propositions
If no rules match, deny all other users.

So I don't see any reason that explains why someone who is not connected can see this file.

Files attached to objects are visible to users who can view those objects.

Maybe because of that?

Aklapper renamed this task from "Custom Policy doesn't work as expected" to "Custom Policy for a file doesn't work as expected". Nov 3 2017, 3:40 PM
mmodell subscribed.

Yes, this is the expected behavior for files - they don't have their own custom security when attached to other objects.
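
A minimal model of the three rules stated in this thread (uploader access, the file's custom policy, and visibility inherited from attached objects), added here as an illustration; it is not part of the original discussion and not Phabricator's code. All class and function names and the sample objects are assumptions.

```python
# Illustrative model; every name here is an assumption, not Phabricator's code.
from dataclasses import dataclass, field
from typing import Callable, Optional

PUBLIC = "public"  # hypothetical marker: object is viewable while logged out

@dataclass
class User:
    name: Optional[str]  # None models a logged-out visitor
    projects: set = field(default_factory=set)
    subscriptions: set = field(default_factory=set)

@dataclass
class Obj:
    name: str
    view_policy: object  # PUBLIC, or a callable(User) -> bool

@dataclass
class File:
    uploader: str
    custom_policy: Callable
    attached_to: list = field(default_factory=list)

def can_view_object(user, obj):
    if obj.view_policy == PUBLIC:
        return True
    return user.name is not None and obj.view_policy(user)

def file_view_reason(user, f):
    """Return the rule that grants view access, or None if access is denied."""
    if user.name is not None:
        if user.name == f.uploader:
            return "uploader"
        if f.custom_policy(user):
            return "custom policy"
    for obj in f.attached_to:  # attachment grants access past the custom policy
        if can_view_object(user, obj):
            return "attached to " + obj.name
    return None

# Constructed sample mirroring the custom policy quoted in the thread.
def custom_policy(u):
    in_project = u.projects & {"MediaWiki-extensions-CentralAuth", "AntiSpoof"}
    return bool(in_project) or "T170078" in u.subscriptions

public_task = Obj("public task", PUBLIC)
attached = File("uploader", custom_policy, [public_task])
standalone = File("uploader", custom_policy, [])
logged_out = User(None)
```

When auditing a file, check the view policy of every object it is attached to, since anyone who can view one of those objects can view the file.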