Page MenuHomePhabricator

File remains 'attached' to a ticket even once removed from any current comment
Closed, WontfixPublic

Description

I uploaded a file to a security ticket; the file's permissions were "author or subscribers of attached objects" (a screenshot of some sensitive information exhibiting a security bug).

I then wanted to 'declassify' the security ticket and make it available to all, but as the file contained sensitive information I edited my comment to remove it. I expected that no one other than myself should've been able to see it after I edited the comment. In practice, the file was still visible in the history (even though not visible on first look), and I had to delete the image from the system to avoid a leak.

Event Timeline

epriestley closed this task as Wontfix.Jan 28 2016, 10:45 PM
epriestley claimed this task.
epriestley added a subscriber: epriestley.

This is intentional. The file is visible in the UI in the edit history of the comment, and still part of the object in that sense.

If we detached files as soon as they were edited out of comments, this would generally break comment edit histories for all comments which include files.

Should the user be warned that invisible files are still attached when they remove them?