
File remains 'attached' to a ticket even once removed from any current comment
Closed, Wontfix | Public

Description

I uploaded a file to a security ticket; the file's permissions were "author or subscribers of attached objects" (a screenshot of some sensitive information exhibiting a security bug).

I then wanted to 'declassify' the security ticket and make it available to all, but as the file contained sensitive information I edited my comment to remove it. I expected that no one other than myself should've been able to see it after I edited the comment. In practice, the file was still visible in the history (even though not visible on first look), and I had to delete the image from the system to avoid a leak.

Event Timeline

epriestley claimed this task.
epriestley added a subscriber: epriestley.

This is intentional. The file is visible in the UI in the edit history of the comment, and still part of the object in that sense.

If we detached files as soon as they were edited out of comments, this would generally break comment edit histories for all comments which include files.

Should the user be warned that invisible files are still attached when they remove them?
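A check a reviewer could run before opening up a ticket, given as an added example that is not part of the original thread and not Phabricator's own code: it lists files that appear only in a comment's edit history and in no current comment text. It assumes files are embedded with the remarkup `{F123}` syntax and that the edit history has been exported as a list of text versions per comment (a hypothetical structure); the sample data is constructed.

```python
import re

# Remarkup embeds an uploaded file as {F123}, optionally with options: {F123, size=full}.
FILE_REF = re.compile(r"\{F(\d+)(?:\s*,[^}]*)?\}")


def file_refs(text):
    """Return the set of file IDs (e.g. 'F123') embedded in one remarkup text."""
    return {"F" + num for num in FILE_REF.findall(text)}


def lingering_files(comments):
    """Report files that survive only in edit history.

    comments: dict of comment id -> list of text versions, oldest first,
              the last entry being the currently displayed text (assumed export format).
    Returns: dict of file id -> sorted list of (comment id, index of the last
             historical version that still embedded the file).
    """
    # Files still embedded in any current comment are visibly attached; skip them.
    current = set()
    for versions in comments.values():
        if versions:
            current |= file_refs(versions[-1])

    report = {}
    for comment_id, versions in comments.items():
        last_seen = {}
        for idx, text in enumerate(versions[:-1]):  # historical versions only
            for file_id in file_refs(text):
                last_seen[file_id] = idx
        for file_id, idx in last_seen.items():
            if file_id not in current:
                report.setdefault(file_id, []).append((comment_id, idx))
    return {fid: sorted(hits) for fid, hits in report.items()}


# Constructed sample: F101 was edited out of two comments, F102 is still embedded.
SAMPLE = {
    "comment-1": ["Repro screenshot: {F101, size=full}", "Repro screenshot removed."],
    "comment-2": ["See {F102} and {F101}", "See {F102}"],
    "comment-3": ["No attachments here."],
}

if __name__ == "__main__":
    for file_id, hits in lingering_files(SAMPLE).items():
        print(f"{file_id} is no longer shown but remains in edit history: {hits}")
```

Any file this reports is still reachable through the comment's edit history, so it needs its own review (or deletion, as the reporter did) before the ticket's visibility is widened.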