Page MenuHomePhabricator
Create Task
Maniphest T4270

Temporary files do not inherit permissions from their parents
Closed, ResolvedPublic
Actions

Description

Problem: Temporary files created by Diffusion a la "View Raw File" link are exempt from any permissions imposed on their originating repository.

Expected: Viewing a file should not expose it to all users of the system until manually deleted.

Proposal: At the time of creation, temporary files should retain a reference to the permission rules set on their parent repository where applicable, so that Phabricator may beckon thee away as it would if the user were trying to browse the repository that they are unauthorized to view.

Kudos: Kudos may be sprinkled on every other facet of Phabricator from front-end to rear. This is one marvelous project.

Revisions and Commits

rP Phabricator
D7849rP591df78361a7 Bind patches, file content and raw diffs bind policies to their originating…

Related Objects

Event Timeline

bezeek created this task.Dec 27 2013, 11:16 PM
bezeek raised the priority of this task from to Needs Triage.
bezeek updated the task description. (Show Details)
bezeek added a project: Files.
bezeek added a subscriber: bezeek.
epriestley claimed this task.Dec 28 2013, 12:02 AM
epriestley triaged this task as Normal priority.

Ah, thanks. The policy system supports this already, it just needs to be hooked up.

epriestley edited this Maniphest Task.Dec 28 2013, 12:26 AM
bezeek added a comment.Dec 28 2013, 2:16 PM

The patch is working just swimmingly so far. Thanks!

epriestley edited this Maniphest Task.Dec 30 2013, 7:27 PM
epriestley closed this task as Resolved.Dec 30 2013, 7:27 PM

Closed by commit rP591df78361a7.

epriestley mentioned this in T12408: Security: "Show Raw File" in Differential generated files with overbroad permissions.Mar 16 2017, 5:35 PM
Herald added a subscriber: eadler. · View Herald TranscriptSep 15 2017, 5:25 PM
Phabricator · Built by Phacility