Page MenuHomePhabricator

Default view policy isn't being followed for administrator drag-and-drop file uploads
Closed, InvalidPublic


In the files application policies section the Default View Policy on my version of phabricator is set to All Users as it is here, but whenever I upload a file using the very convenient drag and drop feature it's always set to only viewable by myself.

My account is an administrator's account, I saw this happen for another admin, and it didn't happen for a regular user. Our phabricator version should be very up to date.

I can't find any helpful settings in my own account, nor in the config for the files application.

Thanks for your time!

Event Timeline

e-m-albright raised the priority of this task from to Needs Triage.
e-m-albright updated the task description. (Show Details)
e-m-albright added a subscriber: e-m-albright.

Admins aren't privledged users in Phabricator, they must adhere to the same policies you've set for any normal user.

Where are you drag and dropping an image onto, specifically?

Hey Chad, thanks for the response.

I'm dragging the images + files onto the text editing boxes, exactly like this comment section here.

Just to clarify the first comment of yours, that's exactly the issue. I was hoping setting the policy would let me not have to manually set files to visible for all users, but it doesn't affect admin accounts I see.

Could this possibly be related to the intended punch through nature of edge policy relationships between files and tasks. I believe when a file is dropped on an issue as the upload mechanism it is a non-default case, and the intended relationship is that policy is more or less inherited from the task. As an example, I upload file.jpg to a task about sensitive things. It will be set as viewable by me, but the file association tab in files app shows the task association and anyone who can view the task can view the file. It is slightly implicit but quite sane for managing policy relationships between applications. In contrast, if I go to the files app and upload a file directly it inherets the default policy of that application only. This is my understanding of the process :). So if you drag a file onto an issue and the issue is set to all users it is essentially available to all users by association.

As @chasemp discusses, this is intended behavior:

  • Uploading a file by dropping it onto the home page, or via FilesUpload File will respect the default policy (drag-and-drop) or default to the default policy (file upload).
  • Uploading a file by dropping it into an object's comment box (like a task) will make it visible to users who can see the object and to the uploader, but not to users who can not see the object.
  • Other file uploads (like profile pictures, Pholio, macros) have special rules which generally make sense in context (for example: all users can see profile pictures).

In particular, if you go to the file page (/Fxxxx) and click "Attached", you can see all the objects a file is attached to. Any user who can see at least one of these objects can see the file. If you click the policy descriptor in the header (under the file name), you'll get an explanation, which includes this:

Files attached to objects are visible to users who can view those objects.

Are you seeing behavior other than what is described above?

Generally, what actual problem are you encountering? That is, what are you trying to do that isn't working?

e-m-albright claimed this task.

Ah, I'll have to double check on Monday when I can look again. My understanding from what you guys have said is even though the file I dropped onto the task's comment box says it's only visible to me, other users with access to that task can see it regardless?

The first encounter was in writing a Wiki page, I put in some image files and when I went to show another user the same Wiki page they were only seeing the text {Fxxx} rather than the image that loaded properly for me alone. Another user did something similar who wasn't an admin, and everyone was able to see their images.

Again, thanks for the help, I'll double check on monday and if I'm not mistaken, bring back more information on the issue.

Wiki pages had been broken for a while. So if you haven't updated in the past month or maybe two there might have been a old issue you were seeing.