Are phabricator files visible without login?

Is phabricator supposed to allow access to a resource in the Files app if you know the unique URL? Even without requiring log in at all?

Example on secure.phabricator.com:
https://p.phcdn.net/file/data/@secure/nxuyuhhlajy4kvutd24n/PHID-FILE-iiydjxr7mvvxn4q3eibn/overlay.png

The file visibility settings in the File app are a bit confusing since they allude to this being only visible to me.

Yes. See https://secure.phabricator.com/T10262.

Short answer: the common practice in showing private files is to create a secret URI and require no authentication; this is how most large websites handle it. This allows caching of files and matches some user-expectations about forwarding emails, etc.
The secret URI is updated once in a while.

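The secret-URI model this reply describes, as an added Python sketch that is not Phabricator's own code: each file is guarded by a cryptographically random 20-character secret (the same length as the segment in the URL above), serving consults no session at all, and rotating the secret is the only way to cut off anyone who already holds a link. Class and function names, the path layout and the sample file are assumptions made for illustration.

```python
import base64
import hmac
import secrets

SECRET_CHARS = 20  # the sample URL's secret segment is 20 base32 characters


def new_secret(n_chars: int = SECRET_CHARS) -> str:
    """Random lowercase base32 secret (a-z, 2-7), like the URL segment above."""
    raw = secrets.token_bytes((n_chars * 5 + 7) // 8)
    return base64.b32encode(raw).decode().lower()[:n_chars]


def secret_entropy_bits(n_chars: int = SECRET_CHARS) -> int:
    """Each base32 character carries 5 bits, so 20 characters give 100 bits."""
    return n_chars * 5


class SecretUriStore:
    """Hypothetical file store: knowing the current secret is the only check."""

    def __init__(self):
        self._content = {}    # file_id -> bytes
        self._secret = {}     # file_id -> currently valid secret
        self.access_log = []  # (file_id, outcome) pairs, useful for auditing

    def upload(self, file_id: str, content: bytes) -> str:
        """Store the file and return its first secret URI."""
        self._content[file_id] = content
        return self.rotate(file_id)

    def rotate(self, file_id: str) -> str:
        """Issue a fresh secret; every previously shared link stops working."""
        self._secret[file_id] = new_secret()
        return f"/file/data/{self._secret[file_id]}/{file_id}"

    def serve(self, path: str):
        """Return the bytes for a secret URI, or None. No login state is consulted."""
        parts = path.strip("/").split("/")
        if len(parts) != 4 or parts[:2] != ["file", "data"]:
            return None
        secret, file_id = parts[2], parts[3]
        current = self._secret.get(file_id)
        # constant-time comparison so a guesser learns nothing from timing
        if current is None or not hmac.compare_digest(current, secret):
            self.access_log.append((file_id, "denied"))
            return None
        self.access_log.append((file_id, "served"))
        return self._content[file_id]
```

Note that `serve` has no notion of a user: the visibility setting discussed in the thread never enters the decision, which is exactly why an unauthenticated incognito browser holding the link gets the file.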

Sorry to revive this old thread but I need your clarifications please:

So, to my understanding private files on Phabricator are not really private as they could be accessible for people without permissions. In fact files are just obscured behind some random URLs. Is that right?

Then, how can we make sure that private files uploaded on Phabricator can not be leaked to outside of the organization / company? Is there any setting or any other option?

I have uploaded a file as an admin user, changed visibility to “no one” and then tried to view the file from an incognito browser (not logged in) and I am able to view the file. So, users with accounts in our internal phabricator installation can not have access to the file but anybody (even without an account) can view it just by knowing the link?
What am I missing here?

So, to my understanding private files on Phabricator are not really private as they could be accessible for people without permissions. In fact files are just obscured behind some random URLs. Is that right?

Yes.

Then, how can we make sure that private files uploaded on Phabricator can not be leaked to outside of the organization / company? Is there any setting or any other option?

There is no other setting or option.

I have uploaded a file as an admin user, changed visibility to “no one” and then tried to view the file from an incognito browser (not logged in) and I am able to view the file. So, users with accounts in our internal phabricator installation can not have access to the file but anybody (even without an account) can view it just by knowing the link?

Yes.

What am I missing here?

Phabricator’s login system just obscures sessions behind some random cookies. SSH just obscures host access behind some random numbers in a text file.