If same file uploaded twice with different name, second name is not present in list

[samsonbek]

Since Kurjun identifies files by their md5 hash, it doesn't allow uploading same file twice, it adds new owner to existing file, as I understand. But there is case, when two users may upload same file with different name, and second user will not find his file by second name, because it is showed in list with first name.
Files should be displayed with respective name for each uploaded user.

[akarasulu]

This is a dangerous situation with security implications. Let's up this to critical level.

[soffokl]

It's well known problem.
We are using md5 hash as a ID for files. Even if we will add new filename to the artifact when it's uploaded, we can't use it for downloading.
If user request download by ID and we have several name for this artifact, which filename should we provide for downloaded file?

To solve this problem we need to change ID to some unique value and migrate hashes to the separate field. But it is significant changes that will require changes in all other products.

@akarasulu btw, why did you marked it as critical and security? There is nothing about security here.

[akarasulu]

The problem here is that we did NOT design this to be multi-tenant and consider the potential collisions. This is left over craptoxiticity (just made up the word :D ) from Kurjun shit. We can fix this I am sure. Let me respond to your comments:

It's well known problem.

We still need to fix it.

We are using md5 hash as a ID for files. Even if we will add new filename to the artifact when it's uploaded, we can't use it for downloading.

We should not be using an identifier that cannot clash across users. I would use treat each upload as unique. So all artifacts uploaded in the system, even same files, should be linked to a unique primary key: UUID of the uploaded artifact. The md5 should still be used but as a secondary key which will produce duplicates.

Even the same thing uploaded twice by other people will be treated differently this way.

If user request download by ID and we have several name for this artifact, which filename should we provide for downloaded file? To solve this problem we need to change ID to some unique value and migrate hashes to the separate field. But it is significant changes that will require changes in all other products.

BTW I agree 100% with you.

YES unfortunately. This is the cost of early mistakes in the design.

@akarasulu btw, why did you marked it as critical and security? There is nothing about security here.

Sure let me explain. When one user can interfere with another users' shit in the system this falls under a security concern for me. It has security implications.

[akarasulu]

Is there currently any documentation on Gorjun?

If not can we get some basic information up here on the wiki?

Would also be nice to have a list of all the REST API endpoints.

I want to start working on how we can specify it properly going forward.