From 10ebcbcf450f3fa4457b335d91abba8c8f12237d Mon Sep 17 00:00:00 2001
From: Peter Argany <petetheheat@fb.com>
Date: Mon, 16 Jul 2018 13:13:03 -0700
Subject: [PATCH] Added ImageEditor comment to clarify image access policy.

Summary:
ImageEditor.cropImage creates a temporary file when downloading images https://fburl.com/07r68w9s

This temporary file can be stored on external storage on android. External storage is accessible to any other application on the device, which could possibly leak images.

Using external storage may be unavoidable. I've voiced my opinion and solicited others on T31548988. Once a good policy is agreed upon, we can implement it.

For now, I'm adding this comment to make it explicit how images are cached.

Reviewed By: achen1

Differential Revision: D8837808

fbshipit-source-id: 02341bc94a1c95340390a713b76fe85603fd8f1b
---
 Libraries/Image/ImageEditor.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Libraries/Image/ImageEditor.js b/Libraries/Image/ImageEditor.js
index 66504b5012..65edcccf12 100644
--- a/Libraries/Image/ImageEditor.js
+++ b/Libraries/Image/ImageEditor.js
@@ -50,7 +50,9 @@ class ImageEditor {
   /**
    * Crop the image specified by the URI param. If URI points to a remote
    * image, it will be downloaded automatically. If the image cannot be
-   * loaded/downloaded, the failure callback will be called.
+   * loaded/downloaded, the failure callback will be called. On Android, a
+   * downloaded image may be cached in external storage, a publicly accessible
+   * location, if it has more available space than internal storage.
    *
    * If the cropping process is successful, the resultant cropped image
    * will be stored in the ImageStore, and the URI returned in the success