Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Posts still federate after setting blog to "Private" or "Password-protected" #403

Open
dariusk opened this issue Oct 13, 2020 · 1 comment
Open
Milestone

Comments

@dariusk
Copy link
Contributor

@dariusk dariusk commented Oct 13, 2020

Observed behavior

I am running an instance with federation enabled for posts. If someone has a blog that is Unlisted, and someone subscribes to that blog via ActivityPub, and then they set the blog to Private, posts that are made from then on will still be federated to other people.

This is also true for "Password-Protected". The full text of the article federates out to any subscribers.

Expected behavior

I would expect that federation would halt while Private, similar to how the RSS feed returns a 404 after you switch to Private.

Application configuration

  • Multi-user mode
  • sqlite
  • Open registration
  • Federation enabled
  • Disabled http auth
  • Multiple blogs per user

Version or last commit: latest develop as of 3493921

@dariusk dariusk changed the title Posts still federate after setting blog to "Private" Posts still federate after setting blog to "Private" or "Password-protected" Oct 13, 2020
@thebaer thebaer added this to the 0.13 milestone Oct 14, 2020
@thebaer
Copy link
Member

@thebaer thebaer commented Oct 14, 2020

Thanks for catching this! Definitely a bug we need to fix.

There's a short-term and a long-term fix here. In the short-term, we can simply prevent federation in the federatePost() func. We'd simply return early in the func if the post shouldn't federate (in these cases):

  • Config: app.cfg.App.Private
  • Blog visibility: p.Collection.Visibility == CollPrivate || p.Collection.Visibility == CollProtected

The long-term / permanent fix would be: switching a blog to Private or Password-protected should probably delete the Actor and all Articles from the fediverse. This is something we need for account deletion too (open PRs: #203 and #204), so it'd be great to address those core tasks (T720 and T721) -- and we'd really appreciate help here from anyone in the community!

For now, if anyone would like to address the short-term fix here, please feel free to claim this issue and submit a PR. Otherwise I'll work on a fix sometime before the v0.13 release.

@thebaer thebaer added the help wanted label Oct 14, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.