pinned posts are fetched by instance.actor with no local-user attached #407

Closed
opened 2024-10-16 22:52:20 +00:00 by limepotato · 1 comment

Originally thought this was an iceshrimp.net issue (seen [here](https://issues.iceshrimp.dev/issue/ISH-469/Pinned-posts-dont-federate-with-key/)).

as described in that issue, if a remote user has a pinned post that is followers only, all pins from that user will be dropped.

I no longer have an example of this, so it would have to be recreated

this has since been fixed by iceshrimp

https://iceshrimp.dev/iceshrimp/iceshrimp/pulls/573
https://iceshrimp.dev/iceshrimp/iceshrimp/commit/34823aa7b88913c2018cf2fde11718f326a8b87d

to quote mia of void rehab: "the resolver used for resolving pinned posts has no local user attached to it, so it requests the followers only post using the instance actor, which isn't following the account"

Owner

When a user is fetched for the first time, it is impossible for someone to be following them, so I think a pinned follower only Note could never be loaded then.

There are also several different ways in which refreshing an actor could happen and Foundkey does not keep track of who or what caused the request, thus the instance actor will always be used. While the follower-only visibility is pretty common, this is not a general solution, since remote instances could arbitrarily set permissions on notes. What if someone pins a direct message? Philosophically this does not make sense to me.

What I think should be fixed is that when one post cannot be resolved, the other pinned posts should be kept, if possible. There seems to have been a provision for this by filtering out `null` later in the code in the last `for` loop in `updatePerson`, however the function used for requesting the posts probably throws an exception instead.

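The partial-failure handling proposed in the comment above, as an added TypeScript example that is not FoundKey or Iceshrimp code. Every name, URL and sample note is constructed, and modelling the reported bug as a rejected `Promise.all` is an assumption, since the thread only says the request function "probably throws".

```typescript
// Added illustration; all identifiers and data here are hypothetical.
type Note = { uri: string; visibility: "public" | "followers" };
type Resolver = (uri: string) => Promise<Note>;

// Constructed sample data: three pinned notes on a remote server,
// one of them restricted to followers.
const BASE = "https://remote.example/notes";
const REMOTE: Record<string, Note> = {
  [`${BASE}/1`]: { uri: `${BASE}/1`, visibility: "public" },
  [`${BASE}/2`]: { uri: `${BASE}/2`, visibility: "followers" },
  [`${BASE}/3`]: { uri: `${BASE}/3`, visibility: "public" },
};

// Stand-in for a signed fetch made as the instance actor. The remote server
// refuses the followers-only note because the instance actor follows nobody.
async function resolveAsInstanceActor(uri: string): Promise<Note> {
  const note = REMOTE[uri];
  if (note === undefined) throw new Error(`404 for ${uri}`);
  if (note.visibility !== "public") throw new Error(`403 for ${uri}`);
  return note;
}

// Assumed shape of the bug: a single rejection fails the whole pin update.
function resolvePinsAllOrNothing(uris: string[], resolve: Resolver): Promise<Note[]> {
  return Promise.all(uris.map((uri) => resolve(uri)));
}

// Proposed behaviour: keep every pin that resolves, record the ones that do not.
async function resolvePinsTolerant(
  uris: string[], resolve: Resolver,
): Promise<{ kept: Note[]; skipped: string[] }> {
  const kept: Note[] = [];
  const skipped: string[] = [];
  for (const uri of uris) {
    try {
      kept.push(await resolve(uri));
    } catch {
      // The refusal is the remote server's access control working as
      // intended; skip this pin without retrying under another identity.
      skipped.push(uri);
    }
  }
  return { kept, skipped };
}
```
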
Reference: FoundKeyGang/FoundKey#407