HUBy.infozoo.de

Mon, 09 May 2022 21:13:28 +0200

Hans wrote the following post Mon, 09 May 2022 21:05:22 +0200

I noticed something weird. I have users in groups. I posted to a group called Diaspora and attached a picture to it. The photo is uploaded with rights for that group (nice) but the users are not able to see it. Did anyone else notice?

show all 20 comments

Mario Vavti

Mon, 09 May 2022 21:21:05 +0200

Diaspora does not support OpenWebAuth and hence we can not authenticate them and check if they are allowed to see the photo.

Chris

Tue, 10 May 2022 08:44:36 +0200

@Hans set the access rights for the photo to public and the Diaspora group will see it also

Hans

Tue, 10 May 2022 08:56:33 +0200

@Mario Vavti Ah, good to know, but maybe we can generate a warning or document this somewhere? I already said it to public since most of my pictures are but I wasn't aware of them not authenticated. Is this also a problem with other content like as an example a pdf file? Suppose it is...

@Chris Yes, that was my thought too once they started to complain.

Chris

Tue, 10 May 2022 09:08:22 +0200

@Hans OpenWebAuth ist just working with ZOT Sites so any not public shared content to other Servers does not work.

Witcraft 🇺🇦

Tue, 10 May 2022 10:08:01 +0200

@Chris Just to make sure: it does not work as an attachment to a post (also not in AP?) but it does when accessing content on the specific site? So I can have set ACL (e.g. Blog commenting / Wiki access) for local content e.g for AP connections? Or is this purely a Diaspora issue?

Hans

Tue, 10 May 2022 10:12:23 +0200

@Witcraft 🇺🇦 From what I read I now understand it only works between Zot sites due to OpenWebAuth

Chris

Tue, 10 May 2022 10:43:14 +0200 last edited: Tue, 10 May 2022 10:57:37 +0200

@Witcraft 🇺🇦

but it does when accessing content on the specific site

How could that work without OpenWebAuth or something like a login?

@Hans you are all right now

Witcraft 🇺🇦

Tue, 10 May 2022 10:47:06 +0200

Oh - I was not aware of that... If AP contacts cannot access stuff when visiting my site anyway, the respective ACL settings and channel limits ("anybody authenticated") do not seem to make much sense...

Witcraft 🇺🇦

Tue, 10 May 2022 11:03:22 +0200

@Chris

How could that work without OpenWebAuth or something linke an login?

@Hans you are all right now

Yeah, I guess, me too... I thought there is some Fediverse magic happening in the background...

So, I understand Access control (and limits) is either "Fediverse = Internet" or "as specified by ACL for everybody individually - as long as "everybody individually" is on ZOT...

That somewhat dims my enthusiasm (about the Fediverse - not about Zot...). No offense meant, but: The more I learn, the less I understand why you would want to use any Fedi-ware other than Zot-ware... My respect for Mike's life's work grows day by day (And it started out high, in the first place)...

Aksel Kies Linc @Hz

Tue, 10 May 2022 11:20:26 +0200

Does AP have multiple levels of Access Control or just "All"/Fediverse?

Mario Vavti

Tue, 10 May 2022 11:32:13 +0200

AFAIK none of the other fedi projects implement accesscontrol for files so far. If you know the URL you can access it without being authenticated.

This is an image shared privately with Mastodon: https://files.mastodon.social/media_attachments/files/108/276/925/307/177/263/original/9bb0feff3a7bdfb0.png

The same image shared privately with Hubzilla: https://zotsite.net/photo/1b7d46ac-c9b1-4f59-9978-bcf35c9a64d1-0.png

Chris

Tue, 10 May 2022 11:53:47 +0200

Peertube and Funkwhal have also no working access control for media files so @Mario Vavti is it a question of implementation? Does AP provide any tools for access control in the first place ?

Hans

Tue, 10 May 2022 12:06:01 +0200

@Mario Vavti

To be honest, it can be done but it makes it very hard for shared hosting and it needs a giant shift to how it is done now. The Store directory should in that case be above the document root and the files should be parsed from there with readfile. This is however tricky. In the past I found it was possible to simply attach php code and upload a file, once it is parsed the php code will be executed. I showed this to Rasmus Lerdorf a long time ago and he confirmed it. At that point he did not see any solution for it.

Hans

Tue, 10 May 2022 12:09:06 +0200

Ow, and someone played such a trick on a Moodle server a customer used. We had monitoring so it was noticed.

mike

Tue, 10 May 2022 12:31:37 +0200

Zap has OCAP support so private photos are visible over ActivityPub. and private groups. You're welcome to steal the code. It's not much different than creating a guest access token - and you could also just do that.

Hans

Tue, 10 May 2022 12:44:48 +0200

@mike Isn't Zap at the EOL this year? Seen a posting about it by you if I remember correctly

RockyIII

Tue, 10 May 2022 13:58:36 +0200 last edited: Tue, 10 May 2022 14:08:02 +0200

Zap has OCAP support so private photos are visible over ActivityPub. and private groups. You're welcome to steal the code. It's not much different than creating a guest access token - and you could also just do that.

@mike just gave this a try on my zap test account on https://zap.dog

So i uploaded an image and set the access control rights to "only me"
Than i shared this image in a post to the privat group called "friends" ,with also AP contacts included.
The AP contacts can see the image and get an URL of this image which can be opened in any Browser independently of the AP contact - so it is like an public image now. Actually it is a URL of a copy of the image on the AP Server.

If i look at the access control setting of the image in my zap account i see that they changed. Now it shows access right also for the group "friends":

Is this behavior intended ?

RockyIII

Tue, 10 May 2022 18:23:57 +0200 last edited: Tue, 10 May 2022 18:24:40 +0200

and get an URL of this image which can be opened in any Browser independently of the AP contact - so it is like an public image now. Actually it is a URL of a copy of the image on the AP Server.

this is not all true - the "mouse over" over the image shows the URL of the ZAP server with a token!! - if I click the image and say open in a new tab i get the URL with the copy of the image on the AP server.

RockyIII

Wed, 11 May 2022 08:16:42 +0200

did some more testing:

the copy of the file on the AP server is removed when the Post/image is removes by zap - so this woks fine - the image is NOT public!

Sharing files in Zap seams to be done always with a token. This ensures that if a file is selected in a post for sharing it will always reach the recipient even so the access control might be not set "right" for this recipient or group.

So the access control setting of a file does manage the right if a contact looks by OpenWebAuth at the filefolders - is does not manage the right to see the file when it is shared in a post.

Whoo... @mike this is an other magic improvement - fantastic ... hope HZ can adopt this too soon

RockyIII

Wed, 11 May 2022 10:46:33 +0200

but as I see token are now also used for direct messages from and to ZOT/Nomad servers not just groups.

So the access control setting of a file does manage the right if a contact looks by OpenWebAuth at the filefolders - is does not manage the right to see the file when it is shared in a post.

if this is the way it is intended to work - why do set access rights change ? It would be even better they stay always as set.