search

LemmyNet / lemmy-docs

Documentation for Lemmy
https://join-lemmy.org/docs/en/index.html
GNU Affero General Public License v3.0
75 stars 89 forks source link

Document how to delete images (pict-rs) #293

Open maltfield opened 9 months ago

maltfield commented 9 months ago

We should document how user-uploaded images can be deleted from lemmy (by instance admins)

Problem

Currently there is no way for users to be able to delete images that they've uploaded to a lemmy instance from the WUI.

Moreover, even if a user deletes there entire account from the lemmy instance, their uploaded files are not deleted.

It has been mentioned that it's possible to do this via the API, but [a] there's a bug in lemmy that prevents DELETE queries from being sent to pict-rs and [b] a user would first need to get the image's delete_token, which doesn't appear to be possible unless they were logging the server's responses to the background ajax upload POST to /pictrs/image.

As users cannot delete images that they've uploaded, admins will need to do it on user's behalf.

Unfortunately, I recently uploaded a very sensitive image to lemmy and--when I reached out to the lemmy admin--they didn't know how to delete the image. And, of course, it's not documented anywhere how they can do it.

This lack-of-documentation is a legal risk to lemmy instane admins.

Legally, instance admins must respond to "GDPR Erasure Requests" from their users. That is, if a user sends them a request to delete some content (eg a photo), then they must delete it from their website within a reasonable timeframe. This law applies to any website operating anywhere in the world (not just to websites or businesses located in the EU) that has users who are residents of the EU (so it likely affects >90% of public lemmy instances with >100 active users).

The fines for this violation are commonly millions of euros or a percent of of revenue, whichever is higher.

Solution

A new section should be added to the documentation's moderation section that clearly explains to admins how they can delete an image

The documentation should:

  1. provide the commands to query the postgres DB (to fetch the image's delete_token for a given image URL)
  2. provide the command to execute the image deletion API call
maltfield commented 9 months ago

Please assign this ticket to me; I've already started working on the documentation.

Unfortunately I burned an entire day trying to get a local test lemmy instance running (lots of work is needed on those docs -- the downloaded config files should "just work" without any modifications). After several hours I got the lemmy container to connect & configure the postgres db, but the UI only gave errors and the docker compose logs didn't output anything.

Anyway, I got far enough to write the documentation, but I do need an instance admin to help me confirm the backend commands are functional. If anyone is willing to work with me on this (I'll just pass you commands to execute on your instance and you send me the output), please let me know :)

maltfield commented 9 months ago

Remarkably, the Contributing page of the documentation enumerates a lot of repos, but it doesn't enumerate this repo. I'll try to fix that in this PR as well

dessalines commented 9 months ago

Thx for taking this on.

maltfield commented 8 months ago

For additional context of this issue, please see Nightmare on Lemmy Street (A Fediverse GDPR Horror Story)

Nightmare on Lemmy St - A GDPR Horror Story