Closed maltfield closed 8 months ago
The request should look like GET https://lemmy.ml/pictrs/image/delete/3d47ffc0-8dc2-440d-aa28-0ac9047c035d/e9e9e35c-6a49-4016-bb6b-ae299ce0d784.png. Not sure why it's get...
https://github.com/LemmyNet/lemmy/blob/main/crates/routes/src/images.rs#L43
Thanks, I tried GET this but now I get a 401 error
user@disp3837:~$ curl -i "https://lemmy.ml/pictrs/image/delete/677b9c8e-56ac-4242-b14c-e3c64d145277/74e1afa2-27c8-4fad-ace0-884cac79d1b4.png"
HTTP/2 401
server: nginx
date: Fri, 09 Feb 2024 15:34:03 GMT
content-type: application/json
content-length: 27
access-control-expose-headers: content-type
vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
cache-control: public, max-age=60
{"error":"incorrect_login"}user@disp3837:~$
Perhaps the reason for this bug is that your lemmy installs are blocking DELETE requests? The server's response includes a header allow: GET that makes me think this.
user@disp9140:~/lemmy$ curl -iX DELETE "https://lemmy.ml/pictrs/image/delete/6ac4d09b-e812-460e-8088-4a7c8410d7c8/5dc960cb-fb6b-4f2f-a756-8c651ded184b.png"
...
allow: GET
user@disp9140:~/lemmy$
Is nginx or some other component configured to restrict request types?
@Nutomic is there any way for a non-admin lemmy user to get the delete_token for a given image out of pict-rs after they've uploaded it? Or is it only possible if they monitored the initial upload POST to /pictrs/image?
You can upload an image on lemmy-ui, then delete it and monitor via browser developer tools the exact request it makes. As this works without any issues I don't think there is any bug here. Though it might be worth changing the method to DELETE as part of https://github.com/LemmyNet/lemmy/issues/4428.
The delete token is only returned when you upload the image.
I don't think it's reasonable to say that users can currently delete their images, if they can't fetch the delete token. But I'll consider this new ticket to be a replacement that addresses this bug.
Just a note that it'll probably be a while till I can work on that, so if someone else could handle it, that'd be appreciated.
For additional context of this issue, please see Nightmare on Lemmy Street (A Fediverse GDPR Horror Story)
Requirements
Summary
Bug: Given a pictrs alias (filename) and a delete_token, users cannot delete images that they've uploaded to lemmy.
Problem
Currently there is no way for users to be able to delete images that they've uploaded to a lemmy instance from the WUI.
Moreover, even if a user deletes their entire account from the lemmy instance, their uploaded files are not deleted.
It has been mentioned that it's possible to do this via the API, but--due to this bug--that's actually not true.
Example
For example, let's consider the following image that I've uploaded to lemmy.ml (following the Steps to Reproduce below)
When my browser uploaded the file, I got the following JSON response
I attempt to delete it at the /image/delete endpoint per the pict-rs reference documentation, but I get a 404 error
Just in case lemmy puts this at a subdir endpoint for proxying between multiple services (since this isn't documented anywhere), I also tried the pictrs/image/delete endpoint, but I get a 405 error
Steps to Reproduce
Create Post at the top (to visit /create_post)
F12 on linux)
Network tab of the debug console
Browse button on the webpage next to the Image label
Open to upload it to the lemmy server's pictrs service
POST request sent to pictrs/image
Response tab
Raw toggle
file and delete_token values from the JSON
image/delete/<delete_token>/<file> endpoint, get 404 error from server
pictrs/image/delete/<delete_token>/<file> endpoint, get 405 error from server
Technical Details
tested on lemmy.ml running v0.19.3
Version
0.19.3
Lemmy Instance URL
lemmy.ml
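Added example, not part of the original issue and not Lemmy or pict-rs code: because the delete token is only returned in the upload response, a client has to capture and store it at upload time. The Python below parses that response, stores the token in an owner-only file, and builds (without sending) the GET delete request described in the thread. The response shape, the Bearer header and all function names are assumptions.

```python
import json
import os
from urllib.parse import quote
from urllib.request import Request

# Constructed sample of the JSON body returned by the upload POST to
# pictrs/image. The shape (msg + files[] with file/delete_token) is an
# assumption; the values reuse the identifiers from the URL quoted in the thread.
SAMPLE_UPLOAD_BODY = json.dumps({
    "msg": "ok",
    "files": [{
        "file": "e9e9e35c-6a49-4016-bb6b-ae299ce0d784.png",
        "delete_token": "3d47ffc0-8dc2-440d-aa28-0ac9047c035d",
    }],
})


def extract_records(upload_body):
    """Return [{'file': ..., 'delete_token': ...}] from an upload response."""
    data = json.loads(upload_body)
    records = []
    for entry in data.get("files", []):
        file_, token = entry.get("file"), entry.get("delete_token")
        if not file_ or not token:
            raise ValueError("upload entry lacks file or delete_token")
        records.append({"file": file_, "delete_token": token})
    return records


def save_records(path, records):
    """Append records as JSON lines; mode 0600 since the token authorises deletion."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    with os.fdopen(fd, "a") as fh:
        for rec in records:
            fh.write(json.dumps(rec) + "\n")


def build_delete_request(instance, record, jwt):
    """Build (not send) GET /pictrs/image/delete/<delete_token>/<file>."""
    url = "https://{}/pictrs/image/delete/{}/{}".format(
        instance,
        quote(record["delete_token"], safe=""),
        quote(record["file"], safe=""),
    )
    # Assumption: the login JWT is accepted as a Bearer token. The thread
    # only shows that an unauthenticated request is answered with 401.
    return Request(url, method="GET", headers={"Authorization": "Bearer " + jwt})
```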