fediverse-devnet / feditest-tests-fediverse

The tests for the fediverse testsuite
MIT License

`Delete` should not result in the target server fetching the Actor/Object if it does not already know about it #31

Open ThisIsMissEm opened 6 months ago

ThisIsMissEm commented 6 months ago

As the action is to be deleting the data, the object shouldn't be first requested, but you do need to verify that the object is "owned" in some way (i.e., don't allow Delete(Object) where the Object.id is a different server to the Delete activity's origin).

This came up from a discussion with @dansup around how deletes work in pixelfed, where he wasn't sure if it was safe to send a Delete in certain cases due to the remote server potentially first fetching the object it's being told to delete.

jernst commented 5 months ago

I'm a little confused here. If a@a.example receives a Delete(X), presumably the software at a.example first checks whether it has a copy of X.

If it doesn't have a copy of X, nothing happens because there is nothing to delete. If it does have a copy of X, it doesn't need to fetch X because it already has it.

What am I misunderstanding?

ThisIsMissEm commented 5 months ago

Yup, but there's some fediverse software where receiving a Delete(X) actually triggers a fetch on X, which should be treated as an error (fediverse software should fetch something when receiving a Delete, if it doesn't know of that thing)
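The Delete handling requested in this issue's opening comment, sketched as an added example that is not part of the thread or of any fediverse project's code. The `Inbox` class, its `store` dict and the `fetch` callback are hypothetical names, and the sketch assumes the delivery's HTTP signature has already been verified and that `actor` is given as an IRI string.

```python
from urllib.parse import urlsplit


def origin(iri):
    """Return (scheme, host, port) of an IRI, used for the ownership check."""
    parts = urlsplit(iri)
    return (parts.scheme, parts.hostname, parts.port)


class Inbox:
    """Hypothetical inbox processor; `store` maps object id -> cached object."""

    def __init__(self, store, fetch):
        self.store = store
        self.fetch = fetch  # remote fetcher; handle_delete must never call it

    def handle_delete(self, activity):
        # Assumption: the signature was verified and `actor` is the signer.
        actor = activity["actor"]
        obj = activity["object"]
        # The object may be embedded (e.g. a Tombstone) or be a bare IRI.
        object_id = obj["id"] if isinstance(obj, dict) else obj

        # Ownership is decided from the ids alone, without dereferencing.
        if origin(object_id) != origin(actor):
            return "rejected"

        # Unknown object: nothing to delete and no reason to fetch it.
        if object_id not in self.store:
            return "ignored"

        del self.store[object_id]
        return "deleted"


def demo():
    """Run three constructed deliveries; return outcomes and fetch calls."""
    fetched = []
    inbox = Inbox({"https://b.example/notes/1": {"type": "Note"}}, fetched.append)
    bob = "https://b.example/users/bob"
    deliveries = [
        {"type": "Delete", "actor": bob, "object": "https://b.example/notes/404"},
        {"type": "Delete", "actor": "https://c.example/users/eve",
         "object": "https://b.example/notes/1"},
        {"type": "Delete", "actor": bob,
         "object": {"id": "https://b.example/notes/1", "type": "Tombstone"}},
    ]
    return [inbox.handle_delete(d) for d in deliveries], fetched
```

A test for the behaviour in this issue can wrap the fetcher the same way `demo()` does and fail if it is ever called while a Delete is processed.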