Restricting q=source based on scopes #31

Open
jamietanna opened this issue Jul 15, 2020 · 6 comments

Comments

@jamietanna

Within my own Micropub server, I have implemented a restriction on q=source to only allow clients with undelete access to view/list deleted posts.

I wonder how others feel about having this restriction in their own implementations, or if anyone does similar?

@jalcine

jalcine commented Jul 16, 2020

I do this for Koype but I haven’t had a client to try this out on.

(Originally published at: https://v2.jacky.wtf/post/b4a35724-778b-4def-9b60-88b9fafd0fa7)

@jamietanna
Author

Micropublish should work, I think? Maybe trying to edit a deleted post?

(Originally published at: https://www.jvt.me/mf2/2020/07/hppmx/)

@barryf

barryf commented Jul 16, 2020

When you log in to Micropublish there are two scope presets for authorisation: post or create update delete undelete. If you choose the first option (intended for backwards compatibility of servers) then you'll only see the create actions. The second option will unlock the editing/delete/undelete controls.

So as things stand I'm not sure Micropublish would help testing this scenario. It wouldn't be too hard to make this a bit more granular, at least for testing.

@jamietanna
Author

Sorry, I should've added a bit more context on how I would use Micropublish to verify this.

Using the deleted post https://www.jvt.me/mf2/2020/04/dd338/, which returns 400 when performing q=source:

  • Log into Micropublish with the undelete scope present
  • Edit the deleted post
  • See the post's metadata present

(Originally published at: https://www.jvt.me/mf2/2020/07/s65rh/)

@vikanezrimaya

vikanezrimaya commented Jul 16, 2020

TIL there's an undelete scope, I think my server used delete for undeletion too.

I might want to build something like this, even though my frontend that uses ?q=source actively checks for dt-deleted on posts and shows a tombstone if a post is deleted. We don't have any rogue clients that could read these posts and leak them somewhere though, do we?...

@barryf

barryf commented Jul 24, 2020

I like this restricted approach based on scope. I'm currently building a new headless Micropub server for my website with a separate front-end as a client. The website uses the read scope to fetch all content via ?q=source requests.

My new server will restrict results based on the scope and visibility / post-status properties:

  • Requesting a list (e.g. ?q=source&post-status=article) will only return public and published articles.
  • Requesting a specific post (e.g. ?q=source&url=...) returns any public/unlisted and published/draft posts.

Neither will return a private post on my new website. However, when using a client like Quill/Micropublish with the update, delete or undelete scopes I always return all posts.

I'm working on some matching improvements to Micropublish to add post-status and visibility to help test this. https://mpubl-br-v3.herokuapp.com
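The two policies discussed in this thread, jamietanna's "deleted posts only for clients holding undelete" and barryf's scope/visibility/post-status filter for read-only clients, combined into one q=source authorisation check. This is an added illustration, not code from either server; the `Post` fields, the `read` scope handling and the sample posts are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Scopes that unlock editing controls in clients such as Quill/Micropublish;
# a client holding any of these gets every non-deleted post back.
EDIT_SCOPES = {"update", "delete", "undelete"}


@dataclass(frozen=True)
class Post:
    url: str
    visibility: str    # "public", "unlisted" or "private"
    post_status: str   # "published" or "draft"
    deleted: bool = False


def post_visible(post: Post, scopes, by_url: bool) -> bool:
    """Decide whether `post` may appear in a q=source response.

    scopes: the scopes granted to the calling client's token.
    by_url: True for ?q=source&url=..., False for a list request.
    """
    scopes = set(scopes)
    # Deleted posts are disclosed only to clients that could undelete them.
    if post.deleted:
        return "undelete" in scopes
    # Editing clients see all remaining posts regardless of visibility/status.
    if scopes & EDIT_SCOPES:
        return True
    # Read-only clients (e.g. a front-end using the read scope): private never leaks.
    if post.visibility == "private":
        return False
    if by_url:
        # A specific post may be public/unlisted and published/draft.
        return post.post_status in {"published", "draft"}
    # A list only returns public and published posts.
    return post.visibility == "public" and post.post_status == "published"


def source_query(posts, scopes, url=None):
    """Answer a q=source request. Returns the visible posts for a list, or
    None when a requested URL must not be disclosed (the server would then
    answer with an error status rather than the post's metadata)."""
    if url is not None:
        hits = [p for p in posts if p.url == url and post_visible(p, scopes, by_url=True)]
        return hits or None
    return [p for p in posts if post_visible(p, scopes, by_url=False)]


# Constructed sample posts used to exercise the policy.
POSTS = [
    Post("https://example.com/a", "public", "published"),
    Post("https://example.com/b", "unlisted", "draft"),
    Post("https://example.com/c", "private", "published"),
    Post("https://example.com/d", "public", "published", deleted=True),
]
```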
