This is deeply weird behaviour!
-
The Fedilore Otter 🦦 replied to The Fedilore Otter 🦦
Can anybody explain to me the absolute security disaster where I was able to boost and like that post, just using the native Mastodon API?
Does being suspended by an instance not operate like a block, where you can't see or interact with things?
That seems like a fairly serious issue if people don't understand how that works.
-
@fedilore
>absolute security disaster
It's called "ActivityPub". Blocks are pretty much voluntary here; a server gets a "Block" message and prevents you from interacting with remote content. IDK why it isn't working on Mastosoc, probably a bug. But there's nothing stopping anyone from setting up a server and converting blocks into public posts, for example, and several of these exist in the wild.
-
@mold Yeah. I get the instance-level vulnerability, but I'm using the flagship instance with an unmodified app.
If somebody blocks me, that works as expected. WelshPixie hasn't blocked me, but lots of people have.
It's just that user suspends don't seem to work like I thought. Or I am not suspended?
-
@fedilore @mold Probably if you’re going to federate blocks at all (and there are good reasons not to, cf. the many shitty instances running BlockBot MRFs which publicly announce any blocks to the whole world for More Dogpiling) you should fire off a
local_user Block(remote_user)
activity whenever a suspended remote user interacts with a post. But Mastodon doesn’t do that
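
The behaviour suggested in the last post, as an added example that is not part of the thread and is not Mastodon's code: an inbox handler that drops a like, boost or reply from a suspended remote actor and answers with an ActivityStreams `Block` from the local author. The URLs, the `SUSPENDED` and `LOCAL_POSTS` tables, the id scheme and the function names are all hypothetical.

```python
import hashlib

AS_CONTEXT = "https://www.w3.org/ns/activitystreams"
INTERACTIONS = {"Like", "Announce", "Create"}  # favourite, boost, reply

# Constructed sample state (hypothetical URLs): remote actors suspended by
# this server, and a map of local post -> local author.
SUSPENDED = {"https://remote.example/users/otter"}
LOCAL_POSTS = {
    "https://local.example/users/pixie/statuses/1":
        "https://local.example/users/pixie",
}


def target_of(activity):
    """Return the URL of the post an inbound activity interacts with."""
    obj = activity.get("object")
    is_reply = activity.get("type") == "Create"
    if isinstance(obj, dict):
        return obj.get("inReplyTo") if is_reply else obj.get("id")
    # A bare URL names the liked/boosted post; a bare Create has no target.
    return obj if isinstance(obj, str) and not is_reply else None


def handle_inbox(activity):
    """Return (accepted, outbound_activity) for one inbound activity."""
    actor = activity.get("actor")
    if isinstance(actor, dict):           # embedded actor object
        actor = actor.get("id")
    if actor not in SUSPENDED:
        return True, None                 # normal processing continues
    author = None
    if activity.get("type") in INTERACTIONS:
        author = LOCAL_POSTS.get(target_of(activity))
    if author is None:
        return False, None                # suspended, no local post: drop
    tag = hashlib.sha256(actor.encode()).hexdigest()[:12]
    block = {
        "@context": AS_CONTEXT,
        "id": f"{author}#blocks/{tag}",   # hypothetical id scheme
        "type": "Block",
        "actor": author,                  # local_user
        "object": actor,                  # remote_user
        "to": [actor],                    # addressed only to the blocked actor
    }
    return False, block
```

As the first reply in the thread points out, honouring that `Block` is up to the receiving server.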