[Bug]: Removed comments are publically visible through the api. · Issue #3652 · LemmyNet/lemmy
github.com
Requirements Is this a bug report? For questions or discussions use https://lemmy.ml/c/lemmy_support Did you check to see if this issue already exists? Is this only a single bug? Do not put multipl...

Requirements

  • [X] Is this a bug report? For questions or discussions use https://lemmy.ml/c/lemmy_support
  • [X] Did you check to see if this issue already exists?
  • [X] Is this only a single bug? Do not put multiple bugs in one issue.
  • [X] Is this a backend issue? Use the lemmy-ui repo for UI / frontend issues.

Summary

When calling api/v3/comment/list you get a list of all comments on that post. Including any removed ones. The only change removed ones have is that the “removed” field is set to true. This is a massive problem because it delegates the obscuring of removed content to the front end. You can view these despite not being being logged in. When I used a mobile app that didn’t take into account this removed flag, I was met with some disgusting NSFL imagery I’d rather not have seen.

I strongly recommend obscuring the content of removed comments from the API if the user is not logged in or if the user is not a mod of the community/ not an instance owner. I understand the need to keep this information in the case of reversing moderation decisions and the modlog, but there is zero reason for non-mods and non-admins to have access to it in the normal endpoints. Furthermore, the baton should not be passed to front end developers either. The source of truth should be the backend, and the backend should enforce it.

Finally this should happen with other places where comments are listed and posts are viewed. Comments deleted by the user should not be visible to anyone in the API besides the user and maybe mods/admins. I’m not sure what other endpoints it’ll apply to, but in my opinion this is paramount.

Steps to Reproduce

  1. Create a post in a community you moderate
  2. Create a comment on that post
  3. Remove that comment
  4. Open up dev tools
  5. Go to that post again
  6. Look at the http response.

The JSON response has all identifying info removed, and the “removed” flag circled.

image

Technical Details

n/a

Version

0.18.2

Lemmy Instance URL

No response

  • issue_tracking_bot@lemm.eeOPB
    1·
    1 year ago

    Hm, while this would be a breaking change, I think it should be possible to tell the API to have it with removed: true. The reasoning is that for deleted comments especially, this is likely going to be the first way for someone to know things were deleted and check if they want to know why in the modlog.

    That said, I do think the default should be to not include it in the API responses. This way, clients which don’t handle this don’t expose people to all the awfulness and clients which do handle it also don’t in a more transparent way.

    Originally posted by lionirdeadman in #3652