Users and ActivityPub
Hello Alex,
I have read the Friends description and also this GitHub post https://github.com/Automattic/wordpress-activitypub/pull/172. But I need a little help understanding. I like the concept of the Friends plugin, but don’t want any other users in my WordPress installation, which seems to be the original way this worked. But then reading that post on GitHub I am wondering if adding the ActivityPub parser will in some way let me follow someone on Mastodon without having to add them as a user through the Friends plugin? Is it possible to follow without the users being added, no matter the situation? But especially a Mastodon user?
Thank you!
Michelle
Hi Michelle,
This is a thing that people frequently seem to dislike about the plugin. Could you enlighten me about your reasons?
For context, when you follow a user or become friends with another WordPress, that friend or follower is represented as a WordPress user that the Friends plugin creates. When they post something elsewhere, their post is cached in a custom post type and that user is set as the post_author. Thus, the posts are segmented per user. The users have very low privileges (read) and a throw-away long password.
but don’t want any other users in my WordPress installation
I am curious why this is? Is it of cosmetic nature or security reasons?
On your WordPress users list you can filter users with a certain role so that you don’t see the friend users in the list.
Each user has a throw-away long password, so it’s impossible to log in with them. Thus not a security risk.
The positive sides are that the cached custom posts are assigned to the right sources. If we didn’t use WordPress users or virtual users, all posts would be assigned to the same user, thus showing just the posts for a certain user would be more expensive.
For the friendship aspect, if you, through a friendship request+confirmation, establish a trusted connection to another WordPress, you can login to your friend’s blog through that connection (similar to IndieAuth). But only in that case.
I am considering changing the creating of users because I hear this a lot. But I also have to say: it is just a user. A line in the users table.
Curious about your reasons, thank you.
Hello @akirk, I thought about this question and wrote out my answer in a blog post and have pasted below. Thank you for the dialog and consideration!
Hello Alex,
Thank you for your reply to my question regarding the Friends plugin.
First just let me say that you have created an awesome plugin. I am sure that my lack of knowledge regarding historical site to site communications clouds my judgement on having a user created. In response to your reply and question back to me of: “this is a thing that people frequently seem to dislike about the plugin. Could you enlighten me about your reasons?”
My site, which is a combination of a personal blog and eventually a commercial blog, hopefully one day to sell my photography, has only ever had one user: me. At the most two: a test user and me.
Concerns
I think to sum it up, I want to follow you but don’t want to be your partner for life. Adding a user is like a partner for life.
Website to Website Communication: I use the Webmention plugin to communicate with other websites. I use this to comment on or reply to other websites.
Attribution: When I want to share a post from another person’s website, I will type the author’s name and URL into the post and attribute it properly. So I don’t need features like that.
Quantity/Maintenance: I follow too many people and websites at the moment; I wouldn’t want to have that number of users in my User list. I love the idea of the /friends/ page with the feed of what I am following. On the surface this looks like a lot of maintenance to have all of these followed people as users, though I understand that we don’t do a lot with the Users in our websites daily. Understood that the maintenance would be done in the Friends plugin.
Performance: I am assuming there is no performance degradation with the content of all of those users coming in, but if so, I wouldn’t want any performance degradation.
Privacy: In one of your videos I saw that the Friend, which is a user, could with the correct permissions, see your private posts. I am sure this is a setting, but I don’t want anyone to see a post that I have marked as private. In essence as soon as you allow this, that post is public anyway because the other person could copy or screenshot that post. This would not be a common use case for me. (Though I do have a custom post type that I use to share things with my family that I don’t want in my regular post types.) Additionally, I would just add a password to the post if it was private.
Alex, as I read a little more about your Friends plugin, I am thinking it was definitely ahead of its time. Providing the capability to let your friends read your private posts, if allowed, and providing the interaction features, is awesome!
Security: Understanding that the users don’t have elevated privilege, what if something goes wrong and they do? Recently the Advanced Custom Fields plugin vulnerability “allows any unauthenticated user to steal sensitive information for, in this case, privilege escalation on the WordPress site tricking a privileged user to visit the crafted URL path.” https://wptavern.com/advanced-custom-fields-plugin-patches-reflected-xss-vulnerability I don’t know what that is exactly :-), but the words user and escalated privilege stand out. To me, every user that I add to my website, adds a risk that someone out there can exploit.
Misc: I am sure that someone with a more technical background can provide additional reasons for not wanting the added users.
Thoughts:
How can you make the Friends plugin, combined with the Mastodon Access plugin, and ActivityPub plugin act like a true Mastodon or other ActivityPub site with following, replies, mobile posting, mobile likes, boosts, and follows?
I have read that Friends uses the common WordPress infrastructure. Could you possibly have a Friends plugin that gives an option to have the users in a custom table for Friends plugin users that don’t want to add actual WordPress Users?
The Setup I Would Want
- My site viewable on Mastodon or other ActivityPub sites. [Done – Available with the ActivityPub plugin.]
- To be able to use my site to communicate with other sites. [Done – Available with the Webmention plugin.]
- To be able to use a mobile app to create post and follow others. [Experimenting with the Enable Mastodon Apps plugin without success, but let’s consider this almost done. I just need to submit a ticket to see what I am doing incorrectly.]
- To be able to follow other ActivityPub users, in my case Mastodon users and sites with ActivityPub support, and see the follower number increase in my profile on the platform. [Can’t do this.]
- Feedreader: I like the implemented feedreader and would want to use this in my RSS reader. [I can probably do this, but haven’t gotten that far yet.]
Thank you, Michelle, for giving me some insight into your perspective! This is very helpful.
I think to sum it up, I want to follow you but don’t want to be your partner for life. Adding a user is like a partner for life.
I am curious about this statement and why you believe that? I think we need to make a distinction between a user who is able to log in to your site, and one that doesn’t.
The users that the friends plugin creates have a long unknown password. They don’t have an e-mail address through which a password could be retrieved.
If you follow a site, such a user is created (with the role “Subscription” and no other privileges) and merely used for the following things:
- Attribute posts to that user in the caching post (i.e. the post_author is the id of that user).
- Store metadata such as profile picture, website, description.
- Make it easy to delete all posts and metadata associated with that followed site when you decide to delete/unfriend the user.
If you befriend a site, such a user can get a role where they have some privileges. A “friend” will indeed be able to read private posts. An “acquaintance” will not. Both can use the Friends plugin on their site to log in to your site with this user in order to make comments on your posts. This is only true if the friend user has one of those roles. There is an issue on GitHub to discuss ideas around potentially preventing privilege escalation.
Users with a Subscription role (thus not having a “friend” capability) cannot log in to your site.
You never get into the territory of someone having more privileges on your site if you don’t send or accept any friend requests. You can prevent receiving friend requests by setting a passphrase in settings.
Recently the Advanced Custom Fields plugin vulnerability “allows any unauthenticated user to steal sensitive information for, in this case, privilege escalation on the WordPress site tricking a privileged user to visit the crafted URL path.”
An unauthenticated user is someone who doesn’t have an account on a site. So in such a scenario any Friends users would have been irrelevant.
To me, every user that I add to my website, adds a risk that someone out there can exploit.
I hear you but I’d argue that this is only the case when there is a chance that they can log in.
There has been a similar discussion on Github already and this system has been compared with Unix/Linux. Often services have their own user in the system that cannot be used for logging in and this is not considered a security problem.
I have read that Friends uses the common WordPress infrastructure. Could you possibly have a Friends plugin that gives an option to have the users in a custom table for Friends plugin users that don’t want to add actual WordPress Users?
Exactly: using “common WordPress infrastructure” means not creating custom tables. So this is not an option. I could not attribute the posts to users in that table since the ids in that table could clash with real users in the system.
Summary
I hear your concerns and I have seen in other discussions that technical arguments do not help the perception that people don’t like its usage of users for post attribution.
Thus, I am investigating if I could replace subscription users with a taxonomy. I cannot give a timeframe but the code design has some potential to allow this.
I believe taxonomies have much worse visibility and it is much easier to lose overview of them, but “out of sight” might just be what people would like.
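The “user that cannot log in” pattern described above can be checked rather than taken on trust. The following is an added illustration, not the Friends plugin’s own code: it creates a placeholder user the way the post describes (a role with only the read capability, a long random password that is never stored elsewhere, no e-mail address to send a reset link to), adds two defence-in-depth hooks that refuse authentication and password resets for that role, and provides a small audit function that lists every such user together with anything that would break the assumption (an e-mail address, or a capability beyond read). The role slug subscription and all function names prefixed with example_ are assumptions for this example; the authenticate and allow_password_reset filters, wp_insert_user(), wp_generate_password(), add_role() and get_users() are standard WordPress APIs.

```php
<?php
/**
 * Added illustration (not the Friends plugin's own code): a WordPress user
 * that exists only to own cached posts and can never log in, plus an audit
 * of that property. The role slug 'subscription' and the example_* function
 * names are assumptions made for this example.
 */

// 1. A role that carries nothing but the 'read' capability ("very low
//    privileges"). add_role() returns null and changes nothing if the
//    role already exists.
add_role( 'subscription', 'Subscription', array( 'read' => true ) );

// 2. Create the placeholder user for a followed site: a 64-character random
//    password that is discarded immediately, and an empty e-mail address so
//    the lost-password form has nowhere to deliver a reset link.
function example_create_feed_user( $site_url ) {
    $login = 'feed-' . substr( md5( $site_url ), 0, 12 );
    return wp_insert_user( array(
        'user_login' => $login,
        'user_pass'  => wp_generate_password( 64, true, true ),
        'user_email' => '',
        'user_url'   => $site_url,
        'role'       => 'subscription',
    ) ); // returns the new user ID, or WP_Error on failure
}

// 3. Defence in depth: even if the password somehow became known, refuse to
//    authenticate that role. Priority 30 runs after the core username/
//    password and application-password checks (priority 20), so $user is a
//    WP_User only when a credential check has already succeeded.
add_filter( 'authenticate', function ( $user ) {
    if ( $user instanceof WP_User && in_array( 'subscription', (array) $user->roles, true ) ) {
        return new WP_Error( 'example_no_login', 'This account cannot log in.' );
    }
    return $user;
}, 30, 1 );

// Also refuse password resets for that role, independently of the e-mail check.
add_filter( 'allow_password_reset', function ( $allow, $user_id ) {
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'subscription', (array) $user->roles, true ) ) {
        return false;
    }
    return $allow;
}, 10, 2 );

// 4. Audit: every subscription user, flagged if it has an e-mail address or
//    any capability beyond 'read'. WordPress lists the role name itself in
//    allcaps, so it is excluded along with 'read'.
function example_audit_feed_users() {
    $report = array();
    foreach ( get_users( array( 'role' => 'subscription' ) ) as $user ) {
        $granted    = array_keys( array_filter( $user->allcaps ) );
        $extra_caps = array_diff( $granted, array( 'read', 'subscription' ) );
        $report[ $user->user_login ] = array(
            'has_email'  => '' !== $user->user_email,
            'extra_caps' => array_values( $extra_caps ),
        );
    }
    return $report; // an empty 'extra_caps' and has_email === false is the expected state
}
```

Run example_audit_feed_users() from a must-use plugin or WP-CLI shell after creating a few users; any entry with has_email true or a non-empty extra_caps list is a user that no longer matches the description in the post. Note that this covers only the subscription case: the post says friend and acquaintance users are meant to log in through the friendship connection, so a hook like the authenticate filter above must not be applied to those roles.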
Thank you @akirk for your reply. I do understand what you are saying about the users having a special password or that the users that are Friends are the ones that can see what you allow them to. It still just adds a risk to my site. Here is another popular plugin that provides a risk https://www.bleepingcomputer.com/news/security/wordpress-elementor-plugin-bug-let-attackers-hijack-accounts-on-1m-sites/.
Again, I do like your plugin and appreciate the skill it took to dream up the concept and realize the vision. Please take this as the suggestion that it is.
I have to admit that I still don’t see how adding a user should increase the risk when your own account username is already exposed through many other means (e.g. an author page, REST API, etc.). The exploits you mentioned have all been for unauthenticated users, thus having more users would not increase the risk.
Despite this and because I respect your opinion and I believe that there is value in perceived security as well, I have worked on removing the need for users when you just subscribe to someone else:
You can follow this Pull Request “Don’t create a user when only following someone” to get notified when I merge it. It is already usable, I just need to personally test it for a while.
Thank you @akirk! I appreciate it! I will follow the pull request. Thank you!
Alex, hello. I think I misunderstood what Friends does, because I was hoping to have an “instance” on the fediverse using various plugins, yours included. This list by Michelle is the exact same as my needs:
The Setup I Would Want
- My site viewable on Mastodon or other ActivityPub sites. [Done – Available with the ActivityPub plugin.]
- To be able to use my site to communicate with other sites. [Done – Available with the Webmention plugin.]
- To be able to use a mobile app to create post and follow others. [Experimenting with the Enable Mastodon Apps plugin without success, but let’s consider this almost done. I just need to submit a ticket to see what I am doing incorrectly.]
- To be able to follow other ActivityPub users, in my case Mastodon users and sites with ActivityPub support, and see the follower number increase in my profile on the platform. [Can’t do this.]
The last point is my problem here. I was able to have a fediverse user on my own domain, let’s call it A. When I add a user from, say, mastodon.social, let’s call it B, I can see the posts of B on Friends just fine. However, if user B from Mastodon sees my WordPress user A in a Mastodon app, the posts from B show in the A timeline as if they were made by A, which is… not good.
Is this a bug? A feature? Something I should configure so B can only see things that are actually posted by A?
Hi @fabioromeo,
What you write sounds right to me. My solution for the third item is Enable Mastodon Apps, and for the fourth, the Friends plugin.
The last point is my problem here. I was able to have a fediverse user on my own domain, let’s call it A. When I add a user from, say, mastodon.social, let’s call it B, I can see the posts of B on Friends just fine. However, if user B from Mastodon sees my WordPress user A in a Mastodon app, the posts from B show in the A timeline as if they were made by A, which is… not good.
Could it be that you have added the second Mastodon user through this UI?
If you use the above, then the different users appear in the same account. The idea is that you can subscribe to multiple feeds per person (maybe into the same, maybe into different post formats).
If you have two different people, you will rather want to use “Add new Friends”:
Does this help?