I've been meaning to do this for a while, to work out how it relates to OpenWebAuth authentication (as described in FEP-61cf), but unless I'm missing something (very possible), it's an entirely separate mechanism.
Summary: it's based on bearer tokens / capability URLs. Each post is given a random token, and that token grants access to any media files attached to it. If you're allowed to view the post, the attachment URLs it contains carry the token and so grant you the capability to download the attachments too; as with any bearer token, whoever holds the URL holds the capability.
When a post is created:
- Generate a random token for it.
- Record that the token grants permission to access any attached media files.
- Store the token in the DB as part of the post.
When a post is encoded to ActivityPub:
- Find the associated token and append it to any URLs referring to attached media files.
- Also do the same for any attachment objects.
Presumably this happens when it's rendered to HTML, too, but I couldn't find that bit.
When a media file is requested:
- Extract the token from the request.
- Check that the requester has permission to view the file, including checking whether the token grants permission.
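The three stages above, written out as one added example in Python. This is not code from the original post or from the server it describes; the query-parameter name `TOKEN_PARAM`, the `MEDIA_BASE` URL, the in-memory `Store`, and the `deliver` and `media_allowed` helpers are my own assumptions about how such a mechanism would be wired up. The check at the end also covers the case the scheme has to get right: a valid token from one post must not unlock another post's files.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed names: the original post does not say what the query parameter is
# called or what the media URLs look like.
TOKEN_PARAM = "token"
MEDIA_BASE = "https://example.test/media/"


@dataclass
class Post:
    id: str
    author: str
    audience: set          # actors allowed to view the post; "public" means anyone
    attachments: list      # ids of media files attached to the post
    # Step 1: every post gets its own random token from a CSPRNG.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class Store:
    """In-memory stand-in for the database (constructed for this example)."""

    def __init__(self):
        self.posts = {}          # post id -> Post
        self.by_token = {}       # token -> post id (steps 2 and 3: token stored with the post)
        self.media_owner = {}    # media id -> uploading actor

    def create_post(self, author, audience, attachments):
        post = Post(secrets.token_hex(8), author, set(audience), list(attachments))
        self.posts[post.id] = post
        self.by_token[post.token] = post.id
        return post


def with_token(url, token):
    """Append the post's token to a media URL, replacing any token already present."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != TOKEN_PARAM]
    query.append((TOKEN_PARAM, token))
    return urlunsplit(parts._replace(query=urlencode(query)))


def encode_post(post):
    """Minimal ActivityPub-style rendering; attachment URLs carry the post's token."""
    return {
        "id": f"https://example.test/posts/{post.id}",
        "attributedTo": post.author,
        "attachment": [
            {"type": "Document", "url": with_token(MEDIA_BASE + media_id, post.token)}
            for media_id in post.attachments
        ],
    }


def deliver(post, recipient):
    """Only recipients who may view the post receive the tokenised URLs."""
    if "public" in post.audience or recipient in post.audience or recipient == post.author:
        return encode_post(post)
    return None


def media_allowed(store, media_url, requester):
    """Decide a media request. requester is an actor id, or None for anonymous."""
    parts = urlsplit(media_url)
    media_id = parts.path.rsplit("/", 1)[-1]
    token = dict(parse_qsl(parts.query)).get(TOKEN_PARAM)

    # The uploader can always fetch their own file, token or not.
    if requester is not None and store.media_owner.get(media_id) == requester:
        return True
    if token is None:
        return False
    post_id = store.by_token.get(token)
    if post_id is None:
        return False          # unknown or tampered token
    # The token is a capability for *this* post's attachments only: a valid
    # token belonging to another post must not unlock this file.
    return media_id in store.posts[post_id].attachments


def demo():
    """Run the flow on constructed data and return the access decisions."""
    store = Store()
    store.media_owner.update({"img1": "alice", "img2": "alice"})
    private = store.create_post("alice", {"bob"}, ["img1"])
    public = store.create_post("alice", {"public"}, ["img2"])
    url = deliver(private, "bob")["attachment"][0]["url"]
    return {
        "bob_with_token": media_allowed(store, url, "bob"),
        "anon_with_token": media_allowed(store, url, None),   # bearer: the URL is the credential
        "no_token": media_allowed(store, MEDIA_BASE + "img1", "bob"),
        "wrong_post_token": media_allowed(store, with_token(MEDIA_BASE + "img1", public.token), "bob"),
        "tampered": media_allowed(store, with_token(MEDIA_BASE + "img1", "not-a-real-token"), "bob"),
        "owner_no_token": media_allowed(store, MEDIA_BASE + "img1", "alice"),
        "carol_not_delivered": deliver(private, "carol") is None,
    }
```

Two things worth noticing when running `demo()`: the anonymous request with the token succeeds, because the URL itself is the credential, and the request carrying the public post's token for the private post's file fails, because the token is scoped to one post's attachments. The flip side of a bearer URL is that it leaks wherever URLs leak (Referer headers, server logs, copy-paste); the per-post scope limits what a leaked URL exposes, and regenerating a post's token is how you would revoke it.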
Pretty simple really, though it took a bit of grepping and guesswork to find all these pieces, and I'm not sure I've found all of it.
#ActivityPubDev