

ActivityPub is a half-assed unfinished mess.
Tried working on my own service and figured this one out very fast.
It’s amazing that it works at all. 98% of the stuff is not documented at all, and the stuff that is can hardly be called documentation.
Absolutely necessarily.
It works like this:
@privateuser@mastodon.example.com has a “followers only account”.
@someuser@pixelfed.example.com is a friend of above account, requested access and was granted. This now causes mastodon.example.com to push all messages of @privateuser to pixelfed.example.com.
@anotheruser@pixelfed.example.com requests access, but gets ignored. But the pixelfed instance marks the user as “follows @privateuser”.
@someuser, the messages are shown as expected.
@anotheruser, they are also shown. Because PF basically does a database “select messages of users that the user follows”, without checking if the access was ever granted.

Important to note, that this would not happen, if the messages weren’t already pushed to the server due to the “allowed” user.
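
The timeline query described in the comment above, next to a version that checks whether the follow was accepted. This is an added example, not part of the original post and not Pixelfed's code; the `follows`/`posts` schema, the `accepted` and `visibility` columns, and the function names are assumptions made for illustration.

```python
import sqlite3

# Hypothetical schema: each follow row records whether the target accepted it.
SCHEMA = """
CREATE TABLE follows (follower TEXT, target TEXT, accepted INTEGER);
CREATE TABLE posts (author TEXT, visibility TEXT, body TEXT);
"""
PRIVATE = "privateuser@mastodon.example.com"
SOME = "someuser@pixelfed.example.com"
ANOTHER = "anotheruser@pixelfed.example.com"

def build_db():
    """Constructed sample data mirroring the scenario in the comment."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO follows VALUES (?, ?, ?)", [
        (SOME, PRIVATE, 1),     # request was granted
        (ANOTHER, PRIVATE, 0),  # request was ignored, row exists anyway
    ])
    # Both posts are stored locally because SOME's accepted follow
    # made the remote server push them to this instance.
    db.executemany("INSERT INTO posts VALUES (?, ?, ?)", [
        (PRIVATE, "followers", "followers-only post"),
        (PRIVATE, "public", "public post"),
    ])
    return db

def timeline_unchecked(db, viewer):
    """Flawed: any follow row counts, accepted or not."""
    rows = db.execute(
        "SELECT p.body FROM posts p JOIN follows f ON f.target = p.author "
        "WHERE f.follower = ? ORDER BY p.rowid", (viewer,))
    return [r[0] for r in rows]

def timeline_checked(db, viewer):
    """Hardened: followers-only posts require an accepted follow."""
    rows = db.execute(
        "SELECT p.body FROM posts p JOIN follows f ON f.target = p.author "
        "WHERE f.follower = ? AND (p.visibility = 'public' OR f.accepted = 1) "
        "ORDER BY p.rowid", (viewer,))
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_db()
    for viewer in (SOME, ANOTHER):
        print(viewer, timeline_unchecked(db, viewer), timeline_checked(db, viewer))
```

The authorization decision belongs in the read path as well as at delivery time, because the post is already in the local database once any one accepted follower exists on the instance.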