This release fixes a security vulnerability which allows an attacker to delete images uploaded by other users. You can read the details in the security advisory. Thanks to @Nothing4You for discovering and fixing it.
A new donation dialog is shown to users once per year, to help fund Lemmy development.
There are also various backports from the development branch. Importantly the “Private instance” setting can now be used with federation enabled. This way only logged-in users can browse posts and comments, which stops AI crawlers from overloading the server. Also moderators can now view votes in the post/comment options.
The ability to see votes from the default UI for mods is a big change!
What’s the benefit of seeing how people vote? Feels a bit invasive to me. It also feels like it has the potential for abuse in the wrong hands.
There has been some vote manipulation recently: https://lemmy.dbzer0.com/post/41724398
Giving mods the option to see votes allows them to help the admins in this kind of scenarios.
You can already see votes if you’re using different software anyways, check how it looks on my mbin instance, I can click “Activity” and see it already.
That only works for upvotes, Mbin doesn’t show downvotes.
Yes, but Kbin used to show downvotes too. I don’t think there should be an illusion that they’re private, while they can be exposed.
God I remember the debates about this back around the API exodus when Kbin still existed. Even though anyone can technically access vote information by spinning up their own instance that barrier is sufficient for most users. I don’t think making voter info completely publicly visible is a good reaction to the fact that it’s “technically public anyway”. I don’t think being able to see exactly who voted what on your posts and comments leads to anything good, neither for the environment as a whole nor for you as an individual.
EDIT: This is for regular users, I obviously don’t have a problem with mods and admins having access to this data as it’s probably a necessary moderation tool.
That’s a good question.
@melroy@kbin.melroy.org and @BentiGorlich@gehirneimer.de, are the downvotes potentially available but just hidden, or are they not even accessible via API for a standard user?
They are just hidden, but I think no one has access to them via UI. We also have a discussion issue going about respecting the visibility a like activity specifies.
I am torn on this issue. Just because you theoretically can always spin up an instance and just collect the info that way one should not make it as easy as it is today (imo)… But the community seems to be heavily leaning towards @Fitik@fedia.io 's view
I’m okay with the way Lemmy implemented it in this version:
- admins can see votes, but they can see everything anyway
- mods can see votes, to help with brigading
- users can’t see votes
But I’m not an Mbin user, so that should probably be discussed with your users
That’s where I am as well, but if Mbin ever takes off we’ll see if our reservations about completely public votes were baseless fears.
