Retweeting does not honour send permissions.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Gwibber | Confirmed | Undecided | Unassigned |
gwibber (Ubuntu) | Triaged | Medium | Unassigned |
Bug Description
I've set up an "official" account and a "personal" account on Twitter. Gwibber is set up to follow both, but only to post to the personal account. However, the following retweet was sent from my official account, contrary to the permissions setup (i.e. permission to send to physihacker is not allowed):
http://
It's either because both accounts are subscribed to the NAPress, or only physihacker. Both cases should be checked.
In addition, the purpose of the retweet is to notify my friends who might be interested and who're following my personal accounts on identi.ca, twitter, and facebook, so even limiting the posting to my very-limited official account wasn't what was intended.
Marking security, because this is likely to leak information at some point due to this surprising behavior (although the information is technically public).
visibility: private → public
Changed in gwibber:
status: New → Confirmed
summary:
- Retweeting ignores posting permissions
+ Retweeting does not require send permissions.
Changed in gwibber (Ubuntu):
status: New → Confirmed
Changed in gwibber (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Triaged
summary:
- Retweeting does not require send permissions.
+ Retweeting does not honour send permissions.
security vulnerability: yes → no
Just tested this, and can confirm that retweets do ignore posting permissions. I tried it with tweets where both accounts were subscribed, and ones where only the restricted account subscribed. It happened in both cases.
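
An added example, not Gwibber's code and not part of the original report: a hypothetical Python model of the two cases tested above (both accounts subscribed, only the restricted account subscribed), with the retweet path routed through the same send-permission check as ordinary posts. All class, function and account names other than `physihacker` are assumptions, as are the cause modelled in `retweet_unchecked` and the fallback rule in `retweet_checked`.

```python
"""Hypothetical model of a multi-account client; not Gwibber's code."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    name: str
    send_enabled: bool          # the per-account send permission

@dataclass(frozen=True)
class Message:
    msg_id: str
    received_by: frozenset      # local accounts whose stream showed the message

# Constructed sample data. "physihacker" is the receive-only account named in
# the report; "personal_acct" is a placeholder for the send-enabled account.
ACCOUNTS = [Account("physihacker", send_enabled=False),
            Account("personal_acct", send_enabled=True)]
BOTH_SUBSCRIBED = Message("m1", frozenset({"physihacker", "personal_acct"}))
ONLY_RESTRICTED = Message("m2", frozenset({"physihacker"}))

WRITE_OPS = {"post", "retweet"}   # every operation that publishes as the account

def authorized(op, account):
    """Single policy check shared by all publishing operations."""
    return op not in WRITE_OPS or account.send_enabled

def retweet_unchecked(message, accounts):
    """Assumed flawed path: retweet as whichever account received the message."""
    return [a.name for a in accounts if a.name in message.received_by]

def retweet_checked(message, accounts):
    """Retweet only from accounts that pass the send-permission check.

    Receiving accounts are preferred; if none of them may send, fall back to
    the other send-enabled accounts instead of publishing from a restricted one.
    """
    allowed = [a for a in accounts if authorized("retweet", a)]
    preferred = [a for a in allowed if a.name in message.received_by]
    return [a.name for a in (preferred or allowed)]
```

Keeping the permission decision in one function that every publishing operation calls means a newly added operation cannot skip it by accident, and the two sample messages double as regression cases for the behaviour reported here.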