LemmyNet · dessalines · Jan 15, 2025 · Dec 12, 2024 · Dec 12, 2024 · Dec 13, 2024
@@ -28,7 +28,7 @@
     "eslint": "^9.18.0",
     "eslint-plugin-prettier": "^5.1.3",
     "jest": "^29.5.0",
-    "lemmy-js-client": "0.20.0-modlog-combined.0",
+    "lemmy-js-client": "0.20.0-no-delete-token.2",
     "prettier": "^3.4.2",
     "ts-jest": "^29.1.0",
     "typescript": "^5.7.3",

@@ -55,7 +55,6 @@ test("Upload image and delete it", async () => {
   const upload = await alphaImage.uploadImage(upload_form);
   expect(upload.image_url).toBeDefined();
   expect(upload.filename).toBeDefined();
-  expect(upload.delete_token).toBeDefined();
 
   // ensure that image download is working. theres probably a better way to do this
   const response = await fetch(upload.image_url ?? "");
@@ -82,7 +81,6 @@ test("Upload image and delete it", async () => {
 
   // delete image
   const delete_form: DeleteImageParams = {
-    token: upload.delete_token,
     filename: upload.filename,
   };
   const delete_ = await alphaImage.deleteImage(delete_form);
@@ -113,7 +111,6 @@ test("Purge user, uploaded image removed", async () => {
   };
   const upload = await user.uploadImage(upload_form);
   expect(upload.filename).toBeDefined();
-  expect(upload.delete_token).toBeDefined();
   expect(upload.image_url).toBeDefined();
 
   // ensure that image download is working. theres probably a better way to do this
@@ -144,7 +141,6 @@ test("Purge post, linked image removed", async () => {
   };
   const upload = await user.uploadImage(upload_form);
   expect(upload.filename).toBeDefined();
-  expect(upload.delete_token).toBeDefined();
   expect(upload.image_url).toBeDefined();
 
   // ensure that image download is working. theres probably a better way to do this

@@ -952,7 +952,6 @@ export async function deleteAllImages(api: LemmyHttp) {
     imagesRes.images
       .map(image => {
         const form: DeleteImageParams = {
-          token: image.local_image.pictrs_delete_token,
           filename: image.local_image.pictrs_alias,
         };
         return form;

@@ -21,7 +21,6 @@ pub struct ImageGetParams {
 #[cfg_attr(feature = "full", ts(export))]
 pub struct DeleteImageParams {
   pub filename: String,
-  pub token: String,
 }
 
 #[skip_serializing_none]
@@ -43,7 +42,6 @@ pub struct ImageProxyParams {
 pub struct UploadImageResponse {
   pub image_url: Url,
   pub filename: String,
-  pub delete_token: String,
 }
 
 /// Parameter for setting community icon or banner. Can't use POST data here as it already contains

@@ -265,7 +265,6 @@ pub struct PictrsResponse {
 #[derive(Deserialize, Serialize, Debug)]
 pub struct PictrsFile {
   pub file: String,
-  pub delete_token: String,
   pub details: PictrsFileDetails,
 }
 
@@ -355,24 +354,18 @@ pub async fn purge_image_from_pictrs(image_url: &Url, context: &LemmyContext) ->
   }
 }
 
-pub async fn delete_image_from_pictrs(
-  alias: &str,
-  delete_token: &str,
-  context: &LemmyContext,
-) -> LemmyResult<()> {
+pub async fn delete_image_from_pictrs(alias: &str, context: &LemmyContext) -> LemmyResult<()> {
   // Delete db row if any (old Lemmy versions didnt generate this).
   LocalImage::delete_by_alias(&mut context.pool(), alias)
     .await
     .ok();
 
   let pictrs_config = context.settings().pictrs()?;
-  let url = format!(
-    "{}image/delete/{}/{}",
-    pictrs_config.url, &delete_token, &alias
-  );
+  let url = format!("{}internal/delete?alias={}", pictrs_config.url, &alias);
   context
     .pictrs_client()
-    .delete(&url)
+    .post(&url)
+    .header("X-Api-Token", pictrs_config.api_key.unwrap_or_default())
     .timeout(REQWEST_TIMEOUT)
     .send()
     .await?
@@ -421,7 +414,6 @@ async fn generate_pictrs_thumbnail(image_url: &Url, context: &LemmyContext) -> L
     // IE, a local user shouldn't get to delete the thumbnails for their link posts
     local_user_id: None,
     pictrs_alias: image.file.clone(),
-    pictrs_delete_token: image.delete_token.clone(),
   };
   let protocol_and_hostname = context.settings().get_protocol_and_hostname();
   let thumbnail_url = image.image_url(&protocol_and_hostname)?;

@@ -680,13 +680,9 @@ async fn delete_local_user_images(person_id: PersonId, context: &LemmyContext) -
 
     // Delete their images
     for upload in pictrs_uploads {
-      delete_image_from_pictrs(
-        &upload.local_image.pictrs_alias,
-        &upload.local_image.pictrs_delete_token,
-        context,
-      )
-      .await
-      .ok();
+      delete_image_from_pictrs(&upload.local_image.pictrs_alias, context)
+        .await
+        .ok();
     }
   }
   Ok(())

@@ -1,5 +1,5 @@
 use crate::{
-  newtypes::DbUrl,
+  newtypes::{DbUrl, LocalUserId},
   schema::{image_details, local_image, remote_image},
   source::images::{ImageDetails, ImageDetailsForm, LocalImage, LocalImageForm, RemoteImage},
   utils::{get_conn, DbPool},
@@ -9,6 +9,7 @@ use diesel::{
   insert_into,
   result::Error,
   select,
+  BoolExpressionMethods,
   ExpressionMethods,
   NotFound,
   QueryDsl,
@@ -47,6 +48,23 @@ impl LocalImage {
       .await
   }
 
+  pub async fn delete_by_alias_and_user(
+    pool: &mut DbPool<'_>,
+    alias: &str,
+    local_user_id: LocalUserId,
+  ) -> Result<Self, Error> {
+    let conn = &mut get_conn(pool).await?;
+    diesel::delete(
+      local_image::table.filter(
+        local_image::pictrs_alias
+          .eq(alias)
+          .and(local_image::local_user_id.eq(local_user_id)),
+      ),
+    )
+    .get_result(conn)
+    .await
+  }
+
   pub async fn delete_by_url(pool: &mut DbPool<'_>, url: &DbUrl) -> Result<Self, Error> {
     let alias = url.as_str().split('/').last().ok_or(NotFound)?;
     Self::delete_by_alias(pool, alias).await

@@ -386,7 +386,6 @@ diesel::table! {
     local_image (pictrs_alias) {
         local_user_id -> Nullable<Int4>,
         pictrs_alias -> Text,
-        pictrs_delete_token -> Text,
         published -> Timestamptz,
     }
 }

@@ -26,7 +26,6 @@ pub struct LocalImage {
   #[cfg_attr(feature = "full", ts(optional))]
   pub local_user_id: Option<LocalUserId>,
   pub pictrs_alias: String,
-  pub pictrs_delete_token: String,
   pub published: DateTime<Utc>,
 }
 
@@ -36,7 +35,6 @@ pub struct LocalImage {
 pub struct LocalImageForm {
   pub local_user_id: Option<LocalUserId>,
   pub pictrs_alias: String,
-  pub pictrs_delete_token: String,
 }
 
 /// Stores all images which are hosted on remote domains. When attempting to proxy an image, it

@@ -3,6 +3,7 @@ use actix_web::web::*;
 use lemmy_api_common::{
   context::LemmyContext,
   image::{CommunityIdQuery, DeleteImageParams},
+  request::delete_image_from_pictrs,
   utils::{is_admin, is_mod_or_admin},
   SuccessResponse,
 };
@@ -121,27 +122,19 @@ pub async fn delete_user_banner(
   Ok(Json(SuccessResponse::default()))
 }
 
-// TODO: get rid of delete tokens and allow deletion by admin or uploader
 pub async fn delete_image(
   data: Json<DeleteImageParams>,
   context: Data<LemmyContext>,
-  // require login
-  _local_user_view: LocalUserView,
+  local_user_view: LocalUserView,
 ) -> LemmyResult<Json<SuccessResponse>> {
-  let pictrs_config = context.settings().pictrs()?;
-  let url = format!(
-    "{}image/delete/{}/{}",
-    pictrs_config.url, &data.token, &data.filename
-  );
-
-  context
-    .pictrs_client()
-    .delete(url)
-    .send()
-    .await?
-    .error_for_status()?;
-
-  LocalImage::delete_by_alias(&mut context.pool(), &data.filename).await?;
+  LocalImage::delete_by_alias_and_user(
+    &mut context.pool(),
+    &data.filename,
+    local_user_view.local_user.id,
+  )
+  .await?;
+
+  delete_image_from_pictrs(&data.filename, &context).await?;
 
   Ok(Json(SuccessResponse::default()))
 }
@@ -215,7 +215,6 @@ pub async fn do_upload_image(
     let form = LocalImageForm {
       local_user_id: Some(local_user_view.local_user.id),
       pictrs_alias: image.file.to_string(),
-      pictrs_delete_token: image.delete_token.to_string(),
     };
 
     let protocol_and_hostname = context.settings().get_protocol_and_hostname();
@@ -234,6 +233,5 @@ pub async fn do_upload_image(
   Ok(UploadImageResponse {
     image_url: url,
     filename: image.file,
-    delete_token: image.delete_token,
   })
 }
@@ -104,7 +104,7 @@ pub(super) async fn delete_old_image(
       .await
       .ok();
     if let Some(image) = image {
-      delete_image_from_pictrs(&image.pictrs_alias, &image.pictrs_delete_token, context).await?;
+      delete_image_from_pictrs(&image.pictrs_alias, context).await?;
     }
   }
   Ok(())

@@ -0,0 +1,19 @@
+ALTER TABLE local_image
+    ADD COLUMN pictrs_delete_token text NOT NULL DEFAULT '';
+
+ALTER TABLE local_image
+    ALTER COLUMN pictrs_delete_token DROP DEFAULT;
+
+ALTER TABLE local_image
+    ADD COLUMN published_new timestamp with time zone DEFAULT now() NOT NULL;
+
+UPDATE
+    local_image
+SET
+    published_new = published;
+
+ALTER TABLE local_image
+    DROP COLUMN published;
+
+ALTER TABLE local_image RENAME published_new TO published;
+
@@ -0,0 +1,3 @@
+ALTER TABLE local_image
+    DROP COLUMN pictrs_delete_token;
+
-Original file line number
+Diff line change
@@ Expand Up / @@ -104,7 +104,7 @@ pub(super) async fn delete_old_image( @@
           .await
           .ok();
         if let Some(image) = image {
-          delete_image_from_pictrs(&image.pictrs_alias, &image.pictrs_delete_token, context).await?;
+          delete_image_from_pictrs(&image.pictrs_alias, context).await?;
         }
       }
       Ok(())
@@ Expand Down @@
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		ALTER TABLE local_image
		DROP COLUMN pictrs_delete_token;