fox@vlemmy.net to Technology@beehaw.org • Be careful. New platforms invite bad actors. (English)
6 · 1 year ago
yup pretty sure
$ cat /etc/passwd
fox:hunter2:1000:1000::/home/fox:/usr/bin/zsh
😉
you don’t need to be root to read /etc/passwd
following a recipe is like executing an algorithm, except there is no segmentation fault. what's not to like?
However, the two Jumpsec Red Team members found that they could go around the restriction by changing the internal and external recipient ID in the POST request of a message, thus fooling the system into treating an external user as an internal one.
so they only do the check on the client side. classic.
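As an added example (not from the post, the quoted article, or any vendor's code), here is the difference between the two kinds of check in Python: a handler that trusts the recipient classification carried in the request body, beside one that derives the recipient's tenant from a server-side directory and fails closed on unknown principals. The directory, tenant names and request fields are constructed for the illustration; the mismatch helper is a detection signal a defender can log when the client's claim disagrees with the server's own classification.

```python
"""Server-side enforcement of an external-recipient restriction.

Constructed example: DIRECTORY, the tenant names and SendRequest are
assumptions for the illustration, not any real product's data model.
"""
from dataclasses import dataclass

# Constructed directory: user id -> tenant that owns the account.
DIRECTORY = {
    "alice": "contoso",
    "bob": "contoso",
    "mallory": "evilcorp",
}


@dataclass
class SendRequest:
    sender: str              # authenticated principal, set by the auth layer
    recipient: str           # taken from the POST body
    claimed_internal: bool   # taken from the POST body; under client control


def vulnerable_allow(req: SendRequest, block_external: bool = True) -> bool:
    """Trusts the client's own classification of the recipient.

    Editing the POST body flips the outcome, which is the weakness the
    quoted article describes.
    """
    if not block_external:
        return True
    return req.claimed_internal


def hardened_allow(req: SendRequest, block_external: bool = True) -> bool:
    """Classifies the recipient from the server-side directory only.

    The client-supplied flag is ignored; an unknown sender or recipient
    is refused rather than assumed internal.
    """
    if not block_external:
        return True
    sender_tenant = DIRECTORY.get(req.sender)
    recipient_tenant = DIRECTORY.get(req.recipient)
    if sender_tenant is None or recipient_tenant is None:
        return False  # fail closed on anything the directory does not know
    return sender_tenant == recipient_tenant


def classification_mismatch(req: SendRequest) -> bool:
    """True when the body claims 'internal' but the server disagrees.

    Worth logging: a legitimate client has no reason to assert a
    classification the server would not compute itself.
    """
    server_says_internal = hardened_allow(req, block_external=True)
    return req.claimed_internal and not server_says_internal


if __name__ == "__main__":
    req = SendRequest(sender="alice", recipient="mallory", claimed_internal=True)
    print("client-side check allows:", vulnerable_allow(req))
    print("server-side check allows:", hardened_allow(req))
    print("mismatch worth logging:  ", classification_mismatch(req))
```

The hardened path keys everything off the authenticated sender and the directory's view of the recipient, so the only way to message across tenants is for the policy itself to permit it (`block_external=False`), not for the request body to say so.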
there is a page about this on the lemmy docs: https://join-lemmy.org/docs/users/05-censorship-resistance.html