Orphan attachments without posts are never deleted
This is somewhere between bug, feature request, and vulnerability.
when a user uploads an attachment to Pleroma, but doesn't actually click "Post", the attachment stays publicly accessible with no way to administratively delete.
The admin setting to delete attachments only applies to attachments with activities.
This represents a way for malicious users to serve content without anyone noticing.
Recommend putting uploaded attachments in a non-public storage cache then moving them to the final destination when the activity is created, or finding some alternate solution to clean these orphan attachments regularly that doesn't put exessive load on the db (as it does when deleting with file de-duplication)
There was a thread about this today so I won't bother making this private even though it does have some potential for abuse.