cookiemumbles / justmytoots.com

Apache License 2.0

security: skip non-public toots #48

Closed bannmann closed 1 year ago

bannmann commented 1 year ago

When composing a toot with Mastodon, users can select the following privacy settings:

Mode                   Effect
Public                 Visible for all
Unlisted               Visible for all, but opted out of discovery
Followers only         Visible for followers only
Mentioned people only  Visible for mentioned users only

justmytoots should skip toots with any setting other than Public.
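As an added illustration of the filter this issue asks for (example code, not part of justmytoots or this thread): a client-side filter over an account's statuses that drops boosts and anything that is not Public. Field names follow the Mastodon Status entity (`visibility` is one of "public", "unlisted", "private", "direct"; `reblog` is non-null for boosts); the sample statuses are constructed, and the option names are assumptions for the example.

```javascript
// Added example, not justmytoots' own code. Visibility strings and the
// `reblog` field follow the Mastodon Status entity.

// Visibilities the unauthenticated public API hands out. Anything else is
// treated as non-public and dropped, even if it somehow shows up.
const PUBLIC_API_VISIBILITIES = new Set(["public", "unlisted"]);

/**
 * Keep only the toots justmytoots should show.
 *   onlyPublic    - when true (the behaviour this issue requests), drop
 *                   "unlisted" as well, since justmytoots is a discovery
 *                   feature and unlisted means "opted out of discovery".
 *   includeBoosts - when false, drop reblogs so only the author's own
 *                   toots remain.
 * Defaults are hardcoded here rather than taken from the visitor, which is
 * the point of the issue: the poster's privacy choice is not a toggle.
 */
function filterJustMyToots(statuses, { onlyPublic = true, includeBoosts = false } = {}) {
  return statuses.filter((status) => {
    // Followers-only and direct toots should never reach an anonymous
    // client; do not rely on that, filter them out regardless.
    if (!PUBLIC_API_VISIBILITIES.has(status.visibility)) return false;
    if (onlyPublic && status.visibility !== "public") return false;
    if (!includeBoosts && status.reblog) return false;
    return true;
  });
}

// Helper for inspection/tests: the ids of the toots that survive the filter.
function keptIds(statuses, options) {
  return filterJustMyToots(statuses, options).map((s) => s.id).join(",");
}

// Constructed sample: one toot per visibility plus one boost. Only the
// fields the filter reads are included.
const SAMPLE_STATUSES = [
  { id: "1", visibility: "public",   reblog: null, content: "own public toot" },
  { id: "2", visibility: "unlisted", reblog: null, content: "reply #2 of a thread" },
  { id: "3", visibility: "public",   reblog: { id: "99" }, content: "" },
  { id: "4", visibility: "private",  reblog: null, content: "followers only" },
  { id: "5", visibility: "direct",   reblog: null, content: "mentioned only" },
];

// Usage: default behaviour keeps only id 1; relaxing onlyPublic adds the
// unlisted toot; allowing boosts adds the reblog. 4 and 5 never appear.
console.log(keptIds(SAMPLE_STATUSES));
console.log(keptIds(SAMPLE_STATUSES, { onlyPublic: false }));
console.log(keptIds(SAMPLE_STATUSES, { onlyPublic: false, includeBoosts: true }));
```

The filter treats "private" and "direct" as an invariant violation rather than a configuration choice, so a bug elsewhere (or an authenticated token accidentally used for the fetch) cannot leak them onto the page.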

bannmann commented 1 year ago

To clarify: this should not be configurable by the visitor.

One could argue that this is just a default the person who links justmytoot in their profile could override. However, I would say that as this defeats the purpose of the privacy setting, the behavior should be hardcoded.

cookiemumbles commented 1 year ago

First off, thanks for creating an issue! I really appreciate people starting a conversation about these types of things.

The "followers only" and "mentioned people only" are not returned by the public api in the first place so they were not, and never will be, displayed on justmytoots. The "unlisted" toots however were displayed before, which I argue is still not listing them to discovery features as mastodon defines them (explore, federated etc). I'm open to discussing further how people might use unlisted that I'm not aware of, but I think that it is currently used mainly for replies that are just out of context in discovery features, and if you want privacy you'll make them "Followers only".

I do agree though that it plays into the larger question of consent, and is a lot more of a problem the way the site worked before. But as I have promised I'll only take the site back online if I can figure out a way to have people opt-in explicitly. And after I've got that working, people that use the link will have consented to also 'optionally' showing unlisted for the time being.

On a larger timescale though, I do have some ideas how I can build upon the opt-in to allow people to explicitly configure the options allowed for their links. For example if people want to force a certain set of options and prevent visitors from modifying them themselves.

cookiemumbles commented 1 year ago

Now that I'm thinking about it more though, I have a hard time coming up with a scenario for people to set toots to "unlisted" but still wanting them to show on justmytoots...

bannmann commented 1 year ago

Now that I'm thinking about it more though, I have a hard time coming up with a scenario for people to set toots to "unlisted" but still wanting them to show on justmytoots...

Exactly; I was thinking along the same lines.

Also, when I read the "opted-out of discovery" in the description of the Unlisted option, my immediate thought was "justmytoots clearly is a discovery feature" (just not one built into Mastodon).


By the way: one use case for "unlisted" I read about is to apply it to messages 2 to 7 of a 7-message-thread. That way, people scrolling down their timeline won't see #7 #6 #5 #4 #3 #2 #1, but only #1, and when they open that, they see the remaining posts.

cookiemumbles commented 1 year ago

So I've been thinking about this a lot, and here's how I see it currently: The whole idea of this site is just so you can "check someone's vibe" by simply filtering out the boosts. The whole thing should have been a basic filter switch in mastodon, like there already is for the main timeline, but currently that's not an option for the user's home timeline. Twitter has the same issue, but for example the people over at funny twitter all have a link in their profile to a search that does exactly the same thing: filter out the retweets and only show the user's tweets.

Anyway, in that context of it being a filtered home timeline, I feel like filtering out unlisted would be confusing. It should actually even have a switch for including the boosts if someone wants. Basically be the user's timeline but with more filtering options.

As to your feature request then, I feel like you have quite a valid argument, and I've gone back and forth on it, but for the time being I've decided I'll keep it as is, for the following reasons:

durka commented 1 year ago

I'll be adding a feature for forcing the options set by the justmytoots-link author (like I've mentioned above)

Sorry to bump a closed issue, and not trying to put any time pressure on you, but this feature would, I think, make me comfortable putting the link in my profile. Happy to help implement if you're looking for contributions.

cookiemumbles commented 1 year ago

Oh hey I actually forgot to make this into a proper issue! I did it now ( #62 ) and I'll put it high on my list :)

Thanks for the feedback!

cookiemumbles commented 1 year ago

@durka This is now live. Hope you like it! And any more feedback is always appreciated. Thanks again!

bannmann commented 1 year ago

Seems to work, thanks!

One cosmetic issue though: the toggle button for "only public toots" should be disabled as well. I know it doesn't actually work (as it resets after submitting the form), but it looks weird and could give people the wrong impression.

durka commented 1 year ago

Sweet, adding to profile! Agree with Jens that it's a little confusing that you can change the options or even remove the URL params with no effect, but it kinda makes sense.

Also I'm sure you'll get to this but it's not very discoverable. Maybe you could have a URL builder on the "no consent" error page for folks that want to add the link to profile.


cookiemumbles commented 1 year ago

@bannmann Good point! Should be an easy fix. I've created #67 for it so I won't forget.

@durka Yes I've noticed this is getting hard. Especially figuring out if any of this works without having the consent yet. I've already created issue #63 for addressing this, and it will probably be one of the things I'll be building next.