glitch-soc / mastodon

A glitchy but lovable microblogging server
https://glitch-soc.github.io/docs/
GNU Affero General Public License v3.0

Local-only toots can still be made to federate #105

Closed yiskah closed 6 years ago

yiskah commented 7 years ago

Replies and the search box can be used to retrieve a local only toot from another server

hannahwhy commented 7 years ago

Mentions, too. Here's what I see from my instance:

[Screenshot: screenshot_20170910_142437]

Probably related to the other conditions.

ekiru commented 7 years ago

ah, good point. Did it also show up in your instance's federated TL as well?

hannahwhy commented 7 years ago

Yep, also showed up in the federated timeline:

[Screenshot: screenshot_20170910_145704]

The distribution workers do check for 👁️; maybe we're missing a spot?

ekiru commented 7 years ago

Right, mentions are handled by the ProcessMentionsService, which pushes things out to mentioned accounts regardless. I'm not entirely sure how we should handle this, actually. It's weird if we allow mentions but they don't actually go to the mentioned user, but otoh then they end up not-local-only. Maybe we should forbid @ ing remote users in local-only toots?

beatrix-bitrot commented 7 years ago

We're definitely at least missing routes/controllers/etc where we serve requests for statuses; those get hit when instances pull toots for the search box, as well as for context threads.

yiskah commented 7 years ago

Does ActivityPub change our ability to keep local-only from being retrieved?

ekiru commented 7 years ago

bea made these stop showing up in some places (the public page for individual statuses, at least), but I found a few other spots, copying my messages from discord down here. quick summary: at least the following few places still show them:

going to note down here the relevant bits that we need to change to make local-only statuses not show up in the remaining public places I'm aware of them showing up (public pages for hashtags, /api/v1/timelines/public, and outboxes)

outboxes use the Status::permitted_for method, so at https://github.com/glitch-soc/mastodon/blob/master/app/models/status.rb#L213 we'll want to make that limit itself to non-local-only statuses

the public timeline API endpoint and hashtag public pages (/ the hashtag API endpoint) use Status.as_public_timeline and Status.as_tag_timeline at https://github.com/glitch-soc/mastodon/blob/master/app/models/status.rb#L157-L167 for non-logged-in requests

those methods both call into filter_timeline_default so that seems like the natural place to filter on it.

for users' public account pages, we probably need a check here https://github.com/glitch-soc/mastodon/blob/master/app/controllers/accounts_controller.rb#L51
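
Added example, not part of the comment above and not glitch-soc's code: a Ruby regression check, over an in-memory model, that runs each externally reachable read path listed in that comment as a viewer with no local session and reports any path that still returns a local-only status. The `Status` struct, the `local_only` flag, `visible_to?`, `READ_PATHS` and `leaking_paths` are hypothetical names, and the rule that any logged-in local account may see local-only statuses is an assumption.

```ruby
# Added illustration: an in-memory model, not glitch-soc's code.
# All names here (Status fields, visible_to?, READ_PATHS, leaking_paths) are hypothetical.
Status = Struct.new(:id, :account, :text, :visibility, :local_only, :tags, keyword_init: true)

# Constructed sample data.
STATUSES = [
  Status.new(id: 1, account: 'alice', text: 'hello fediverse',
             visibility: :public, local_only: false, tags: ['intro']),
  Status.new(id: 2, account: 'alice', text: 'silenced example.invalid',
             visibility: :public, local_only: true, tags: ['modlog']),
  Status.new(id: 3, account: 'bob', text: 'followers only',
             visibility: :private, local_only: false, tags: ['intro'])
].freeze

# One predicate shared by every read path.
# viewer is nil for anonymous or remote requests, or a local account name.
# Assumption: any logged-in local account may see local-only statuses.
def visible_to?(status, viewer)
  return false if status.local_only && viewer.nil?
  status.visibility == :public || status.account == viewer
end

# The read paths from the thread, modelled as lambdas taking the viewer.
READ_PATHS = {
  outbox:          ->(viewer) { STATUSES.select { |s| s.account == 'alice' && visible_to?(s, viewer) } },
  public_timeline: ->(viewer) { STATUSES.select { |s| visible_to?(s, viewer) } },
  # Left checking visibility only, to model a path that was missed.
  tag_timeline:    ->(_viewer) { STATUSES.select { |s| s.tags.include?('modlog') && s.visibility == :public } },
  status_fetch:    ->(viewer) { STATUSES.select { |s| s.id == 2 && visible_to?(s, viewer) } }
}.freeze

# Names of read paths that return a local-only status to a viewer
# without a local session.
def leaking_paths(paths = READ_PATHS)
  paths.select { |_name, path| path.call(nil).any?(&:local_only) }.keys
end

puts "leaking read paths: #{leaking_paths.inspect}" if __FILE__ == $PROGRAM_NAME
```

Routing a newly added public endpoint through the same `READ_PATHS` table means the check covers it without a separate test per controller.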

MightyPork commented 7 years ago

it probably should show on the about-page timeline and the static accounts?

ekiru commented 7 years ago

I disagree. Completely hiding them from all external users can be pretty valuable.

For example, one of the main things I use local-only toots for is to make announcements of moderation actions on sprite.land. I make a little local-only public post in a particular hashtag when i silence an instance or account or such. Ideally this would not be visible to anyone outside of the instance who looks at my profile page. Without that, I need to be vague and uninformative in those posts to avoid the risk of antagonizing the silenced people/instances.

hannahwhy commented 6 years ago

#253 has been merged and it looks like it addresses the cases in this bug; if that's true, we can close this. @yiskah, @ekiru?

hannahwhy commented 6 years ago

With #253:

I think this combination of behaviors means this issue can be closed, so I'm closing it. There may be other local-only problems later on; let's move those to separate issues.