glitch-soc / mastodon

A glitchy but lovable microblogging server
https://glitch-soc.github.io/docs/
GNU Affero General Public License v3.0

[feature request] allow user to toggle RSS feed of their posts #1936

Open compufox opened 2 years ago

compufox commented 2 years ago

Pitch

currently every user has an automatic RSS feed containing their unlisted and public posts, i think it would be good if there was some account setting that allowed the user to turn this off.

Motivation

while unlisted/public posts are not hidden from other users, i can see where providing that data in an easy to scrape format (RSS feeds) would help provide new and faster methods for harassing users.

VyrCossont commented 1 year ago

Hometown implemented this in hometown-fork/hometown#1233; could we copy their implementation?

tamazonx commented 1 year ago

In light of the qoto ban evasion information (scraping rss feeds to get around people blocking other people), I would really like to see some movement on this.

ClearlyClaire commented 1 year ago

If the reason is to avoid bad actors subscribing to your feed, I'm afraid that limiting RSS would not be enough and would only provide a false sense of security: indeed, it would be as easy for a bad actor to use the REST API to get the same information.

What we could do, I guess, is an option to avoid non-logged users to list your posts. This would also disable the RSS feed. Of course, this means that random non-logged users will not be able to see your posts when visiting your profile. And it also doesn't prevent a bad actor from just looking at your feed from another server where you have a follower.

whatSocks commented 1 year ago

> an option to avoid non-logged users to list your posts

this would be great

selfawaresoup commented 1 year ago

Right now, RSS feeds are a way to circumvent DISALLOW_UNAUTHENTICATED_API_ACCESS so if that env setting is on, either the RSS feeds should respect it too or users should at least have the option to opt out.

sgrigson commented 10 months ago

DISALLOW_UNAUTHENTICATED_API_ACCESS, as mentioned above, doesn't prevent this.

In addition, this is a setting only available to server admins with access to the server, and not individual users.

ShadowJonathan commented 9 months ago

Together with https://github.com/mastodon/mastodon/issues/29011, this would remove a ton of avenues that actors could use to scrape people's posts.