Open lawremipsum opened 1 year ago
For context, this is prompted by https://github.com/mastodon/mastodon/pull/19803 .
This issue unfortunately strikes again: https://github.com/SnO2WMaN/deno2nix/issues/27#issuecomment-1431283646
@ironiridis have you seen this in practice? I just tried posting a local-only test message on my instance (which does not have that environment variable set) and visited my instance's feed (https://void.holdings/public/local) and via api at https://void.holdings/api/v1/timelines/public/. I could only see the public posts, not the local-only messages, when unauthenticated. local-only posts were present as expected when authenticated. seems like it works as expected.
@hartsick If that's the case, we may well be able to close this issue. I'll note that https://github.com/hometown-fork/hometown/issues/1293#issuecomment-1431527844 seems to have been me confusing myself (now hidden) and I haven't had time to look at this again.
@ironiridis oops, sorry to have tagged you! I missed that you weren't the original poster of this issue.
I'm going to tag @lawremipsum like I originally intended. (see https://github.com/hometown-fork/hometown/issues/1293#issuecomment-2218359997 for context)
@hartsick Yep, in fact she and I were working together as tech admins on the same instance, and I don't believe @lawremipsum is involved with the fediverse at the moment.
As I understand the new API, any anonymous user can read the local feed unless DISALLOW_UNAUTHENTICATED_API_ACCESS is turned on.
If this is an accurate understanding, it effectively makes all "local only" posts available to the public, fundamentally making the setting not just useless, but misleading.
I know that monitoring the API changes for improvements is on the roadmap, but this is effectively a privacy leak that undermines the community nature and a core feature of hometown, and hopefully can be prioritized.
Conversely, if this isn't how it works, it would be helpful to have that confirmed.
Thank you!