jointakahe / takahe

An ActivityPub/Fediverse server
BSD 3-Clause "New" or "Revised" License

Anonymous API access to statuses #702

Open pmakholm opened 4 months ago

pmakholm commented 4 months ago

The following API endpoints seem to be public by default on Mastodon, but require the read:statuses scope on Takahe:

    path("v1/accounts/<id>/statuses", accounts.account_statuses),
    path("v1/statuses/<id>/source", statuses.status_source),
    path(
        "v1/statuses/<id>",
        methods(
            get=statuses.status,
        ),
    ),
    path("v1/statuses/<id>/context", statuses.status_context),

It would be nice if it was possible to configure Takahe to allow public access to these.

I believe all information available with these APIs is also available on the public timeline (if enabled), so one solution would be to implicitly enable read:statuses for anonymous access in api/decorators.py if the public timeline is enabled.

pmakholm commented 4 months ago

By the way, the favourited_by and reblogged_by API endpoints are not restricted.

Without checking the precedence by Mastodon, these feel like they should be restricted at least at the same level as reading the status.
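An added sketch of the access rule discussed in this thread, not code from Takahe or from the commenters: anonymous callers get an implicit read:statuses scope only while the public timeline is enabled, and favourited_by sits behind the same gate as the status itself. `SETTINGS`, `Request`, `scope_required`, `load_status` and the sample statuses are hypothetical stand-ins, and limiting anonymous callers to public statuses is an assumption of this sketch.

```python
from functools import wraps
SETTINGS = {"public_timeline": True}  # hypothetical stand-in for the server setting
# Constructed sample data: one public status and one followers-only ("private") status.
STATUSES = {1: {"visibility": "public", "favourited_by": ["alice"]},
            2: {"visibility": "private", "favourited_by": ["bob"]}}

class Request:
    def __init__(self, token_scopes=None):  # None means anonymous (no token)
        self.token_scopes = token_scopes

def has_scope(granted, required):
    # Mastodon-style scope matching: a "read" grant covers "read:statuses".
    return required in granted or required.split(":")[0] in granted

def scope_required(required):
    def decorator(view):
        @wraps(view)
        def wrapper(request, status_id):
            granted = request.token_scopes
            if granted is None:
                # Anonymous: implicit read:statuses only while the public timeline is on.
                granted = {"read:statuses"} if SETTINGS["public_timeline"] else set()
            if not has_scope(granted, required):
                raise PermissionError(f"missing scope {required}")
            return view(request, status_id)
        return wrapper
    return decorator

def load_status(request, status_id):
    status = STATUSES[status_id]
    # Anonymous callers see only public statuses; per-identity checks are omitted here.
    if request.token_scopes is None and status["visibility"] != "public":
        raise PermissionError("status is not public")
    return status

@scope_required("read:statuses")
def status(request, status_id):
    return load_status(request, status_id)

@scope_required("read:statuses")  # same gate as reading the status itself
def favourited_by(request, status_id):
    return load_status(request, status_id)["favourited_by"]

def is_allowed(view, request, status_id):
    try:
        view(request, status_id)
    except PermissionError:
        return False
    return True
```

The scope gate and the visibility check are separate on purpose: enabling the implicit scope widens who may call the endpoint, while the visibility check still bounds what an anonymous caller can read.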