mastodon / mastodon

Your self-hosted, globally interconnected microblogging community
https://joinmastodon.org
GNU Affero General Public License v3.0
46.99k stars 6.95k forks

Disable unauthenticated API access while turning off timeline preview #11289

Closed yingziwu closed 5 years ago

yingziwu commented 5 years ago

Pitch

After turning off timeline preview in the site settings, /api/v1/timelines/public should also disable unauthenticated access.

Motivation

Today I found a website that can view the timeline of each instance, even if that instance has closed timeline preview. To protect the privacy of users, after turning off timeline preview in the site settings, /api/v1/timelines/public should also disable unauthenticated access.

fediuser1232 commented 5 years ago

Disagree. One of the best factors about the Fediverse is its openness (no need to login to view someone's followers, their replies, etc), and making the public timeline available is part of that. If you don't want your posts to show on the public timeline, make them unlisted, otherwise, accept that public posts are public and will be shown publicly.

lfuelling commented 5 years ago

So /api/v1/timelines/public should not be public? In that case it should also not be called public.

phryk commented 5 years ago

@fediuser1232: I think that's bollocks. If the administrator of an instance already decided to hide the public timeline, then obviously that was a conscious decision which the corresponding API endpoint should honor as well. This is especially important for instances specialized for members that have a need for heightened privacy (think LGBT, people of color, radical leftists, etc.).

lfuelling commented 5 years ago

@phryk but those users can simply post unlisted and their stuff is hidden from the public timeline.

IMO: If you left your window open it's not the house manufacturer's obligation to make sure nobody takes the stuff inside. You close them, because you know that. Same applies to post privacy.

Addition: I might be wrong about this, but the timeline preview that instance admins can show or hide in the "server settings" page shows only the federated timeline, not the public local timeline.

ghost commented 5 years ago

@lfuelling the instance admin can choose whether to show the public (federated) timeline, the public (local) timeline, or nothing at all.

As far as I can tell from the codebase as-is, the upcoming authorized fetch mode will disable unauthenticated API access (I may be wrong)!

umonaca commented 5 years ago

We run an instance where the majority of users are more concerned about the privacy of the contents. We made a lot of changes to the code, including this commit which just blocks any unauthorized access to /api/v1/timelines/public. Logged-in users are never affected, while tools like Fedilab and unmung are blocked so that anyone outside of our instance cannot directly access our local public timeline. Our code may look a bit confusing - for anyone who may want to implement such restrictions, please use something like this instead to return a null relation.
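As an added example, not Mastodon's code or the commit umonaca refers to: a stand-alone Ruby model of that gate, showing the API layer checking the same admin setting as the web UI and handing anonymous callers a null relation while logged-in users see the normal result. `SiteSettings`, `PublicTimelineApi` and the sample statuses are constructed for this illustration.

```ruby
# Constructed sample data standing in for the Status table; :local marks
# posts by accounts on this instance, :visibility is the author's setting.
STATUSES = [
  { id: 1, local: true,  visibility: :public,   text: 'public post from this instance' },
  { id: 2, local: false, visibility: :public,   text: 'public post from a remote instance' },
  { id: 3, local: true,  visibility: :unlisted, text: 'unlisted, never on a timeline' },
].freeze

# Hypothetical stand-in for the admin's site settings; +timeline_preview+ is
# the "show timeline preview" toggle the thread is about.
SiteSettings = Struct.new(:timeline_preview, keyword_init: true)

module PublicTimelineApi
  # Models GET /api/v1/timelines/public. +current_user+ is nil for an
  # unauthenticated request; +local+ mirrors the endpoint's local=true param.
  # Returns [http_status, statuses].
  def self.show(settings:, current_user:, local: false)
    # The gate umonaca describes: when the admin has hidden the timeline
    # preview, an anonymous caller gets a null relation (200 with an empty
    # list), so the API honours the same decision as the web UI. Logged-in
    # users fall through and are never affected.
    return [200, []] if current_user.nil? && !settings.timeline_preview

    visible = STATUSES.select { |s| s[:visibility] == :public }
    visible = visible.select { |s| s[:local] } if local
    [200, visible]
  end
end

if __FILE__ == $PROGRAM_NAME
  hidden = SiteSettings.new(timeline_preview: false)
  p PublicTimelineApi.show(settings: hidden, current_user: nil)          # anonymous: empty
  p PublicTimelineApi.show(settings: hidden, current_user: 'alice', local: true)
end
```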

shioko commented 5 years ago

@fediuser1232 So maybe users could have a choice to show their toots only on the local timeline? I think compulsory openness is not so different from a privacy violation. BTW, I'd like to set toot privacy in this way ↓

*If I only checked 'local timeline', my followers on other instances cannot see my toot; sometimes we just want to talk on the local timeline, and these toots would be confusing to others.

ghost commented 5 years ago

@shioko that's a separate issue; please search before posting a new feature request in an existing thread. https://github.com/tootsuite/mastodon/issues/861

buyiyihu commented 3 years ago

I have a similar issue that I think is better posted here to avoid duplication. At the landing page, an unauthorized visitor can see the admin account at the bottom right; clicking it will take you to the home page of the admin with a URL like "domain.com/@admin". Two problems here:

  1. The admin can hide following and followers, but TOOTS are still visible. I have gone through the docs and settings, finding no way to hide them.
  2. If modifying the URL, say changing the @admin to any other @username, it will go straight to that user's home page, with all toots visible.

Could this be a privacy issue? I hope the admin can have the right to control the visibility of toots to unauthorized visitors.

Thanks, great job!

lfuelling commented 3 years ago

@buyiyihu public posts are public.

If you only post "followers only" or "direct" with the admin user, no posts will be visible on the profile.