Anonymous API access to statuses
pmakholm opened this issue · comments
The following API endpoints seem to be public by default on Mastodon, but require the read:statuses scope on Takahe:
path("v1/accounts/<id>/statuses", accounts.account_statuses),
path("v1/statuses/<id>/source", statuses.status_source),
path(
    "v1/statuses/<id>",
    methods(
        get=statuses.status,
    ),
),
path("v1/statuses/<id>/context", statuses.status_context),
It would be nice if it was possible to configure Takahe to allow public access to these.
I believe all information available with these APIs is also available on the public timeline (if enabled), so one solution would be to implicitly enable read:statuses for anonymous access in api/decorators.py if the public timeline is enabled.
By the way, the favourited_by and reblogged_by API endpoints are not restricted.
Without checking the precedence by Mastodon, these feel like they should be restricted at least at the same level as reading the status.
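
The proposal above, sketched as an added example (not part of the original issue and not Takahe's code): a scope decorator that treats anonymous callers as holding read:statuses only while the public timeline is enabled, applied equally to favourited_by. `Config`, `Request`, `STATUSES`, `scope_required` and the view bodies are hypothetical stand-ins, and the explicit visibility check for anonymous callers is an assumption of this sketch.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Optional

class Forbidden(Exception):
    """Raised when the caller lacks the scope or may not see the status."""

@dataclass
class Config:                      # hypothetical stand-in for server settings
    public_timeline: bool = False

@dataclass
class Request:                     # hypothetical; token_scopes None = anonymous
    token_scopes: Optional[frozenset] = None

CONFIG = Config()
ANONYMOUS_SCOPES = frozenset({"read:statuses"})  # granted only if timeline is public
STATUSES = {1: "public", 2: "followers"}         # constructed: id -> visibility

def holds(scopes, required):
    # A parent scope such as "read" covers "read:statuses".
    return required in scopes or required.split(":", 1)[0] in scopes

def scope_required(required):
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            if request.token_scopes is None:
                scopes = ANONYMOUS_SCOPES if CONFIG.public_timeline else frozenset()
            else:
                scopes = request.token_scopes
            if not holds(scopes, required):
                raise Forbidden(f"missing scope {required}")
            return view(request, *args, **kwargs)
        return wrapper
    return decorator

def visible_status(request, status_id):
    # The implicit scope must not widen visibility: anonymous sees public only.
    # (Per-user visibility checks for authenticated callers are omitted here.)
    visibility = STATUSES[status_id]
    if request.token_scopes is None and visibility != "public":
        raise Forbidden("not public")
    return {"id": status_id, "visibility": visibility}

@scope_required("read:statuses")
def status(request, status_id):
    return visible_status(request, status_id)

@scope_required("read:statuses")   # same gate as reading the status itself
def favourited_by(request, status_id):
    visible_status(request, status_id)
    return []
```

Lookups by id can reach statuses that never appear on the public timeline, which is why the sketch keeps a per-status visibility check in addition to the scope gate.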