Public access to API should be reserved to public content

What is the problem you are facing?

I'm trying to make public content public, and private content private.

Turns out, if I understood correctly, it's not possible currently:

• either you open your API, and your whole libraries are browsable (though not playable, but a lot of metadata is available)
• or you keep your API closed, and then public content never appears to non-authenticated users (though some may have channels or public libraries).

I was assuming initially that setting anything public would make it visible / available to authenticated / non-authenticated users alike. I understand now that the design is different, but it would be great to have this in-between option. That could be shown on the About page as well, since it's instance-wise.

It adds more flexibility instance-wise, with an API setting that would differentiate between:

• Make all metadata public and public content available to anonymous access
• Only make public-content metadata & data available to anonymous access
• Require authenticated user to query API (access then depending on profile of libraries / user-accepted shares).

What are the possible drawbacks or issues with the requested changes?

I don't know.

Thanks a lot for reporting your experience with Funkwhale! 🐳 A member of the team will have a look at this ticket as soon as possible. Afterwards this ticket will follow our issue workflow. We would really appreciate if you could check back to answer questions. Enjoy!

/cc @funkwhale/steering-commitee

added StatusNeeds triage label

The metadata which is accessible when api is open is only the audio files metadata. But it can't be linked to your account anymore.

But its true metadata is open to everybody. This might be a problem and we could add another option has you suggested.

But we need to take into account that if your library was once public, the people who used the metadata need to have access to them (so theirs playlist, liked song etc are still complete) even if you close you library.

Maybe we should add a warning about this somewhere ?

removed StatusNeeds triage label

added AreaBackend AreaFrontend AreaSecurity StatusDraft TypeEnhancement labels

But we need to take into account that if your library was once public, the people who used the metadata need to have access to them (so theirs playlist, liked song etc are still complete) even if you close you library.

Yes, but that specific example is already applying to current situation, no? If someone converts a public library to a closed one, then the metadata will be there for others but they won't be able to play any of it, will they? I mean, it's good in all cases to warn users who a reverting from a public to a non-public library that this will an impact for anybody who used to access those audio files, and that this is usually advised against.

In a way, the warning should even be on the initial creation of the public library, no? That once public, closing it will potentially impact others?

What I meant is we will probably need to warn that once you've made your library public it's done and there is no way back. But we need to check the code to see what is possible to do. We could create some automatic prune an re-import but I don't know. This might be a big issue, we could propose this for Google summer of code if you want.

Fine by me, it would be great if this could be looked at during the Google summer of code.

I'm typically in the case that I don't want to expose unnecessary metadata, but would like to make my users' public audio files freely available to anyone.