Instance Privacy & Media Attachments

Hi All,

I’ve been attempting to create a private Mastodon instance for family. The goal is to provide a private area/newsfeed for family members to safely share content online.

To increase the default privacy levels of the Mastodon server, I:

  • Disabled registrations
  • Allowed invitation links by admins only
  • Disabled profile & timeline publicity (so the discover/about features are not available to unauthenticated users)
  • Enabled AUTHORIZED_FETCH in .env.production
  • Enabled WHITELIST_MODE in .env.production

The above addresses most of my privacy concerns. If unauthenticated users attempt to view statuses or profiles, they cannot.

My issue seems to be that media attachment URLs do not require authentication. An unauthenticated user cannot view a toot from a direct link but can view the toot content with a direct link.

I thought this was meant to happen with the following line appearing in the controllers for media and media proxy:

 before_action :authenticate_user!, if: :whitelist_mode?

But I realise now that this probably applies to specific views and not the direct URL to an image. Is there any way to additionally require Mastodon to authenticate users that wish to access media?

More Info

I am running Mastodon behind NGINX, if that helps. (I have been wondering whether it’s something to do with the NGINX configuration or Mastodon…)

Additionally, the user that I have been testing post access with is the admin user for the server; however, the following settings have been applied:

  • Lock account
  • Posting Privacy: Followers only

So I’d fully expect the content posted by this user (especially if it’s for followers only) to not be publicly exposing media_attachments to anyone with a direct link.

Any advice is appreciated!
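
An added example, not part of the original post or of Mastodon's code: a small check that requests a status link and a media link with no cookies or token and reports which ones are served anyway, which is the symptom described above. The two paths and the local stub server are constructed so the script runs offline; to check a real instance, call `audit()` with your own base URL and links copied from it.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholder paths; replace with links copied from your own instance.
STATUS_PATH = "/@admin/1"
MEDIA_PATH = "/system/media_attachments/files/example.png"

class StubInstance(BaseHTTPRequestHandler):
    """Constructed stand-in that mimics the behaviour described in the post."""
    def do_GET(self):
        # Media files are answered without any session; everything else is refused.
        code = 200 if self.path.startswith("/system/") else 401
        body = b"constructed image bytes" if code == 200 else b""
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):
        pass  # keep the demo output quiet

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a redirect (for example to a sign-in page) instead of following it."""
    def redirect_request(self, *args, **kwargs):
        return None

def probe(base, path):
    """Return the HTTP status for a GET sent with no cookies and no token."""
    opener = urllib.request.build_opener(NoRedirect, urllib.request.ProxyHandler({}))
    try:
        with opener.open(base + path, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(base, paths):
    """Map each path to 'EXPOSED' (2xx without credentials) or 'protected'."""
    return {p: "EXPOSED" if 200 <= probe(base, p) < 300 else "protected" for p in paths}

def demo():
    server = HTTPServer(("127.0.0.1", 0), StubInstance)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit(f"http://127.0.0.1:{server.server_port}", [STATUS_PATH, MEDIA_PATH])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:9} {path}")
```

Running the same audit after each configuration change shows whether the media links have moved from EXPOSED to protected.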
