Visibility phase 3: redaction-safe public read API + leak test #44
Phase 3 — the privacy-critical anonymous read surface (`/api/v1/public`).

- `CurrentUserOrNone` optional-auth dep (never 401s).
- `public_view_service`: every projection passes through `privacy.person_visibility`. Persons redacted (living→"Living person", hidden dropped); relationships only when both endpoints non-hidden; events only for FULL persons (partnership events only when both partners full); names only for FULL persons.
- Non-viewable trees → 404 (not 403) so the surface can't probe private trees.
- Media deferred (own pass).
- `public` to all, adds `site_members` for authed; never lists unlisted/private.
- `PublicTreeRead` omits owner_id.

Tests (ran locally, green — CI has no pytest): anonymous end-to-end leak test (a living person's real name/alias/birth-year appear in NO public response; deceased data does), private=404, unlisted-by-link-only, site_members-requires-login, directory visibility. Full suite 70 passed. Regenerated openapi.json + TS client.

⚠️ The AUTHED list endpoints still leak per-person for non-members (pre-existing) — fixed next, separately.
🤖 Generated with Claude Code
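
The projection rules and the leak check described in this PR, as an added example that is not the project's code. The `Vis` levels, the sample tree, the field names and all function names are assumptions made for illustration.

```python
# Added illustration; every name here is hypothetical, not taken from the project.
import json
from enum import Enum

class Vis(Enum):
    FULL = "full"          # e.g. deceased: real data may be shown
    REDACTED = "redacted"  # living: placeholder only
    HIDDEN = "hidden"      # dropped from the response entirely

# Constructed sample tree.
PERSONS = {
    1: {"name": "Ada Quill", "alias": "Addie", "birth_year": 1988, "vis": Vis.REDACTED},
    2: {"name": "Tom Quill", "alias": None, "birth_year": 1901, "vis": Vis.FULL},
    3: {"name": "Eve Marsh", "alias": None, "birth_year": 1950, "vis": Vis.HIDDEN},
}
RELATIONSHIPS = [(2, 1, "parent"), (2, 3, "partner")]
EVENTS = [
    {"type": "birth", "persons": [1], "year": 1988},
    {"type": "death", "persons": [2], "year": 1970},
    {"type": "marriage", "persons": [2, 3], "year": 1925},
]

def project_person(pid, p):
    """Names and dates only for FULL persons; living get a placeholder; hidden vanish."""
    if p["vis"] is Vis.HIDDEN:
        return None
    if p["vis"] is Vis.REDACTED:
        return {"id": pid, "display_name": "Living person"}
    return {"id": pid, "display_name": p["name"], "alias": p["alias"],
            "birth_year": p["birth_year"]}

def public_view(persons, relationships, events):
    vis = {pid: p["vis"] for pid, p in persons.items()}
    shown = [v for pid, p in persons.items() if (v := project_person(pid, p))]
    # Relationships: both endpoints must be non-hidden.
    rels = [r for r in relationships
            if vis[r[0]] is not Vis.HIDDEN and vis[r[1]] is not Vis.HIDDEN]
    # Events: every participant must be FULL (covers partnership events too).
    evs = [e for e in events if all(vis[i] is Vis.FULL for i in e["persons"])]
    return {"persons": shown, "relationships": rels, "events": evs}

def leaked_terms(response, persons):
    """Private strings of non-FULL persons found anywhere in the serialized body."""
    body = json.dumps(response)
    secrets = [str(p[k]) for p in persons.values() if p["vis"] is not Vis.FULL
               for k in ("name", "alias", "birth_year") if p[k] is not None]
    return [s for s in secrets if s in body]
```

Scanning the serialized body rather than individual fields also catches a value that escapes through an unexpected path, such as an event year or a relationship label.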