Clarifications to enable_authenticated_media

[reivilibre]

Some of the semantics around media access are not especially clear from the config manual and I realised I did not understand it as well as I thought I did.

I think this could be cleared up with a case by case breakdown?

• enable_authenticated_media = False:
  • unauthenticated client or homeserver requesting local media: accepted
  • unauthenticated client or homeserver requesting remote media: accepted as long as the media is in the cache, or the remote homeserver does not require authentication to retrieve the media
• enable_authenticated_media = True:
  • unauthenticated client or homeserver requesting local media: denied unless the media was stored on the server before enable_authenticated_media was True
  • unauthenticated client or homeserver requesting remote media: the same; denied unless the media was stored on the server before enable_authenticated_media was True

In all cases, authenticated clients or homeservers are allowed to access media (with the usual caveat that we won't perform a media fetch over federation on behalf of another federated homeserver)

Also note that each piece of media 'remembers' the flag at the time it is saved, so if you switch it to true(1) , back to false (2), then back to true (3), both media from (1) and (3) will be considered as 'requiring authentication'. Not sure how to phrase this nicely for the manual but may be worthwhile to know.

[daedric7]

Also note that each piece of media 'remembers' the flag at the time it is saved, so if you switch it to true(1) , back to false (2), then back to true (3), both media from (1) and (3) will be considered as 'requiring authentication'. Not sure how to phrase this nicely for the manual but may be worthwhile to know.

All media uploaded by a user while this flag is ON will be tagged as "authenticated only" and will not be available on legacy endpoints, regardless of the status of the enable_authenticated_media.