Bug Reports
Public claimed things show user/auth
by a8b987
· 12/03/26 18:17
If you dweet an update on a claimed thing but forget to add the private=1 because you want it to be public readable but not writeable the user and auth are included in the payload when any user then gets the latest dweet.
This means that any user can then use the user/auth to update the thing in the future
a8b987
· 12/03/26 18:25
Some more info, this only happens before you dweet with public=1. Thereafter the reading of the thing does requires auth. Also it seems once you publish with private=1 once it always needs to be 1 going forward (so publishing with private=0 didn't seem to update the thing).