Who Can Read: Public isn't working right?
Summary: Noticed by Chad:
this page -- the Public Blurb for A Respectful Calm -- isn't actually Anonymous-readable. That probably means something is badly broken in security, and needs to be fixed ASAP.
The issue here is the way that we're handling entry-point security for the Client. Ultimately, it comes down to ClientApi.requestInfo(), which sets up the info structure for the Client. This currently tests whether you are allowed to access the Space, and bounces the request if you can't.
I'm going to leave this in place for now -- the right fix comes when we build the new Security UI, and split the concepts of Private vs. Hidden Spaces. A Private Space is one where the pages are by default non-Public, but the existence of the Space is Public: it shows up on your Profile, and it makes sense to have some Public pages. requestInfo() should allow those requests through. A Hidden Space is one where only Members can even know that the Space exists -- it doesn't show up on your Profile, and it is inappropriate to have Public pages on it. requestInfo() should bounce those requests exactly as it is currently doing. (Indeed, this nicely encapsulates the key difference between Private and Hidden.)
Later: is that right? In that model, how do we handle "share this Space via URL", the way Google Docs does? That's a useful approach -- it is really only legal for Private, not Hidden?
Hmm. OTOH, we could deal with that differently: the sharing URL could contain a token, which sets a cookie, which provides access to this Space. That's rather crude, but it would provide us with a way to do that, if we decided it was needed.
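The Private vs. Hidden split described above, as an added sketch (not code from this project): it models the current entry-point check beside the proposed one and shows how each treats an Anonymous read of a Public page. All names, the use of membership as "allowed to access the Space", and the sample Spaces are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class Visibility(Enum):
    PRIVATE = "private"  # existence is Public; pages default to non-Public
    HIDDEN = "hidden"    # only Members may learn that the Space exists

@dataclass
class Space:
    visibility: Visibility
    members: set = field(default_factory=set)
    public_pages: set = field(default_factory=set)

ANONYMOUS = None  # hypothetical stand-in for a request with no logged-in user

def entry_check_current(space, user):
    """Behaviour the issue describes: bounce anyone who cannot access the Space.
    Assumption: 'can access the Space' is modelled as membership."""
    return "ok" if space is not None and user in space.members else "bounce"

def entry_check_proposed(space, user):
    """Proposed behaviour: only Hidden Spaces are bounced at the entry point."""
    if space is None:
        return "bounce"
    if space.visibility is Visibility.HIDDEN and user not in space.members:
        # Assumption: same answer as for a missing Space, so existence does not leak.
        return "bounce"
    return "ok"  # Private Spaces pass; the per-page check below decides

def can_read_page(space, user, page, entry_check):
    """Entry-point check first, then the page-level Who Can Read check."""
    if entry_check(space, user) != "ok":
        return False
    return user in space.members or page in space.public_pages

# Constructed sample data: one Space of each kind, each with a page marked Public.
PRIVATE_SPACE = Space(Visibility.PRIVATE, {"owner"}, {"blurb"})
HIDDEN_SPACE = Space(Visibility.HIDDEN, {"owner"}, {"blurb"})

if __name__ == "__main__":
    for name, check in (("current", entry_check_current),
                        ("proposed", entry_check_proposed)):
        print(name,
              "private/blurb:", can_read_page(PRIVATE_SPACE, ANONYMOUS, "blurb", check),
              "private/notes:", can_read_page(PRIVATE_SPACE, ANONYMOUS, "notes", check),
              "hidden/blurb:", can_read_page(HIDDEN_SPACE, ANONYMOUS, "blurb", check))
```

In the proposed check a Public marking on a page in a Hidden Space has no effect for non-Members, because the request never reaches the page-level test.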