Skip to content

Add attendee privacy setting independent of event visibility #490

Description

@tompscanlan

Summary

Add an "Attendee Privacy" toggle that is independent of event visibility (public/unlisted/private). When enabled, only organizers can see who is attending.

Problem

Users want to RSVP to discoverable events without broadcasting their attendance. Current model ties attendance visibility to event visibility:

  • Public events → attendance is public (on ATProtocol/firehose)
  • Unlisted events → attendance visible to anyone with URL

There's demand for a middle ground: discoverable events where attendance remains private.

Proposed Solution

Add an independent toggle: Attendee Privacy (enabled/disabled)

When attendee privacy is enabled:

  • UI: No attendees section shown to non-organizers (or shows "Attendance is private")
  • API: Attendee endpoints return 403 or empty for non-organizers
  • ATProtocol: Attendance records are NOT published to PDS regardless of event visibility
  • Organizers still see full attendee list in dashboard

This creates a clean orthogonal model:

Event Visibility Attendee Privacy Use Case
Public Off Social events, networking ("see who's going!")
Public On Discoverable but attendance protected
Unlisted Off Semi-private, attendees can see each other
Unlisted On Support groups, sensitive gatherings
Private Off Exclusive events, guest list is part of appeal
Private On High-security, even invitees don't see each other

Implementation Notes

  • Database: Add attendee_privacy_enabled: boolean to events table
  • Default: false (current behavior preserved)
  • API enforcement required - not just UI hiding
  • Consider: Should attendee count be hidden too, or just the list?

Acceptance Criteria

  • Event creation/edit UI includes attendee privacy toggle
  • When enabled, attendee list hidden from non-organizers in UI
  • When enabled, attendee API endpoints enforce access control
  • When enabled + public event, attendance records not published to PDS
  • Organizers always see full attendee list
  • Existing events default to privacy disabled (backwards compatible)

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions