Web-public streams
This feature is in beta. Contact [email protected] to
enable it for your Zulip Cloud organization.
Administrators may enable the option to create web-public streams.
Web-public streams can be viewed by anyone on the Internet without
creating an account in your organization.
For example, you can link to a Zulip
topic in a web-public stream
from a GitHub issue, a social media post, or a forum thread, and
anyone will be able to click the link and view the discussion in the
Zulip web application without needing to create an account.
Users who wish to post content will need to create an account in order
to do so.
Web-public streams are indicated with a globe () icon.
Enabling web-public streams in your organization
Enabling web-public streams makes it possible to create web-public
streams in your organization. It also makes certain information about
your organization accessible to anyone on the Internet via the Zulip
API (details below).
To help protect closed organizations, creating web-public streams is
disabled by default for all organizations.
The following information about your organization can be accessed via the Zulip
API if web-public streams are enabled and there is currently at least one
web-public stream.
- The organization's settings (linkifiers, custom emoji, permissions
settings, etc.)
- Names of users
- Names of user groups and their membership
- Names and descriptions of streams
Enabling web-public streams is thus primarily recommended for open
communities such as open-source projects and research communities.
Enable or disable web-public streams
Self-hosted Zulip servers must enable support for web-public streams by setting
WEB_PUBLIC_STREAMS_ENABLED = True
in their server
settings
prior to proceeding.
- Instructions for all platforms
-
Go to Organization permissions.
-
Under Stream permissions, toggle the checkbox labeled "Allow
creating web-public streams (visible to anyone on the Internet)".
Manage who can create web-public streams
- Instructions for all platforms
-
Go to Organization permissions.
-
Under Stream permissions, make sure the checkbox labeled "Allow
creating web-public streams (visible to anyone on the Internet)" is
checked.
-
Under Who can create web-public streams?, select the option you prefer.
See Managing abuse to learn why only
trusted roles like Moderators and Administrators can create web-public streams.
Creating a web-public stream
To create a new web-public stream, follow the instructions for
creating stream, selecting
the Web-public option for Who can access the stream?.
To make an existing stream web-public, follow the instructions to
change the privacy of a
stream, selecting the
Web-public option for Who can access the stream?.
What can logged out visitors do?
Logged out visitors can browse all content in web-public streams,
including using Zulip's built-in search
to find conversations. Logged out visitors can only access
the web-public streams in your organization, and the topics, messages
(including uploaded files) and emoji reactions in those streams.
They cannot:
- View streams that are not configured as web-public streams (or see
whether any such streams exist) without creating an account.
- Send messages.
- React with emoji.
- Participate in polls, or do anything else that might be visible to
other users.
Logged out visitors have access to a subset of the metadata
information available to any new account in the Zulip organization,
detailed below.
- The Organization settings and Stream settings menus are not
available to logged out visitors. However, organization settings data is
required for Zulip to load, and may thus be accessed via the Zulip API.
- Logged out visitors cannot view organization statistics.
Logged out visitors can see the following information about users who
participate in web-public streams. They do not see this information
about users who do not participate in web-public streams in the Zulip
UI, though they may access it via the Zulip API.
- Name
- Avatar
- Role (e.g. Administrator)
- Join date
The following additional information is not available in the UI for
logged out visitors, but may be accessed without an account via the
Zulip API:
- Configured time zone
- Which user groups a user belongs to
The following information is available to all users with an account,
but not to logged out visitors:
- Presence information, i.e. whether the user is currently online,
their status,
and whether they have set themselves as unavailable.
- Detailed profile information, such as custom profile
fields.
- Which users are subscribed to which web-public streams.
Managing abuse
The unfortunate reality is that any service
that allows hosting files visible to the Internet is a potential target for bad
actors looking for places to distribute illegal or malicious content.
In order to protect Zulip organizations from
bad actors, web-public streams have a few limitations designed to make
Zulip an inconvenient target:
- Only users in trusted roles (moderators and administrators) can be given
permission to create web-public streams. This is intended to make it hard
for an attacker to host malicious content in an unadvertised web-public
stream in a legitimate organization.
- There are rate limits for unauthenticated access to uploaded
files, including viewing avatars and custom emoji.
Our aim is to tune anti-abuse protections so that they don't
interfere with legitimate use. Please contact us
if your organization encounters any problems with legitimate activity caused
these anti-abuse features.
As a reminder, Zulip Cloud organizations are expected to
moderate content to ensure compliance
with Zulip's Rules of Use.
Caveats
- Web-public streams do not yet support search engine indexing. You
can use zulip-archive to
create an archive of a Zulip organization that can be indexed by
search engines.
- The web-public view is not yet integrated with Zulip's live-update
system. As a result, a visitor will not see new messages that are
sent to a topic they are currently viewing without reloading the
browser window.
Related articles