Even if they're granted access.
Not sure what the best way to address this is.
I'd be interested in working on this, it's a blocker for me using todo.sr.ht effectively.
Can you explain more about why this is a blocker for you? I was considering doing away with anonymous users entirely.
It's often useful to receive bug reports from users without accounts, since that's friction to reporting. My alternative is to wrap my user account (or an anon-report account) to report bugs through another form, and I'd prefer not to do that.
I've also run across this. I was planning on using one of my trackers to help organise an event with some friends. Being able to run it myself, but let others submit/comment anonymously would be very useful, as I then don't need to convince others to create accounts on a service that they probably wouldn't use outside of the one event.
What about spam? Anonymous users on a successful project and/or platform will inevitably attract spam if the anon poster contributions is not moderated.
~adamh for your use case you may not need fully anonymous users: the ability to send links that contains one-off credentials for the event/person, so that there's no registration friction, without inviting the entire world to use your tracker as a pastebin.
Maybe if there was an e-mail interface for todo.sr.ht users could just e-mail the tracker and that'd create a ticket? This way no account is necessary and virtually everyone (guesstimate here) has an e-mail account.
While I do like the idea of e-mail issue reporting, I do think that anonymous tickets are important too. Considering how easy it's to create an account, I don't think that just letting anyone post an issue is really that much worse when it comes to spam.
For now participating by email fills this niche sufficiently, and I don't intend to do totally anonymous participation right now.
There's a bit of friction in creating a new webmail address. If you would just have to fill out a captcha I think that would prevent most spam, along with IP blocking and more conventional measures.
People could still fill out your captchas and spam, but that goes for webmail as well. If you're going to start requiring only 'good' email providers like Gmail, you're effectively deputizing them to do phone verification and all that icky stuff and then turning a blind eye to it.
On a similar note, another very cool thing to lower the friction would be so-called 'tripcodes'. You write your username and password while posting, and it posts your username along with the hash of your password. If you want to create an account later on, it could attach all the comments you posted by seeing if your supplied password hashes to anything interesting.