On 05/20/2018 07:32 AM, Rubén Fernández Asensio wrote:
> Is this by design, or is this a bug in my Mailman installation? Is there
> any way of making the roster visible to subscribers without giving
> access to personal option pages through it?

One user does not have access to another user's options unless authenticated with a list admin password. If an ordinary user clicks another user's link, she only gets the options login page which can be gotten for any address just by knowing the address no matter how you get there.

By making the roster visible to members you are exposing the addresses. Anyone can go to a url like http://example.com/mailman/options/listname/[email protected] to get to the options login page for [email protected]. That's how mailman works. There's nothing magic about coming from the roster. You can't get past the login page without proper authentication.

-- 
Mark Sapiro <[email protected]>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan

------------------------------------------------------
Mailman-Users mailing list [email protected]
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
