At Sun, 20 May 2018 08:26:38 -0700 Mark Sapiro <[email protected]> wrote:
> > On 05/20/2018 07:32 AM, Rubén Fernández Asensio wrote: > > Is this by design, or is this a bug in my Mailman installation? Is there > > any way of making the roster visible to subscribers without giving > > access to personal option pages through it? > > > One user does not have access to another user's options unless > authenticated with a list admin password. If an ordinary user clicks > another user's link, she only gets the options login page which can be > gotten for any address just by knowing the address no matter how you get > there. > > By making the roster visible to members you are exposing the addresses. > Anyone can go to a url like > http://example.com/mailman/options/listname/[email protected] to get to > the options login page for [email protected]. And yes the "options login page" also contains an "unsubscribe" button. But as Mark says, you need the user's list password for anything to actually happen. > > That's how mailman works. There's nothing magic about coming from the > roster. You can't get past the login page without proper authentication. > -- Robert Heller -- 978-544-6933 Deepwoods Software -- Custom Software Services http://www.deepsoft.com/ -- Linux Administration Services [email protected] -- Webhosting Services
------------------------------------------------------ Mailman-Users mailing list [email protected] https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
