Re: [Mailman-Users] Unsubscribe Using Web Form
On 11/08/2014 01:14 PM, Greg Sims wrote:

> It appears that Posting:
>
>     http://SERVER/mailman/subscribe/LIST_NAME
>
> with:
>
>     email = EMAIL_ADDRESS
>     fullname = USERS_NAME
>     email-button = Subscribe
>
> always returns the contents of the file subscribe.html even in the presence of an invalid address like 'foo'.

Have you modified this template? The standard template contains the tag <MM-Results> which is replaced by an informative message.

> Posting:
>
>     http://SERVER/mailman/options/LIST_NAME
>
> with:
>
>     email = EMAIL_ADDRESS
>     login-unsub = Unsubscribe
>
> always returns the string "The confirmation email has been sent.".

...

> I need to find a way to Post a CGI to Unsubscribe that tells my code if the EMAIL_ADDRESS is subscribed to the list and if a validation email was actually sent.

As Richard indicated in another reply, if the membership roster is not public, the responses are generic to prevent using the (un)subscribe processes to fish for membership. Set the list's Privacy options... -> Subscription rules -> private_roster to Anyone and you will get more specific messages.

--
Mark Sapiro m...@msapiro.net        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
[Mailman-Users] Unsubscribe Using Web Form
> > (2) It appears that the Subscription sequence always returns the contents of the file subscribe.html. Is this in fact always the case? I tried to subscribe to email address foo and did not receive an error -- even though this is not a valid email address. I suppose I could validate the email address format with my PHP code and provide user feedback.
>
> If you post an address like 'foo' to the subscribe CGI, you should get a result like
>
>     Listname Subscription results
>
>     The email address you supplied is not valid. (E.g. it must contain an `@'.)
>
> The validation is somewhat primitive and syntactic only, but it should refuse to subscribe a syntactically valid address. Did 'foo' actually get added to your list?

'foo' did not get added to the list as there is no way for the system to send a validation email and get a response from the user. It appears that Posting:

    http://SERVER/mailman/subscribe/LIST_NAME

with:

    email = EMAIL_ADDRESS
    fullname = USERS_NAME
    email-button = Subscribe

always returns the contents of the file subscribe.html even in the presence of an invalid address like 'foo'. This is easy for me to work around as I simply check that EMAIL_ADDRESS has a valid format before Posting. My Subscribe code is working well for both normal and error cases.

> > (3) It appears the Unsubscribe sequence I created allows for anyone to unsubscribe anyone else -- all they need to know is an email address that is subscribed to the list.
>
> This is exactly why Mailman does not allow unsubscribes without authentication or confirmation.

I am now a believer that validating Unsubscribe through the user's email is the correct approach for my application. I have code that works for the normal Unsubscribe case but am having problems with the error cases. Posting:

    http://SERVER/mailman/options/LIST_NAME

with:

    email = EMAIL_ADDRESS
    login-unsub = Unsubscribe

always returns the string "The confirmation email has been sent.". This is true even when the email address is not subscribed to the list -- this will likely be the case if the user mistypes their email address.

I did another test that was even more confusing. I entered a valid email address that was not subscribed to the list. In this case the string "The confirmation email has been sent." was received by my code consistent with what I said above. The reality is the unsubscribe validation email is never sent in this case. This would be very confusing for the user and will likely result in an "I Need Help Unsubscribing!" email to our webmaster.

I need to find a way to Post a CGI to Unsubscribe that tells my code if the EMAIL_ADDRESS is subscribed to the list and if a validation email was actually sent. I tried to Post:

    http://SERVER/mailman/options/LIST_NAME

with:

    email = EMAIL_ADDRESS
    email-button = Unsubscribe

this does not seem to work for the normal path.

I feel like we are getting close. The good news is my solution is only 50 lines of code including the Subscribe / Unsubscribe forms on a single page. It might be interesting to others if we can get this last piece sorted out.

Thanks again Mark! Greg
Re: [Mailman-Users] Unsubscribe Using Web Form
Mailman tries (and I think succeeds) at not letting an outsider know who is subscribed to a list (unless the list publishes its member list, then that list will reveal those who don't hide their email address.)

If you want to help someone unsubscribe without them needing to use the confirmation email, you should first validate that the email address is theirs (maybe through having your own account system where they have confirmed that the email address is theirs), then, using the admin password, check the membership list for the email, and then you can use the web form to unsubscribe them, again using the admin password.
Re: [Mailman-Users] Unsubscribe Using Web Form
I have been slowly working on a somewhat similar project. My thoughts on unsubscribing is to have the module know the admin password for the site, and use that to post into the mailman admin web form an unsubscribe request via curl.

On 11/6/14, 12:42 PM, Greg Sims wrote:

> Hi Mark,
>
> We are making good progress on our project thanks to your help a couple of weeks ago. The Subscribe portion of the process is working and the text is being translated into Chinese.
>
> I'm struggling with the Unsubscribe portion of the project. I extended the webform but can't get it to work. My goal is for our users to use the same web page to subscribe to and unsubscribe from the list with a minimum number of interactions. I understand the need for the two stage subscription process with email confirmation -- this is required (and working). I would like the Unsubscribe to be one click and done.
>
> http://www.raystedman.org/daily-devotions/chinese-subscription
>
> Please note the user has no idea they have a system generated password -- this is as it should be to keep things simple. Most of our users are older and only have the skills to deal with minimal user complexity. We need to keep things simple as a result.
>
> Thanks in advance for your help, Greg
>
> PS. I looked at the Drupal extension for Mailman. It carries too much overhead for large size lists. We already have a mailman list with 10,000 users and hope to double this number next year. We can't afford to have a Drupal user account for each of these users.

--
Richard Damon
[Mailman-Users] Unsubscribe Using Web Form
Hey Mark,

Subscribe / Unsubscribe works well for the normal case thanks to your help.

(1) When I Unsubscribe an email address that does not exist, the result of Posting the form is:

    Bug in Mailman version 2.1.12

    We're sorry, we hit a bug!

    Please inform the webmaster for this site of this problem. Printing of traceback and other system information has been explicitly inhibited, but the webmaster can find this information in the Mailman error logs.

The error log is:

    Nov 07 16:41:51 2014 admin(385):
    admin(385): [- Mailman Version: 2.1.12 -]
    admin(385): [- Traceback --]
    admin(385): Traceback (most recent call last):
    admin(385): File /usr/lib/mailman/scripts/driver, line 112, in run_main
    admin(385): main()
    admin(385): File /usr/lib/mailman/Mailman/Cgi/options.py, line 495, in main
    admin(385): user, 'via the member options page', userack=1)
    admin(385): File /usr/lib/mailman/Mailman/MailList.py, line 1007, in DeleteMember
    admin(385): self.ApprovedDeleteMember(name, whence, admin_notif, userack)
    admin(385): File /usr/lib/mailman/Mailman/MailList.py, line 1023, in ApprovedDeleteMember
    admin(385): self.removeMember(emailaddr)
    admin(385): File /usr/lib/mailman/Mailman/OldStyleMemberships.py, line 221, in removeMember
    admin(385): self.__assertIsMember(member)
    admin(385): File /usr/lib/mailman/Mailman/OldStyleMemberships.py, line 114, in __assertIsMember
    admin(385): raise Errors.NotAMemberError, member
    admin(385): NotAMemberError: x...@y.com

The backtrace ends in a NotAMemberError which is exactly what happened. The result from the POST seems to be a bit off. I need to determine the difference between success and failure looking at the result of the POST. "we hit a bug!" is kind of a funny thing to match against.

(2) It appears that the Subscription sequence always returns the contents of the file subscribe.html. Is this in fact always the case? I tried to subscribe to email address foo and did not receive an error -- even though this is not a valid email address. I suppose I could validate the email address format with my PHP code and provide user feedback.

(3) It appears the Unsubscribe sequence I created allows for anyone to unsubscribe anyone else -- all they need to know is an email address that is subscribed to the list. This is as a result of using the list admin password in my PHP code. I wish there was a way to pass the email address and password of the subscriber from a non-digest email to my PHP code via POST. I tried turning personalization on. It does not seem to be possible to place a form in the footer (or header?) of the email. It also appears that mailman does not replace symbols in the body of an email. This led me to believe the only way to accomplish passing the email address and password via POST is by writing a custom mailman filter that replaces the symbols -- likely in the body of an email.

Is there a simple way to get the subscriber's password (and email address but less important) via POST from a non-digest email to my PHP code? This ensures that someone using my Web Form can only unsubscribe the email address of a mailman email they received (or have access to).

(4) When I get this all sorted out, would you like me to write it up for a FAQ or something? I would be happy to do this if you believe it is worthwhile.

Thanks Mark! Greg
Re: [Mailman-Users] Unsubscribe Using Web Form
On 11/07/2014 03:28 PM, Greg Sims wrote:

> Subscribe / Unsubscribe works well for the normal case thanks to your help.
>
> (1) When I Unsubscribe an email address that does not exist, the result of Posting the form is:
>
>     Bug in Mailman version 2.1.12
>
> ...
>
> The error log is:
>
> ...
>
>     admin(385): raise Errors.NotAMemberError, member
>     admin(385): NotAMemberError: x...@y.com
>
> The backtrace ends in a NotAMemberError which is exactly what happened. The result from the POST seems to be a bit off. I need to determine the difference between success and failure looking at the result of the POST. "we hit a bug!" is kind of a funny thing to match against.

Actually, this is a real bug. It is unlikely to occur in practice, but it can happen if you visit the options page for a user and unsubscribe and between retrieving the options page and unsubscribing, the user is unsubscribed by another process, or more likely, you visit the options page, unsubscribe and then use the browser's back button to go back and unsubscribe again.

I will fix it.

> (2) It appears that the Subscription sequence always returns the contents of the file subscribe.html. Is this in fact always the case? I tried to subscribe to email address foo and did not receive an error -- even though this is not a valid email address. I suppose I could validate the email address format with my PHP code and provide user feedback.

If you post an address like 'foo' to the subscribe CGI, you should get a result like

    Listname Subscription results

    The email address you supplied is not valid. (E.g. it must contain an `@'.)

The validation is somewhat primitive and syntactic only, but it should refuse to subscribe a syntactically valid address. Did 'foo' actually get added to your list?

> (3) It appears the Unsubscribe sequence I created allows for anyone to unsubscribe anyone else -- all they need to know is an email address that is subscribed to the list.

This is exactly why Mailman does not allow unsubscribes without authentication or confirmation.

> This is as a result of using the list admin password in my PHP code. I wish there was a way to pass the email address and password of the subscriber from a non-digest email to my PHP code via POST. I tried turning personalization on. It does not seem to be possible to place a form in the footer (or header?) of the email. It also appears that mailman does not replace symbols in the body of an email. This led me to believe the only way to accomplish passing the email address and password via POST is by writing a custom mailman filter that replaces the symbols -- likely in the body of an email.

But, unless you actually get the list password from the user, how can you know that it is the actual user that submitted the request? Either the user has to provide authentication or you have to do email confirmation. Otherwise, anyone can unsubscribe anyone.

> Is there a simple way to get the subscriber's password (and email address but less important) via POST from a non-digest email to my PHP code? This ensures that someone using my Web Form can only unsubscribe the email address of a mailman email they received (or have access to).

I don't understand. If you mean you want to send the user's password to the user in each non-digest list mail, if the list is personalized, the string %(user_password)s in either msg_header or msg_footer will be replaced by the user's password. You can even craft a one-click unsubscribe link with something like

    %(user_optionsurl)s?unsub=1&unsubconfirm=1&password=%(user_password)s

but any of that is a really bad idea. Sophisticated users don't like to see their passwords mailed in plain text, and unsophisticated users reply to and forward list messages without removing things like unsubscribe links specific to them.

> (4) When I get this all sorted out, would you like me to write it up for a FAQ or something? I would be happy to do this if you believe it is worthwhile.

It might be. It depends on what you arrive at.

--
Mark Sapiro m...@msapiro.net        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
[Mailman-Users] Unsubscribe Using Web Form
Hi Mark,

We are making good progress on our project thanks to your help a couple of weeks ago. The Subscribe portion of the process is working and the text is being translated into Chinese.

I'm struggling with the Unsubscribe portion of the project. I extended the webform but can't get it to work. My goal is for our users to use the same web page to subscribe to and unsubscribe from the list with a minimum number of interactions. I understand the need for the two stage subscription process with email confirmation -- this is required (and working). I would like the Unsubscribe to be one click and done.

http://www.raystedman.org/daily-devotions/chinese-subscription

Please note the user has no idea they have a system generated password -- this is as it should be to keep things simple. Most of our users are older and only have the skills to deal with minimal user complexity. We need to keep things simple as a result.

Thanks in advance for your help, Greg

PS. I looked at the Drupal extension for Mailman. It carries too much overhead for large size lists. We already have a mailman list with 10,000 users and hope to double this number next year. We can't afford to have a Drupal user account for each of these users.
Re: [Mailman-Users] Unsubscribe Using Web Form
On 11/06/2014 09:42 AM, Greg Sims wrote:

> I'm struggling with the Unsubscribe portion of the project. I extended the webform but can't get it to work. My goal is for our users to use the same web page to subscribe to and unsubscribe from the list with a minimum number of interactions. I understand the need for the two stage subscription process with email confirmation -- this is required (and working). I would like the Unsubscribe to be one click and done.
>
> http://www.raystedman.org/daily-devotions/chinese-subscription

If you want immediate unsubscribe without confirmation, you need to provide either the user's list password or the list admin password as the value of the 'password' item in the form data.

Given what you are doing, you could just add

    <input type="hidden" name="password" value="the_list_admin_password">

to the form, but this is a really bad idea as anyone can do what I did and see this in the source of the page which exposes the list admin password to the world.

A better idea is to post just the email address to your own script which if invoked directly just displays some 'result' HTML and have that script post to the options page or post to a list admin page to do the unsubscribe. That way, your script can know the list admin password without exposing it.

--
Mark Sapiro m...@msapiro.net        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
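
Added example, not code from the thread or from Mailman: a Python sketch of the server-side script suggested in the message above, combined with the email-confirmed unsubscribe the thread later settles on, so the browser only ever submits an address and the visitor sees the same reply whether or not the address is subscribed. The URL placeholders and the `email` / `login-unsub` fields are the ones quoted in the thread; the function names and reply texts are hypothetical.

```python
import re
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Placeholders exactly as written in the thread; substitute real values.
OPTIONS_URL = "http://SERVER/mailman/options/LIST_NAME"

# Hypothetical reply texts. None of them depends on list membership.
GENERIC_REPLY = "If that address is subscribed, a confirmation email is on its way."
INVALID_REPLY = "That does not look like an email address."
UNAVAILABLE_REPLY = "The list server could not be reached. Please try again later."

# Syntax-only pre-check, done before anything is posted to Mailman.
_ADDR = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_unsub_request(email):
    """Return (url, body) for the confirmation-based unsubscribe POST.

    Only the two fields quoted in the thread are sent. There is no
    'password' field, so no admin or member password is involved.
    """
    body = urlencode({"email": email, "login-unsub": "Unsubscribe"})
    return OPTIONS_URL, body.encode("ascii")


def http_post(url, body):
    """Default transport: a real form POST to the Mailman options CGI."""
    req = Request(url, data=body,
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def handle_unsubscribe(form, post=http_post):
    """Handle the site's own unsubscribe form and return the text to display."""
    email = (form.get("email") or "").strip()   # every other posted field is ignored
    if not _ADDR.match(email):
        return INVALID_REPLY
    url, body = build_unsub_request(email)
    try:
        post(url, body)   # Mailman's own response text is deliberately not relayed
    except OSError:
        return UNAVAILABLE_REPLY
    return GENERIC_REPLY
```
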