[Mailman-Developers] Re: what is being checked?

Harald Meland Harald.Meland@usit.uio.no
21 Jul 1999 10:13:49 +0200


[Phillip Porch]

> > My suggestion is: these sort of things should require the "password=<>" on
> > the same line as the request.  If I am a legitimate subscriber, I can
> > punch the HTML button to get my password mailed to me...it's not like I
> > have to keep it on a post and would be an inconvenient imposition to
> > require that parameter as part of the request.
> 
> I think it is the way it is to accommodate the different privacy
> settings.

I'm not sure of the exact context here, but yes, different
private_roster settings will give different results for the "who" mail
command.

 * If "private_roster" is set to "List admin only", the "who" mail
   command will tell you "Private list: No one may see subscription
   list."

 * If set to "List members", it will tell you "Private list: only
   members may see list of subscribers." unless the request sender
   address is a list member.  This is the same algorithm that is used
   for deciding whether or not the "password" command with no
   arguments should mail back the member password or not -- so
   requiring a password to the "who" command in this case would just
   mean extra hassle, and not extra security.

 * If set to "Anyone", the roster will be mailed back without further
   checking.

In all cases only non-hidden member addresses are included in the
roster.

This all mimics the information available via the web interface
closely.

Does that answer the questions you have?
-- 
Harald
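
Added example, not part of the message above and not Mailman source code: a stand-alone Python model of the "who" decision the message describes, usable as a check of the expected reply for each private_roster setting. The Member type, the function names, the case-insensitive address comparison and the sample addresses are assumptions; the setting labels and reply texts are quoted from the message.

```python
from dataclasses import dataclass

# Setting labels and reply texts are quoted from the message above.
ADMIN_ONLY, MEMBERS, ANYONE = "List admin only", "List members", "Anyone"
DENY_ADMIN_ONLY = "Private list: No one may see subscription list."
DENY_MEMBERS = "Private list: only members may see list of subscribers."


@dataclass(frozen=True)
class Member:  # hypothetical record, not a Mailman class
    address: str
    hidden: bool = False


def is_member(sender, members):
    # Assumption: addresses are compared case-insensitively. Hidden members
    # still count as members for this check.
    return sender.strip().lower() in {m.address.lower() for m in members}


def who(private_roster, sender, members):
    """Return (allowed, payload): the visible roster, or the denial text."""
    if private_roster not in (ADMIN_ONLY, MEMBERS, ANYONE):
        raise ValueError(f"unknown private_roster setting: {private_roster!r}")
    if private_roster == ADMIN_ONLY:
        return False, DENY_ADMIN_ONLY
    if private_roster == MEMBERS and not is_member(sender, members):
        return False, DENY_MEMBERS
    # In all allowed cases only non-hidden addresses are returned.
    return True, [m.address for m in members if not m.hidden]


# Constructed sample roster.
ROSTER = [Member("alice@example.org"), Member("bob@example.org", hidden=True)]

if __name__ == "__main__":
    for setting in (ADMIN_ONLY, MEMBERS, ANYONE):
        for sender in ("alice@example.org", "carol@example.net"):
            print(f"{setting:16} {sender:18} ->", who(setting, sender, ROSTER))
```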