[Mailman-Developers] Re: what is being checked?
Harald Meland
Harald.Meland@usit.uio.no
21 Jul 1999 10:13:49 +0200
[Phillip Porch]
> > My suggestion is: these sort of things should require the "password=<>" on
> > the same line as the request. If I am a legitimate subscriber, I can
> > punch the HTML button to get my password mailed to me...it's not like I
> > have to keep it on a post and would be an inconvenient imposition to
> > require that parameter as part of the request.
>
> I think it is the way it is to accommodate the different privacy
> settings.
I'm not sure of the exact context here, but yes, different
private_roster settings will give different results for the "who" mail
command.
* If "private_roster" is set to "List admin only", the "who" mail
command will tell you "Private list: No one may see subscription
list."
* If set to "List members", it will tell you "Private list: only
members may see list of subscribers." unless the request sender
address is a list member. This is the same algorithm that is used
for deciding whether or not the "password" command with no
arguments should mail back the member password or not -- so
requiring a password to the "who" command in this case would just
mean extra hassle, and not extra security.
* If set to "Anyone", the roster will be mailed back without further
checking.
In all cases only non-hidden member addresses are included in the
roster.
This all mimics the information available via the web interface
closely.
Does that answer the questions you have?
--
Harald
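
The decision logic described in the message above, as an added Python sketch that is not part of the original post and not Mailman's own code. The setting labels and reply strings are copied from the message; the function names, the address-to-hidden-flag mapping, the sample addresses, and the choice to reject an unknown setting are assumptions made for illustration.

```python
# Added illustration: a simplified model of the behaviour described in the
# message, not Mailman source code. All names below are hypothetical.

ADMIN_ONLY = "List admin only"
MEMBERS_ONLY = "List members"
ANYONE = "Anyone"

ADMIN_ONLY_REPLY = "Private list: No one may see subscription list."
MEMBERS_ONLY_REPLY = "Private list: only members may see list of subscribers."

# Constructed sample roster: address -> hidden flag.
SAMPLE_MEMBERS = {
    "alice@example.org": False,
    "bob@example.org": True,   # subscribed, but hidden from the roster
}


def sender_is_member(sender, members):
    """The one check the message describes: is the request sender subscribed?"""
    return sender in members


def who_reply(private_roster, sender, members):
    """Return the refusal text, or the roster, for a "who" mail command."""
    if private_roster not in (ADMIN_ONLY, MEMBERS_ONLY, ANYONE):
        # Assumption: an unrecognised setting is refused, not treated as public.
        raise ValueError("unknown private_roster setting: %r" % (private_roster,))
    if private_roster == ADMIN_ONLY:
        return ADMIN_ONLY_REPLY
    if private_roster == MEMBERS_ONLY and not sender_is_member(sender, members):
        return MEMBERS_ONLY_REPLY
    # In all cases only non-hidden member addresses are included in the roster.
    return sorted(addr for addr, hidden in members.items() if not hidden)


def password_mailback_allowed(sender, members):
    """"password" with no arguments: decided by the same membership check."""
    return sender_is_member(sender, members)


if __name__ == "__main__":
    for setting in (ADMIN_ONLY, MEMBERS_ONLY, ANYONE):
        for sender in ("bob@example.org", "carol@example.net"):
            print(setting, "|", sender, "->", who_reply(setting, sender, SAMPLE_MEMBERS))
```

Because `who_reply` and `password_mailback_allowed` share one predicate under "List members", any sender address that passes the roster check also passes the password mail-back check, which is the point the message makes about a password adding hassle but not security.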