[Mailman-Developers] Re: Bug in current authentication

Barry A. Warsaw barry@wooz.org
Wed, 27 Feb 2002 21:35:47 -0500


>>>>> "DM" == Dan Mick <dmick@utopia.West.Sun.COM> writes:

    DM> but that misses the case of

    DM>     if not mlist.isMember(user) and mlist.private_roster == 1:

    DM> which is my case.  Why is that second check there?

To avoid leaking member information when the roster is private.  The
intent is that when rosters are private, you don't want a "no such
member" error message when a non-member address is entered (because
the lack of such a message reveals positive hits when you've actually
entered a member address).

The bug is that when rosters are public, and you've entered a
non-member address, you should not see the unsubscribe or remind
buttons.  I'll fix that.

-Barry
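
The behaviour described in the message above, as an added example that is not part of the original post and is not Mailman's code: with a public roster a non-member address gets an error and no unsubscribe/remind buttons, while with a private roster the page must look the same for members and non-members. Only `isMember` and `private_roster` come from the thread; `ToyList`, `LoginPage`, `render_login`, `leaks_membership`, the addresses, and the reading of `private_roster == 0` as "public" are assumptions made for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ToyList:
    """Hypothetical stand-in for a list object (not Mailman's MailList)."""
    private_roster: int  # assumption: 0 = public roster, non-zero = private
    members: set = field(default_factory=set)

    def isMember(self, addr):
        return addr.lower() in self.members


@dataclass(frozen=True)
class LoginPage:
    error: str          # message shown above the form, "" if none
    show_buttons: bool  # whether unsubscribe / remind buttons are rendered


def render_login(mlist, addr):
    """Decide what the options login page shows for an entered address."""
    if mlist.private_roster == 0:
        # Public roster: membership is not secret, so report the miss and
        # do not offer member-only actions to a non-member.
        if not mlist.isMember(addr):
            return LoginPage("No such member: %s" % addr, False)
        return LoginPage("", True)
    # Private roster: the response must not depend on membership, otherwise
    # the presence or absence of the error acts as a membership oracle.
    return LoginPage("", True)


def leaks_membership(mlist, member, stranger):
    """True if the page shape differs between a member and a non-member."""
    a = render_login(mlist, member)
    b = render_login(mlist, stranger)
    return (bool(a.error), a.show_buttons) != (bool(b.error), b.show_buttons)


if __name__ == "__main__":
    # Constructed sample data.
    for roster in (0, 1):
        ml = ToyList(roster, {"alice@example.com"})
        print(roster, leaks_membership(ml, "alice@example.com",
                                       "mallory@example.com"))
```

For the private case to hold end to end, whatever the buttons do afterwards has to respond just as uniformly as the page itself.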