[Mailman-Developers] User-centric authentication and access control

Waldbieser, Carl waldbiec at lafayette.edu
Wed Sep 2 04:50:31 CEST 2015


I believe I have a better understanding of the puzzle pieces, now.  In a nutshell:

* Mailman 3 allows you to assign administrative privileges to individual users who may log in with their own credentials.
* Mailman 3 is composed of several separate projects that work together to form a coherent system.
* The Postorius component is the Django-based web UI component for Mailman 3.
* Because it is Django based, the authentication scheme for Postorius can be customized by configuring the appropriate Django authentication middleware (e.g. REMOTE_USER [1]).
* The Mailman REST API provides you with superuser-like access to Mailman, and should only be used to integrate trusted apps.
* Mailmania can be used to provide external access to the RESTful API.  Requests are authenticated, and the typical access controls are enforced.

It seems to me that if I have an authentication mechanism that supports exporting the authenticated user via REMOTE_USER into the web server environment, then I could use that mechanism with Django + Postorius.

I'm assuming Mailmania relies on presenting a username and password directly to the Mailman REST API to authenticate?  Or would it also have some mechanism to let you customize the authentication mechanism?

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College

[1] https://docs.djangoproject.com/en/1.8/howto/auth-remote-user/

----- Original Message -----
From: "Andrew Stuart" <andrew.stuart at supercoders.com.au>
To: "waldbiec" <waldbiec at lafayette.edu>
Cc: "mailman-developers" <mailman-developers at python.org>
Sent: Tuesday, September 1, 2015 9:58:32 PM
Subject: Re: [Mailman-Developers] User-centric authentication and access control

Postorius is a Django app that talks directly to the Mailman 3 REST API and integrates everything needed to get the job done including user interface, authentication and authorization.

Mailmania is an authenticating reverse proxy server.  Effectively it would allow someone to write a purely JavaScript browser based interface to Mailman 3, and it would provide the back end authorization and authentication.  No such JavaScript interface exists though. Mailmania provides a way for the public to talk to the Mailman 3 core REST API. 

In very loose terms you can imagine if you pulled Postorius apart into a backend and a JavaScript user interface/front end, then Mailmania would be the equivalent of the back end. Sort of.

If you wanted to write a user interface for Mailman using ReactJS or AngularJS then you’d probably want it to talk to Mailmania.

If you want to actually have a working interface to Mailman 3 then you need Postorius as no-one has written any user interface code for Mailmania.

as
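
Added example (not part of the thread, and not Mailman, Postorius or Mailmania code): the trust boundary behind the REMOTE_USER approach discussed above, shown at the WSGI layer. The web server's authentication module sets the `REMOTE_USER` environ key, while any header a client sends arrives as `HTTP_*`; the function names, the `app.user` key and the sample users are assumptions made for this illustration.

```python
from wsgiref.util import setup_testing_defaults

TRUSTED_KEY = "REMOTE_USER"  # set by the web server's auth module, never by the client


def build_environ(server_user=None, client_headers=None):
    """Build a WSGI environ the way a server would (constructed sample input)."""
    environ = {}
    setup_testing_defaults(environ)
    # CGI/WSGI rule: every client request header is exposed as HTTP_<NAME>.
    for name, value in (client_headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    if server_user is not None:
        environ[TRUSTED_KEY] = server_user
    return environ


def authenticated_user(environ):
    """Return the externally authenticated user, or None if the server set none."""
    user = environ.get(TRUSTED_KEY, "").strip()
    return user or None


def remote_user_gate(app):
    """WSGI middleware (hypothetical): refuse requests the web server did not authenticate."""
    def wrapper(environ, start_response):
        user = authenticated_user(environ)
        if user is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"authentication required\n"]
        environ["app.user"] = user  # hypothetical key read by the wrapped app
        return app(environ, start_response)
    return wrapper


def whoami(environ, start_response):
    """Tiny downstream app that echoes the user the gate accepted."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["app.user"].encode() + b"\n"]


def call(app, environ):
    """Run one request through the app and return (status, body)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    body = b"".join(app(environ, start_response))
    return seen["status"], body
```

Django's RemoteUserMiddleware reads this same `REMOTE_USER` key from `request.META` by default, so the deployment question is whether only the web server can set it.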

