[Mailman-Users] You gave the wrong password - how to solve this?

Stephen J. Turnbull stephen at xemacs.org
Wed Nov 26 16:58:24 CET 2014


Ulf Dunkel writes:

 > When I try
 > 
 > <http://<mydomain>/mailman/admin/<listname>/members/remove?send_unsub_ack_to_this_batch=1&send_unsub_notifications_to_list_owner=0&unsubscribees_upload=<user_email>>
 > 
 > instead (without the adminpw stuff), I get this funny error on the webpage:
 > 
 > ----- snip -----
 > Error: The form lifetime has expired. (request forgery check)
 > ----- snap -----

That is odd.

 > Is there any chance to proceed with URLs like the one above and using
 > the web interface with the need to enter the admin password in the browser?

I would think it would work as you expect.  I suspect the problem has
something to do with what is called "cross-site request forgery"
(CSRF).  The technique for combatting that requires that you *start*
by entering the appropriate page, which provides a digitally signed
one-time authorization token, which expires after a fairly short
period.  You then send the token back when you fill in the form, thus
proving that you've followed the correct procedure.  I suspect absence
of a token is being treated the same as an expired token.  I hope it's
a bug and can be fixed, but I don't know much about that part.

Hopefully Mark has an answer to this one.
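The token scheme the reply describes (a signed, time-limited token issued when the form page is loaded and checked when the form is submitted), written out as an added example; this is not Mailman's own code, and the secret, token layout and five-minute lifetime are assumptions. It also makes explicit the failure mode suspected above: a submission with no token at all is rejected, and whether that is reported as "missing" or folded into the generic "expired" message is a choice the application makes.

```python
# Added example, not Mailman's code: HMAC-signed, expiring form token.
import hmac
import hashlib
import time

SECRET = b"constructed-server-secret"   # assumption: server-side secret key
LIFETIME = 300                          # assumption: token valid for 5 minutes

def issue_token(listname, user, now=None):
    """Issue a signed token bound to the list, the user and the issue time."""
    issued = int(now if now is not None else time.time())
    msg = f"{listname}:{user}:{issued}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued}:{mac}"

def check_token(token, listname, user, now=None):
    """Return 'ok', 'missing', 'expired' or 'forged' for a submitted token."""
    if not token:
        return "missing"          # form submitted without loading the page
    now = now if now is not None else time.time()
    try:
        issued_str, mac = token.split(":", 1)
        issued = int(issued_str)
    except ValueError:
        return "forged"           # not even the right shape
    msg = f"{listname}:{user}:{issued}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "forged"           # signature does not match list/user/time
    if issued > now or now - issued > LIFETIME:
        return "expired"          # outside the allowed lifetime window
    return "ok"

def form_error(token, listname, user, now=None):
    """Map a check result to the message the form page would display."""
    result = check_token(token, listname, user, now)
    if result == "ok":
        return None
    if result == "missing":
        return "Error: No form token supplied; load the admin page first."
    # 'expired' and 'forged' share one message so a forger learns nothing.
    return "Error: The form lifetime has expired. (request forgery check)"
```

Calling the admin CGI directly by URL, as in the quoted message, is the "missing" case: no page was loaded, so no token was issued, and the check can only fail.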
