[Mailman-Users] You gave the wrong password - how to solve this?

Mark Sapiro mark at msapiro.net
Thu Nov 27 06:28:03 CET 2014


On 11/26/2014 05:50 AM, Ulf Dunkel wrote:

> I have now adjusted my stuff that way, that my server sends me myself an
> email with the desired link, e.g.
> 
> <http://<mydomain>/mailman/admin/<listname>/members/remove?send_unsub_ack_to_this_batch=1&send_unsub_notifications_to_list_owner=0&unsubscribees_upload=<user_email>&adminpw=<adminpassword>>
> 
> This works fine for me, but - I don't like to send passwords via email
> to my normal user mail account.


So why don't you just have your server do a wget or curl to get that URL
instead of mailing it to you, or is mailing it to you some kind of
confirmation step?


> When I try
> 
> <http://<mydomain>/mailman/admin/<listname>/members/remove?send_unsub_ack_to_this_batch=1&send_unsub_notifications_to_list_owner=0&unsubscribees_upload=<user_email>>
> 
> instead (without the adminpw stuff), I get this funny error on the webpage:
> 
> ----- snip -----
> Error: The form lifetime has expired. (request forgery check)
> ----- snap -----


As Stephen says, that's CSRF protection. See the documentation of
FORM_LIFETIME, SUBSCRIBE_FORM_SECRET and SUBSCRIBE_FORM_MIN_TIME in
Defaults.py.


> Is there any chance to proceed with URLs like the one above and using
> the web interface with the need to enter the admin password in the browser?


I *think* it will work if you 'Logout' of the admin interface and then
go to the unsubscribe URL. This will get the login page and when you log
in, the unsubscribe will be processed.

Or, you can disable the CSRF protection by removing the setting for
SUBSCRIBE_FORM_SECRET from mm_cfg.py.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
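
The suggestion above of having the server fetch the URL itself, as an added example (not part of the original message and not Mailman code): the admin password is read from an owner-only file and sent in a POST body, so it appears neither in mail nor in the URL that web-server access logs record. It assumes Mailman reads these fields from a POST body the same way it reads them from the query string; the function names and the password file are hypothetical.

```python
import os
import stat
import urllib.parse
import urllib.request

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def read_secret(path):
    """Read the list admin password from a file only its owner can access."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/other; chmod 600 it")
    with open(path, encoding="utf-8") as fh:
        return fh.read().rstrip("\r\n")

def build_remove_request(base_url, listname, user_email, password_file):
    """Build the members/remove request with every field in the POST body."""
    # Assumption: the admin CGI accepts the same field names via POST
    # that the URL in the thread passes via GET.
    url = "{}/mailman/admin/{}/members/remove".format(
        base_url.rstrip("/"), urllib.parse.quote(listname, safe=""))
    fields = {
        "send_unsub_ack_to_this_batch": "1",
        "send_unsub_notifications_to_list_owner": "0",
        "unsubscribees_upload": user_email,
        "adminpw": read_secret(password_file),
    }
    body = urllib.parse.urlencode(fields).encode("ascii")
    # Supplying data= makes this a POST; the URL itself carries no secret.
    return urllib.request.Request(url, data=body, method="POST")

def remove_member(base_url, listname, user_email, password_file, timeout=30):
    """Send the request from the server itself and return the HTTP status."""
    parts = urllib.parse.urlsplit(base_url)
    if parts.scheme != "https" and parts.hostname not in LOOPBACK:
        raise ValueError("refusing to send adminpw in cleartext to a remote host")
    req = build_remove_request(base_url, listname, user_email, password_file)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status
```
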

