I'm actually going to close this as Fix Committed. Here's what you can do; if this is insufficient, please reopen this bug (although it may indeed get postponed until after 3.0).
Let's say you're Postorius and someone has just typed their email address and password. You GET this resource:
http://localhost:9001/3.0/users/anne@example.com
Dig out the `password` attribute in the json. Now, you are armed with the encoded-hashed password of the user, and the cleartext password they typed into the form. You then use this Python code to do the verification:
from flufl.password import verify if verify(json_password, typed_password): # The user successfully logged in.
See http://packages.python.org/flufl.password/docs/using.html#verifying-a-passwo... for details.
** Changed in: mailman Milestone: postponed => 3.0.0b2
** Changed in: mailman Status: Confirmed => Fix Committed
** Changed in: mailman Status: Fix Committed => Fix Released