[ mailman-Bugs-864676 ] Not able to substitute user login with admin login
Bugs item #864676, was opened at 2003-12-22 16:47
Message generated for change (Comment added) made by bwarsaw
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=864676&group_id=103

Category: Web/CGI
Group: 2.1 (stable)
Status: Closed
Resolution: Fixed
Priority: 5
Submitted By: Stephan Berndts (berndts)
Assigned to: Nobody/Anonymous (nobody)
Summary: Not able to substitute user login with admin login
Initial Comment:
As a site or list admin I sometimes want to view the private archives of a mailing list. This was possible without problems in older Mailman installations. Mailman 2.1 rejects my login attempts.

I even found the reason for the problem: For example in Mailman/Cgi/private.py (nearly the same code exists in roster.py) the authentication is done by calling the following code in line 116:

<code>
if not mlist.WebAuthenticate((mm_cfg.AuthUser,
                              mm_cfg.AuthListModerator,
                              mm_cfg.AuthListAdmin,
                              mm_cfg.AuthSiteAdmin),
                             password, username):
</code>

If I try to log in with the site password I do not enter a username. Keep this in mind :)

In <code>WebAuthenticate</code> (found in SecurityManager.py, l. 203) the authcontexts are passed to <code>Authenticate</code> (also in SecurityManager.py, l. 124) if no cookie exists yet. There the function <code>authenticateMember</code> (OldStyleMemberships.py, l. 105) is called (l. 195) for the first entry in authcontexts (AuthUser) and calls <code>getMemberPassword</code> (OldStyleMemberships.py, l. 99) which raises an <code>Errors.NotAMemberError</code> exception; that's ok as I did not provide a username.

But: The exception is first handled in <code>WebAuthenticate</code>, bypassing <code>Authenticate</code> where all possible authcontexts should be given a try before returning a failure.

I submitted a patch (#864674) which puts a try-except-block around the call of <code>authenticateMember</code> in SecurityManager.py (l. 195) which prevents exiting the for-loop before all possible authcontexts are checked.

----------------------------------------------------------------------
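The control flow described in the report above, as an added example that is not Mailman's source and not part of the original message. It is a simplified model: every function name, constant and password in it is constructed for illustration. It shows the member lookup aborting the loop over auth contexts, and the same loop with the lookup guarded as the patch describes.

```python
# Simplified model of the reported control flow; not Mailman's code.
AUTH_USER, AUTH_LIST_MODERATOR, AUTH_LIST_ADMIN, AUTH_SITE_ADMIN = range(4)
UNAUTHORIZED = -1


class NotAMemberError(Exception):
    """Raised when the given user name is not a list member."""


# Constructed sample data (plain comparison keeps the model short).
MEMBER_PASSWORDS = {"alice@example.org": "member-pw"}
CONTEXT_PASSWORDS = {AUTH_LIST_ADMIN: "list-pw", AUTH_SITE_ADMIN: "site-pw"}


def authenticate_member(user, response):
    if user not in MEMBER_PASSWORDS:
        raise NotAMemberError(user)
    return MEMBER_PASSWORDS[user] == response


def authenticate_before(contexts, response, user=None):
    """Loop as described in the report: the member lookup can abort it."""
    for ctx in contexts:
        if ctx == AUTH_USER:
            if authenticate_member(user, response):  # may raise
                return ctx
        elif CONTEXT_PASSWORDS.get(ctx) == response:
            return ctx
    return UNAUTHORIZED


def authenticate_after(contexts, response, user=None):
    """Same loop with the member check guarded, as the patch describes."""
    for ctx in contexts:
        if ctx == AUTH_USER:
            try:
                if authenticate_member(user, response):
                    return ctx
            except NotAMemberError:
                continue  # no such member: try the next context
        elif CONTEXT_PASSWORDS.get(ctx) == response:
            return ctx
    return UNAUTHORIZED


def web_authenticate(authenticate, contexts, response, user=None):
    """Caller that turns an escaped NotAMemberError into a failed login."""
    try:
        return authenticate(contexts, response, user) != UNAUTHORIZED
    except NotAMemberError:
        return False
```
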
Comment By: Barry A. Warsaw (bwarsaw)
Date: 2003-12-26 11:37

Message:
Logged In: YES
user_id=12800

Thanks for the bug report and patch. This makes it into 2.1.4.

----------------------------------------------------------------------

Comment By: Stephan Berndts (berndts)
Date: 2003-12-22 16:59

Message:
Logged In: YES
user_id=129854

Sorry for the <code>-stuff. It makes the bug report hard to read -- I intended the opposite :( I hoped it would work ... and found no documentation about reporting bugs.

Stephan

----------------------------------------------------------------------