On Thu, Oct 11, 2001 at 06:54:04PM -0400, Barry A. Warsaw wrote:
> What we can do for MM2.1 is, if the subscriber list is not public, i.e. private_roster is not "Anyone", then if they attempt to subscribe an already subscribed address, we can show them a results page that looks no different whether they actually are subscribed or not.
> Then if they are subscribed, we'll send the user a message saying somebody tried to subscribe their address (should we email the admin too?). If they aren't subscribed, then we'll do the normal routine.

I wouldn't bother the admin. It would be nice if the emails that mailman sends contained something like the Web client's IP address in the headers or message (maybe that already happens; I do not recall) in case some subscriber wants/needs to follow up on a request.

> (I need to make sure the web message you'd see is identical regardless of whether you're subscribed or not. That's a little tricky, but doable.)

Sounds great.

> In MM2.1
> If the user is subscribed, and a url containing their email address is given, then they are presented with a page prompting only for their password. If the email address is incorrect, or missing in the url, then they are prompted for both their address and password.
> This needs to change such that if private_roster is not "Anyone", then the same sets of prompts will be given regardless of whether the address is a member or not.
> This should avoid leaking any membership information. I'll work on getting that into MM2.1. Watch CVS.

Barry, this all sounds great. We'll be setting up a test machine this weekend just for testing out MM CVS code so we can track this and do what we can to help out (and also to work with Postfix and VERP). These changes will be much appreciated!
-Peter
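
The subscribe behaviour discussed in this thread, sketched as an added Python example; it is not Mailman code and was not written by either poster. The `MailingList` class, `handle_subscribe`, `GENERIC_PAGE`, the message texts and the sample addresses are all hypothetical; only the `private_roster` setting and its "Anyone" value come from the thread.

```python
# Added illustration, not Mailman source. All names except private_roster are hypothetical.
from dataclasses import dataclass, field

GENERIC_PAGE = ("Your subscription request has been received. "
                "Check your mailbox for further instructions.")

@dataclass
class MailingList:
    name: str
    private_roster: str = "Anyone"               # "Anyone" means the roster is public
    members: set = field(default_factory=set)
    outbox: list = field(default_factory=list)   # (recipient, subject, body) tuples

    def roster_is_public(self):
        return self.private_roster == "Anyone"

def handle_subscribe(mlist, address, client_ip):
    """Return the results page shown to the web client for a subscribe request."""
    addr = address.strip().lower()
    already = addr in mlist.members
    if already and mlist.roster_is_public():
        # The roster is readable by anyone, so saying so leaks nothing new.
        return f"{addr} is already subscribed to {mlist.name}."
    if already:
        # Private roster: the member is told by mail; the web client learns nothing.
        mlist.outbox.append((addr, f"Subscription attempt on {mlist.name}",
                             f"Someone at {client_ip} tried to subscribe your address. "
                             "You are already a member; no action is needed."))
    else:
        # Normal routine: send a confirmation request to the address.
        mlist.outbox.append((addr, f"Confirm subscription to {mlist.name}",
                             f"Request received from {client_ip}. Reply to confirm."))
    # Same page on both branches, so the response cannot be used to probe membership.
    return GENERIC_PAGE

if __name__ == "__main__":
    # Constructed sample data; any roster value other than "Anyone" counts as private.
    lst = MailingList("test-list", private_roster="members-only-placeholder",
                      members={"alice@example.com"})
    for who in ("alice@example.com", "bob@example.com"):
        print(who, "->", handle_subscribe(lst, who, "192.0.2.10"))
    for msg in lst.outbox:
        print(msg)
```

The two branches should also take comparable time and set the same headers and cookies, since any observable difference in the response would reintroduce the leak.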