Simon Hanna writes:
> While in theory it would be possible to enforce permissions in core about who is allowed to call specific REST calls, this would require a lot of changes. I'm not sure we want to go this way.
Mailman is used in a lot of enterprise contexts, where the system administrators would like to distribute the components across various hosts. Also, the Mailman subscription database itself may be sensitive. Eventually we're going to have to face this issue, although maybe not now.
For the styles, I don't think they're particularly sensitive. As I indicated in the quoted passage, we can simply interpret the "permissions" as a way to protect users from doing stupid things rather than an authn/authz system. In that case it's fine to do it in Postorius.
> There are some things in core that suggest that this might come sometime. (Users have passwords and you can authenticate them.) But I guess this is somewhat legacy and will be dropped sometime in the future.
Yes, but it would be dropped in favor of OAuth or similar.