On Apr 06, 2016, at 06:08 PM, Aurelien Bompard wrote:
In that case, how should this address be validated? Should Postorius consider that the login system always validates addresses and set them as verified in Mailman? Should it ask mailman to verify the email addresses when it encounters a user's un-verified address? This does not seem possible in REST at the moment (unless I missed it), and should be protected against multiple checks.
This is why POST on members (i.e. create a subscription) has a pre_verified flag, which defaults to False. The core already has a subscription workflow to send the address a confirmation email if the subscribing address is not already verified, and pre_verified is False.
(It will send a similar confirmation email if pre_confirmed is False and the mailing list is set to confirm or confirm_then_moderate.)
By default, confirmation can only effectively happen by email reply, but the intent is that you could modify the confirm.txt template to include the appropriate link back into Postorius which would effect the same verification step as a mail-back. This link would POST to <api>/addresses/<email>/verify to verify the user's email address.
Thinking about it the terms you describe above, I guess there's another workflow that isn't directly covered. When Postorius creates the user, an address is also created and linked to the user, but it cannot be set as the preferred address until it's verified. I can see where you might want to send the verification email at some point before a subscription event, so that the linked address gets verified and thus could be set as their preferred address. If that's a use case you think we need, do file a bug. I don't think it would be too difficult to implement.
 Or w.r.t. GL issue #112, set a 'confirm.txt' template URL.