This is late, but I'd suggest something like this:

Require both e-mail address and password on sign-in. If no match is made, the error page contains a link to the form for "mail me password". I could go either way on the error page stating that the e-mail address is valid.

-----Original Message----- From: Harald Meland [mailto:Harald.Meland@usit.uio.no] Sent: Thursday, July 01, 1999 2:34 PM To: Rob Francis Cc: mailman-developers@python.org Subject: Re: [Mailman-Developers] Viewing anyone's options w/o a password

[Rob Francis]

It seems kind of odd to me that if I know someone's email address on a list that I can go to the Info page and enter their email address, and then w/o a password see what options they have set.

I agree -- in principle this really is giving away more info than it should, e.g. if I suspect that someone is subscribed to a list, I can use this "feature" to verify my suspicion.

However, if we make access to the user options page password restricted, we'd (obviously) have to put the "Email my password to me" button on some other page -- and I sort of think the listinfo page is crowded enough as it is.

Just wondering if this was a decision made on purpose, or perhaps an oversight.

I don't know for sure, but I suspect it was done like this because of the "Email my password to me" issue.

Good suggestions on how this should best be solved are welcome.

Harald

Mailman-Developers maillist - Mailman-Developers@python.org http://www.python.org/mailman/listinfo/mailman-developers