How to change that unsubscriptions also require confirmation
Hello,
Due to current legislation we need to change mailman to also require confirmation for unsubscribe requests. Does anyone know how?
Thanks!
Somuchfun <somuchfun@atlantismail.com> wrote on 03.01.04:
Due to current legislation we need to change mailman to also require confirmation for unsubscribe requests.
That's built-in anyway, I think (unless the subscriber has authenticated himself with his password through the Web interface)?
But what strange sort of "legislation" are you talking about?
----------8<----------
Sender: mailman-developers-bounces+my=freexp.de@python.org
----------8<----------
                                  ^^^^^^^^^^^^^
How and why has *that* sender header been created?
Michael
Michael,
This feature is surprisingly not built in. If you go to the main list page and just enter your email address and unsubscribe, there will be no confirmation - very unsafe! So basically anyone can unsubscribe someone else. This is a problem in terms of access control. Current legislation is very specific about liability and disclosure of breaches in access control. If we offer a system that has a problem with controlling access then we might be liable. I am surprised to see that unsubscriptions do not have the same options as subscriptions in terms of verification of the sender!
-----Original Message-----
From: mailman-developers-bounces+somuchfun=atlantismail.com@python.org [mailto:mailman-developers-bounces+somuchfun=atlantismail.com@python.org] On Behalf Of Michael Heydekamp
Sent: Saturday, January 03, 2004 1:09 PM
To: mailman-developers@python.org
Subject: Re: [Mailman-Developers] How to change that unsubscriptions alsorequire confirmation
Somuchfun <somuchfun@atlantismail.com> wrote on 03.01.04:
Due to current legislation we need to change mailman to also require confirmation for unsubscribe requests.
That's built-in anyway, I think (unless the subscriber has authenticated himself with his password through the Web interface)?
But what strange sort of "legislation" are you talking about?
----------8<----------
Sender: mailman-developers-bounces+my=freexp.de@python.org
----------8<----------
                                  ^^^^^^^^^^^^^
How and why has *that* sender header been created?
Michael
Somuchfun <somuchfun@atlantismail.com> wrote on 07.01.04:
This feature is surprisingly not built in. If you go to the main list page
Which main list page? The options page where you have three sections (authentication facility to change your settings, cancel the subscription and sending a password reminder)?
and just enter your email address and unsubscribe there will be no confirmation - very unsafe!
If you're right, I agree. And then the text at least on the English and German page would be wrong.
So basically anyone can unsubscribe someone else.
Hmm. We have only been running Mailman in a test environment for a short while and still have some tests ahead of us - this is one of them.
I'll test this over the next few days and will confirm or deny this behaviour. Which version of Mailman are you running?
This is a problem in terms of access control. Current legislation is very specific about liability and disclosure of breaches in access control. If we offer a system that has a problem with controlling access then we might be liable.
Liable for what? This is in the worst case a software bug or leak or whatever which is not nice but does not create real damage IMO. Well, somebody not being authorized might cancel a mailing list subscription, I can think of worse scenarios...
You're in California, right? OK, I'm of course not familiar with the legislation over there but I have heard that in the U.S. almost everybody is being held liable for almost everything, so you might be right. ;-)
BTW: Your Outlook is screwing up the subject ("alsorequire").
                                                  ^^
Michael
On Wed, 2004-01-07 at 15:28, Somuchfun wrote:
So basically anyone can unsubscribe someone else.
Not true in Mailman 2.1, unless that someone is a logged in list administrator. Then that person can unsub anybody through the Membership Management pages.
-Barry
participants (3)
- Barry Warsaw
- Michael Heydekamp
- Somuchfun