[ mailman-Bugs-864676 ] Not able to substitute user login with admin login

SourceForge.net noreply at sourceforge.net
Mon Dec 22 16:59:28 EST 2003


Bugs item #864676, was opened at 2003-12-22 22:47
Message generated for change (Comment added) made by berndts
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=864676&group_id=103

Category: Web/CGI
Group: 2.1 (stable)
Status: Open
Resolution: None
Priority: 5
Submitted By: Stephan Berndts (berndts)
Assigned to: Nobody/Anonymous (nobody)
Summary: Not able to substitute user login with admin login

Initial Comment:
As a site or list admin I sometimes want to view the private 
archives of a mailing list. This was possible without problems in 
older Mailman installations. Mailman 2.1 rejects my login attempts.

I even found the reason for the problem: For example in 
Mailman/Cgi/private.py (nearly the same code exists in roster.py) 
the authentication is done by calling the following code in line 116:

<code>
if not mlist.WebAuthenticate((mm_cfg.AuthUser,
                              mm_cfg.AuthListModerator,
                              mm_cfg.AuthListAdmin,
                              mm_cfg.AuthSiteAdmin),
                             password, username):
</code>

If I try to log in with the site password I do not enter a username. 
Keep this in mind :)

In <code>WebAuthenticate</code> (found in SecurityManager.py, l. 203) 
the authcontexts are passed to <code>Authenticate</code> (also in 
SecurityManager.py, l. 124) if no cookie exists yet.
There the function <code>authenticateMember</code> 
(OldStyleMemberships.py, l. 105) is called (l. 195) for the first entry 
in authcontexts (AuthUser) and calls <code>getMemberPassword</code> 
(OldStyleMemberships.py, l. 99) which raises an 
<code>Errors.NotAMemberError</code> exception; that's ok as I did not 
provide a username.
But: The exception is first handled in <code>WebAuthenticate</code>, 
bypassing <code>Authenticate</code> where all possible authcontexts 
should be given a try before returning a failure.

I submitted a patch (#864674) which puts a try-except-block around 
the call of <code>authenticateMember</code> in 
SecurityManager.py (l. 195) which prevents exiting the for-loop 
before all possible authcontexts are checked.

----------------------------------------------------------------------
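The control flow the report describes, as an added Python illustration that is not Mailman's own code: the auth-context names, NotAMemberError and the try/except idea come from the report; the constant values, the member table, the site password and the helpers check_context and web_authenticate are assumptions made for the example.

```python
import hmac

# Constructed auth contexts in the order the report lists them; 0 = failure.
AuthUser, AuthListModerator, AuthListAdmin, AuthSiteAdmin, UnAuthorized = 1, 2, 3, 4, 0
ALL_CONTEXTS = (AuthUser, AuthListModerator, AuthListAdmin, AuthSiteAdmin)

class NotAMemberError(Exception):
    """Raised when the username is not a list member (as in the report)."""

# Constructed sample credentials, not real Mailman data.
MEMBER_PASSWORDS = {"alice@example.org": "alice-secret"}
SITE_PASSWORD = "site-secret"

def get_member_password(username):
    # Stands in for getMemberPassword: a missing or unknown user raises.
    if username not in MEMBER_PASSWORDS:
        raise NotAMemberError(username)
    return MEMBER_PASSWORDS[username]

def check_context(ac, password, username):
    """True if password is valid for context ac (moderator/list-admin omitted)."""
    if ac == AuthUser:
        return hmac.compare_digest(get_member_password(username), password)
    if ac == AuthSiteAdmin:
        return hmac.compare_digest(SITE_PASSWORD, password)
    return False

def authenticate_buggy(authcontexts, password, username=None):
    # NotAMemberError from the AuthUser check escapes the loop, so the
    # remaining contexts (AuthSiteAdmin included) are never tried.
    for ac in authcontexts:
        if check_context(ac, password, username):
            return ac
    return UnAuthorized

def authenticate_fixed(authcontexts, password, username=None):
    # The patch's idea: a non-member username only fails THIS context.
    for ac in authcontexts:
        try:
            if check_context(ac, password, username):
                return ac
        except NotAMemberError:
            continue
    return UnAuthorized

def web_authenticate(authenticate, password, username=None):
    # Stands in for WebAuthenticate, where the report says the exception
    # is ultimately caught and turned into a plain login failure.
    try:
        return authenticate(ALL_CONTEXTS, password, username)
    except NotAMemberError:
        return UnAuthorized
```

With no username and the site password, the buggy loop reports a failure while the fixed loop reaches AuthSiteAdmin; a valid member login succeeds in both.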

>Comment By: Stephan Berndts (berndts)
Date: 2003-12-22 22:59

Message:
Logged In: YES 
user_id=129854

Sorry for the <code>-stuff. It makes the bug report hard to read -- I 
intended the opposite :( I hoped it would work ... and found no 
documentation about reporting bugs.
Stephan

----------------------------------------------------------------------
