[Bug 1065447] [NEW] Feature request: REST api to verify password

Dieter Maurer dieter at handshake.de
Thu Oct 11 12:03:15 CEST 2012

Public bug reported:

"mailman" manages users with their individual passwords. It is supposed
to be controlled via a REST api which uses a global (user independent)
authentication. Obviously, an arbitrary user should not be allowed to
change preferences (and other settings) for a different user. This
implies that a REST client has to check user access rights and
(especially) verify the user's identity. The typical way for user
identity verification would be to check that the user knows the password
registered with this user in "mailman". However, the REST api lacks a
corresponding operation.

The REST api should probably be extended by a "verify_password" user
subresource. To avoid passwords being logged by typical webserver
logging, the password to be verified should probably be submitted via
"POST" (not transmitted as part of the "URL").

If the project does not want to go this route (password verification via
a REST operation), then it must document how a client can verify a given
cleartext password against the encrypted password information available
as user attribute.

** Affects: mailman
     Importance: Undecided
         Status: New

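The "verify_password" subresource proposed above, as an added example that is not Mailman code: a minimal standard-library HTTP service exposing POST /users/<address>/verify_password, which reads the candidate password from the form body only (never from the URL, so it stays out of the access log) and checks it in constant time against a salted PBKDF2 hash stored as the user's "password" attribute. The URL layout, the stored-hash format `pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>`, the iteration count and the in-memory user store are assumptions for this example (Mailman's own storage format differs), and the global REST-client authentication that the real API requires is omitted.

```python
"""Added example, not Mailman code: a 'verify_password' user subresource."""
import hashlib
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Assumed work factor; kept modest so the example runs quickly. Raise it in
# production (hundreds of thousands of iterations for PBKDF2-HMAC-SHA256).
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Produce the assumed stored format 'pbkdf2_sha256$iters$salt_hex$hash_hex'."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(stored, candidate):
    """Check a cleartext candidate against the stored attribute.

    The comparison uses hmac.compare_digest so that the response time does not
    depend on how many leading bytes of the digest match."""
    try:
        scheme, iters, salt_hex, hash_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(digest, bytes.fromhex(hash_hex))
    except ValueError:  # malformed stored value
        return False


# Constructed sample store: the user's 'password' attribute holds the hash.
USERS = {
    "anne@example.com": {"password": hash_password("correct horse", salt=bytes(16))},
}
# Hashed against when the user does not exist, so unknown and known addresses
# take the same time to answer.
DUMMY_HASH = hash_password(secrets.token_hex(16))


def verify_request(method, path, query, body):
    """Dispatch /users/<address>/verify_password; return (status, reason).

    The REST client sends the password in the POST body only. A password in
    the query string is rejected outright, because a typical webserver logs
    the request line (and therefore the URL) but not the body."""
    parts = [p for p in path.split("/") if p]
    if len(parts) != 3 or parts[0] != "users" or parts[2] != "verify_password":
        return 404, "not found"
    if method != "POST":
        return 405, "method not allowed"
    if "password" in parse_qs(query):
        return 400, "password must not be sent in the URL"
    candidate = parse_qs(body).get("password", [""])[0]
    user = USERS.get(parts[1])
    stored = user["password"] if user is not None else DUMMY_HASH
    ok = verify_password(stored, candidate) and user is not None
    return (204, "password verified") if ok else (401, "verification failed")


class VerifyHandler(BaseHTTPRequestHandler):
    """Thin HTTP wrapper; the global REST authentication check is omitted here."""

    def _dispatch(self, method):
        url = urlparse(self.path)
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8") if length else ""
        status, reason = verify_request(method, url.path, url.query, body)
        self.send_response(status, reason)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_POST(self):
        self._dispatch("POST")

    def do_GET(self):
        self._dispatch("GET")


if __name__ == "__main__":
    # curl -i -X POST --data-urlencode 'password=correct horse' \
    #      http://127.0.0.1:8001/users/anne@example.com/verify_password
    HTTPServer(("127.0.0.1", 8001), VerifyHandler).serve_forever()
```

A client that reuses this endpoint should treat 204 as "the caller proved knowledge of the password" and 401 as "not proved", and should not distinguish a wrong password from an unknown user in what it reports back.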