[Mailman-Developers] Viewing anyone's options w/o a password

[Aahz]

This is late, but I'd suggest something like this:

Require both e-mail address and password on sign-in.  If no match is made,
the error page contains a link to the form for "mail me password".  I could
go either way on the error page stating that the e-mail address is valid.


-----Original Message-----
From: Harald Meland [mailto:Harald.Meland@usit.uio.no]
Sent: Thursday, July 01, 1999 2:34 PM
To: Rob Francis
Cc: mailman-developers@python.org
Subject: Re: [Mailman-Developers] Viewing anyone's options w/o a
password


[Rob Francis]

> It seems kind of odd to me that if I know someone's email address on
> a list that I can go to the Info page and enter their email address,
> and then w/o a password see what options they have set.

I agree -- in principle this really is giving away more info than it
should, e.g. if I suspect that someone is subscribed to a list, I can
use this "feature" to verify my suspicion.

However, if we make access to the user options page password
restricted, we'd (obviously) have to put the "Email my password to me"
button on some other page -- and I sort of think the listinfo page is
crowded enough as it is.

> Just wondering if this was a decision made on purpose, or perhaps an
> oversight.

I don't know for sure, but I suspect it was done like this because of
the "Email my password to me" issue.

Good suggestions on how this should best be solved are welcome.
-- 
Harald

_______________________________________________
Mailman-Developers maillist  -  Mailman-Developers@python.org
http://www.python.org/mailman/listinfo/mailman-developers