[Mailman-Developers] [Mailman-checkins] [Branch ~mailman-coders/mailman/2.1] Rev 1297: A new list poster password has been implemented. This password may only

Barry Warsaw barry at list.org
Tue Apr 26 03:30:32 CEST 2011


Hi Mark,

Thanks for taking care of these (as always!).  I have one quick comment.

On Apr 26, 2011, at 01:00 AM, noreply at launchpad.net wrote:

>------------------------------------------------------------
>revno: 1297
>committer: Mark Sapiro <msapiro at value.net>
>branch nick: 2.1
>timestamp: Mon 2011-04-25 16:52:35 -0700
>message:
>  A new list poster password has been implemented.  This password may only
>  be used in Approved: or X-Approved: headers for pre-approving posts.
>  Using this password for that purpose precludes compromise of a more
>  valuable password sent in plain text email.  Bug #770581.
>modified:
>  Mailman/Cgi/admin.py
>  Mailman/Defaults.py.in
>  Mailman/Handlers/Approve.py
>  Mailman/SecurityManager.py
>  Mailman/Version.py
>  Mailman/versions.py
>  NEWS

=== modified file 'Mailman/Defaults.py.in'
--- Mailman/Defaults.py.in	2011-04-25 22:40:16 +0000
+++ Mailman/Defaults.py.in	2011-04-25 23:52:35 +0000
@@ -1375,6 +1375,11 @@
 #   option settings
 # - List creator, someone who can create and delete lists, but cannot
 #   (necessarily) configure the list.
+# - List poster, someone who can pre-approve her/his own posts to the list by
+#   including an Approved: or X-Approved: header or first body line pseudo-
+#   header containing the poster password. The list admin and moderator
+#   passwords can also be used for this purpose, but the poster password can
+#   only be used for this and nothing else.
 # - List moderator, someone who can tend to pending requests such as
 #   subscription requests, or held messages
 # - List administrator, someone who has total control over a list, can
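Review bot: the new comment says the admin and moderator passwords "can also be used for this purpose" without saying why the poster password should be preferred; since the commit message's stated rationale is that an Approved: header travels in plain text email and the poster password "can only be used for this and nothing else", consider adding a sentence here recommending the poster password for pre-approval so that the more valuable admin or moderator password is not exposed in mail headers. Minor style point: the word "pseudo-header" is split across two comment lines with a trailing hyphen, which reads as a hyphenated compound rather than a line wrap; reflowing the comment avoids the ambiguity.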
@@ -1389,7 +1394,8 @@
 AuthCreator = 2       # List Creator / Destroyer
 AuthListAdmin = 3     # List Administrator (total control over list)
 AuthListModerator = 4 # List Moderator (can only handle held requests)
-AuthSiteAdmin = 5     # Site Administrator (total control over everything)
+AuthListPoster = 5    # List poster (Approved: <pw> header in posts only)
+AuthSiteAdmin = 6     # Site Administrator (total control over everything)
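Review bot: renumbering AuthSiteAdmin from 5 to 6 changes the value of an existing constant, so any code or stored data that kept the integer 5 as "site admin" now reads as AuthListPoster; appending the new role as `AuthListPoster = 6` and leaving `AuthSiteAdmin = 5` avoids that. Also, the surrounding values read as an ascending privilege scale (creator, list admin, moderator, site admin), and inserting the poster role at 5 places it numerically above the moderator; if any caller compares these levels ordinally, the poster would rank higher than the moderator, which contradicts the comment that the poster password is good for "Approved: <pw> header in posts only". Either assign the new value at the end of the scale or confirm that no comparison relies on ordering.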
>------------------------------------------------------------

While this is probably harmless, it does make me nervous.  I'd probably have
added the AuthListPoster as value 6 and left AuthSiteAdmin as 5.  It's
unlikely that someone has squirreled these values away, but if they have,
this might break their code because their AuthSiteAdmin enum value is now
AuthListPoster.

I'll leave it up to you, but please consider changing AuthSiteAdmin back to 5
and adding AuthListPoster as 6.

Cheers,
-Barry