[Mailman-Developers] Authorization System in Core

Harshit Bansal harshitbansal2015 at gmail.com
Sat May 21 18:08:50 EDT 2016

Hi Simon,
This is the discussion that I was referring to:

Harshit Bansal writes:

 > I think the "Permissions Systems" would have nothing to do with the
 > core. It would be related to Postorius. We will have to create a style
 > model separately in Postorius which would store the style name and the
 > user who created it. Then only the user who has created the style
 > would be granted the permission to edit it.

Stephen J. Turnbull wrote:

Then there is no *permissions* system!  For example, one project last
year created a Javascript client -- that would completely bypass the
"permissions" system as you describe it.  You could imagine that style
changes are a "friendly users" feature, and so the "style owner"
system would be a *safety* feature of the Postorius UI rather than an
*authorization* feature of styles.  But in an enterprise context (eg,
a virtual hosting service), I'm sure that users will think of it as an
authorization system.  While at present it seems unlikely that there
would be multiple interfaces on one hosting service, you never know
what users will do[1].  Also, it would not be obvious to somebody who
installed the node.js Mailman client that they are likely bypassing
"security" as documented in the typical Mailman manuals and tutorials
that you would find on the web.

Harshit Bansal

>Earlier, while discussing the permission system for manging styles, it
>decided that the permissions system should be enforced in the core
>than in the postorius since otherwise it can be bypassed(deliberately
>undeliberately). But one thing that I think I forgot to discuss was
>currently there is no authorisation system in the core and now I am
>to figure out that how could the permissions be enforced in the core
>without an authorisation system.
>Should I workout an authorisation system for the core first or enforce
>permissions in postorius only?
Can you elaborate a little more?
What do you want to use the authorization for? Why isn't doing it in
postorius safe enough?

Sent from my Android device with K-9 Mail. Please excuse my brevity.
Mailman-Developers mailing list
Mailman-Developers at python.org
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives:

Security Policy: http://wiki.list.org/x/QIA9

More information about the Mailman-Developers mailing list