[Mailman-Developers] Authorization System in Core

Stephen J. Turnbull stephen at xemacs.org
Sat May 21 20:30:39 EDT 2016

Simon Hanna writes:

 > While in theory it would be possible to enforce permissions in core
 > about who is allowed to call specific rest calls, this would
 > require a lot of changes. I'm not sure we want to go this way.

Mailman is used in a lot of enterprises contexts, where the system
administrators would like to distribute the components across various
hosts.  Also, the Mailman subscription database itself may be
sensitive.  Eventually we're going to have to face this issue,
although maybe not now.

For the styles, I don't think they're particularly sensitive.  As I
indicated in the quoted passage, we can simply interpret the
"permissions" as a way to protect users from doing stupid things
rather than an authn/authz system.  In that case it's fine to do it in

 > There are some things in core, that suggest that this might come
 > sometime. (Users have passwords and you can authenticate them) But
 > I guess this is somewhat legacy and will be dropped sometime in the
 > future.

Yes, but it would be dropped in favor of OAuth or similar.

More information about the Mailman-Developers mailing list