[Mailman-Users] List marked private, still accessible from web?

Mark Sapiro msapiro at value.net
Tue May 2 00:39:40 CEST 2006


Michael Urashka wrote:

>About a year ago I set up 3 lists. I was fairly certain I set
>up 2 of the lists as private and 1 as public.


I assume you're talking about archives here.


>A couple weeks ago
>we discovered that all three were set to public (looking in the web
>admin interface). Now I'm not certain if somehow I didn't originally set
>them private. We've upgraded Mailman at least once in this time, not
>sure if that could possibly have affected the settings but I should think
>it unlikely.


Upgrading Mailman shouldn't change a list's archive from private to
public or vice versa. I haven't heard of this failing.


>Anyway, we then toggled the 2 lists we wanted back to private, but
>searching Google I am able to find a couple posts.


The posts were indexed in Google while the archive was public, but with
a 'pipermail' URL that won't work. They will eventually disappear from
Google.


>Additionally, going
>to the Mailman-run web site for one of the mailing lists (the page
>people can subscribe from or view the archives, etc), when one clicks
>on the Archives, one isn't prompted
>for authentication and just gets the /mailman/private/list archive pages
>(listed by month: thread/author/subject/date) and one is able to click
>and read the archives.


Most likely because you previously authorized as the list admin (or a
list member) during that browser session and still have the
authorization cookie.


>I attempted to rebuild the archives with the arch command but that
>appears to not have the desired effect.
>
>Running check_perms showed that the /private archives had the +x for
>'other' set so I toggled that to -x.


This will probably break access to your remaining public archive via the
'pipermail' URL. If it doesn't, that's great - leave it o-x, but I
think you'll probably need to put it back to o+x to access public
archives via the 'pipermail' URL.


>I can still go to the list archives page and view the private archives
>though.


o+x or o-x on the archives/private directory will have no effect on
private archive access. I still think you are able to access the
private archive without authorizing because of a saved cookie from
prior authorization in the browser session.


>I was wondering what the best way to limit viewing of these pages from
>the outside public but allow list members to still have access to the 
>archives is.


Making the archive private should do it.


>Is there something obvious I am missing?


The cookie.

-- 
Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
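
An added example, not part of the original message: a server-side audit that does not depend on browser cookies, reporting which lists the 'pipermail' URL can reach and whether archives/private carries the 'other' execute bit discussed above. It assumes the Mailman 2.x layout, in which a public archive is a symlink archives/public/<list> pointing into archives/private/<list>; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Mailman 2.x archive tree for web exposure.
# Assumption: archives/public/<list> is a symlink to archives/private/<list>
# for public archives and is absent for private ones.

# Print "<list> public" or "<list> private" for each list under <archives>/private.
list_archive_exposure() {
    archives=$1
    for dir in "$archives"/private/*; do
        [ -d "$dir" ] || continue
        name=${dir##*/}
        case $name in *.mbox) continue ;; esac   # raw mbox store, not the HTML archive
        if [ -L "$archives/public/$name" ]; then
            echo "$name public"                  # reachable through the pipermail URL
        else
            echo "$name private"                 # only through /mailman/private/<list>
        fi
    done
}

# Print "o+x" or "o-x" for the archives/private directory itself.
private_dir_other_x() {
    # In the ls -ld mode string, character 10 is the execute bit for 'other'.
    bit=$(ls -ld "$1/private" | cut -c10)
    case $bit in x|t) echo "o+x" ;; *) echo "o-x" ;; esac
}

# Usage: sh audit.sh /path/to/mailman/archives
# With no argument, a constructed sample tree is audited instead.
if [ $# -gt 0 ]; then
    root=$1
else
    root=$(mktemp -d)
    mkdir -p "$root/private/staff" "$root/private/announce" \
             "$root/private/announce.mbox" "$root/public"
    ln -s "$root/private/announce" "$root/public/announce"
    chmod o-x "$root/private"
fi
list_archive_exposure "$root"
echo "archives/private is $(private_dir_other_x "$root")"
```

A list shown as "public" together with "o-x" on archives/private is the combination the reply expects to break 'pipermail' access, since the web server has to traverse archives/private to follow the symlink.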



