[Mailman-Users] List marked private, still accessible from web?

Mark Sapiro msapiro at value.net
Tue May 2 00:39:40 CEST 2006

Michael Urashka wrote:

>About a year ago I set up 3 lists. I was fairly certain I set
>up 2 of the lists as private and 1 as public.

I assume you're talking about archives here.

>A couple weeks ago
>we discovered that all three were set to public (looking in the web
>admin interface). Now I'm not certain if somehow I didn't originally set
>them private. We've upgraded Mailman at least once in this time, not
>sure if that could possibly have affected the settings but I should think
>it unlikely.

Upgrading Mailman shouldn't change a list's archive from private to
public or vice versa. I haven't heard of this failing.

>Anyway, we then toggled the 2 lists we wanted back to private, but
>searching Google I am able to find a couple posts.

The posts were indexed in Google while the archive was public, but with
a 'pipermail' URL that won't work. They will eventually disappear from

>Additionally, going
>to the Mailman-run web site for one of the mailing lists (the page
>people can subscribe from or view the archives, etc), when one clicks
>on the Archives, one isn't prompted
>for authentication and just gets the /mailman/private/list archive pages
>(listed by month: thread/author/subject/date) and one is able to click
>and read the archives.

Most likely because you previously authorized as the list admin (or a
list member) during that browser session and still have the
authorization cookie.

>I attempted to rebuild the archives with the arch command but that
>appears to not have the desired effect.
>Running check_perms showed that the /private archives had the +x for
>'other' set so I toggled that to -x.

This will probably break access to your remaining public archive via the
'pipermail' URL. If it doesn't, that's great - leave it o-x, but I
think you'll probably need to put it back to o+x to access public
archives via the 'pipermail' URL.

>I can still go to the list archives page and view the private archives

o+x or o-x on the archives/private directory will have no effect on
private archive access. I still think you are able to access the
private archive without authorizing because of a saved cookie from
prior authorization in the browser session.

>I was wondering what the best way to limit viewing of these pages from
>the outside public but allow list members to still have access to the 
>archives is.

Making the archive private should do it.

>Is there something obvious I am missing?

The cookie.

Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
