[Mailman-Users] List marked private, still accessible from web?
Michael Urashka
murashka at anticlockwise.com
Thu May 11 00:29:40 CEST 2006
> >Additionally, going
> >to the Mailman-run web site for one of the mailing lists (the page
> >people can subscribe from or view the archives, etc), when one clicks
> >on the Archives, one isn't prompted
> >for authentication and just gets the /mailman/private/list archive pages
> >(listed by month: thread/author/subject/date) and one is able to click
> >and read the archives.
>
> Most likely because you previously authorized as the list admin (or a
> list member) during that browser session and still have the
> authorization cookie.
>
> Making the archive private should do it.
This indeed seemed to be the case! Two systems we had been accessing the
lists from both had the authentication cookie. Deleting all cookies and
trying to access:
http://www.somewebsite.com/mailman/private/somelist
Now prompts for email address and password. Many thanks.
###
One last current issue though. Currently going directly to a page
like this still lets me in after deleting cookies of course.
http://www.somesite.com/pipermail/somelist/2005-October/000003.html
But these pages give a 'Forbidden' error:
http://www.somesite.com/pipermail/
http://www.somesite.com/pipermail/somelist/
http://www.somesite.com/pipermail/somelist/2005-October/
Looking in Apache's httpd.conf there's an alias for pipermail into:
Alias /pipermail/ "/usr/local/mailman/archives/private/"
Will changing this (or commenting it out) likely break access to any
of the public lists on the same server? Having inherited these mailing
lists and mailman and web server, I'm uncertain exactly how things were
set up and should be.
Or should I just put a .htaccess file (or directive in httpd.conf) in the
/usr/local/mailman/archives/private/ directory?
--
Michael
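
An added example, not part of the original post: a small Python check that scans Apache configuration text for Alias/AliasMatch directives whose target is Mailman's archives/private tree (or a parent of it), which is the mapping that lets /pipermail/ URLs bypass the /mailman/private login. The install prefix is the one shown in the post; the function name `exposed_aliases` and the sample configuration are constructed for illustration.

```python
import posixpath
import re

# Mailman prefix as shown in the post; adjust for other installs.
PRIVATE_DIR = "/usr/local/mailman/archives/private"

# Directives that map a URL path directly onto the filesystem.
# ScriptAlias is deliberately not matched: it runs CGIs, it does not serve files.
ALIAS_RE = re.compile(
    r'^\s*(Alias|AliasMatch)\s+("[^"]*"|\S+)\s+("[^"]*"|\S+)', re.IGNORECASE)

def exposed_aliases(conf_text, private_dir=PRIVATE_DIR):
    """Return (line_no, url_path, target) for aliases that serve private_dir."""
    private_dir = posixpath.normpath(private_dir)
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directive
        m = ALIAS_RE.match(line)
        if not m:
            continue
        url, target = (g.strip('"') for g in m.group(2, 3))
        if not target.startswith("/"):
            continue  # relative targets are out of scope for this check
        target = posixpath.normpath(target)
        # Flag the private tree itself, a path below it, or any parent of it.
        common = posixpath.commonpath([target, private_dir])
        if common in (target, private_dir):
            findings.append((no, url, target))
    return findings

# Constructed sample configuration (only the /pipermail/ line is from the post).
SAMPLE_CONF = '''\
ScriptAlias /mailman/ "/usr/local/mailman/cgi-bin/"
# Alias /old/ "/usr/local/mailman/archives/private/"
Alias /pipermail/ "/usr/local/mailman/archives/private/"
Alias /icons/ "/usr/local/apache/icons/"
'''

if __name__ == "__main__":
    for no, url, target in exposed_aliases(SAMPLE_CONF):
        print(f"line {no}: {url} -> {target} serves private archives without login")
```

In a stock Mailman 2.1 layout the /pipermail/ alias points at archives/public/, which holds symlinks only for lists whose archives are public, so a configuration using that target produces no findings here.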