[Mailman-Users] Admin access restrictions in 2.1.9

Mark Sapiro mark at msapiro.net
Thu Dec 4 16:20:07 CET 2008


Allan Hansen wrote:
>
>I just upgraded my system from Mailman 2.1.5 to 2.1.9. After this change I am no longer
>able to use the 'Change globally' options when helping my subscribers change their
>subscription addresses or such.


This was changed because it was considered a security issue to allow
the owner of one list to change settings for a user on another list. A
malicious owner could even mass subscribe a member of some other list
and change that user's settings on the other list.


>I have used mmsitepass to set a site administrator password (to be sure that that is the password I'm using).


The site admin can still make global user changes, but in order for
this to work you have to set

ALLOW_SITE_ADMIN_COOKIES = Yes

in mm_cfg.py. This is because in the absence of this setting, when you
authenticate to a list with the site password, you get a list admin
cookie, not a site admin cookie. See the comments above this setting
in Defaults.py for why the default is No.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
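
An added example, not part of the original message and not Mailman's own code: a small audit check that reads the text of an mm_cfg.py and reports the effective ALLOW_SITE_ADMIN_COOKIES value, and therefore which cookie the site password yields according to the reply above. The function names and the sample config are constructed for illustration, and the Yes/No/On/Off aliases are assumed to match those defined in Defaults.py.

```python
import re

# Boolean aliases as defined in Mailman 2.1's Defaults.py (assumed here).
TRUE_NAMES = {"Yes", "yes", "On", "on", "True", "1"}
FALSE_NAMES = {"No", "no", "Off", "off", "False", "0"}
# An uncommented assignment (not a comparison) to the setting.
ASSIGN = re.compile(r"^\s*ALLOW_SITE_ADMIN_COOKIES\s*=(?!=)\s*([^#]*)")

# Constructed sample mm_cfg.py, not taken from a real installation.
SAMPLE_MM_CFG = """\
from Defaults import *
# ALLOW_SITE_ADMIN_COOKIES = Yes   (commented out, so ignored)
DEFAULT_URL_HOST = 'lists.example.org'
ALLOW_SITE_ADMIN_COOKIES = No
ALLOW_SITE_ADMIN_COOKIES = Yes  # later assignment wins
"""

def effective_setting(mm_cfg_text, default=False):
    """Return (value, line_no) for the last uncommented assignment.

    (default, None) means mm_cfg.py never overrides the setting, so the
    Defaults.py value (No, per the message above) applies. A value of None
    means the right-hand side is not a recognised boolean alias.
    """
    value, where = default, None
    for line_no, line in enumerate(mm_cfg_text.splitlines(), 1):
        m = ASSIGN.match(line)
        if not m:
            continue
        token = m.group(1).strip()
        if token in TRUE_NAMES:
            value = True
        elif token in FALSE_NAMES:
            value = False
        else:
            value = None  # expression or unknown name: needs manual review
        where = line_no
    return value, where

def cookie_scope(value):
    """Which cookie authenticating with the site password produces."""
    if value is None:
        return "unknown, inspect the assignment manually"
    return "site admin cookie" if value else "list admin cookie"

if __name__ == "__main__":
    value, line_no = effective_setting(SAMPLE_MM_CFG)
    print("line %s -> site password yields a %s" % (line_no, cookie_scope(value)))
```

To check a real installation, pass the contents of its mm_cfg.py to `effective_setting` in place of the sample text.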
