[Mailman-Users] Admin access restrictions in 2.1.9
mark at msapiro.net
Thu Dec 4 16:20:07 CET 2008
Allan Hansen wrote:
>I just upgraded my system from Mailman 2.1.5 to 2.1.9. After this change I am no longer
>able to use the 'Change globally' options when helping my subscribers change their
>subscription addresses or such.
This was changed because it was considered a security issue to allow
the owner of one list to change settings for a user on another list. A
malicious owner could even mass subscribe a member of some other list
and change that user's settings on the other list.
>I have used mmsitepass to set a site administrator password (to be sure that that is the password I'm using).
The site admin can still make global user changes, but in order for
this to work you have to set
ALLOW_SITE_ADMIN_COOKIES = Yes
in mm_cfg.py. This is because in the absence of this setting, when you
authenticate to a list with the site password, you get a list admin
cookie, not a site admin cookie. See the comments above this setting
in Defaults.py for why the default is No.
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
More information about the Mailman-Users