[Mailman-Users] Programmatic Subscription

[Mark Sapiro]

Brad Knowles wrote:

>Bill Honneus (honneus) wrote:
>
>> When a user subscribes or unsubscribes from a mailing list, they are
>> sent an email confirmation and must click a link on the web interface or
>> reply to the email to confirm their subscription/removal. One of our
>> engineers is creating a portlet on a web application, and what he wants
>> to do is allow  the user to be immediately subscribed as soon as they
>> click a link.  Is there a way to configure Mailman so that a user is
>> immediately subscribed or removed without the confirmation process?
>
>It's easy enough to do with the command-line tools, if you know what you're 
>doing.


Or see some of the results from
<http://www.google.com/search?q=site%3Amail.python.org++inurl%3Amailman++wget>.


>> Alternatively, if we were to write some custom code on our application,
>> could we simply call the subscribe cgi script, and then send the
>> confirmation request from the application without asking the user for
>> further input?
>>  
>> Please let me know if this is a sound approach.
>
>I would strongly encourage you folks to *NOT* do this.  It's so easy to 
>abuse these kinds of systems and sign someone up for a billion different 
>mailing lists.
>
>There's a reason why the default with Mailman is so that the user has to 
>confirm their subscription request.


I see in another reply that you plan on verifying the user via your web
application before the subscribe/unsubscribe. This is fine, but you
have to be sure that you protect against a user viewing the html
source of your request form and figuring out how to post a
(un)subscribe request to your application.

In other words, you have to protect against one validated user
(un)subscribing other users.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan