[Mailman-Users] Unsubscribe Using Web Form

Greg Sims greg at headingup.net
Sat Nov 8 22:14:51 CET 2014 

>> (2) It appears that the Subscription sequence always returns the contents
>> of the file "subscribe.html".  Is this in fact always the case?  I tried
to
>> subscribe to email address "foo" and did not receive an error -- even
>> though this is not a valid email address.  I suppose I could validate the
>> email address format with my PHP code and provide user feedback.


>If you post an address like 'foo' to the subscribe CGI, you should get a
>result like

>Listname Subscription results
>The email address you supplied is not valid. (E.g. it must contain an `@'.)

>The validation is somewhat primitive and syntactic only, but it should
>refuse to subscribe a syntactically valid address.

>Did 'foo' actually get added to your list?

'foo' did not get added to the list as there is no way to for the system to
send a
validation email and get a response from the user.   It appears that
Posting:

        http://<SERVER>/mailman/subscribe/<LIST_NAME>
            with:
                email => <EMAIL_ADDRESS>
                fullname => <USERS_NAME>
                email-button => "Subscribe"

always returns the contents of the file "subscribe.html" even in the
presence
of an invalid address like 'foo'.  This is easy for me to work around as I
simply
check that EMAIL_ADDRESS has a valid format before Posting.  My Subscribe
code is working well for both normal and error cases.


>> (3) It appears the Unsubscribe sequence I created allows for anyone to
>> unsubscribe anyone else -- all they need to know is an email address that
>> is subscribed to the list.

>This is exactly why Mailman does not allow unsubscribes without
>authentication or confirmation.

I am now a believer that validating Unsubscribe through the user's email is
the
correct approach for my application.  I have code that works for the normal
Unsubscribe case but am having problems with the error cases.

Posting:

            http://<SERVER>/mailman/options/<LIST_NAME>
                with:
                    email => <EMAIL_ADDRESS>
                    login-unsub => "Unsubscribe"

always returns the string "The confirmation email has been sent.".  This is
true
even when the email address is not subscribed to the list -- this will
likely be the
case if the user mistypes their email address.

I did another test that was even more confusing.  I entered a valid email
address
that was not subscribed to the list.  In this case the string "The
confirmation email
has been sent." was received by my code consistent with what I said above.
The
reality is the unsubscribe validation email is never sent in this case.
This would
be very confusing for the user and will likely result in an "I Need Help
Unsubscribing!"
email to our webmaster.

I need to find a way to Post a CGI to Unsubscribe that tells my code if the
EMAIL_ADDRESS is subscribed to the list and if a validation email was
actually
sent.  I tried to Post:

        http://<SERVER>/mailman/options/<LIST_NAME>
            with:
                email => <EMAIL_ADDRESS>
                email-button => "Unsubscribe"

this does not seem to work for the normal path.

I feel like we are getting close.  The good news is my solution is only 50
lines of code
including the Subscribe / Unsubscribe <forms> on a single page.  It might
be interesting
to others if we can get this last piece sorted out.

Thanks again Mark!  Greg

More information about the Mailman-Users mailing list