[Mailman-Users] Roster security
Rubén Fernández Asensio
enseikou at gmail.com
Sun May 20 10:32:08 EDT 2018

Hi all!

My question may be dumb, but I need some confirmation.

I set up a list so that the roster is visible to subscribers.
I just noticed that, when any subscriber logs into the roster, s/he can
access any other user's option page and try to unsubscribe that user or
send a password reminder.

I know no user can be unsubscribed without replying to the confirmation
message, but I was very surprised that any subscriber would be allowed
to do that to any other. I thought making the roster visible to
subscribers would only expose their emails (and names, if they provided
one).

Is this by design, or is this a bug in my Mailman installation? Is there
any way of making the roster visible to subscribers without giving
access to personal option pages through it?

Rubén