Re: Web-based membership management
Date: Tue, 26 Jan 2010 14:43:59 +0100
On Tue, Jan 26, 2010 at 2:21 PM, Ben Schmidt
<mail_ben_schmidt_at_yahoo.com.au> wrote:
> Hi, once again!
>
> The final two things on my wish list for now are to do with membership
> management. This is the first.
>
> I'd like a web interface to allow membership management. I can easily write
> something in PHP to do this and have it join the other web interfaces in
> contrib.
>
> However, it is a bit more involved than the other interfaces. Control files
> are easy to fiddle with as they can be changed to have permissions writable
> by the webserver. Moderation is bearable, as emails can be sent that just do
> the job. For subscription and unsubscription, though, more care is needed.
> Permissions can't just be changed, as subscription/unsubscription by email
> would be affected. Mail can't simply be sent to do the job, as confirmation
> requests and so on would be generated undesirably.
>
> So...I'd like to propose an extension to subscription handling, where the
> subject line of mails to +subscribe or +unsubscribe can contain the
> commandline options of mlmmj-sub or mlmmj-unsub (as appropriate), excluding
> -L. The argument for -L would be implied by the address the mail was sent
> to, of course. Different addresses to the address the mail came from could
> easily be (un)subscribed by using the -a argument: in fact, it would be
> required to be the beginning of the subject line in order for the mechanism
> to be activated. To be secure, it would require the email to come from the
> list owner or someone listed in submod.
>
> A web interface could easily generate such emails to do required list
> admin.
>
> Perhaps for added security it could be required to be turned on with a
> tunable.
>
>
Hi Ben,

I like all the other stuff you proposed, but not this one :-)
From-addresses can be faked easily by script, so to just base yourself on
the sender as a security mechanism is imho a no-no.

If I'm not mistaken, you don't like the other interfaces since they require
certain parts of the mail-list data to be web-writeable, correct? I'm
thinking that Apache authentication/authorization is sufficient to protect
whatever part you want, and by limiting the files writeable by the webserver
to e.g. just the subscription data, you're good to go, no?

What you're requiring is automatic mail-based list actions and to be honest,
I trust my webserver more than a from-address :-)

Franky
Received on Tue Jan 26 2010 - 15:43:59 EET
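
The objection in the reply above, worked through as an added example (not code from mlmmj or from either poster): a handler that follows the proposed subject-line rules and authorizes on the From header alone. The addresses, the PRIVILEGED set and the function names are assumptions made for the illustration.

```python
import shlex
from email import message_from_string
from email.utils import parseaddr

# Assumed sample data: addresses an installation might list as list owner
# or in submod (constructed for this example).
PRIVILEGED = {"owner@example.org", "mod@example.org"}


def parse_admin_subject(subject):
    """Return the address named by -a, or None if the mechanism is not activated."""
    try:
        args = shlex.split(subject)
    except ValueError:
        return None
    # The proposal requires -a to open the subject line and excludes -L.
    if len(args) < 2 or args[0] != "-a" or "-L" in args:
        return None
    address = parseaddr(args[1])[1]
    return address if "@" in address else None


def authorize_by_from(raw_message):
    """The proposed check: act if the From header names the owner or a submod."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    target = parse_admin_subject(msg.get("Subject", ""))
    return target if sender in PRIVILEGED and target else None


# Two constructed messages with identical header blocks. The check sees only
# the header text supplied with each message, so it returns the same decision
# for both and cannot tell the admin web page from any other submitter.
HEADERS = (
    "From: owner@example.org\n"
    "To: list+subscribe@example.org\n"
    "Subject: -a new@example.net\n\n"
)
FROM_WEB_INTERFACE = HEADERS + "generated by the admin page\n"
FROM_ANYONE_ELSE = HEADERS + "not written by the owner\n"

if __name__ == "__main__":
    for raw in (FROM_WEB_INTERFACE, FROM_ANYONE_ELSE):
        print(authorize_by_from(raw))
```

Both messages yield the same decision because nothing in the handler's input binds the From header to whoever actually submitted the mail, which is why the reply prefers access control enforced by the web server.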