diff options
| author | bwarsaw | 2001-08-20 15:13:02 +0000 |
|---|---|---|
| committer | bwarsaw | 2001-08-20 15:13:02 +0000 |
| commit | 275e866680f2a21a85244f40a1cf0c06f7dfdbba (patch) | |
| tree | 7b8c87a1f4b5e65075241a577a2b1f34ac6465c8 | |
| parent | f581d95289d180d54441fe163fa4ca510a99fc95 (diff) | |
| download | mailman-275e866680f2a21a85244f40a1cf0c06f7dfdbba.tar.gz mailman-275e866680f2a21a85244f40a1cf0c06f7dfdbba.tar.zst mailman-275e866680f2a21a85244f40a1cf0c06f7dfdbba.zip | |
| -rw-r--r-- | Mailman/Cgi/rmlist.py | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/Mailman/Cgi/rmlist.py b/Mailman/Cgi/rmlist.py index 83593bdc5..f8af31473 100644 --- a/Mailman/Cgi/rmlist.py +++ b/Mailman/Cgi/rmlist.py @@ -114,11 +114,13 @@ def process_request(doc, cgidata, mlist): delarchives = 0 # Removing a list is limited to the list-creator (a.k.a. list-destroyer), - # the list-admin, or the site-admin. - if not mlist.WebAuthenticate((mm_cfg.AuthCreator, - mm_cfg.AuthListAdmin, - mm_cfg.AuthSiteAdmin), - password): + # the list-admin, or the site-admin. Don't use WebAuthenticate here + # because we want to be sure the actual typed password is valid, not some + # password sitting in a cookie. + if mlist.Authenticate((mm_cfg.AuthCreator, + mm_cfg.AuthListAdmin, + mm_cfg.AuthSiteAdmin), + password) == mm_cfg.UnAuthorized: request_deletion( doc, mlist, _('You are not authorized to delete this mailing list')) |