| author | bwarsaw | 2001-10-12 05:09:20 +0000 |
|---|---|---|
| committer | bwarsaw | 2001-10-12 05:09:20 +0000 |
| commit | 6c7babc639ddaa52357c9d306c57d94307165873 (patch) | |
| tree | e836860ff88b7b96b63242c81405ac8907f093f8 /Mailman/HTMLFormatter.py | |
| parent | f0d083ad4926a447c38a5704a51ffe7e7fadfa72 (diff) | |
main(): Make the options page a little more bulletproof against
membership mining when private rosters are being used. Also, fix a
bug in the chopping up of the url parts.

We now print the "Authentication failed" message in the authentication
clause when the `password' key, not the `login' key is present (the
latter won't be when the email address is given on the url, but the
former will always be present).

When mlist.private_roster is <> 0, this means we do have private
rosters (either to the list membership or to the list admins). In
that case, set user to None and continue on. The display will use the
provided email address even if it's not a member, and we'll get a
normal "Authentication failed" message, which doesn't reveal whether
it was the email address or the password that mismatched.

loginpage(): Always set the form action to .../mailman/options
without the email address in the url. If the user was provided to the
login script, hide it (obscured) in a Hidden input field. This way,
we essentially clear any unauthorized emails from the url.

Diffstat (limited to 'Mailman/HTMLFormatter.py')
0 files changed, 0 insertions, 0 deletions
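
The behaviour the commit message describes, as an added Python example that is not Mailman's code: with private rosters a non-member and a wrong password get the same "Authentication failed" result, and the login form keeps the address out of the action URL. The roster, the hidden field name `email`, the `--at--` obscuring scheme and all function names are assumptions made for illustration; the dummy-digest step for non-members goes beyond what the commit message states.

```python
import hashlib
import hmac
from html import escape

GENERIC_FAILURE = "Authentication failed"
_SALT = b"constructed-demo-salt"  # constructed; use a random per-user salt in practice

def _digest(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

# Constructed roster, plus a dummy digest checked for addresses that are not members.
MEMBERS = {"alice@example.com": _digest("correct horse")}
_DUMMY = _digest("placeholder for non-members")

def authenticate(email, password, private_roster=True):
    """Return (user, message); user is None on any failure."""
    stored = MEMBERS.get(email.lower())
    if stored is None and not private_roster:
        # Public roster: membership is not secret, so a specific error leaks nothing.
        return None, "No such member: " + email
    # Private roster: a non-member does the same hashing work as a member and
    # falls through to the same message, so the reply does not confirm membership.
    matched = hmac.compare_digest(_digest(password), stored or _DUMMY)
    if matched and stored is not None:
        return email.lower(), "OK"
    return None, GENERIC_FAILURE

def obscure(email):
    # Assumed obscuring scheme for the hidden field; reversible, not a secret.
    return email.replace("@", "--at--")

def unobscure(value):
    return value.replace("--at--", "@")

def login_form(action, email=None):
    """Render the login form; `action` (hypothetical path) never carries the address."""
    rows = ['<form method="post" action="%s">' % escape(action, quote=True)]
    if email:
        rows.append('<input type="hidden" name="email" value="%s">'
                    % escape(obscure(email), quote=True))
    rows.append('<input type="password" name="password">')
    rows.append('<input type="submit" name="login" value="Log in">')
    rows.append("</form>")
    return "\n".join(rows)
```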
