| -rw-r--r-- | Mailman/Cgi/rmlist.py | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/Mailman/Cgi/rmlist.py b/Mailman/Cgi/rmlist.py
index 83593bdc5..f8af31473 100644
--- a/Mailman/Cgi/rmlist.py
+++ b/Mailman/Cgi/rmlist.py
@@ -114,11 +114,13 @@ def process_request(doc, cgidata, mlist):
 delarchives = 0 # Removing a list is limited to the list-creator (a.k.a. list-destroyer),
- # the list-admin, or the site-admin.
- if not mlist.WebAuthenticate((mm_cfg.AuthCreator,
- mm_cfg.AuthListAdmin,
- mm_cfg.AuthSiteAdmin),
- password):
+ # the list-admin, or the site-admin. Don't use WebAuthenticate here
+ # because we want to be sure the actual typed password is valid, not some
+ # password sitting in a cookie.
+ if mlist.Authenticate((mm_cfg.AuthCreator,
+ mm_cfg.AuthListAdmin,
+ mm_cfg.AuthSiteAdmin),
+ password) == mm_cfg.UnAuthorized:
 request_deletion( doc, mlist, _('You are not authorized to delete this mailing list')) |
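Review bot: The rejection branch under the new `mlist.Authenticate(...) == mm_cfg.UnAuthorized` test only re-renders the form through `request_deletion`, so within this hunk a wrong typed password for a destructive action leaves no audit trail. Because the commit now deliberately ignores cookie credentials, every failure here is a real password attempt and is worth recording before the `request_deletion` call, for example `syslog('mischief', 'Failed authentication deleting list: %s', mlist.internal_name())`, assuming the module's `syslog` helper is in scope. A short comment stating that `Authenticate` is expected to return the matching auth context or `mm_cfg.UnAuthorized` would also help, since the comparison depends on that contract. The body of `process_request` starts and ends outside the hunk, so where `password` is read and whether an empty value is rejected earlier cannot be confirmed from here.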
