Developers of Sympa

[Adam Bernstein <address@concealed>]

Olivier suggested I move this to the dev list, so here it is.  I posted
a bug/feature request (#527), as follows:

> > We find many users getting confused by the Web subscription/unsubscription
> > process when they're not logged in.  It's much easier for everyone if all
> > unauthenticated requests are confirmed the same way, by simply Replying to
> > an email confirmation request, just the way it works now when a request is
> > initiated by email.  And it should always happen the same way, regardless
> > of whether the user's password is an INIT password or not, or whether
> > they're already in the user db.
> > 
> > The attached patch to wwsympa.fcgi makes this change, and in the process
> > simplifies the code a bit in do_subrequest() and do_sigrequest().  Of
> > course, you also have to modify the text of subrequest.tt2 and
> > sigrequest.tt2, so instead of telling you to input your password on the
> > Web page, it just says something like "A confirmation message has been
> > sent to you, please reply to it to subscribe/unsubscribe."  I'm not
> > attaching patches for those files.

I got the initial (one-line) patch from Riseup, but have since expanded
and generalized it, now replacing a dozen or so lines with a much
simpler line or two in each of the sub/unsub subroutines.

Olivier's (or someone's) response was:

> > That's a very good idea but the way you patched wwsympa we loose a
very
> > interesting feature : once the user performed the confirmation, he's not
> > logged in on the web interface (because the confirmation is sent to
> > sympa.pl, not to the web interface). 
> > 
> > The ideal way to change this would be to remove the notion of INIT
> > passwords and always use confirmations. Confirmation messages would
> > include a web URL instead of the mailto when triggered from the web
> > interface. While doing a confirmation the user would also login. 
> > 
> > These changes are related to a bigger work in sympa's web authentication :
> > 
> >  * manage authentication sessions centraly in wwsympa (not just cookies)
> >  * replace the password reminder with a password initializer

To which I say:

> I see your point, but I do think there's no need to connect the
> confirmation process with the login process -- they're really two
> totally different things.  It is convenient in some situations to have
> confirmations result in a login now, but I would say 98% of the time
> it's totally irrelevant.  So I would vote for just making this email
> confirmation change and skipping the login question.  But that's just
> me, and the two related projects you mention both sound great too.

So, other than figuring that Riseup is probably supportive of my
position (see above ;), I'm wondering if others would also find this
change to be a worthwhile improvement.  I like Olivier's idea of a
confirmation URL for all subscriptions instead of an email responder,
and it has the huge advantage of eliminating the problem where naive
users send their confirmation reply from a different address than they
requested subscription for.  But until that's available, email reply
confirmations for all?

    ab