Skip to Content.
Sympa Menu

en - [sympa-users] invite scenari

Subject: The mailing list for listmasters using Sympa

List archive

[sympa-users] invite scenari

Chronological Thread  
    < Chronological >       < Thread >
  • From: Matt Taggart <address@concealed>
  • To: address@concealed
  • Subject: [sympa-users] invite scenari
  • Date: Thu, 05 Apr 2012 16:33:06 -0700
Hi,

I was looking at the invite scenari and I noticed something inconsistent.
The invite.owner scenari makes sure that a listmaster authenticates before
letting them invite, but the invite.private one does not. In addition I
think both invite.owner and invite.private should auth their respective
user types before letting them invite, otherwise it's trivial to fake.

Attached is a patch that does these things. I made the patch consistant
with the other cases that do request_auth and thus require auth for dkim as
well. I suppose there could be additional scenari (like invite.ownerdkim)
that wouldn't require that, but I don't know if they are needed (and maybe
not worth adding unless requested).

What do you think?

Thanks,

--
Matt Taggart
address@concealed

--- invite.owner~	2012-04-05 16:16:51.000000000 -0700
+++ invite.owner	2012-04-05 16:18:28.000000000 -0700
@@ -1,6 +1,7 @@
-title.gettext invite perform by list owner do not need authentication
+title.gettext invite perform by list owner
 
-is_owner([listname],[sender])  smtp,dkim,md5,smime -> do_it
+is_owner([listname],[sender])  smtp,dkim -> request_auth
+is_owner([listname],[sender])  md5,smime -> do_it
 is_listmaster([sender])        smtp,dkim -> request_auth
 is_listmaster([sender])        md5,smime -> do_it
 true()                         smtp,dkim,md5,smime -> reject(reason='invite_owner')	
--- invite.private~	2012-04-05 16:18:41.000000000 -0700
+++ invite.private	2012-04-05 16:23:36.000000000 -0700
@@ -1,7 +1,11 @@
 title.gettext restricted to subscribers
 
-is_subscriber([listname],[sender])      smtp,dkim,md5,smime  -> do_it
-is_owner([listname],[sender])           smtp,dkim,md5,smime  -> do_it
-is_editor([listname],[sender])          smtp,dkim,md5,smime  -> do_it
-is_listmaster([sender])                 smtp,dkim,md5,smime  -> do_it
+is_subscriber([listname],[sender])      smtp,dkim  -> request_auth
+is_subscriber([listname],[sender])      md5,smime  -> do_it
+is_owner([listname],[sender])           smtp,dkim  -> request_auth
+is_owner([listname],[sender])           md5,smime  -> do_it
+is_editor([listname],[sender])          smtp,dkim  -> request_auth
+is_editor([listname],[sender])          md5,smime  -> do_it
+is_listmaster([sender])                 smtp,dkim  -> request_auth
+is_listmaster([sender])                 md5,smime  -> do_it
 true()                                  smtp,dkim,md5,smime  -> reject(reason='invite_subscriber')

  • [sympa-users] invite scenari, Matt Taggart, 04/05/2012

Archive powered by MHonArc 2.6.19+.

Top of Page