Subject: The mailing list for listmasters using Sympa
- From: Erin Michaud <address@concealed>
- To: Steve Shipway <address@concealed>, "address@concealed" <address@concealed>
- Subject: RE: [sympa-users] restricting list ownership
- Date: Wed, 7 May 2014 15:08:06 +0000
With the assistance of one of our in-house developers (I am not a coder by any stretch) we were able to modify wwwsympa.fcgi to accommodate our needs. Our scenario: we want external users to be able to authenticate to our sympa server, but only want list-ownership to be allowed to be granted to internal users (for us, anyone with a law.harvard.edu email). My initial attempt to modify List.pm quasi-worked, in that the web-gui threw an error if I set a non-hls email as owner, but it still actually wrote the email to the config file and granted that ownership, including sending a notification email to the new owner. After our fearless dev looked at all the code, it was determined that the best place to restrict this is in the cgi itself. This code is “law.harvard.edu” specific, and is admittedly a crude hack, but it works, with the added benefit of allowing hand-modification of the actual list config file to add non-hls emails in the rare exception cases we have. Our goal was primarily to disallow self-service granting of offsite owners.
Thank you Steve for a nudge in the right direction here. And if any sympa-devs are reading this, would love to see this as built-in functionality in a future release with a parameter setting somewhere in config files.
Diff in code is below:
+++ wwsympa.fcgi 2014-05-06 16:08:25.155056384 -0400 @@ -9141,6 +9141,14 @@ return 1; }
+sub is_valid_admin { + my $email = shift; + if ($email =~ /\@law\.harvard\.edu$/ || $email =~ /@.*\.law.harvard.edu$/) { + return 1; + } + return 0; +} + sub do_edit_list { &wwslog('info', 'do_edit_list()');
@@ -9498,6 +9506,30 @@ &report::notice_report_web('subscribers_noticed_deleted_topics',{},$param->{'action'}); }
+ ## Checking for invalid admins + foreach my $admin_type ('owner','editor') { + my (%previous_emails, %new_emails); + + ## Compile list of previous entries + foreach my $entry (@{$list->{'admin'}{$admin_type}}) { + $previous_emails{$entry->{'email'}} = 1; + } + + ## Check only new entries + foreach my $entry (@{$new_admin->{$admin_type}}) { + unless ($previous_emails{$entry->{'email'}} || &is_valid_admin($entry->{'email'})) { + # If it's not a pre-existing admin or an HLS address, reject it + &report::reject_report_web('user','p_family_wrong',{ + 'param' => $admin_type, + 'val' => ($entry->{'email'} . ' (cannot contain off-site address)') + }, $param->{'action'},$list); + &wwslog('info','do_edit_list: attempt to add non-HLS address: %s', $entry->{'email'}); + &web_db_log({'status' => 'error', 'error_type' => 'invalid admins'}); + return undef; + } + } + } + ## Delete selected params foreach my $p (keys %delete) {
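Review bot: in `is_valid_admin`, the second pattern `/@.*\.law.harvard.edu$/` leaves the dots in `law.harvard.edu` unescaped, so each one matches any character and an address such as `user@sub.law-harvard.edu` is accepted as internal; both patterns are also case-sensitive, and `$` still matches before a trailing newline. Suggest a single anchored, escaped, case-insensitive pattern that covers the bare domain and its subdomains, e.g. `if ($email =~ /\@(?:[\w-]+\.)*law\.harvard\.edu\z/i) {`, and reading the domain from a config parameter rather than hard-coding it, which is what the post itself asks for as built-in functionality.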
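Review bot: the grandfathering lookup `$previous_emails{$entry->{'email'}}` in the second hunk compares addresses verbatim, so a pre-existing off-site owner that comes back from the edit form with different letter case is treated as a new entry and rejected; key both the existing and the submitted side with `lc` (e.g. `$previous_emails{lc $entry->{'email'}} = 1;`). Two smaller points: the rejection reuses the `p_family_wrong` report key, so the user sees an error about the wrong thing with the real reason tucked into `val`, and a dedicated message key would read better; and because the loop does `return undef;` on the first offending address, a submission with several off-site entries surfaces only one per round trip, so collecting them all before returning is friendlier. Note also that the check lives only in `do_edit_list`, so it guards the web form and nothing else that writes admin entries, which is exactly what the hand-edited-config exception in the post relies on.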
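The check that the post describes, a domain allow-list for owner/editor addresses that grandfathers entries already in the list config, as an added Perl example. This is not Sympa's code and not the patch above: the allowed-domain list, the function names `is_valid_admin` and `invalid_new_admins`, and the sample owner entries are all assumptions made for the illustration, and wiring the result into `do_edit_list` is left as in the patch.

```perl
#!/usr/bin/perl
# Added example (not Sympa's code, not the patch from the thread): a domain
# allow-list for list owner/editor addresses with grandfathering of entries
# that are already in the list config.
# Assumptions: the allowed domains come from a list (here a constant, which a
# real deployment would read from a Sympa config parameter); existing admins
# stay valid even if off-site, matching the hand-edited-config exception
# described in the post.
use strict;
use warnings;

# Domains whose addresses may be added as owner/editor (assumed setting).
my @ALLOWED_ADMIN_DOMAINS = ('law.harvard.edu');

# True if $email is at one of the allowed domains or at a subdomain of one.
# The domain is quoted with \Q...\E so its dots are literal, the match is
# anchored at end of string with \z and is case-insensitive.
sub is_valid_admin {
    my ($email, @domains) = @_;
    @domains = @ALLOWED_ADMIN_DOMAINS unless @domains;
    return 0 unless defined $email;
    for my $domain (@domains) {
        my $re = qr/\@(?:[a-z0-9-]+\.)*\Q$domain\E\z/i;
        return 1 if $email =~ $re;
    }
    return 0;
}

# Given the admin entries already in the list config and the entries
# submitted from the edit form, return every submitted address that must be
# rejected: not previously present and not at an allowed domain. Addresses
# are compared lower-cased, so "Partner@Example.org" grandfathers itself
# against an existing "partner@example.org".
sub invalid_new_admins {
    my ($previous, $submitted, @domains) = @_;
    my %previous = map { lc($_->{email}) => 1 } @$previous;
    my @rejected;
    for my $entry (@$submitted) {
        my $email = $entry->{email};
        next if $previous{ lc $email };
        next if is_valid_admin($email, @domains);
        push @rejected, $email;
    }
    return @rejected;
}

# Constructed sample data: one pre-existing off-site owner (hand-added), one
# internal owner, and a form submission that keeps both and adds two more.
my @current_owners = (
    { email => 'partner@example.org' },       # off-site, but grandfathered
    { email => 'dean@law.harvard.edu' },
);
my @submitted_owners = (
    { email => 'Partner@Example.org' },       # same entry, different case
    { email => 'dean@law.harvard.edu' },
    { email => 'clinic@hls.law.harvard.edu' },    # subdomain: allowed
    { email => 'outsider@sub.law-harvard.edu' },  # passes an unescaped-dot regex
);

# Only the last submitted address should be reported.
for my $email (invalid_new_admins(\@current_owners, \@submitted_owners)) {
    print "reject owner $email (cannot contain off-site address)\n";
}
```

The last sample address is there deliberately: with dots unescaped, `.law.harvard.edu` also matches `.law-harvard.edu`, so a look-alike domain would be accepted as internal, whereas the quoted, anchored pattern above rejects it while still admitting real subdomains.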
From: Steve Shipway [mailto:address@concealed]
I don't believe there is any way to do this with an unmodified sympa; a privileged list owner is trusted to add whoever they want as owner or editor.
Steve Shipway University of Auckland ITS UNIX Systems Design Lead Ph: +64 9 373 7599 ext 86487
From: address@concealed [address@concealed] on behalf of Erin Michaud [address@concealed]
Hello, I would like to make it so that current list owners cannot add owners that are outside our organization - i.e. list owners can only be added that have a "law.harvard.edu" email address. Have searched the archives here with no luck and would appreciate any nudges in the right direction. I have a working config that only allows list creation to certain members of our community via LDAP group membership, but need to make sure list ownership (even non-priv ownership) cannot get set to non-internal subscribers.
Thanks, Erin Michaud Linux Systems Administrator Harvard Law School ITS
Archive powered by MHonArc 2.6.19+.