The mailing list for listmasters using Sympa

[Steve Shipway <address@concealed>]

In the current 6.1.19 Sympa, it seems that Listmasters will automatically inherit Owner permissions for all lists whenever a Scenario is evaluated.

 

This produced the unfortunate side effect that, if you are a listmaster, you can post to any list that allows an owner to post to it, even if you are not the list owner or member.  Therefore, lists to which you would have expected to have your postings moderated will allow you to post without problem.  This is causing us some headaches with people bypassing moderation on highly-sensitive lists unintentionally.

 

The reason for this is in Scenario.pm, function verify(), around line 889.  The scenario is evaluated, and is_owner (and is_editor) are checked by calling $list->am_i with parameters ‘owner’ and the user email.  The am_i function (in List.pm) grants Listmasters Owner and Editor rights to everything unless in ‘strict’ mode.

 

I would suggest that the calls to am_i should pass the ‘strict’ parameter.  If you want Listmasters to have the rights automatically, you can always  put ‘is_listmaster([sender]) smtp,dkim,smime do_it’ into your scenario or into include.send.header if you prefer.

 

Thus, we would change this:

 

                if ($list2->am_i('owner', $arg)) {

 

to this:

 

                if ($list2->am_i('owner', $arg,{strict=>1})) {

 

and similarly for the ‘editor’ check a few lines later.

 

Since (I don’t believe) the current behaviour of is_owner and is_editor is documented in the Sympa documentation, I think that it should be changed to the more intuitive ‘strict’ behaviour.

 

Does anyone have any comments?  Else I’ll log this as a feature request to the tracker.

 

Steve

 

Steve Shipway

University of Auckland

UNIX Systems Design Team Lead

address@concealed

+64 (9) 3737 599 ext 86487

 

Attachment: smime.p7s
Description: S/MIME cryptographic signature