It might be helpful if I explain what Mailmania does.

login - an anonymous HTTP request can be sent to the server asking to log in and POSTing Mailman username and password. Success results in a response with a JWT in the HTTP headers.

authentication - when an HTTP request arrives, it is examined to see if it contains a valid JSON web token (JWT) in its headers.

authorization - when an HTTP request comes in, the request is examined to determine if the requesting user (as defined by the JWT attached to the request) has permission to access the resource they have requested. It has a set of business rules that make decisions about what resources a user is able to access. If authorization is approved, the request is proxied to the Mailman core REST API.

The Mailman permissions model is based on the idea that Mailman has the following resources:

- a server
- domains
- lists
- users

Users can have auth roles (not the same as Mailman 2 roles, I think):

- userowner (this is implied, a user is its own owner)
- listowner
- listmember
- listmoderator
- listnonmember
- domainowner
- serverowner

Any HTTP request to Mailmania must be from a specific user, attempting to access a specific resource. Mailmania basically just figures out if that user is indeed allowed access to the resource they have asked for, and sends it through or denies it.

_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers
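An added example of the login, authentication and authorization steps described in the post above; this is not Mailmania's own code. It mints and verifies an HS256 JWT with only the Python standard library and then applies an assumed, illustrative rule set over the roles the post lists; the claim layout (`sub`, `grants`, `exp`), the grant format and the rules in `REQUIRED_ROLES` are all assumptions for the demo.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # constructed for the demo; load from config in practice

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(user: str, grants: list, ttl: int = 3600, now=None) -> str:
    """Login step: mint an HS256 JWT carrying the user id, their role grants and an expiry.
    Each grant is [role, resource_type, resource_id], e.g. ["listowner", "lists", "foo"]."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": user, "grants": grants, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def authenticate(token: str, now=None):
    """Authentication step: return the claims only if the token is well-formed, uses the
    expected algorithm, carries a valid signature and has not expired; otherwise None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse 'none' or any algorithm the server did not choose
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None  # signature mismatch: payload or signature was altered
        claims = json.loads(b64url_decode(payload))
    except (ValueError, AttributeError):
        return None  # malformed token, bad base64 or bad JSON
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None  # expired (or no expiry at all)
    return claims

# Assumed business rules for the authorization step (not Mailmania's actual rule set).
REQUIRED_ROLES = {"domains": {"domainowner"}, "lists": {"listowner", "listmoderator"}}

def authorize(claims, resource_type: str, resource_id: str) -> bool:
    """Authorization step: decide whether the authenticated user may reach the resource."""
    if claims is None:
        return False  # unauthenticated requests are never proxied
    grants = {tuple(g) for g in claims.get("grants", [])}
    if ("serverowner", "server", "*") in grants:
        return True  # assumed: the server owner may reach every resource
    if resource_type == "users":
        return claims.get("sub") == resource_id  # userowner is implied, never granted
    return any((role, resource_type, resource_id) in grants for role in REQUIRED_ROLES.get(resource_type, ()))
```

Only a request whose token passes `authenticate` and whose claims pass `authorize` would be proxied on to the Mailman core REST API; splicing one user's payload onto another user's signature, or an expired token, fails at the authentication step before any rule is consulted.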