Hello, Sending email to the listname-request alias, I'm able to verify that I can everyone who is on a mailing list by supplying the list administrator or moderator password to retrieve the roster (I have the list roster is limited to list administrators and moderators only).
The issue is I can send the 'who' email command with the admin password from /*any*/ email address (not even subscribed) and get the roster... is this right? Wouldn't it be better if the 'who' command only worked for email addresses corresponding to list admins/moderators when the list roster is configured to be only available to these privileged users? (Or am I being overly paranoid?) Thanks ------------------------------------------------------ Mailman-Users mailing list Mailman-Users@python.org http://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
