[Mailman-Users] Re: Mailman 2.1.15 doesn't allow admin changes on private lists

2023-07-06 Thread Mark Sapiro

On 7/6/23 10:26 AM, Charles Buckley wrote:

> In hindsight, I think this problem was more to do with the fact that I run
> three lists on this server, two of which have the same list admin password, one
> of which doesn't.  If the developer team were thinking too pointy-headedly
> while developing it, and stored a hash of the password as a cookie value, and
> it didn't match, but they didn't incorporate the list name into the cookie
> name, then that might lead to an issue such as the one I experienced.

Login cookies are stored per list so that shouldn't be an issue.

--
Mark Sapiro                         The highway is for gamblers,
San Francisco Bay Area, California  better use your sense - B. Dylan

--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
   https://mail.python.org/archives/list/mailman-users@python.org/
Member address: arch...@jab.org


[Mailman-Users] Re: Mailman 2.1.15 doesn't allow admin changes on private lists

2023-07-06 Thread Charles Buckley
I have access to practically nothing, neither config.pck nor mm_cfg.py, but was 
able to wait out the problem as reported earlier.

In hindsight, I think this problem was more to do with the fact that I run 
three lists on this server, two of which have the same list admin password, one 
of which doesn't.  If the developer team were thinking too pointy-headedly 
while developing it, and stored a hash of the password as a cookie value, and 
it didn't match, but they didn't incorporate the list name into the cookie 
name, then that might lead to an issue such as the one I experienced.   

I'm just glad to have this task out of the way, and without having to wait for 
a people's paradise bureaucratic synaptic gap to be jumped. Thankfully, the 
patience for people's paradises is coming to an end.

Ch.

-Original Message-
From: Stephen J. Turnbull  
Sent: Thursday, 6 July 2023 19:13
To: Richard Damon 
Cc: mailman-users@python.org
Subject: [Mailman-Users] Re: Mailman 2.1.15 doesn't allow admin changes on 
private lists

Anyway, it would be easy to check if Charles has access to mm_cfg.py.
(I don't think there's anything in config.pck that affects the URL
scheme.)

Steve


[Mailman-Users] Re: Mailman 2.1.15 doesn't allow admin changes on private lists

2023-07-06 Thread Stephen J. Turnbull
Richard Damon writes:

 > One configuration error that I remember being able to cause this
 > sort of issue is if the list is configured with a http:// address,
 > but the server automatically forwards to https:// then it can lose
 > the data for the submission.

Interesting idea.  But I don't think the effect would be so narrow.  I
haven't worked with Mailman 2 in a while but IIRC the base URL is
configured once, and everything else is derived from that.  Of course
there's the perennial issue where somebody changes from HTTP to HTTPS
and doesn't run fixurl, but that affects *everything* that requires a
login, doesn't it?

Anyway, it would be easy to check if Charles has access to mm_cfg.py.
(I don't think there's anything in config.pck that affects the URL
scheme.)

Steve


[Mailman-Users] Re: Mailman 2.1.15 doesn't allow admin changes on private lists

2023-07-06 Thread Richard Damon
One configuration error that I remember being able to cause this sort of 
issue is if the list is configured with a http:// address, but the 
server automatically forwards to https:// then it can lose the data for 
the submission.


On 7/5/23 10:51 PM, Charles Buckley wrote:

Answers I can provide that usefully add value are listed below:

I actually precisely wrote what I did.  I started reverse engineering how to 
solve the problem, using my other two preexisting lists.  One was already 
'public' (meaning browsable).  Since I could delete the footer on that one 
without changing to browsable, I tried eliminating the footer on the other 
non-browsable list by changing it to browsable.  That worked, but I couldn't do 
the same magic on the non-browsable list I wanted to change, apparently because 
of the same bug.

The fact that all three browsers installed on my PC demonstrate the same 
misbehaviour suggests it is indeed NOT a browser issue.

You asked about how mailman is installed.   This is a shared server running 
Plesk.  I have the right to install my own applications that are available as 
installable packages.  Once these are installed, I get nagged *frequently* 
about upgrading these packages I install to the most recent version.  But 
mailman is part of the base package, so I never get invited to update that one. 
 I have suggested to the service provider that they do this, but so far they're 
just thinking about it.  They asked for access to the list so they could see 
the behavior themselves.

To pick up on what Carl Zwanzig wrote and synthesize it with what you wrote, 
the bug is probably in the code implementing the actions of the 'Submit my 
changes' button.   I suppose that would be the next place to look, but I 
thought that, since this problem had been around so long, someone would know a 
workaround that would save me an extended session of webpage archaeology.

Heck, if I knew where the footer data was stored, I'd be happy to go in and 
edit the file by hand, the web page be damned.  I just want to get this 
delivered and out of the way.  Watch it probably be in some DB for which there 
was never any compelling need.

Ch.

-Original Message-
From: Mark Sapiro 
Sent: Wednesday, 5 July 2023 22:39
To: mailman-users@python.org
Subject: [Mailman-Users] Re: Mailman 2.1.15 doesn't allow admin changes on 
private lists

On 7/5/23 1:27 AM, Charles Buckley wrote:

I experimented with this a bit, and found that I could eliminate the footer on 
my public (browsable) list on the same server. So I tried converting my other 
private (non-browsable) list to be browsable, at which point I could eliminate 
the footer, and then switch the list back to being non-browsable.


You said in a reply that on this list you actually needed to set the list 
`public` before you could successfully change msg_footer.



But once I tried to implement the workaround on the non-browsable list I wanted 
to change, I got the same defective behaviour when trying to switch the list to 
be browsable -- I would get redirected to the admin login page for the list in 
question, log in successfully, only to come back and find myself on the same 
privacy page, with no changes having been made.


This is quite strange. The behavior you observe is a result of your login
cookie being lost. I could conjecture that there's something in the
browser that's not saving the cookie when this list's name is in the
URL, but the fact that you can make some changes to the other list
including switching it from private to public but can change msg_footer
only when it's public belies that.



I have also posted this as a bug via the Mailman launchpad.  This behaviour 
appears to be browser-independent; I have tried it on Firefox, Chrome, and Edge.

More confirmation that it's not a browser issue. I have added a comment
to your bug report to see this thread.

Do you know how Mailman is installed on the server? Is it from source or
a third party package? I can't see anything in the admin UI code that
would effectively log you out upon submission of an update form, but
this is what's happening. Either your login cookie is being removed or
for some reason, not being saved.

Normally, I would suspect the issues in the FAQ at
, but those normally affect all changes
to all lists, so that may not be relevant here.



--
Richard Damon
