>> (2) It appears that the Subscription sequence always returns the contents >> of the file "subscribe.html". Is this in fact always the case? I tried to >> subscribe to email address "foo" and did not receive an error -- even >> though this is not a valid email address. I suppose I could validate the >> email address format with my PHP code and provide user feedback.
>If you post an address like 'foo' to the subscribe CGI, you should get a >result like >Listname Subscription results >The email address you supplied is not valid. (E.g. it must contain an `@'.) >The validation is somewhat primitive and syntactic only, but it should >refuse to subscribe a syntactically valid address. >Did 'foo' actually get added to your list? 'foo' did not get added to the list as there is no way to for the system to send a validation email and get a response from the user. It appears that Posting: http://<SERVER>/mailman/subscribe/<LIST_NAME> with: email => <EMAIL_ADDRESS> fullname => <USERS_NAME> email-button => "Subscribe" always returns the contents of the file "subscribe.html" even in the presence of an invalid address like 'foo'. This is easy for me to work around as I simply check that EMAIL_ADDRESS has a valid format before Posting. My Subscribe code is working well for both normal and error cases. >> (3) It appears the Unsubscribe sequence I created allows for anyone to >> unsubscribe anyone else -- all they need to know is an email address that >> is subscribed to the list. >This is exactly why Mailman does not allow unsubscribes without >authentication or confirmation. I am now a believer that validating Unsubscribe through the user's email is the correct approach for my application. I have code that works for the normal Unsubscribe case but am having problems with the error cases. Posting: http://<SERVER>/mailman/options/<LIST_NAME> with: email => <EMAIL_ADDRESS> login-unsub => "Unsubscribe" always returns the string "The confirmation email has been sent.". This is true even when the email address is not subscribed to the list -- this will likely be the case if the user mistypes their email address. I did another test that was even more confusing. I entered a valid email address that was not subscribed to the list. In this case the string "The confirmation email has been sent." was received by my code consistent with what I said above. The reality is the unsubscribe validation email is never sent in this case. This would be very confusing for the user and will likely result in an "I Need Help Unsubscribing!" email to our webmaster. I need to find a way to Post a CGI to Unsubscribe that tells my code if the EMAIL_ADDRESS is subscribed to the list and if a validation email was actually sent. I tried to Post: http://<SERVER>/mailman/options/<LIST_NAME> with: email => <EMAIL_ADDRESS> email-button => "Unsubscribe" this does not seem to work for the normal path. I feel like we are getting close. The good news is my solution is only 50 lines of code including the Subscribe / Unsubscribe <forms> on a single page. It might be interesting to others if we can get this last piece sorted out. Thanks again Mark! Greg ------------------------------------------------------ Mailman-Users mailing list Mailman-Users@python.org https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org