Ulf Dunkel writes:

> When I try
>
> <http://<mydomain>/mailman/admin/<listname>/members/remove?send_unsub_ack_to_this_batch=1&send_unsub_notifications_to_list_owner=0&unsubscribees_upload=<user_email>>
>
> instead (without the adminpw stuff), I get this funny error on the webpage:
>
> ----- snip -----
> Error: The form lifetime has expired. (request forgery check)
> ----- snap -----

That is odd.

> Is there any chance to proceed with URLs like the one above and using
> the web interface with the need to enter the admin password in the browser?

I would think it would work as you expect.

I suspect the problem has something to do with what is called "cross-site request forgery" (CSRF). The technique for combatting that requires that you *start* by entering the appropriate page, which provides a digitally signed one-time authorization token, which expires after a fairly short period. You then send the token back when you fill in the form, thus proving that you've followed the correct procedure. I suspect absence of a token is being treated the same as an expired token.

I hope it's a bug and can be fixed, but I don't know much about that part. Hopefully Mark has an answer to this one.

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
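
The signed, expiring form token described in the reply above, as an added example that is not part of the original message and is not Mailman's own code. All names, the secret and the lifetime are assumptions; the sketch checks signature and age only (it does not track single use) and reports a missing token separately from an expired one.

```python
import hashlib
import hmac
import time

# Hypothetical names and values throughout: this is not Mailman's code.
SECRET = b"constructed-demo-secret"  # per-site signing key (constructed)
LIFETIME = 3600                      # token validity in seconds (assumed)


def make_token(user, action, now=None):
    """Issue a token when the form page is rendered for an authenticated user."""
    issued = int(time.time() if now is None else now)
    msg = f"{issued}:{user}:{action}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued}:{mac}"


def check_token(token, user, action, now=None):
    """Return 'ok', 'missing', 'malformed', 'bad-signature' or 'expired'."""
    if not token:
        # A bare URL with no token lands here, not in the 'expired' branch.
        return "missing"
    issued_s, sep, mac = token.partition(":")
    if not sep or not (issued_s.isascii() and issued_s.isdigit()):
        return "malformed"
    # Recompute the MAC over the same fields the issuer signed.
    msg = f"{issued_s}:{user}:{action}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "bad-signature"
    now = int(time.time() if now is None else now)
    if now - int(issued_s) > LIFETIME:
        return "expired"
    return "ok"
```

A handler that maps every non-"ok" result to one "form lifetime has expired" message would behave the way the reply suspects.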