Mark Sapiro wrote: > On 08/04/2016 08:06 PM, Stephen J. Turnbull wrote: >> Beu, Ed (DOA) writes: >> >> > We've discovered that if the Unsubscribe_Policy is set to Yes (1), >> > the moderator can unsubscribe members without the members input! >> > The member simply gets a notice that they've been unsubscribed. >> >> But that means that *anybody* can unsubscribe a member, since only >> moderation is enabled by the moderation password, not other list >> management features such as subscription management. So there is >> apparently no authorization or authentication required to unsubscribe >> someone. > > > No. It means anyone can request unsubscription of anyone, but the > unsubscription requires moderator approval. Presumably the moderator > won't approve it if she didn't initiate it.
However, I realize there is a problem in that all unsubscribes, even those initiated by a user with a password, require moderator approval so if a moderator sees an unsubscription request that she didn't initiate, she has no way to know if this was intentionally initiated by the user or inadvertently or maliciously by someone else. -- Mark Sapiro <[email protected]> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan ------------------------------------------------------ Mailman-Users mailing list [email protected] https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
