
Christian Schneider writes:
Did you manage to disable the local registration (with django accounts)? I am trying to get rid of these locally registered accounts as well.
The easiest way to do this is to require SSO authentication to access webapps (this can be done in the front-end webserver), then use the identity provider to pass the authenticated user to Django. This can be done with a small custom extension to Django, and no modifications to code provided by Mailman or Django. Just registering the extension in the usual way.
(A list member can be any (external) user...I only care about moderators/admins and moderators)
This is very hard. Django authenticates *users*, users possess *roles*, and roles are authorized to access *resources*. However, owners can add roles to other users to make them moderators or even owners -- but this cannot trigger a change in the users' authentication process. So if owner A decides to make external user B a moderator, B will still authenticate however they did previously.
Of course you can decide you trust all your owners and superusers not to do that. I'm just saying if they decide to do such a thing nothing in Mailman suite will stop them.
SOCIALACCOUNT_ONLY = True
ACCOUNT_EMAIL_VERIFICATION = EmailVerificationMethod.NONE
ACCOUNT_ADAPTER = 'django_mailman3.views.user_adapter.DisableSignupAdapter'
I don't think these settings do what you want (but I'm not a Django expert). In particular, you must disable all "unofficial" socialauth providers, which is unlikely to make your users happy.
Also, I think this disables web signups and account management for everyone who isn't in your official identity provider. Finally, I think EMAIL_VERIFICATION refers to the normal process of sending a one-time key to the address, to confirm that the anonymous person who is trying to sign up the email can read that mailbox, not to login authentication. If so, that would be bad, as anyone could claim any email address. (Could be wrong, though.)
Is there any way to get approach (only sso-authorized owners/admins/moderators) working?
If you're going to allow "external" users, the approaches that pretty clearly will work require substantial and tricky code changes. It might be possible to mask the "administrative" links in the front-end webserver and require SSO authentication to "see" them, but that's never a very robust solution. If you're willing to manage identities of all users, it's straightforward.
--
GNU Mailman consultant (installation, migration, customization)
Sirius Open Source https://www.siriusopensource.com/
Software systems consulting in Europe, North America, and Japan
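
The first suggestion in the reply above (SSO enforced at the front-end webserver, with the authenticated user handed to Django) depends on the application accepting that identity only from the front end. The sketch below is an added example, not part of the original message and not Mailman or Django code: a WSGI wrapper that sets `REMOTE_USER` for Django's stock `RemoteUserMiddleware` and `RemoteUserBackend`. The header name `X-Remote-User`, the proxy address and `demo_app` are assumptions made for illustration.

```python
# Added example: wrap the Django WSGI application with this class.
# Assumptions (constructed values): the front-end webserver performs SSO,
# forwards the login name in X-Remote-User, and connects from TRUSTED_PROXIES.
# Django side: add django.contrib.auth.middleware.RemoteUserMiddleware to
# MIDDLEWARE and django.contrib.auth.backends.RemoteUserBackend to
# AUTHENTICATION_BACKENDS so that REMOTE_USER is honoured.
TRUSTED_PROXIES = {"127.0.0.1"}
SSO_HEADER = "HTTP_X_REMOTE_USER"  # WSGI spelling of X-Remote-User


class SsoRemoteUser:
    """Set REMOTE_USER only from the SSO front end; refuse everything else."""

    def __init__(self, app, trusted=TRUSTED_PROXIES, header=SSO_HEADER):
        self.app, self.trusted, self.header = app, set(trusted), header

    def __call__(self, environ, start_response):
        # Drop any REMOTE_USER set upstream of this wrapper; only the header
        # written by the SSO front end is allowed to name the user.
        environ.pop("REMOTE_USER", None)
        user = environ.pop(self.header, "").strip()
        # A request that bypasses the front end can carry a forged header,
        # so the peer address is checked before the header is believed.
        if environ.get("REMOTE_ADDR") not in self.trusted or not user:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"SSO authentication required\n"]
        environ["REMOTE_USER"] = user  # read by Django's RemoteUserMiddleware
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the Django WSGI application (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["REMOTE_USER"].encode()]


def call(app, **environ):
    """Run one constructed request through `app`; return (status, body)."""
    seen = {}
    body = b"".join(app(dict(environ), lambda status, headers: seen.update(status=status)))
    return seen["status"], body
```

This covers authentication only: as the reply notes, an owner can still grant a moderator or owner role to any account that exists, so it works when every user is managed in the identity provider.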