mathias@koerber.org writes:
> Does Mailman 3 have an REST API that allows list-owners/moderators to perform list-management functions without having access to the whole server/other lists etc?
No. You can provide selective access to a selection of REST API endpoints via a front-end webserver such as Apache or nginx, but it would be rather painful, and possibly also rather insecure.[1]
> The documentation seems to only indicate a single one-admin-user REST API that should not even be accessible from outside?
That's right. If the documentation only "indicates" that, we should fix the documentation. The point of separating Postorius from core was to put authentication and authorization in the hands of people who know how to do it (i.e., Django).
Footnotes: [1] That depends on what threats you're worried about. But the endpoint hierarchy is designed to make sense to application programmers, not to make it easy to disable access to "dangerous" endpoints that allow deleting lists or extracting user information.
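
To make the footnote concrete, here is an added example (not part of the original message, and not Mailman or Postorius code) of the default-deny path filter a front end would need in order to scope one authenticated owner to their own lists. The endpoint paths are assumptions based on Mailman core's REST layout, and `is_allowed`, `ALLOWED` and the list ids are hypothetical names.

```python
import re

# Assumption: these paths follow Mailman core's REST layout (API 3.0/3.1);
# check them against the REST documentation for the version you run.
# Each entry: (HTTP method, regex for the part after /lists/<list-id>/).
ALLOWED = [
    ("GET", r"config(/[a-z_]+)?"),      # read list settings
    ("PATCH", r"config"),               # change list settings
    ("GET", r"held(/\d+)?"),            # view the moderation queue
    ("POST", r"held/\d+"),              # accept/reject/discard a held message
    ("GET", r"roster/member"),          # list subscribers
]
LIST_PATH = re.compile(r"/3\.[01]/lists/([a-z0-9._-]+)/(.+)")


def is_allowed(method, path, owned_list_ids):
    """Default-deny check for one authenticated list owner (hypothetical helper)."""
    path = path.partition("?")[0]
    # Refuse encoded or non-canonical paths rather than trying to normalise
    # them: the proxy and the backend may disagree about what they mean.
    if "%" in path or "//" in path:
        return False
    m = LIST_PATH.fullmatch(path)
    # No match covers DELETE /lists/<id> (deletes the list) and every
    # collection outside /lists/<id>/ (users, members, addresses, domains),
    # which cannot be scoped to a single list by path alone.
    if m is None:
        return False
    list_id, sub = m.groups()
    if list_id not in owned_list_ids:
        return False
    return any(method == verb and re.fullmatch(pattern, sub)
               for verb, pattern in ALLOWED)
```

Everything not listed is refused, so operations that are addressed outside `/lists/<list-id>/` are unavailable to the owner under this filter, however legitimate the request.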