Hi folks, I'm running Mailman3 3.3.10, with postorius and hyperkitty. I want unadvertised lists to be visible only to the people who are subscribed to them and to site administrators.
Right now, anyone who has the name of a list can construct a URL to the signup page, even for unadvertised lists.
So, I can go to: https://site.name/postorius/lists/test.site.name/ and get to the test list, even if it is unadvertised. I see people scanning URLs like this in the NGINX logs, looking for lists.
How can I prevent anyone not logged in, and not a member of an unadvertised list, from seeing it?
Peter C
On 1/5/26 12:54, Peter Chubb via Mailman-users wrote:
How can I prevent anyone not logged in, and not a member of an unadvertised list, from seeing it?
You could probably modify code to do that. For Postorius, the mods would probably be in the ListSummaryView class in postorius/views/list.py.
It seems to me that in the general case, this would not be desirable as it would prevent things like a user being told out of band that they should go to, e.g., https://www.example.com/mailman3/lists/unadvertized.example.com/ and subscribe.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
participants (2)
-
Mark Sapiro -
Peter Chubb