-
Notifications
You must be signed in to change notification settings - Fork 90
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proposal for invite.owner with auth #1790
Comments
Thinking about this more... Does sympa have any policy about scenari changes? Looking at the default scenari it seems they don't change very often, so maybe it has not come up much? If sympa were to decide to start requiring auth for things like add/del/invite, what would the potential migration look like? If users provide their own version of a scenari in the modify existing scenariUsing
introduce scenari changes with new files, migrate to themIn the case, for our example
This is all using my example for invite, but probably you can tell I am trying to think about this generically because I think it's probably time that sympa move away from some of this older scenari behavior that is now a problem. In particular many of the |
I +1 to add
Having too many scenarios is troubling. I think it is a flaw in the current design that we have to have as many options as there are all possible conditions, but we have to live with this for the time being. |
I would like to have a version of the "invite" scenari for owner but with authentication. Currently "invite.owner" could be abused by someone forging mail from the owner address, and having an auth version would prevent this.
It could maybe be argued that "invite.owner" should require auth by default. I think that is probably a good idea, but that may come as a surprise to users not expecting it (and automation/form processing people may have written taking advantage of it). Also depending on naming some migration might be required between releases. There may also be use cases where this auth is not required and just adds extra steps (non-public email systems?)
We have the examples of {add,del}.owner vs {add,del}.auth, but also send.owner vs send.ownerauth to use as reference. I think this new scenari could be named either "invite.auth" or "invite.ownerauth", I guess I would lean toward the former. Based on the others, here is probably what it should look like:
(I left "perform" like it is in invite.owner, but they could both be changed to "performed").
Let me know what you think of this, or if I can help in any way.
Thanks!
The text was updated successfully, but these errors were encountered: