Hi all,

I'd like to protect my mailing list archives behind some .htaccess
protection, but my mailman installation is a central one which serves a
number of different websites.

I was thinking I could get around this by using a script to automate a
log in to the archives and then scraping the results back to my
.htaccess protected folder. I'm using GET variables to use the
subscription page at the moment (adding &adminpw=PASSWORD onto the end
of the url) and was wondering if there was anything similar that I could
do with the archives?

Alternatively, if anyone can think of another way to get the archives
behind a .htaccess wall I'd be keen to hear!

Thanks all,

Phil

  • Mark Sapiro at Feb 9, 2010 at 2:39 pm

    Phil Ewels wrote:
    > I'd like to protect my mailing list archives behind some .htaccess
    > protection, but my mailman installation is a central one which serves a
    > number of different websites.

    Why not just use private archives? You could use a .htaccess file to
    prevent access by URL if you really don't want public access at all.
    Then all archive access would have to be through
    Mailman/Cgi/private.py.

    > I was thinking I could get around this by using a script to automate a
    > log in to the archives and then scraping the results back to my
    > .htaccess protected folder. I'm using GET variables to use the
    > subscription page at the moment (adding &adminpw=PASSWORD onto the end
    > of the url) and was wondering if there was anything similar that I could
    > do with the archives?

    If for some reason Mailman's private archive authentication is not
    satisfactory and you want to bypass the login page, you can append
    ?password=PASSWORD (where PASSWORD is a list admin or moderator or
    site admin password) to any private archive URL.

    > Alternatively, if anyone can think of another way to get the archives
    > behind a .htaccess wall I'd be keen to hear!

    If I understood the desired end result, I might be able to suggest more.

    --
    Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
    San Francisco Bay Area, California    better use your sense - B. Dylan
  • Phil Ewels at Feb 9, 2010 at 3:23 pm
    I'd like to avoid using the standard private archives because that would
    require users to log in a second time, with a second username and
    password. I'm attempting to hide everything behind a single .htaccess wall.

    The other reason is that the users are currently being signed up by an
    automated script, which does it silently, so they are not getting any
    welcome messages and will not know what their subscription password is.

    I'll have a go using ?password=PASSWORD and see where I get to...

    Cheers,

    Phil




  • Mark Sapiro at Feb 9, 2010 at 3:33 pm

    Phil Ewels wrote:
    > I'd like to avoid using the standard private archives because that would
    > require users to log in a second time, with a second username and
    > password. I'm attempting to hide everything behind a single .htaccess wall.

    OK, but I don't think dynamically modifying .htaccess can work. What if
    you have two 'disjoint' users trying to browse different archives
    concurrently?

    Or were you thinking of per-list .htaccess modified by your subscribe
    process?

    > The other reason is that the users are currently being signed up by an
    > automated script, which does it silently, so they are not getting any
    > welcome messages and will not know what their subscription password is.
    >
    > I'll have a go using ?password=PASSWORD and see where I get to...

    OK

    --
    Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
    San Francisco Bay Area, California    better use your sense - B. Dylan
  • Phil Ewels at Feb 9, 2010 at 3:45 pm
    So everyone will be using the same login details for the .htaccess
    protection (it's a fairly small group of users who need to access these
    pages, who all trust each other and having one login for all saves a lot
    of hassle). So no dynamic modification needed (if I understand you
    correctly).

    Users will be subscribed to a maximum of four lists, but I'd like them
    to be able to browse the archives of all of them. In other words, have
    the mailing lists behave as if they have public archive access, but
    behind a .htaccess wall to prevent Joe Bloggs from reading the lists.

    This may get overly complicated, so I might just create a dummy account
    and publicise the login details on a page protected by .htaccess. Messy
    but easy.

    Phil




  • Mark Sapiro at Feb 9, 2010 at 4:09 pm

    Phil Ewels wrote:
    > So everyone will be using the same login details for the .htaccess
    > protection (it's a fairly small group of users who need to access these
    > pages, who all trust each other and having one login for all saves a lot
    > of hassle). So no dynamic modification needed (if I understand you
    > correctly).

    Then I don't understand what "I was thinking I could get around this by
    using a script to automate a log in to the archives and then scraping
    the results back to my .htaccess protected folder." means.

    Unless, maybe it means that the .htaccess only allows access by IP and
    you'd be updating that.

    > Users will be subscribed to a maximum of four lists, but I'd like them
    > to be able to browse the archives of all of them. In other words, have
    > the mailing lists behave as if they have public archive access, but
    > behind a .htaccess wall to prevent Joe Bloggs from reading the lists.

    So just have public archives and put the .htaccess in either
    /path/to/mailman/archives/private/ or
    /path/to/mailman/archives/public/ - either one should do it as long as
    you have AllowOverride explicitly or implicitly on the directory.

    --
    Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
    San Francisco Bay Area, California    better use your sense - B. Dylan
  • Phil Ewels at Feb 9, 2010 at 4:43 pm
    Ah, so this is what I initially thought, but the problem with that is my
    installation of Mailman - it is a central installation which serves
    lists to a whole range of different domains, so putting a .htaccess
    restriction in the archives folder would then stop access to the
    archives for all of my other websites.



  • Mark Sapiro at Feb 9, 2010 at 5:04 pm

    Phil Ewels wrote:
    > Ah, so this is what I initially thought, but the problem with that is my
    > installation of Mailman - it is a central installation which serves
    > lists to a whole range of different domains, so putting a .htaccess
    > restriction in the archives folder would then stop access to the
    > archives for all of my other websites.

    So then put .htaccess files in archives/private/listname for each of
    this domain's lists. These will work with public archives since
    public/listname is just a symlink to private/listname.

    --
    Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
    San Francisco Bay Area, California    better use your sense - B. Dylan
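
The per-list approach from the reply above, as an added example that is not part of the thread: a POSIX shell sketch that writes a Basic-auth .htaccess into archives/private/LIST for the named lists only, and checks that public/LIST really resolves to the same directory. The archive root, list names and htpasswd path are assumptions passed as arguments; Apache needs AllowOverride AuthConfig (or All) on the directory for the file to take effect.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and list names are assumptions.
# Needs AllowOverride AuthConfig (or All) on the archive directory.

# write_htaccess DIR HTPASSWD_FILE: require a Basic-auth login for DIR.
write_htaccess() {
    [ -d "$1" ] || { echo "skip: $1 is not a directory" >&2; return 1; }
    printf '%s\n' \
        'AuthType Basic' \
        'AuthName "Private Archive"' \
        "AuthUserFile $2" \
        'Require valid-user' > "$1/.htaccess"
    chmod 644 "$1/.htaccess"
}

# protect_lists ARCHIVE_ROOT HTPASSWD_FILE LIST...
# Returns 0 only if every named list was protected and verified.
protect_lists() {
    pl_root=$1 pl_pw=$2; shift 2
    pl_rc=0
    # Keep the password file out of the web-served archive tree.
    case "$pl_pw" in
        "$pl_root"/*) echo "refuse: $pl_pw is inside $pl_root" >&2; return 1 ;;
    esac
    for pl_list in "$@"; do
        # A list name is a single path component; reject traversal.
        case "$pl_list" in
            ''|.|..|*/*) echo "skip: bad list name '$pl_list'" >&2
                         pl_rc=1; continue ;;
        esac
        pl_priv="$pl_root/private/$pl_list"
        write_htaccess "$pl_priv" "$pl_pw" || { pl_rc=1; continue; }
        # If public/LIST exists it must be the same directory, otherwise
        # the public copy is served without the .htaccess just written.
        pl_pub="$pl_root/public/$pl_list"
        if [ -e "$pl_pub" ] && [ "$(cd "$pl_pub" 2>/dev/null && pwd -P)" \
                                 != "$(cd "$pl_priv" && pwd -P)" ]; then
            echo "warn: $pl_pub does not resolve to $pl_priv" >&2
            pl_rc=1
        fi
    done
    return "$pl_rc"
}

# Run only when called as: script ARCHIVE_ROOT HTPASSWD_FILE LIST...
if [ "$#" -ge 3 ]; then protect_lists "$@"; fi
```

Lists belonging to the other domains are not named on the command line, so their archive directories are left untouched.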
  • Adam McGreggor at Feb 9, 2010 at 4:49 pm

    On Mon, Feb 08, 2010 at 03:40:44PM +0000, Phil Ewels wrote:
    > I'd like to protect my mailing list archives behind some .htaccess
    > protection, but my mailman installation is a central one which serves a
    > number of different websites.
    >
    > I was thinking I could get around this by using a script to automate a
    > log in to the archives and then scraping the results back to my
    > .htaccess protected folder.

    How about setting the archive directory for each applicable list as its own
    <Directory> in a vhost config, I dunno, something like: (untested)

    <VirtualHost *:443>
        ServerName archives.lists.example.org
        DocumentRoot /usr/local/mailman/archives/private/

        # No directory listings by default
        Options -Indexes

        # Basic-auth login for this one list's archive
        <Directory /usr/local/mailman/archives/private/listname>
            AuthType basic
            AuthName "Private Archive"
            AuthUserFile /path/to/htpasswd.file
            Require valid-user
            Options +Indexes
        </Directory>
    </VirtualHost>

    or perhaps use a glob and AllowOverride (assuming Apache as your
    httpd), or something like one of the Match directives.

    Just as an idea, in production, you'll possibly want to lock-down a
    virtualhost like that a bit more.

    > Alternatively, if anyone can think of another way to get the archives
    > behind a .htaccess wall I'd be keen to hear!

    Failing the hackish monstrosity above, you might find

    https://secure.mysociety.org/cvstrac/dir?d=mysociety/lists/web-admin/lists

    (and elsewhere in https://secure.mysociety.org/cvstrac/dir?d=mysociety/lists)

    useful if you're a coder.

    --
    ``If the media object to a judgment or sentencing decision,
    we suggest they focus their efforts on persuading the
    Government to rectify the legal and policy framework.''
    (Lords' Select Committee on Constitution: Eleventh Report)

Discussion Overview
group: mailman-users @
categories: python
posted: Feb 8, '10 at 3:40p
active: Feb 9, '10 at 5:04p
posts: 9
users: 3
website: list.org
