[Mailman-Users] .htaccess protection of archives

Why not just use private archives? You could use a .htaccess file to
prevent access by URL if you really don't want public access at all.
Then all archive access would have to be through
Mailman/Cgi/private.py.


If for some reason Mailman's private archive authentication is not
satisfactory and you want to bypass the login page, you can append
?password=PASSWORD (where PASSWORD is a list admin or moderator or
site admin password) to any private archive URL.


If I understood the desired end result, I might be able to suggest more.

I'd like to avoid using the standard private archives because that would
require users to log in a second time, with a second username and
password. I'm attempting to hide everything behind a single .htaccess wall.

The other reason is that the users are currently being signed up by an
automated script, which does it silently, so they are not getting any
welcome messages and will not know what their subscription password is.

I'll have a go using ?password=PASSWORD and see where I get to...

Cheers,

Phil




Mark Sapiro wrote:

OK, but I don't think dynamically modifying .htaccess can work. What if
you have two 'disjoint' users trying to browse different archives
concurrently?

Or were you thinking of per-list .htaccess modified by your subscribe
process?


OK

So everyone will be using the same login details for the .htaccess
protection (it's a fairly small group of users who need to access these
pages, who all trust each other and having one login for all saves a lot
of hassle). So no dynamic modification needed (if I understand you
correctly).

Users will be subscribed to a maximum of four lists, but I'd like them
to be able to browse the archives of all of them. In other words, have
the mailing lists behave as if they have public archive access, but
behind a .htaccess wall to prevent Joe Bloggs from reading the lists.

This may get overly complicated, so I might just create a dummy account
and publicise the login details on a page protected by .htaccess. Messy
but easy.

Phil




Mark Sapiro wrote:

Then I don't understand what "I was thinking I could get around this by
using a script to automate a log in to the archives and then scraping
the results back to my .htaccess protected folder." means.

Unless, maybe it means that the .htaccess only allows access by IP and
you'd be updating that.


So just have public archives and put the .htaccess in either
/path/to/mailman/archives/private/ or
/path/to/mailman/archives/public/ - either one should do it as long as
you have AllowOverride explicitly or implicitly on the directory.

Ah, so this is what I initially thought, but the problem with that is my
installation of Mailman - it is a central installation which serves
lists to a whole range of different domains, so putting a .htaccess
restriction in the archives folder would then stop access to the
archives for all of my other websites.



Mark Sapiro wrote:

So then put .htaccess files in archives/private/listname for each of
this domain's lists. These will work with public archives since
public/listname is just a symlink to private/listname.

How about setting the archive directory for each applicable list as it's own
<Directory> in a vhost config, I dunno, something like: (untested)

<VirtualHost *:443>
ServerName archives.lists.example.org
DocumentRoot /usr/local/mailman/archives/private/

Options -Indexes

<Directory /usr/local/mailman/archives/private/listname>
AuthType basic
AuthName "Private Archive"
AuthUserFile /path/to/htpasswd.file
Require valid-user
Options +Indexes
</Directory>
</VirtualHost>

or perhaps use a glob and AllowOverrides (assuming Apache as your
httpd), or something like one of the Match directives.

Just as an idea, in production, you'll possibly want to lock-down a
virtualhost like that a bit more.
Failing the hackish monstrosity above, you might find

https://secure.mysociety.org/cvstrac/dir?d=mysociety/lists/web-admin/lists

(and elsewhere in https://secure.mysociety.org/cvstrac/dir?d=mysociety/lists)

useful if you're a coder.