I am running Plone 3.2.3 and I have installed HumaineMailman so that the users on the website can subscribe and unsubscribe themselves from our various mailing lists. HumaineMailman works very simply. There is a special URL/action that gives you a plain text list of all e-mail addresses that are subscribed on a list. For example:

http://www.example.org/[email protected]&password=secret

You're supposed to simply wget that URL and feed the plain text list into Mailman's sync_members. Easy.

The problem is that Plone does not allow me to access that URL anonymously. When I am logged in as administrator I can access the URL in my browser and see the list of e-mail addresses. But when I am not logged in (and when retrieving that URL using wget) then Plone redirects me to the login page.

How do I tell Plone that I want to allow anonymous access to that URL/action? The action itself (in code) is defined in Products/HumaineMailman/skins/mailman_autolist_update.py.

Thanks in advance!

+2  A: 

Figure out what permission is protecting that page, and give that permission to the Anonymous role in the Plone root.

Lennart Regebro
It didn't solve it for me, but it did point me in the right direction. Thanks.
Sander Marechal
A: 

HumaineMailman needs ManagePortal permissions. Those are too much to give to Anonymous, so Lennart's answer didn't solve it for me. Instead, I edited HumaineMailman and redeclared the respective function calls as public. This is a slight security risk though. My Plone is behind an Apache proxy, so I compensated by only allowing access to the member list from localhost (where the wget synchronisation script and Mailman itself are running as well).

Sander Marechal
A: 

There are a couple of ways to address this without Apache or redeclaring security (which would make me nervous too):

http://www.example.org:8080/[email protected]&password=secret&__ac_name=**USERNAME**&__ac_password=**PASSWORD**&pwd_empty=0&cookies_enabled=1&js_enabled=0&form.submitted=1"

I frequently use this trick in scripts with a special user that only does "services". There is also an HTTP Auth trick that looks like http://USERNAME:PASSWORD@www.example.org/[email protected]&password=secret which may or may not be supported depending on your client lib.

Alternatively, if that code is running in a (script) Python then you can add a metadata file (myScript.py.metadata) and give that script a proxy permission of Manager, i.e.

[default]
title = Do something useful in the c/py that requires elevated privs
proxy = Manager
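
Added example (not part of the answers above and not HumaineMailman's own code): a sync-side fetcher for the service-user approach that sends the credentials in a Basic Authorization header instead of the URL, and rejects anything that is not an address list, such as the login page Plone redirects to, before it can reach sync_members. It assumes the site accepts HTTP Basic auth and that the list is one address per line; the function names and command-line arguments are hypothetical.

```python
"""Added example: fetch the member list as a service user and validate it
before handing it to Mailman's sync_members."""
import base64
import re
import sys
import urllib.request

# Assumption: the action returns plain text, one e-mail address per line.
ADDRESS = re.compile(r"^[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+$")


def build_request(url, user, password):
    """Put the credentials in an Authorization header rather than the query
    string, so they stay out of proxy and access logs."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(url, headers={"Authorization": "Basic " + token})


def parse_member_list(body):
    """Return the addresses, or raise ValueError when the body is not a member
    list (e.g. the HTML login form served after a failed login)."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    bad = [ln for ln in lines if not ADDRESS.match(ln)]
    if bad:
        raise ValueError("not an address list, first bad line: %r" % bad[0][:60])
    if not lines:
        # Conservative choice for this example: never sync an empty list.
        raise ValueError("empty member list; refusing to sync")
    return lines


def fetch_members(url, user, password):
    # urllib follows the redirect to the login page; validation catches it.
    req = build_request(url, user, password)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_member_list(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Hypothetical CLI: fetch_members.py URL USER PASSWORD_FILE
    url, user, pw_file = sys.argv[1:4]
    with open(pw_file) as fh:
        password = fh.read().strip()
    print("\n".join(fetch_members(url, user, password)))
```

The script exits with a traceback instead of printing anything when validation fails, so a pipeline feeding its output to sync_members never sees a login page as a member list.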