>>> I have noticed that resend does admin and taboo checks before checking that
>>> the submitter is allowed to post. Isn't this backwards? I'm planning on
>>> switching the order in my resend, and wondered if there was some reason the
>>> checks were done in the current order?
>> Yeah, because there could be an approved header or line hiding in
>> there someplace that would allow a "taboo" message to be sent...
> But a valid "Approved:" _should_ allow a taboo message to be sent...
> "Approved:" with a valid password should override almost any rejection,
> other than perhaps something fundamentally broken in the message
> (unbalanced "<" and ">" in an address, for example).
> I don't think Paul is talking about the "Approved:" header checks; I think
> he's talking about the "is member of magic list of posters" checks, though
> I don't have the code available at the moment to check (I'm working offline
> from my Mac in a hotel room in Minneapolis). For instance, the checks that
> allow you to create a list to which only subscribers can post by setting
> the approved-posters to be the list itself.
> If that _is_ what Paul's talking about, then I think the code is already in
> the right order, and should not be changed. Messages that trip the taboo
> and administrivia checks should require an explicit "Approved:" header and
> password, regardless of who they come from.
Yes, that's what I'm talking about. But the order I'm talking about
is the order of the admin checks and the restrict-post checks. I don't
understand what you thought I meant.
It makes sense to check if the poster has any rights to be there at all
before checking to see if they used any naughty words in their post, for
example. This is NOT how majordomo does things today, and that's what I
think is broken. Of course, if the message is approved, this is all moot.
Find out who we're talking to, then find out if there are problems with
the post. The way resend is written today makes this very difficult and
Paul Close <email@example.com> http://reality.sgi.com/pdc
No fate but what we make
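
The check order argued for in this thread, written out as an added example (this is not majordomo's resend code and not code from any of the posters). The function name, addresses, password and patterns are all assumptions made for illustration, and a wrong password is simply treated here as no override.

```python
import hmac
import re

# Constructed sample configuration (assumptions, not majordomo defaults).
LIST_PASSWORD = "example-passwd"
ALLOWED_POSTERS = {"alice@example.org", "bob@example.org"}  # restrict-post list
ADMIN_BODY = [re.compile(r"^\s*(un)?subscribe\b", re.I | re.M)]
TABOO_BODY = [re.compile(r"\bnaughty\b", re.I)]


def check_message(sender, headers, body):
    """Return (decision, reason) for one submission.

    Order of checks:
      1. A valid Approved: password overrides every rejection below.
      2. Identify the poster: is the sender allowed to post at all?
      3. Only then inspect the content (administrivia, taboo).
    Members who trip step 3 still bounce unless step 1 succeeded.
    """
    approved = headers.get("Approved")
    if approved is not None and hmac.compare_digest(
        approved.encode(), LIST_PASSWORD.encode()
    ):
        return ("deliver", "approved")

    if sender.strip().lower() not in ALLOWED_POSTERS:
        return ("bounce", "sender not allowed to post")

    if any(p.search(body) for p in ADMIN_BODY):
        return ("bounce", "administrivia")
    if any(p.search(body) for p in TABOO_BODY):
        return ("bounce", "taboo")

    return ("deliver", "ok")


if __name__ == "__main__":
    # Constructed sample submissions.
    samples = [
        ("mallory@example.net", {}, "a naughty post"),
        ("alice@example.org", {}, "a naughty post"),
        ("alice@example.org", {"Approved": LIST_PASSWORD}, "a naughty post"),
        ("alice@example.org", {}, "hello list"),
    ]
    for sender, headers, body in samples:
        print(sender, check_message(sender, headers, body))
```

With this order, a non-member whose message also contains a taboo word is bounced for who they are rather than for what they wrote, so the list owner sees the more fundamental reason first.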