I've been working with the mlm module lately for supporting multiple mailing lists on my site. First, way to go with this module!!! It's awesome for those who use ezmlm (since that's the only mailing list currently supported). After a few hours of learning I got it working perfectly.

For those trying to get it to work with ezmlm, you have to make sure you have MySQL support compiled into your ezmlm binaries. You also have to make sure your default database connection in settings.php has the ['default'] setting. The mlm module uses its own ezmlm-idx to read and write directly to the ezmlm db. This is way cool... HOWEVER.

Here is an issue I found with the code. Because the module reads/writes directly to/from the db, it bypasses the standard ezmlm verification process for anonymous users. What this means is, if the mlm node is published and accessible by anonymous users, ANYONE can go to that node then input ANY EMAIL ADDRESS AND HAVE IT AUTOMATICALLY SUBSCRIBED to the specified mailing list. Uh oh!!!!! Is it just me or is there some other way to prevent this?

Currently, the only way to avoid this is to use some type of node access control - and prevent anonymous users from submitting email addresses. Not my preferred option since it requires an additional module.

The preferred option is to modify the code and make the subscribe function in mlm.module follow standard mailing list subscription procedures for anon users (e.g. if $user->uid == 0, then use mimemail to send a subscribe email to the list itself, not simply add the address to the db). This would be coded as a function call to the backend being used, where the listname-subscribe@example.com email should be sent if the user is anonymous.

Since I'm working on my site and I just needed a quick fix, here is what I did to the mlm_subscribe() function in mlm.module:

function mlm_subscribe($list, $mail, $type = 'subscriber', $notify = false, $batch = false) {
  global $user;  // the current Drupal user; without this, $user is undefined inside the function

  if ($user->uid != 0) {
    // Batch form: a plain array of addresses, each subscribed in turn.
    if (is_array($mail) && !isset($mail['mail'])) {
      $res = true;
      foreach ($mail as $m) {
        $res = mlm_subscribe($list, $m, $type, $notify, true) && $res;
      }
      return $res;
    }

    if (is_object($mail)) $mail = $mail->mail;  // you can use an address or a $user object

    // Authenticated users are written straight to the backend (the ezmlm db), as before.
    if ($res = mlm_backend_call($list->mlm_backend, 'subscribe', $list, $mail, $type)) {
      if (!$batch) {
        drupal_set_message(t('%mail subscribed to %list', array('%mail' => $mail, '%list' => $list->title)));
      }
      if ($notify && $body = $list->mlm_text->welcome) {
        mimemail(null, $mail, t('Subscribed to "%list"', array('%list' => $list->title)), $body);
      }
    }
    return $res;
  }
  else {
    // Anonymous users never reach the backend; they are sent to a node explaining how to subscribe.
    drupal_goto('node/1'); // you should use a variable_get of a user specified node
  }
}

When I get some more time I'll write a patch to ezmlm-idx.inc and mlm.module to send a subscribe email to the list rather than writing the email address to the db and sending out a confirmation email.

If this isn't a bug then please advise. From where I'm sitting right now, this is a security issue. Of course, since there is no official branch for this module, it may be an oversight.

Comments

mattman:

Oh, one more thing... Please note that I am aware of the permissions control you can exercise on "subscribe to mailing lists" (e.g. don't allow anonymous users to subscribe) within Access Control. My goal, however, is to allow anonymous users to subscribe to mailing lists without having to create a login account. In that sense, this probably isn't a "critical" bug, but more of an alteration in implementation. I don't know how many people want to allow users to subscribe to mailing lists without having to get an account on the site, but I do.

allie micka:

Title: Bad subscribe implementation » Subscription workflow

True that.

I consider this a feature, but, as you say, it can also be a problem.

In many announcement-style lists, you do not want to interfere with someone's ability to (un)subscribe immediately. Getting them to agree to be subscribed is a barrier and a source of confusion, and double-opting-OUT is even hairier! For this reason, I've typically used the "jump" flags when setting up new ezmlm lists, and do not consider this to be problematic behavior.

However, ezmlm is also useful for discussion lists. Because we're using the same interface for all lists, the behavior carries over. If I'm annoyed by what someone has to say on a mailing list, I can visit the site and unsubscribe him. Worse, I could key in a whole bunch of email addresses, and then launch a spammy post (because discussion lists generally allow posts by all subscribers).

The streamlined workflow that suits announcement lists definitely causes problems for discussion lists. So I wouldn't call it "bad", but it definitely needs work :)

A healthy compromise is to add the functionality you describe, but make it optional. If the list type is "discussion" then make the listname-subscribe@example.com behavior the default. If the list type is "announcement" then make this option available but not selected by default.

If it's not already in use, we should use some of Drupal's built-in flood control to limit subscription requests overall.
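The workflow proposed in the original post (for anonymous visitors, send the request to the list's own subscribe address so that ezmlm runs its confirmation step instead of writing the address to the db) combined with the flood control suggested just above, as an added example written for this thread. It is not code from the mlm module or its maintainers. It assumes mlm_backend_call(), mimemail(), $list->mlm_backend and $list->mlm_text->welcome as they appear in the function posted above; $list->mlm_address (the list's posting address, e.g. news@example.com), the function name mlm_subscribe_hardened() and the hourly threshold are assumptions; flood_is_allowed(), flood_register_event() and valid_email_address() are assumed to be the Drupal core functions of that name.

```php
<?php
// Added example for this thread, not mlm module code. Hardened replacement for
// mlm_subscribe(): authenticated users still go straight to the backend, but
// anonymous visitors are handed to ezmlm's own subscribe address, so ezmlm mails
// its confirmation request to the target address and nothing is subscribed until
// the owner of that address answers. Assumed names: $list->mlm_address (the
// list's posting address), MLM_ANON_HOURLY_LIMIT and mlm_subscribe_hardened().

define('MLM_ANON_HOURLY_LIMIT', 5);   // assumed threshold: requests per hour per client IP

/**
 * Build ezmlm's "subscribe this address" command address.
 *
 * ezmlm handles list-subscribe-user=host@listhost by mailing a confirmation
 * request to user@host; the '@' of the subscriber is written as '=' in the
 * local part, which is ezmlm's addressing convention.
 */
function mlm_ezmlm_subscribe_address($list_address, $subscriber) {
  list($local, $host) = explode('@', $list_address, 2);
  return $local . '-subscribe-' . str_replace('@', '=', $subscriber) . '@' . $host;
}

function mlm_subscribe_hardened($list, $mail, $type = 'subscriber', $notify = FALSE, $batch = FALSE) {
  global $user;

  // Batch form: a plain array of addresses, each handled (and throttled) on its own.
  if (is_array($mail) && !isset($mail['mail'])) {
    $res = TRUE;
    foreach ($mail as $m) {
      $res = mlm_subscribe_hardened($list, $m, $type, $notify, TRUE) && $res;
    }
    return $res;
  }
  if (is_object($mail)) {
    $mail = $mail->mail;   // accept an address or a $user object
  }

  // Reject anything that is not one well-formed address before it can reach ezmlm
  // or the database; the original code passed the value through untouched.
  if (!is_string($mail) || !valid_email_address($mail)) {
    drupal_set_message(t('The supplied e-mail address is not valid.'), 'error');
    return FALSE;
  }

  if ($user->uid == 0) {
    // Anonymous: throttle per client IP (flood_* records $_SERVER['REMOTE_ADDR']),
    // then let ezmlm run its double opt-in rather than adding the address directly.
    if (!flood_is_allowed('mlm_anon_subscribe', MLM_ANON_HOURLY_LIMIT)) {
      drupal_set_message(t('Too many subscription requests from your address; please try again later.'), 'error');
      return FALSE;
    }
    flood_register_event('mlm_anon_subscribe');

    $to = mlm_ezmlm_subscribe_address($list->mlm_address, $mail);
    // mimemail() is assumed to return a true value once the message is handed to the MTA.
    $ok = (bool) mimemail(NULL, $to, t('subscribe'), t('subscribe'));
    if ($ok && !$batch) {
      drupal_set_message(t('A confirmation request has been sent to %mail; the subscription takes effect only after it is answered.', array('%mail' => $mail)));
    }
    return $ok;
  }

  // Authenticated: direct backend write, exactly as the original module does.
  if ($res = mlm_backend_call($list->mlm_backend, 'subscribe', $list, $mail, $type)) {
    if (!$batch) {
      drupal_set_message(t('%mail subscribed to %list', array('%mail' => $mail, '%list' => $list->title)));
    }
    if ($notify && $body = $list->mlm_text->welcome) {
      mimemail(NULL, $mail, t('Subscribed to "%list"', array('%list' => $list->title)), $body);
    }
  }
  return $res;
}
```

With this in place the worst an anonymous visitor can do is cause ezmlm to send one confirmation request per address they type, which is why the flood check sits in front of the mail call: without it the form is still a way to make the list host mail arbitrary third parties on demand. The per-list choice allie describes (immediate "jump"-style subscription for announcement lists, confirmation for discussion lists) fits naturally as a flag on $list that gates the anonymous branch; lists without the flag should default to the confirming path, since that is the side that fails safe.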

mattman:

I totally agree with you! It was a bad choice to use the word "bad" within my title. After reviewing my own post, I realized that not too many people are likely to choose to allow anonymous users to subscribe to a list.

In my situation, a mailing list, even an announcement type, is primarily a marketing communication tool. This means it's desirable to allow someone to get on the list even if they're not registered. The verification process (such as editing the text/sub-confirm file) also serves as a chance to provide additional marketing information.

As I mentioned in my original post, I'll work on a patch that will implement this feature (since I need it for myself). As a side question: do you have plans to migrate to 5.0? I'm glad the module is coded for 4.7. I'll still be working with 4.7 because of my mix of modules, but eventually I'll move to 5.0 for the jQuery support (unless I use the patches for 4.7).

And here's a cool tip for anyone using this module (should you find these comments). When you're using clean URLs, it's a great idea to make a URL alias that points to the /mlm path, where users can subscribe or unsubscribe. You set your ezmlm list to use the trailer file and specify something like this:

Click this url to unsubscribe from this list http://www.<#H#>/unsubscribe/<#L#>/

This will translate into something like http://www.example.com/unsubscribe/listname/. Even if you don't alias a path to /unsubscribe/listname, Drupal's menu system will default to the /unsubscribe path, which will go to the /mlm path where a user can sign off. VERY COOL!

allie micka:

Title: Subscription workflow » Subscription workflow ( double opt-in via web interface )

See also: http://drupal.org/node/108054

Thanks for your notes and work thus far, mattman! I'm renaming this issue and citing your original patch.