Not able to substitute user login with admin login

Bug #266004 reported by Berndts-users
Affects: GNU Mailman | Status: Fix Released | Importance: Medium | Assigned to: Unassigned | Milestone: (not set)

Bug Description

As a site or list admin I sometimes want to view the private
archives of a mailing list. This was possible without problems in
older Mailman installations. Mailman 2.1 rejects my login attempts.

I even found the reason for the problem: For example in
Mailman/Cgi/private.py (nearly the same code exists in roster.py)
the authentication is done by calling the following code in line 116:

<code>
if not mlist.WebAuthenticate((mm_cfg.AuthUser,
                              mm_cfg.AuthListModerator,
                              mm_cfg.AuthListAdmin,
                              mm_cfg.AuthSiteAdmin),
                             password, username):
</code>

If I try to login with the site password I do not enter a username.
Keep this in mind :)

In <code>WebAuthenticate</code> (found in SecurityManager.py, l. 203)
the authcontexts are passed to <code>Authenticate</code> (also in
SecurityManager.py, l. 124) if no cookie exists yet.
There the function <code>authenticateMember</code>
(OldStyleMemberships.py, l. 105) is called (l. 195) for the first entry
in authcontexts (AuthUser) and calls <code>getMemberPassword</code>
(OldStyleMemberships.py, l. 99) which raises an
<code>Errors.NotAMemberError</code> exception; that's ok as I did not
provide a username.
But: The exception is first handled in <code>WebAuthenticate</code>,
bypassing <code>Authenticate</code> where all possible authcontexts
should be given a try before returning a failure.

I submitted a patch (#864674) which puts a try-except-block around
the call of <code>authenticateMember</code> in
SecurityManager.py (l. 195) which prevents exiting the for-loop
before all possible authcontexts are checked.

[http://sourceforge.net/tracker/index.php?func=detail&aid=864676&group_id=103&atid=100103]
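The control-flow problem the report describes, as an added model that is not Mailman's own code: the class and function names below (ToyList, check_context, authenticate_before_fix, authenticate_after_fix, web_authenticate) are hypothetical stand-ins for the SecurityManager.py and OldStyleMemberships.py routines named above, and the Auth* constants are arbitrary values. The "before" loop lets NotAMemberError escape on the first authcontext, so the outer caller reports a failed login before the site-admin context is ever tried; the "after" loop wraps each context in try/except, as the submitted patch does, and a site password with no username then succeeds.

```python
"""Model of a multi-authcontext login loop where one context raises
instead of returning False. Added illustration; not Mailman code."""
import hashlib

# Hypothetical stand-ins for the mm_cfg.Auth* constants (values arbitrary).
AuthUser, AuthListModerator, AuthListAdmin, AuthSiteAdmin = range(1, 5)
UnAuthorized = 0


class NotAMemberError(Exception):
    """Raised when the username is not a list member (like Errors.NotAMemberError)."""


def _hash(secret):
    # Toy password hashing; a real system would use a salted, slow KDF.
    return hashlib.sha256(secret.encode()).hexdigest()


class ToyList:
    """Minimal mailing-list object: member passwords, a list-admin and a site password."""

    def __init__(self, members, admin_password, site_password):
        self._members = {u: _hash(p) for u, p in members.items()}
        self._admin = _hash(admin_password)
        self._site = _hash(site_password)

    def get_member_password(self, username):
        # Mirrors getMemberPassword: an unknown user raises, it does not return False.
        if username not in self._members:
            raise NotAMemberError(username)
        return self._members[username]

    def authenticate_member(self, username, password):
        return self.get_member_password(username) == _hash(password)

    def check_context(self, ac, password, username):
        """Return True if `password` satisfies authcontext `ac`."""
        if ac == AuthUser:
            return self.authenticate_member(username, password)
        if ac in (AuthListModerator, AuthListAdmin):
            return _hash(password) == self._admin
        if ac == AuthSiteAdmin:
            return _hash(password) == self._site
        return False


def authenticate_before_fix(mlist, authcontexts, password, username=None):
    """Loop as the report describes it: an exception in AuthUser escapes the loop,
    so the remaining authcontexts are never tried."""
    for ac in authcontexts:
        if mlist.check_context(ac, password, username):
            return ac
    return UnAuthorized


def authenticate_after_fix(mlist, authcontexts, password, username=None):
    """Same loop with try/except around each context check, so a failure in one
    context only means 'this context did not match'."""
    for ac in authcontexts:
        try:
            ok = mlist.check_context(ac, password, username)
        except NotAMemberError:
            ok = False
        if ok:
            return ac
    return UnAuthorized


def web_authenticate(authenticate, mlist, authcontexts, password, username=None):
    """Caller that, like WebAuthenticate, turns any escaping exception into a
    failed login instead of trying further contexts."""
    try:
        return authenticate(mlist, authcontexts, password, username)
    except NotAMemberError:
        return UnAuthorized


if __name__ == "__main__":
    contexts = (AuthUser, AuthListModerator, AuthListAdmin, AuthSiteAdmin)
    # Constructed sample data.
    mlist = ToyList({"alice@example.org": "alicepw"}, "adminpw", "sitepw")
    print("site login before fix:", web_authenticate(authenticate_before_fix, mlist, contexts, "sitepw"))
    print("site login after fix: ", web_authenticate(authenticate_after_fix, mlist, contexts, "sitepw"))
```

Running the block prints 0 (UnAuthorized) for the site login under the old loop and 4 (AuthSiteAdmin) under the fixed one; a member login with a valid username still works either way, which is why the bug only shows up for logins that omit the username.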

Tags: web-cgi
Berndts-users (berndts-users) wrote :

Sorry for the <code>-stuff. It makes the bug report hard to read -- I
intended the opposite :( I hoped it would work ... and found no
documentation about reporting bugs.
Stephan

Barry Warsaw (barry) wrote :

Thanks for the bug report and patch. This makes it into 2.1.4.
