From 60781c8fdd17c0c6b79276ecb77d4c0e21666342 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss
Date: Fri, 11 Apr 2014 23:24:58 +0200
Subject: [PATCH] Revert "Force-normalize user emails for list unsubscribe."
This reverts commit 84d77e72a59ce20615794ad9154e71339014da84 but keeps bug fix from commit b32a94b8b784a4ab4d4d2af47974b6ab0659a78f. Some external subscribers don't have an user account and hence needs to be able to unsubscribe to mailing list using their email address only. [Security] Env::v('del_member') is directly transmitted (through RPC) as the "user" param of "mlist.ApprovedDeleteMember(user)" (bin/lists.rpc.py function mass_unsubscribe line 491). Hence it relies on mailman to correctly handle this user-controlled input. This is why the content of "del_member" is not checked to be ASCII-only nor escaped. Mailman is supposed to take this value "as is".
Conflicts:
modules/lists.php
---
 modules/lists.php | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/modules/lists.php b/modules/lists.php
index b11a245..1683913 100644
--- a/modules/lists.php
+++ b/modules/lists.php
@@ -771,8 +771,12 @@ class ListsModule extends PLModule
 if (Env::has('del_member')) {
 S::assert_xsrf_token();
- if ($del_member = User::getSilent(Env::t('del_member'))) {
- $mlist->unsubscribeBulk(array($del_member->forlifeEmail()));
+ if (strpos(Env::v('del_member'), '@') === false) {
+ if ($del_member = User::getSilent(Env::t('del_member'))) {
+ $mlist->unsubscribeBulk(array($del_member->forlifeEmail()));
+ }
+ } else {
+ $mlist->unsubscribeBulk(array(Env::v('del_member')));
 }
 pl_redirect('lists/admin/'.$liste);
 }
 
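Review bot: The new `else` branch forwards the raw request value to `$mlist->unsubscribeBulk()` as soon as it contains an `@`, and the del_owner hunk below does the same for `removeOwner()`; `strpos(Env::v('del_member'), '@') === false` is the only test, so a malformed address, or a non-string value if Env::v can return one (not verifiable from the hunk), reaches the list backend unchanged. The commit message states that reliance on mailman explicitly, but the web layer is the natural place to pin the input to an address shape before it crosses the RPC boundary: `} elseif (filter_var(Env::v('del_member'), FILTER_VALIDATE_EMAIL) !== false) {` in place of `} else {`, which also rejects arrays because filter_var returns false for non-scalar input, and likewise for del_owner. Both hunks repeat the same lookup-or-literal logic, so a small private helper that resolves a request parameter to either the account's forlife email or the validated literal address would keep the two in step. The enclosing handler starts and ends outside the hunk.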
@@ -793,8 +797,12 @@ class ListsModule extends PLModule
 if (Env::has('del_owner')) {
 S::assert_xsrf_token();
- if ($del_owner = User::getSilent(Env::t('del_owner'))) {
- $mlist->removeOwner($del_owner->forlifeEmail());
+ if (strpos(Env::v('del_owner'), '@') === false) {
+ if ($del_owner = User::getSilent(Env::t('del_owner'))) {
+ $mlist->removeOwner($del_owner->forlifeEmail());
+ }
+ } else {
+ $mlist->removeOwner(Env::v('del_owner'));
 }
 pl_redirect('lists/admin/'.$liste);
 }
--
2.1.4