Problems with showing private lists on the preferences page
A problem raised in the user forum https://discuss.phplist.org/t/showing-private-lists-seems-to-be-broken/6031 seems to show this earlier commit doesn't work as intended
https://github.com/phpList/phplist3/pull/559
In "normal" processing a subscribe page can include only public lists. Once a list is associated with a subscribe page it cannot be changed to private. It needs to be removed from the subscribe page first. The pull request seems to be unnecessary in this case.
By using the config setting PREFERENCEPAGE_SHOW_PRIVATE_LISTS the preferences page can show any private lists to which the subscriber belongs. The earlier pull request breaks the preferences page in this case.
@xh3n1 can you remember the specific problem that the pull request was trying to address? I guess someone could try to spoof a subscribe or preferences submission to include a private list. If that is the problem then it needs a bit more thought.
Hey @bramley,
As far as I can recall, I was trying to resolve a security issue by preventing subscribers from subscribing to private lists. The vulnerability would allow anyone to add themselves to private subscriber lists and receive emails sent to them. I don't think I was aware of the PREFERENCEPAGE_SHOW_PRIVATE_LISTS config; maybe @suelaP has more feedback.
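
The check discussed in this thread, as an added example that is not phpList's own code: submitted list ids are validated server-side against an allow-list, where a subscribe page accepts only its public lists and a preferences page additionally accepts private lists the subscriber already belongs to. All function names, array shapes and sample data are hypothetical; only the PREFERENCEPAGE_SHOW_PRIVATE_LISTS setting comes from the thread, represented here by the `$showPrivateLists` argument.

```php
<?php
// Added illustration, not phpList code. All names below are hypothetical.

/**
 * Return the list ids a submission may contain.
 * $lists: id => ['public' => bool]; $pageListIds: lists attached to the page;
 * $memberships: lists the subscriber already belongs to (empty if new).
 */
function allowedListIds(array $lists, array $pageListIds, array $memberships,
                        bool $isPreferencesPage, bool $showPrivateLists): array
{
    $allowed = [];
    foreach ($pageListIds as $id) {
        // A subscribe page offers public lists only.
        if (isset($lists[$id]) && $lists[$id]['public']) {
            $allowed[$id] = true;
        }
    }
    if ($isPreferencesPage && $showPrivateLists) {
        // Private lists are acceptable only for existing members.
        foreach ($memberships as $id) {
            if (isset($lists[$id])) {
                $allowed[$id] = true;
            }
        }
    }
    return array_keys($allowed);
}

/** Split submitted ids into accepted and rejected; the form is untrusted. */
function filterSubmittedLists(array $submitted, array $allowed): array
{
    $submitted = array_unique(array_map('intval', $submitted));
    return [
        'accepted' => array_values(array_intersect($submitted, $allowed)),
        'rejected' => array_values(array_diff($submitted, $allowed)),
    ];
}

// Constructed sample data: list 1 is public, lists 2 and 3 are private.
$lists = [1 => ['public' => true], 2 => ['public' => false], 3 => ['public' => false]];
$posted = ['1', '2', '3'];   // constructed POST values; 3 is not offered to this subscriber

// Preferences page, subscriber already on lists 1 and 2.
print_r(filterSubmittedLists($posted, allowedListIds($lists, [1], [1, 2], true, true)));
// Subscribe page, new subscriber: only the page's public list passes.
print_r(filterSubmittedLists($posted, allowedListIds($lists, [1], [], false, true)));
```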