Avoid NotAMemberError in CSRF check from user options page.

2 files changed, 18 insertions, 11 deletions

diff --git a/Mailman/Cgi/options.py b/Mailman/Cgi/options.py
index 3db0a172..af6e3add 100644
--- a/Mailman/Cgi/options.py
+++ b/Mailman/Cgi/options.py
@@ -156,17 +156,6 @@ def main():
         else:
             user = user[-1].strip()
 
-    # Avoid cross-site scripting attacks
-    if set(params) - set(safe_params):
-        csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'),
-                                  Utils.UnobscureEmail(urllib.unquote(user)))
-    else:
-        csrf_checked = True
-    # if password is present, void cookie to force password authentication.
-    if cgidata.getfirst('password'):
-        os.environ['HTTP_COOKIE'] = ''
-        csrf_checked = True
-
     safeuser = Utils.websafe(user)
     try:
         Utils.ValidateEmail(user)
@@ -183,6 +172,17 @@ def main():
         print doc.Format()
         return
 
+    # Avoid cross-site scripting attacks
+    if set(params) - set(safe_params):
+        csrf_checked = csrf_check(mlist, cgidata.getfirst('csrf_token'),
+                                  Utils.UnobscureEmail(urllib.unquote(user)))
+    else:
+        csrf_checked = True
+    # if password is present, void cookie to force password authentication.
+    if cgidata.getfirst('password'):
+        os.environ['HTTP_COOKIE'] = ''
+        csrf_checked = True
+
     # Find the case preserved email address (the one the user subscribed with)
     lcuser = user.lower()
     try:
diff --git a/NEWS b/NEWS
index 3ccc4c76..8b874ee2 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,13 @@ Copyright (C) 1998-2020 by the Free Software Foundation, Inc.
 
 Here is a history of user visible changes to Mailman.
 
+2.1.38 (xx-xxx-xxxx)
+
+  Bug Fixes and other patches
+
+    - NotAMemberError exception from the user options page when the user has
+      been asynchronously unsubscribed is fixed.  (LP: #1951769)
+
 2.1.37 (12-Nov-2021)
 
   Bug Fixes and other patches