There is no way to policy check a mailing list, and all the options are bad:
- Using the logged-out user will break mail for non-public installs, in the general case.
- Using the omnipotent user will turn mailing lists into a gaping policy hole.
- Using the actor will carry the issues in T6367 forward.
I think the cleanest solution here is to turn mailing lists into real users, similar to "Bot" users. These users would have all the restrictions that Bot users do, except that they would receive mail and they would be unable to use the Conduit API.
Then these users can be added to spaces and projects, included in policies, etc.
Some alternatives might be:
- Generalize Viewer and let other objects be viewers: I think this is a grotesque amount of effort for basically no benefit.
- Remove mailing lists entirely: I'd love to be able to do this but I think this functionality is important for too many installs.
- Stop formally supporting them and offer some kind of hack-around: Arguable, but I think a reasonable hack-around is probably about the same amount of work as sort-of-reasonable support. Particularly, we need to provide a way to migrate, which is most of the work.