[JRASERVER-19874] CreateOrCommentHandler should fall back to defaultreporter if email user does not have permissions to perform operation

      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      With the current mail handler, if Jira receives an email whose address is associated with a user that does not have permission to comment or create issues, the email is rejected. However, if the address is not associated with any user, and the handler has a reporterusername, then the comment will be added as that default user.

      This ends in the absurd situation where a non-existent user can add comments to a case, but an existing user cannot. This user could then create a bogus email account to add comments to the issue.

      In my understanding, the logic of the handleMessage/getReporter mail handlers should be changed. For the previous case (existing user but no permissions) the logic should be:

      1. Get user from email
      2. If user exists, check if user has permission to perform operation
      3. If no permissions, fall back to reporterusername

      I am aware that JRA-16786 was raised in the past with a similar request, and the functionality was claimed to be like that by design. However, I think the situation I describe is a flaw in that design.

      If the logic was as described before, we could have avoided creating the proxy commenter for SAC to fix JRA-15431. The proxy commenter performs the logic as described before (with some additional magic).
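
A small Python model of the current and the proposed sender resolution described in the report above, added here as an illustration; it is not Jira's handler code. The user directory, the permission set, the `mailbot` account and the function names are constructed for the example, and `reporterusername` stands for the handler parameter named in the report.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data, not taken from any real Jira instance.
USERS_BY_EMAIL = {"alice@example.com": "alice", "bob@example.com": "bob"}
CAN_CREATE_OR_COMMENT = {"alice", "mailbot"}  # permissions in the target project


@dataclass(frozen=True)
class Decision:
    accepted: bool
    acting_user: Optional[str]  # account the issue/comment is attributed to
    original_sender: str        # From: address, kept for traceability
    fell_back: bool = False


def _fallback(sender: str, reporterusername: Optional[str]) -> Decision:
    # Assumption: the default reporter must itself hold the permission.
    if reporterusername in CAN_CREATE_OR_COMMENT:
        return Decision(True, reporterusername, sender, fell_back=True)
    return Decision(False, None, sender)


def resolve_current(sender: str, reporterusername: Optional[str]) -> Decision:
    """Behaviour the report describes: a known user never falls back."""
    user = USERS_BY_EMAIL.get(sender.lower())
    if user is None:
        return _fallback(sender, reporterusername)
    if user in CAN_CREATE_OR_COMMENT:
        return Decision(True, user, sender)
    return Decision(False, None, sender)  # existing user, no permission


def resolve_proposed(sender: str, reporterusername: Optional[str]) -> Decision:
    """Steps 1-3 of the proposal: fall back when the mapped user lacks permission."""
    user = USERS_BY_EMAIL.get(sender.lower())                # 1. get user from email
    if user is not None and user in CAN_CREATE_OR_COMMENT:   # 2. check permission
        return Decision(True, user, sender)
    return _fallback(sender, reporterusername)               # 3. fall back


def compare(sender: str, reporterusername: Optional[str] = "mailbot"):
    """Return (current, proposed) decisions for one sender address."""
    return (resolve_current(sender, reporterusername),
            resolve_proposed(sender, reporterusername))
```

Under either policy the default reporter's rights are what any unmapped sender receives, so that account should hold no more than create/comment permission in the mail-fed project, and `fell_back` together with `original_sender` is what an audit trail would record.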

            Thanks for taking the time to raise this issue.

            Due to the large volume of JIRA feature suggestions, we have to prioritise our development efforts. In part, that means concentrating on those issues that resonate the most with our users.

            I am writing this note to advise you that we have decided to close your Suggestion as it has not gained traction on jira.atlassian.com. We believe being upfront and direct with you will assist you in your decision making rather than believing Atlassian will eventually address this issue.

            Thank you again for your suggestion and if you have any concerns or questions, please don’t hesitate to email me.
            Kind Regards,
            Kerrod Williams
            JIRA Product Management
            kerrod.williams at atlassian dot com

            Thomas Hirsch added a comment - +1 for the previous comment. - Any chance to get this feature? Should really be a small thing.

            Michael Puskar added a comment - We have launched a new website where you can comment on the site, for things like inaccurate content, rendering problems, broken links, etc. This feedback form is accessible to anyone. If the person sending feedback happens to also exist in our jira installation, for a completely separate project, their feedback is rejected because they don't have permission to create issues/comment on this particular project. The only solution right now is to give all jira users create issue/comment right to the project collecting the email. Ours seems to be a very legitimate use case and I hope Atlassian will take some time to fix this. The solution proposed by Diego Alonso would be great.

            Andy Brook (Javahollic Software) added a comment - If you look at JEMH, in addition to just creating issues by email, even when the 'defaultUser' is used as a fallback scenario, the from: address can be stored in a CustomField, adding some traceability, also, such emails can be stamped as 'created by email' to give readers some caution. Granted we are relying on smtp mail which can be spoofed, but still.

              Assignee: Unassigned
              Reporter: Diego Alonso [Atlassian]
              Votes: 4
              Watchers: 5