Jira Data Center / JRASERVER-77680

Jira users without application access are able to add comments to existing issues via the Jira Mail Handler

Details

    Description

      Issue Summary

      The Jira Core Mail Handler (configured in ⚙ > System > Incoming Mail) handles Jira users who don't have application access (no license) inconsistently:

      • If a user without application access sends an email meant to create a new issue, the mail is rejected and the error below is logged, which is expected:
        Cannot create issue due to invalid license: [Sorry, you can't create any issues right now, as you need to have access to a Jira application to be able to create issues. To gain application access you need to be a member of a group assigned to an application.]

      • However, if the same user sends an email meant to add a comment to an existing issue, the mail is processed and the comment is added.

      In other words, Jira users without application access are able to add comments to existing issues via the Jira Mail Handler, while they are unable to create issues.

      The Jira Mail Handler should apply the same application-access check whether an email would create an issue or add a comment: if a Jira user does not have application access, the email should be rejected.

      Steps to replicate

      1. Create a Jira Mail Handler via the page ⚙ > System > Incoming Mail with the type Create a new issue or add a comment to an existing issue, and associate it with a Jira project
      2. Create a new Jira user without application access
      3. Create a new Jira issue in the project, and take note of its key
      4. Have the new Jira user send an email to the Mail Handler, mentioning the issue key in the subject of the email
      5. Wait for the email to be processed

      Expected behavior

      The email should be rejected, as is the case for any email meant to create a new Jira issue.

      Observed behavior

      The email is processed successfully, and its content is added as a comment to the existing issue, even though the user does not have application access.

      Notes

      Note 1

      Unlicensed Jira users can add a comment to existing Jira issues with all the Mail Handler types listed below:

      • Create a new issue or add a comment to an existing issue
      • Add a comment from the non quoted email body
      • Add a comment with the entire email body
      • Add a comment before a specified marker or separator in the email body

      Note 2

      The following statement, at the top of the documentation page Creating issues and comments from email, is misleading:

      Admins can configure Jira to receive and process emails. Jira can receive emails from licensed users to create issues or add comments and attachments to existing issues automatically.

      It implies that only licensed Jira users can create issues or add comments, which is not the case, since unlicensed users can add comments to existing issues.
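
      An added example, not part of the original report and not Atlassian's code: a Python audit that flags existing comments whose author currently has no application access, which is how comments accepted through the behavior described above would show up. The JSON is constructed sample data in the shape of the Jira Server REST API v2 user (`expand=applicationRoles`) and issue-comment responses; the user names and issue keys are made up.

```python
import json

# Constructed sample data, shaped like Jira Server REST API v2 responses.
# Users: GET /rest/api/2/user?username=<name>&expand=applicationRoles
USERS_JSON = """[
  {"name": "alice", "active": true,
   "applicationRoles": {"size": 1, "items": [{"key": "jira-software"}]}},
  {"name": "mallory", "active": true,
   "applicationRoles": {"size": 0, "items": []}}
]"""
# Comments: GET /rest/api/2/issue/<key>/comment, grouped here by issue key.
COMMENTS_JSON = """{
  "DEMO-1": [
    {"id": "10001", "author": {"name": "alice"}, "created": "2024-05-01T09:00:00.000+0000"},
    {"id": "10002", "author": {"name": "mallory"}, "created": "2024-05-02T10:30:00.000+0000"}
  ],
  "DEMO-2": [
    {"id": "10003", "author": {"name": "ghost"}, "created": "2024-05-03T11:00:00.000+0000"}
  ]
}"""


def has_application_access(user):
    """True if the user record lists at least one application role."""
    return len(user.get("applicationRoles", {}).get("items", [])) > 0


def audit_comments(users, comments_by_issue):
    """Return (issue_key, comment_id, author, reason) for suspect comments."""
    by_name = {u["name"]: u for u in users}
    findings = []
    for issue_key, comments in sorted(comments_by_issue.items()):
        for c in comments:
            author = (c.get("author") or {}).get("name")
            user = by_name.get(author)
            if user is None:
                # Author missing from the user export: cannot be cleared, so report it.
                findings.append((issue_key, c["id"], author, "unknown-user"))
            elif not has_application_access(user):
                findings.append((issue_key, c["id"], author, "no-application-access"))
    return findings


if __name__ == "__main__":
    for row in audit_comments(json.loads(USERS_JSON), json.loads(COMMENTS_JSON)):
        print(*row, sep="\t")
```

      A finding only shows that the author has no application access now; access may have been removed after the comment was posted, so compare the comment's `created` timestamp with the user's group membership history before treating it as a mail-handler comment.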

          People

            Unassigned Unassigned
            jrey Julien Rey