Currently Smart Commits parses every commit message and executes any actions as the author of that commit. This means a malicious person given access to your codebase can act as another user for Smart Commit actions, and instances that don't have this level of trust in the people writing their code can't use Smart Commits.

This suggestion is to introduce an option that will only execute actions on commits where the author's email address matches the email address of the Bitbucket Server user doing the push.

This means a pusher can't maliciously attribute actions to others, but also means that if a pusher is the first person to push someone else's commits to Bitbucket Server, those commits will never have their actions run.

Workaround

Bitbucket Server 5.0 includes the "Verify committer" repository hook that ensures all new commits are authored by the person pushing them. If you enable this hook, the pusher will not be able to perform actions on behalf of other users by faking commit data.