-
Type:
Bug
-
Resolution: Low Engagement
-
Priority:
Medium
-
None
-
Affects Version/s: 6.9.1
-
Component/s: Server - Mail Archiving
-
1
-
Severity 2 - Major
Summary of Issue
When the Confluence Mail Archiving Plugin is creating pages from Emails, it is:
- Recording attachments by a random user (i.e. that user is not the email sender)
- Users watching the Space are then sent an email notification that an attachment was added to a page (however, a notification was never sent about the original page created from the email so we shouldn't get an email notification from the attachments processing)
How to reproduce
- Install fresh Confluence 6.9.1
- Add two additional users outside of the Admin account with valid external email addresses (e.g. USER1, USER2)
- Login as USER1 and USER2 and watch the Space that the Confluence Mail Archiving will be enabled on (e.g. Product Development Space)
- To activate the Email Archive Add-on:
- Enable Confluence Mail Archiving Plugin system add-on in Confluence Administration » Add-Ons (click Show All)
- Navigate to Space Administration of the Product Development space » Integration » Setup a new Pop or Imap to your incoming Mail Box
- Send an email to the Pop server with an attachment
- Wait for the email to be processed into Confluence and check the Email turned into a Page
- In my local instance:
- I will only see attachments attached by Anonymous
- Confluence notifies all users watching the Space of an attachment made to the Email Generated Page (but Confluence did not send an email when the Email was converted to a Page in the first place)
Investigation conducted
- Attachments by the Confluence Mail Archiving Plugin are added to the Confluence page as such:
public void saveNewAttachment(Attachment attachment, InputStream attachmentData) { ... attachment.setCreator(AuthenticatedUserThreadLocal.get()); ... }public void saveNewAttachmentVersion(Attachment attachment, Attachment previousVersion, InputStream attachmentData) { ... attachment.setCreator(AuthenticatedUserThreadLocal.get()); ... }- So in summary, the creator of the attachment is set to the AuthenticatedUserThreadLocal.get() - it should be set to the current login user
- However, as it is a "scheduled job" that polls for emails - there is no current user on the "Scheduled job" thread unless something is setting it
Suspicion is that a third party add-on is setting a user into AuthenticatedUserThreadLocal so when the scheduler thread retrieves the User, it is pulling back a random user each time.
Add-on responsible for setting the AuthenticatedUserThreadLocal at this stage has been unconfirmed.
Expected results
- The attachments should either be Anonymous or at least match the Email Sender
- As we don't send email notifications when the Email is converted to a Confluence page, Confluence shouldn't be sending an email notification that emails were added to the page