I created several users with my email address. The first was noaa.test.user. I was able to submit email through the email handler and not surprisingly the reporter was noaa.test.user.
So I removed authorizations from noaa.test.user. I removed access to JIRA and all group memberships.
Now the email handler is ignoring email messages from my address, even though I still have authorized users with that address.
I have demonstrated that I can fix the problem by changing the email address of the unauthorized users to an address that will never match any incoming messages. Then the address of an authorized user will be found. This is an adequate solution, so you can close this issue.
But... it seems like a bug to me, you may want to notify the developers.
I agree, surprising behavior with easy alternative, I'd say that's a bug.
This also hints at a larger underlying issue, namely, that JIRA doesn't validate emails at all. If an issue is hidden to one user, but visible to another, you could possibly leak the issue's description or other details by sending an email to JIRA APPEARING to be from the authorized user, and also CCing yourself or an address JIRA doesn't know about (I think? I forget which functionality is built into JIRA and which comes from our plugins).
Long story short, comments made via email can't really be trusted at all and no permissions for things that come from email can really be enforced either, against a malicious user.
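The two points raised in this thread, as an added example that is not JIRA's code or part of either post: a resolver that skips deactivated accounts sharing an address, and that treats the From header as unverified unless the receiving mail server has vouched for it. The user list, the host name `mx.example.org`, the function names and the reliance on an `Authentication-Results` header stamped by your own MTA are all assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.org"  # assumption: authserv-id of our own inbound MTA
USERS = [  # constructed directory: two accounts share one address, as in the thread
    {"name": "noaa.test.user", "email": "me@example.org", "active": False},
    {"name": "second.user", "email": "me@example.org", "active": True},
]

def first_match_reporter(addr):
    """Model of the reported behaviour: the first account with the address wins."""
    user = next((u for u in USERS if u["email"] == addr), None)
    return user["name"] if user and user["active"] else None

def sender_authenticated(msg, from_domain):
    """True only if our own MTA recorded dmarc=pass for the From domain."""
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.split() for p in value.lower().split(";")]
        if not parts[0] or parts[0][0] != TRUSTED_AUTHSERV:
            continue  # stamped by some other host, so anyone could have added it
        for tokens in parts[1:]:
            if tokens[:1] == ["dmarc=pass"] and f"header.from={from_domain}" in tokens:
                return True
    return False

def resolve_reporter(raw):
    """Map a message to an active account, or None if it must be rejected."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    if "@" not in addr or not sender_authenticated(msg, addr.rsplit("@", 1)[1]):
        return None  # From is only a claim until the MTA vouches for it
    # Consider every account with this address and skip deactivated ones.
    return next((u["name"] for u in USERS
                 if u["email"].lower() == addr and u["active"]), None)

# Constructed sample messages.
BODY = "From: Me <me@example.org>\nSubject: PROJ-1 comment\n\nhello\n"
VERIFIED = "Authentication-Results: mx.example.org; dmarc=pass header.from=example.org\n" + BODY
UNVERIFIED = BODY  # no verdict from our MTA
FOREIGN = "Authentication-Results: mail.example.net; dmarc=pass header.from=example.org\n" + BODY

if __name__ == "__main__":
    for label, raw in [("verified", VERIFIED), ("unverified", UNVERIFIED), ("foreign", FOREIGN)]:
        print(label, resolve_reporter(raw))
```

A DMARC pass vouches for the sending domain, not for the individual mailbox, and the inbound MTA must strip any `Authentication-Results` header that arrives already carrying its own authserv-id.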