I'm using JIRA to manage a Scrum Development Project and I've observed that JIRA can send invitations by email to anyone, even if that user has not been created using the corresponding functionality (user management). Then, when the invited person logs in, a user is created as a jira-software-users group member. Under these conditions JIRA lets any invited person explore, create issues (for any project that exists), and search issues.
Don't you think that this functionality is too open? I mean, the invitation itself lets the user alter the present configuration (product backlog) of a project. From my point of view this invitation needs to be limited and associated with a specific project so that the user cannot alter configurations so easily. Otherwise, our appreciated invitee could create chaos in our projects.