Configure JEMH Comment Creation to disregard security


Iv had a rather strange request for one of our Queues today, and am not sure whether it is doable in JIRA

I was wondering whether a User could add a comment to an issue (via email) if they don't have the security to see the ticket? Currently when users raise a ticket via email, they often CC other users in, and these users don't get view permissions, but sometimes they respond and there response should be logged as a comment. Even if the Comment is logged under some Anonymous user account, as long as the comment is actually logged correctly

Sorry if that didnt make sense


1 answer

1 accepted

0 votes
Accepted answer

AFAIK the security permissions are respected while comments are added via emails. So with the default mail handler this may not be possible.

But if these people in Cc are not Jira users, then if defaultReporter is specified in email configuration, Jira actually adds their comments under the name of defaultReporter. A little strange though :)

JEMH seems to have this functionality

I leave to Andy to comment more.

Hi Renjith

Thanks for the response. I have tried using the defaultReporterUsername option, but it seems to reject the email still if the User is an actual JIRA user who doesn't have permission to comment on the issue - unless i'm using the wrong JEMH property?

May be that is what I wrote in the above comment. If defaultReporter is specified and mail comes from NON-Jira users, it gets added, while it comes from known Jira users without permissions, it is rejected.

Btw, there seems to be another parameter 'defaultReporterOverridesDerivedReporter' which you can use, but the bad part is that all comments may look like it has come from the same originator.

Yeah, its just not quite what I am after Renjith

Is it possibly something that could be solved with better security settings? Through the JIRA interface, only specified groups can access the tickets (which I currently have working), but via email, anyone can comment on a ticket (as to comment, they must know about the ticket)

I doubt.

May be a custom handler is needed for this.

JIRA has a security model that JEMH can respect fully, or bend a little if you configure it so. There is a configuration option that enforces strict JIRA security, relaxing that will mean a user, by email, may be able to do things that would not otherwise be possible (eg add a watcher). If you have users commenting on issues that they should not be able to, thats a bug or a configuration issue.

Not having a defaultReporter set will ensure issues cannot be created in projects that are not appropriate, as the 'reporter' must be derived from the incomng email address, associated with a JIRA user having the correct privileges.

If you're using JEMH 1.x I'd be more than happy to dig into cause.

In passing, when non-jira user support is needed (and is specifically enabled) in addition to the above 'correct' behaviour', it is possible that new users could email with an issue key in the subject.

Happy to dig into this in more detail in JIRA, if there is a use case not being addressed, just create an issue on the project issue tracker.

Thanks for the help guys - actually got close to what the guys wanted using JEMH's ccHandling, but I think to fully implement it would require a Custom Email Handler since it is a very specific case. I'm using JIRA 4.4.4 so not using JEMH 1.X yet Andy - thanks for the option though.

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Nov 27, 2018 in Portfolio for Jira

Introducing a new planning experience in Portfolio for Jira (Server/DC)

In the past, Portfolio for Jira required a high degree of detail–foresight that was unrealistic for many businesses to   have–in   order to produce a reliable long-term roadmap. We're tur...

2,749 views 18 21
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you