I created several users with the my email address. The first was noaa.test.user. I was able to submit email through the email handler and not surprisingly the reporter was noaa.test.user.
So I removed authorizations from noaa.test.user. I removed access to JIRA and all group memberships.
Now the email handler is ignoring email messages from my address, even though I still have authorized users with that address.
I have demonstrated that I can fix the problem by changing the email address of the unauthorized users to an address that will never match any incoming messages. Then the address of an authorized user will be found. This is an adequate solution, so you can close this issue.
But... it seems like a bug to me, you may want to notify the developers.
I agree, suprising behavior with easy alternative, I'd say that's a bug.
This also hits at a larger underlying issue, namely, that jira doesn't validate emails at all. If an issue is hidden to one user, but visible to another, you could possibly leak the issue's description or other details by sending an email to jira APPEARING to be from the authorized user, and also CCing yourself or an address jira doesn't know about (I think? I forget which functionality is built into jira and which comes from our plugins).
Long story short, comments made via email can't really be trusted at all and no permissions for things that come from email can really be enforced either, against a malicious user.
Atlassian Summit is an excellent opportunity for in-person support, training, and networking.Learn more
Hey everyone! My name is Natalie and I'm an editor of the Atlassian Blog and I've got a question for you: What's your favorite quote about teamwork? We've compiled a list here, along with...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG