I created several users with the my email address. The first was noaa.test.user. I was able to submit email through the email handler and not surprisingly the reporter was noaa.test.user.
So I removed authorizations from noaa.test.user. I removed access to JIRA and all group memberships.
Now the email handler is ignoring email messages from my address, even though I still have authorized users with that address.
I have demonstrated that I can fix the problem by changing the email address of the unauthorized users to an address that will never match any incoming messages. Then the address of an authorized user will be found. This is an adequate solution, so you can close this issue.
But... it seems like a bug to me, you may want to notify the developers.
I agree, suprising behavior with easy alternative, I'd say that's a bug.
This also hits at a larger underlying issue, namely, that jira doesn't validate emails at all. If an issue is hidden to one user, but visible to another, you could possibly leak the issue's description or other details by sending an email to jira APPEARING to be from the authorized user, and also CCing yourself or an address jira doesn't know about (I think? I forget which functionality is built into jira and which comes from our plugins).
Long story short, comments made via email can't really be trusted at all and no permissions for things that come from email can really be enforced either, against a malicious user.
It's officially Tuesday, which means it's officially time for another tip to help you better navigate this space we call the Atlassian Community. 😄 I got a great question from community member, Sa...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs