Security trouble - Create account with anonymous mail

Added by Vincent B over 6 years ago

To create accounts from anonymous mail, I run a cron job and use the parameters:

unknown_user=create no_permission_check=1

The big problem is that with no_permission_check=1 anybody can add a note on any ticket, even though he has nothing to do with this project.
So if I have several projects, one for each client, one client can add a note on another client's ticket by changing the title of his mail like:

If I remove no_permission_check=1, it checks permissions correctly, but no anonymous client can be created anymore.

Is there a solution?

I'm using Redmine 2.3.3.stable