Mailhandler reply security hole
I don't know if this is the expected behavior but I recognized that it's possible to reply to an issue of another project than the one specified in the /etc/aliases file.
Assume I have an /etc/aliases file with a line like this one:
foo: "| /opt/redmine/extra/mail_handler/rdm-mailhandler.rb --url=http://localhost:8080 --key=XXXX --project=foo --unknown-user=ignore"
Now I send an email to firstname.lastname@example.org with subject "Re:[#123]" and 123 is the id of an issue that is not part of project foo, anyway the email is not refused.
I would expect that this should not be possible because I limited that emailadress to project foo.
This would need to be a flag in the command line I would think: there are many of us that have project set as a default box, but are still listening to system-wide replies on this e-mail address.
--project option is for setting the default project for new issues, not to restrict the replies to a given project.
As far as I know there is no option --issue yet, even in the new redmine 2.1.0.
Is there any need so I could make a request for a future release?
- Category changed from Importers to Email receiving
Also available in: Atom