Feature #14420

Allow emails from a locked account to be overridden and credited to anonymous user

Added by Deoren Moor over 9 years ago. Updated over 8 years ago.

Status:NewStart date:
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:Email receiving
Target version:-
Resolution:

Description

I tried several times to submit a detailed report, but the submission filter kept blocking my attempts (Error 422 - This request was denied because it was consid...). I'll try to post that detailed report as a follow-up comment.

History

#1 Updated by Deoren Moor over 9 years ago

My follow-up attempt was also blocked, so I'll try to post the report to the forum thread mentioned previously.

#2 Updated by Deoren Moor over 9 years ago

Scenario:

  1. John Doe leaves Example.com and we lock his account (we don't want him logging into Redmine).
  2. John Doe notices a problem with the Example.com services/products, so he emails support from his email address.
    • While we don't want him in the system John Doe retains access to his original email account since he is an Example.com customer.
  3. John Doe's email is rejected and it is moved to rejected_emails where a support person may or may not notice it being there for some time.

Goal:

  • Allow overriding the locked account status to credit the email from jdoe as coming from an Anonymous user

#3 Updated by Deoren Moor over 9 years ago

The email scraping script used in its present form:

#!/bin/bash

cd /opt/redmine

sudo -u www-data bundle exec rake -f /opt/redmine/Rakefile redmine:email:receive_imap \
    RAILS_ENV="production" \
    host=mail.example.com username=support@example.com password=secretPassword \
    move_on_success=accepted_emails move_on_failure=rejected_emails \
    project=unassigned category=unassigned tracker=support \
    no_permission_check=1 unknown_user=accept port=993 ssl=1 \
    allow_override=project,tracker,status,priority,category,assigned_to,\
    fixed_version,start_date,due_date,estimated_hours,\
    done_ratio > /dev/null 2>&1

I could see an option similar to this one being introduced for use with an email scraping script:

unknown_user=[ignore|accept|create]

#4 Updated by Jan Niggemann (redmine.org team member) over 9 years ago

Deoren Moor wrote:

Scenario:
  • John Doe leaves Example.com and we lock his account (we don't want him logging into Redmine).
  • UserID of jdoe tied to
  • While we don't want him in the system John Doe retains access to his original email account since he is an Example.com customer.

Do employees and customers really share the same maildomain? I'd argue that this is insecure, random customers could identify themselves as employees and trick other customers into disclosing information (phishing)...

#5 Updated by Deoren Moor over 9 years ago

Jan Niggemann wrote:

Do employees and customers really share the same maildomain?

I used 'employee' and 'customer', but really what I had in mind is an educational institution where the same mail domain is shared. I can't speak for others, but ours is setup this way.

#6 Updated by Deoren Moor over 8 years ago

This would come in handy and would go nicely with other requests to allow locked accounts to be the target of assignee, author and other queries where they're currently excluded.

Perhaps a UI option to "Reject email from locked accounts" or something similar.

Also available in: Atom PDF