Redmine - Feature #14420: Allow emails from a locked account to be overridden and credited to anonymous user
https://www.redmine.org/issues/14420?journal_id=50424 | 2013-07-09T19:03:19Z | Deoren Moor
<p>My follow-up attempt was also blocked, so I'll try to post the report to the forum thread mentioned previously.</p>
https://www.redmine.org/issues/14420?journal_id=50425 | 2013-07-09T19:08:19Z | Deoren Moor
<p>Scenario:</p>
<ol>
<li>John Doe leaves Example.com and we lock his account (we don't want him logging into Redmine).
<ul>
<li>UserID of jdoe tied to <a class="email" href="mailto:jdoe@example.com">jdoe@example.com</a></li>
</ul>
</li>
<li>John Doe notices a problem with the Example.com services/products, so he emails support from his email address.
<ul>
<li>While we don't want him <em>in the system</em> John Doe retains access to his original email account since he is an Example.com customer.</li>
</ul>
</li>
<li>John Doe's email is rejected and it is moved to <code>rejected_emails</code> where a support person may or may not notice it being there for some time.</li>
</ol>
<p>Goal:</p>
<ul>
<li>Allow overriding the locked account status to credit the email from <code>jdoe</code> as coming from an Anonymous user</li>
</ul>
https://www.redmine.org/issues/14420?journal_id=50426 | 2013-07-09T19:08:53Z | Deoren Moor
<p>The email scraping script used in its present form:</p>
<pre>
#!/bin/bash
cd /opt/redmine
sudo -u www-data bundle exec rake -f /opt/redmine/Rakefile redmine:email:receive_imap \
RAILS_ENV="production" \
host=mail.example.com username=support@example.com password=secretPassword \
move_on_success=accepted_emails move_on_failure=rejected_emails \
project=unassigned category=unassigned tracker=support \
no_permission_check=1 unknown_user=accept port=993 ssl=1 \
allow_override=project,tracker,status,priority,category,assigned_to,\
fixed_version,start_date,due_date,estimated_hours,\
done_ratio > /dev/null 2>&1
</pre>
<p>I could see an option similar to this one being introduced for use with an email scraping script:</p>
<pre><code>unknown_user=[ignore|accept|create]</code></pre>
https://www.redmine.org/issues/14420?journal_id=50430 | 2013-07-09T21:18:03Z | Jan Niggemann (redmine.org team member), jan.niggemann@redmine.org
<p>Deoren Moor wrote:</p>
<blockquote>
Scenario:
<ul>
<li>John Doe leaves Example.com and we lock his account (we don't want him logging into Redmine).</li>
<li>UserID of jdoe tied to <a class="email" href="mailto:jdoe@example.com">jdoe@example.com</a></li>
<li>While we don't want him <em>in the system</em> John Doe retains access to his original email account since he is an Example.com customer.</li>
</ul>
</blockquote>
<p>Do employees and customers really share the same maildomain? I'd argue that this is insecure; random customers could identify themselves as employees and trick other customers into disclosing information (phishing)...</p>
https://www.redmine.org/issues/14420?journal_id=50431 | 2013-07-09T21:30:45Z | Deoren Moor
<p>Jan Niggemann wrote:</p>
<blockquote>
<p>Do employees and customers really share the same maildomain?</p>
</blockquote>
<p>I used 'employee' and 'customer', but really what I had in mind is an educational institution where the same mail domain <em>is</em> shared. I can't speak for others, but ours is set up this way.</p>
https://www.redmine.org/issues/14420?journal_id=58115 | 2014-08-15T13:58:48Z | Deoren Moor
<p>This would come in handy and would go nicely with other requests to allow locked accounts to be the target of assignee, author and other queries where they're currently excluded.</p>
<p>Perhaps a UI option to "Reject email from locked accounts" or something similar.</p>
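<p>Added example, not part of the thread and not Redmine's own code: a stand-alone Ruby model of the sender decision discussed above, showing the reported behaviour (a locked sender is rejected even with <code>unknown_user=accept</code>) beside the requested one. The <code>locked_user</code> option name and its values are hypothetical, and the sample accounts are constructed.</p>

```ruby
# Added illustration: a stand-alone model of the sender decision discussed in
# this thread. It is not Redmine's MailHandler code.

User = Struct.new(:login, :mail, :status)

# Constructed sample accounts (not real data).
USERS = [
  User.new("asmith", "asmith@example.com", :active),
  User.new("jdoe",   "jdoe@example.com",   :locked)
].freeze

ANONYMOUS = User.new("anonymous", nil, :anonymous).freeze

# Returns [action, credited_user].
#   unknown_user: "ignore" | "accept" | "create"  (the option shown in the thread)
#   locked_user:  "reject" | "anonymous"          (hypothetical option name)
def resolve_sender(from, unknown_user: "ignore", locked_user: "reject", users: USERS)
  address = from.to_s.strip.downcase
  user = users.find { |u| u.mail.downcase == address }

  if user.nil?
    case unknown_user
    when "accept" then [:accept, ANONYMOUS]
    when "create" then [:accept, User.new(address[/\A[^@]+/], address, :active)]
    else [:reject, nil]
    end
  elsif user.status == :locked
    # Reported behaviour: rejected even when unknown_user=accept.
    # Requested behaviour: accept, but never credit the locked account itself.
    locked_user == "anonymous" ? [:accept, ANONYMOUS] : [:reject, nil]
  else
    [:accept, user]
  end
end

# Maps the decision to the IMAP folder names used in the script above.
def target_folder(action)
  action == :accept ? "accepted_emails" : "rejected_emails"
end
```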