Accept emails from anyone on a private project
Is that a fair assumption? I hope not since I'm setting up a mail gateway into a non-public project where I want to use anonymous as creator of issue (--unknown_user accept).
Isn't it enough to check the actual checkboxes on the role to see if they are allowed to create issue (or see one)? Anon users will not be able to see things through web interface anyhow.
Older than devel versions allowed things "my way" but I assume refactoring on security-models tightend this a bit.