
How to limit bug creation from email based on user access

Posted: 16 Jul 2019, 16:05
by taras
In my setup I have multiple projects with private access. Let's say some user DEMOUSER has access to PROJECT-A, but doesn't have access to PROJECT-B.
When I send an email from DEMOUSER's email address I can create a note in PROJECT-B, to which this user doesn't have access. See attached screenshot of such a note.

This means that anyone who has access to at least one project in the system can create notes in any project in the system. It is not what I'm looking for. Could someone explain to me whether EmailReporting can be set up in some way to meet my requirements?

Re: How to limit bug creation from email based on user access

Posted: 16 Jul 2019, 21:33
by SL-Gundam
The code is there. We are just undecided on how to handle a situation like this.
https://github.com/mantisbt-plugins/Ema ... i.php#L857
https://github.com/mantisbt-plugins/Ema ... i.php#L920

What should happen with emails that cannot be processed because of a permission denial?
Since we've never had anybody complain and the projects in my company are public this has never been a discussion that we needed to revisit

EmailReporting has mainly worked with the intent to process at all costs to make sure the user gets as much info as possible and EmailReporting keeps on processing instead of resulting in a stalemate with emails which it cannot process for various reasons

Congratulations. You are the happy user who will have a voice in the direction of this functionality.

Re: How to limit bug creation from email based on user access

Posted: 17 Jul 2019, 08:02
by cas
We catch all emails in a central place ( helpdesk ).
There they take care of such issues. In case of "No Access", the user is informed accordingly and the ticket is on hold until confirmed by someone with proper access.

Re: How to limit bug creation from email based on user access

Posted: 17 Jul 2019, 12:41
by SL-Gundam
It also has never been an issue since users with no access would not receive notification emails about those issues anyway.

Since these days we track the msg id's as well, CC's of the email could reply and get their comments added to issues where they normally would not have had access

So these days the chances of this happening are higher than before

Re: How to limit bug creation from email based on user access

Posted: 17 Jul 2019, 12:58
by taras
SL-Gundam wrote: 16 Jul 2019, 21:33 The code is there. We are just undecided on how to handle a situation like this.
https://github.com/mantisbt-plugins/Ema ... i.php#L857
https://github.com/mantisbt-plugins/Ema ... i.php#L920

What should happen with emails that cannot be processed because of a permission denial?
Since we've never had anybody complain and the projects in my company are public this has never been a discussion that we needed to revisit

EmailReporting has mainly worked with the intent to process at all costs to make sure the user gets as much info as possible and EmailReporting keeps on processing instead of resulting in a stalemate with emails which it cannot process for various reasons

Congratulations. You are the happy user who will have a voice in the direction of this functionality.

Hi SL-Gundam,

Thank you for your reply.

I’m not sure how the mentioned code should work:
  • when I uncommented L857 the system simply stopped processing emails from my mailbox (where I had a mix of authorized and unauthorized emails). I use IMAP with a specific base folder.
  • when I uncommented L920 nothing changed. The system is still processing emails from unauthorized users.
So if I need to add some condition and error to stop creating bug notes from unauthorized user emails in private projects then please let me know.

As for my suggestion then at first I would like to have simple checkbox in the setup (Manage Configuration Options page) to ignore unauthorized user emails from creating bug notes in private projects or process them and create bug notes from them in any case. There could also be some additional setup what “ignore” means – to delete such emails from mailbox or just leave them or maybe log them somewhere – it’s an extra feature.

Next, it would be nice if the Manage Configuration Options page worked like standard setup pages and could be configured for all projects or for a specific one. In this case I would be able to differentiate processing rules for projects, for example for some project I would allow to create bugs from emails while for some I would allow to create only bug notes from any user emails, while for the rest – to create only bug notes from authorized user emails etc. Most of the other parameters from the Manage Configuration Options page would be nice to have specifically for the projects as well.

Re: How to limit bug creation from email based on user access

Posted: 17 Jul 2019, 13:03
by taras
SL-Gundam wrote: 17 Jul 2019, 12:41 It also has never been an issue since users with no access would not receive notification emails about those issues anyway.

Since these days we track the msg id's as well, CC's of the email could reply and get their comments added to issues where they normally would not have had access

So these days the chances of this happening are higher than before

Yes, actually anyone can add a bug note to the private project by sending an email with a randomly guessed issue number in the subject.

Re: How to limit bug creation from email based on user access

Posted: 17 Jul 2019, 15:30
by SL-Gundam
taras wrote: 17 Jul 2019, 12:58 ...

I’m not sure how the mentioned code should work:
  • when I uncommented L857 the system simply stopped processing emails from my mailbox (where I had a mix of authorized and unauthorized emails). I use IMAP with a specific base folder.
  • when I uncommented L920 nothing changed. The system is still processing emails from unauthorized users.
So if I need to add some condition and error to stop creating bug notes from unauthorized user emails in private projects then please let me know.

As for my suggestion then at first I would like to have simple checkbox in the setup (Manage Configuration Options page) to ignore unauthorized user emails from creating bug notes in private projects or process them and create bug notes from them in any case. There could also be some additional setup what “ignore” means – to delete such emails from mailbox or just leave them or maybe log them somewhere – it’s an extra feature.

Next, it would be nice if the Manage Configuration Options page worked like standard setup pages and could be configured for all projects or for a specific one. In this case I would be able to differentiate processing rules for projects, for example for some project I would allow to create bugs from emails while for some I would allow to create only bug notes from any user emails, while for the rest – to create only bug notes from authorized user emails etc. Most of the other parameters from the Manage Configuration Options page would be nice to have specifically for the projects as well.

L857 is for comments.
L920 is for new issues.

Those lines are a direct copy of MantisBT's procedure for new issues or notes. MantisBT is ok with stopping processing completely in this situation. Since you do not want EmailReporting to make a full stop in the middle, this code would need to be modified so that we get the end result we desire for EmailReporting.

Basically you're suggesting one new configuration option: "What to do with emails for projects a user does not have access to"
This would have 3 options
  • Ignore email
  • Ignore and Delete email
  • Process email without checking permissions
EmailReporting would output a message while processing. But for "Ignore and Delete email" it would only be shown once. So will likely be missed. Based on whether you use POP3 or IMAP will result in a message only one time or every time the script is run.
Can you think of any other options we should add?


We've looked at the idea for project specific settings.
EmailReporting switches between projects for every mailbox or, in case of IMAP, every subfolder in the mailbox and sometimes even every email, since notes can be for issues in other projects than the one connected to the mailbox it was received on.
So while for MantisBT every page request happens for one project, EmailReporting switches between projects multiple times within a page request, making this very complicated
This is the moment where we know the final project for a note: https://github.com/mantisbt-plugins/Ema ... i.php#L869
And here for new issues: https://github.com/mantisbt-plugins/Ema ... i.php#L936
Both of them are quite late in processing the email

I guess some configuration options could be project specific but for a lot of them we just don't know the final project yet. We would have to create two configuration option pages. One for project specific capable options and one for global only options

I have created a feature request for this here: https://mantisbt.org/bugs/view.php?id=25933
We will first work on getting the permissions to work. The project specific settings will be a long term project
Any further discussion should continue there.

This thread will deal with the permissions
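
The behaviour discussed in this post, as an added sketch that is not EmailReporting or MantisBT code: the permission check runs once the issue in the subject has been resolved to its project, and a denied email is skipped under one of the three proposed options while the run continues with the next message. The policy constants, `processMailbox`, the sample mailbox and the subject format are constructed for illustration.

```php
<?php
// Added illustration only; all names and data below are hypothetical.
const POLICY_IGNORE        = 'ignore';        // skip the email, leave it in the mailbox
const POLICY_IGNORE_DELETE = 'ignore_delete'; // skip the email and mark it for deletion
const POLICY_NO_CHECK      = 'process';       // add the note without checking permissions

// Constructed sample data: issue id => project, sender => projects they can access.
$issueProject = [101 => 'PROJECT-A', 202 => 'PROJECT-B'];
$userProjects = ['demouser@example.test' => ['PROJECT-A']];

// Constructed mailbox mixing authorized and unauthorized note emails.
$mailbox = [
    ['from' => 'demouser@example.test', 'subject' => 'RE: [PROJECT-A 0000101]: crash'],
    ['from' => 'demouser@example.test', 'subject' => 'RE: [PROJECT-B 0000202]: private'],
    ['from' => 'demouser@example.test', 'subject' => 'RE: [PROJECT-A 0000101]: more info'],
];

function processMailbox(array $mailbox, array $issueProject, array $userProjects, string $policy): array
{
    $result = ['notes' => [], 'skipped' => [], 'deleted' => []];
    foreach ($mailbox as $i => $mail) {
        // The issue id is taken from the subject, so the sender chooses it.
        if (!preg_match('/\[[^\]]*?(\d+)\]/', $mail['subject'], $m)) {
            $result['skipped'][] = $i;
            continue;
        }
        $issueId = (int) $m[1];
        // The final project is only known after the issue lookup, so check here.
        $project = $issueProject[$issueId] ?? null;
        $allowed = $project !== null
            && in_array($project, $userProjects[$mail['from']] ?? [], true);

        if ($project !== null && ($allowed || $policy === POLICY_NO_CHECK)) {
            $result['notes'][] = $issueId;
            continue;
        }
        // Denied or unknown issue: record it and go on to the next email
        // instead of aborting the whole run.
        $result['skipped'][] = $i;
        if ($policy === POLICY_IGNORE_DELETE) {
            $result['deleted'][] = $i;
        }
    }
    return $result;
}

print_r(processMailbox($mailbox, $issueProject, $userProjects, POLICY_IGNORE));
```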

Re: How to limit bug creation from email based on user access

Posted: 17 Jul 2019, 16:09
by taras
SL-Gundam wrote: 17 Jul 2019, 15:30 Basically you're suggesting one new configuration option: "What to do with emails for projects a user does not have access to"
This would have 3 options
  • Ignore email
  • Ignore and Delete email
  • Process email without checking permissions
EmailReporting would output a message while processing. But for "Ignore and Delete email" it would only be shown once. So will likely be missed. Based on whether you use POP3 or IMAP will result in a message only one time or every time the script is run.
Can you think of any other options we should add?

This approach looks enough for me; I don’t have any valuable parameters to add. However, I would rather leave the deletion option within the standard parameter called Delete processed email from the mailbox. Probably all emails that were read by the EmailReporting plugin can be treated as processed, which is why they can be deleted. While I would extend the Create new issues and Add notes parameters with the following options (instead of Yes/No):
  • Yes, respect permission
  • Yes, ignore permission
  • No

Re: How to limit bug creation from email based on user access

Posted: 17 Jul 2019, 16:35
by SL-Gundam
That last one is a good idea.

Of course delete email would respect "Delete processed email from the mailbox"

Re: How to limit bug creation from email based on user access

Posted: 18 Jul 2019, 15:38
by taras
SL-Gundam wrote: 17 Jul 2019, 16:35 That last one is a good idea.

Of course delete email would respect "Delete processed email from the mailbox"

Do you have some forecast when this feature will be released?

Re: How to limit bug creation from email based on user access

Posted: 19 Jul 2019, 19:11
by SL-Gundam
No but I planned to work on it this weekend. Should not be too much work so might be finished this weekend. Otherwise it's gonna take a couple more weekends

Re: How to limit bug creation from email based on user access

Posted: 20 Jul 2019, 20:16
by SL-Gundam
Alright I think this should work
https://github.com/mantisbt-plugins/Ema ... 63180b068d
https://github.com/mantisbt-plugins/Ema ... b94545f76f
http://www.mantisbt.org/wiki/doku.php/m ... ermissions

In the end it is not possible to manage this as discussed because it made the permission checks problematic for other functionality in EmailReporting

Please check if this suits your needs

Re: How to limit bug creation from email based on user access

Posted: 20 Jul 2019, 20:33
by SL-Gundam
I would like to add that while EmailReporting before did not check permissions, MantisBT did

So users adding notes through EmailReporting, could not get access to those issues, would not receive notifications etc.
The problematic footprint was limited.
You could actually say that a user even being in that email exchange is a bigger issue than the note he eventually created in EmailReporting

Re: How to limit bug creation from email based on user access

Posted: 20 Sep 2019, 14:26
by taras
Hi SL-Gundam,

Thank you for the quick fix and sorry for the delay with my response.

I tested the latest development release of the plugin. The added feature works as expected. Thank you!

SL-Gundam wrote: 20 Jul 2019, 20:33 You could actually say that a user even being in that email exchange is a bigger issue than the note he eventually created in EmailReporting

Don't actually understand the case. Is it about the plugin with or without this feature?

Re: How to limit bug creation from email based on user access

Posted: 20 Sep 2019, 21:00
by SL-Gundam
It was just an observation.
A user is not allowed access to a ticket but has seen the email exchange. If he is not allowed access to the ticket he should not have been in the email exchange in the first place

Good to hear it works for you