How to limit bug creation from email based on user access

This plugin allows you to report an issue in MantisBT by sending an email to a particular mail account

taras
Posts: 6
Joined: 16 Jul 2019, 15:52

How to limit bug creation from email based on user access

Post by taras »

In my setup I have multiple projects with private access. Let's say some user DEMOUSER has access to PROJECT-A, but doesn't have access to PROJECT-B.
When I'm sending an email from DEMOUSER's email address I can create a note in PROJECT-B, to which this user doesn't have access. See the attached screenshot of such a note.

This means that anyone who has access to at least one project in the system can create notes in any project in the system. It is not what I'm looking for. Could someone explain to me whether EmailReporting can be set up in some way to meet my requirements?
Attachments
no_access.png
SL-Gundam
Posts: 722
Joined: 06 Jul 2011, 14:17

Re: How to limit bug creation from email based on user access

Post by SL-Gundam »

The code is there. We are just undecided on how to handle a situation like this.
https://github.com/mantisbt-plugins/Ema ... i.php#L857
https://github.com/mantisbt-plugins/Ema ... i.php#L920

What should happen with emails that cannot be processed because of a permission denial?
Since we've never had anybody complain and the projects in my company are public this has never been a discussion that we needed to revisit

EmailReporting has mainly worked with the intent to process at all costs to make sure the user gets as much info as possible and EmailReporting keeps on processing instead of resulting in a stalemate with emails which it cannot process for various reasons

Congratulations. You are the happy user who will have a voice in the direction of this functionality.
cas
Posts: 1586
Joined: 11 Mar 2006, 16:08

Re: How to limit bug creation from email based on user access

Post by cas »

We catch all emails in a central place ( helpdesk ).
There they take care of such issues. In case of "No Access", user is informed accordingly and ticket on hold until confirmed by someone with proper access.
SL-Gundam
Posts: 722
Joined: 06 Jul 2011, 14:17

Re: How to limit bug creation from email based on user access

Post by SL-Gundam »

It also has never been an issue since users with no access would not receive notification emails about those issues anyway.

Since these days we track the msg id's as well, CC's of the email could reply and get their comments added to issues where they normally would not have had access

So these days the chances of this happening are higher than before
taras
Posts: 6
Joined: 16 Jul 2019, 15:52

Re: How to limit bug creation from email based on user access

Post by taras »

SL-Gundam wrote: 16 Jul 2019, 21:33 The code is there. We are just undecided on how to handle a situation like this.
https://github.com/mantisbt-plugins/Ema ... i.php#L857
https://github.com/mantisbt-plugins/Ema ... i.php#L920

What should happen with emails that cannot be processed because of a permission denial?
Since we've never had anybody complain and the projects in my company are public this has never been a discussion that we needed to revisit

EmailReporting has mainly worked with the intent to process at all costs to make sure the user gets as much info as possible and EmailReporting keeps on processing instead of resulting in a stalemate with emails which it cannot process for various reasons

Congratulations. You are the happy user who will have a voice in the direction of this functionality.

Hi SL-Gundam,

Thank you for your reply.

I’m not sure how the mentioned code should work:
  • when I uncommented L857 the system simply stopped processing emails from my mailbox (where I had a mix of authorized and unauthorized emails). I use IMAP with a specific base folder.
  • when I uncommented L920 nothing changed. The system is still processing emails from unauthorized users.
So if I need to add some condition and error to stop creating bug notes from unauthorized user emails in private projects then please let me know.

As for my suggestion, at first I would like to have a simple checkbox in the setup (Manage Configuration Options page) to ignore unauthorized user emails from creating bug notes in private projects or process them and create bug notes from them in any case. There could also be some additional setup what “ignore” means – to delete such emails from mailbox or just leave them or maybe log them somewhere – it’s an extra feature.

Next, it would be nice if the Manage Configuration Options page worked like standard setup pages and could be configured for all projects or for a specific one. In this case I would be able to differentiate processing rules for projects, for example for some project I would allow to create bugs from emails while for some I would allow to create only bug notes from any user emails, while for rest – to create only bug notes from authorized user emails etc. Most of the other parameters from Manage Configuration Options page would be nice to have specifically to the projects as well.
taras
Posts: 6
Joined: 16 Jul 2019, 15:52

Re: How to limit bug creation from email based on user access

Post by taras »

SL-Gundam wrote: 17 Jul 2019, 12:41 It also has never been an issue since users with no access would not receive notification emails about those issues anyway.

Since these days we track the msg id's as well, CC's of the email could reply and get their comments added to issues where they normally would not have had access

So these days the chances of this happening are higher than before

Yes, actually anyone can add a bug note to the private project by sending an email with a randomly guessed issue number in the subject.
SL-Gundam
Posts: 722
Joined: 06 Jul 2011, 14:17

Re: How to limit bug creation from email based on user access

Post by SL-Gundam »

taras wrote: 17 Jul 2019, 12:58 ...

I’m not sure how the mentioned code should work:
  • when I uncommented L857 the system simply stopped processing emails from my mailbox (where I had a mix of authorized and unauthorized emails). I use IMAP with a specific base folder.
  • when I uncommented L920 nothing changed. The system is still processing emails from unauthorized users.
So if I need to add some condition and error to stop creating bug notes from unauthorized user emails in private projects then please let me know.

As for my suggestion, at first I would like to have a simple checkbox in the setup (Manage Configuration Options page) to ignore unauthorized user emails from creating bug notes in private projects or process them and create bug notes from them in any case. There could also be some additional setup what “ignore” means – to delete such emails from mailbox or just leave them or maybe log them somewhere – it’s an extra feature.

Next, it would be nice if the Manage Configuration Options page worked like standard setup pages and could be configured for all projects or for a specific one. In this case I would be able to differentiate processing rules for projects, for example for some project I would allow to create bugs from emails while for some I would allow to create only bug notes from any user emails, while for rest – to create only bug notes from authorized user emails etc. Most of the other parameters from Manage Configuration Options page would be nice to have specifically to the projects as well.

L857 is for comments.
L920 is for new issues.

Those lines are a direct copy of MantisBT's procedure for new issues or notes. MantisBT is ok with stopping processing completely in this situation. Since you do not want EmailReporting to make a full stop in the middle, this code would need to be modified so that we get the end result we desire for EmailReporting.

Basically you're suggesting one new configuration option: "What to do with emails for projects a user does not have access to"
This would have 3 options
  • Ignore email
  • Ignore and Delete email
  • Process email without checking permissions
EmailReporting would output a message while processing. But for "Ignore and Delete email" it would only be shown once. So will likely be missed. Based on whether you use POP3 or IMAP will result in a message only one time or every time the script is run.
Can you think of any other options we should add?


We've looked at the idea for project specific settings.
EmailReporting switches between projects for every mailbox or, in case of IMAP, every subfolder in the mailbox and sometimes even every email since notes can be for issues in other projects than the one connected to the mailbox it was received on.
So while for MantisBT every page request happens for one project, EmailReporting switches between projects multiple times within a page request, making this very complicated
This is the moment where we know the final project for a note: https://github.com/mantisbt-plugins/Ema ... i.php#L869
And here for new issues: https://github.com/mantisbt-plugins/Ema ... i.php#L936
Both of them are quite late in processing the email

I guess some configuration options could be project specific but for a lot of them we just don't know the final project yet. We would have to create two configuration option pages. One for project specific capable options and one for global only options

I have created a feature request for this here: https://mantisbt.org/bugs/view.php?id=25933
We will first work on getting the permissions to work. The project specific settings will be a long term project
Any further discussion should continue there.

This thread will deal with the permissions
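
The behaviour discussed in the post above, as an added example that is not part of the thread or of EmailReporting's code: a self-contained Python model that takes the note's final project from the issue, checks the sender's access per email, and skips a denied email instead of halting the whole run, under each of the three proposed options. All names and sample data are constructed, and it assumes a processed email is removed from the mailbox.

```python
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):  # the three options proposed in the post above
    IGNORE = "Ignore email"
    IGNORE_AND_DELETE = "Ignore and Delete email"
    PROCESS_UNCHECKED = "Process email without checking permissions"


@dataclass(frozen=True)
class Email:
    sender: str
    issue_id: int  # issue number parsed from the subject line
    body: str


# Constructed sample data: which project each issue lives in, and which
# private projects each sender address may access.
ISSUE_PROJECT = {101: "PROJECT-A", 202: "PROJECT-B"}
PROJECT_ACCESS = {"demouser@example.test": {"PROJECT-A"}}
SAMPLE_MAILBOX = [
    Email("demouser@example.test", 202, "note for PROJECT-B"),  # no access
    Email("demouser@example.test", 101, "note for PROJECT-A"),  # allowed
]


def process_mailbox(emails, policy):
    """Return (notes added, emails left in mailbox, log messages)."""
    notes, left_in_mailbox, log = [], [], []
    for mail in emails:
        # The final project comes from the issue, not from the mailbox.
        project = ISSUE_PROJECT.get(mail.issue_id)
        if project is None:
            log.append(f"unknown issue {mail.issue_id} from {mail.sender}")
            left_in_mailbox.append(mail)
            continue
        allowed = project in PROJECT_ACCESS.get(mail.sender, set())
        if not allowed and policy is not Policy.PROCESS_UNCHECKED:
            log.append(f"denied: {mail.sender} on issue {mail.issue_id} ({project})")
            if policy is Policy.IGNORE:
                left_in_mailbox.append(mail)  # reported again on the next run
            continue  # skip this email only; the rest are still processed
        # Assumption: a processed email is removed from the mailbox.
        notes.append((mail.issue_id, mail.sender, mail.body))
    return notes, left_in_mailbox, log
```
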
taras
Posts: 6
Joined: 16 Jul 2019, 15:52

Re: How to limit bug creation from email based on user access

Post by taras »

SL-Gundam wrote: 17 Jul 2019, 15:30 Basically you're suggesting one new configuration option: "What to do with emails for projects a user does not have access to"
This would have 3 options
  • Ignore email
  • Ignore and Delete email
  • Process email without checking permissions
EmailReporting would output a message while processing. But for "Ignore and Delete email" it would only be shown once. So will likely be missed. Based on whether you use POP3 or IMAP will result in a message only one time or every time the script is run.
Can you think of any other options we should add?

This approach looks enough for me; I don’t have any valuable parameters to add. However, I would rather leave the deletion option within the standard parameter called Delete processed email from the mailbox. Probably all emails that were read by the EmailReporting plugin can be treated as processed, which is why they can be deleted. While I would extend the Create new issues and Add notes parameters with the following options (instead of Yes/No):
  • Yes, respect permission
  • Yes, ignore permission
  • No
SL-Gundam
Posts: 722
Joined: 06 Jul 2011, 14:17

Re: How to limit bug creation from email based on user access

Post by SL-Gundam »

That last one is a good idea.

Of course delete email would respect "Delete processed email from the mailbox"
taras
Posts: 6
Joined: 16 Jul 2019, 15:52

Re: How to limit bug creation from email based on user access

Post by taras »

SL-Gundam wrote: 17 Jul 2019, 16:35 That last one is a good idea.

Of course delete email would respect "Delete processed email from the mailbox"

Do you have some forecast when this feature will be released?
SL-Gundam
Posts: 722
Joined: 06 Jul 2011, 14:17

Re: How to limit bug creation from email based on user access

Post by SL-Gundam »

No but I planned to work on it this weekend. Should not be too much work so might be finished this weekend. Otherwise it's gonna take a couple more weekends
SL-Gundam
Posts: 722
Joined: 06 Jul 2011, 14:17

Re: How to limit bug creation from email based on user access

Post by SL-Gundam »

Alright I think this should work
https://github.com/mantisbt-plugins/Ema ... 63180b068d
https://github.com/mantisbt-plugins/Ema ... b94545f76f
http://www.mantisbt.org/wiki/doku.php/m ... ermissions

In the end it is not possible to manage this as discussed because it made the permission checks problematic for other functionality in EmailReporting

Please check if this suits your needs
SL-Gundam
Posts: 722
Joined: 06 Jul 2011, 14:17

Re: How to limit bug creation from email based on user access

Post by SL-Gundam »

I would like to add that while EmailReporting before did not check permissions, MantisBT did

So users adding notes through EmailReporting, could not get access to those issues, would not receive notifications etc.
The problematic footprint was limited.
You could actually say that a user even being in that email exchange is a bigger issue than the note he eventually created in EmailReporting
taras
Posts: 6
Joined: 16 Jul 2019, 15:52

Re: How to limit bug creation from email based on user access

Post by taras »

Hi SL-Gundam,

Thank you for the quick fix and sorry for the delay with the response.

I tested the latest development release of the plugin. The added feature works as expected. Thank you!

SL-Gundam wrote: 20 Jul 2019, 20:33 You could actually say that a user even being in that email exchange is a bigger issue than the note he eventually created in EmailReporting

Don't actually understand the case. Is it about the plugin with or without this feature?
SL-Gundam
Posts: 722
Joined: 06 Jul 2011, 14:17

Re: How to limit bug creation from email based on user access

Post by SL-Gundam »

It was just an observation.
A user is not allowed access to a ticket but has seen the email exchange. If he is not allowed access to the ticket he should not have been in the email exchange in the first place

Good to hear it works for you