How does Security for non JIRA account holders work?

Scenario

JEMH can support remote email users who have neither (a) the right to use JIRA nor (b) any JIRA account at all. Until now there has been a 'snooping' issue: anyone could mail the inbox with a speculative issue key (e.g. ABC-123) and JEMH would join that sender into the conversation. Some may argue this is a feature; others, a security risk.

Security Model for non JIRA account holders

As of 1.2.31

Creation

JEMH can be configured to let anyone create issues: an actual JIRA user is set as the reporter to be used for creation, and a specific TEXT (unlimited) Custom Field is created for storing email addresses. On issue creation, every non-JIRA-account-holder email address (including the sender's) is stored in this non-JIRA email address custom field. Optionally, the actual creator's email address and the 'personal' part of that address can be stored in separate custom fields.

The only way to restrict issue creation is by whitelisting specific domains as acceptable, or by blacklisting specific domains as unacceptable.

Commenting

The JEMH approach to security is through a buddy system based on trust. For example, the original email:

To: jira@yourco.net
From: me@myplace.com
Cc: bill@otherplace.com

jira@yourco.net is the JEMH inbound mail address

Once this email has created the issue, only two categories of people can get involved with it by email:

  1. Those whose email addresses are associated with a JIRA account holder who has privileges in the relevant project

  2. Those whose email addresses are NOT associated with a JIRA account holder but were listed in the creation email (and so now have their addresses stored in the TEXT Custom Field).

So an email from bill@otherplace.com will be accepted, but one from dave@otherplace.com will not. Bill can invite Dave (or anyone else) by making them an additional recipient of an email that gets processed by JEMH:

To: jira@yourco.net
From: bill@otherplace.com
Cc: dave@otherplace.com

or

To: jira@yourco.net, dave@otherplace.com
From: bill@otherplace.com

In this way JEMH works on an invitation-only basis. Note that trust is transitive: any existing participant, JIRA account holder or not, can add further addresses, so the set of people on an issue is only as trustworthy as the people already on it.
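The creation and commenting rules above, replayed end to end as a stand-alone model. This is an added example, not JEMH's own code (JEMH is a Java JIRA plugin; only the decision logic is reproduced here). The JIRA accounts, the project names, the default reporter, the domain lists, the Subject-line key extraction and the sample messages are all constructed assumptions; the address-based rules follow the page.

```python
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import getaddresses

# Assumed environment (not JEMH configuration): JIRA accounts keyed by the
# e-mail address on the account, mapped to the projects they may comment in.
JIRA_ACCOUNTS = {
    "alice@yourco.net": {"ABC"},   # account holder with rights in project ABC
    "carol@yourco.net": {"XYZ"},   # account holder, but no rights in ABC
}
INBOX = "jira@yourco.net"              # the JEMH inbound mail address from the page
DEFAULT_REPORTER = "alice@yourco.net"  # real JIRA user used as reporter for non-JIRA creators
DOMAIN_WHITELIST = set()               # when non-empty, only these domains may create
DOMAIN_BLACKLIST = {"spam.example"}    # otherwise, these domains may not create
KEY_RE = re.compile(r"\b[A-Z][A-Z0-9]+-\d+\b")  # assumed: issue key taken from Subject


@dataclass
class Issue:
    key: str
    project: str
    reporter: str
    non_jira_addresses: set = field(default_factory=set)  # the TEXT custom field
    comments: list = field(default_factory=list)


ISSUES = {}  # issue key -> Issue


def addresses(msg, *headers):
    """Lower-cased addresses from the named headers, excluding the JEMH inbox."""
    raw = [v for h in headers for v in msg.get_all(h, [])]
    return {a.lower() for _, a in getaddresses(raw) if a and a.lower() != INBOX}


def sender(msg):
    return next(iter(addresses(msg, "From")))


def domain_allowed(addr):
    """Creation policy: a whitelist, if configured, wins; otherwise the blacklist applies."""
    domain = addr.rsplit("@", 1)[-1]
    if DOMAIN_WHITELIST:
        return domain in DOMAIN_WHITELIST
    return domain not in DOMAIN_BLACKLIST


def create_issue(raw_mail, key, project):
    """Creation: anyone from a permitted domain may create; non-JIRA addresses are recorded."""
    msg = message_from_string(raw_mail)
    frm = sender(msg)
    if not domain_allowed(frm):
        raise PermissionError(f"{frm}: domain may not create issues")
    issue = Issue(key, project, frm if frm in JIRA_ACCOUNTS else DEFAULT_REPORTER)
    # Every non-JIRA address on the creating mail, the sender included, goes into the field.
    issue.non_jira_addresses = addresses(msg, "From", "To", "Cc") - set(JIRA_ACCOUNTS)
    ISSUES[key] = issue
    return issue


def may_comment(issue, addr):
    """Buddy rule: a JIRA user with rights in the project, or an address already in the field."""
    if addr in JIRA_ACCOUNTS:
        return issue.project in JIRA_ACCOUNTS[addr]
    return addr in issue.non_jira_addresses


def add_comment(raw_mail):
    """Commenting: the key comes from the Subject; an unknown sender is refused, not joined."""
    msg = message_from_string(raw_mail)
    match = KEY_RE.search(msg.get("Subject", ""))
    if not match or match.group(0) not in ISSUES:
        raise LookupError("no known issue key in Subject")
    issue = ISSUES[match.group(0)]
    frm = sender(msg)
    if not may_comment(issue, frm):
        raise PermissionError(f"{frm} is not a participant on {issue.key}")
    # Invitation: the sender's other recipients become participants for later mails.
    issue.non_jira_addresses |= addresses(msg, "To", "Cc") - set(JIRA_ACCOUNTS)
    issue.comments.append((frm, msg.get_payload().strip()))
    return issue


# Constructed sample messages (the page's creation mail, then follow-ups).
CREATE_MAIL = "To: jira@yourco.net\nFrom: me@myplace.com\nCc: bill@otherplace.com\n" \
              "Subject: Printer on floor 3 is down\n\nPlease take a look.\n"


def mail(frm, subject, to=INBOX, cc=None, body="Following up."):
    hdrs = [f"To: {to}", f"From: {frm}", f"Subject: {subject}"]
    if cc:
        hdrs.append(f"Cc: {cc}")
    return "\n".join(hdrs) + "\n\n" + body + "\n"


def demo():
    """Replays the page's scenario; returns which mails would be accepted or refused."""
    ISSUES.clear()
    create_issue(CREATE_MAIL, "ABC-123", "ABC")
    steps = [
        ("bill comments", mail("bill@otherplace.com", "Re: [ABC-123] Printer")),
        ("dave guesses key", mail("dave@otherplace.com", "Re: ABC-123")),
        ("bill invites dave", mail("bill@otherplace.com", "Re: [ABC-123] Printer", cc="dave@otherplace.com")),
        ("dave after invite", mail("dave@otherplace.com", "Re: [ABC-123] Printer")),
        ("carol, no project rights", mail("carol@yourco.net", "Re: [ABC-123] Printer")),
        ("alice, project rights", mail("alice@yourco.net", "Re: [ABC-123] Printer")),
    ]
    outcome = {}
    for label, m in steps:
        try:
            add_comment(m)
            outcome[label] = "accepted"
        except PermissionError:
            outcome[label] = "refused"
    return outcome


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:28} {verdict}")
```

The model keeps the two checks separate on purpose: `domain_allowed` is consulted only at creation, exactly as the page says, while `may_comment` never looks at domains and decides purely on JIRA rights or prior membership of the custom field. Dave's first mail with a guessed key is the snooping case and is refused; after Bill copies him in, the same mail is accepted.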