Category not accepting "anonymous email" from known users

I’m a bit confused by the bug vs. intended behaviour debate. The way I have interpreted it is that for security reasons, creating new topics via email is not permitted if the email address matches an existing non-staged user; this is because email addresses can be spoofed and therefore users could be impersonated.

Replies are presumably acceptable because the address includes the reply key, demonstrating that the sender was the recipient of the notification email and is therefore likely the real user.


If that interpretation of the intended behaviour is correct, it is contradictory to what I’m actually experiencing. If my user does have permission to create in the category and I send an email from my registered email address to the category’s email_in address, the email address is matched to my user and a new topic is created by my user.

This happens irrespective of whether "accept emails from anonymous users with no accounts" is enabled, since my user does have permission to create.

The current situation seems to be: (with email in anonymous users enabled)

  1. Email received from address with no user; staged user created, new topic created.
  2. " " " address with staged user; staged user matched, new topic created.
  3. " " " address with real user with create permission; real user matched, new topic created.
  4. " " " address with real user without create permission; real user matched, new topic rejected.

(Note: I did not test 4 just now.) With email in anonymous users enabled, I would expect 3 and 4 to always behave the same. Whether that is both rejected to protect against impersonation or both accepted on the basis that a real user shouldn’t have fewer permissions than an anonymous user, they shouldn’t have different results.