Service desk issues can be created in archived projects

HackerOne report #430437 by ashish_r_padelkar on 2018-10-29:

Summary:

Hello,

When you archive any public project, the project becomes read-only and no issues, comments, etc. can be created. However, if the project has service desk enabled, anybody can still create issues even when the project is in an archived state.

Description: As per the description below, it should not be possible for anyone to create any issues in archived projects. If the project has service desk enabled, anybody can use an incoming email and create issues in such projects.

Screenshot_2018-10-30_at_01.13.05.png

Steps To Reproduce:

  1. Archive any public project and use the service desk feature (enabled by default in public projects).
  2. Now anybody who knows the project link can use the service desk email and send an email to this project, and an issue will be created!

#SuggestedFix Service desk issues should be denied when the project is in an archived state.

Regards, Ashish

Impact

Anyone can create issues in archived projects

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • Screenshot_2018-10-30_at_01.13.05.png
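
The suggested fix in the report above, sketched as an added example that is not part of the original report and is not GitLab's code: every name here (`Project`, `IssuePolicy`, `create_from_email`, `IssueCreationDenied`) is hypothetical. It contrasts an email entry point that only checks the service desk flag with one that goes through a single policy gate shared by all issue-creation channels.

```ruby
# Hypothetical model of the report's scenario; none of these names are GitLab's.
Project = Struct.new(:name, :archived, :service_desk_enabled, :issues,
                     keyword_init: true)

class IssueCreationDenied < StandardError; end

# One policy gate for every issue-creation channel (web UI, API, inbound email).
module IssuePolicy
  def self.can_create_issue?(project, channel:)
    # Archived projects are read-only regardless of how the request arrives.
    return false if project.archived
    # The email channel additionally requires the service desk feature.
    return project.service_desk_enabled if channel == :service_desk_email
    true
  end
end

# Behaviour described in the report: the email path checks only the
# feature flag, so the archived state is never consulted.
def create_from_email_unchecked(project, subject)
  return nil unless project.service_desk_enabled
  project.issues << subject
  subject
end

# Hardened path: inbound email is routed through the shared policy gate.
def create_from_email(project, subject)
  unless IssuePolicy.can_create_issue?(project, channel: :service_desk_email)
    raise IssueCreationDenied, "issue creation denied for #{project.name}"
  end
  project.issues << subject
  subject
end
```

A regression test for this class of bug should exercise each entry point against an archived project, not only the web form.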