author: Lin Jen-Shin <godfat@godfat.org> 2016-03-24 18:28:23 +0800
committer: Lin Jen-Shin <godfat@godfat.org> 2016-05-16 21:27:16 +0000
commit: 4f5027042a944f2e688d010bc469b593e92d22bb
tree: 1895d554cec354d1ca7fea5926ddad063c9f9ef7
parent: 6cfd028278e7fe22c2776b9ce70a5b92223115f9
Add another TODO that we need to verify identity better
-rw-r--r-- lib/gitlab/email/receiver.rb 2
1 files changed, 2 insertions, 0 deletions
diff --git a/lib/gitlab/email/receiver.rb b/lib/gitlab/email/receiver.rb
index 2b57b3a20fc..714f45d2d43 100644
--- a/lib/gitlab/email/receiver.rb
+++ b/lib/gitlab/email/receiver.rb
@@ -87,6 +87,8 @@ module Gitlab
end
# Find the first matched user in database from email From: section
+ # TODO: Since this address could be forged, we should have some kind of
+ # auth token attached somewhere to verify the identity better.
def message_sender
@message_sender ||= message.from.find do |email|
user = User.find_by_any_email(email)
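Review bot: The TODO added above `message_sender` notes that the From: address can be forged, but "some kind of auth token attached somewhere" leaves both the mechanism and the follow-up undefined, while the method in the visible context still selects the user from `message.from` through `User.find_by_any_email(email)` alone. Suggest naming the intended check in the comment (for example, a per-user token carried in the message and compared before the matched user is accepted) and referencing a tracking issue so the gap does not stay an open-ended comment. Until that lands, the value returned by `message_sender` is an unverified claim of identity, and the comment on the method should say so.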