I've spent some time looking at ticket #460, but I keep running in to problems. The underlying cause of these problems seems to be the free-form handling of user accounts and settings. I reopened #460 because it seemed strange that the email address I'd entered in the session settings was ignored when I created a new ticket as an authenticated user. My first reaction, as in the comments on that ticket, was to append the email address even to authenticated users. But allowing additional information in the reporter or owner field would cause problems elsewhere: reports would have to use "owner LIKE '%$USER%'", and this could pick up false-positives. Grouping by either of these fields could break if email address usage is inconsistent. I propose the following solution: * Leave the behavior I complained about in #460 as-is. Only the authenticated username will be entered. Other users wishing to assign/cc tasks to a user with an account should also use the username by itself. * Associate session-data more closely with authenticated users. Rather than requiring a session key, establish session variables as soon as the user authenticates. It may even be desirable to hide the parts of the settings page that deal with session keys from authenticated users. Behavior for anonymous users remains as-is. * When sending out notifications to a list which includes the name of a known user, query the user's saved session data for an email address. Comments? -- Cap Petschulat <cap at cdres.com> Crowley Davis Research, Inc.