Bug
Resolution: Fixed
Low
5.16.2, 6.3.1
1
Severity 3 - Minor
2
Issue Summary
When user management in Bitbucket Server is through a read-only directory (Crowd, LDAP, etc.), users trying to reset their password should be notified that the account is read-only and that they should contact their administrator. At the moment, all users (internal/external) receive the same message:
"If you are a registered user, you will receive a password reset email"
Environment
Bitbucket 5.16 + with:
- On the login page, click "Unable to access your account?"
- Enter the username/email of a user belonging to a read-only directory
- Click "Reset password"
Expected Results
If the user belongs to a read-only directory the message should be:
"Your account details are read-only. Please contact your administrator to change your password."
Actual Results
The message is:
"If you are a registered user, you will receive a password reset email"
(Note that no password reset email is actually sent to users in read-only directories.)
Notes
A similar issue was fixed in Stash 4.0: BSERV-7548: Disable "reset your password" option for delegated LDAP (fixed in Bitbucket Server 4.0.0)
Workaround
Currently there is no known workaround for this behavior. A workaround will be added here when available.
- relates to
- BSERV-11923 Allow administrators to remove the forgot password link from the login screen (Gathering Interest)