Bitbucket Server / BSERV-7986

Lock User Account Data in BBServer when using copy on login


Details

    • Type: Bug
    • Status: Closed
    • Priority: High
    • Resolution: Duplicate

    Description

      When using the feature 'Delegating Stash authentication to an LDAP directory' with the copy users on login option, users still have the ability to edit their user account details. In effect this presents a vulnerability whereby one user could spoof another by changing their display name and email address to that of the other user.

      While this could ultimately be detected by referring to the username associated with an update, this still represents a genuine opportunity for malicious or fraudulent activity to be masked.

      We need a fix that ensures that user profile details are fixed/maintained when using this mode, in the same way they are when connecting Stash to an existing LDAP directory and syncing users in a specific user group.
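
      The weakness described above and the behaviour the report asks for, modelled as an added example (Python; this is not Bitbucket Server or Stash code). It keeps a small in-memory user store where some accounts were copied from a delegated LDAP directory on first login, shows the reported behaviour (any user may rewrite their own display name and e-mail, so one user can pose as another), a hardened update that leaves directory-owned attributes read-only for those accounts, and a detector over an audit trail that flags edits whose new display name or e-mail matches a different account, which is the after-the-fact check the report mentions. The directory type name "ldap-delegated", the users and the audit records are constructed for the example; the collision check in the hardened update and the audit-trail detector go beyond what the report itself requests.

```python
"""Added model of BSERV-7986; not Bitbucket Server / Stash code.

Accounts whose `directory` is an external (copy-on-login LDAP) directory
must not be editable in the application: the directory owns the display
name and e-mail. Directory names, users and audit data are constructed.
"""
from dataclasses import dataclass


@dataclass
class User:
    username: str
    display_name: str
    email: str
    directory: str  # "internal" or "ldap-delegated" (constructed names)


# Directory types whose user attributes are owned by the external directory.
EXTERNAL_DIRECTORY_TYPES = {"ldap-delegated"}


class ProfileLockedError(PermissionError):
    """Edit attempted on attributes owned by an external directory."""


class ProfileCollisionError(ValueError):
    """Edit would duplicate another account's display name or e-mail."""


def make_users():
    """Constructed store: alice and mallory were copied from LDAP on login."""
    return {
        "alice": User("alice", "Alice Smith", "alice@example.com", "ldap-delegated"),
        "mallory": User("mallory", "Mallory Jones", "mallory@example.com", "ldap-delegated"),
        "bob": User("bob", "Bob Lee", "bob@example.com", "internal"),
    }


def update_profile_vulnerable(users, username, display_name, email):
    """Reported behaviour: the only check is that a user edits their own account."""
    user = users[username]
    user.display_name, user.email = display_name, email
    return user


def update_profile_hardened(users, username, display_name, email):
    """Copied LDAP users keep what the directory gave them; nobody may take
    another account's display name or e-mail (the latter is an extra check)."""
    user = users[username]
    if user.directory in EXTERNAL_DIRECTORY_TYPES:
        raise ProfileLockedError(
            f"{username}: display name and e-mail are managed in {user.directory}")
    for other in users.values():
        if other.username == username:
            continue
        if other.email.lower() == email.lower() or other.display_name == display_name:
            raise ProfileCollisionError(
                f"{username}: '{display_name}' / '{email}' belongs to {other.username}")
    user.display_name, user.email = display_name, email
    return user


def attempt_hardened(users, username, display_name, email):
    """Outcome of the hardened update as a string: 'ok', 'locked' or 'collision'."""
    try:
        update_profile_hardened(users, username, display_name, email)
    except ProfileLockedError:
        return "locked"
    except ProfileCollisionError:
        return "collision"
    return "ok"


# Constructed audit trail of profile edits: (actor, field, old value, new value).
AUDIT_TRAIL = [
    ("mallory", "display_name", "Mallory Jones", "Alice Smith"),
    ("mallory", "email", "mallory@example.com", "alice@example.com"),
    ("bob", "display_name", "Bob Lee", "Robert Lee"),
]


def find_spoofing_updates(users, audit_trail):
    """Flag edits whose new value matches a *different* account's attribute.
    The actor's username is the stable key, as the report notes."""
    flagged = []
    for actor, field_name, _old, new in audit_trail:
        for other in users.values():
            if other.username == actor:
                continue
            current = getattr(other, field_name)
            match = current.lower() == new.lower() if field_name == "email" else current == new
            if match:
                flagged.append((actor, field_name, new, other.username))
    return flagged


if __name__ == "__main__":
    store = make_users()
    print("vulnerable:", update_profile_vulnerable(store, "mallory", "Alice Smith", "alice@example.com"))
    print("hardened mallory:", attempt_hardened(make_users(), "mallory", "Alice Smith", "alice@example.com"))
    print("hardened bob (collision):", attempt_hardened(make_users(), "bob", "Alice Smith", "alice@example.com"))
    print("hardened bob (ok):", attempt_hardened(make_users(), "bob", "Robert Lee", "bob@example.com"))
    for hit in find_spoofing_updates(make_users(), AUDIT_TRAIL):
        print("flagged:", hit)
```

      The lock is keyed on the account's directory type rather than on a per-user flag, which matches how the report frames the fix: in copy-on-login mode the LDAP directory is the source of truth for the profile, so the application should behave as it already does for directory-synced groups and refuse the edit outright rather than rely on catching the spoof later.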

People

    • Assignee: Unassigned
    • Reporter: Barclays Vendor Management
    • Votes: 0
    • Watchers: 1