
Internal users new and existing are unable to reset or set their password via email notification

      Issue Summary

      After upgrading to the latest fixed release, internal directory users are unable to reset their forgotten passwords, and for any accounts created with the password box checked (so that users receive an email to set their password), setting the password does not work.

      This is reproducible on Data Center: (yes)

      Steps to Reproduce

      1. Upgrade/install to the latest fixed version of Confluence. (Multiple affected currently, might be all latest.)
      2. Get a user to click the forgotten password link
      3. Try resetting that password via the email
      4. You receive a system error

       

      1. Upgrade to the latest fixed version of Confluence. (Multiple affected currently, might be all latest.)
      2. As admin create a new user and select the option to send an email to the user to set their own password
      3. You receive the same system error when trying to save the new password

      It's been reported Confluence connected to Crowd with only local Crowd user directories is also affected.

      Expected Results

      The password is changed as expected.

      Actual Results

      Any password reset/set from email apart from an invitation sign up link results in the same error.

      Example password reset link:
      http://localhost:27137/c7137/resetuserpassword.action?username=<USERNAME>&token=<TOKEN>
      Reset link where the error occurs after saving the password:
      /c7137/doresetuserpassword.action
      Logs
      atl_token : d6de26b226a4604abba1e1c16c0c492f9f8e260d│token : 81ed7c5defa1c711266f1c3f19ae452d34155d4│username : test5│confirm : Reset│caused by: com.atlassian.confluence.core.InsufficientPrivilegeException: User [Anonymous] does not have the required privileges.│at com.atlassian.confluence.user.DefaultUserAccessor.alterPassword(DefaultUserAccessor.java:1071) 
      
      2022-06-08 15:39:43,643 ERROR [http-nio-27137-exec-5] [atlassian.confluence.servlet.ConfluenceServletDispatcher] sendError Could not execute action
      │ -- referer: http://localhost:27137/c7137/resetuserpassword.action?username=test6&token=9ad2133e4aad38cc7667184778dbdb943cf23c95 | url: /c7137/doresetuserpassword.action | traceId: 0b53fa96ad7c746c | userName: anonymous
      │com.atlassian.confluence.core.InsufficientPrivilegeException: User [Anonymous] does not have the required privileges.
      │       at com.atlassian.confluence.user.DefaultUserAccessor.alterPassword(DefaultUserAccessor.java:1071)
      │       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      │       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      │       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      │       at java.lang.reflect.Method.invoke(Method.java:498)
      

      Workaround

      Option 1 for existing users
      1. It's reported it's possible for admins to reset the password from user management
      2. Then the user can manually change it under their profile - that method is not affected
      Option 2 for new users
      1. Send the invitation link instead of creating the accounts. That allows them to enter all details and the password is saved.
        1. Or create the account but set the password and allow them to change it as above

            [CONFSERVER-79041] Internal users new and existing are unable to reset or set their password via email notification

            Milan Ardeshana added a comment:

            @jponting Do you have a tentative list of 3rd party plugins available in the Marketplace which are incompatible with their version and particularly causing this bug/error?

            James Ponting added a comment:

            Hi All,

            We've investigated two reports that this functionality is still broken, and in both cases identified a third party app as the cause of the breakage. We've also reviewed the code in question heavily, and can't see any potential issues.

            If you would like to validate if this is true in your environment, you can try disabling all third party apps and testing the functionality.

            Should you continue to encounter issues, can you please reach out to our support team at https://support.atlassian.com and they'll help you investigate further.

            karsten.hain - Being unable to change a Confluence password whilst running in Read Only Mode is by design in this case.

            Thanks,
            James Ponting
            Engineering Manager - Confluence Data Center


            Jürgen Buchinger added a comment:

            I found a temporary bug fix provided by XALT Business Consulting GmbH.

            You can use this bugfix if you don't want to install a fixed update version in the near future.

            Download here: https://docs.xalt.de/pldoc/confserver-79041-423364976.html

            But beware: Download and use at your own risk and without guarantee!

            SEU-Java Support added a comment:

            Hi All

            We have updated our Confluence to 7.13.8 and the password reset via e-mail works again. Thanks for fixing this.

            Best Regards
            Werner

            Karsten Hain added a comment:

            Hi Wiebke,

            you can enable a read-only mode in Confluence Data Center.

            https://confluence.atlassian.com/doc/using-read-only-mode-for-site-maintenance-952624304.html

            Regards,

            Karsten

            Wiebke Bettermann added a comment:

            hello,

            it is the same with version 7.18.2, users cannot reset the password.

            @karsten: what do you mean by "when maintenance mode is activated"?

            regards

            wiebke

            Karsten Hain added a comment:

            Hello,

            I have noticed that after upgrading to Confluence 7.4.18 Data Center, the password cannot be changed in the user profile (Profile/Settings/Password page) when maintenance mode is activated.

            The error message is: Oops - an error has occurred - https://.../confluence/users/changemypassword.action

            If the maintenance mode is deactivated, the password change works.

            The behaviour is reproducible in all my instances.

            Regards,
            Karsten

            Administrators Scholarsportal added a comment:

            Hi @james,

            We are experiencing the same thing Robert Mcneil described. Users are not able to reset password from Profile/Settings/Password page.

            Felix Albertsmeier added a comment:

            We're also still experiencing issues with 7.13.8. If a new user tries to set his initial password or a user changes their password while they are logged in, everything is fine. If we use the forgotuserpassword action we still run into an error.

            In the log we see the following:

            [08/Jul/2022:13:01:40 +0200] - https-jsse-nio2-127.0.0.1-8443-exec-5 10.17.1.113 GET /confluence/forgotuserpassword.action HTTP/1.1 200 41ms 7033 https://confluence-test.it.nrw.de/confluence/login.action?os_destination=%2Findex.action&permissionViolation=true Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
            [08/Jul/2022:13:01:40 +0200] - https-jsse-nio2-127.0.0.1-8443-exec-17 10.17.1.113 GET /confluence/rest/menu/latest/appswitcher?_=1657278100786 HTTP/1.1 401 6ms 672 https://confluence-test.it.nrw.de/confluence/forgotuserpassword.action Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
            [08/Jul/2022:13:01:49 +0200] - https-jsse-nio2-127.0.0.1-8443-exec-8 10.17.1.113 POST /confluence/doforgotuserpassword.action HTTP/1.1 403 37ms 7197 https://confluence-test.it.nrw.de/confluence/forgotuserpassword.action Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0

            We have not implemented any sort of workaround.
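A triage sketch for the access-log symptom in the comment above, added here as an example (not Atlassian's or any commenter's code): it scans access-log lines in that layout for POSTs to the password actions named in this issue that ended in a 4xx/5xx status. The field names, sample lines, host name and addresses are constructed assumptions.

```python
import re
from collections import Counter

# Password endpoints named in this issue (reset-by-email, forgot-password, profile change).
PASSWORD_ACTIONS = (
    "doresetuserpassword.action",
    "doforgotuserpassword.action",
    "changemypassword.action",
)

# Assumed reading of the access-log layout quoted in the comment above:
# [time] user thread client-ip METHOD path PROTO status duration bytes referer user-agent
ACCESS_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\]\s+(?P<user>\S+)\s+(?P<thread>\S+)\s+(?P<ip>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/\S+\s+(?P<status>\d{3})\s"
)

def failed_password_requests(lines):
    """Return one dict per POST to a password action that ended in a 4xx/5xx status."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        # Drop the query string and context path, keep only the action name.
        action = m["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        if action in PASSWORD_ACTIONS and int(m["status"]) >= 400:
            hits.append({"time": m["time"], "user": m["user"], "ip": m["ip"],
                         "action": action, "status": int(m["status"])})
    return hits

def summarize(hits):
    """Count failures per (action, status) so a broken reset flow stands out."""
    return Counter((h["action"], h["status"]) for h in hits)

# Constructed sample lines (placeholder host, RFC 5737 addresses, invented statuses).
SAMPLE = """\
[08/Jul/2022:13:01:40 +0200] - exec-5 192.0.2.10 GET /confluence/forgotuserpassword.action HTTP/1.1 200 41ms 7033 https://wiki.example.test/confluence/login.action Mozilla/5.0
[08/Jul/2022:13:01:49 +0200] - exec-8 192.0.2.10 POST /confluence/doforgotuserpassword.action HTTP/1.1 403 37ms 7197 https://wiki.example.test/confluence/forgotuserpassword.action Mozilla/5.0
[08/Jul/2022:13:05:02 +0200] - exec-3 192.0.2.11 POST /confluence/doresetuserpassword.action?x=1 HTTP/1.1 500 52ms 9120 https://wiki.example.test/confluence/resetuserpassword.action Mozilla/5.0
[08/Jul/2022:13:06:10 +0200] alice exec-9 192.0.2.12 POST /confluence/users/changemypassword.action HTTP/1.1 200 30ms 5000 - Mozilla/5.0
""".splitlines()

if __name__ == "__main__":
    for (action, status), n in sorted(summarize(failed_password_requests(SAMPLE)).items()):
        print(f"{action} -> HTTP {status}: {n} failed request(s)")
```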

            James Ponting added a comment (edited):

            Hi All,

            6b904cb52d91 - Thanks for the report. I've sent it through to the developer who worked on the fix to take a look. Having spoken to the developer, he reported he's unable to reproduce the behaviour you're seeing. Additionally, support haven't been able to replicate so far. Can you please contact support at https://support.atlassian.com and work with them to investigate this. If there's an ongoing issue here, we'd like to look into it further. As with the other reports, we'd be particularly interested in any errors or logging that may occur on the node where the password reset was attempted.

            8807b93d8249 - Is the report 6b904cb52d91 made above the same behaviour you're seeing?

            I'll come back to you with our findings.

            Thanks,
            James Ponting
            Engineering Manager - Confluence Data Center


              854eef6f5746 Kusal Kithul-Godage
              dmark@atlassian.com Danny (Inactive)
              Affected customers: 80
              Watchers: 119
