Uploaded image for project: 'Confluence Server and Data Center'
  1. Confluence Server and Data Center
  2. CONFSERVER-79041

Internal users new and existing are unable to reset or set their password via email notification

    XMLWordPrintable

Details

    Description

      Issue Summary

      After upgrading to the latest fixed release internal directory users are unable to reset their forgotten passwords or any accounts created with the password box checked so users receive an email to set their password does not work.

      This is reproducible on Data Center: (yes)

      Steps to Reproduce

      1. Upgrade/install to the latest fixed version of Confluence. (Multiple affected currently, might be all latest.)
      2. Get a user to click the forgotten password link
      3. Try resetting that password via the email
      4. You receive a system error

       

      1. Upgrade to the latest fixed version of Confluence. (Multiple affected currently, might be all latest.)
      2. As admin create a new user and select the option to send an email to the user to set their own password
      3. You receive the same system error when trying to save the new password

      It's been reported Confluence connected to Crowd with only local Crowd user directories is also affected.

      Expected Results

      The password is changed as expected.

      Actual Results

      Any password reset/set from email apart from an invitation sign up link results in the same error.

      example password reset link
      http://localhost:27137/c7137/resetuserpassword.action?username=<USERNAME>&token=<TOKEN>
      reset link where the error occurs after saving password
      /c7137/doresetuserpassword.action
      Logs
      atl_token : d6de26b226a4604abba1e1c16c0c492f9f8e260d│token : 81ed7c5defa1c711266f1c3f19ae452d34155d4│username : test5│confirm : Reset│caused by: com.atlassian.confluence.core.InsufficientPrivilegeException: User [Anonymous] does not have the required privileges.│at com.atlassian.confluence.user.DefaultUserAccessor.alterPassword(DefaultUserAccessor.java:1071) 
      
      2022-06-08 15:39:43,643 ERROR [http-nio-27137-exec-5] [atlassian.confluence.servlet.ConfluenceServletDispatcher] sendError Could not execute action
      │ -- referer: http://localhost:27137/c7137/resetuserpassword.action?username=test6&token=9ad2133e4aad38cc7667184778dbdb943cf23c95 | url: /c7137/doresetuserpassword.action | traceId: 0b53fa96ad7c746c | userName: anonymous
      │com.atlassian.confluence.core.InsufficientPrivilegeException: User [Anonymous] does not have the required privileges.
      │       at com.atlassian.confluence.user.DefaultUserAccessor.alterPassword(DefaultUserAccessor.java:1071)
      │       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      │       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      │       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      │       at java.lang.reflect.Method.invoke(Method.java:498)
      

      Workaround

      Option 1 for existing users
      1. It's reported it's possible for admins to reset the password from user management
      2. Then the user can manually change it it under their profile - that method is not affected
      Option 2 for new users
      1. Send the invitation link instead of creating the accounts. That allows them to enter all details and the password is saved.
        1. Or create the account but set the password and allow them to change it as above

      Attachments

        Issue Links

          Activity

            People

              854eef6f5746 Kusal Kithul-Godage
              dmark@atlassian.com Danny
              Votes:
              80 Vote for this issue
              Watchers:
              113 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: