JRASERVER-3315

Everybody can change another users username so the user can't login


1. Go to the login page
2. Click "Forgot password"
3. Enter an existing username in uppercase
4. Click "Send it to me"

A username is normally in lowercase, but by entering the username in uppercase and saying that you have forgotten the password, a new password is generated as normal and sent to the user's e-mail. One other crucial thing also happens: the username is now also changed to uppercase.

When the unaware user gets the e-mail and tries to log in with the new auto-generated password, the user is told "Sorry, your username and password are incorrect - please try again." This is because he is now trying to log in with a lowercase username. If the user is smart he will see that the mail with the new password also lists his username, and that it is in uppercase. If he then tries to log in with his username in uppercase and the new password, he is shown this message: "You do not have the permissions required to browse any projects." (just like in the JRA-2349 issue).

The only solution for the user now is to do as the hacker did and request a new password (this time writing his username in lowercase). Now his username is changed back to lowercase. When he then tries to log in with his new password and his lowercase username, it works fine.

An interesting side effect is that it is now no longer possible to log in with an uppercase username, as in JRA-2349. It is still possible, though, to change the username back to uppercase again with the method described above.

BTW: This bug is closely related to JRA-2349. JRA-2349 is in turn closely related to JRA-2905, which is a duplicate. The two bugs JRA-2157 and JRA-2148 may also have some relevance, but not as much as JRA-2349 and its duplicate JRA-2905.
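The following is an added illustration, not Jira's own code, of the two behaviours at issue: a forgot-password handler that re-keys the user record with the requester's spelling of the username (the behaviour the steps above describe), beside a hardened one that matches case-insensitively but never rewrites the stored username. The user store, usernames and e-mail address are constructed sample data.

```python
import secrets
import string


def make_store():
    """Constructed in-memory user store: stored username -> account record."""
    return {"thomas": {"email": "thomas@example.invalid", "password": "old-secret"}}


def _new_password(length=12):
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def forgot_password_vulnerable(users, submitted):
    """Behaviour the issue describes: the lookup is case-insensitive, but the
    record is stored again under the username exactly as the requester typed
    it, so an unauthenticated request can rename another user's account."""
    for name in list(users):
        if name.lower() == submitted.lower():
            record = users.pop(name)
            record["password"] = _new_password()
            users[submitted] = record  # stored username now follows the request
            return submitted, record["password"]
    return None


def forgot_password_fixed(users, submitted):
    """Hardened flow: match case-insensitively, leave the stored username
    untouched, and report the canonical (stored) name in the mail."""
    for name, record in users.items():
        if name.lower() == submitted.lower():
            record["password"] = _new_password()
            return name, record["password"]
    return None


def login(users, username, password):
    """Exact-match login, as the issue observes after the rename."""
    record = users.get(username)
    return record is not None and record["password"] == password
```

Running the vulnerable handler with "THOMAS" leaves the account keyed as "THOMAS", so the user's habitual lowercase login fails until a second reset restores it; the fixed handler leaves "thomas" in place.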

Owen Fellows (owen@atlassian.com)
Thomas Watson Steen
Original Estimate: 2h
Remaining Estimate: 0h
Time Spent: 1h