Details
- Bug
- Resolution: Unresolved
- Low
- None
- 6.3.4, 6.4.1
- 6.03
- 1
- Severity 3 - Minor
- 0
Description
Steps to reproduce
- Set user A to be 'inactive'.
- Try to login as user A.
- Observe JIRA will deny login because the user is inactive.
- Click "Can't access your account?".
- Choose "forgot password".
- Enter username.
- Click submit.
- Observe that JIRA confirms "An email has been send with a link to reset your password".
- The user can click on the link in the email and set up a new password.
Expected Behaviour
- JIRA should alert the user that a password reset could not be performed, or show a similar message.
- An inactive user should not be able to reset their JIRA password.
Actual Behaviour
- JIRA allows an inactive user to reset their password.
Note, however, that JIRA rightly still denies the inactive user login even after the allowed password reset.
Issue Links
- is related to JRASERVER-44685 Password reset messages are misleading (Gathering Interest)
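The expected behaviour above, sketched as an added example (not JIRA's code and not part of the original report): a reset flow that checks the account's active flag both when the reset is requested and when the emailed link is redeemed. `ResetService`, `User`, the message strings and the token lifetime are hypothetical names and values chosen for illustration.

```python
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 3600  # assumed lifetime, not a JIRA setting

@dataclass
class User:
    username: str
    active: bool
    password: str = ""

class ResetService:
    """Hypothetical in-memory model of a reset flow; not JIRA's implementation."""
    def __init__(self, users):
        self.users = {u.username: u for u in users}
        self.tokens = {}   # token -> (username, expiry)
        self.outbox = []   # (username, token) pairs standing in for sent emails

    def request_reset(self, username, now=None):
        now = time.time() if now is None else now
        user = self.users.get(username)
        # Check 1: issue no token for an unknown or inactive account.
        if user is None or not user.active:
            return "Password reset could not be performed."
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, now + TOKEN_TTL_SECONDS)
        self.outbox.append((username, token))
        return "Reset email sent."

    def redeem(self, token, new_password, now=None):
        now = time.time() if now is None else now
        username, expiry = self.tokens.pop(token, (None, 0))  # single use
        user = self.users.get(username)
        # Check 2: the account may have been deactivated after the email went out.
        if user is None or now > expiry or not user.active:
            return False
        user.password = new_password  # a real system would store a salted hash
        return True

    def deactivate(self, username):
        self.users[username].active = False
        # Revoke outstanding reset links for the deactivated account.
        self.tokens = {t: v for t, v in self.tokens.items() if v[0] != username}

def demo():
    # Constructed accounts: "a" mirrors the inactive user A from the report.
    svc = ResetService([User("a", active=False), User("b", active=True)])
    return svc.request_reset("a"), svc.request_reset("b"), len(svc.outbox)
```

The second check matters because a reset link can outlive the account's active status: a token issued while the user was active must not be redeemable after deactivation.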