JIRA allows password reset by disabled users


    • 6.03
    • 1
    • Severity 3 - Minor
    • 0

      Steps to reproduce

      • Set user A to be 'inactive'.
      • Try to login as user A.
      • Observe JIRA will deny login because the user is inactive.
      • Click "Can't access your account?".
      • Choose "forgot password".
      • Enter username.
      • Click submit.
      • Observe that JIRA confirms "An email has been send with a link to reset your password".
      • The user can click on the link in the email and set up a new password.

      Expected Behaviour

      • JIRA should alert the user that a password reset could not be performed, or show a similar message.
      • An inactive user should not be able to reset their JIRA password.

      Actual Behaviour

      • JIRA allows an inactive user to reset their password.

      Note, however, that JIRA rightly still denies the inactive user login even after the allowed password reset.
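The following is an added example, not part of the original report and not Jira's code: a small Python model of a forgot-password flow with the reported behaviour (`check_active=False`) beside the expected one. It goes one step beyond the report by also re-checking the account when the link is redeemed, since a user can be deactivated after the email is sent. The class names, message strings and sample users are all assumptions constructed for illustration.

```python
import secrets
from dataclasses import dataclass

SENT = "email sent"                        # constructed message strings,
REFUSED = "reset could not be performed"   # not Jira's actual wording

@dataclass
class User:
    username: str
    active: bool

class ResetService:
    """Hypothetical model of a forgot-password flow."""

    def __init__(self, users, check_active=True):
        self.users = {u.username: u for u in users}
        self.check_active = check_active  # False reproduces the reported behaviour
        self.tokens = {}                  # token -> username
        self.outbox = []                  # (username, token); stands in for e-mail

    def request_reset(self, username):
        user = self.users.get(username)
        if user is None:
            return REFUSED
        if self.check_active and not user.active:
            return REFUSED                # expected behaviour: no link is issued
        token = secrets.token_urlsafe(32)
        self.tokens[token] = username
        self.outbox.append((username, token))
        return SENT

    def redeem(self, token):
        """Return the user allowed to set a new password, or None."""
        username = self.tokens.pop(token, None)   # tokens are single use
        if username is None:
            return None
        user = self.users[username]
        # Re-check here: the account may have been deactivated after the link went out.
        if self.check_active and not user.active:
            return None
        return user

def demo():
    """Constructed sample: A is inactive; B is deactivated after requesting a link."""
    reported = ResetService([User("A", active=False)], check_active=False)
    fixed = ResetService([User("A", active=False), User("B", active=True)])
    results = [reported.request_reset("A"), fixed.request_reset("A"),
               fixed.request_reset("B")]
    fixed.users["B"].active = False
    results.append(fixed.redeem(fixed.outbox[0][1]))
    return results
```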

            Assignee:
            Unassigned
            Reporter:
            Taiwo Akindele (Inactive)
            Votes:
            10
            Watchers:
            10

              Created:
              Updated: