Details
Bug
Resolution: Unresolved
Low
None
7.13.9, 8.5.1
7.13
9
Severity 3 - Minor
0
Description
Issue Summary
Jira exposes embedded Crowd REST resources (i.e. /rest/usermanagement/1) along with Jira REST resources. However, some of these resources are not implemented in Jira, see NoopForgottenLoginManager.
With the current implementation of this class, the REST requests return various codes indicating successful processing: methods with void return types (see below for an example) return HTTP 204, which indicates success, because NoopForgottenLoginManager does not throw exceptions.
However, according to REST conventions, these methods should return the HTTP 405 Method Not Allowed response status code, which indicates that the request method is known by the server but is not supported by the target resource (see the discussion of response codes 405 and 501).
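The following sketch is an added example, not Jira or Crowd code: it models why a no-op manager behind a void REST method yields HTTP 204, and how raising an error from the unimplemented operation lets the resource answer 405 instead. All class and function names are hypothetical.

```python
# Added illustration: a minimal model of the behaviour described in this issue.
# Every name here is hypothetical; this is not Jira or Crowd source code.


class OperationNotSupported(Exception):
    """Raised by a backend that does not implement an operation."""


class SilentNoopLoginManager:
    """Models the reported behaviour: the void method does nothing and returns."""

    def send_reset_link(self, username):
        return None  # no mail is sent and no error is raised


class RejectingLoginManager:
    """Models the expected behaviour: the unimplemented operation fails loudly."""

    def send_reset_link(self, username):
        raise OperationNotSupported("password reset mail is not implemented")


def handle_reset_request(manager, username):
    """Model of POST .../user/mail/password?username=<name>.

    Returns (status, headers) the way a REST layer maps a void method.
    """
    try:
        manager.send_reset_link(username)
    except OperationNotSupported:
        # 405 tells the caller that nothing was done. A 405 response carries
        # an Allow header; it is empty here because this model supports no
        # method on the resource.
        return 405, {"Allow": ""}
    # A void method that returned normally is mapped to 204 No Content.
    return 204, {}


def client_believes_mail_sent(status):
    """A REST client can only go by the status code: any 2xx reads as success."""
    return 200 <= status < 300


if __name__ == "__main__":
    for manager in (SilentNoopLoginManager(), RejectingLoginManager()):
        status, headers = handle_reset_request(manager, "admin")
        print(type(manager).__name__, status, headers,
              "client assumes mail sent:", client_believes_mail_sent(status))
```
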
Steps to Reproduce
- On a vanilla Jira installation, go to gg > User directories page, click Jira User Server in the left-hand side menu and create an application definition. Define a username and password (username/passw0rd) at this step; they will be used in the next step.
- Send a REST request to Jira using the username/password above for an existing user (e.g. admin), like below:
curl -i -u username:passw0rd -X POST '<JIRA_BASE_URL>/rest/usermanagement/1/user/mail/password?username=admin' --header 'Content-Type: application/json' --header 'Accept: application/json'
Expected Results
We receive an HTTP 405 response
Actual Results
We receive an HTTP 204 response, indicating that a password reset mail has been sent to this user. However, no such mail is sent.
Workaround
Use the similar REST API provided by the Jira User REST endpoint.