[CONFSERVER-5794] Don't send any notifications to disabled users Created: 27/Mar/2006  Updated: 09/Apr/2018  Resolved: 02/Dec/2015

Status: Resolved
Project: Confluence Server
Component/s: None
Affects Version/s: 2.1.5, 5.2, 5.4.2, 5.7.3, 5.8.17
Fix Version/s: 5.9.1, 5.8.18

Type: Bug Priority: Medium
Reporter: Tom Davies Assignee: Feng Xu
Resolution: Fixed Votes: 44
Labels: affects-server, loyalty, no-cvss-required, notifications, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Reference
relates to CONFSERVER-34847 Tools/Share sends e-mail to disabled ... Resolved
relates to CONFSERVER-37449 Notifications sent to disabled users Resolved
relates to CONFSERVER-22070 Provide a global admin setting to tur... Resolved
Participants:
Last Touched By: Graham Horsman
Last commented: 10 weeks, 2 days ago

 Description   

Once a user is disabled, they should not receive any notifications.



 Comments   
Comment by Lisa Dyer [ 14/Mar/2008 ]

Any insight into when this might be addressed? This problem is occurring on Confluence 2.6.2 (standalone). Thanks.

Comment by Per Fragemann [Atlassian] [ 07/Jul/2008 ]

This issue is borderline between "improvement" and "bug". I am changing it to "bug", cause it sounds like sending mail to disabled users is the wrong thing to do

Comment by Sherif Mansour [ 08/Oct/2011 ]

Linking to https://jira.atlassian.com/browse/CONF-22070?focusedCommentId=272555&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-272555. As Joel points out in that ticket, this problem is more apparent with the Atuowatch feature.

Comment by Steve Sweales [ 14/Nov/2013 ]

This is actually a data security risk and should be a much higher priority.

I have only just stumbled upon this issue as I have found that ex-employees are receiving emails on our current projects (receiving company sensitive data) due to this issue.

You can argue that all employees should be signing to Confluence with their work email addresses (which we would deactivate), however starting as a small company means we have some cases like this.

Comment by Dragana Brighton [ 10/Feb/2014 ]

I agree the priority should be much higher on this. Especially if there is no a workaround.

Comment by David Rizzuto [ 11/Feb/2014 ]

I'm increasing the priority of this due to the fact that it can potentially send emails to people who shouldn't get them.

Comment by Heshan Manamperi [ 12/Jun/2015 ]

Affected: 5.6.3 and 5.7.3

Comment by Darrell Bush [ 01/Oct/2015 ]

This is marked as Resolved-Fixed. What is the resolution? I am still seeing this in version 5.8.4.

Comment by Richard Atkins [ 01/Oct/2015 ]

Darrell Bush which kinds of notifications are being sent to deactivated users in your system? How are those users being deactivated? Is it by marking them disabled in LDAP, deactivating them directly in Confluence user management, or removing their "use confluence" permission? We believe we've resolved the issue for shares, but we could easily have missed other notification types - sorry about that. I'll reopen this, and ensure that we get coverage for all the notification types in Confluence before this issue is marked as resolved again.

Comment by Darrell Bush [ 02/Oct/2015 ]

Hi Richard, there are entries in the log file that indicate that emails are being sent to inactive users, according to https://confluence.atlassian.com/display/CONFKB/Email+notifications+trigger+a+NoSuchElementException+in+the+logs?focusedCommentId=781194392&#comment-781194392. The users are disabled in Active Directory, and we are using Crowd to read the Active Directory. There are two pages that are sending the emails, and only one watcher on one of those pages. I'm not sure why the emails are being sent. How can we identify the user from the log file value for user '8ae784ab4de7ac44014de8f684650042'?

2015-09-30 11:34:02,689 ERROR [NotificationSender:thread-2] [plugin.notifications.dispatcher.NotificationErrorRegistryImpl] addError Error sending notification to server '<Unknown>'(-1) for INDIVIDUAL task (resent 4 times): Error generating message for server 'System Mail' on medium 'mail' for user '8ae784ab4de7ac44014de8f684650042'. 
Comment by Hans-Peter Geier [ 13/Oct/2015 ]

same error on 5.8.x

Comment by Hans-Peter Geier [ 03/Dec/2015 ]

as the solution is known now and already fixed in 5.9.1, could you make the fix also available in a 5.8.xx release?
We don't have plans to upgrade to 5.9.x soon, and I believe this issue is important enough to provide a solution to 5.8.xx customers as well.

Comment by Stephen Gramm [ 03/Dec/2015 ]

We are also requesting a fix for version 5.8.17

Comment by Graham Horsman [ 09/Apr/2018 ]

I'm seeing this in 6.0.5.

2018-04-09 11:23:22,300 ERROR [NotificationSender:thread-3] [plugin.notifications.dispatcher.NotificationErrorRegistryImpl] addError Error sending notification to server '<Unknown>'(-1) for INDIVIDUAL task (resent 1 times): Error sending to individual '8a81e92b5c6db79d015c6dbb2e300814' on server 'System Mail'
NotificationException: javax.mail.MessagingException: Exception reading response;
  nested exception is:
	java.net.SocketTimeoutException: Read timed out
Generated at Wed Jun 20 20:27:10 UTC 2018 using JIRA 7.10.0#710001-sha1:03997172f7586fe4d51c3a770f17db185cf44cfa.