Artifactory Binary Repository / RTFACT-22208

Artifactory Forgot Password feature does not check the Disable Internal Password option when Can Update Profile is also checked.



    • Type: Bug
    • Status: Done
    • Resolution: Done
    • Affects Version/s: 6.19.0, 6.19.1
    • Fix Version/s: 7.7.0
    • Component/s: None
    • Labels:
    • Severity:


      Problem Statement: The Artifactory forgot password feature allows external users (LDAP, AD) to reset their password when Can Update Profile is enabled together with Disable Internal Password.

      What is the expected behavior? An external user who is not an admin should not be allowed to update the password. Even with Can Update Profile enabled, the user should not be able to reset the password.

      Steps to reproduce:

      1. Set up Artifactory with an external authentication provider such as LDAP, AD, etc.
      2. Configure the mail server in Artifactory to enable the forgot password feature.
      3. Use the forgot password feature for a non-admin user (e.g. user1) with only Disable Internal Password set (enabled by default for external users) and observe the logs; as expected, user1 is not permitted to reset the password:
        2020-05-21 14:07:23,931 [http-nio-8081-exec-7] [ERROR] (o.a.u.r.s.a.s.a.f.ForgotPasswordService:92) - Error while resetting password for user 'user1', requested from address 'X.X.X.X'. {}
        java.lang.RuntimeException: The specified user is not permitted to reset his password.
      4. Now enable Can Update Profile in the user settings.
      5. Retry the forgot password flow and observe that the reset now succeeds:
        2020-05-21 14:08:17,217 [http-nio-8081-exec-5] [INFO ] (o.a.s.SecurityServiceImpl:1762) - The user: 'user1' has been sent a password reset message by mail.
        2020-05-21 14:08:49,947 [http-nio-8081-exec-9] [INFO ] (o.a.s.SecurityServiceImpl:1299) - Password for user 'user1' has been successfully changed
        2020-05-21 14:08:49,948 [http-nio-8081-exec-9] [INFO ] (o.a.u.r.s.a.s.a.f.ResetPasswordService:81) - The user: 'user1' has successfully reset his password.

      The Disable Internal Password condition is not checked when Can Update Profile is enabled.
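      As an added illustration of the reported logic flaw (not Artifactory's code; the UserSettings flags and the may_reset_password_* functions are hypothetical stand-ins), the authorization predicate in its reported and its expected form, replayed over the user1 state from step 3 and from step 5:

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class UserSettings:
    """Constructed stand-in for the per-user flags named in this report."""
    name: str
    is_admin: bool
    is_external: bool              # authenticated via LDAP/AD, not an internal password
    internal_password_disabled: bool  # the "Disable Internal Password" option
    can_update_profile: bool          # the "Can Update Profile" option


def may_reset_password_buggy(u: UserSettings) -> bool:
    """Reported behaviour: Can Update Profile short-circuits the check, so
    Disable Internal Password is never consulted (step 5 succeeds)."""
    if u.is_admin or u.can_update_profile:
        return True
    return not (u.is_external and u.internal_password_disabled)


def may_reset_password_fixed(u: UserSettings) -> bool:
    """Expected behaviour: a non-admin external user whose internal password is
    disabled may not reset it, regardless of the profile-update permission."""
    if u.is_admin:
        return True
    if u.is_external and u.internal_password_disabled:
        return False
    return True  # users who actually own an internal password may reset it


# Constructed states mirroring the reproduction: step 3 (only Disable Internal
# Password set) and step 5 (Can Update Profile additionally enabled).
STEP3 = UserSettings("user1", is_admin=False, is_external=True,
                     internal_password_disabled=True, can_update_profile=False)
STEP5 = replace(STEP3, can_update_profile=True)


def replay(check) -> dict:
    """Evaluate a predicate over both reproduction states."""
    return {"step3": check(STEP3), "step5": check(STEP5)}


if __name__ == "__main__":
    print("buggy:", replay(may_reset_password_buggy))  # step5 wrongly allowed
    print("fixed:", replay(may_reset_password_fixed))  # denied in both states
```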





              asafz Asaf Zalcman
              balajis Balaji Satish