Artifactory Binary Repository
RTFACT-22208

Artifactory forgot-password feature does not check the option Disable Internal Password when Can Update Profile is also checked.


    Details

    • Type: Bug
    • Status: Done
    • Resolution: Done
    • Affects Version/s: 6.19.0, 6.19.1
    • Fix Version/s: 7.7.0
    • Component/s: None
    • Severity: Medium

      Description

      Problem statement: The Artifactory forgot-password feature allows external users (LDAP, AD) to reset their password when Can Update Profile is enabled together with Disable Internal Password.

      Expected behavior: An external user who is not an admin should not be allowed to reset the password. Even with Can Update Profile enabled, the user should not be able to reset it; Disable Internal Password must be honored regardless of the profile-update right.

      Steps to reproduce:

      1. Set up Artifactory with an external authentication provider such as LDAP, AD, etc.
      2. Configure the mail server in Artifactory to enable the forgot-password feature.
      3. Use the forgot-password feature for a non-admin user (e.g. user1) that has only Disable Internal Password set (it is enabled by default for external users) and observe the logs. The reset is refused, which is the expected behavior:
         2020-05-21 14:07:23,931 [http-nio-8081-exec-7] [ERROR] (o.a.u.r.s.a.s.a.f.ForgotPasswordService:92) - Error while resetting password for user 'user1', requested from address 'X.X.X.X'. {}
         java.lang.RuntimeException: The specified user is not permitted to reset his password.
      4. Now enable Can Update Profile in the user's settings.
      5. Retry the forgot-password flow for the same user and observe that the reset now succeeds:
         2020-05-21 14:08:17,217 [http-nio-8081-exec-5] [INFO ] (o.a.s.SecurityServiceImpl:1762) - The user: 'user1' has been sent a password reset message by mail.
         2020-05-21 14:08:49,947 [http-nio-8081-exec-9] [INFO ] (o.a.s.SecurityServiceImpl:1299) - Password for user 'user1' has been successfully changed
         2020-05-21 14:08:49,948 [http-nio-8081-exec-9] [INFO ] (o.a.u.r.s.a.s.a.f.ResetPasswordService:81) - The user: 'user1' has successfully reset his password.

      The Disable Internal Password condition is not checked when Can Update Profile is enabled: the profile-update right short-circuits the authorization decision instead of both conditions being evaluated independently.
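      The following Python is an added illustration of the decision logic described in this report and is not Artifactory's code. It models the two user settings named above as plain fields (the names `disable_internal_password` and `can_update_profile` are this example's own), shows the short-circuited check beside one that evaluates the deny condition unconditionally, and then scans the log lines quoted in the steps above for a successful reset that the corrected policy would have refused, which is the check an operator auditing an affected 6.19.x instance would want.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class User:
    # Field names are this example's own; they mirror the two settings named
    # in the report, not Artifactory's internal user model.
    name: str
    disable_internal_password: bool  # "Disable Internal Password" (default on for LDAP/AD users)
    can_update_profile: bool         # "Can Update Profile"


def may_reset_password_buggy(user: User) -> bool:
    """Decision the report observes on 6.19.x: the profile-update right is
    evaluated first and short-circuits the check, so Disable Internal Password
    is never consulted for a user who holds Can Update Profile."""
    if user.can_update_profile:
        return True
    return not user.disable_internal_password


def may_reset_password_fixed(user: User) -> bool:
    """Expected decision: a disabled internal password means there is nothing
    to reset, whatever other rights the user holds. The deny condition is
    checked unconditionally and Can Update Profile is deliberately not
    consulted, so granting an unrelated right cannot reopen this path."""
    return not user.disable_internal_password


# Matches the SecurityServiceImpl INFO line quoted in step 5 of the report.
RESET_SUCCEEDED = re.compile(
    r"Password for user '(?P<user>[^']+)' has been successfully changed")


def resets_that_should_have_been_denied(log_lines: Iterable[str],
                                        users: Iterable[User]) -> List[str]:
    """Return the names of users whose reset succeeded in the log although the
    corrected policy would have refused it. Unknown users are skipped."""
    by_name = {u.name: u for u in users}
    flagged: List[str] = []
    for line in log_lines:
        m = RESET_SUCCEEDED.search(line)
        if m is None:
            continue
        user = by_name.get(m.group("user"))
        if user is not None and not may_reset_password_fixed(user):
            flagged.append(user.name)
    return flagged


# Constructed sample: the log lines quoted in the report, reproduced verbatim.
SAMPLE_LOG = [
    "2020-05-21 14:07:23,931 [http-nio-8081-exec-7] [ERROR] (o.a.u.r.s.a.s.a.f.ForgotPasswordService:92) - Error while resetting password for user 'user1', requested from address 'X.X.X.X'. {}",
    "2020-05-21 14:08:17,217 [http-nio-8081-exec-5] [INFO ] (o.a.s.SecurityServiceImpl:1762) - The user: 'user1' has been sent a password reset message by mail.",
    "2020-05-21 14:08:49,947 [http-nio-8081-exec-9] [INFO ] (o.a.s.SecurityServiceImpl:1299) - Password for user 'user1' has been successfully changed",
]

# user1 as configured in step 3 (only Disable Internal Password) and after
# step 4 (Can Update Profile added).
USER1_STEP3 = User("user1", disable_internal_password=True, can_update_profile=False)
USER1_STEP4 = User("user1", disable_internal_password=True, can_update_profile=True)


if __name__ == "__main__":
    print("step 3, buggy:", may_reset_password_buggy(USER1_STEP3))  # False (refused, as expected)
    print("step 5, buggy:", may_reset_password_buggy(USER1_STEP4))  # True  (the bug)
    print("step 5, fixed:", may_reset_password_fixed(USER1_STEP4))  # False
    print("resets to review:",
          resets_that_should_have_been_denied(SAMPLE_LOG, [USER1_STEP4]))  # ['user1']
```

      The general point the fixed version makes is that a deny condition such as Disable Internal Password must be evaluated on its own, not only on the branch where a separate permission is absent; the log scan is the corresponding detective control for instances that ran the affected versions.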


              People

              Assignee: asafz Asaf Zalcman
              Reporter: balajis Balaji Satish
              Votes: 0
              Watchers: 4
