
Issue All my clients' backup lists are visible to everyone

Andoro

New Pleskian
I've set up FTP backup for all my clients, because I don't want to use my server's local storage.
Today I've enabled the backup settings for my clients, to let them manage their backups / restores.
I realized that any of my clients has access to all other backups, so technically anybody could download and restore a backup and steal each other's websites.

Is this possible???

It's also very frustrating that when I open a domain or client and click on the backup lists link, I see all the other backups which are not related to the selected domain or client.
The URL seems to filter my backup list:
https://myhostserver:8443/smb/backup/list/domainId/47
But it does nothing at all, just lists all of my backups.
I can't even differentiate them, because the domain or client name is missing from the list.

What I wanted to achieve:
I wanted to remove some backups for each client.
I wanted to clean my server from backups, because I need more storage.
 
I recommend opening a ticket with Plesk support. Normally a backup that one subscription makes is not visible to other subscriptions. There has got to be something severely wrong with file permissions or database content if the system shows backups of one customer in the account of another. This needs a detailed investigation.

In general, it is recommended to password-protect backups. With password protection, which can be set in the backup settings, a backup file can only be restored if the password is entered correctly. So even if someone steals a backup repository, he cannot restore it or unpack the contents to take a look into it without knowing the password.
 