Locked out of control panel after changing user role of built-in user

[Toxalot]

When you create a customer, they are assigned a username and password to access the control panel. That control panel user is assigned the role of Owner. If you click on that user's name on the Users tab and go to Change Settings, the User role drop-down is disabled. However, if that user has an email address under the account, it's possible to change the User role from the Mail tab.

The problem is that the user can change the role to something that does not have permission to manage users and roles. And that effectively locks himself AND the Server Administrator out of the control panel for all subscriptions belonging to that customer.

As admin, I tried to click on the Control Panel link from my screen, and I got the message "Error: Access to the location account/switch is denied."

I solved this problem by digging into the database and finding the relevant tables. I got the info I needed from the smb_roles and smb_users tables. I was then able to manually update smb_users.roleId to the correct one.

This should be fixed in the control panel. The User role drop-down should be disabled on the Mail tab as it is on the Users tab for the isBuiltIn users.

Should I submit this as a feature request or is there another place to submit bugs?

 

[Toxalot]

Bump.

I consider this a bug. Is there a place to report bugs or should it be submitted as a feature request? If I have to vote for both bugs and feature requests, I need more than 20.

 

[IgorG]

Please never submit bugs as feature request on Plesk uservoice site! All these posts will be immediately deleted because Plesk uservoice project is only for Feature Requests!
If you need submit bugreport you may contact Support Team or use well known template http://forum.parallels.com/showthread.php?106113 where you should provide all necessary details, steps to reproduce, logs, error messages and so on.

 

[Toxalot]

---------------------------------------------------------------
PRODUCT, VERSION, MICROUPDATE, OPERATING SYSTEM, ARCHITECTURE
Plesk 11.5.30 #35 Centos 6.5 x64

PROBLEM DESCRIPTION
It's possible to change the user role of the main (isBuiltIn) panel user for a subscription. If the role is changed to one that has no permission to manage users and roles, it can't be changed back (even by the Server Administrator). If it is changed to one with no permissions, it effectively locks that user AND the Server Administrator out of the control panel for all subscriptions belonging to that customer.

STEPS TO REPRODUCE
- log into Control Panel as main panel user for a subscription
- go to Mail tab
- click on email address belonging to main panel user for subscription
- change User role in drop-down and click OK

ACTUAL RESULT
- User role is changed, and thus permissions as well
- If main panel user has no permissions, Server Administrator will receive message "Error: Access to the location account/switch is denied." when trying to access subscription control panel from admin control panel

EXPECTED RESULT
- User role of main panel user should always be Owner
- User role drop-down should be disabled for the main user on the Mail tab just as it is disabled on the Users tab (Users > 'main user contact name' > Change Settings)

ANY ADDITIONAL INFORMATION
--------------------------------------------------------------

 

[IgorG]

Thank you for report. I have submitted corresponding request to developers (PPPM-1469 for your reference)