
Plesk Email Security (PES); email user logs into Plesk, PES page : access denied

TomBoB


TITLE

Plesk with PES; email user logs into Plesk, PES page : access denied

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk 18.0.52 #2, AlmaLinux 8.7 latest updates

PROBLEM DESCRIPTION

Use Plesk with PES. When an email user logs into Plesk to check (and adjust) his security settings, an "access denied" warning shows and the page doesn't load.

STEPS TO REPRODUCE

Use Plesk with PES. Have an email account allowed to log in via the Plesk login page. Log in. Click in menu "Plesk Email Security."

ACTUAL RESULT

"access denied" and page never loads

EXPECTED RESULT

shows page

ANY ADDITIONAL INFORMATION

(DID NOT ANSWER QUESTION)

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
Yes, done that. No effect. Still showing "access denied".
Have checked above on 8 production servers - same symptom.
 
The users who are affected, do they have the "create and manage websites" permission? Or are they mail only users? I am asking, because for the security configuration settings, the "create and manage websites" permission is necessary (PPS-13714, PPS-13571).
 
Hi Peter, no they do not have the "create and manage websites" permission. They are mail users only.

>for the security configuration settings, the "create and manage websites" permission is necessary

Ok, that does explain the scenario our clients are encountering.
Please allow me to be a little incredulous...
I'm 100% certain that this used to work for all mail users in the past.

For the purpose of testing I've now enabled the "create and manage websites" permission for a normal email user. Result: when they log into Plesk using their email address they can enable/disable all kinds of important settings to do with the hosting. Can't have that under any circumstances!!!

We need it back to how it used to be:
Ordinary email user logs into Plesk using his/her email address. PES option in the menu works. In there the user can change the spam detection level for example, or choose: don't put in spam folder, but rather mark it as spam.
Nothing else.
How do we achieve that?

Please see attached files. One - what we see when logged in as admin. Two - what used to be shown when a normal email user with no other permissions but "Can be used to log in to Plesk" enabled. Now that doesn't show anymore, only the "access denied" error.

IMHO, something with the allocation of permissions went wrong in Plesk. Above used to work nicely, now it doesn't anymore. Hence me filing the bug report.
 

Attachments

  • Plesk email settings admin.jpg
  • Plesk email settings email user.jpg

We are aware of it, but it is expected behavior. There has been a discussion internally on the topic, but we concluded it needs to be a user request for a feature that users without "create and manage websites" should still have the permission to edit security settings. It is correct that in earlier versions of Plesk this has worked, but it also enabled bad actors to enable themselves for things that the account owner would not want. For security reasons the permission was removed from users who were not also entitled to edit account settings.

If you believe that this should be a separate setting, please formulate it as a feature request on Feature Suggestions: Top (1808 ideas) – Your Ideas for Plesk.
 
Thanks for explaining :) Will pass it on to our clients. They'll just have to go through the sites admin going forward. If explained in a security context they'll accept it. :)
Thanks Peter!
 
I'd like to pick this up again. Just had a call from an "aggravated" client. The way it currently behaves - clicking Plesk Email Security and getting nothing but a forever-loading empty page and an alert "access denied" - serves no purpose at all. [Except to have clients wonder what is wrong with the panel].

I'd like to suggest: If the permissions stay as they currently are - normal users can't see those permissions anymore - please hide the "Plesk Email Security" option in the left menu altogether. If the end clients can't see it, they can't click it.
Currently it just causes wasted support time and unhappy clients.
 