• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Forwarded to devs [PPPM-13011] A user role limited to "database management" only can still change the PHP version used for the website

Bitpalast

Bitpalast

Plesk addicted!
Plesk Guru
Username: Peter Debik

TITLE

A user role limited to "database management" only can still change the PHP version used for the website

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Obsidian, latest MU
CentOS 7.9

PROBLEM DESCRIPTION

A user account that has been created within a subscription and only has the privileges "database" is able to change the PHP version and interface from the "Hosting Settings" link. Such a user would be able to break a website.

STEPS TO REPRODUCE

1) Create a user-defined role and grant only the "database" privileges to that role.
2) Create an additional user in the subscription and associate that user with the database-only role.
3) Login with that user.
4) Click on "Websites & Domains", then "Hosting Settings".
5) Change PHP version or handler, click "OK".
6) Logout, login as the subscription user to verify that version and handler have been changed, although the user had only privileges to manage databases.

ACTUAL RESULT

User can apply changes to PHP version and handler.

EXPECTED RESULT

User should not be able to edit anything but database settings if his privileges are limited to database maintenance.

ANY ADDITIONAL INFORMATION



YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
You must log in or register to reply here.

Similar threads

Hangover2
Forwarded to devs Disabled PHP "Hosting performance settings management" can be bypassed by using .user.ini or ini_set()
Replies
5
Views
943
Kaspar@Plesk
Kaspar@Plesk
P
Forwarded to devs Event 'CP User Login' triggered despite invalid additional authentication step (MFA)
Replies
2
Views
706
Kaspar@Plesk
Kaspar@Plesk
S
Apache does not apply .htaccess directives for certain files after migration through Plesk Migrator
Replies
2
Views
623
NewGate
N
M
Issue with Connection Info slider preventing saving of system user credentials
Replies
5
Views
877
Peter Debik
P
andreios
Resolved PHP FPM 8.2.17 is not accurately checking cached files for changes
Replies
3
Views
6K
andreios
andreios
Back
Top