
Forwarded to devs [PPPM-13011] A user role limited to "database management" only can still change the PHP version used for the website

Bitpalast

Plesk addicted!
Plesk Guru
Username: Peter Debik

TITLE

A user role limited to "database management" only can still change the PHP version used for the website

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Obsidian, latest MU
CentOS 7.9

PROBLEM DESCRIPTION

A user account that has been created within a subscription and only has the privileges "database" is able to change the PHP version and interface from the "Hosting Settings" link. Such a user would be able to break a website.

STEPS TO REPRODUCE

1) Create a user-defined role and grant only the "database" privileges to that role.
2) Create an additional user in the subscription and associate that user with the database-only role.
3) Log in with that user.
4) Click on "Websites & Domains", then "Hosting Settings".
5) Change PHP version or handler, click "OK".
6) Log out, log in as the subscription user to verify that version and handler have been changed, although the user had only privileges to manage databases.

ACTUAL RESULT

User can apply changes to PHP version and handler.

EXPECTED RESULT

User should not be able to edit anything but database settings if his privileges are limited to database maintenance.

ANY ADDITIONAL INFORMATION



YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 