• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue User-Role Security issue in Obsidian?

g4marc

Basic Pleskian
Hi, we use Obsidian 18.0.24 on 5 physical Servers.
We hosted around 40 domains per server.
We set up another own server for one customer and migrated his web presence from one of the other servers.
Yesterday a customer logged in on the wrong server, on which his presence is not hosted.
He could log in with the user role "Domain Administrator" and see all Domains that are hosted on this server!
When searching for the problem, I found that all users from the other Server were migrated! But we migrated a SINGLE website only!
obviously this Users have access to the server, although the domains (subscriptions) are not stored there! They can see an administrate all hosted Domains,
even though they only have access to their own domain, which is not even hosted there!

It looks as if Obsidian grants access to all domains if a login via user roles exists (in my case "Domain-Administrator), but the assigned domain cannot be found on the Server.
How can that be?
 
Thank you for your report and detailed explanation of an issue. We are apologies for long silent. Actually an issue is under investigation now and we will reach you shortly with all the details.
 
Back
Top