
Forwarded to devs [PPPM-13011] A user role limited to "database management" only can still change the PHP version used for the website

Bitpalast

Username: Peter Debik

TITLE

A user role limited to "database management" only can still change the PHP version used for the website

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Obsidian, latest MU
CentOS 7.9

PROBLEM DESCRIPTION

A user account that has been created within a subscription and only has the privileges "database" is able to change the PHP version and interface from the "Hosting Settings" link. Such a user would be able to break a website.

STEPS TO REPRODUCE

1) Create a user-defined role and grant only the "database" privileges to that role.
2) Create an additional user in the subscription and associate that user with the database-only role.
3) Log in with that user.
4) Click on "Websites & Domains", then "Hosting Settings".
5) Change PHP version or handler, click "OK".
6) Log out, log in as the subscription user to verify that version and handler have been changed, although the user had only privileges to manage databases.

ACTUAL RESULT

User can apply changes to PHP version and handler.

EXPECTED RESULT

User should not be able to edit anything but database settings if his privileges are limited to database maintenance.

ANY ADDITIONAL INFORMATION



YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 