Hi there,
Apologies for the useless subject, but it will become obvious in a moment why I cannot be more specific.
I set up a new Virtualmin Pro server and added a test reseller, using my primary browser (Firefox). In another browser (Chromium) I logged in as the reseller and noted a few oddities.
First of all, I could see a page that looked exactly the same as the "Edit Reseller" page in the master administrator account which, besides seeming to allow the reseller to change all of his limits, quotas, etc., showed a complete list of the "unowned domains" that only the master administrator should be able to see. It also seemed to allow the reseller to create his own resellers, which I had explicitly disallowed (the default) as the master administrator.
I logged out and went back to the master administrator account in Firefox so that I could impose some really low quota limits, which I could then try to change or exceed in the reseller's account.
Then I logged in again as the reseller in Chromium and ... the page had disappeared!
Unfortunately I have not been drinking, and since I didn't take screenshots the first time I have no proof and cannot show you how it's done. But the fact that I was using two different browsers means it's impossible that the page could somehow have been cached, which would surprise me anyway on an encrypted connection on a system requiring authentication.
But I didn't dream it. I swear. Weird.
Craig
Comments
Submitted by craigh on Fri, 03/04/2016 - 04:56 Pro Licensee Comment #1
OK, I wasn't dreaming.
I have set up five test resellers, and in every case the reseller was able to see and manipulate his limits AND see and manipulate the limits of other resellers AND create other resellers! Essentially, the reseller has the same power -- at least where resellers are concerned -- to do anything the master administrator can do.
I have 25 screenshots that will take far too long to edit to redact private information. I can also provide the log-in information for the reseller accounts to see for yourself, although I'd prefer NOT to turn my brand new production server into a bug-testing facility.
Please advise if you want those screenshots and how I should provide them privately. Thanks.
Craig
Submitted by JamieCameron on Fri, 03/04/2016 - 22:57 Comment #2
Sure, please email me the screenshots at jcameron@virtualmin.com , and reference this bug.
Submitted by craigh on Sat, 03/05/2016 - 05:13 Pro Licensee Comment #3
Hi Jamie,
Thanks. Have sent you the email.
Craig