When a Mail domain is created by admin through gui, the wedomain sys_userid wont be the one of the client, only sys_groupid becomes that. Is this by design? This causes some problems, amongst other with API, PHP: $session->mail_domain_get(['sys_userid' => $sys_userid]); wont return any result. Client wont be able to delete mail domain either.
It is by design, as the are times when you don't want a client to be able to break things, so you create them as admin to prevent that. I believe you have to change the database fields to switch ownership currently, there has never been an interface in the ui to do that. There was a setting added to turn off client protection, but iirc it only affects websites, not mail and other entities, which have to be changed manually - but you could give it a try. I believe the implementation was to revert ownership of all websites (and anything else it might change) to the user (rather than change underlying permission checks), so keep that in mind if you intend to test the feature and possibly go back (ie. you will need to again set admin ownership of any sites you wish to be protected from the client).
Oki, thanks for your reply, now I know, just need to take it into consideration in our API integration. Fix it via db is ok.
It would be better to fix https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5700 and turn off client protection for your install. Perhaps you could pick this up and open a merge request to share the fix with the community?
If you are referring to me, my fix is to fix is to use PHP: $session->mail_domain_get(['sys_groupid' => $sys_groupid]); instead, and catch if sys_usedid is different and fix manually directly in the db. btw, I tried to disable "client protection", but no change of behaviour wrt mail domains.
That's the right solution and the way ISPConfig GUI handles this as well. The sys_userid is the user id of the creator of an item. The owner (client) is defined by the group ID (sys_groupid), so if you want to get all items owned by a specifix client, filter them by sys_groupid. To turn off (or not turn on) admin protection for a website, sys_userid must be set to the user id of the client's user (not the sys_userid of the admin), and sys_perm_other must be set to 'riud' instead of 'ru'.