Set client as owner for email domain logged in as reseller doesn't work

Discussion in 'ISPConfig 3 Priority Support' started by elmacus, Apr 3, 2017.

  1. elmacus

    elmacus Active Member

    Setting a client as owner for an email domain when logged in as reseller doesn't work; the reseller's client can't be set to own the domain.
    Also a "random" domain from admin is added when adding an email domain as reseller, this is a big showstopper.
    This random domain can be changed by admin to the correct owner later, but the reseller could delete it by mistake, taking all email accounts with it. Big security risk.
    Don't know if it's a new or old bug, but we didn't use resellers until now. Can't test more now on the production server.
    Found this:
    https://git.ispconfig.org/ispconfig/ispconfig3/issues/4424

    ISPConfig 3.1.2, Debian Jessie, multiserver.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I'll check if I can reproduce that on my systems.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    I tested this here and can't reproduce the behavior that you described. I can't set the client to be the owner of the domain when the domain module is off (as outlined in the bug report); the reseller is the owner instead. With an active domain module, it works correctly. But no other client or reseller gets assigned, nor is any other domain which is owned by the admin, reseller or client accessible, with the domain module either on or off.
     
  4. elmacus

    elmacus Active Member

    Now tested on my test system.
    You do mean "Use the domain limits in client module to add new domains"?
    If I activate that, the reseller can't choose the client's domain at all, only admin can, so that is not an option.

    I can't reproduce the security bug on the test system yet.
    On the production system I have Billing module rev.28, and we add domains via API, so something might get added wrongly there.
    I need to trace the database to see what goes wrong. I'll report back later if I find anything.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Reseller can choose the domain here. Maybe you did not add the domain as reseller or they were added with wrong permissions through the API.
     
  6. elmacus

    elmacus Active Member

    I can't add a domain as Reseller at all when domains is checked, there is no domain field. Can only choose those Admin adds.
    But this is not my main problem, I never use that checkbox for domains anyway.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Domains get added in the client module by the admin or reseller when the domain module is on and you have to ensure that the limits of this reseller allow him to add domains.
     
  8. elmacus

    elmacus Active Member

    Checked database for the security problem.
    There seem to be only two domains that get added extra.
    From table: mail_domain
    Correct Domain1: 1842 1685 1678 riud ru
    Wrong Domain1: 1842 1685 1842 riud riud
    Correct Domain2: 1843 1686 1679 riud ru
    Wrong Domain2: 1843 1686 1843 riud riud
    As you can see, when adding an email domain as reseller the sys_groupid gets overwritten by domain_id, and that matches the reseller's sysgroup_id.
    This is hard to reproduce since you need matching domains and reseller id.
    But why does an "add domain" change other domains?
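
Added example, not part of the thread and not ISPConfig code: a snapshot-and-diff check for the ownership change reported in the post above, run against an in-memory SQLite copy of constructed `mail_domain` rows. Only `mail_domain`, `domain_id` and `sys_groupid` are named in the thread; the other column names, the domain names and row 2001 are assumptions.

```python
import sqlite3

# Constructed rows in the column order quoted in the post. Only mail_domain,
# domain_id and sys_groupid are named in the thread; the other column names
# and the domain names are assumptions.
SCHEMA = """CREATE TABLE mail_domain (
    domain_id INTEGER PRIMARY KEY, sys_userid INTEGER, sys_groupid INTEGER,
    sys_perm_user TEXT, sys_perm_group TEXT, domain TEXT)"""
BEFORE = [(1842, 1685, 1678, "riud", "ru", "one.example"),
          (1843, 1686, 1679, "riud", "ru", "two.example")]

def make_db(rows):
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany("INSERT INTO mail_domain VALUES (?,?,?,?,?,?)", rows)
    return con

def snapshot(con):
    """Map domain_id -> (sys_groupid, sys_perm_group) for later comparison."""
    return {r[0]: (r[1], r[2]) for r in con.execute(
        "SELECT domain_id, sys_groupid, sys_perm_group FROM mail_domain")}

def ownership_changes(before, after):
    """Pre-existing rows whose group owner or group permissions changed."""
    return sorted((d, before[d], after[d])
                  for d in before.keys() & after.keys()
                  if before[d] != after[d])

def id_collisions(con):
    """Rows showing the reported pattern: sys_groupid equals domain_id."""
    return [r[0] for r in con.execute(
        "SELECT domain_id FROM mail_domain "
        "WHERE sys_groupid = domain_id ORDER BY domain_id")]

def apply_reported_state(con):
    """Write only the end state listed in the post; its cause is unknown."""
    con.execute("INSERT INTO mail_domain VALUES "
                "(2001, 1700, 1842, 'riud', 'riud', 'new.example')")
    con.execute("UPDATE mail_domain SET sys_groupid = domain_id, "
                "sys_perm_group = 'riud' WHERE domain_id = 1842")

if __name__ == "__main__":
    con = make_db(BEFORE)
    before = snapshot(con)
    apply_reported_state(con)
    print(ownership_changes(before, snapshot(con)))
    print(id_collisions(con))
```

A `sys_groupid` that equals `domain_id` can also occur by coincidence, so rows returned by `id_collisions` are candidates for review; the before/after diff is what shows that an existing row was actually rewritten.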
     
  9. elmacus

    elmacus Active Member

    Created another reseller, and yes, another domain_id matched that reseller's group_id.
    Clearly a bug in the code?
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    I'll check that in the code.
     
  11. elmacus

    elmacus Active Member

    Hi, any news on this bug? We can't use resellers at all yet.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

  13. elmacus

    elmacus Active Member

    Ok thanks, I did check there but you write in the bugtracker:
    >but not the report from Elmacus.
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    As you see there, my last post in the bugtracker was before Tuesday, so the posts here in the forum are newer and therefore the results posted here cannot be covered in my post from the bugtracker.
     
