Error: DA is stuck when admin/reseller logs in as user

[Richard G]

This happening.
I log in as admin or as user to DA.
Click the "List users" option.
Select a user
Clock "login as user". And from that point on, I get this error:

De aanvraag kon niet worden uitgevoerd omdat u daartoe niet geautoriseerd bent.

Which would be in English something like:

The request could not be executed because you are not authorized to do so.

After this I can do what I want, I can't even log out of Directadmin anymore, the error keeps coming back.

I'm on the pre-release binaries of Directadmin at the moment. But this should not happen.

I need help to fix this as I can not administer my users anymore this way.

 

[Richard G]

Just determined this is a bug.
When a packages is created in Evolution and limited to for example email access, then this will happen.

Also when a user is trying to login via webmail, the inbox is not presented anymore.

I removed the limitation to the "email only" setting and now everything is working again.

 

[Richard G]

Submitted a ticket #27542 for this as several other things were going on due to this bug.

 

[smtalk]

Just determined this is a bug.
When a packages is created in Evolution and limited to for example email access, then this will happen.

Also when a user is trying to login via webmail, the inbox is not presented anymore.

I removed the limitation to the "email only" setting and now everything is working again.

You disabled core functions I think (enabled by default), so only API has access to email functions

 

[Richard G]

You disabled core functions I think (enabled by default), so only API has access to email functions

Under User packages I selected a package. Scrolled down to "feature sets" and changed it from "allow all" to "allow selected" and ticked e-mail only and indeed disabled core functions.

I thought this was something else. I thought the "email only" setting already took care the user could do only email only things.

However, this does still not explain the odd behaviour happening, like user not getting suspended and when trying to log in as this user the error notice is shown (which might be correct) but you're not even able to logout anymore as reseller or admin. Not even when changing the link to something like https://domain.com:2222 whichout any CMD extension or using another CMD extension. Nothing was possible anymore.

Also odd that the user was able to login to roundcube, but was not able to see his inbox content.

So this still looks like bugs to me.

 

[Richard G]

Also it does not explain that the account was not suspended. Or when it was (quota was red in Evo, now orange), it was not visible that it was suspended. User could get not more emails at a certain point though.

 

[Richard G]

And found another one. When email only is enabled and core functions, it says "ssl enabled" but the user does not have rights to access ssl settings.

 

[smtalk]

Okay, let's go it 1-by-1. What's the actual issue with core features enabled?

Also when a user is trying to login via webmail, the inbox is not presented anymore.

As you mentioned in the ticket - it's because the user went over quota.

Why it was not suspended? Because DA disk usage does not trigger a suspension: https://help.directadmin.com/item.php?id=217

 

[Richard G]

Oke if accounts are not suspended anymore when over quota, I wonder why the "suspend at limit" function is still present. What's the use? Only bandwidth?
It says in that help section:

If you're wondering why the system quotas would allow more than 100% usage, the answer is that they don't.

But only email quota was at 1000 MB and user had 1.03 GB so still striks me as odd then.

Okay, let's go it 1-by-1. What's the actual issue with core features enabled?

At this moment, that the user can not access SSL settings while SSL is enabled, also when trying to login via webmail, they won't get SSL an SSL connection.

When core is not enabled, all kind of odd things happen, but at least one should be able to logout or go back to fix the core settings when disabled by accident.

 

[smtalk]

Oke if accounts are not suspended anymore when over quota, I wonder why the "suspend at limit" function is still present. What's the use? Only bandwidth?

Not anymore - it never did that It's mainly the bandwidth, but for example email accounts can be suspended because of spam (blockcracking).

And DA offers an option to suspend users at quota limit, but I personally see no reason to do this, because they cannot use more disk space.

But only email quota was at 1000 MB and user had 1.03 GB so still striks me as odd then.

He was over quota. But more on this can be found here: https://help.directadmin.com/item.php?id=413

When core is not enabled, all kind of odd things happen, but at least one should be able to logout or go back to fix the core settings when disabled by accident.

Users cannot adjust their own feature sets. It's a higher level (reseller/admin) doing this, so, they're able to login and do this, cannot they? We can improve it to auto-logout of course, if we detect that users came there from the skin, as I see it's confusing a bit "Core features" provides all the functions customers need for DA to run in their browser, without it - it's mainly used for API, when customers don't need access to DA. I hope it's clear. If you have suggestions how to make it less confusing - they're really welcome (we just tried to solve it by always setting "Core features" to on by default, unless de-selected).

 

[Richard G]

Users cannot adjust their own feature sets. It's a higher level (reseller/admin) doing this, so, they're able to login and do this, cannot they?

No they can't. Not when core features is not enabled. Then things happened as I described and even admin/reseller can't do anything and they get the lack permission notice permenantly.
So when Core features are disabled, admin/reseller can do nothing and that is odd, because they should be able to change things. They can't even logout or go back to admin or reseller settings.
That seems a bug to me.

I don't know yet on how to make the "core features" less confusing. Imho on an email only account, the user must be able to login to DA and use the options they have permissions to like webmail, spam settings but also to SSL settings. Maybe it's an idea to put a notice under it, like a question mark and on mouse over that it will say (only disable this when you only want to use api and no browser access) or something like that.

Thank you for explaining this further, it's now clear to me.

However at this moment there is also 1 issue when settings are correct, so Core featuers -are- enabled.

At this moment, the user can not access SSL settings while SSL is enabled, also when trying to login via webmail, they won't get SSL an SSL connection.

So concluding, 2 issues left. 1 when core features enabled, 1 when core features enabled.

 

[smtalk]

"SSL settings" is not in e-mail feature set. I can be added optionally. Thank you for the ideas above, we'll think something on it Regarding the text - it was already there, attaching.

 

[Richard G]

You're welcome about the idea's. I'm glad if I can be of help in any way.

"SSL settings" is not in e-mail feature set. I can be added optionally.

I presume this is nothing which we as admin or reseller can do?

Because when looking at the packages I see SSL access enabled. So imho it's logic to assume that SSL will be available for the user with the email feature sets. This is not the case and that is confusing because now we have a contradiction in the package manager.

Also... when logging in admin or reseller and from there logging in as the user, it's not possible to change any things maybe needed, like DNS settings, SSL settings or whatever.
So to change settings, you have first to disable the feature set, make the changes and then enabled feature set again. Maybe this can be improved some how.

Regarding the text - it was already there, attaching.

Thank you. However it might be a good idea to make the text visible when hovering over the complete bar or something.
It's not visible on the selection box and not visible anywhere else, only when the mouse is exactly over the text itself (the reason I missed it too), not even half a mm under the text.