Joomla! Issue Tracker | Joomla! CMS #19478 - Error 403 - System Information

Closed
16 Feb 2018
Medium
Build: 3.8.3
# 19478

dautrich
29 Jan 2018

I added a new user to standard user group Administrator. When I log in with this user, menu item System Information in panel System is shown (see 1.jpg). Clicking this item, an error 403 is thrown (see 2.jpg).

Steps to reproduce the issue

Add user to standard user group "Administrator".
Log in with this user.
Click on "System information" under "System".

Expected result

System information is displayed.

Actual result

Error 403 (Not authorized).

System information (as much as possible)

Joomla 3.8.3 with only a small number of extensions (Akeeba Backup, JCE, OSMap, Phoca Maps, SIGPlus; all updated)

Additional comments

In my understanding, an Administrator should be able to see the System Information. A Manager shouldn't.

dautrich - open - 29 Jan 2018

joomla-cms-bot - labeled - 29 Jan 2018

mbabker - comment - 29 Jan 2018

This is by design - https://github.com/joomla/joomla-cms/blob/3.8.3/administrator/components/com_admin/views/sysinfo/view.html.php#L71

The view checks for global super user permissions to see this screen as it exposes potentially sensitive information about the server setup.

dautrich - comment - 29 Jan 2018

I got your point. But if it's designed like this, the menu item "System Information" shouldn't be displayed for an Administrator, but only for a Super User.

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/19478.}

mbabker - comment - 29 Jan 2018

This sounds vaguely like another of the issues we have where admin menu items need to be shown/hidden based on ACL (or in this case an ACL level other than the core.manage usually used) and not viewing levels, for which there seem to already be a bunch of workarounds in https://github.com/joomla/joomla-cms/blob/3.8.3/administrator/modules/mod_menu/menu.php#L234 for.