- Bug
- Resolution: Unresolved
- Medium
- None
- 10.3.0, 10.3.2, 10.3.3
- 10.03
- 7
- Severity 3 - Minor
- 8
Issue Summary
Accessing the 'System Info' option from the Systems menu throws "403 - Forbidden" errors for users with Jira Administrator privileges, while it works properly for users with Jira System Administrator privileges.
However, this works well for both the Jira Administrator and Jira System Administrator roles in the older versions.
This is reproducible on Data Center: (yes) / (no)
Steps to Reproduce
- Install Jira Software Version 10.3.0 or higher.
- Create 2 user accounts, one with 'Jira Administrator' privileges and another one with 'Jira System Administrator' privileges.
- Log in as the user with 'Jira Administrator' privileges.
- Access the administration option and navigate to 'System --> System Info' option.
- Repeat the same for the user with 'Jira System Administrator' privileges.
Expected Results
As described in the KB article Managing global permissions, ideally only users with Jira System Administrator privileges should be able to view or manage tasks from the Systems menu. However, it works for both roles in the older versions (tested for multiple versions in 9.12.X).
If there are no specific restrictions implemented in 10.X versions, then users in both roles, 'Jira Administrator' and 'Jira System Administrator', should be able to view or manage tasks from the Systems menu.
Actual Results
Users with 'Jira Administrator' role privileges can access the Systems menu. However, accessing the System Info option throws a "403 - Forbidden" error in the GUI.
Other options like monitoring, clean-up, audit logs are accessible for both roles.
Workaround
Grant the users Jira System Administrator privileges if there is a need to access System Information.
Note
Note that in the impacted Jira versions, there are other pages which are returning the "Forbidden (403)" error, when accessed by a Jira Admin user who does not have Jira System Admin Permission:
- ⚙ > System > Jira mobile app
- ⚙ > System > Authentication methods
- ⚙ > Applications > Application Links > Create Link > External Application
It is important to note that it is expected for a non Jira System Admin user to not be able to access these pages. However, instead of throwing a 403 error, the Jira application should throw the error message below instead:
'user' does not have permission to access this page. You must log in as a system administrator to access this page.