I have found a new bug.

Bug in SugarCRM (Bug Number: 36662)

Non Admin user can change Local Settings
../index.php?module=Administration&action=Locale&view =default

After save SugarCRM shows 'Unauthorized access to administration.' but the changes is saved.


Code Fix

Add to the header ('/modules/Administration/Locale.php')

if (!is_admin($GLOBALS['current_user']))
{
sugar_die("Unauthorized access to administration.");
}