Also, since I started down this path, I now get this when I attempt to edit certain site texts:
Good catch and sorry for the delay responding! Next time post a Bug topic to get eyeballs on it sooner!
I am able to replicate this here on meta and on my personal site using the URL in your screenshot.
/admin/customize/site_texts?q=confirm%20old
Moin
August 8, 2025, 3:48pm
I can't remember the link ever working without a locale parameter.
/admin/customize/site_texts?q=confirm%20old&locale=en works fine for me.
And I think the fact that you cannot customize the "confirm old email" text is intended. It's an email only sent to staff.
However
the hacker edited the staff old email confirmation template, so that it included the "yes, validate this old email change" URL, and then once this was sent to the old email address and clicked, the hacker suddenly had permission to change the old email address to a new one he controls
Bear in mind this is a very sophisticated, in-depth attack, and it could have been stopped many levels above with practices that are already strongly recommended; just read through the lightbulb callouts above.
Still, we believe strongly in being safe by default at Discourse, and we think there is more we can do after closely analyzing this story. As a result, we just implemented a change such that nobody, not even an admin, can modify that particular email template. We believe it is a rare case, but worth addressing, because:
this particular email template is only ever sent to staff on email change, as both the old and new email addresses must be confirmed. For a regular user only the new email address needs to be confirmed. So changing this template for cosmetic design reasons would only be seen by staff, never by regular users, and is thus unimportant.
the risk of allowing admins to change this template is too high, as illustrated by the above REAL WORLD story which actually happened, and was the critical step that allowed the attacker access to the complete Discourse database.
So is this a UX bug too? It shouldn't be possible to land on a cryptic "Access Denied" page when searching for site texts and then editing them.
RGJ
(Richard - Communiteq)
August 8, 2025, 7:14pm
It looks like the custom message is not getting through to the user interface?
Moin
August 9, 2025, 12:27pm
It was brought to my attention that since Codinghorror's post, the require change email confirmation setting has been added. This means the message can now be sent to more than just staff.
The original reason for blocking edits to this template was valid at the time, but today the protection it offers is different. An attacker who knows an admin password can simply:
Use the password to set up two-factor authentication for that account.
Create a new account.
Use the 2FA code to grant the new account admin rights.
From there, they can send the backup to their own email address without needing an admin to click a link to confirm an address change.
So the question is: does blocking edits to this template still make sense? It is now sent to regular users and it no longer protects the download of a backup.
Also, Data Explorer is now always installed and can be used to access the database.
It is indeed and the solution is to not show them when filtering/searching for them
main ← fix-filter-restricted-email-template-keys-from-site-text-search
merged 01:33PM - 24 Dec 25 UTC
Admins searching for "confirm_old_email" in site texts would see the restricted … keys in results, click them, and hit a confusing "Access Denied" page. Now these keys are filtered out of search results entirely.
Also added `confirm_old_email_add` to the restricted list - it was missing but has the same restriction need as `confirm_old_email`.
Refactored so `SiteTextsController::RESTRICTED_KEYS` is the single source of truth, with `EmailTemplatesController` deriving from it.
Ref - https://meta.discourse.org/t/377902
Ref - https://meta.discourse.org/t/392070
[Screenshot: no longer listed in email templates]
[Screenshot: no longer listed in site texts]
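The pattern the PR describes (one restricted-key list shared by the site-text search and the email-template listing, and results filtered before they reach the admin UI) as an added example. This is not Discourse's own code; the module name, the search function and the sample catalogue are assumptions made for illustration, and only the two key names `confirm_old_email` and `confirm_old_email_add` come from the thread. It also keeps the server-side deny on the update path, because hiding a key from search does nothing against a direct request for it:

```ruby
# Added example, not Discourse's implementation. Module and method names are
# hypothetical; the key names confirm_old_email / confirm_old_email_add are the
# ones discussed in the thread.
module RestrictedSiteTexts
  # Single source of truth. Both the site-text search and the email-template
  # listing derive from this one constant, so the two cannot drift apart.
  RESTRICTED_KEYS = %w[
    user_notifications.confirm_old_email
    user_notifications.confirm_old_email_add
  ].freeze

  # Email-template view of the same list (identical here; derived, not copied).
  RESTRICTED_EMAIL_TEMPLATES = RESTRICTED_KEYS.map { |k| k.sub("user_notifications.", "") }.freeze

  # Constructed sample catalogue standing in for the site-text store.
  SAMPLE_TEXTS = {
    "user_notifications.confirm_old_email.title" => "Confirm your current email",
    "user_notifications.confirm_old_email.subject_template" => "[%{email_prefix}] Confirm your current email",
    "user_notifications.confirm_old_email_add.subject_template" => "[%{email_prefix}] Confirm your current email",
    "user_notifications.confirm_new_email.subject_template" => "[%{email_prefix}] Confirm your new email",
    "js.user.change_email.title" => "Change Email",
  }.freeze

  # A key is restricted if it is a restricted key or nested under one
  # (e.g. the ".title" and ".subject_template" children).
  def self.restricted?(key)
    RESTRICTED_KEYS.any? { |r| key == r || key.start_with?("#{r}.") }
  end

  # Case-insensitive substring search over keys and values. Restricted keys
  # are dropped before the result is returned, which is the UX part of the fix.
  def self.search(query, texts: SAMPLE_TEXTS)
    q = query.downcase
    texts
      .select { |k, v| k.downcase.include?(q) || v.downcase.include?(q) }
      .reject { |k, _| restricted?(k) }
      .keys
  end

  # Email-template listing derived from the same constant.
  def self.email_templates(templates)
    templates.reject { |t| RESTRICTED_EMAIL_TEMPLATES.include?(t) }
  end

  class AccessDenied < StandardError; end

  # The authorization check on the write path. Filtering search results is
  # cosmetic; this is what actually stops an admin from editing the template,
  # whether the key was found via search or typed into the URL directly.
  def self.update(key, value, texts: SAMPLE_TEXTS)
    raise AccessDenied, "#{key} cannot be customized" if restricted?(key)
    texts.merge(key => value)
  end
end

if __FILE__ == $PROGRAM_NAME
  p RestrictedSiteTexts.search("confirm")      # only the confirm_new_email key
  p RestrictedSiteTexts.search("confirm_old")  # [] : nothing to click on
  begin
    RestrictedSiteTexts.update("user_notifications.confirm_old_email.title", "x")
  rescue RestrictedSiteTexts::AccessDenied => e
    puts "denied: #{e.message}"
  end
end
```

The second search returning an empty list is exactly the behaviour the PR introduces, and the follow-up post below questions whether an empty result is less confusing than the "Access Denied" page; either way, the `update` guard is the control that matters, and it must stay in place regardless of what the search shows.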
Moin
December 24, 2025, 7:18pm
Isn't finding nothing more confusing than seeing the error message that should be shown? And what about the fact that this is no longer only sent to staff and is no longer required for downloading a backup?
zogstrip
Closed
December 25, 2025, 7:00am
This topic was automatically closed after 14 hours. New replies are no longer allowed.