Also, since I started down this path, I now get this when I attempt to edit certain site texts:
Good catch and sorry for the delay responding! Next time post a Bug topic to get eyeballs on it sooner!
I am able to replicate this here on meta and on my personal site using the URL in your screenshot.
/admin/customize/site_texts?q=confirm%20old
I can’t remember that the link ever worked without a locale parameter 
/admin/customize/site_texts?q=confirm%20old&locale=en works fine for me.
And I think the fact that you cannot customize the “confirm old email” text is intended. It’s an email only send to staff
2 Likes
So is this a UX bug too? It shouldn’t be possible to land on a cryptic “Access Denied” page when searching for site texts and then editing them.
2 Likes
It was brought to my attention that since Codinghorror’s post, the require change email confirmation setting has been added. This means the message can now be sent to more than just staff.
The original reason for blocking edits to this template was valid at the time, but today the protection it offers is different. An attacker who knows an admin password can simply:
- Use the password to set up two-factor authentication for that account.
- Create a new account.
- Use the 2FA code to grant the new account admin rights.
From there, they can send the backup to their own email address without needing an admin to click a link to confirm an address change.
So the question is: does blocking edits to this template still make sense? It is now sent to regular users and it does no longer protect the download of a backup.
Also, Data Explorer is now always installed and can be used to access the database.