Access Denied error when trying to customize some site texts

Moin · August 8, 2025, 3:48pm

I can’t remember that the link ever worked without a locale parameter

/admin/customize/site_texts?q=confirm%20old&locale=en works fine for me.

And I think the fact that you cannot customize the “confirm old email” text is intended. It’s an email only send to staff

Discourse hacked via sophisticated social engineering

However

the hacker edited the staff old email confirmation template, so that it included the “yes, validate this old email change” URL and then once this was sent to the old email address and clicked, the hacker suddenly had permission to change the old email address to a new one he controls

Bear in mind this is a very sophisticated, in-depth attack, and it could have been stopped many levels above with practices that are already strongly recommended, just read through the lightbulb callouts above.

Still, we believe strongly in being safe by default at Discourse, and we think there is more we can do after closely analyzing this story. As a result, we just implemented a change such that nobody, not even an admin, can modify that particular email template. We believe it is a rare case, but worth addressing, because:

this particular email template is only ever sent to staff on email change, as both the old and new email addresses must be confirmed. For a regular user only the new email address needs to be confirmed. So changing this template for cosmetic design reasons would only be seen by staff, never by regular users, and is thus unimportant.

the risk of allowing admins to change this template is too high, as illustrated by the above REAL WORLD story which actually happened, and was the critical step that allowed the attacker access to the complete Discourse database.

Topic		Replies	Views
Ability to return more than 50 site texts in the admin panel UX	9	65	August 9, 2025
Customize this error message Support	2	475	September 20, 2020
Lost all categories and admin access Support	11	178	July 21, 2024
Customize Text only works for some elements on the Site Bug	11	588	September 20, 2022
No Access after install Installation	5	1010	June 20, 2018

Access Denied error when trying to customize some site texts

Related topics