Also, since I started down this path, I now get this when I attempt to edit certain site texts:
4 לייקים
אני מצליח לשחזר את זה. זו הכתובת הזו שלא עובדת:
/admin/customize/site_texts?q=confirm%20old
I can’t remember that the link ever worked without a locale parameter 
/admin/customize/site_texts?q=confirm%20old&locale=en works fine for me.
And I think the fact that you cannot customize the “confirm old email” text is intended. It’s an email only send to staff
3 לייקים
So is this a UX bug too? It shouldn’t be possible to land on a cryptic “Access Denied” page when searching for site texts and then editing them.
2 לייקים
It was brought to my attention that since Codinghorror’s post, the require change email confirmation setting has been added. This means the message can now be sent to more than just staff.
The original reason for blocking edits to this template was valid at the time, but today the protection it offers is different. An attacker who knows an admin password can simply:
- Use the password to set up two-factor authentication for that account.
- Create a new account.
- Use the 2FA code to grant the new account admin rights.
From there, they can send the backup to their own email address without needing an admin to click a link to confirm an address change.
So the question is: does blocking edits to this template still make sense? It is now sent to regular users and it does no longer protect the download of a backup.
Also, Data Explorer is now always installed and can be used to access the database.
לייק 1
It is indeed and the solution is to not show them when filtering/searching for them
Isn’t finding nothing more confusing than seeing the error message that should be shown? And what about the fact that this is no longer only sent to staff and is no longer required for downloading a backup?
לייק 1
This topic was automatically closed after 14 hours. New replies are no longer allowed.