Also, since I started down this path, I now get this when I attempt to edit certain site texts:
Goed opgemerkt en sorry voor de vertraging met reageren! Plaats de volgende keer een Bug onderwerp om er sneller aandacht op te vestigen!
Ik kan dit hier op meta en op mijn persoonlijke site repliceren met behulp van de URL in je screenshot.
/admin/customize/site_texts?q=confirm%20old
I can’t remember that the link ever worked without a locale parameter 
/admin/customize/site_texts?q=confirm%20old&locale=en works fine for me.
And I think the fact that you cannot customize the “confirm old email” text is intended. It’s an email only send to staff
2 likes
So is this a UX bug too? It shouldn’t be possible to land on a cryptic “Access Denied” page when searching for site texts and then editing them.
2 likes
It was brought to my attention that since Codinghorror’s post, the require change email confirmation setting has been added. This means the message can now be sent to more than just staff.
The original reason for blocking edits to this template was valid at the time, but today the protection it offers is different. An attacker who knows an admin password can simply:
- Use the password to set up two-factor authentication for that account.
- Create a new account.
- Use the 2FA code to grant the new account admin rights.
From there, they can send the backup to their own email address without needing an admin to click a link to confirm an address change.
So the question is: does blocking edits to this template still make sense? It is now sent to regular users and it does no longer protect the download of a backup.
Also, Data Explorer is now always installed and can be used to access the database.