Access Denied while editing old email address confirmation

pablico · October 24, 2019, 5:48am

Hi there,

I think something broke on my Discourse instance while editing text entries on the Personalization panel. Any hint on how to procced would be really appreciated, since I’m not getting really any information about what’s going here.

This what I get each time I press EDIT on this entry:

Here’s what it look on the logs:

|message|Uncaught [object Object]|
|---|---|
|url|https://******/assets/ember_jquery-82558c4b4178a5371667ae9e87d3a56c737126be9d1394ca3dfde2d3833187f|
|line|1|
|column|262400|
|window_location|https://******/admin/customize/site_texts?q=email_prefix|

Thanks in advance!

tshenry · October 24, 2019, 4:08pm

I can repro this here on Meta with all three of the user_notifications.confirm_old_email templates. We’ll definitely take a look. Thanks for reporting this!

codinghorror · October 24, 2019, 5:46pm

Reminder that these confirm old email templates are not allowed to be changed for security reasons, in the case of staff accounts where both new and old email must be confirmed on email change.

For normal users only the new email has to be confirmed but that is not the case for staff.

joffreyjaffeux · October 24, 2019, 5:47pm

Yes I was looking at this issue and it’s def expected:

  def self.restricted_keys
    ['user_notifications.confirm_old_email.title',
     'user_notifications.confirm_old_email.subject_template',
     'user_notifications.confirm_old_email.text_body_template']
  end

Also the error message seems OK as it’s showing a 403. Could probably be more explicit, but nothing very broken here.

tshenry · October 24, 2019, 6:02pm

It looks like there was supposed to have been a more explicit message added at one point:

pablico · October 24, 2019, 6:16pm

Thank you all for the follow up.

I’m cleaning email subjects from [email_prefix] since the sender name is the same as site title and don’t want to have that duplicated.

Would be able to edit that entry in some way? It doesn’t seem to be a security issue for me.

codinghorror · October 24, 2019, 6:53pm

If edited, it potentially turns into a phishing mail so editing that one is not allowed.

tshenry · October 24, 2019, 6:55pm

You may already be aware, but you can edit the email prefix to be something other than the site title via the email prefix site setting.

pablico · October 24, 2019, 7:31pm

Ok, thanks for the clarification. I assume your are right about that @codinghorror

Yep, I’ve seen that option but the brackets [—] are still there, even if there’s no need to add anything.

We can extract to possible outcomes from this:

Add a better explanation to error, or even better prevent that error.
Move [—] inside ‘email_prefix’ so you can manipulate it globally from settings

Thanks

Topic		Replies	Views
Template for confirmation of old email before change to a new one Support	5	1054	February 21, 2022
Allow user to change email address before verification Feature	16	3696	October 28, 2017
Confirmation email link (after change) is broken ("Oops!") due to bad email customization Support	17	1609	July 11, 2024
On email address change second confirm fails due to email customization Support	20	1784	December 26, 2019
Email works fine, except for Confirmations and Password Changes Support	1	400	November 24, 2020

Access Denied while editing old email address confirmation

Related Topics