Moderators should not be able to access customizations

Hi there :wave:

I’ve discovered a security problem in Discourse related to moderators:
There are some restricted zones for moderators in Admin Panel, and only admins can reach them, BUT if you have the full URL you can enter them:

In this community I’m a moderator, but as you can see I can edit anything if I have the URL

Please, fix the issue

EDIT: It seems that the issue only affects to customize section, and only to some tabs


Here’s a fix:

It’s been backported to all branches.


Thanks for fixing it :+1: