Moderators should not be able to access customizations

(Diego Barreiro) #1

Hi there :wave:

I’ve discovered a security problem in Discourse related to moderators:
There are some restricted zones for moderators in Admin Panel, and only admins can reach them, BUT if you have the full URL you can enter them:

In this community I’m a moderator, but as you can see I can edit anything if I have the URL

Please, fix the issue

EDIT: It seems that the issue only affects to customize section, and only to some tabs

(Robin Ward) #3

Here’s a fix:

It’s been backported to all branches.

(Diego Barreiro) #4

Thanks for fixing it :+1:

(Alan Tan) #6