Moderators should not be able to access customizations

barreeeiroo · January 6, 2017, 7:16pm

Hi there

I’ve discovered a security problem in Discourse related to moderators:
There are some restricted zones for moderators in Admin Panel, and only admins can reach them, BUT if you have the full URL you can enter them:

In this community I’m a moderator, but as you can see I can edit anything if I have the URL

Please, fix the issue

EDIT: It seems that the issue only affects to customize section, and only to some tabs

eviltrout · January 6, 2017, 7:44pm

Here’s a fix:

https://github.com/discourse/discourse/commit/41307c3d1c75165445fe2f95b7b446507f4cf8e8

It’s been backported to all branches.

barreeeiroo · January 6, 2017, 7:45pm

Thanks for fixing it

Topic		Replies	Views
Moderators still able to access other users bookmarks bug	2	2398	April 4, 2016
How do I allow a file extension? support	5	841	November 22, 2022
Can media uploads be restricted to admin? support	3	403	October 13, 2022
Customize Text only works for some elements on the Site bug	11	518	September 20, 2022
Plugins admin section shows actions not available for moderators bug	2	783	September 28, 2015

Moderators should not be able to access customizations

Related Topics