Moderators should not be able to access customizations

Hi there :wave:

I’ve discovered a security problem in Discourse related to moderators:
There are some restricted zones for moderators in the Admin Panel, and only admins can reach them, BUT if you have the full URL you can enter them:

In this community I’m a moderator, but as you can see, I can edit anything if I have the URL.

Please fix the issue.


EDIT: It seems that the issue only affects the customize section, and only some tabs.

5 Likes

Here’s a fix:

https://github.com/discourse/discourse/commit/41307c3d1c75165445fe2f95b7b446507f4cf8e8

It’s been backported to all branches.

9 Likes

Thanks for fixing it :+1: