Moderators should not be able to access customizations


(Diego Barreiro) #1

Hi there :wave:

I’ve discovered a security problem in Discourse related to moderators:
There are some restricted zones for moderators in the Admin Panel, and only admins can reach them, BUT if you have the full URL you can enter them:

In this community I’m a moderator, but as you can see I can edit anything if I have the URL.

Please fix the issue.


EDIT: It seems that the issue only affects the customize section, and only some tabs.


(Robin Ward) #3

Here’s a fix:

It’s been backported to all branches.


(Diego Barreiro) #4

Thanks for fixing it :+1:


(Alan Tan) #6