Moderators should not be able to access customizations

barreeeiroo · January 6, 2017, 7:16pm

Hi there

I’ve discovered a security problem in Discourse related to moderators:
There are some restricted zones for moderators in Admin Panel, and only admins can reach them, BUT if you have the full URL you can enter them:

In this community I’m a moderator, but as you can see I can edit anything if I have the URL

Please, fix the issue

EDIT: It seems that the issue only affects to customize section, and only to some tabs

eviltrout · January 6, 2017, 7:44pm

Here’s a fix:

https://github.com/discourse/discourse/commit/41307c3d1c75165445fe2f95b7b446507f4cf8e8

It’s been backported to all branches.

barreeeiroo · January 6, 2017, 7:45pm

Thanks for fixing it

Topic		Replies	Views
How to Modify Moderator Permissions and Remove Discourse Attribution Support	4	76	October 1, 2024
Moderators still able to access other users bookmarks Bug	2	2565	April 4, 2016
How do I allow a file extension? Support	5	1037	November 22, 2022
Can media uploads be restricted to admin? Support	3	472	October 13, 2022
Customize Text only works for some elements on the Site Bug	11	563	September 20, 2022

Moderators should not be able to access customizations

Related topics