SECURITY: Moderators should not be able to access customizations

2024-12-16 00:26:29 +08:00 · 2017-01-06 14:42:36 -05:00 · 2017-01-06 14:42:36 -05:00 · ad9af94ac9
commit ad9af94ac9
parent b0fe5d383e
1 changed files with 2 additions and 1 deletions
--- a/config/routes.rb
+++ b/config/routes.rb
@ -166,7 +166,8 @@ Discourse::Application.routes.draw do
    post "flags/disagree/:id" => "flags#disagree"
    post "flags/defer/:id" => "flags#defer"
    resources :site_customizations, constraints: AdminConstraint.new
-    scope "/customize" do
+
+    scope "/customize", constraints: AdminConstraint.new do
      resources :user_fields, constraints: AdminConstraint.new
      resources :emojis, constraints: AdminConstraint.new