From 7cb376d6f4bb3d9d7ad99fbb89e8e9f6e5c951e9 Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Fri, 6 Jan 2017 14:42:36 -0500
Subject: [PATCH] SECURITY: Moderators should not be able to access customizations

---
 config/routes.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/config/routes.rb b/config/routes.rb
index cc95f859fe..5f40d681af 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -183,7 +183,8 @@ Discourse::Application.routes.draw do
 post "flags/disagree/:id" => "flags#disagree"
 post "flags/defer/:id" => "flags#defer"
 resources :site_customizations, constraints: AdminConstraint.new
- scope "/customize" do
+
+ scope "/customize", constraints: AdminConstraint.new do
 resources :user_fields, constraints: AdminConstraint.new
 resources :emojis, constraints: AdminConstraint.new
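Review bot: The scope-level `constraints: AdminConstraint.new` on `scope "/customize"` is the only gate this patch adds, and the diffstat shows no spec alongside it, so nothing pins the behaviour if the scope is later restructured or a route is moved out of it. A request spec that signs in as a moderator and expects a 404 for each route under `/customize` would guard the fix. It is also worth confirming that the controllers behind these routes check for admin themselves rather than relying on routing alone; that cannot be seen from this hunk. The per-resource `constraints: AdminConstraint.new` on `user_fields` and `emojis` are now redundant but harmless, and a comment such as `# admin-only: every route under /customize inherits AdminConstraint` above the scope would explain why it carries the constraint. The scope block continues past the end of the hunk, so the routes that previously lacked the constraint are not visible here.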