- @douggreen opened merge request.
This permission is needed for users to see the FAQ and is usually given to anonymous. It's mistakenly labelled as an administrative permission using 'restrict access'. The point behind 'restrict access' is to tell Drupal (and site builders) to beware giving this permission. The attached patch just removes the setting.
I found this because the https://www.drupal.org/project/security_review β module flagged this access.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.