Browser URL can be accessed by anonymous users

Created on 28 May 2025, 3 months ago

Problem/Motivation

Since disclosure is no longer a security issue, I'll report the issue here.

The URL of the Paragraphs Browser (path: '/paragraphs_browser/{field_config}/{paragraphs_browser_type}/{uuid}') is accessible to an anonymous user because its route only requires "_permission: 'access content'", which everybody has.

It will disclose which paragraphs are available to be added, etc.
It should return 403 Access Denied.

Steps to reproduce

Navigate to '/paragraphs_browser/{field_config}/{paragraphs_browser_type}/{uuid}'.

Proposed resolution

Add a new permission, "access paragraph browser", which should be assigned to all users who are allowed to view it.

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Active

Version

1.0

Component

Code

Created by

jannakha (Brisbane, Australia)
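How the proposed resolution looks in a Drupal module's routing and permission YAML, as an added example that is not code from the paragraphs_browser module or from the reporter. Only the path and the two permission strings come from the report above; the route name `paragraphs_browser.browser`, the controller class and method, the `_title` and the permission title/description are assumptions made for illustration. The first YAML document shows the reported weak setting, the second the hardened route, the third the new permission definition.

```yaml
# paragraphs_browser.routing.yml (hypothetical excerpt, BEFORE)
# Any role holding 'access content' reaches the browser. Drupal grants that
# permission to the anonymous role by default, so the route is effectively public.
paragraphs_browser.browser:
  path: '/paragraphs_browser/{field_config}/{paragraphs_browser_type}/{uuid}'
  defaults:
    # Controller name is an assumption, not the module's real class.
    _controller: '\Drupal\paragraphs_browser\Controller\BrowserController::browse'
    _title: 'Paragraphs browser'
  requirements:
    _permission: 'access content'
---
# paragraphs_browser.routing.yml (hypothetical excerpt, AFTER)
# The route now demands the module-specific permission from the proposed resolution.
# Roles without it receive a 403, which is the behaviour the report asks for.
paragraphs_browser.browser:
  path: '/paragraphs_browser/{field_config}/{paragraphs_browser_type}/{uuid}'
  defaults:
    _controller: '\Drupal\paragraphs_browser\Controller\BrowserController::browse'
    _title: 'Paragraphs browser'
  requirements:
    _permission: 'access paragraph browser'
---
# paragraphs_browser.permissions.yml (hypothetical)
# Declares the permission so it appears on /admin/people/permissions and can be
# granted to the roles that actually edit paragraph content. Title and description
# text are assumptions.
access paragraph browser:
  title: 'Access the paragraphs browser'
  description: 'Open the paragraphs browser dialog to choose a paragraph type to add.'
```

After the change, rebuild caches (`drush cr`) so the router table picks up the new requirement, then repeat the reproduction step anonymously and confirm the response is 403 rather than the browser markup. Note that a role permission alone only checks who the user is, not whether they may edit the entity identified by `{field_config}` and `{uuid}`; if that finer check is wanted, Drupal routing supports it via a `_custom_access` requirement instead of, or in addition to, `_permission`, but that goes beyond what this report proposes.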

Tags

Security improvements
