Unprivileged users can add Layout Builder sections in 2.2.0

Open on Drupal.org →

Created on 17 June 2025, 15 days ago

Problem/Motivation

In layout_builder_perms version 2.2.0, users without the required specific permission are still able to add new sections to Layout Builder layouts. They can successfully click "Add section" and select a layout. However, after adding the section, they are unable to edit or remove it, as expected, due to missing the corresponding "edit" or "remove" permissions.

This is a security vulnerability as it grants unauthorized content modification capabilities.

Steps to reproduce

Install Drupal: Fresh Drupal 8/9/10 installation.
Enable Modules: layout_builder, layout_discovery, and layout_builder_perms (version 2.2.0).
Configure Layout Builder:
- Go to Structure > Content types > [Your content type, e.g., Basic page] > Manage display.
- Enable "Use Layout Builder" and "Allow each content item to have its layout customized."
Create a Role:
- Go to People > Roles.
- Add a new role (e.g., "Layout Test User").
Assign Permissions:
- Go to People > Permissions.
- Assign the "Layout Test User" role ONLY the following permissions (ensure no other Layout Builder related permissions are granted, especially not generic "Administer Layout Builder" or "Use Layout Builder" permissions if they exist):
  - View published content
  - Access content
  - (Optionally, for testing section_edit and section_remove later, but for this bug, ensure they do NOT have: add layout_onecol layouts on basic_page node entities or similar permissions for adding sections)
Create a User:
- Create a new user (e.g., testuser).
- Assign the "Layout Test User" role to this user.
Log in: Log in as testuser.
Attempt to add a section:
- Create a new content item (e.g., a Basic Page).
- Go to the "Layout" tab.
- Click the "Add section" button.
- Choose any available layout (e.g., "One column").

🐛 Bug report

Status

Active

Version

2.2

Component

Code

Created by

Live updates comments and jobs are added and updated live.

Sign in to follow issues

Merge Requests

!27Unprivileged users can add Layout Builder sections in 2.2.0
Open
Unnamed author
updated 15 days ago

Comments & Activities

Issue created by @mrwhittaker
Comment 15 days ago →
mrwhittaker
I'm having some trouble creating a Merge Request (MR), so I'll try to do that later. This is probably not the way we want to fix this long-term, but for now, I've made a patch that adds back the additional derivative for the second case.
Merge request !27Resolve #3530507 "Unprivileged users can add Layout Builder sections" → (Open) created by Unnamed author
Comment 15 days ago →
🇳🇱Netherlands eelkeblok Netherlands 🇳🇱
Comment 15 days ago →
mrwhittaker
Comment 15 days ago →
🇳🇱Netherlands eelkeblok Netherlands 🇳🇱
Strictly speaking, when this is a security vulnerability, this should have been reported through https://security.drupal.org. The impact is fairly small, although depending on site styling an "empty" section might still have some impact on a page, I suppose. Maybe best to do so still, just to be on the safe side. Maybe the security team has means to remove public reference to the issue (like also the Git commits).
Comment 15 days ago →
🇳🇱Netherlands eelkeblok Netherlands 🇳🇱
Comment 15 days ago →
🇳🇱Netherlands eelkeblok Netherlands 🇳🇱
Comment 15 days ago →
🇳🇱Netherlands eelkeblok Netherlands 🇳🇱
Comment 13 days ago →
🇳🇱Netherlands eelkeblok Netherlands 🇳🇱
Adding the issue that this MR is currently rolling back.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024