`api.config.auto-save.get` route returns data without any authentication

Created on 23 June 2025, about 5 hours ago

Overview

The experience_builder.api.config.auto-save.get route returns data of js_component and xb_asset_library entities without any authentication. This has been the case since 🐛 Content authors cannot see components Active landed.

Proposed resolution

Restrict access properly.

User interface changes

n/a

🐛 Bug report

Status

Active

Version

0.0

Component

… to be triaged

Created by

🇳🇱Netherlands balintbrews Amsterdam, NL

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @balintbrews
Comment about 5 hours ago →
🇪🇸Spain penyaskito Seville 💃, Spain 🇪🇸, UTC+2 🇪🇺
Comment about 5 hours ago →
🇳🇱Netherlands balintbrews Amsterdam, NL
I just realized that I meant to open the issue for api.config.get, that's where I originally discovered the problem. I haven't tested api.config.auto-save.get, so let's be sure to check that, too.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024