Problem/Motivation

Since disclosure is no longer a security issue - I'll report the issue here

The URL of Paragraph Browser (path: '/paragraphs_browser/{field_config}/{paragraphs_browser_type}/{uuid}') is accessible as an anon user because it has permissions "_permission: 'access content'", which is everybody.

It will disclose which paragraphs are available to be added, etc.
It should return 403 access denied.

Steps to reproduce

Navigate to '/paragraphs_browser/{field_config}/{paragraphs_browser_type}/{uuid}'.

Proposed resolution

Add a new permission "access paragraph browser", which should be assigned to all users who are allowed to view it.

Remaining tasks

User interface changes

API changes

Data model changes

Comments

jannakha created an issue. See original summary.
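
The proposed resolution, sketched as a Drupal routing and permissions fragment. This is an added example, not the module's own code: the file names, route name, controller class and permission title/description are placeholders, and only the path and the two permission strings come from the report.

```yaml
# --- MODULE.routing.yml, before (placeholder file and route names) ---
# 'access content' is normally granted to the anonymous role, so the
# route is reachable without logging in.
example.paragraphs_browser:            # hypothetical route name
  path: '/paragraphs_browser/{field_config}/{paragraphs_browser_type}/{uuid}'
  defaults:
    # Placeholder controller, not the module's real class.
    _controller: '\Drupal\example\Controller\ExampleBrowserController::browse'
  requirements:
    _permission: 'access content'
---
# --- MODULE.routing.yml, after ---
# The route now requires a dedicated permission. Requests from roles
# without it, including anonymous, get a 403 from the access check.
example.paragraphs_browser:            # hypothetical route name
  path: '/paragraphs_browser/{field_config}/{paragraphs_browser_type}/{uuid}'
  defaults:
    _controller: '\Drupal\example\Controller\ExampleBrowserController::browse'
  requirements:
    _permission: 'access paragraph browser'
---
# --- MODULE.permissions.yml (placeholder file name) ---
# Declares the permission so it appears on the permissions page.
# Title and description wording are assumptions.
access paragraph browser:
  title: 'Access paragraph browser'
  description: 'View the browser that lists the paragraph types available for a field.'
```

On an existing site the new permission has to be granted to the roles that edit paragraph fields after the change is deployed, otherwise those users also receive a 403.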
