The Bulk Paragraphs module allows Drupal content editors to generate multiple paragraphs at once with configurable default values and increment patterns. It integrates seamlessly with the Paragraphs widget, adding a "Bulk Generate" button next to each paragraph type.
This module is ideal for websites that frequently need to create repetitive content structures, such as event schedules, team member listings, FAQ sections, or any content type that requires multiple similar paragraph items. Instead of manually adding paragraphs one by one, editors can generate 1-100 items with pre-filled values in a single action.
Key features include:
- Bulk generation with configurable count (1-100)
- Support for text, date, number, image, and file fields
- Increment patterns for dates (+1 day/week/month) and numbers
- Template variables ({n} for numbering, {date:FORMAT} for dates)
- Single image/file upload applied to all generated paragraphs
Project link
https://www.drupal.org/project/bulk_paragraphs
Comments
Comment #2
avpadernoThank you for applying!
Please read Review process for security advisory coverage: What to expect for more details and Security advisory coverage application checklist to understand what reviewers look for. Tips for ensuring a smooth review gives some hints for a smoother review.
The important notes are the following.
To the reviewers
Please read How to review security advisory coverage applications, Application workflow, What to cover in an application review, and Tools to use for reviews.
The important notes are the following.
For new reviewers, I would also suggest to first read In which way the issue queue for coverage applications is different from other project queues.
Comment #3
batigolix1. Enable gitlab CI pipeline and run it in order to see the results.
2. The CHANGELOG.txt is not a common file in a contrib module (as far as I know). You can remove it.
3. Include a composer.json . See for example the composer.json of the paragraphs module itself.
4. It is not common for a contrib module to include translations. You can remove these.
5. The title mentions branch 1.0.x, but this branch does not exist in your repo.
6. The module does not not include any automated tests. Consider adding some tests.
7. If the module code includes any AI generated content, then it is a good practices to disclose this (on the project page or in the application). See https://www.drupal.org/docs/develop/issues/issue-procedures-and-etiquett...
Comment #4
bbu23I'd like to add comments to the above comment:
point 2: I disagree, the CHANGELOG file should not be removed. The fact that it isn't common, it doesn't mean it's bad approach, especially with the conventional commits slowly integrating within Drupal git history which are fully compatible with git-cliff for generating great CHANGELOG files. It's actually good to have a CHANGELOG file in web packages.
point 3: Just adding a link to more info: https://www.drupal.org/docs/develop/using-composer/add-a-composerjson-file
Comment #5
vishal.kadam1.
mainis a wrong name for a branch and should be removed. Release branch names always end with the literal .x as described in Release branches.main will be a supported branch in future, but for the moment it is better not to use it. It is not wrong, but it is not completely supported on drupal.org.
2. FILE: bulk_paragraphs.module
For a new module that aims to be compatible with Drupal 10/11, it is expected it implements hooks as class methods as described in Support for object oriented hook implementations using autowired services.
The usual description for a .module file is “Hook implementations for the [module name] module”, where [module name] is the module name given in the .info.yml file.
Comment #6
sahksas commentedThank you for the review.
I have addressed all the feedback.
Looking forward to the re-review 🙏
Comment #7
sahksas commentedComment #8
vishal.kadamFILE: bulk_paragraphs.module
Since the module is declared compatible with Drupal 10.2, removing the function implementing the hook is not possible. The function still needs to be defined, but it calls the method defined by the service class, as described in Support for object oriented hook implementations using autowired services (Backwards-compatible Hook implementation for Drupal versions from 10.1 to 11.0).
Comment #9
sahksas commentedThank you for the feedback. I have added backward-compatible hook implementations in bulk_paragraphs.module for Drupal 10.2 compatibility.
Looking forward to the re-review 🙏
Comment #10
sahksas commentedComment #11
batigolix@sahkas. Thanks for all te improvements.
I reviewed the code again and here a couple more recommendations.
1. Consider more strict permission for the route: 'access content' is granted to anonymous users by default
2. Consider adding validation of the query string values entity_type, bundle, field_name etc. in BulkGenerateForm.php . These are fetched from the request but not validated.
3. Consider validating the result of splitting $field_parents_string (as numeric IDs or string )
4. Consider checking the code with phpmd. The module contains some long and complex methods that could be improved so that the code gets easier to read.
Comment #12
sahksas commented@batigolix
Thank you for the review.
I have addressed all the feedback.
- Route permission: Added custom permission 'use bulk paragraphs' to prevent anonymous user access
- Query string validation: Added validation for entity_type, bundle, field_name, and other parameters
- field_parents validation: Validate that split results are numeric IDs or valid machine names
- phpmd: Refactored code to reduce complexity
- Additional: Fixed potential XSS (#markup → #plain_text), use modern PHP function (str_starts_with)
Looking forward to the re-review 🙏
Comment #13
sahksas commentedI discovered a few areas I would like to improve personally, so I will be making some additional changes.
I will update the status again once I am ready for re-review. 🙏
Comment #14
sahksas commentedAdded the following features to the 1.0.x branch.
Planning to release as 1.1.0 after review approval.
add_mode: dropdownsettingwrapper_idquery parameter (XSS prevention)Ready for review 🙏
Comment #15
sahksas commentedPushed another commit to fix date field format handling.
Comment #16
sahksas commentedAdded support for additional field types in bulk edit modal
Also added unit tests for the new field type value calculations.
Commit: 82a65cd
Comment #17
sahksas commentedFixed compatibility issue with config entity forms
The module was causing errors on config entity edit forms (e.g., text format settings, views, image styles) because
hook_entity_prepare_formfires for all entity types, not just content entities.Added a check for
FieldableEntityInterfaceto skip processing of config entities that don't have field definitions.Commit: cc5041f, 9d8940e
Comment #18
avpadernoThank you for your contribution and for your patience with the review process!
I am going to update your account so you can opt into security advisory coverage any project you create, including the projects you already created.
These are some recommended readings to help you with maintainership:
You can find more contributors chatting on Slack or IRC in #drupal-contribute. So, come hang out and stay involved!
Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.
I thank also all the reviewers for helping with these applications.
Comment #19
avpadernoComment #21
sahksas commentedThank you all for the thorough review and helpful feedback! I've just released version 1.1.0 with security advisory coverage. Looking forward to contributing more to the Drupal community 🙇♂️