The Bulk Paragraphs module allows Drupal content editors to generate multiple paragraphs at once with configurable default values and increment patterns. It integrates seamlessly with the Paragraphs widget, adding a "Bulk Generate" button next to each paragraph type.

This module is ideal for websites that frequently need to create repetitive content structures, such as event schedules, team member listings, FAQ sections, or any content type that requires multiple similar paragraph items. Instead of manually adding paragraphs one by one, editors can generate 1-100 items with pre-filled values in a single action.

Key features include:

  • Bulk generation with configurable count (1-100)
  • Support for text, date, number, image, and file fields
  • Increment patterns for dates (+1 day/week/month) and numbers
  • Template variables ({n} for numbering, {date:FORMAT} for dates)
  • Single image/file upload applied to all generated paragraphs

Project link

https://www.drupal.org/project/bulk_paragraphs

Comments

sahksas created an issue. See original summary.

avpaderno’s picture

Thank you for applying!

Please read Review process for security advisory coverage: What to expect for more details and Security advisory coverage application checklist to understand what reviewers look for. Tips for ensuring a smooth review gives some hints for a smoother review.

The important notes are the following.

  • New releases are not necessary for these applications, which could require changes that are not backward-compatible. Not creating new releases avoids any possible issue.
  • Please do not change the branch to review once reviews started, except in the case the used branch needs to be deleted.
  • If you have not done it yet, enable GitLab CI for the project, and fix what reported from the phpcs job. This help to fix most of what reviewers would report.
  • For the time this application is open, only your commits are allowed. No other people, including other maintainers/co-maintainers can make commits.
  • The purpose of this application is giving you a new drupal.org role that allows you to opt projects into security advisory coverage, either projects you already created, or projects you will create. The project status won't be changed by this application.
  • Nobody else will get the permission to opt projects into security advisory policy. If there are other maintainers/co-maintainers who will to get that permission, they need to apply with a different module.
  • We only accept an application per user. If you change your mind about the project to use for this application, or it is necessary to use a different project for the application, please update the issue summary with the link to the correct project and the issue title with the project name and the branch to review.

To the reviewers

Please read How to review security advisory coverage applications, Application workflow, What to cover in an application review, and Tools to use for reviews.

The important notes are the following.

  • It is preferable to wait for a Code Review Administrator before commenting on newly created applications. Code Review Administrators will do some preliminary checks that are necessary before any change on the project files is suggested.
  • Reviewers should show the output of a CLI tool only once per application. The configuration used for these tools needs to be the same configuration used by GitLab CI, stored in the GitLab Templates repository.
  • It may be best to have the applicant fix things before further review.

For new reviewers, I would also suggest to first read In which way the issue queue for coverage applications is different from other project queues.

batigolix’s picture

Status: Needs review » Needs work

1. Enable gitlab CI pipeline and run it in order to see the results.

2. The CHANGELOG.txt is not a common file in a contrib module (as far as I know). You can remove it.

3. Include a composer.json . See for example the composer.json of the paragraphs module itself.

4. It is not common for a contrib module to include translations. You can remove these.

5. The title mentions branch 1.0.x, but this branch does not exist in your repo.

6. The module does not not include any automated tests. Consider adding some tests.

7. If the module code includes any AI generated content, then it is a good practices to disclose this (on the project page or in the application). See https://www.drupal.org/docs/develop/issues/issue-procedures-and-etiquett...

bbu23’s picture

I'd like to add comments to the above comment:

point 2: I disagree, the CHANGELOG file should not be removed. The fact that it isn't common, it doesn't mean it's bad approach, especially with the conventional commits slowly integrating within Drupal git history which are fully compatible with git-cliff for generating great CHANGELOG files. It's actually good to have a CHANGELOG file in web packages.

point 3: Just adding a link to more info: https://www.drupal.org/docs/develop/using-composer/add-a-composerjson-file

vishal.kadam’s picture

1. main is a wrong name for a branch and should be removed. Release branch names always end with the literal .x as described in Release branches.

main will be a supported branch in future, but for the moment it is better not to use it. It is not wrong, but it is not completely supported on drupal.org.

2. FILE: bulk_paragraphs.module

For a new module that aims to be compatible with Drupal 10/11, it is expected it implements hooks as class methods as described in Support for object oriented hook implementations using autowired services.

/**
 * @file
 * Main module file for the Bulk Paragraphs module.
 */

The usual description for a .module file is “Hook implementations for the [module name] module”, where [module name] is the module name given in the .info.yml file.

sahksas’s picture

Thank you for the review.
I have addressed all the feedback.

  • GitLab CI: Enabled and fixed to pass all pipelines.
  • CHANGELOG.txt: Kept, following bbu23's suggestion.
  • composer.json: Added.
  • Translation files: Removed.
  • Branch name: Renamed to the correct format (1.0.x).
  • Automated tests: Added Kernel and Unit tests.
  • AI disclosure: Added to README.
  • OOP hooks: Migrated to class-based implementation using Hook attributes.

Looking forward to the re-review 🙏

sahksas’s picture

Status: Needs work » Needs review
vishal.kadam’s picture

Status: Needs review » Needs work

FILE: bulk_paragraphs.module

Since the module is declared compatible with Drupal 10.2, removing the function implementing the hook is not possible. The function still needs to be defined, but it calls the method defined by the service class, as described in Support for object oriented hook implementations using autowired services (Backwards-compatible Hook implementation for Drupal versions from 10.1 to 11.0).

sahksas’s picture

Thank you for the feedback. I have added backward-compatible hook implementations in bulk_paragraphs.module for Drupal 10.2 compatibility.

Looking forward to the re-review 🙏

sahksas’s picture

Status: Needs work » Needs review
batigolix’s picture

Status: Needs review » Needs work

@sahkas. Thanks for all te improvements.

I reviewed the code again and here a couple more recommendations.

1. Consider more strict permission for the route: 'access content' is granted to anonymous users by default

2. Consider adding validation of the query string values entity_type, bundle, field_name etc. in BulkGenerateForm.php . These are fetched from the request but not validated.

3. Consider validating the result of splitting $field_parents_string (as numeric IDs or string )

4. Consider checking the code with phpmd. The module contains some long and complex methods that could be improved so that the code gets easier to read.

sahksas’s picture

Status: Needs work » Needs review

@batigolix
Thank you for the review.
I have addressed all the feedback.

- Route permission: Added custom permission 'use bulk paragraphs' to prevent anonymous user access
- Query string validation: Added validation for entity_type, bundle, field_name, and other parameters
- field_parents validation: Validate that split results are numeric IDs or valid machine names
- phpmd: Refactored code to reduce complexity
- Additional: Fixed potential XSS (#markup → #plain_text), use modern PHP function (str_starts_with)

Looking forward to the re-review 🙏

sahksas’s picture

Status: Needs review » Needs work

I discovered a few areas I would like to improve personally, so I will be making some additional changes.

I will update the status again once I am ready for re-review. 🙏

sahksas’s picture

Status: Needs work » Needs review

Added the following features to the 1.0.x branch.

Planning to release as 1.1.0 after review approval.

  • Bulk generation now works with nested paragraph fields
  • After bulk generation, only the widget refreshes without full page reload, preserving other field values
  • Bulk buttons now display as dropdown to match Paragraphs widget add_mode: dropdown setting
  • Minor style adjustments for form elements in modal
  • Added validation for wrapper_id query parameter (XSS prevention)

Ready for review 🙏

sahksas’s picture

Pushed another commit to fix date field format handling.

  • Date-only fields now correctly use Y-m-d format instead of Y-m-d\TH:i:s
sahksas’s picture

Added support for additional field types in bulk edit modal

  • List fields (list_string, list_integer, list_float) - dropdown selection
  • Link field - URL and title with template support
  • Email field - with template support
  • Telephone field - with template support
  • Text with summary field - body and summary with template support

Also added unit tests for the new field type value calculations.

Commit: 82a65cd

sahksas’s picture

Fixed compatibility issue with config entity forms

The module was causing errors on config entity edit forms (e.g., text format settings, views, image styles) because hook_entity_prepare_form fires for all entity types, not just content entities.

Added a check for FieldableEntityInterface to skip processing of config entities that don't have field definitions.

Commit: cc5041f, 9d8940e

avpaderno’s picture

Status: Needs review » Reviewed & tested by the community

Thank you for your contribution and for your patience with the review process!

I am going to update your account so you can opt into security advisory coverage any project you create, including the projects you already created.

These are some recommended readings to help you with maintainership:

You can find more contributors chatting on Slack or IRC in #drupal-contribute. So, come hang out and stay involved!
Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.

I thank also all the reviewers for helping with these applications.

avpaderno’s picture

Status: Reviewed & tested by the community » Fixed

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

sahksas’s picture

Thank you all for the thorough review and helpful feedback! I've just released version 1.1.0 with security advisory coverage. Looking forward to contributing more to the Drupal community 🙇‍♂️

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.