Planned for
Improving security for UI Extensions mutation operations
As of today, any authenticated user with access to a space can perform all operations on UI Extensions (reading an extension, creating a new extension, updating or deleting an existing extension). This allows users with limited access to a Contentful space to compromise the experience by, for example, deleting a UI Extension.
To improve the security of mutative UI Extension operations, we are proceeding with a change that grants permission to create, update and delete UI Extensions only to space administrators. The behaviour of the "read" operation remains the same: any authenticated user with access to a space can read its UI Extensions.
The Contentful Web App and any applications using our delivery APIs will not be affected by this change. If you are using a non-admin access token to interact with UI Extensions (e.g. in scripts or CI), please replace it with an admin access token.