Remove `profile listings and forms` permission
Overview
The `profile listings and forms` permission is shorthand for four other permissions relating to profiles - `profile create`, `profile edit`, `profile listings`, `profile view`.
I'm guessing that there was a historic reason for this, but I think it is confusing and potentially leaves sites less secure as a result. I propose that it is removed. Instead, each of the four permissions is set individually as required.
Current behaviour
There are five permissions relating to profiles:
profile create
profile edit
profile listings
profile view
profile listings and forms
The latter is a catch-all for the other four.
Proposed behaviour
There are four permissions relating to profiles:
profile create
profile edit
profile listings
profile view
As part of the upgrade process the user is prompted to review permissions and ensure that any user roles that currently have the `profile listings and forms` permission are given each of the above permissions.
Comments
The reason I have raised this issue is that it was unclear to me what each of these permissions was for. Following some discussion, I have made some proposals to improve the documentation but think it would be better if this permission were just removed.
The permissions are defined in CRM/Core/Permission.php.
I've found two uses of this permission in core:
And one in CiviVolunteer:
(There may be more, but these are the ones I've spotted.)
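A sketch of the review step described under "Proposed behaviour", as an added example that is not part of the original issue or of CiviCRM's code: it lists, per role, the permissions held only through the catch-all and checks that replacing it with explicit grants leaves access unchanged. The role map is constructed sample data and no CiviCRM API is used.

```python
# Added example: the role -> permissions map below is constructed sample data.
CATCH_ALL = "profile listings and forms"
IMPLIED = frozenset({"profile create", "profile edit",
                     "profile listings", "profile view"})


def effective(perms):
    """Permissions a role actually holds once the catch-all is expanded."""
    perms = set(perms)
    if CATCH_ALL in perms:
        perms |= IMPLIED
    return perms - {CATCH_ALL}


def plan_migration(roles):
    """Return (new_roles, review) for removing the catch-all.

    new_roles: the role map with the catch-all replaced by explicit grants.
    review: per affected role, the permissions that were held only
            implicitly, i.e. the ones an administrator should confirm.
    """
    new_roles, review = {}, {}
    for role, perms in roles.items():
        perms = set(perms)
        if CATCH_ALL in perms:
            review[role] = sorted(IMPLIED - perms)
        new_roles[role] = effective(perms)
    return new_roles, review


def access_unchanged(old_roles, new_roles):
    """True if no role gains or loses profile access in the migration."""
    return all(effective(old_roles[r]) == effective(new_roles[r])
               for r in old_roles)


# Constructed sample data
SAMPLE_ROLES = {
    "anonymous user": {"profile view"},
    "volunteer": {"profile listings and forms", "profile view"},
    "administrator": {"profile listings and forms", "administer CiviCRM"},
}

if __name__ == "__main__":
    new_roles, review = plan_migration(SAMPLE_ROLES)
    for role, implicit in review.items():
        print(f"{role}: confirm explicit grant of {', '.join(implicit)}")
    print("access unchanged:", access_unchanged(SAMPLE_ROLES, new_roles))
```

The `review` output is the part worth reading by hand: each listed permission is one the role never had granted by name, so it is the place to decide whether the role really needs it.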