Remove `profile listings and forms` permission
profile listings and forms permission is shorthand for four other permissions relating to profiles -
I'm guessing that there was a historic reason for this but I think it is confusing and potentially leaves sites less secure as a result. I propose that it is removed. Instead each of the four permissions are set individually as required.
There are five permissions relating to profiles:
profile listings and forms
The latter is a catch all for the other four.
There are four permissions relating to profiles:
As part of the upgrade process the user is prompted to review permissions and ensure that any user roles that currently have the
profile listings and forms permission are given each of the above permissions.
The reason I have raised this issue is that it was unclear to me what each of these permissions were four. Following some discussion, I have made some proposals to improve the documentation but think it would be better if this permission were just removed.
The permissions are defined in CRM/Core/Permission.php.
I've found two uses of this permission in core:
And one in CiviVolunteer:
(There may be more, but these are the ones I've spotted.)