User can edit and delete contributions without associated permissions
Scenario: A front-end user is accessing their contact dashboard, which includes contribution data. The user has the "make online contributions" permission but NOT any other CiviContribute permissions (see screenshot_perms).
In the contact dashboard, recurring contributions have a 'View' option (screenshot_0) which opens the details of the recurring contribution in a pop-up dialog. This includes a list of Related Contributions, each of which has 'Edit' and 'Delete' links next to it (screenshot_1).
Expected behaviour: These links are not present (best) or issue an error when clicked (fall-back).
Observed behaviour: Clicking on either of these opens the edit (screenshot_3) or delete (screenshot_4) dialog. Although there are error messages, I was able to edit (by making changes then clicking 'Save') or delete (by clicking 'Delete') the contribution despite the permission settings.
Note: The membership pop-up dialog also has edit and delete links (screenshot_2) which issue an error if clicked. Ideally, these links would be simply removed when the user does not have permission.
This may relate to #1962 (closed)? It seems to be a security flaw.
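To illustrate the two points in this report (action links rendered regardless of permission, and an error message that is displayed without stopping the action), the following is a constructed Python model added here; it is not CiviCRM code, and the permission names other than "make online contributions" are assumed.

```python
"""Constructed model of the authorization gap described above (not CiviCRM code)."""

# Permission each contribution action should require (assumed names).
REQUIRED_PERMISSION = {
    "view": "access CiviContribute",
    "edit": "edit contributions",
    "delete": "delete in CiviContribute",
}


class PermissionDenied(Exception):
    """Raised when an action is attempted without the required permission."""


def has_permission(user_perms, action):
    return REQUIRED_PERMISSION[action] in user_perms


def related_contribution_links(user_perms, contribution_id):
    """Expected behaviour: only emit the action links the user may actually use."""
    return [f"{action}:{contribution_id}"
            for action in ("view", "edit", "delete")
            if has_permission(user_perms, action)]


def handle_action_flawed(user_perms, action, contributions, contribution_id, new_amount=None):
    """Observed behaviour: the check only produces a message; the mutation still runs."""
    messages = []
    if not has_permission(user_perms, action):
        messages.append(f"You do not have permission to {action} contributions")
    if action == "delete":
        contributions.pop(contribution_id, None)
    elif action == "edit":
        contributions[contribution_id]["amount"] = new_amount
    return messages


def handle_action_hardened(user_perms, action, contributions, contribution_id, new_amount=None):
    """Fix: deny before any state change, independent of whether the UI showed the link."""
    if not has_permission(user_perms, action):
        raise PermissionDenied(f"'{REQUIRED_PERMISSION[action]}' is required to {action} a contribution")
    if action == "delete":
        contributions.pop(contribution_id, None)
    elif action == "edit":
        contributions[contribution_id]["amount"] = new_amount
    return []


if __name__ == "__main__":
    front_end_user = {"make online contributions"}          # permission set from the report
    records = {42: {"amount": 10.0}}                         # constructed sample contribution
    print(related_contribution_links(front_end_user, 42))    # [] - no edit/delete links rendered
    print(handle_action_flawed(front_end_user, "delete", records, 42), records)  # message, but deleted
```

The flawed handler returns the error text and still deletes the record, which is exactly the observed combination of "error messages" plus a successful edit or delete; the hardened handler refuses before touching the data, so hiding the links is a usability improvement rather than the only line of defence.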