Access Control by Financial Type permissioning does not cover contribution_recur
When having Access Control by Financial Type turned on a user without the permission over a given financial type can still access it in 3 ways:
- Can view corresponding recurring contribution (under recurring contributions tab)
- Can cancel it
- Can view all contributions related to the recurring. So it is a backdoor around the permissioning.
I've checked the financial type in civicrm_contribution_recur and it is one they should not see.
WP 5.6.2 Civi 5.31.1