Permissions for custom fields are broken on public-facing pages
ACLs for custom fields are cached on a system-wide and not per-user basis. This means that non-permissioned users can see fields they shouldn't, and permissioned users won't see fields they should.
Steps to Replicate
Assuming a civibuild install:
- Remove the "CiviCRM: access all custom data" permission from anonymous users. They should now see no custom fields.
- Add a custom field to a contribution page's profile.
- As administrator, view the live contribution page. Note the field is present (which is correct).
- In an incognito window, view the live contribution page. The field is still present (which is incorrect).
- Clear cache.
- View the page again, but view as an anonymous user first. The field will be gone, but it will still be gone when you view as an administrator.
I don't intend to file a patch - this bug masked a misconfiguration in my client's case, and fixing it made this bug irrelevant to them. But I wanted to give reliable replication steps since folks like @darren.woods have encountered this in the wild.