Permission system can be bypassed from the search results action menu
Overview
I created a simple permission structure where a group of CiviCRM users ("Group A") has write access to a group of contacts ("Group B"). (Every logged-in user can read all contacts in our system.)
When a contact is now added to "Group B", users of "Group A" see the edit button on the contact and can add/remove the contact to/from groups on the contact detail page. When removing the contact from "Group B", the edit button disappears. So far, everything as expected.
But when using the actions menu from the search results, users can add/remove group assignments of a contact which is not in "Group B".
Isn't this an inconsistency in the permission system? Or am I missing something? How can I avoid group membership changes of contacts which are not in "Group B" by users who are in "Group A"?
Reproduction steps
- Create a role, assign it to "Group A" and create ACL "edit" for "Group B".
- Log in with a non-admin user who is a member of "Group A".
- Search for a contact which is not a member of "Group B". Select it in the search results and choose "Group - add contact" or "Group - remove contact".
Current behaviour
I can change the group membership of this contact from within the action menu of the search result list.
Expected behaviour
Group membership changes should be refused since the contact is not a member of "Group B".
When opening the contact's detail view, it works as expected, which means I'm not able to change the group memberships there.
Environment information
CiviCRM version 5.63.1 under WordPress