Can't self-service cancel a recurring contribution made while you're logged in
The self-service recurring payment page is accessible either a) with a checksum, or b) if you have "Edit contributions" permission (code here).
However, if you're logged in when you create a recurring contribution, the email you receive doesn't contain a checksum (code here). So users without "Edit contributions" permission can't cancel their subscriptions.
I think the implication of allowing a user to cancel their payment via checksum is that we should also allow a user to cancel if the logged-in contact ID matches the contact ID of the recurring contribution. This would also mean on systems where users are logged in, you would have the added benefit of not worrying about expired checksums.
Is there any scenario in which we shouldn't allow a user to cancel a recurring subscription they "own"? If not, I'll submit a PR.
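
The access decision discussed above, including the proposed ownership rule, modelled as an added example that is not part of the original post and is not CiviCRM's code. The function names, the HMAC checksum format, the demo key and the sample contact IDs are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical model of the access decision; not CiviCRM's code.
const SITE_KEY = 'constructed-demo-key';   // constructed secret for the demo

/** Build a checksum token "mac_issuedAt_lifetimeHours" bound to one contact. */
function makeChecksum(int $contactId, int $issuedAt, int $lifeHours): string {
    $mac = hash_hmac('sha256', "$contactId|$issuedAt|$lifeHours", SITE_KEY);
    return "{$mac}_{$issuedAt}_{$lifeHours}";
}

/** True only if the token was issued for $contactId and has not expired. */
function validChecksum(int $contactId, ?string $token, int $now): bool {
    if ($token === null || !preg_match('/^([0-9a-f]{64})_(\d+)_(\d+)$/', $token, $m)) {
        return false;
    }
    [$issuedAt, $lifeHours] = [(int) $m[2], (int) $m[3]];
    $expected = hash_hmac('sha256', "$contactId|$issuedAt|$lifeHours", SITE_KEY);
    // Constant-time comparison, then the expiry window.
    return hash_equals($expected, $m[1]) && $now <= $issuedAt + $lifeHours * 3600;
}

/**
 * $recurContactId must come from the stored recurring-contribution record,
 * never from a request parameter, or the ownership test can be bypassed.
 */
function canCancelRecur(int $recurContactId, ?int $loggedInContactId,
                        array $permissions, ?string $checksum, int $now): bool {
    if (in_array('edit contributions', $permissions, true)) {
        return true;                               // staff path
    }
    if ($loggedInContactId !== null && $loggedInContactId === $recurContactId) {
        return true;                               // proposed rule: the owner is logged in
    }
    return validChecksum($recurContactId, $checksum, $now);  // emailed link path
}

// Constructed sample: a recurring contribution owned by contact 42.
$now   = 1700000000;
$stale = makeChecksum(42, $now - 8 * 86400, 168);  // issued 8 days ago with a 7-day life
var_dump(canCancelRecur(42, null, [], $stale, $now));                      // anonymous, expired link
var_dump(canCancelRecur(42, 42, [], null, $now));                          // logged-in owner, no checksum
var_dump(canCancelRecur(42, 43, [], null, $now));                          // logged in as someone else
var_dump(canCancelRecur(42, 43, [], makeChecksum(43, $now, 168), $now));   // another contact's checksum
var_dump(canCancelRecur(42, null, [], makeChecksum(42, $now, 168), $now)); // anonymous, fresh link
```

The second case is the one the post is about: the owner is authorised by session identity alone, so neither a missing nor an expired checksum locks them out.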