Permissions on GroupContact API calls seem wrong
I got a support request from a user who didn't have "Edit All Contacts" permissions stating that they couldn't remove someone from a group. Sure enough, edit all contacts is the necessary permission. However, editing/removing tags just requires "access CiviCRM".
Does this seem correct to folks? Is it to prevent someone escalating their ACL permissions? If so, it feels like we need a different permission, and this predates more nuanced solutions such as Group Protect. The only other entity that needs such high permissions is Relationship - that also seems wrong.
I propose that we add both GroupContact and Relationship entities to the _civicrm_api3_check_edit_permissions() function. If you can edit the contact, you can edit their groups/relationships. If someone gives this a "Concept: Approved" I'll work on the PR.