ACLs don't work on "Tab with table" custom field groups
To replicate on master:
- Create a new role, "Read Only".
- Give the role only the "Access CiviCRM" permission.
- Create a new group "Read Only" of type "Access Control".
- Create a multi-record custom group with display type of "Tab with table".
- Create a new user, give them the "Read Only" role and place them in the "Read Only" group.
- Configure an ACL that grants "View" access to one or more contacts. Since "Edit own contact" is a special case, ensure that one of the contacts doesn't belong to the user.
- Configure an ACL that grants "View" access to the multi-record custom group.
Expected result:
- This user shouldn't be able to edit a contact's data.
Actual result:
- This user can edit custom fields that are on a "tab with table".
There are a few things that need fixing; I intend to move at least some of these forward:
- The template doesn't have a permission check on the "Add" button.
- The class doesn't have a permission check on the action links.
- The class doesn't have a permission check on postProcess.
Finally, the "Edit" ACL for custom fields doesn't seem to be respected - but this is out of scope for this issue.
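
An added sketch of the three missing checks listed above, not code from the original report or from CiviCRM: a self-contained PHP model in which the "Add" button, the action links and the submit handler all consult the same Edit check. Every function name and the ACL table are hypothetical and constructed for illustration.

```php
<?php
// Hypothetical model: every name here is illustrative, none is CiviCRM's API.
const VIEW = 1;
const EDIT = 2; // assumption of this model: Edit implies View

// Constructed ACL data mirroring the reproduction steps: user 7 holds only
// "View" on contact 42 and on multi-record custom group 5.
$acl = [7 => ['contact' => [42 => VIEW], 'customGroup' => [5 => VIEW]]];

function allowed(array $acl, int $user, string $kind, int $id, int $need): bool {
  return ($acl[$user][$kind][$id] ?? 0) >= $need;
}

function canEditRecords(array $acl, int $user, int $contact, int $group): bool {
  return allowed($acl, $user, 'contact', $contact, EDIT)
    && allowed($acl, $user, 'customGroup', $group, EDIT);
}

// Template "Add" button and per-row action links: offer only what is granted.
// Assumes the caller has already confirmed View access to the tab.
function tabControls(array $acl, int $user, int $contact, int $group): array {
  $canEdit = canEditRecords($acl, $user, $contact, $group);
  return [
    'addButton' => $canEdit,
    'rowLinks' => $canEdit ? ['view', 'edit', 'delete'] : ['view'],
  ];
}

// Before: the submit handler trusts that only editors could reach the form.
function postProcessUnchecked(array &$store, int $contact, int $group, array $row): void {
  $store[$contact][$group][] = $row;
}

// After: the handler re-checks on submit, because hiding controls in the
// page does not by itself enforce anything on the server side.
function postProcessChecked(array $acl, int $user, array &$store, int $contact, int $group, array $row): void {
  if (!canEditRecords($acl, $user, $contact, $group)) {
    throw new RuntimeException('Permission denied: Edit access required');
  }
  $store[$contact][$group][] = $row;
}

$store = [];
var_dump(tabControls($acl, 7, 42, 5));
postProcessUnchecked($store, 42, 5, ['field' => 'changed']);
echo count($store[42][5]), " row(s) written by the unchecked handler\n";
try {
  postProcessChecked($acl, 7, $store, 42, 5, ['field' => 'changed']);
} catch (RuntimeException $e) {
  echo $e->getMessage(), "\n";
}
```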