Test mailings create new contacts even when "Add Contacts" permission is not present.
When sending a test mail, CiviCRM will check if the email matches an existing contact in the database. If it does, it uses that contact ID; if not, it creates a contact. However, it creates a contact without regard for whether a user has permission to add contacts.
Steps to replicate
- Create a user that does not have the "Add Contacts" permission.
- With that user, create a new mailing (traditional or Mosaico, doesn't matter).
- Send a test ("draft") mail to an email address that doesn't exist in the database.
No new contact is created.
A new contact is created.