jensschuppe
commented
3 years ago This involves introducing a dedicated permission, as the administer site configuration permission is currently being used for that, and it already has the "restricted" designation.
Also, in the D8/9 version of the module, the local connector can not be used anymore. This leaves this issue with missing documentation.
The local connector (as opposed to remote connectors) does not require a Drupal user and thus no permissions to send CiviCRM API requests via the CiviMRF interface.
The permission to add/edit CiviMRF profiles should therefore be marked as a restricted permission (see the
hook_permission()documentation) and a warning should be printed on the configuration page, explaining the implications involved with using the local connector.A problematic scenario would be Webform editors being granted the permission to configure CiviMRF for Webforms, which allows selecting the CiviMRF profile, regardless of whether the local or a remote connector is being used.