User is able to create a profile despite not having the create profile permission granted

Created on 22 September 2020, about 4 years ago
Updated 10 March 2023, over 1 year ago

Problem/Motivation

I have a project where there's only one profile type and only one instance of such profile type is allowed per user. Each user is allowed to update their profile but not to create one - once a profile is created for such a user by the administrator, users are free to update their profiles.

Unfortunately, as of now, if the user has a "Profile: Update own profiles" permission granted but not the "Profile: Create profiles" permission they can still both create and update their profile even though the explicit "Profile: Create profiles" permission hasn't been granted.

Steps to reproduce

Create profile type - allow only single profile instance per user.
Create a user account, grant no additional roles
Grant authenticated user role permission to update but not to create profile
Login/masquerade as a newly created user
Go to /user and observe that the user can create a new user profile even though corresponding permission hasn't been added

Proposed resolution

In UserController::checkAccess, check if a user is allowed to create a new profile.

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Needs work

Version

1.0

Component

Code

Created by

🇳🇴Norway zaporylie


Comments & Activities


  • 🇲🇰Macedonia meri_atanasovska

    Currently, we check only if the user has 'update' permissions, so I created a simple patch.
    First, it checks if the user already has a profile created for the current profile type; if not, then it checks the 'create' permission, and if there is a profile, then it checks the 'update' permission. I am not sure if this patch will break some other functionality, but for this use case it definitely fixes the issue with a few lines of code.
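
The access rule the comment describes, written out as an added PHP illustration; it is neither the attached patch nor the Profile module's own code. It assumes Drupal core's access APIs, the Profile module's ProfileStorage::loadByUser(), and a 'profile_owner' context key for createAccess(), which is an assumption.

```php
<?php

// Added illustration of the access decision the comment describes. It is not
// the issue's patch and not the Profile module's own UserController code.
// Assumes Drupal core access APIs and ProfileStorage::loadByUser(); the
// 'profile_owner' context key passed to createAccess() is an assumption.

use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\profile\Entity\ProfileTypeInterface;
use Drupal\user\UserInterface;

/**
 * Decides whether $account may use the profile form for $user/$profile_type.
 *
 * With no profile of this type yet, the form would create one, so "create"
 * access is required. With an existing profile, the form edits it, so
 * "update" access on that profile is required. Checking only "update" is
 * the bug reported in this issue.
 */
function profile_form_access(EntityTypeManagerInterface $entity_type_manager, AccountInterface $account, UserInterface $user, ProfileTypeInterface $profile_type): AccessResultInterface {
  $storage = $entity_type_manager->getStorage('profile');
  // Single-profile types allow at most one profile of this type per user.
  $profile = $storage->loadByUser($user, $profile_type->id());

  if ($profile === NULL) {
    // Nothing exists to update: require create access on the bundle.
    $result = $entity_type_manager
      ->getAccessControlHandler('profile')
      ->createAccess($profile_type->id(), $account, ['profile_owner' => $user], TRUE);
  }
  else {
    // A profile exists: require update access on that specific entity.
    $result = $profile->access('update', $account, TRUE);
  }

  // The branch taken depends on which profiles exist for this user and on
  // the caller's permissions, so make the cached result vary on both.
  return $result
    ->addCacheableDependency($profile_type)
    ->cachePerPermissions()
    ->cachePerUser();
}
```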
