Fix permission checks on contact create popups

[colemanw]

Overview

The permissions checked to show buttons to create a new contact via entityRef were not the correct permissions to actually create a contact in a profile form, which meant that some users could see the buttons but not be able to add contacts.

Before

Removing "profile listings and forms" and "profile create" permissions from a user would result in the buttons still appearing but an error when clicking on it.

After

Button appears correctly when user has permission. Note in screenshot the user lacks admin or profile permissions, so no create buttons are shown in the entityRef widget.

[civibot]

(Standard links)

• If this is your first pull-request for CiviCRM, please browse CONTRIBUTING.md for information about the development and testing processes.
• If you are reviewing this pull-request, you may wish to consult the test sites and the Review Standards (long template, short template).

[eileenmcnaughton]

test this please

[eileenmcnaughton]

@colemanw I can replicate this & this PR fixes so that is good.

However, there is a meaningful change to how 'administer CiviCRM' interacts - prior to this PR it doesn't confer the permission to add profiles - this is somewhat meaningful as without having full access specific profiles can be permitted via ACLs (obviously in this place the code doesn't pick up this nuance but I feel like that could/ in an ideal world would be fixed).

In short - if giving additional rights to 'Administer CiviCRM' were a side thought I think we should remove it. If there is a case for it then we need to flush that out - possibly as a separate PR.

[colemanw]

Ok fair enough. Yes it was a side-thought, as in theory someone with "administer CiviCRM" permission can do whatever they want. But I'm happy to table that discussion and simplify this PR.