Security Best Practice for Editing?
In the case of the Profile Form, if editor rights are given to a user, he has total control to add/delete/edit anything on the page in any block.
While it is true that a user can update the content of the displayed fields in the Profile form without Editor Rights, he loses all JavaScript functions like the pop-up calendar and CSS formatting, since they only get loaded if the user is an editor.
Try it out! Create a custom attribute of type Date/Time in the User Attributes.
Create a user without editor rights, log in and try to edit his profile: no pop-up calendar!
Log in as a user who has Editor rights and you will see a pop-up calendar when clicking in the date field.
What if all you want to allow is editing content in a single block and not allow add/delete of blocks in a page?
You have different users responsible for different blocks on the same page?
An example is an executive dashboard with Financial data, sales data and HR data all supplied by different content providers.
Also take a look at advanced permissions.
It has to do with the fact that when the Profile page loads, it first loads header_required.php and page_controls_header.php.
While this is OK for users that need the ability to both add/remove blocks and edit the contents on the page, it doesn't protect against users who need to ONLY edit content and should not be able to add/remove blocks or change any properties of blocks.