I've been playing around with some ideas on a dev site using just Types & Forms and I've noticed that (sometimes) after a form has been submitted, these values are added to the wp_capabilities field in the usermeta table:-
Access is not installed so why is it necessary to add these fields?
What I find particularly troubling is that the values are added IN FRONT OF values that already exist in that field. Surely new values being added to any array anywhere in the database should always occupy the next position/s not push the existing value to the back of the queue? This behaviour potentially messes up any existing retrieval of information based on the (known) position of a value in an array.
It makes sense to add these special capabilities by default and without waiting for the Access plugin's activation, since, otherwise, they'll need to be added retrospectively for all existing users, when Access plugin actually gets activated.
I'm not sure I agree that Toolset should be making an assumption (or a presumption) that Access will be activated at some point and preparing for it; after all there are other role management solutions out there that would have to add permissions retrospectively for existing users and if Access were not the plugin of choice for anyone, the wpcf- fields would remain and be superfluous.
Just out of curiosity and for those that want to use a different solution, is there a filter/action hook that could be implemented to prevent the behaviour in the first place?
I stand corrected and my further testing and research show that those Toolset capabilities are not dependant on Toolset Forms or Access.
On a clean WordPress install, as soon as you'll activate the Toolset Types plugin, your admin user account will be updated with those capabilities.
The code audit confirms that these capabilities are used by the Types plugin to control which WordPress user can or can't access different Types features and admin menus, like managing post types, taxonomies, post custom fields, and user custom fields.
For this reason, removing/blocking these plugin capabilities is not recommended.