Custom graphql/content_type_view policy

Allows to restrict which content types a user is allowed to see over graphql.

```
DomainGroupContent:
  type: object
  fields:
    articles:
      type: "[ArticleContent]"
      public: '@=service("ezplatform_graphql.can_user").viewContentType("article")'
```

Author: Bertrand Dunogier

BDEzPlatformGraphQLBundle.php

@@ -1,20 +1,29 @@
 <?php
-
 namespace BD\EzPlatformGraphQLBundle;
 
 use BD\EzPlatformGraphQLBundle\DependencyInjection\Compiler;
+use BD\EzPlatformGraphQLBundle\DependencyInjection\Security\PolicyProvider;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\HttpKernel\Bundle\Bundle;
 
 class BDEzPlatformGraphQLBundle extends Bundle
 {
     public function build(ContainerBuilder $container)
     {
-        parent::build($container); // TODO: Change the autogenerated stub
+        parent::build($container);
 
         $container->addCompilerPass(new Compiler\FieldValueTypesPass());
         $container->addCompilerPass(new Compiler\FieldValueBuildersPass());
         $container->addCompilerPass(new Compiler\SchemaWorkersPass());
         $container->addCompilerPass(new Compiler\SchemaBuildersPass());
+
+        $this->loadPolicyProviders($container);
+    }
+
+    private function loadPolicyProviders(ContainerBuilder $container)
+    {
+        $extension = $container->getExtension('ezpublish');
+        // Add the policy provider.
+        $extension->addPolicyProvider(new PolicyProvider());
     }
 }

DependencyInjection/Security/PolicyProvider.php

@@ -0,0 +1,12 @@
+<?php
+namespace BD\EzPlatformGraphQLBundle\DependencyInjection\Security;
+
+use eZ\Bundle\EzPublishCoreBundle\DependencyInjection\Security\PolicyProvider\YamlPolicyProvider;
+
+class PolicyProvider extends YamlPolicyProvider
+{
+    protected function getFiles()
+    {
+        return [__DIR__ . '/../../Resources/config/policies.yml'];
+    }
+}

Resources/config/policies.yml

@@ -0,0 +1,3 @@
+graphql:
+    content_type_view:
+        - Class

Resources/config/services.yml

@@ -28,3 +28,7 @@ services:
 
     BD\EzPlatformGraphQLBundle\GraphQL\ExpressionLanguage\Access\HasEzAccessToOneOfFunction:
         tags: ['overblog_graphql.expression_function']
+
+    ezplatform_graphql.can_user:
+        autowire: true
+        class: 'BD\EzPlatformGraphQLBundle\Security\CanUser'

Security/CanUser.php

@@ -0,0 +1,94 @@
+<?php
+namespace BD\EzPlatformGraphQLBundle\Security;
+
+use eZ\Publish\API\Repository\ContentTypeService;
+use eZ\Publish\API\Repository\Exceptions\BadStateException;
+use eZ\Publish\API\Repository\Exceptions\InvalidArgumentException;
+use eZ\Publish\API\Repository\Exceptions\NotFoundException;
+use eZ\Publish\API\Repository\PermissionResolver;
+use eZ\Publish\API\Repository\Values\Content\ContentInfo;
+use eZ\Publish\API\Repository\Values\User\Limitation\ContentTypeLimitation;
+use GraphQL\Error\UserError;
+
+class CanUser
+{
+    /**
+     * @var PermissionResolver
+     */
+    private $permissionResolver;
+
+    const MODULE = 'graphql';
+
+    const PERMISSION_CONTENT_TYPE_VIEW = 'content_type_view';
+    /**
+     * @var ContentTypeService
+     */
+    private $contentTypeService;
+
+    public function __construct(ContentTypeService $contentTypeService, PermissionResolver $permissionResolver)
+    {
+        $this->permissionResolver = $permissionResolver;
+        $this->contentTypeService = $contentTypeService;
+    }
+
+    public function viewContentType($identifier)
+    {
+        try {
+            $contentType = $this->contentTypeService->loadContentTypeByIdentifier($identifier);
+        } catch (NotFoundException $e) {
+            throw new UserError("Content type '$identifier' not found'");
+        }
+
+        $contentInfo = new ContentInfo(['contentTypeId' => $contentType->id]);
+        try {
+            return $this->permissionResolver->canUser(self::MODULE, self::PERMISSION_CONTENT_TYPE_VIEW, $contentInfo);
+        } catch (BadStateException $e) {;
+            throw new UserError($e->getMessage(), 0, $e);
+        } catch (InvalidArgumentException $e) {
+            throw new UserError($e->getMessage(), 0, $e);
+        }
+    }
+
+    public function hasAccessToContentType($identifier)
+    {
+        try {
+            $access = $this->permissionResolver->hasAccess(self::MODULE, self::PERMISSION_CONTENT_TYPE_VIEW);
+        } catch (InvalidArgumentException $e) {
+            throw new UserError("oops", 0, $e);
+        }
+
+        if (is_bool($access)) {
+            return $access;
+        }
+
+        if (!is_array($access)) {
+            throw new UserError("Invalid hasAccess() return type");
+        }
+
+        try {
+            $contentType = $this->contentTypeService->loadContentTypeByIdentifier($identifier);
+        } catch (NotFoundException $e) {
+            throw new UserError("Unknown content type $identifier");
+        }
+
+        /** @var \eZ\Publish\API\Repository\Values\User\Policy $policy */
+        foreach ($access as $limitation) {
+            foreach ($limitation['policies'] as $policy) {
+                if ($policy->module !== self::MODULE || $policy->function !== self::PERMISSION_CONTENT_TYPE_VIEW) {
+                    continue;
+                }
+                foreach ($policy->getLimitations() as $limitation) {
+                    if (!$limitation instanceof ContentTypeLimitation) {
+                        continue;
+                    }
+
+                    if (in_array($contentType->identifier, $limitation->limitationValues)) {
+                        return true;
+                    }
+                }
+            }
+        }
+
+        return false;
+    }
+}