Allow permissions.yml files to declare 'permission_callbacks' for dynamic permissions

It is looking great so far!

1. +++ b/core/modules/node/node.permissions.yml
   @@ -0,0 +1,27 @@
   +'bypass node access':
   +  title: 'Bypass content access control'
   +  description: 'View edit and delete all content regardless of permission restrictions.'
   +  'restrict access': TRUE
   +'administer content types':
   +  title: 'Administer content types'
   +  description: 'Promote change ownership edit revisions and perform other tasks across all content types.'
   +  'restrict access': TRUE
   +'administer nodes':
   +  title: 'Administer content'
   +  'restrict access': TRUE
   +'access content':
   +  title: 'View published content'
   +'view own unpublished content':
   +  title: 'View own unpublished content'
   +'view all revisions':
   +  title: 'View all revisions'
   +'revert all revisions':
   +  title: 'Revert all revisions'
   +  description: 'Role requires permission <em>view revisions</em> and <em>edit rights</em> for nodes in question or <em>administer nodes</em>.'
   +'delete all revisions':
   +  title: 'Delete all revisions'
   +  description: 'Role requires permission to <em>view revisions</em> and <em>delete rights</em> for nodes in question or <em>administer nodes</em>.'
   +
   

   You don't need quotes for the keys ... see #2328411: Convert all permissions to yml files and permission callbacks

2. +++ b/core/modules/node/node.permissions.yml
   @@ -0,0 +1,27 @@
   +  - '\Drupal\node\NodePermissions::nodeTypePermissions'
   +  - '\Drupal\node\NodePermissions::contentPermissions'
   

   yeah you also don't need keys here.

3. +++ b/core/modules/node/src/NodePermissions.php
   @@ -0,0 +1,47 @@
   +class NodePermissions extends ControllerBase {
   

   oh, this feels wrong to be honest. we do have traits for t() and url(), in general.

4. +++ b/core/modules/node/src/NodePermissions.php
   @@ -0,0 +1,47 @@
   +      'access content overview' => array(
   +        'title' => $this->t('Access the Content overview page'),
   +        'description' => $this->t('Get an overview of <a href="!url">all content</a>.', array('!url' => $this->url('system.admin_content'))),
   +      ),
   

   webchick and I talked about that and considered this to be an edge case. If it would be really needed we thought of allowing twig inline templates here

5. +++ b/core/modules/simpletest/src/Tests/KernelTestBaseTest.php
   @@ -77,8 +77,8 @@ function testEnableModulesLoad() {
      function testEnableModulesInstall() {
   -    $module = 'node';
   -    $table = 'node_access';
   +    $module = 'module_test';
   +    $table = 'module_test';
    
   

   I really hate that these test fails

6. +++ b/core/modules/user/src/PermissionHandler.php
   @@ -94,7 +103,38 @@ public function getPermissions() {
   +          if ($callback_permissions = call_user_func($callback)) {
   

   can't you just use $callback()? Afaik ['class', 'method']() works

5. Yeah, that is not a cool fail. It's quite a strange test though tbh. Depending on a test module is better than node though IMO. So I think this is an improvement too.

If you convert all other permissions, as done in my other issue, you will see that there are even more places where this happens to break. There are quite some implementation
details in the kernel test base.

I am fine with the patch at it is. We have to work on additional issue anyway.

@damiankloip
Did you thought of a chance record?

+++ b/core/modules/node/node.permissions.yml
@@ -0,0 +1,27 @@
+bypass node access:
+  title: 'Bypass content access control'
+  description: 'View edit and delete all content regardless of permission restrictions.'
+  'restrict access': TRUE
+administer content types:
+  title: 'Administer content types'
...
+permission_callbacks:
+  - \Drupal\node\NodePermissions::nodeTypePermissions
+  - \Drupal\node\NodePermissions::contentPermissions

I don't like that permission_callbacks shares the same level as static permission keys. I think we should avoid this possible confusion. Possible structure:

static:
  bypass node access:
    title: 'Bypass content access control'
    description: 'View edit and delete all content regardless of permission restrictions.'
    'restrict access': TRUE
  administer content types:
    title: 'Administer content types'
...
callbacks:
  - \Drupal\node\NodePermissions::nodeTypePermissions
  - \Drupal\node\NodePermissions::contentPermissions

@claudiu.cristea
We do have a similar structure on the routing.yml already, so there is no reason to change this here.

views.ajax:
  path: '/views/ajax'
  defaults:
    _controller: '\Drupal\views\Controller\ViewAjaxController::ajaxView'
  options:
    _theme: ajax_base_page
  requirements:
    _access: 'TRUE'

route_callbacks:
  - 'views.route_subscriber:routes'

@damiankloip
Yes this is the best.

Let's get this one in first.

+1 for RTBC, this matches the dynamic code in RouteBuilder and looks great.

Quick rebase

1. +++ b/core/modules/node/src/NodePermissions.php
   @@ -0,0 +1,51 @@
   +      $perms += node_list_permissions($type);
   

   Let's move all of node_list_permissions() into NodePermissions::nodeTypePermissions() - this is the only usage.

2. +++ b/core/modules/user/src/PermissionHandler.php
   @@ -52,11 +60,12 @@ class PermissionHandler implements PermissionHandlerInterface {
       * @param \Drupal\Core\StringTranslation\TranslationInterface $string_translation
       *   The string translation.
       */
   -  public function __construct(ModuleHandlerInterface $module_handler, TranslationInterface $string_translation) {
   +  public function __construct(ModuleHandlerInterface $module_handler, TranslationInterface $string_translation, ControllerResolverInterface $controller_resolver) {
   

   Need to update doc block for new param.

Okay, cool

Committed bd8cb79 and pushed to 8.0.x. Thanks!

Can someone update the CR https://www.drupal.org/node/2311427 and link this issue. Thanks.

Setting to needs work until change record is updated... https://www.drupal.org/node/2311427

Updated.