Custom graphql/content policy

Allows to restrict which content types a user is allowed to see over graphql.

```
DomainGroupContent:
  type: object
  fields:
    articles:
      type: "[ArticleContent]"
      public: '@=service("ezplatform_graphql.can_user").viewContentOfType("article")'
```

fixup! Custom graphql/content_type_view policy

Author: Bertrand Dunogier

BDEzPlatformGraphQLBundle.php

@@ -1,20 +1,29 @@
 <?php
-
 namespace BD\EzPlatformGraphQLBundle;
 
 use BD\EzPlatformGraphQLBundle\DependencyInjection\Compiler;
+use BD\EzPlatformGraphQLBundle\DependencyInjection\Security\PolicyProvider;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\HttpKernel\Bundle\Bundle;
 
 class BDEzPlatformGraphQLBundle extends Bundle
 {
     public function build(ContainerBuilder $container)
     {
-        parent::build($container); // TODO: Change the autogenerated stub
+        parent::build($container);
 
         $container->addCompilerPass(new Compiler\FieldValueTypesPass());
         $container->addCompilerPass(new Compiler\FieldValueBuildersPass());
         $container->addCompilerPass(new Compiler\SchemaWorkersPass());
         $container->addCompilerPass(new Compiler\SchemaBuildersPass());
+
+        $this->loadPolicyProviders($container);
+    }
+
+    private function loadPolicyProviders(ContainerBuilder $container)
+    {
+        $extension = $container->getExtension('ezpublish');
+        // Add the policy provider.
+        $extension->addPolicyProvider(new PolicyProvider());
     }
 }

DependencyInjection/Security/PolicyProvider.php

@@ -0,0 +1,12 @@
+<?php
+namespace BD\EzPlatformGraphQLBundle\DependencyInjection\Security;
+
+use eZ\Bundle\EzPublishCoreBundle\DependencyInjection\Security\PolicyProvider\YamlPolicyProvider;
+
+class PolicyProvider extends YamlPolicyProvider
+{
+    protected function getFiles()
+    {
+        return [__DIR__ . '/../../Resources/config/policies.yml'];
+    }
+}

Resources/config/policies.yml

@@ -0,0 +1,5 @@
+graphql:
+    content_type_view:
+        - Class
+    content:
+        - Class

Resources/config/services.yml

@@ -28,3 +28,7 @@ services:
 
     BD\EzPlatformGraphQLBundle\GraphQL\ExpressionLanguage\Access\HasEzAccessToOneOfFunction:
         tags: ['overblog_graphql.expression_function']
+
+    ezplatform_graphql.can_user:
+        autowire: true
+        class: 'BD\EzPlatformGraphQLBundle\Security\CanUser'

Security/CanUser.php

@@ -0,0 +1,50 @@
+<?php
+namespace BD\EzPlatformGraphQLBundle\Security;
+
+use eZ\Publish\API\Repository\ContentTypeService;
+use eZ\Publish\API\Repository\Exceptions\BadStateException;
+use eZ\Publish\API\Repository\Exceptions\InvalidArgumentException;
+use eZ\Publish\API\Repository\Exceptions\NotFoundException;
+use eZ\Publish\API\Repository\PermissionResolver;
+use eZ\Publish\API\Repository\Values\Content\ContentInfo;
+use GraphQL\Error\UserError;
+
+class CanUser
+{
+    /**
+     * @var PermissionResolver
+     */
+    private $permissionResolver;
+
+    const MODULE = 'graphql';
+
+    const FUNCTION_CONTENT = 'content';
+    /**
+     * @var ContentTypeService
+     */
+    private $contentTypeService;
+
+    public function __construct(ContentTypeService $contentTypeService, PermissionResolver $permissionResolver)
+    {
+        $this->permissionResolver = $permissionResolver;
+        $this->contentTypeService = $contentTypeService;
+    }
+
+    public function viewContentOfType($identifier)
+    {
+        try {
+            $contentType = $this->contentTypeService->loadContentTypeByIdentifier($identifier);
+        } catch (NotFoundException $e) {
+            throw new UserError("Content type '$identifier' not found'");
+        }
+
+        $contentInfo = new ContentInfo(['contentTypeId' => $contentType->id]);
+        try {
+            return $this->permissionResolver->canUser(self::MODULE, self::FUNCTION_CONTENT, $contentInfo);
+        } catch (BadStateException $e) {;
+            throw new UserError($e->getMessage(), 0, $e);
+        } catch (InvalidArgumentException $e) {
+            throw new UserError($e->getMessage(), 0, $e);
+        }
+    }
+}