The following methods should be factored out of the User class into PermissionManager, leaving only deprecated stubs:
* User::isAllowed -> PermissionManager::userHasRight or some such
* User::getRights -> PermissionManager::getUserPermissions.
* User::groupHasPermission -> PermissionManager::groupHasPermission
* User::getGroupPermissions -> PermissionManager::getGroupPermissions
* User::getGroupsWithPermission -> PermissionManager::getGroupsWithPermission
* User::groupHasPermission -> PermissionManager::groupHasPermission
* User::isEveryoneAllowed -> PermissionManager::isEveryoneAllowed
* User::getAllRights -> PermissionManager::getAllPermissions
Notes:
* This change should allow us to switch the public method signatures in PermissionManager from USer to UserIdentity. Some internal uses of User will remain for now, but they can be covered by User::newFromIdentity(). (Note that the "new" is a lie, the method will return the original instance if it's already a User object).
* Implementing getRights needs access to the user's session. This may not be possible for users other than the current user, making the behavior inconsistent in some cases (needs investigation of current behavior!). The method's contract should make this clear. Also, injecting any information about the current user, request or session is awkward for a service object, but should be acceptable due to PHP's per-request execution model, compare T218555.
* User::getAllGroups is based on the same information as getAllRights, but this fact should not be cemented by exposing getAllGroups in the PermissionManager interface. Instead, we should probably create a GroupManager service at some point.