Part of #3371246: [Meta, Plan] Pitch-Burgh: Policy based access in core
We want to convert the Flexible Permissions module into core code. This will allow for any access policy to be translated into a set of permissions so that access checks can run. These permissions are calculated once during a build phase and then pulled through an alter phase. After both phases are complete, the end result is poured into an immutable value object and cached.
This value object can then be used by a permission checker (such as the one introduced in #3347873: Centralize permission checks in a service) to verify whether an account has the permission a given access check requires.
A key aspect that may not seem useful to core is the use of scopes. By default, all access policies will return permissions for the "drupal" scope. So that access modules in contrib don't have to copy all of this logic, scopes will allow them to define permissions in other scopes, such as Group, Domain, Commerce Stores, etc., where the calculated permissions only take effect within the scope of, say, one domain or group.
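A standalone sketch of the flow described above (build phase, alter phase, immutable cached result, scoped checks). It is an added example, not code from Flexible Permissions or Drupal core: every class, function and array key in it is hypothetical, and the cache is keyed by account ID only as a simplification.

```php
<?php
// Added sketch; every name is hypothetical, not Drupal core's API.
const SCOPE_DRUPAL = 'drupal';

// Immutable result of both phases: scope => identifier => list of permissions.
final class CalculatedPermissions {
  public function __construct(private readonly array $items) {}
  public function has(string $permission, string $scope = SCOPE_DRUPAL, string $id = SCOPE_DRUPAL): bool {
    // An unknown scope or identifier has no permissions, so the check fails closed.
    return in_array($permission, $this->items[$scope][$id] ?? [], true);
  }
}

// Build phase, then alter phase, then freeze and cache (simplified: keyed by account ID only).
function calculate(array $account, array $policies, array &$cache): CalculatedPermissions {
  if (!isset($cache[$account['id']])) {
    $items = [];
    foreach ($policies as $policy) {
      foreach ($policy['build']($account) as [$scope, $id, $permission]) {
        $items[$scope][$id][] = $permission;
      }
    }
    foreach ($policies as $policy) {
      $items = $policy['alter']($account, $items);
    }
    $cache[$account['id']] = new CalculatedPermissions($items);
  }
  return $cache[$account['id']];
}
// Constructed policies: one grants from the account's data, one revokes during alter.
$grants = [
  'build' => fn(array $account): array => $account['grants'],
  'alter' => fn(array $account, array $items): array => $items,
];
$lockdown = [
  'build' => fn(array $account): array => [],
  'alter' => function (array $account, array $items): array {
    $site = $items[SCOPE_DRUPAL][SCOPE_DRUPAL] ?? [];
    $items[SCOPE_DRUPAL][SCOPE_DRUPAL] = array_values(array_diff($site, ['administer nodes']));
    return $items;
  },
];
// Constructed account: two site-wide grants and one grant that exists only inside group 12.
$account = ['id' => 7, 'grants' => [[SCOPE_DRUPAL, SCOPE_DRUPAL, 'access content'],
  [SCOPE_DRUPAL, SCOPE_DRUPAL, 'administer nodes'], ['group', '12', 'administer nodes']]];
$cache = [];
$perms = calculate($account, [$grants, $lockdown], $cache);
var_dump($perms->has('access content'), $perms->has('administer nodes'),
  $perms->has('administer nodes', 'group', '12'), $perms->has('administer nodes', 'group', '13'));
```

The four checks show that the alter-phase revoke in the "drupal" scope leaves the group 12 grant untouched, and that the group 12 grant carries no weight in group 13 or site-wide.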
Tasks remaining:
- Move all of the Flexible Permissions code into the Drupal\Core\Session namespace
- Add AccessPolicyInterface::SCOPE_DRUPAL and make it the default