Domain Access: Further expand node_grants support for content assigned on domains

@mably yeah i see what you mean, i guess the first part is we need to only allow the permission for the single specific content type and not all of them. Do you have a rough idea on the sorta change that will need to be made to the domain_access_node_access hook? Maybe if i had a better idea of the plan it might be something i can get started on.

@mably thanks a lot for looking into this, so I’ve tested various scenarios between your implementations for the 2.x and 3.x branch and this is what i found.

Tests conducted
2.x MR (261)

• Only edit specific content type permission is enabled = Edit access is granted to all content types including one specified
• Only “Edit any content on assigned domains” = Edit access is granted to all content types

3.x MR (268)

• Only edit specific content type permission is enabled = No edit access to any content type including one specified
• Only “Edit any content on assigned domains” = Edit access is granted to all content types

So across both MR's, the edit any content on assigned domains permission is functioning as expected. But the individual particular permissions on a per content type basis aren’t functioning as expected in both MR's.

In terms of the reproducible scenario, i was able to also test this on a sandbox site that I’ve got which has minimal modules so less chance of conflicts and i got the same results as my main site.

Steps to reproduce:

1. Create a user with a specific role, lets say "content editor" and give them all the node access permissions possible (create, edit, delete)
2. Set this user up to have domain access for the specific site you want on the edit user page (At this point this user no longer has the ability to do anything to any content type)
3. Give the content editor role the "Edit any content on assigned domains" permission, on both MR's what happened in my tests will occur, they'll be able to edit ANY content types on the site
4. Remove the edit any content on assigned domains permission and give the role one of the "{content type}: Edit any content on assigned domains" permissions and depending on which MR you’re in, then they might be able to edit all content (which is wrong) this is for the 2.x MR and if you’re in the 3.x MR then they won’t have the ability to edit any content at all which is also wrong

Imagine this would be the same for the delete permissions so i didn’t test those specifically because the code is the same. Let me know if you have any other questions

@mably i believe I've managed to resolve the issue of the {content type}: Edit/delete any content on assigned domains permission on a single content type giving users the same permissions to ALL content types. I've added an explicit check which forbids access if the current user doesn’t have the specific update or delete permission for that content type. I’ve done several tests on my sites and this is working as expected.

I’ve only made this change on the 2.x MR for the moment.

@mably ignore my previous comment here, the permission issue i was seeing on my own set up was related to another permission on the content moderation module which I’ve removed and has seemingly resolved things.

So what this current patch is doing, is working for me. I'm gonna do some additional tests on a sandbox site now that i have more knowledge of the issue and then I’ll report back here :)

Okay @mably I’ve done a lot of testing today and i can confirm that the MR for 3.x is working on both my main site and the sandbox site so that's working as expected due to the grants being added based on the content types `$grants['domain_id:' . $type_id][] = $active_domain_id;` so good job on getting that sorted.

Obviously because this doesn’t exist on the 2.x you can guess that my tests haven’t proved fruitful there, but i think should be okay if the main fix will be available in 3.x? I'm guessing we can’t backport that change that's in the 3.x MR into 2.x because of the addition of the new type based grant which would make it a major version change? If we can backport the type based grant change then that's good news!

I’ve reviewed and tested this and can confirm it's working as expected. The edit and delete permissions on the content overview page and generally on content entities are functioning as requested on this issue.