NodeAccessControlHandler super-permissions are incompatible with direct hasPermission() evaluation

The proposed solution is a solid pragmatic fix, but I wonder if we should think one level deeper here.

The root problem is that the permission system has no concept of one permission implying others. For example, administer nodes → all granular node permissions is an implicit contract enforced in the access handler logic, invisible to everything else. The access policy workaround makes that expansion explicit at runtime, but it's still a layer on top rather than a fix to the underlying model.

What if the permission system supported declaring that a permission grants other permissions? Something like a permission definition being able to declare grants: [create article content, edit any article content, ...] or a parent key on granular permissions pointing back to their super-permission.

This would get us several things at once:

1. OAuth and API consumers get the right answer from hasPermission() without needing a separate expansion policy.
2. The permissions UI can surface the relationship natively. This could be disabled checkboxes, visual grouping, whatever makes sense, because it has the data to work with instead of reverse-engineering handler logic.
3. Entity API generalization also becomes straightforward. Any entity type declaring administer {entity_type} can wire up the grants relationship in its permission definitions.
4. Contrib, custom entities, and other use cases get the same behavior for free.

Thoughts?

Thanks for opening this, Matt. I'm pretty sure I've run into something similar in other contexts, although I'm forgetting those details right now.

I kinda like where #3 is headed. However, grants: in the "parent" permission is a non-starter. See core/modules/node/src/NodePermissions.php and friends. There are a metric crap-ton of permissions that are per node bundle, and those get auto-generated every time you add a new node type. Custom entity types can work the same way. We definitely would need all of these auto-generated permissions to point to their parent(s), not try to have a parent super permission list of all its children.

Meanwhile, at least for now, a specific node bundle "leaf" permission like 'create article content' can have multiple "super permissions" that would allow it (both 'bypass node access' and 'administer nodes'). So, the 'parent' permission key would need to be multi-valued. Which means this isn't a permission tree and those aren't leaves, but a directed graph. And we better hope it's acyclical (a DAG). 😅 So it gets pretty complicated, pretty quickly, especially if we try to surface any of this in the UI. 😬

Speaking of complexity, do we prevent "grandparent" permissions? Can/should we enforce that a permission which is acting as a parent cannot have any parents of its own? Or do we somehow allow this to be arbitrarily nested? E.g. "administer article content" is the parent of all the article CRUD permissions, but is itself a child of "administer nodes". Etc.

Maybe if we deprecate 'administer nodes' and do enough research, we can side step this mess, declare that a permission can only have a single parent, and go back to a tree not a DAG. And maybe we declare that this tree can only be 1 level deep, and enforce that parents can't themselves have parents. But it'd require a lot more investigation than I have time for right now.

-Derek