Improved authorize Twig extension #948

Merged

Sommerregen
Contributor

This PR addresses https://getgrav.org/forum#!/general:hiding-certain-tabs-from-no and enhances the authorize Twig extension method with full backward-compatibility. Thus, it can be used as usual with

```php
authorize(['admin.super', 'admin.pages']);
authorize('admin.super');
```

or with the new changes with

```php
authorize([
  'admin' => [
    'super' => true
  ],
  'site' => [
    'user' => false
  ]
]);
```

which makes it possible to set access rights for tabs via blueprints as

```yaml
assets:
  type: tab
  title: Assets
  security:
    admin:
      super: true
    site:
      user: false
  fields:
    ...
```

flaviocopes merged commit 496be79 into getgrav:develop Jul 20, 2016
@flaviocopes
Contributor

👍 thanks!

@flaviocopes
Contributor

Just to clear things,

```yaml
admin:
  super: true
site:
  user: false
```

means a tab is visible to users with admin.super who do not have site.user set to true? Or what is the logic there?

@Sommerregen
Contributor Author

@flaviocopes Good point! I tried to adapt the logic of the Login plugin. Atm it means what you said. Only users with admin.super are allowed to access the tab. Users with site.user not. I see this is redundant, because all other roles do not have access either... and it is not the same as the login plugin provides :-/ ...

Maybe it is better to replace L749-756 with

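```php
foreach ($action as $key => $rules) {
  // Integer keys come from the flat list form; string keys are a permission prefix.
  $prefix = is_int($key) ? '' : $key . '.';
  $rules = $prefix ? (array) $rules : [$rules => true];
  foreach ($rules as $rule => $value) {
    // Grant access as soon as one rule matches the expected value.
    if ($this->grav['user']->authorize($prefix . $rule) === $value) {
      return true;
    }
  }
}
```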

like the logic from the login plugin.

@flaviocopes
Contributor

My question is, in what case setting a value as false is a good use case? I don't see one at hand, but maybe you do, as you wrote the PR :)
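
The two readings of a `false` rule discussed in this thread, as an added example that is not part of the PR or of Grav's code: `authorizeAny` mirrors the first-match loop proposed above, and `authorizeAll` is the reading from the question (every rule must hold). The function names, the user model (a list of granted permission strings standing in for `$this->grav['user']->authorize()`, assumed to return a strict boolean) and the sample users are constructed for illustration.

```php
<?php
// Added illustration, not Grav code. $granted is a user's list of permission
// strings; in_array() stands in for $this->grav['user']->authorize(), which is
// assumed here to return a strict boolean.
// Flatten both accepted shapes into ['admin.super' => true, 'site.user' => false].
function flattenRules(array $action): array
{
    $flat = [];
    foreach ($action as $key => $rules) {
        $prefix = is_int($key) ? '' : $key . '.';
        $rules = $prefix ? (array) $rules : [$rules => true];
        foreach ($rules as $rule => $value) {
            $flat[$prefix . $rule] = $value;
        }
    }
    return $flat;
}

// First-match evaluation, as in the loop proposed in the thread.
function authorizeAny(array $granted, array $action): bool
{
    foreach (flattenRules($action) as $permission => $value) {
        if (in_array($permission, $granted, true) === $value) {
            return true;
        }
    }
    return false;
}

// All-must-hold evaluation, the reading asked about in the thread.
function authorizeAll(array $granted, array $action): bool
{
    foreach (flattenRules($action) as $permission => $value) {
        if (in_array($permission, $granted, true) !== $value) {
            return false;
        }
    }
    return true;
}

// Constructed users, checked against the rule set from the blueprint example.
$rules = ['admin' => ['super' => true], 'site' => ['user' => false]];
$users = ['super admin' => ['admin.super'], 'site user' => ['site.user'],
          'both' => ['admin.super', 'site.user'], 'no roles' => []];
foreach ($users as $name => $granted) {
    printf("%-12s any=%-5s all=%s\n", $name,
        var_export(authorizeAny($granted, $rules), true),
        var_export(authorizeAll($granted, $rules), true));
}
```

With first-match evaluation the user holding no permissions is granted access, because `site.user: false` is satisfied on its own; with all-must-hold evaluation only the super admin without `site.user` passes.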
