Fixed almost everything, but all functional tests are broken at the last minute :(

api/rbac/.generated/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

api/rbac/Manager.php

@@ -0,0 +1,38 @@
+<?php
+declare(strict_types=1);
+
+namespace api\rbac;
+
+use Yii;
+use yii\rbac\Assignment;
+use yii\rbac\PhpManager;
+
+class Manager extends PhpManager {
+
+    /**
+     * In our application the permissions are given not to users itself, but to tokens,
+     * so we extract them from the extended identity interface.
+     *
+     * In Yii2, the mechanism of recursive permissions checking requires that the array
+     * with permissions must be indexed by the keys of these permissions.
+     *
+     * @param string $accessToken
+     * @return string[]
+     */
+    public function getAssignments($accessToken): array {
+        $identity = Yii::$app->user->getIdentity();
+        if ($identity === null) {
+            return [];
+        }
+
+        /** @noinspection NullPointerExceptionInspection */
+        $rawPermissions = $identity->getAssignedPermissions();
+        $result = [];
+        foreach ($rawPermissions as $name) {
+            $result[$name] = new Assignment(['roleName' => $name]);
+        }
+
+        return $result;
+    }
+
+}

api/rbac/Permissions.php

@@ -0,0 +1,41 @@
+<?php
+declare(strict_types=1);
+
+namespace api\rbac;
+
+final class Permissions {
+
+    // Top level Controller permissions
+    public const OBTAIN_ACCOUNT_INFO = 'obtain_account_info';
+    public const CHANGE_ACCOUNT_LANGUAGE = 'change_account_language';
+    public const CHANGE_ACCOUNT_USERNAME = 'change_account_username';
+    public const CHANGE_ACCOUNT_PASSWORD = 'change_account_password';
+    public const CHANGE_ACCOUNT_EMAIL = 'change_account_email';
+    public const MANAGE_TWO_FACTOR_AUTH = 'manage_two_factor_auth';
+    public const BLOCK_ACCOUNT = 'block_account';
+    public const COMPLETE_OAUTH_FLOW = 'complete_oauth_flow';
+    public const CREATE_OAUTH_CLIENTS = 'create_oauth_clients';
+    public const VIEW_OAUTH_CLIENTS = 'view_oauth_clients';
+    public const MANAGE_OAUTH_CLIENTS = 'manage_oauth_clients';
+
+    // Personal level controller permissions
+    public const OBTAIN_OWN_ACCOUNT_INFO = 'obtain_own_account_info';
+    public const OBTAIN_OWN_EXTENDED_ACCOUNT_INFO = 'obtain_own_extended_account_info';
+    public const CHANGE_OWN_ACCOUNT_LANGUAGE = 'change_own_account_language';
+    public const ACCEPT_NEW_PROJECT_RULES = 'accept_new_project_rules';
+    public const CHANGE_OWN_ACCOUNT_USERNAME = 'change_own_account_username';
+    public const CHANGE_OWN_ACCOUNT_PASSWORD = 'change_own_account_password';
+    public const CHANGE_OWN_ACCOUNT_EMAIL = 'change_own_account_email';
+    public const MANAGE_OWN_TWO_FACTOR_AUTH = 'manage_own_two_factor_auth';
+    public const MINECRAFT_SERVER_SESSION = 'minecraft_server_session';
+    public const VIEW_OWN_OAUTH_CLIENTS = 'view_own_oauth_clients';
+    public const MANAGE_OWN_OAUTH_CLIENTS = 'manage_own_oauth_clients';
+
+    // Data permissions
+    public const OBTAIN_ACCOUNT_EMAIL = 'obtain_account_email';
+    public const OBTAIN_EXTENDED_ACCOUNT_INFO = 'obtain_account_extended_info';
+
+    // Service permissions
+    public const ESCAPE_IDENTITY_VERIFICATION = 'escape_identity_verification';
+
+}

api/rbac/Roles.php

@@ -0,0 +1,10 @@
+<?php
+declare(strict_types=1);
+
+namespace api\rbac;
+
+final class Roles {
+
+    public const ACCOUNTS_WEB_USER = 'accounts_web_user';
+
+}

api/rbac/rules/AccountOwner.php

@@ -0,0 +1,58 @@
+<?php
+declare(strict_types=1);
+
+namespace api\rbac\rules;
+
+use common\models\Account;
+use Webmozart\Assert\Assert;
+use Yii;
+use yii\rbac\Rule;
+
+class AccountOwner extends Rule {
+
+    public $name = 'account_owner';
+
+    /**
+     * In our application the permissions are given not to users but to tokens,
+     * so we receive $accessToken here and extract all the assigned scopes from it.
+     *
+     * @param string|int     $accessToken
+     * @param \yii\rbac\Item $item
+     * @param array          $params the "accountId" parameter must be passed as the id of the account
+     *                               to which the request is made
+     *                               the "optionalRules" parameter allows you to disable the mandatory acceptance
+     *                               of the latest version of the rules
+     *
+     * @return bool a value indicating whether the rule permits the auth item it is associated with.
+     */
+    public function execute($accessToken, $item, $params): bool {
+        Assert::keyExists($params, 'accountId');
+        $accountId = $params['accountId'] ?? null;
+
+        $identity = Yii::$app->user->getIdentity();
+        if ($identity === null) {
+            return false;
+        }
+
+        $account = $identity->getAccount();
+        if ($account === null) {
+            return false;
+        }
+
+        if ($account->id !== (int)$accountId) {
+            return false;
+        }
+
+        if ($account->status !== Account::STATUS_ACTIVE) {
+            return false;
+        }
+
+        $actualRulesOptional = $params['optionalRules'] ?? false;
+        if (!$actualRulesOptional && !$account->isAgreedWithActualRules()) {
+            return false;
+        }
+
+        return true;
+    }
+
+}

api/rbac/rules/OauthClientOwner.php

@@ -0,0 +1,58 @@
+<?php
+declare(strict_types=1);
+
+namespace api\rbac\rules;
+
+use api\rbac\Permissions as P;
+use common\models\OauthClient;
+use Webmozart\Assert\Assert;
+use Yii;
+use yii\rbac\Rule;
+
+class OauthClientOwner extends Rule {
+
+    public $name = 'oauth_client_owner';
+
+    /**
+     * Accepts 2 params:
+     * - clientId - it's the client id, that user want access to.
+     * - accountId - if it is passed to check the VIEW_OAUTH_CLIENTS permission, then it will
+     *               check, that current user have access to the provided account.
+     *
+     * @param string|int     $accessToken
+     * @param \yii\rbac\Item $item
+     * @param array          $params
+     *
+     * @return bool a value indicating whether the rule permits the auth item it is associated with.
+     */
+    public function execute($accessToken, $item, $params): bool {
+        $accountId = $params['accountId'] ?? null;
+        if ($accountId !== null && $item->name === P::VIEW_OWN_OAUTH_CLIENTS) {
+            return (new AccountOwner())->execute($accessToken, $item, ['accountId' => $accountId]);
+        }
+
+        Assert::keyExists($params, 'clientId');
+        /** @var OauthClient|null $client */
+        $client = OauthClient::findOne(['id' => $params['clientId']]);
+        if ($client === null) {
+            return true;
+        }
+
+        $identity = Yii::$app->user->getIdentity();
+        if ($identity === null) {
+            return false;
+        }
+
+        $account = $identity->getAccount();
+        if ($account === null) {
+            return false;
+        }
+
+        if ($account->id !== $client->account_id) {
+            return false;
+        }
+
+        return true;
+    }
+
+}