IBX-6592: Allowed Location to be a part of permission check for Obj…

…ect State assignment

eZ/Publish/API/Repository/ObjectStateService.php

@@ -7,6 +7,7 @@
 namespace eZ\Publish\API\Repository;
 
 use eZ\Publish\API\Repository\Values\Content\ContentInfo;
+use eZ\Publish\API\Repository\Values\Content\Location;
 use eZ\Publish\API\Repository\Values\ObjectState\ObjectState;
 use eZ\Publish\API\Repository\Values\ObjectState\ObjectStateCreateStruct;
 use eZ\Publish\API\Repository\Values\ObjectState\ObjectStateGroup;
@@ -172,12 +173,13 @@ public function deleteObjectState(ObjectState $objectState): void;
      *
      * @throws \eZ\Publish\API\Repository\Exceptions\InvalidArgumentException if the object state does not belong to the given group
      * @throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException if the user is not allowed to change the object state
-     *
-     * @param \eZ\Publish\API\Repository\Values\Content\ContentInfo $contentInfo
-     * @param \eZ\Publish\API\Repository\Values\ObjectState\ObjectStateGroup $objectStateGroup
-     * @param \eZ\Publish\API\Repository\Values\ObjectState\ObjectState $objectState
      */
-    public function setContentState(ContentInfo $contentInfo, ObjectStateGroup $objectStateGroup, ObjectState $objectState): void;
+    public function setContentState(
+        ContentInfo $contentInfo,
+        ObjectStateGroup $objectStateGroup,
+        ObjectState $objectState,
+        ?Location $location = null
+    ): void;
 
     /**
      * Gets the object-state of object identified by $contentId.

eZ/Publish/Core/Event/ObjectStateService.php

@@ -26,6 +26,7 @@
 use eZ\Publish\API\Repository\Events\ObjectState\UpdateObjectStateGroupEvent;
 use eZ\Publish\API\Repository\ObjectStateService as ObjectStateServiceInterface;
 use eZ\Publish\API\Repository\Values\Content\ContentInfo;
+use eZ\Publish\API\Repository\Values\Content\Location;
 use eZ\Publish\API\Repository\Values\ObjectState\ObjectState;
 use eZ\Publish\API\Repository\Values\ObjectState\ObjectStateCreateStruct;
 use eZ\Publish\API\Repository\Values\ObjectState\ObjectStateGroup;
@@ -214,7 +215,8 @@ public function deleteObjectState(ObjectState $objectState): void
     public function setContentState(
         ContentInfo $contentInfo,
         ObjectStateGroup $objectStateGroup,
-        ObjectState $objectState
+        ObjectState $objectState,
+        ?Location $location = null
     ): void {
         $eventData = [
             $contentInfo,
@@ -229,7 +231,7 @@ public function setContentState(
             return;
         }
 
-        $this->innerService->setContentState($contentInfo, $objectStateGroup, $objectState);
+        $this->innerService->setContentState($contentInfo, $objectStateGroup, $objectState, $location);
 
         $this->eventDispatcher->dispatch(
             new SetContentStateEvent(...$eventData)

eZ/Publish/Core/Limitation/NewObjectStateLimitationType.php

@@ -127,11 +127,11 @@ public function evaluate(APILimitationValue $value, APIUserReference $currentUse
             return false;
         }
 
-        foreach ($targets as $target) {
-            if (!$target instanceof ObjectState && !$target instanceof SPIObjectState) {
-                throw new InvalidArgumentException('$targets', 'Must contain ObjectState objects');
-            }
+        $targets = array_filter($targets, static function ($target) {
+            return $target instanceof ObjectState || $target instanceof SPIObjectState;
+        });
 
+        foreach ($targets as $target) {
             if (!in_array($target->id, $value->limitationValues)) {
                 return false;
             }

eZ/Publish/Core/Repository/ObjectStateService.php

@@ -12,6 +12,7 @@
 use eZ\Publish\API\Repository\PermissionResolver;
 use eZ\Publish\API\Repository\Repository as RepositoryInterface;
 use eZ\Publish\API\Repository\Values\Content\ContentInfo;
+use eZ\Publish\API\Repository\Values\Content\Location;
 use eZ\Publish\API\Repository\Values\ObjectState\ObjectState as APIObjectState;
 use eZ\Publish\API\Repository\Values\ObjectState\ObjectStateCreateStruct;
 use eZ\Publish\API\Repository\Values\ObjectState\ObjectStateGroup as APIObjectStateGroup;
@@ -463,14 +464,15 @@ public function deleteObjectState(APIObjectState $objectState): void
      *
      * @throws \eZ\Publish\API\Repository\Exceptions\InvalidArgumentException if the object state does not belong to the given group
      * @throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException if the user is not allowed to change the object state
-     *
-     * @param \eZ\Publish\API\Repository\Values\Content\ContentInfo $contentInfo
-     * @param \eZ\Publish\API\Repository\Values\ObjectState\ObjectStateGroup $objectStateGroup
-     * @param \eZ\Publish\API\Repository\Values\ObjectState\ObjectState $objectState
      */
-    public function setContentState(ContentInfo $contentInfo, APIObjectStateGroup $objectStateGroup, APIObjectState $objectState): void
-    {
-        if (!$this->permissionResolver->canUser('state', 'assign', $contentInfo, [$objectState])) {
+    public function setContentState(
+        ContentInfo $contentInfo,
+        APIObjectStateGroup $objectStateGroup,
+        APIObjectState $objectState,
+        ?Location $location = null
+    ): void {
+        $targets = $location !== null ? [$location, $objectState] : [$objectState];
+        if (!$this->permissionResolver->canUser('state', 'assign', $contentInfo, $targets)) {
             throw new UnauthorizedException('state', 'assign', ['contentId' => $contentInfo->id]);
         }
 

eZ/Publish/Core/Repository/SiteAccessAware/ObjectStateService.php

@@ -9,6 +9,7 @@
 use eZ\Publish\API\Repository\LanguageResolver;
 use eZ\Publish\API\Repository\ObjectStateService as ObjectStateServiceInterface;
 use eZ\Publish\API\Repository\Values\Content\ContentInfo;
+use eZ\Publish\API\Repository\Values\Content\Location;
 use eZ\Publish\API\Repository\Values\ObjectState\ObjectState;
 use eZ\Publish\API\Repository\Values\ObjectState\ObjectStateCreateStruct;
 use eZ\Publish\API\Repository\Values\ObjectState\ObjectStateGroup;
@@ -127,9 +128,13 @@ public function deleteObjectState(ObjectState $objectState): void
         $this->service->deleteObjectState($objectState);
     }
 
-    public function setContentState(ContentInfo $contentInfo, ObjectStateGroup $objectStateGroup, ObjectState $objectState): void
-    {
-        $this->service->setContentState($contentInfo, $objectStateGroup, $objectState);
+    public function setContentState(
+        ContentInfo $contentInfo,
+        ObjectStateGroup $objectStateGroup,
+        ObjectState $objectState,
+        ?Location $location = null
+    ): void {
+        $this->service->setContentState($contentInfo, $objectStateGroup, $objectState, $location);
     }
 
     public function getContentState(ContentInfo $contentInfo, ObjectStateGroup $objectStateGroup): ObjectState

eZ/Publish/SPI/Repository/Decorator/ObjectStateServiceDecorator.php

@@ -10,6 +10,7 @@
 
 use eZ\Publish\API\Repository\ObjectStateService;
 use eZ\Publish\API\Repository\Values\Content\ContentInfo;
+use eZ\Publish\API\Repository\Values\Content\Location;
 use eZ\Publish\API\Repository\Values\ObjectState\ObjectState;
 use eZ\Publish\API\Repository\Values\ObjectState\ObjectStateCreateStruct;
 use eZ\Publish\API\Repository\Values\ObjectState\ObjectStateGroup;
@@ -121,9 +122,10 @@ public function deleteObjectState(ObjectState $objectState): void
     public function setContentState(
         ContentInfo $contentInfo,
         ObjectStateGroup $objectStateGroup,
-        ObjectState $objectState
+        ObjectState $objectState,
+        ?Location $location = null
     ): void {
-        $this->innerService->setContentState($contentInfo, $objectStateGroup, $objectState);
+        $this->innerService->setContentState($contentInfo, $objectStateGroup, $objectState, $location);
     }
 
     public function getContentState(