fix(security): PermissionHandler — bypass cache when schema has match rules

The per-request permission cache keys verdicts on
`(schemaId, action, userId, objectOwner, objectUuid)` and reuses them
within the request lifecycle. That is safe for schemas whose
authorization is purely group/role based, but unsafe for schemas
whose auth block contains a `match: { … }` clause: the rule reads
from `$object->getObject()`, which can mutate within a single
request via `saveObject()` / TransitionEngine. A write-then-write
pattern (e.g. batch update) would otherwise return a stale verdict
based on the pre-write field values.

Add `schemaHasMatchRule()` helper that walks the schema's
authorization block once and reports whether any entry carries a
non-empty `match`. `buildPermissionCacheKey()` returns null when it
does, forcing each call to re-evaluate the rule chain against fresh
object data. Cost: a hot-path per-request cache miss for the
specific schemas that opt into conditional rules — acceptable trade
versus the correctness regression.

Refs: #1419 review (concern 5) — discussion_r3187494474

Author: rubenvdlinde

lib/Service/Object/PermissionHandler.php

@@ -210,7 +210,8 @@ public function hasPermission(
             action: $action,
             userId: $userId,
             objectOwner: $objectOwner,
-            object: $object
+            object: $object,
+            schema: $schema
         );
         if ($cacheKey !== null && array_key_exists($cacheKey, $this->permissionCache) === true) {
             return $this->permissionCache[$cacheKey];
@@ -253,12 +254,24 @@ private function buildPermissionCacheKey(
         string $action,
         ?string $userId,
         ?string $objectOwner,
-        ?ObjectEntity $object
+        ?ObjectEntity $object,
+        ?Schema $schema=null
     ): ?string {
         if ($schemaId === null) {
             return null;
         }
 
+        // SECURITY: when the schema's authorization block contains any
+        // `match` rule, the verdict depends on the *current* object data
+        // — which may change within a single request via saveObject() /
+        // TransitionEngine. Cache reuse keyed on the (stable) object UUID
+        // would otherwise serve a pre-mutation verdict to a post-mutation
+        // re-check. Drop the cache for schemas with match rules so each
+        // call re-evaluates the rule chain against fresh data.
+        if ($schema !== null && $this->schemaHasMatchRule(schema: $schema) === true) {
+            return null;
+        }
+
         $objectUuid = null;
         if ($object !== null) {
             $objectUuid = $object->getUuid();
@@ -278,6 +291,45 @@ private function buildPermissionCacheKey(
         );
     }//end buildPermissionCacheKey()
 
+    /**
+     * Detect whether a schema's authorization block contains any
+     * conditional `match` rules.
+     *
+     * Used to disable the per-request permission cache for schemas
+     * whose verdict depends on the current object data — see
+     * {@see buildPermissionCacheKey()}.
+     *
+     * @param Schema $schema Schema to inspect.
+     *
+     * @return bool True when at least one authorization entry carries
+     *              a non-empty `match` block.
+     */
+    private function schemaHasMatchRule(Schema $schema): bool
+    {
+        $authorization = $schema->getAuthorization();
+        if (is_array($authorization) === false || $authorization === []) {
+            return false;
+        }
+
+        foreach ($authorization as $action => $entries) {
+            if (is_array($entries) === false) {
+                continue;
+            }
+
+            foreach ($entries as $entry) {
+                if (is_array($entry) === true
+                    && isset($entry['match']) === true
+                    && empty($entry['match']) === false
+                ) {
+                    return true;
+                }
+            }
+        }
+
+        return false;
+
+    }//end schemaHasMatchRule()
+
     /**
      * Evaluate the full RBAC rule chain for a permission check.
      *