Added UserObject::$isAuthorizedCallable to allow $user->isAuthorized() customization

CHANGELOG.md

@@ -5,6 +5,7 @@
     * Made `Grav::redirect()` to accept `Route` class
     * Added `translated()` method to `PageTranslateInterface`
     * Added second parameter to `UserObject::isMyself()` method
+    * Added `UserObject::$isAuthorizedCallable` to allow `$user->isAuthorized()` customization
     * Use secure session cookies in HTTPS by default (`system.session.secure_https: true`)
 2. [](#improved)
    * Upgraded vendor libs for PHP 8.1 compatibility

system/src/Grav/Common/Flex/Types/Users/UserObject.php

@@ -79,6 +79,8 @@ class UserObject extends FlexObject implements UserInterface, Countable
 
     /** @var Closure|null */
     static public $authorizeCallable;
+    /** @var Closure|null */
+    static public $isAuthorizedCallable;
 
     /** @var array|null */
     protected $_uploads_original;
@@ -690,6 +692,16 @@ class UserObject extends FlexObject implements UserInterface, Countable
      */
     protected function isAuthorizedOverride(UserInterface $user, string $action, string $scope, bool $isMe = false): ?bool
     {
+        // Check custom application access.
+        $isAuthorizedCallable = static::$isAuthorizedCallable;
+        if ($isAuthorizedCallable instanceof Closure) {
+            $callable = $isAuthorizedCallable->bindTo($this, $this);
+            $authorized = $callable($user, $action, $scope, $isMe);
+            if (is_bool($authorized)) {
+                return $authorized;
+            }
+        }
+
         if ($user instanceof self && $user->getStorageKey() === $this->getStorageKey()) {
             // User cannot delete his own account, otherwise he has full access.
             return $action !== 'delete';