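identityLock) {
            throw new \RuntimeException('Identity is already locked and cannot be changed.');
        }
        $this->identityData = $identity;
        $this->identityLock = $lock;
    }

    /**
     * Returns the identity currently held by this object, or null when none is set.
     */
    public function identity(): ?User
    {
        return $this->identityData;
    }

    /**
     * Returns the identity's id, or null when no identity is set.
     */
    public function identifier(): ?string
    {
        return $this->identityData?->getId();
    }

    /**
     * Returns the identity's label, or null when no identity is set.
     */
    public function label(): ?string
    {
        return $this->identityData?->getLabel();
    }

    /**
     * Returns the identity's e-mail address, or null when no identity is set.
     */
    public function mailAddress(): ?string
    {
        return $this->identityData?->getEmail();
    }

    /**
     * Returns the identity's first name, or null when no identity is set.
     */
    public function nameFirst(): ?string
    {
        return $this->identityData?->getFirstName();
    }

    /**
     * Returns the identity's last name, or null when no identity is set.
     */
    public function nameLast(): ?string
    {
        return $this->identityData?->getLastName();
    }

    /**
     * Returns the identity's permissions.
     *
     * Falls back to an empty array when no identity is set or when
     * getPermissions() yields null, so an absent identity holds no permissions.
     */
    public function permissions(): array
    {
        return $this->identityData?->getPermissions() ?? [];
    }

    /**
     * Returns the identity's roles.
     *
     * Falls back to an empty array when no identity is set or when
     * getRoles() yields null.
     */
    public function roles(): array
    {
        return $this->identityData?->getRoles() ?? [];
    }

    /**
     * Decides whether the current identity holds the given permission.
     *
     * A permission is granted when one of the following holds, checked in order:
     *  1. the exact permission string is present in the list;
     *  2. the list holds a prefix wildcard such as "users.*" and the requested
     *     permission starts with "users.";
     *  3. the list holds the full wildcard "*".
     *
     * @param string $permission Permission name to check.
     *
     * @return bool True when the permission is granted, false otherwise
     *              (including when no identity is set).
     */
    public function hasPermission(string $permission): bool
    {
        $permissions = $this->permissions();

        // Strict comparison on purpose: with loose `==` a non-string entry in the
        // list (for example boolean true) compares equal to any non-empty
        // permission name and would silently grant access.
        if (in_array($permission, $permissions, true)) {
            return true;
        }

        foreach ($permissions as $userPerm) {
            // Only string entries can be wildcards; anything else is ignored
            // instead of being coerced or raising a TypeError.
            if (!is_string($userPerm) || !str_ends_with($userPerm, '.*')) {
                continue;
            }

            // Drop the trailing ".*" and require the separator dot, so that
            // "users.*" matches "users.edit" but not "usersadmin.edit".
            $prefix = substr($userPerm, 0, -2);
            if (str_starts_with($permission, $prefix . '.')) {
                return true;
            }
        }

        // The full wildcard must be the literal string "*", compared strictly
        // for the same reason as the exact match above.
        return in_array('*', $permissions, true);
    }

    /**
     * Decides whether the current identity holds the given role.
     *
     * @param string $role Role name to check.
     *
     * @return bool True only when the exact role string is present in the list.
     */
    public function hasRole(string $role): bool
    {
        // Strict comparison so that non-string entries cannot match by coercion.
        return in_array($role, $this->roles(), true);
    }
}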