Permissions and access

Permissions

Defined in moderation_note.permissions.yml:

Permission	Description
`access moderation notes`	View moderation notes.
`create moderation notes`	Create notes on moderated entities.
`create moderation notes on uneditable entities`	Create notes when the user cannot edit the entity.
`create moderation note replies`	Reply to existing notes (also implied by `create moderation notes`).
`resolve moderation notes`	Resolve notes (mark as resolved).
`resolve moderation notes on editable entities`	Resolve notes when the user can edit the notated entity (in addition to note owner).
`administer moderation notes`	Full admin; restrict access.

Entity access is handled by Drupal\moderation_note\AccessControlHandler (moderation_note.access handler).

Operation	Rules
view	`access moderation notes` or `administer moderation notes`, and user can view the moderated entity.
create	`_moderation_note_on_entity()` allows, or `administer moderation notes`.
update	Note owner or admin, and note is published.
delete	Note owner or admin, and (note is a reply or note is unpublished).
reply	`create moderation note replies` or `create moderation notes` or `administer moderation notes`.
resolve	Note owner or admin, or `resolve moderation notes on editable entities` + user can update the moderated entity; only top-level notes (no parent).

_moderation_note_on_entity(EntityInterface $entity, ?AccountInterface $account) (in moderation_note.module):

Allowed if user has create moderation notes.
Or if user has create moderation notes on uneditable entities and does not have update access on the entity.

So “create on uneditable” is for reviewers who can comment but not edit.

resolve moderation notes: typically the note author (or admin) can resolve.
resolve moderation notes on editable entities: users who can edit the notated entity can also resolve the note, even if they are not the note owner.

Access results are cached per permissions and per user; they also add the entity as a cacheable dependency.