The permissions plugin is used to verify access is allowed to the current or another user.
The plugin is written so you can send a signal to check whether any given user has access to any given URI. This is particularly useful to test whether a box can or cannot be shown. This also works with a very low granularity. For example, a menu item can be hidden because its destination page is not anyway accessible by that user.
The plugin first checks whether the permission information for the feat were cached. If so, it uses the cached permissions. The cached permissions are discarded after a relatively small amount of time, just in case the cache does not properly get updated when something changed.
When no cached data is available, the permissions plugin sends various signals to check that each plugin gives and does not give sets of permissions. Once that is done, the new data gets saved in the cache for later reuse.
A plugin can do two things:
The path plugin always calls the permissions plugin first to make sure the user has permission before checking whether a plugin will take care of the page. If the page can be accessed by the user, then the path proceeds and lets the system generate the page. If the cannot be accessed, the path plugin just returns a 403 Page Not Accessible error.