private function checkCapability(PhabricatorPolicyInterface $object, $capability)
 {
     $policy = $this->getObjectPolicy($object, $capability);
     if (!$policy) {
         // TODO: Formalize this somehow?
         $policy = PhabricatorPolicies::POLICY_USER;
     }
     if ($policy == PhabricatorPolicies::POLICY_PUBLIC) {
         // If the object is set to "public" but that policy is disabled for this
         // install, restrict the policy to "user".
         if (!PhabricatorEnv::getEnvConfig('policy.allow-public')) {
             $policy = PhabricatorPolicies::POLICY_USER;
         }
         // If the object is set to "public" but the capability is not a public
         // capability, restrict the policy to "user".
         $capobj = PhabricatorPolicyCapability::getCapabilityByKey($capability);
         if (!$capobj || !$capobj->shouldAllowPublicPolicySetting()) {
             $policy = PhabricatorPolicies::POLICY_USER;
         }
     }
     $viewer = $this->viewer;
     if ($viewer->isOmnipotent()) {
         return true;
     }
     if ($object instanceof PhabricatorSpacesInterface) {
         $space_phid = $object->getSpacePHID();
         if (!$this->canViewerSeeObjectsInSpace($viewer, $space_phid)) {
             $this->rejectObjectFromSpace($object, $space_phid);
             return false;
         }
     }
     if ($object->hasAutomaticCapability($capability, $viewer)) {
         return true;
     }
     switch ($policy) {
         case PhabricatorPolicies::POLICY_PUBLIC:
             return true;
         case PhabricatorPolicies::POLICY_USER:
             if ($viewer->getPHID()) {
                 return true;
             } else {
                 $this->rejectObject($object, $policy, $capability);
             }
             break;
         case PhabricatorPolicies::POLICY_ADMIN:
             if ($viewer->getIsAdmin()) {
                 return true;
             } else {
                 $this->rejectObject($object, $policy, $capability);
             }
             break;
         case PhabricatorPolicies::POLICY_NOONE:
             $this->rejectObject($object, $policy, $capability);
             break;
         default:
             if (PhabricatorPolicyQuery::isObjectPolicy($policy)) {
                 if ($this->checkObjectPolicy($policy, $object)) {
                     return true;
                 } else {
                     $this->rejectObject($object, $policy, $capability);
                     break;
                 }
             }
             $type = phid_get_type($policy);
             if ($type == PhabricatorProjectProjectPHIDType::TYPECONST) {
                 if (!empty($this->userProjects[$viewer->getPHID()][$policy])) {
                     return true;
                 } else {
                     $this->rejectObject($object, $policy, $capability);
                 }
             } else {
                 if ($type == PhabricatorPeopleUserPHIDType::TYPECONST) {
                     if ($viewer->getPHID() == $policy) {
                         return true;
                     } else {
                         $this->rejectObject($object, $policy, $capability);
                     }
                 } else {
                     if ($type == PhabricatorPolicyPHIDTypePolicy::TYPECONST) {
                         if ($this->checkCustomPolicy($policy, $object)) {
                             return true;
                         } else {
                             $this->rejectObject($object, $policy, $capability);
                         }
                     } else {
                         // Reject objects with unknown policies.
                         $this->rejectObject($object, false, $capability);
                     }
                 }
             }
     }
     return false;
 }