-- SPDX-FileCopyrightText: 2022-2024 Sarah Vaupel <sarah.vaupel@uniworx.de>, Gregor Kleen <gregor.kleen@ifi.lmu.de>, Sarah Vaupel <sarah.vaupel@ifi.lmu.de>, Steffen Jost <jost@tcs.ifi.lmu.de>, Wolfgang Witt <Wolfgang.Witt@campus.lmu.de>
--
-- SPDX-License-Identifier: AGPL-3.0-or-later

--
--  Access is granted via tags; the default is no access.
--  Permission must be explicitly granted.
--
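--  Access permission is the disjunction of the permit tags on a route:
--  access is granted if any one of them permits it.
--  Each tag is split on "AND" to encode conjunction, e.g. !selfANDis-pw-hash
--  requires both `self` and `is-pw-hash`.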
--
--  Note that nested routes automatically inherit all tags from the parent.
--
--  Admins always have access to entities within their assigned schools.
--
--  Access tags are defined in Model.Types.Security
--
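--  Access Tags (this list is not exhaustive; the routes below also use tags
--  that are not described here, and a tag prefixed with ¬ is used negated):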
--    !free           -- free for all
--    !lecturer       -- lecturer    for this course (or for any school, if route is not connected to a course)
--    !corrector      -- corrector   for this sheet  (or the submission, if route is connected to a submission, or the course, if route is not connected to a sheet, or any course, if route is not connected to a course)
--    !course-registered     -- participant for this course (no effect outside of courses)
--    !tutorial-registered   -- participant for this tutorial (no effect outside of courses)
--    !participant    -- connected with a given course (not necessarily registered), i.e. has a submission, is a corrector, etc. (no effect outside of courses)
--
--    !register-group -- user is member in no other tutorial with same register group
--
--    !owner          -- part of the group of owners of this submission
--    !self           -- route refers to the currently logged in user themselves
--    !capacity       -- course this route is associated with has at least one unit of participant capacity
--    !empty          -- course this route is associated with has no participants whatsoever
--
--    !is-ldap        -- user has authentication mode set to LDAP
--    !is-pw-hash     -- user has authentication mode set to PWHash
--
--    !materials      -- only if course allows all materials to be free (no meaning outside of courses)
--    !time           -- access depends on time somehow
--    !read           -- only if it is read-only access (i.e. GET but not POST)
--    !write          -- only if it is write access     (i.e. POST only, included for completeness)
--
--    !token          -- requires bearer token
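--    !no-escalation  -- (not described here; used together with admin on the hijack route below, see Model.Types.Security for its exact meaning)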
--    !deprecated     -- like free, but logs and gives a warning; entirely disabled in production
--    !development    -- like free, but only for development builds

-- Static assets and the authentication subsite are open to everyone (!free).
-- NOTE(review): presumably AuthR has to be reachable before login; confirm.
/static StaticR EmbeddedStatic appStatic                      !free

/auth   AuthR   Auth   getAuth                                !free

-- NOTE(review): MetricsR is readable without authentication. The trailing
-- comment on the route already questions this; until it is settled, check what
-- the metrics output discloses about the deployment.
/metrics     MetricsR GET																			!free -- verify if this can be free

/err                          ErrorR           GET            !free

/                             NewsR            GET            !free
-- User administration. Routes without any tag fall under the default-deny
-- rule from the header, which leaves them reachable by admins only.
/users                        UsersR           GET POST       -- no tags, i.e. admins only
/users/#CryptoUUIDUser        AdminUserR       GET POST
/users/#CryptoUUIDUser/delete AdminUserDeleteR     POST
-- Impersonation of another account: `admin` and `no-escalation` are joined by
-- AND, so both must hold.
-- NOTE(review): the header states that admins always have access within their
-- schools. For `no-escalation` to have any effect this conjunction has to take
-- precedence over that blanket rule; confirm in the tag evaluation code.
/users/#CryptoUUIDUser/hijack AdminHijackUserR GET POST       !adminANDno-escalation
-- `self`: the user id in the path must be the currently logged-in user.
/users/#CryptoUUIDUser/notifications  UserNotificationR           GET POST   !self
-- Password change: only for the user themselves and only while their
-- authentication mode is PWHash.
/users/#CryptoUUIDUser/password       UserPasswordR               GET POST   !selfANDis-pw-hash
-- The `!` in front of a path is Yesod route syntax (it disables the overlap
-- check for that route); it is not an access tag. These three routes carry no
-- tags and are therefore admin-only.
!/users/functionary-invite/new        AdminNewFunctionaryInviteR  GET POST
!/users/functionary-invite            AdminFunctionaryInviteR     GET POST
!/users/add                   AdminUserAddR    GET POST
-- Admin area: no tags on any route, i.e. admin-only by default.
/admin                        AdminR           GET
/admin/test                   AdminTestR       GET POST
/admin/test/pdf               AdminTestPdfR    GET
/admin/errMsg                 AdminErrMsgR     GET POST
/admin/tokens                 AdminTokensR     GET POST
/admin/crontab                AdminCrontabR    GET
/admin/crontab/jobs           AdminJobsR       GET POST
/admin/avs                    AdminAvsR        GET POST
/admin/avs/#CryptoUUIDUser    AdminAvsUserR    GET
/admin/ldap                   AdminLdapR       GET POST
/admin/problems               AdminProblemsR			 GET
/admin/problems/no-contact    ProblemUnreachableR  GET
/admin/problems/no-avs-id     ProblemWithoutAvsId  GET
/admin/problems/r-without-f   ProblemFbutNoR       GET
/admin/problems/avs  					ProblemAvsSynchR 		 GET POST
/admin/problems/avs/errors		ProblemAvsErrorR 		 GET

-- Print centre: every route except /print/send requires `system-printer`
-- (a tag that is not described in the header).
-- NOTE(review): /print/send carries no tag, so under the default rule it is
-- admin-only; confirm this is intended and not a missing tag.
/print                                PrintCenterR    GET POST  !system-printer
/print/acknowledge/#Day/#Int/#Int     PrintAckR       GET POST  !system-printer
/print/acknowledge/direct             PrintAckDirectR GET POST  !system-printer
/print/send                           PrintSendR      GET POST
/print/download/#CryptoUUIDPrintJob   PrintDownloadR  GET       !system-printer
/print/log                            PrintLogR       GET       !system-printer

-- Public information and health endpoints: all !free, i.e. readable without
-- any permission check at the routing layer.
-- NOTE(review): what /health, /instance, /version and /status disclose about
-- the deployment is decided in the handlers, not here; review their output
-- with unauthenticated readers in mind.
/health                       HealthR           GET             !free
/health/interface/+Texts      HealthInterfaceR  GET             !free
/instance                     InstanceR         GET             !free
/info                         InfoR             GET             !free
/info/lecturer                InfoLecturerR     GET             !free
/info/supervisor              InfoSupervisorR   GET             !free
/info/legal                   LegalR            GET             !free
/info/glossary                GlossaryR         GET             !free
/info/faq                     FaqR              GET             !free
/info/terms-of-use            TermsOfUseR       GET             !free
/info/payments                PaymentsR         GET             !free
/imprint                      ImprintR          GET             !free
/data-protection              DataProtectionR   GET             !free
/version                      VersionR          GET             !free
/status                       StatusR           GET             !free

-- The help route accepts POST as well as GET and is open to everyone.
/help                         HelpR            GET POST         !free

-- Servant subsite mounted without any access tag.
-- NOTE(review): how requests into this subsite are authorised is not visible
-- in this file; confirm that it is enforced inside the subsite.
/external-apis ExternalApisR ServantApiExternalApis getServantApi

-- Own-profile routes. !free places no restriction at the routing layer.
-- NOTE(review): these paths carry no user id, so presumably the handlers act on
-- the logged-in user and require a login themselves; confirm, in particular for
-- the routes that accept POST.
/user                      ProfileR            GET POST         !free
/user/profile              ProfileDataR        GET              !free
/user/authpreds            AuthPredsR          GET POST         !free
/user/set-display-email    SetDisplayEmailR    GET POST         !free
/user/csv-options          CsvOptionsR         GET POST         !free
/user/lang                 LangR                   POST         !free
/user/storage-key          StorageKeyR             POST         !free

-- Profile of another user: two separate tags, so either one suffices
-- (`supervisor` or `self`). `supervisor` is not described in the header.
/for/#CryptoUUIDUser/user         ForProfileR       GET POST    !supervisor !self
/for/#CryptoUUIDUser/user/profile ForProfileDataR   GET         !supervisor !self

-- Company ("firm") management. No route here carries a tag; the inline
-- comments mark !supervisor as planned but not enabled, so under the
-- default-deny rule only admins reach these routes for now.
/firms                          FirmAllR            GET POST		-- not yet !supervisor
/firms/comm/+Companies          FirmsCommR          GET POST
/firm/#CompanyShorthand/comm    FirmCommR						GET POST
/firm/#CompanyShorthand         FirmUsersR          GET POST    -- not yet !supervisor
/firm/#CompanyShorthand/supers  FirmSupersR         GET POST    -- not yet !supervisor

-- Exam-office area. The parent tag `exam-office` is inherited by all children
-- (see header); /fields has no tag of its own and relies on it alone.
-- NOTE(review): neither `exam-office` nor `system-exam-office` is described in
-- the header; how the child tag combines with the inherited one should be
-- confirmed in Model.Types.Security.
/exam-office               ExamOfficeR                         !exam-office:
  /                        EOExamsR            GET POST        !system-exam-office
  /fields                  EOFieldsR           GET POST
  /users                   EOUsersR            GET POST        !system-exam-office
  /users/invite            EOUsersInviteR      GET POST        !system-exam-office

-- External exams. The list route accepts `lecturer` or the negated tag `¬empty`.
-- NOTE(review): the header describes `empty` only for courses; what it tests
-- on this course-less route is not visible here.
/external-exam             EExamListR          GET             !lecturer !¬empty
/external-exam/new         EExamNewR           GET POST        !lecturer
-- Children of EExamR inherit `lecturer`; routes without further tags (edit,
-- users, staff-invite, correct) rely on it alone. EEShowR and EEGradesR
-- additionally name `exam-office` (and `exam-result` for EEShowR).
/external-exam/#TermId/#SchoolId/#CourseName/#ExamName EExamR  !lecturer:
  /                        EEShowR             GET             !exam-office !exam-result
  /edit                    EEEditR             GET POST
  /users                   EEUsersR            GET POST
  /grades                  EEGradesR           GET POST        !exam-office
  /staff-invite            EEStaffInviteR      GET POST
  /correct                 EECorrectR          GET POST


-- Term listings are public (!free). The two edit routes carry no tag and are
-- therefore admin-only. The leading `!` on the last two paths is the Yesod
-- overlap-check marker, not an access tag.
/term                      TermShowR           GET             !free
/term/current              TermCurrentR        GET             !free
/term/edit                 TermEditR           GET POST
/term/#TermId/edit         TermEditExistR      GET POST
!/term/#TermId             TermCourseListR     GET             !free
!/term/#TermId/#SchoolId   TermSchoolCourseListR  GET          !free


-- School administration: no tags on the parent or the child, so every route
-- here is admin-only under the default-deny rule. The `!` in front of
-- /school/new is the overlap-check marker, not an access tag.
/school                    SchoolListR         GET
!/school/new               SchoolNewR          GET POST
/school/#SchoolId          SchoolR:
  /                        SchoolEditR         GET POST


-- Participant lists across courses require `evaluation`, a tag that is not
-- described in the header (see Model.Types.Security).
/participants                   ParticipantsListR GET            !evaluation
/participants/#TermId/#SchoolId ParticipantsR     GET            !evaluation
/participants/intersect         ParticipantsIntersectR GET POST  !evaluation


-- For Pattern Synonyms see Foundation
-- The course list is public; creating a course requires `lecturer`. The `!`
-- in front of a path is the Yesod overlap-check marker, not an access tag.
/course/                    CourseListR        GET             !free
!/course/new                CourseNewR         GET POST        !lecturer
-- All routes nested under CourseR inherit `lecturer` (see header). A child
-- without tags of its own is thus limited to lecturers of the course and admins.
/course/#TermId/#SchoolId/#CourseShorthand CourseR             !lecturer:
  /                           CShowR           GET             !tutor !corrector !exam-corrector !course-registered !course-time !evaluation !exam-office
  /favourite                  CFavouriteR      GET POST        !free
  -- Three OR-ed alternatives. The first two are conjunctions that differ in
  -- `¬course-registered` versus `course-registered`, presumably covering
  -- registration and deregistration; the third is `lecturer`.
  /register                   CRegisterR       GET POST        !timeANDcapacityAND¬course-registeredANDcourse-time !timeAND¬exam-resultANDcourse-registered !lecturer
  /edit                       CEditR           GET POST
  /lecturer-invite            CLecInviteR      GET POST
  -- NOTE(review): `lecturerANDempty` sits below the inherited `lecturer`. Read
  -- as a plain disjunction, the inherited tag alone would already permit
  -- deleting a course that still has participants; confirm that the more
  -- specific conjunction takes precedence in the tag evaluation code.
  /delete                     CDeleteR         GET POST        !lecturerANDempty
  /users                      CUsersR          GET POST
  !/users/new                 CAddUserR        GET POST        !lecturer
  /users/#CryptoUUIDUser      CUserR           GET POST        !lecturerANDparticipant !lecturer
  /correctors                 CHiWisR          GET
  /communication              CCommR           GET POST
  /notes                      CNotesR          GET POST        !corrector -- THIS route is used to check for overall course corrector access!
  /exam-office                CExamOfficeR     GET POST        !course-registered
  /subs                       CCorrectionsR    GET POST
  /subs/assigned              CAssignR         GET POST
  /sheet                      SheetListR       GET             !course-registered !materialsANDcourse-time !corrector !tutor
  /sheet/new                  SheetNewR        GET POST
  /sheet/current              SheetCurrentR    GET             !course-registered !materialsANDcourse-time !corrector !tutor
  /sheet/unassigned           SheetOldUnassignedR  GET
  -- Sheet sub-tree. SheetR adds no tag of its own, so its children inherit only
  -- `lecturer` from CourseR; untagged children are lecturer-only (and admins).
  /sheet/#SheetName SheetR:
    /show                       SShowR         GET             !timeANDcourse-registered !timeANDmaterialsANDcourse-time !corrector !timeANDtutor
    /show/download              SArchiveR      GET             !timeANDcourse-registeredANDexam-registered !timeANDmaterialsANDexam-registeredANDcourse-time !corrector !timeANDtutor
    /edit                       SEditR         GET POST
    /delete                     SDelR          GET POST
    /subs                       SSubsR         GET POST        -- for lecturer only
    -- Creating a submission: one single conjunction, every listed tag must hold.
    !/subs/new                  SubmissionNewR GET POST        !timeANDcourse-registeredANDuser-submissionsANDsubmission-groupANDexam-registeredANDpersonalised-sheet-files
    -- NOTE(review): !free imposes no check at the routing layer; presumably the
    -- handler resolves the caller's own submission only. Confirm.
    !/subs/own                  SubmissionOwnR GET             !free
    !/subs/assign               SAssignR       GET POST        !lecturerANDtime
    /subs/#CryptoFileNameSubmission SubmissionR:
      -- Three alternatives: the owner under the full set of submission
      -- conditions, or owner / corrector combined with `read`, which the
      -- header defines as GET but not POST.
      /                         SubShowR       GET POST        !ownerANDtimeANDuser-submissionsANDsubmission-groupANDexam-registeredANDpersonalised-sheet-files !ownerANDread !correctorANDread
      /delete                   SubDelR        GET POST        !ownerANDtimeANDuser-submissionsANDexam-registeredANDpersonalised-sheet-files
      /assign                   SubAssignR     GET POST        !lecturerANDtime
      /correction               CorrectionR    GET POST        !corrector !ownerANDreadANDratedANDexam-time
      /invite                   SInviteR       GET POST        !ownerANDtimeANDuser-submissionsANDsubmission-groupANDexam-registeredANDpersonalised-sheet-files
      -- Correctors see authorship statements only when `correction-anonymous`
      -- does not hold (negated tag).
      /authorship-statements    SubAuthorshipStatementsR GET   !owner !correctorAND¬correction-anonymous
      !/#SubmissionFileType     SubArchiveR    GET             !owner !corrector
      -- NOTE(review): *FilePath is taken from the URL; the handler should look
      -- it up among the files stored for this submission only. Confirm.
      !/#SubmissionFileType/*FilePath SubDownloadR  GET        !owner !corrector
    /iscorrector                SIsCorrR       GET             !corrector -- Route is used to check for corrector access to this sheet
    /pseudonym                  SPseudonymR    GET POST        !course-registeredANDcorrector-submissionsANDexam-registered
    /corrector-invite/          SCorrInviteR   GET POST
    /personalised-files         SPersonalFilesR GET
    -- NOTE(review): the `materials` alternative on the next two routes lacks
    -- the `course-time` conjunct that /show/download (SArchiveR) carries;
    -- confirm the difference is intended.
    !/#SheetFileType            SZipR          GET             !timeANDcourse-registeredANDexam-registered !timeANDmaterialsANDexam-registered !corrector !timeANDtutor
    !/#SheetFileType/*FilePath  SFileR         GET             !timeANDcourse-registeredANDexam-registered !timeANDmaterialsANDexam-registered !corrector !timeANDtutor
  -- Course material. Creating, editing and deleting material carries no tag
  -- beyond the `lecturer` inherited from CourseR. The read routes accept
  -- registered participants, anyone while `materials` and `course-time` hold
  -- (the header describes `materials` as "course allows all materials to be
  -- free"), correctors, or tutors.
  /file                          MaterialListR GET             !course-registered !materialsANDcourse-time !corrector !tutor
  /file/new                      MaterialNewR  GET POST
  /file/#MaterialName MaterialR:
    /edit                       MEditR         GET POST
    /delete                     MDelR          GET POST
    /show                       MShowR         GET             !timeANDcourse-registered !timeANDmaterialsANDcourse-time !corrector !tutor
    !/download                  MArchiveR      GET             !timeANDcourse-registered !timeANDmaterialsANDcourse-time !corrector !tutor
    -- NOTE(review): *FilePath comes from the URL; the handler should resolve it
    -- against the files stored for this material only. Confirm.
    !/download/*FilePath        MFileR         GET             !timeANDcourse-registered !timeANDmaterialsANDcourse-time !corrector !tutor
    /video/#CryptoUUIDMaterialFile MVideoR        GET             !timeANDcourse-registered !timeANDmaterialsANDcourse-time !corrector !tutor
  -- Tutorials. Creating and deleting a tutorial carries no tag beyond the
  -- inherited `lecturer`. `tutor` and `tutor-control` are not described in
  -- the header.
  /tuts                         CTutorialListR GET             !tutor -- THIS route is used to check for overall course tutor access!
  /tuts/new                     CTutorialNewR  GET POST
  /tuts/#TutorialName TutorialR:
    /edit                     TEditR           GET POST        !tutorANDtutor-control
    /delete                   TDeleteR         GET POST
    /participants             TUsersR          GET POST        !tutor
    /participants/add         TAddUserR        GET POST        !tutor
    -- POST only. Two alternatives: the first requires `course-registered`,
    -- free capacity and the `register-group` rule from the header; the second
    -- requires `tutorial-registered`, presumably for leaving the tutorial.
    /register                 TRegisterR           POST        !timeANDcapacityANDcourse-registeredANDregister-group !timeANDtutorial-registered
    /communication            TCommR           GET POST        !tutor
    /tutor-invite             TInviteR         GET POST        !tutorANDtutor-control
  -- Exams. ExamR adds no tag of its own; untagged children (edit, invites,
  -- user management, assign-occurrences) rely on the `lecturer` inherited from
  -- CourseR alone.
  /exams                        CExamListR     GET             !tutor !corrector !exam-corrector !course-registered !course-time !exam-office
  /exams/new                    CExamNewR      GET POST
  /exams/#ExamName ExamR:
    -- Every alternative except `exam-office` is combined with `time`.
    /show                       EShowR         GET             !timeANDtutor !timeANDcorrector !timeANDexam-corrector !timeANDcourse-registered !timeANDcourse-time !exam-office
    /edit                       EEditR         GET POST
    /corrector-invite           ECInviteR      GET POST
    /users                      EUsersR        GET POST
    /users/new                  EAddUserR      GET POST
    /users/invite               EInviteR       GET POST
    -- Registration routes are POST only. In each pair the second alternative
    -- requires an existing registration and `¬exam-result`, i.e. it no longer
    -- applies once a result exists.
    /register                   ERegisterR         POST        !timeANDcourse-registeredAND¬exam-registered !timeANDexam-registeredAND¬exam-result
    /register/#ExamOccurrenceName ERegisterOccR    POST        !exam-occurrence-registrationANDtimeANDcapacityANDcourse-registeredAND¬exam-occurrence-registered !exam-occurrence-registrationANDtimeANDexam-occurrence-registeredAND¬exam-result
    /grades                     EGradesR       GET POST        !exam-office
    /assign-occurrences         EAutoOccurrenceR   POST
    /correct                    ECorrectR      GET POST        !exam-correctorANDtime
  -- Course news and events. Adding, editing and deleting carry no tag beyond
  -- the inherited `lecturer`. Reading news and downloading its attachments
  -- requires `time` and `participant`; per the header, `participant` means
  -- connected with the course, not necessarily registered.
  !/news/add                    CNewsNewR      GET POST
  /news/#CryptoUUIDCourseNews CourseNewsR:
    /                           CNShowR        GET             !timeANDparticipant
    /edit                       CNEditR        GET POST
    /delete                     CNDeleteR      GET POST
    !/download                  CNArchiveR     GET             !timeANDparticipant
    -- NOTE(review): *FilePath comes from the URL; the handler should resolve it
    -- against the files attached to this news item only. Confirm.
    !/download/*FilePath        CNFileR        GET             !timeANDparticipant
  !/events/add                  CEventsNewR    GET POST
  /events/#CryptoUUIDCourseEvent CourseEventR:
    /edit                       CEvEditR       GET POST
    /delete                     CEvDeleteR     GET POST
  /personalised-sheet-files     CPersonalFilesR GET


-- Cross-course correction views, open to correctors or lecturers. These routes
-- are not connected to a course, so per the header `corrector` here means
-- corrector for any course and `lecturer` means lecturer for any school.
-- NOTE(review): the tags only admit the role; limiting the listed submissions
-- to those the caller may see has to happen in the handlers. Confirm.
/subs          CorrectionsR          GET POST !corrector !lecturer
/subs/upload   CorrectionsUploadR    GET POST !corrector !lecturer
/subs/create   CorrectionsCreateR    GET POST !corrector !lecturer
/subs/grade    CorrectionsGradeR     GET POST !corrector !lecturer
/subs/download CorrectionsDownloadR  GET      !corrector !lecturer


-- System messages. The list route has no tag and is therefore admin-only.
-- MessageR lists POST, but its only tag includes `read` (GET but not POST per
-- the header), so the POST side is not opened by that tag.
-- `authentication` is not described in the header.
/msgs                                MessageListR  GET POST
/msg/#{CryptoUUIDSystemMessage}      MessageR      GET POST        !timeANDreadANDauthentication
/msg/#{CryptoUUIDSystemMessage}/hide MessageHideR      POST        !timeANDauthentication


-- NOTE(review): a PUT upload endpoint with no restriction at the routing layer
-- (!free). Authentication, size limits and what happens to the uploaded data
-- must therefore all be enforced by the handler; confirm that they are.
/upload        UploadR               PUT      !free


-- Root-level route matching a bare UUID; open to everyone. The inline comment
-- describes it as a redirect only.
-- NOTE(review): presumably access is checked again on the redirect target;
-- confirm that the redirect itself does not reveal which ids exist.
!/#UUID CryptoUUIDDispatchR GET                               !free -- just redirect
-- !/*{CI FilePath} CryptoFileNameDispatchR GET                  !free -- Disabled until preliminary check for valid cID exists

-- Qualification pages are !free, including the POST on QualificationR.
-- NOTE(review): with !free the routing layer performs no check, so any
-- restriction on that POST has to be enforced in the handler; confirm.
/qualification                                          QualificationAllR           GET       !free
/qualification/#SchoolId                                QualificationSchoolR        GET       !free
/qualification/#SchoolId/#QualificationShorthand        QualificationR              GET POST  !free
-- /qualification/#SchoolId/#QualificationShorthand/#CryptoUUIDUser QualificationUserR GET -- see LmsUserR
-- NOTE(review): `!token` below is inside a comment and therefore inactive. The
-- route currently carries no tag at all, which under the default-deny rule
-- leaves it admin-only; bearer-token access for the SAP export stays
-- unavailable until the TODO is resolved.
/qualifications/sap/direct                              QualificationSAPDirectR     GET  -- !token -- SAP EXPORT -- TODO reinstate token requirement


-- LMS
-- LMS administration. Only the two */direct routes carry a tag (`token`,
-- i.e. a bearer token is required per the header); every other route here has
-- no tag and is admin-only under the default-deny rule.
/lms                                                        LmsAllR                 GET POST
/lms/#SchoolId                                              LmsSchoolR              GET
/lms/#SchoolId/#QualificationShorthand                      LmsR  				          GET POST
/lms/#SchoolId/#QualificationShorthand/edit                 LmsEditR			          GET POST
-- new V2 LMS Interface
/lms/#SchoolId/#QualificationShorthand/learners             LmsLearnersR	          GET
/lms/#SchoolId/#QualificationShorthand/learners/direct      LmsLearnersDirectR	    GET       !token -- LMS
/lms/#SchoolId/#QualificationShorthand/report               LmsReportR              GET POST
/lms/#SchoolId/#QualificationShorthand/report/upload        LmsReportUploadR        GET POST
-- NOTE(review): machine-to-machine upload authorised by bearer token only;
-- the scope a token must have for this route is not visible in this file.
/lms/#SchoolId/#QualificationShorthand/report/direct        LmsReportDirectR            POST  !token -- LMS
-- other lms routes
/lms/#SchoolId/#QualificationShorthand/ident/#LmsIdent      LmsIdentR               GET       -- redirect to LmsR with filter-parameter
/lms/#SchoolId/#QualificationShorthand/user/#CryptoUUIDUser LmsUserR                GET
/lmsuser/#CryptoUUIDUser                                    LmsUserAllR             GET
/lmsuser/#CryptoUUIDUser/#SchoolId                          LmsUserSchoolR          GET

-- API documentation and the Swagger description are readable by everyone.
-- NOTE(review): the published description also covers routes that are not
-- public if they are part of the documented API; confirm that this is intended.
/api           ApiDocsR              GET      !free
/swagger       SwaggerR              GET      !free
/swagger.json  SwaggerJsonR          GET      !free

-- Root-level catch-all for well-known files, open to everyone. The path is
-- parsed as WellKnownFileName; which names that type accepts is not visible here.
!/*WellKnownFileName WellKnownR GET !free