-- SPDX-FileCopyrightText: 2022 Gregor Kleen ,Sarah Vaupel ,Steffen Jost ,Wolfgang Witt -- -- SPDX-License-Identifier: AGPL-3.0-or-later -- -- Accesss granted via tags; default is no accesss. -- Permission must be explicitly granted. -- -- Access permission is the disjunction of permit tags -- Tags are split on "AND" to encode conjunction. -- -- Note that nested routes automatically inherit all tags from the parent. -- -- Admins always have access to entities within their assigned schools. -- -- Access tags are defined in Model.Types.Security -- -- Access Tags: -- !free -- free for all -- !lecturer -- lecturer for this course (or for any school, if route is not connected to a course) -- !corrector -- corrector for this sheet (or the submission, if route is connected to a submission, or the course, if route is not connected to a sheet, or any course, if route is not connected to a course) -- !course-registered -- participant for this course (no effect outside of courses) -- !tutorial-registered -- participant for this tutorial (no effect outside of courses) -- !participant -- connected with a given course (not necessarily registered), i.e. has a submission, is a corrector, etc. (no effect outside of courses) -- -- !register-group -- user is member in no other tutorial with same register group -- -- !owner -- part of the group of owners of this submission -- !self -- route refers to the currently logged in user themselves -- !capacity -- course this route is associated with has at least one unit of participant capacity -- !empty -- course this route is associated with has no participants whatsoever -- -- !is-ldap -- user has authentication mode set to LDAP -- !is-pw-hash -- user has authentication mode set to PWHash -- -- !materials -- only if course allows all materials to be free (no meaning outside of courses) -- !time -- access depends on time somehow -- !read -- only if it is read-only access (i.e. GET but not POST) -- !write -- only if it is write access (i.e. POST only, included for completeness) -- -- !token -- requires bearer token -- !no-escalation -- -- !deprecated -- like free, but logs and gives a warning; entirely disabled in production -- !development -- like free, but only for development builds /static StaticR EmbeddedStatic appStatic !free /auth AuthR Auth getAuth !free /metrics MetricsR GET !free -- verify if this can be free /err ErrorR GET !free / NewsR GET !free /users UsersR GET POST -- no tags, i.e. admins only /users/#CryptoUUIDUser AdminUserR GET POST /users/#CryptoUUIDUser/delete AdminUserDeleteR POST /users/#CryptoUUIDUser/hijack AdminHijackUserR POST !adminANDno-escalation /users/#CryptoUUIDUser/notifications UserNotificationR GET POST !self /users/#CryptoUUIDUser/password UserPasswordR GET POST !selfANDis-pw-hash !/users/functionary-invite/new AdminNewFunctionaryInviteR GET POST !/users/functionary-invite AdminFunctionaryInviteR GET POST !/users/add AdminUserAddR GET POST /admin AdminR GET /admin/test AdminTestR GET POST /admin/test/pdf AdminTestPdfR GET /admin/errMsg AdminErrMsgR GET POST /admin/tokens AdminTokensR GET POST /admin/crontab AdminCrontabR GET /admin/avs AdminAvsR GET POST /admin/ldap AdminLdapR GET POST /admin/problems AdminProblemsR GET /admin/problems/no-contact ProblemUnreachableR GET /admin/problems/no-avs-id ProblemWithoutAvsId GET /admin/problems/r-without-f ProblemFbutNoR GET /admin/problems/avs ProblemAvsSynchR GET POST /print PrintCenterR GET POST !system-printer /print/acknowledge/#Day/#Int/#Int PrintAckR GET POST !system-printer /print/acknowledge/direct PrintAckDirectR POST !system-printer /print/send PrintSendR GET POST /print/download/#CryptoUUIDPrintJob PrintDownloadR GET !system-printer /health HealthR GET !free /instance InstanceR GET !free /info InfoR GET !free /info/lecturer InfoLecturerR GET !free /info/supervisor InfoSupervisorR GET !free /info/legal LegalR GET !free /info/glossary GlossaryR GET !free /info/faq FaqR GET !free /info/terms-of-use TermsOfUseR GET !free /info/payments PaymentsR GET !free /imprint ImprintR GET !free /data-protection DataProtectionR GET !free /version VersionR GET !free /status StatusR GET !free /help HelpR GET POST !free /external-apis ExternalApisR ServantApiExternalApis getServantApi /user ProfileR GET POST !free /user/profile ProfileDataR GET !free /user/authpreds AuthPredsR GET POST !free /user/set-display-email SetDisplayEmailR GET POST !free /user/csv-options CsvOptionsR GET POST !free /user/lang LangR POST !free /user/storage-key StorageKeyR POST !free /for/#CryptoUUIDUser/user ForProfileR GET POST !supervisor !self /for/#CryptoUUIDUser/user/profile ForProfileDataR GET !supervisor !self /exam-office ExamOfficeR !exam-office: / EOExamsR GET POST !system-exam-office /fields EOFieldsR GET POST /users EOUsersR GET POST !system-exam-office /users/invite EOUsersInviteR GET POST !system-exam-office /external-exam EExamListR GET !lecturer !¬empty /external-exam/new EExamNewR GET POST !lecturer /external-exam/#TermId/#SchoolId/#CourseName/#ExamName EExamR !lecturer: / EEShowR GET !exam-office !exam-result /edit EEEditR GET POST /users EEUsersR GET POST /grades EEGradesR GET POST !exam-office /staff-invite EEStaffInviteR GET POST /correct EECorrectR GET POST /term TermShowR GET !free /term/current TermCurrentR GET !free /term/edit TermEditR GET POST /term/#TermId/edit TermEditExistR GET POST !/term/#TermId TermCourseListR GET !free !/term/#TermId/#SchoolId TermSchoolCourseListR GET !free /school SchoolListR GET !/school/new SchoolNewR GET POST /school/#SchoolId SchoolR: / SchoolEditR GET POST /participants ParticipantsListR GET !evaluation /participants/#TermId/#SchoolId ParticipantsR GET !evaluation /participants/intersect ParticipantsIntersectR GET POST !evaluation -- For Pattern Synonyms see Foundation /course/ CourseListR GET !free !/course/new CourseNewR GET POST !lecturer /course/#TermId/#SchoolId/#CourseShorthand CourseR !lecturer: / CShowR GET !tutor !corrector !exam-corrector !course-registered !course-time !evaluation !exam-office /favourite CFavouriteR GET POST !free /register CRegisterR GET POST !timeANDcapacityAND¬course-registeredANDcourse-time !timeAND¬exam-resultANDcourse-registered !lecturer /edit CEditR GET POST /lecturer-invite CLecInviteR GET POST /delete CDeleteR GET POST !lecturerANDempty /users CUsersR GET POST !/users/new CAddUserR GET POST !lecturer /users/#CryptoUUIDUser CUserR GET POST !lecturerANDparticipant !lecturer /correctors CHiWisR GET /communication CCommR GET POST /notes CNotesR GET POST !corrector -- THIS route is used to check for overall course corrector access! /exam-office CExamOfficeR GET POST !course-registered /subs CCorrectionsR GET POST /subs/assigned CAssignR GET POST /sheet SheetListR GET !course-registered !materialsANDcourse-time !corrector !tutor /sheet/new SheetNewR GET POST /sheet/current SheetCurrentR GET !course-registered !materialsANDcourse-time !corrector !tutor /sheet/unassigned SheetOldUnassignedR GET /sheet/#SheetName SheetR: /show SShowR GET !timeANDcourse-registered !timeANDmaterialsANDcourse-time !corrector !timeANDtutor /show/download SArchiveR GET !timeANDcourse-registeredANDexam-registered !timeANDmaterialsANDexam-registeredANDcourse-time !corrector !timeANDtutor /edit SEditR GET POST /delete SDelR GET POST /subs SSubsR GET POST -- for lecturer only !/subs/new SubmissionNewR GET POST !timeANDcourse-registeredANDuser-submissionsANDsubmission-groupANDexam-registeredANDpersonalised-sheet-files !/subs/own SubmissionOwnR GET !free !/subs/assign SAssignR GET POST !lecturerANDtime /subs/#CryptoFileNameSubmission SubmissionR: / SubShowR GET POST !ownerANDtimeANDuser-submissionsANDsubmission-groupANDexam-registeredANDpersonalised-sheet-files !ownerANDread !correctorANDread /delete SubDelR GET POST !ownerANDtimeANDuser-submissionsANDexam-registeredANDpersonalised-sheet-files /assign SubAssignR GET POST !lecturerANDtime /correction CorrectionR GET POST !corrector !ownerANDreadANDratedANDexam-time /invite SInviteR GET POST !ownerANDtimeANDuser-submissionsANDsubmission-groupANDexam-registeredANDpersonalised-sheet-files /authorship-statements SubAuthorshipStatementsR GET !owner !correctorAND¬correction-anonymous !/#SubmissionFileType SubArchiveR GET !owner !corrector !/#SubmissionFileType/*FilePath SubDownloadR GET !owner !corrector /iscorrector SIsCorrR GET !corrector -- Route is used to check for corrector access to this sheet /pseudonym SPseudonymR GET POST !course-registeredANDcorrector-submissionsANDexam-registered /corrector-invite/ SCorrInviteR GET POST /personalised-files SPersonalFilesR GET !/#SheetFileType SZipR GET !timeANDcourse-registeredANDexam-registered !timeANDmaterialsANDexam-registered !corrector !timeANDtutor !/#SheetFileType/*FilePath SFileR GET !timeANDcourse-registeredANDexam-registered !timeANDmaterialsANDexam-registered !corrector !timeANDtutor /file MaterialListR GET !course-registered !materialsANDcourse-time !corrector !tutor /file/new MaterialNewR GET POST /file/#MaterialName MaterialR: /edit MEditR GET POST /delete MDelR GET POST /show MShowR GET !timeANDcourse-registered !timeANDmaterialsANDcourse-time !corrector !tutor !/download MArchiveR GET !timeANDcourse-registered !timeANDmaterialsANDcourse-time !corrector !tutor !/download/*FilePath MFileR GET !timeANDcourse-registered !timeANDmaterialsANDcourse-time !corrector !tutor /video/#CryptoUUIDMaterialFile MVideoR GET !timeANDcourse-registered !timeANDmaterialsANDcourse-time !corrector !tutor /tuts CTutorialListR GET !tutor -- THIS route is used to check for overall course tutor access! /tuts/new CTutorialNewR GET POST /tuts/#TutorialName TutorialR: /edit TEditR GET POST !tutorANDtutor-control /delete TDeleteR GET POST /participants TUsersR GET POST !tutor /participants/add TAddUserR GET POST !tutor /register TRegisterR POST !timeANDcapacityANDcourse-registeredANDregister-group !timeANDtutorial-registered /communication TCommR GET POST !tutor /tutor-invite TInviteR GET POST !tutorANDtutor-control /exams CExamListR GET !tutor !corrector !exam-corrector !course-registered !course-time !exam-office /exams/new CExamNewR GET POST /exams/#ExamName ExamR: /show EShowR GET !timeANDtutor !timeANDcorrector !timeANDexam-corrector !timeANDcourse-registered !timeANDcourse-time !exam-office /edit EEditR GET POST /corrector-invite ECInviteR GET POST /users EUsersR GET POST /users/new EAddUserR GET POST /users/invite EInviteR GET POST /register ERegisterR POST !timeANDcourse-registeredAND¬exam-registered !timeANDexam-registeredAND¬exam-result /register/#ExamOccurrenceName ERegisterOccR POST !exam-occurrence-registrationANDtimeANDcapacityANDcourse-registeredAND¬exam-occurrence-registered !exam-occurrence-registrationANDtimeANDexam-occurrence-registeredAND¬exam-result /grades EGradesR GET POST !exam-office /assign-occurrences EAutoOccurrenceR POST /correct ECorrectR GET POST !exam-correctorANDtime !/news/add CNewsNewR GET POST /news/#CryptoUUIDCourseNews CourseNewsR: / CNShowR GET !timeANDparticipant /edit CNEditR GET POST /delete CNDeleteR GET POST !/download CNArchiveR GET !timeANDparticipant !/download/*FilePath CNFileR GET !timeANDparticipant !/events/add CEventsNewR GET POST /events/#CryptoUUIDCourseEvent CourseEventR: /edit CEvEditR GET POST /delete CEvDeleteR GET POST /personalised-sheet-files CPersonalFilesR GET /subs CorrectionsR GET POST !corrector !lecturer /subs/upload CorrectionsUploadR GET POST !corrector !lecturer /subs/create CorrectionsCreateR GET POST !corrector !lecturer /subs/grade CorrectionsGradeR GET POST !corrector !lecturer /subs/download CorrectionsDownloadR GET !corrector !lecturer /msgs MessageListR GET POST /msg/#{CryptoUUIDSystemMessage} MessageR GET POST !timeANDreadANDauthentication /msg/#{CryptoUUIDSystemMessage}/hide MessageHideR POST !timeANDauthentication /upload UploadR PUT !free !/#UUID CryptoUUIDDispatchR GET !free -- just redirect -- !/*{CI FilePath} CryptoFileNameDispatchR GET !free -- Disabled until preliminary check for valid cID exists /qualification QualificationAllR GET !free /qualification/#SchoolId QualificationSchoolR GET !free /qualification/#SchoolId/#QualificationShorthand QualificationR GET POST !free /qualifications/sap/direct QualificationSAPDirectR GET -- !token -- SAP EXPORT -- TODO reinstate token requirement -- /qualification/CryptoUUIDUser/ -- maybe distingquish via URL -- LMS /lms LmsAllR GET POST /lms/#SchoolId LmsSchoolR GET /lms/#SchoolId/#QualificationShorthand LmsR GET POST /lms/#SchoolId/#QualificationShorthand/edit LmsEditR GET POST /lms/#SchoolId/#QualificationShorthand/users LmsUsersR GET /lms/#SchoolId/#QualificationShorthand/users/direct LmsUsersDirectR GET !token -- LMS /lms/#SchoolId/#QualificationShorthand/userlist LmsUserlistR GET POST /lms/#SchoolId/#QualificationShorthand/userlist/upload LmsUserlistUploadR GET POST !development /lms/#SchoolId/#QualificationShorthand/userlist/direct LmsUserlistDirectR POST !token -- LMS /lms/#SchoolId/#QualificationShorthand/result LmsResultR GET POST /lms/#SchoolId/#QualificationShorthand/result/upload LmsResultUploadR GET POST !development /lms/#SchoolId/#QualificationShorthand/result/direct LmsResultDirectR POST !token -- LMS /lmsuser/#CryptoUUIDUser LmsUserR GET /api ApiDocsR GET !free /swagger SwaggerR GET !free /swagger.json SwaggerJsonR GET !free !/*WellKnownFileName WellKnownR GET !free