-- Hoogle documentation, generated by Haddock
-- See Hoogle, http://www.haskell.org/hoogle/


-- | Server implementation of the Avers API
--   
--   Server implementation of the Avers API
@package avers-server
@version 0.1.0.1

module Avers.Server
serveAversAPI :: Handle -> Authorizations -> Server AversAPI

-- | Convert the <a>Credentials</a> into the <a>ObjId</a> to which the
--   credentials refer. That's the object the client is authenticated as.
credentialsObjId :: Handle -> Credentials -> Handler ObjId

-- | Defines all the authorization points which are used in the server. For
--   each you can supply your own logic. The default is to allow
--   everything, so any authorization point that must be restricted needs
--   its own logic supplied here.
data Authorizations
Authorizations :: (Credentials -> Text -> Authz) -> (Credentials -> ObjId -> Authz) -> (Credentials -> ObjId -> [Operation] -> Authz) -> (Credentials -> ObjId -> Authz) -> (Credentials -> Text -> Authz) -> (Credentials -> BlobId -> Authz) -> (Credentials -> BlobId -> Authz) -> Authorizations
[createObjectAuthz] :: Authorizations -> Credentials -> Text -> Authz
[lookupObjectAuthz] :: Authorizations -> Credentials -> ObjId -> Authz
[patchObjectAuthz] :: Authorizations -> Credentials -> ObjId -> [Operation] -> Authz
[deleteObjectAuthz] :: Authorizations -> Credentials -> ObjId -> Authz
[uploadBlobAuthz] :: Authorizations -> Credentials -> Text -> Authz
[lookupBlobAuthz] :: Authorizations -> Credentials -> BlobId -> Authz
[lookupBlobContentAuthz] :: Authorizations -> Credentials -> BlobId -> Authz

-- | Authorization logic is implemented as a list of <a>Avers</a> actions.
--   We call each action a <tt>module</tt>; it returns a result
--   (<a>AuthzR</a>), which determines what happens next.
type Authz = [Avers AuthzR]

-- | The result of a single module is either <a>ContinueR</a>, which means
--   we continue executing the following modules, <a>AllowR</a>, which means
--   that the action is allowed and any following modules are skipped, or
--   <tt>RejectR</tt>, which means that the action is rejected and following
--   modules are skipped as well. What happens when every module returns
--   <a>ContinueR</a> is not stated here; confirm it in the implementation
--   before relying on either outcome.
data AuthzR
ContinueR :: AuthzR
AllowR :: AuthzR
RejectR :: AuthzR
defaultAuthorizations :: Authorizations

-- | Run the authorization logic inside of the Servant monad.
runAuthorization :: Handle -> Authz -> Handler ()

-- | This doesn't change the result, but allows you to run arbitrary
--   <a>Avers</a> actions. This is useful for debugging.
trace :: Avers () -> Avers AuthzR

-- | If the given <a>Avers</a> action returns <a>True</a>, it is sufficient
--   to pass the authorization check.
sufficient :: Avers Bool -> Avers AuthzR

-- | The given <a>Avers</a> action must return <a>True</a> for this
--   authorization check to pass.
requisite :: Avers Bool -> Avers AuthzR

-- | True if the session created the given object.
sessionCreatedObject :: Session -> ObjId -> Avers Bool

-- | True if the session is the given object. In most cases, a session has
--   full access to the object against which it was created.
sessionIsObject :: Session -> ObjId -> Avers Bool
