{
    "$schema": "http://json-schema.org/draft-07/schema#",
    "title": "JSON Schema tibi-server permissions configuration",
    "description": "tibi-server permissions linter",
    "type": "object",
    "additionalProperties": false,
    "properties": {
        "public": {
            "description": "permissions for unauthorized public access",
            "$ref": "#/definitions/permissionSet"
        },
        "user": {
            "description": "permissions for authorized users (nativ tibi-server auth)",
            "$ref": "#/definitions/permissionSet"
        }
    },
    "patternProperties": {
        "^x\\-": {
            "description": "template property"
        },
        "^token:": {
            "description": "permissions for header or query token",
            "$ref": "#/definitions/permissionSet"
        },
        "^[a-zA-Z0-9_]+$": {
            "description": "custom permissions",
            "$ref": "#/definitions/permissionSet"
        }
    },
    "required": ["public", "user"],
    "definitions": {
        "permissionSet": {
            "type": "object",
            "additionalProperties": false,
            "properties": {
                "methods": {
                    "type": "object",
                    "description": "permissions for http methods",
                    "additionalProperties": false,
                    "properties": {
                        "get": {
                            "oneOf": [
                                { "type": "boolean" },
                                {
                                    "type": "object",
                                    "properties": {
                                        "allow": { "type": "boolean", "description": "Allow GET." }
                                    },
                                    "required": ["allow"],
                                    "additionalProperties": false
                                }
                            ]
                        },
                        "post": {
                            "oneOf": [
                                { "type": "boolean" },
                                {
                                    "type": "object",
                                    "properties": {
                                        "allow": { "type": "boolean", "description": "Allow single-document POST." },
                                        "bulk": { "type": "boolean", "description": "Allow bulk POST (JSON array body)." }
                                    },
                                    "required": ["allow"],
                                    "additionalProperties": false
                                }
                            ]
                        },
                        "put": {
                            "oneOf": [
                                { "type": "boolean" },
                                {
                                    "type": "object",
                                    "properties": {
                                        "allow": { "type": "boolean", "description": "Allow single-document PUT." },
                                        "bulk": { "type": "boolean", "description": "Allow bulk PUT (without ID)." }
                                    },
                                    "required": ["allow"],
                                    "additionalProperties": false
                                }
                            ]
                        },
                        "delete": {
                            "oneOf": [
                                { "type": "boolean" },
                                {
                                    "type": "object",
                                    "properties": {
                                        "allow": { "type": "boolean", "description": "Allow single-document DELETE." },
                                        "bulk": { "type": "boolean", "description": "Allow bulk DELETE (without ID)." }
                                    },
                                    "required": ["allow"],
                                    "additionalProperties": false
                                }
                            ]
                        }
                    }
                },
                "validProjections": {
                    "type": "array",
                    "description": "list of projection names this permission set is allowed to use",
                    "items": {
                        "type": "string"
                    }
                },
                "filter": {
                    "type": "object",
                    "description": "MongoDB filter applied to all queries for this permission set",
                    "additionalProperties": true
                },
                "readonlyFields": {
                    "type": "array",
                    "description": "fields that are read-only for this permission set",
                    "items": {
                        "type": "string"
                    }
                },
                "hiddenFields": {
                    "type": "array",
                    "description": "fields that are hidden for this permission set",
                    "items": {
                        "type": "string"
                    }
                }
            },
            "required": ["methods"]
        }
    }
}