001/*-
002 * #%L
003 * HAPI FHIR - Server Framework
004 * %%
005 * Copyright (C) 2014 - 2024 Smile CDR, Inc.
006 * %%
007 * Licensed under the Apache License, Version 2.0 (the "License");
008 * you may not use this file except in compliance with the License.
009 * You may obtain a copy of the License at
010 *
011 *      http://www.apache.org/licenses/LICENSE-2.0
012 *
013 * Unless required by applicable law or agreed to in writing, software
014 * distributed under the License is distributed on an "AS IS" BASIS,
015 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
016 * See the License for the specific language governing permissions and
017 * limitations under the License.
018 * #L%
019 */
020package ca.uhn.fhir.rest.server.interceptor.auth;
021
022import java.util.Collection;
023
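/**
 * Optional flags that change how the {@link AuthorizationInterceptor} applies
 * its rule set. No flag is enabled unless it is passed explicitly.
 *
 * @see AuthorizationInterceptor#setFlags(Collection)
 */
public enum AuthorizationFlagsEnum {

        /**
         * If this flag is set, read operations (read/search/history) are
         * <b>not</b> rejected by the interceptor before the method handler is
         * called. The request proceeds to the handler and the authorization
         * decision is applied to the response instead.
         * <p>
         * For example, suppose a rule set is in place that only allows read
         * access to compartment <code>Patient/123</code>. With this flag set,
         * any attempt to perform a FHIR read/search/history operation will be
         * permitted to proceed to the method handler, and the response will be
         * blocked by the AuthorizationInterceptor if it contains a resource
         * that is not in the given compartment.
         * </p>
         * <p>
         * Setting this flag is less secure: the handler runs before the
         * authorization decision is made, so the interceptor can potentially
         * leak information about the existence of data. It is useful in some
         * scenarios, but leave it unset unless response-time filtering is
         * specifically required.
         * </p>
         *
         * @since This flag has existed since HAPI FHIR 3.5.0. Prior to this
         * version, this flag was the default and there was no ability to
         * proactively block compartment read access.
         */
        DO_NOT_PROACTIVELY_BLOCK_COMPARTMENT_READ_ACCESS,

        /**
         * NOTE(review): this flag carries no documentation in this file. Its
         * name suggests that PATCH requests are allowed through without being
         * challenged by the rule set; confirm the exact semantics in
         * {@link AuthorizationInterceptor} before enabling it, and treat it as
         * security-sensitive until then.
         */
        // Declaration order is kept as-is: constants are appended, never reordered,
        // so ordinal() and values() stay stable for existing callers.
        ALLOW_PATCH_REQUEST_UNCHALLENGED;
}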