From 2ffcd02ac31ad10b7bc8f4901b4e756f7f007443 Mon Sep 17 00:00:00 2001
From: Pavel Karpy <carpawell@nspcc.ru>
Date: Mon, 12 Sep 2022 14:10:32 +0300
Subject: [PATCH] [#1628] tree: Document ACL checks in tree service

Signed-off-by: Pavel Karpy <carpawell@nspcc.ru>
---
 pkg/services/tree/service.proto | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/pkg/services/tree/service.proto b/pkg/services/tree/service.proto
index 43aba82c4..e1f8d678c 100644
--- a/pkg/services/tree/service.proto
+++ b/pkg/services/tree/service.proto
@@ -12,6 +12,21 @@ option go_package = "github.com/nspcc-dev/neofs-node/pkg/services/tree";
 service TreeService {
   /* Client API */
 
+  // Client methods are mapped to the object RPC:
+  //  [ Add, AddByPath, Remove, Move ] -> PUT;
+  //  [ GetNodeByPath, GetSubTree ] -> GET.
+  //  One of the following must be true:
+  //  - a signer passes non-extended basic ACL;
+  //  - a signer passes extended basic ACL AND bearer token is
+  //    attached AND the basic ACL allows attaching bearer token
+  //    to the GET/PUT operation AND eACL table in the bearer contains
+  //    an explicit allowing the signer's key (or its role) rule
+  //    for the GET/PUT operation;
+  //  - a signer passes extended basic ACL AND the extension
+  //    contains an explicit allowing the signer's key (or its role)
+  //    rule for GET/PUT operation.
+  //  Otherwise, a request is denied.
+
   // Add adds new node to the tree. Invoked by a client.
   rpc Add (AddRequest) returns (AddResponse);
   // AddByPath adds new node to the tree by path. Invoked by a client.
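Review bot: The access rule added at the top of the Client API block leaves two security-relevant cases open. It does not say whether an explicit deny record matching the signer overrides an allow record, nor whether a request whose bearer token fails the second condition may still be admitted through the third (extension) condition; both should be stated, since "Otherwise, a request is denied" only covers the case where no condition holds. The phrase "an explicit allowing the signer's key (or its role) rule" is hard to parse, and `an explicit rule allowing the signer's key (or its role)` reads unambiguously in both places it occurs. A blank line follows the block, so protoc treats it as a detached comment and it may not reach the generated documentation of any RPC; a short line on each method, such as `// Access is checked as for the object PUT operation.` on Add, would keep the mapping next to the call. The service body continues past the end of the hunk, so whether every client method is covered by the two lists cannot be confirmed from here.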