feat: Update ModesExtractors to support new permission interface

joachimvh · joachimvh · commit 7085252b3f22 · 2022-07-11T14:07:43.000+02:00
diff --git a/src/authorization/permissions/MethodModesExtractor.ts b/src/authorization/permissions/MethodModesExtractor.ts
@@ -1,8 +1,10 @@
 import type { Operation } from '../../http/Operation';
 import type { ResourceSet } from '../../storage/ResourceSet';
 import { NotImplementedHttpError } from '../../util/errors/NotImplementedHttpError';
+import { IdentifierSetMultiMap } from '../../util/map/IdentifierMap';
 import { isContainerIdentifier } from '../../util/PathUtil';
 import { ModesExtractor } from './ModesExtractor';
+import type { AccessMap } from './Permissions';
 import { AccessMode } from './Permissions';
 
 const READ_METHODS = new Set([ 'OPTIONS', 'GET', 'HEAD' ]);
@@ -31,33 +33,33 @@ export class MethodModesExtractor extends ModesExtractor {
     }
   }
 
-  public async handle({ method, target }: Operation): Promise<Set<AccessMode>> {
-    const modes = new Set<AccessMode>();
+  public async handle({ method, target }: Operation): Promise<AccessMap> {
+    const requiredModes: AccessMap = new IdentifierSetMultiMap();
     // Reading requires Read permissions on the resource
     if (READ_METHODS.has(method)) {
-      modes.add(AccessMode.read);
+      requiredModes.add(target, AccessMode.read);
     }
     // Setting a resource's representation requires Write permissions
     if (method === 'PUT') {
-      modes.add(AccessMode.write);
+      requiredModes.add(target, AccessMode.write);
       // …and, if the resource does not exist yet, Create permissions are required as well
       if (!await this.resourceSet.hasResource(target)) {
-        modes.add(AccessMode.create);
+        requiredModes.add(target, AccessMode.create);
       }
     }
     // Creating a new resource in a container requires Append access to that container
     if (method === 'POST') {
-      modes.add(AccessMode.append);
+      requiredModes.add(target, AccessMode.append);
     }
     // Deleting a resource requires Delete access
     if (method === 'DELETE') {
-      modes.add(AccessMode.delete);
+      requiredModes.add(target, AccessMode.delete);
       // …and, if the target is a container, Read permissions are required as well
       // as this exposes if a container is empty or not
       if (isContainerIdentifier(target)) {
-        modes.add(AccessMode.read);
+        requiredModes.add(target, AccessMode.read);
       }
     }
-    return modes;
+    return requiredModes;
   }
 }
diff --git a/src/authorization/permissions/N3PatchModesExtractor.ts b/src/authorization/permissions/N3PatchModesExtractor.ts
@@ -3,7 +3,9 @@ import type { N3Patch } from '../../http/representation/N3Patch';
 import { isN3Patch } from '../../http/representation/N3Patch';
 import type { ResourceSet } from '../../storage/ResourceSet';
 import { NotImplementedHttpError } from '../../util/errors/NotImplementedHttpError';
+import { IdentifierSetMultiMap } from '../../util/map/IdentifierMap';
 import { ModesExtractor } from './ModesExtractor';
+import type { AccessMap } from './Permissions';
 import { AccessMode } from './Permissions';
 
 /**
@@ -33,28 +35,28 @@ export class N3PatchModesExtractor extends ModesExtractor {
     }
   }
 
-  public async handle({ body, target }: Operation): Promise<Set<AccessMode>> {
+  public async handle({ body, target }: Operation): Promise<AccessMap> {
     const { deletes, inserts, conditions } = body as N3Patch;
 
-    const accessModes = new Set<AccessMode>();
+    const requiredModes: AccessMap = new IdentifierSetMultiMap();
 
     // When ?conditions is non-empty, servers MUST treat the request as a Read operation.
     if (conditions.length > 0) {
-      accessModes.add(AccessMode.read);
+      requiredModes.add(target, AccessMode.read);
     }
     // When ?insertions is non-empty, servers MUST (also) treat the request as an Append operation.
     if (inserts.length > 0) {
-      accessModes.add(AccessMode.append);
+      requiredModes.add(target, AccessMode.append);
       if (!await this.resourceSet.hasResource(target)) {
-        accessModes.add(AccessMode.create);
+        requiredModes.add(target, AccessMode.create);
       }
     }
     // When ?deletions is non-empty, servers MUST treat the request as a Read and Write operation.
     if (deletes.length > 0) {
-      accessModes.add(AccessMode.read);
-      accessModes.add(AccessMode.write);
+      requiredModes.add(target, AccessMode.read);
+      requiredModes.add(target, AccessMode.write);
     }
 
-    return accessModes;
+    return requiredModes;
   }
 }
diff --git a/src/authorization/permissions/SparqlUpdateModesExtractor.ts b/src/authorization/permissions/SparqlUpdateModesExtractor.ts
@@ -4,7 +4,9 @@ import type { Representation } from '../../http/representation/Representation';
 import type { SparqlUpdatePatch } from '../../http/representation/SparqlUpdatePatch';
 import type { ResourceSet } from '../../storage/ResourceSet';
 import { NotImplementedHttpError } from '../../util/errors/NotImplementedHttpError';
+import { IdentifierSetMultiMap } from '../../util/map/IdentifierMap';
 import { ModesExtractor } from './ModesExtractor';
+import type { AccessMap } from './Permissions';
 import { AccessMode } from './Permissions';
 
 /**
@@ -34,31 +36,31 @@ export class SparqlUpdateModesExtractor extends ModesExtractor {
     }
   }
 
-  public async handle({ body, target }: Operation): Promise<Set<AccessMode>> {
+  public async handle({ body, target }: Operation): Promise<AccessMap> {
     // Verified in `canHandle` call
     const update = (body as SparqlUpdatePatch).algebra as Algebra.DeleteInsert;
-    const modes = new Set<AccessMode>();
+    const requiredModes: AccessMap = new IdentifierSetMultiMap();
 
     if (this.isNop(update)) {
-      return modes;
+      return requiredModes;
     }
 
     // Access modes inspired by the requirements on N3 Patch requests
     if (this.hasConditions(update)) {
-      modes.add(AccessMode.read);
+      requiredModes.add(target, AccessMode.read);
     }
     if (this.hasInserts(update)) {
-      modes.add(AccessMode.append);
+      requiredModes.add(target, AccessMode.append);
       if (!await this.resourceSet.hasResource(target)) {
-        modes.add(AccessMode.create);
+        requiredModes.add(target, AccessMode.create);
       }
     }
     if (this.hasDeletes(update)) {
-      modes.add(AccessMode.read);
-      modes.add(AccessMode.write);
+      requiredModes.add(target, AccessMode.read);
+      requiredModes.add(target, AccessMode.write);
     }
 
-    return modes;
+    return requiredModes;
   }
 
   private isSparql(data: Representation): data is SparqlUpdatePatch {
diff --git a/src/index.ts b/src/index.ts
@@ -15,10 +15,11 @@ export * from './authorization/access/AgentClassAccessChecker';
 export * from './authorization/access/AgentGroupAccessChecker';
 
 // Authorization/Permissions
-export * from './authorization/permissions/Permissions';
+export * from './authorization/permissions/AclPermission';
 export * from './authorization/permissions/ModesExtractor';
 export * from './authorization/permissions/MethodModesExtractor';
 export * from './authorization/permissions/N3PatchModesExtractor';
+export * from './authorization/permissions/Permissions';
 export * from './authorization/permissions/SparqlUpdateModesExtractor';
 
 // Authorization
diff --git a/test/unit/authorization/permissions/MethodModesExtractor.test.ts b/test/unit/authorization/permissions/MethodModesExtractor.test.ts
@@ -1,13 +1,31 @@
 import { MethodModesExtractor } from '../../../../src/authorization/permissions/MethodModesExtractor';
+import type { AccessMap } from '../../../../src/authorization/permissions/Permissions';
 import { AccessMode } from '../../../../src/authorization/permissions/Permissions';
 import type { Operation } from '../../../../src/http/Operation';
+import { BasicRepresentation } from '../../../../src/http/representation/BasicRepresentation';
+import type { ResourceIdentifier } from '../../../../src/http/representation/ResourceIdentifier';
 import type { ResourceSet } from '../../../../src/storage/ResourceSet';
 import { NotImplementedHttpError } from '../../../../src/util/errors/NotImplementedHttpError';
+import { IdentifierSetMultiMap } from '../../../../src/util/map/IdentifierMap';
+import { compareMaps } from '../../../util/Util';
 
 describe('A MethodModesExtractor', (): void => {
+  const target: ResourceIdentifier = { path: 'http://example.com/foo' };
+  const operation: Operation = {
+    method: 'GET',
+    target,
+    preferences: {},
+    body: new BasicRepresentation(),
+  };
   let resourceSet: jest.Mocked<ResourceSet>;
   let extractor: MethodModesExtractor;
 
+  function getMap(modes: AccessMode[], identifier?: ResourceIdentifier): AccessMap {
+    return new IdentifierSetMultiMap(
+      modes.map((mode): [ResourceIdentifier, AccessMode] => [ identifier ?? target, mode ]),
+    );
+  }
+
   beforeEach(async(): Promise<void> => {
     resourceSet = {
       hasResource: jest.fn().mockResolvedValue(true),
@@ -16,44 +34,43 @@ describe('A MethodModesExtractor', (): void => {
   });
 
   it('can handle HEAD/GET/POST/PUT/DELETE.', async(): Promise<void> => {
-    await expect(extractor.canHandle({ method: 'HEAD' } as Operation)).resolves.toBeUndefined();
-    await expect(extractor.canHandle({ method: 'GET' } as Operation)).resolves.toBeUndefined();
-    await expect(extractor.canHandle({ method: 'POST' } as Operation)).resolves.toBeUndefined();
-    await expect(extractor.canHandle({ method: 'PUT' } as Operation)).resolves.toBeUndefined();
-    await expect(extractor.canHandle({ method: 'DELETE' } as Operation)).resolves.toBeUndefined();
-    await expect(extractor.canHandle({ method: 'PATCH' } as Operation)).rejects.toThrow(NotImplementedHttpError);
+    await expect(extractor.canHandle({ ...operation, method: 'HEAD' })).resolves.toBeUndefined();
+    await expect(extractor.canHandle({ ...operation, method: 'GET' })).resolves.toBeUndefined();
+    await expect(extractor.canHandle({ ...operation, method: 'POST' })).resolves.toBeUndefined();
+    await expect(extractor.canHandle({ ...operation, method: 'PUT' })).resolves.toBeUndefined();
+    await expect(extractor.canHandle({ ...operation, method: 'DELETE' })).resolves.toBeUndefined();
+    await expect(extractor.canHandle({ ...operation, method: 'PATCH' })).rejects.toThrow(NotImplementedHttpError);
   });
 
   it('requires read for HEAD operations.', async(): Promise<void> => {
-    await expect(extractor.handle({ method: 'HEAD' } as Operation)).resolves.toEqual(new Set([ AccessMode.read ]));
+    compareMaps(await extractor.handle({ ...operation, method: 'HEAD' }), getMap([ AccessMode.read ]));
   });
 
   it('requires read for GET operations.', async(): Promise<void> => {
-    await expect(extractor.handle({ method: 'GET' } as Operation)).resolves.toEqual(new Set([ AccessMode.read ]));
+    compareMaps(await extractor.handle({ ...operation, method: 'GET' }), getMap([ AccessMode.read ]));
   });
 
   it('requires append for POST operations.', async(): Promise<void> => {
-    await expect(extractor.handle({ method: 'POST' } as Operation)).resolves.toEqual(new Set([ AccessMode.append ]));
+    compareMaps(await extractor.handle({ ...operation, method: 'POST' }), getMap([ AccessMode.append ]));
   });
 
   it('requires write for PUT operations.', async(): Promise<void> => {
-    await expect(extractor.handle({ method: 'PUT' } as Operation))
-      .resolves.toEqual(new Set([ AccessMode.write ]));
+    compareMaps(await extractor.handle({ ...operation, method: 'PUT' }), getMap([ AccessMode.write ]));
   });
 
   it('requires create for PUT operations if the target does not exist.', async(): Promise<void> => {
     resourceSet.hasResource.mockResolvedValueOnce(false);
-    await expect(extractor.handle({ method: 'PUT' } as Operation))
-      .resolves.toEqual(new Set([ AccessMode.write, AccessMode.create ]));
+    compareMaps(await extractor.handle({ ...operation, method: 'PUT' }),
+      getMap([ AccessMode.write, AccessMode.create ]));
   });
 
   it('requires delete for DELETE operations.', async(): Promise<void> => {
-    await expect(extractor.handle({ method: 'DELETE', target: { path: 'http://example.com/foo' }} as Operation))
-      .resolves.toEqual(new Set([ AccessMode.delete ]));
+    compareMaps(await extractor.handle({ ...operation, method: 'DELETE' }), getMap([ AccessMode.delete ]));
   });
 
   it('also requires read for DELETE operations on containers.', async(): Promise<void> => {
-    await expect(extractor.handle({ method: 'DELETE', target: { path: 'http://example.com/foo/' }} as Operation))
-      .resolves.toEqual(new Set([ AccessMode.delete, AccessMode.read ]));
+    const identifier = { path: 'http://example.com/foo/' };
+    compareMaps(await extractor.handle({ ...operation, method: 'DELETE', target: identifier }),
+      getMap([ AccessMode.delete, AccessMode.read ], identifier));
   });
 });
diff --git a/test/unit/authorization/permissions/N3PatchModesExtractor.test.ts b/test/unit/authorization/permissions/N3PatchModesExtractor.test.ts
@@ -1,22 +1,33 @@
 import { DataFactory } from 'n3';
 import type { Quad } from 'rdf-js';
 import { N3PatchModesExtractor } from '../../../../src/authorization/permissions/N3PatchModesExtractor';
+import type { AccessMap } from '../../../../src/authorization/permissions/Permissions';
 import { AccessMode } from '../../../../src/authorization/permissions/Permissions';
 import type { Operation } from '../../../../src/http/Operation';
 import { BasicRepresentation } from '../../../../src/http/representation/BasicRepresentation';
 import type { N3Patch } from '../../../../src/http/representation/N3Patch';
+import type { ResourceIdentifier } from '../../../../src/http/representation/ResourceIdentifier';
 import type { ResourceSet } from '../../../../src/storage/ResourceSet';
 import { NotImplementedHttpError } from '../../../../src/util/errors/NotImplementedHttpError';
+import { IdentifierSetMultiMap } from '../../../../src/util/map/IdentifierMap';
+import { compareMaps } from '../../../util/Util';
 
 const { quad, namedNode } = DataFactory;
 
 describe('An N3PatchModesExtractor', (): void => {
+  const target: ResourceIdentifier = { path: 'http://example.com/foo' };
   const triple: Quad = quad(namedNode('a'), namedNode('b'), namedNode('c'));
   let patch: N3Patch;
   let operation: Operation;
   let resourceSet: jest.Mocked<ResourceSet>;
   let extractor: N3PatchModesExtractor;
 
+  function getMap(modes: AccessMode[], identifier?: ResourceIdentifier): AccessMap {
+    return new IdentifierSetMultiMap(
+      modes.map((mode): [ResourceIdentifier, AccessMode] => [ identifier ?? target, mode ]),
+    );
+  }
+
   beforeEach(async(): Promise<void> => {
     patch = new BasicRepresentation() as N3Patch;
     patch.deletes = [];
@@ -27,7 +38,7 @@ describe('An N3PatchModesExtractor', (): void => {
       method: 'PATCH',
       body: patch,
       preferences: {},
-      target: { path: 'http://example.com/foo' },
+      target,
     };
 
     resourceSet = {
@@ -47,30 +58,29 @@ describe('An N3PatchModesExtractor', (): void => {
 
   it('requires read access when there are conditions.', async(): Promise<void> => {
     patch.conditions = [ triple ];
-    await expect(extractor.handle(operation)).resolves.toEqual(new Set([ AccessMode.read ]));
+    compareMaps(await extractor.handle(operation), getMap([ AccessMode.read ]));
   });
 
   it('requires append access when there are inserts.', async(): Promise<void> => {
     patch.inserts = [ triple ];
-    await expect(extractor.handle(operation)).resolves.toEqual(new Set([ AccessMode.append ]));
+    compareMaps(await extractor.handle(operation), getMap([ AccessMode.append ]));
   });
 
   it('requires create access when there are inserts and the resource does not exist.', async(): Promise<void> => {
     resourceSet.hasResource.mockResolvedValueOnce(false);
     patch.inserts = [ triple ];
-    await expect(extractor.handle(operation)).resolves.toEqual(new Set([ AccessMode.append, AccessMode.create ]));
+    compareMaps(await extractor.handle(operation), getMap([ AccessMode.append, AccessMode.create ]));
   });
 
   it('requires read and write access when there are inserts.', async(): Promise<void> => {
     patch.deletes = [ triple ];
-    await expect(extractor.handle(operation)).resolves.toEqual(new Set([ AccessMode.read, AccessMode.write ]));
+    compareMaps(await extractor.handle(operation), getMap([ AccessMode.read, AccessMode.write ]));
   });
 
   it('combines required access modes when required.', async(): Promise<void> => {
     patch.conditions = [ triple ];
     patch.inserts = [ triple ];
     patch.deletes = [ triple ];
-    await expect(extractor.handle(operation)).resolves
-      .toEqual(new Set([ AccessMode.read, AccessMode.append, AccessMode.write ]));
+    compareMaps(await extractor.handle(operation), getMap([ AccessMode.read, AccessMode.append, AccessMode.write ]));
   });
 });
diff --git a/test/unit/authorization/permissions/SparqlUpdateModesExtractor.test.ts b/test/unit/authorization/permissions/SparqlUpdateModesExtractor.test.ts
diff --git a/test/util/Util.ts b/test/util/Util.ts

Original file line number	Diff line number	Diff line change
`@@ -1,8 +1,10 @@`
`1`	`1`	`import type { Operation } from '../../http/Operation';`
`2`	`2`	`import type { ResourceSet } from '../../storage/ResourceSet';`
`3`	`3`	`import { NotImplementedHttpError } from '../../util/errors/NotImplementedHttpError';`
	`4`	`+import { IdentifierSetMultiMap } from '../../util/map/IdentifierMap';`
`4`	`5`	`import { isContainerIdentifier } from '../../util/PathUtil';`
`5`	`6`	`import { ModesExtractor } from './ModesExtractor';`
	`7`	`+import type { AccessMap } from './Permissions';`
`6`	`8`	`import { AccessMode } from './Permissions';`
`7`	`9`
`8`	`10`	`const READ_METHODS = new Set([ 'OPTIONS', 'GET', 'HEAD' ]);`
`@@ -31,33 +33,33 @@ export class MethodModesExtractor extends ModesExtractor {`
`31`	`33`	`}`
`32`	`34`	`}`
`33`	`35`
`34`		`- public async handle({ method, target }: Operation): Promise<Set<AccessMode>> {`
`35`		`- const modes = new Set<AccessMode>();`
	`36`	`+ public async handle({ method, target }: Operation): Promise<AccessMap> {`
	`37`	`+ const requiredModes: AccessMap = new IdentifierSetMultiMap();`
`36`	`38`	`// Reading requires Read permissions on the resource`
`37`	`39`	`if (READ_METHODS.has(method)) {`
`38`		`- modes.add(AccessMode.read);`
	`40`	`+ requiredModes.add(target, AccessMode.read);`
`39`	`41`	`}`
`40`	`42`	`// Setting a resource's representation requires Write permissions`
`41`	`43`	`if (method === 'PUT') {`
`42`		`- modes.add(AccessMode.write);`
	`44`	`+ requiredModes.add(target, AccessMode.write);`
`43`	`45`	`// …and, if the resource does not exist yet, Create permissions are required as well`
`44`	`46`	`if (!await this.resourceSet.hasResource(target)) {`
`45`		`- modes.add(AccessMode.create);`
	`47`	`+ requiredModes.add(target, AccessMode.create);`
`46`	`48`	`}`
`47`	`49`	`}`
`48`	`50`	`// Creating a new resource in a container requires Append access to that container`
`49`	`51`	`if (method === 'POST') {`
`50`		`- modes.add(AccessMode.append);`
	`52`	`+ requiredModes.add(target, AccessMode.append);`
`51`	`53`	`}`
`52`	`54`	`// Deleting a resource requires Delete access`
`53`	`55`	`if (method === 'DELETE') {`
`54`		`- modes.add(AccessMode.delete);`
	`56`	`+ requiredModes.add(target, AccessMode.delete);`
`55`	`57`	`// …and, if the target is a container, Read permissions are required as well`
`56`	`58`	`// as this exposes if a container is empty or not`
`57`	`59`	`if (isContainerIdentifier(target)) {`
`58`		`- modes.add(AccessMode.read);`
	`60`	`+ requiredModes.add(target, AccessMode.read);`
`59`	`61`	`}`
`60`	`62`	`}`
`61`		`- return modes;`
	`63`	`+ return requiredModes;`
`62`	`64`	`}`
`63`	`65`	`}`
Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,9 @@ import type { N3Patch } from '../../http/representation/N3Patch';`
`3`	`3`	`import { isN3Patch } from '../../http/representation/N3Patch';`
`4`	`4`	`import type { ResourceSet } from '../../storage/ResourceSet';`
`5`	`5`	`import { NotImplementedHttpError } from '../../util/errors/NotImplementedHttpError';`
	`6`	`+import { IdentifierSetMultiMap } from '../../util/map/IdentifierMap';`
`6`	`7`	`import { ModesExtractor } from './ModesExtractor';`
	`8`	`+import type { AccessMap } from './Permissions';`
`7`	`9`	`import { AccessMode } from './Permissions';`
`8`	`10`
`9`	`11`	`/**`
`@@ -33,28 +35,28 @@ export class N3PatchModesExtractor extends ModesExtractor {`
`33`	`35`	`}`
`34`	`36`	`}`
`35`	`37`
`36`		`- public async handle({ body, target }: Operation): Promise<Set<AccessMode>> {`
	`38`	`+ public async handle({ body, target }: Operation): Promise<AccessMap> {`
`37`	`39`	`const { deletes, inserts, conditions } = body as N3Patch;`
`38`	`40`
`39`		`- const accessModes = new Set<AccessMode>();`
	`41`	`+ const requiredModes: AccessMap = new IdentifierSetMultiMap();`
`40`	`42`
`41`	`43`	`// When ?conditions is non-empty, servers MUST treat the request as a Read operation.`
`42`	`44`	`if (conditions.length > 0) {`
`43`		`- accessModes.add(AccessMode.read);`
	`45`	`+ requiredModes.add(target, AccessMode.read);`
`44`	`46`	`}`
`45`	`47`	`// When ?insertions is non-empty, servers MUST (also) treat the request as an Append operation.`
`46`	`48`	`if (inserts.length > 0) {`
`47`		`- accessModes.add(AccessMode.append);`
	`49`	`+ requiredModes.add(target, AccessMode.append);`
`48`	`50`	`if (!await this.resourceSet.hasResource(target)) {`
`49`		`- accessModes.add(AccessMode.create);`
	`51`	`+ requiredModes.add(target, AccessMode.create);`
`50`	`52`	`}`
`51`	`53`	`}`
`52`	`54`	`// When ?deletions is non-empty, servers MUST treat the request as a Read and Write operation.`
`53`	`55`	`if (deletes.length > 0) {`
`54`		`- accessModes.add(AccessMode.read);`
`55`		`- accessModes.add(AccessMode.write);`
	`56`	`+ requiredModes.add(target, AccessMode.read);`
	`57`	`+ requiredModes.add(target, AccessMode.write);`
`56`	`58`	`}`
`57`	`59`
`58`		`- return accessModes;`
	`60`	`+ return requiredModes;`
`59`	`61`	`}`
`60`	`62`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,9 @@ import type { Representation } from '../../http/representation/Representation';`
`4`	`4`	`import type { SparqlUpdatePatch } from '../../http/representation/SparqlUpdatePatch';`
`5`	`5`	`import type { ResourceSet } from '../../storage/ResourceSet';`
`6`	`6`	`import { NotImplementedHttpError } from '../../util/errors/NotImplementedHttpError';`
	`7`	`+import { IdentifierSetMultiMap } from '../../util/map/IdentifierMap';`
`7`	`8`	`import { ModesExtractor } from './ModesExtractor';`
	`9`	`+import type { AccessMap } from './Permissions';`
`8`	`10`	`import { AccessMode } from './Permissions';`
`9`	`11`
`10`	`12`	`/**`
`@@ -34,31 +36,31 @@ export class SparqlUpdateModesExtractor extends ModesExtractor {`
`34`	`36`	`}`
`35`	`37`	`}`
`36`	`38`
`37`		`- public async handle({ body, target }: Operation): Promise<Set<AccessMode>> {`
	`39`	`+ public async handle({ body, target }: Operation): Promise<AccessMap> {`
`38`	`40`	// Verified in `canHandle` call
`39`	`41`	`const update = (body as SparqlUpdatePatch).algebra as Algebra.DeleteInsert;`
`40`		`- const modes = new Set<AccessMode>();`
	`42`	`+ const requiredModes: AccessMap = new IdentifierSetMultiMap();`
`41`	`43`
`42`	`44`	`if (this.isNop(update)) {`
`43`		`- return modes;`
	`45`	`+ return requiredModes;`
`44`	`46`	`}`
`45`	`47`
`46`	`48`	`// Access modes inspired by the requirements on N3 Patch requests`
`47`	`49`	`if (this.hasConditions(update)) {`
`48`		`- modes.add(AccessMode.read);`
	`50`	`+ requiredModes.add(target, AccessMode.read);`
`49`	`51`	`}`
`50`	`52`	`if (this.hasInserts(update)) {`
`51`		`- modes.add(AccessMode.append);`
	`53`	`+ requiredModes.add(target, AccessMode.append);`
`52`	`54`	`if (!await this.resourceSet.hasResource(target)) {`
`53`		`- modes.add(AccessMode.create);`
	`55`	`+ requiredModes.add(target, AccessMode.create);`
`54`	`56`	`}`
`55`	`57`	`}`
`56`	`58`	`if (this.hasDeletes(update)) {`
`57`		`- modes.add(AccessMode.read);`
`58`		`- modes.add(AccessMode.write);`
	`59`	`+ requiredModes.add(target, AccessMode.read);`
	`60`	`+ requiredModes.add(target, AccessMode.write);`
`59`	`61`	`}`
`60`	`62`
`61`		`- return modes;`
	`63`	`+ return requiredModes;`
`62`	`64`	`}`
`63`	`65`
`64`	`66`	`private isSparql(data: Representation): data is SparqlUpdatePatch {`