Add ability to disable explicit permissions at object level (ref #893)

Kinto · Oct 1, 2020 · c104252 · c104252
1 parent 02a9545
commit c104252
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 1 deletion.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -6,6 +6,10 @@ This document describes changes between each past release.
 14.0.2 (unreleased)
 -------------------
 
+**New feature**
+
+- Add ability to disable explicit permissions at object level (ref #893). Use ``kinto.explicit_permissions = false`` to only rely on inherited permissions (see settings docs)
+
 **Internal Changes**
 
 - Distinguish readonly errors in storage backend (``kinto.core.storage.exceptions.ReadonlyError``)

diff --git a/kinto/core/__init__.py b/kinto/core/__init__.py
@@ -44,6 +44,7 @@
     "eos": None,
     "eos_message": None,
     "eos_url": None,
+    "explicit_permissions": True,
     "error_info_link": "https://github.com/Kinto/kinto/issues/",
     "http_host": None,
     "http_scheme": None,
@@ -155,7 +156,7 @@ def includeme(config):
     config.registry.heartbeats = {}
 
     # Public settings registry.
-    config.registry.public_settings = {"batch_max_requests", "readonly"}
+    config.registry.public_settings = {"batch_max_requests", "readonly", "explicit_permissions"}
 
     # Directive to declare arbitrary API capabilities.
     def add_api_capability(config, identifier, description="", url="", **kw):

diff --git a/kinto/core/resource/model.py b/kinto/core/resource/model.py
@@ -81,6 +81,15 @@ def _annotate(self, obj, perm_object_id):
 
     def _allow_write(self, perm_object_id):
         """Helper to give the ``write`` permission to the current user."""
+
+        # Without explicit permissions, the ACLs on the object will
+        # fully depend on the inherited permission tree (eg. read/write on parent).
+        # This basically means that if user loose the permission on the
+        # parent, they also loose the permission on children.
+        # See https://github.com/Kinto/kinto/issues/893
+        if not asbool(settings['explicitly_permissions']):
+            return
+
         self.permission.add_principal_to_ace(perm_object_id, "write", self.current_principal)
 
     def get_objects(

diff --git a/kinto/plugins/history/listener.py b/kinto/plugins/history/listener.py
@@ -109,6 +109,14 @@ def on_resource_changed(event):
         # Note: this will be rolledback if the transaction is rolledback.
         entry = storage.create(parent_id=bucket_uri, resource_name="history", obj=attrs)
 
+        # Without explicit permissions, the ACLs on the history entries will
+        # fully depend on the inherited permission tree (eg. bucket:read, bucket:write).
+        # This basically means that if user loose the permissions on the related
+        # object, they also loose the permission on the history entry.
+        # See https://github.com/Kinto/kinto/issues/893
+        if not asbool(settings['explicitly_permissions']):
+            return
+
         # The read permission on the newly created history entry is the union
         # of the object permissions with the one from bucket and collection.
         entry_principals = set(read_principals)