No inheritance for permissions forced in settings

[leplatrem]

For example, if I give write permissions in settings

kinto.bucket_write_principals = basicauth:c6c27f0c7297ba7d4abd2a70c8a2cb88

This user has permission to write, but not to read, whereas write implies read when permissions are specified through the JSON API.

[jesse-thompson]

Hi, I was looking to contribute. This would be my first time contributing to a project, and after looking around I'm not sure if this issue has been fixed or not. When going through the "getting started" steps, I'm still only seeing bob as having write permission.
Looking through the code, I'm leaning towards the applicable file being kinto -> authorization.py and the applicable code block being the PERMISSIONS_INHERITANCE_TREE at line 26.
I only saw bucket_write_principals in kinto -> views -> permissions.py, but only within a comment. I'm not really sure where to go with that.
Am I way off or should I dive in here?

[leplatrem]

Thanks for your interest in the kinto project!

This is not an easy one ;)

But yes, you're on the right direction. I would suggest you start by writing a test that describes the intent. And iterate from there using a draft pull-request.

I think that the main issue is that settings are read when checking permission (here but they are not matched with the "inheritance tree" to expand them (eg. write means read, or bucket:write means collection:write, etc.)
The work around is to specify them all in the .ini config file, which is not a big deal, that's why this issue was never worked on.