Kinto · leplatrem · Oct 4, 2016 · Sep 21, 2016 · Sep 26, 2016 · Sep 26, 2016
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -18,6 +18,13 @@ This document describes changes between each past release.
   don't have this field. If we're comparing to anything else, the record
   without such a field is treated as if it had '' as the value for this field.
   (fixes #815)
+- Parent **attributes are now readable** if children creation is allowed. That means for example
+  that collection attributes are now readable to users with ``record:create`` permission.
+  Same applies to bucket attributes and ``collection:create`` and ``group:create`` (fixes #803)
+- Return an empty list on the plural endpoint instead of ``403`` if the ``create``
+  permission is allowed
+
+Protocol is now at version **1.11**. See `API changelog`_.
 
 **Bug fixes**
 

diff --git a/docs/api/1.x/permissions.rst b/docs/api/1.x/permissions.rst
@@ -39,16 +39,17 @@ of object.
 |                |                        |                                  |
 +----------------+------------------------+----------------------------------+
 | Bucket         | ``read``               | Read all objects in the bucket.  |
-|                |                        |                                  |
 |                +------------------------+----------------------------------+
 |                | ``write``              | Write + read on the              |
 |                |                        | bucket and all children objects. |
 |                +------------------------+----------------------------------+
 |                | ``collection:create``  | Create new                       |
-|                |                        | collections in the bucket.       |
+|                |                        | collections in the bucket,       |
+|                |                        | and read bucket metadata.        |
 |                +------------------------+----------------------------------+
 |                | ``group:create``       | Create new groups                |
-|                |                        | in the bucket.                   |
+|                |                        | in the bucket,                   |
+|                |                        | and read bucket metadata.        |
 +----------------+------------------------+----------------------------------+
 | Collection     | ``read``               | Read all                         |
 |                |                        | objects in the collection.       |
@@ -57,7 +58,8 @@ of object.
 |                |                        | the collection.                  |
 |                +------------------------+----------------------------------+
 |                | ``record:create``      | Create new records               |
-|                |                        | in the collection.               |
+|                |                        | in the collection,               |
+|                |                        | and read collection metadata.    |
 +----------------+------------------------+----------------------------------+
 | Record         | ``read``               | Read the record.                 |
 |                |                        | record.                          |

diff --git a/docs/api/index.rst b/docs/api/index.rst
@@ -14,6 +14,11 @@ Changelog
 1.11 (unreleased)
 '''''''''''''''''
 
+- Parent attributes are now readable if children creation is allowed
+- Return an empty list on the plural endpoint instead of |status-403| if the ``create``
+  permission is allowed
+- Now returns a |status-412| instead of a |status-403| if the ``If-None-Match: *`` header is
+  provided and the ``create`` permission is allowed
 - The ``permissions`` attribute is now empty in the response if the user does not
   have the permission to write.
 

diff --git a/kinto/__init__.py b/kinto/__init__.py
@@ -13,7 +13,7 @@
 __version__ = pkg_resources.get_distribution(__package__).version
 
 # Implemented HTTP API Version
-HTTP_API_VERSION = '1.10'
+HTTP_API_VERSION = '1.11'
 
 # Main kinto logger
 logger = logging.getLogger(__name__)

diff --git a/kinto/authorization.py b/kinto/authorization.py
@@ -1,6 +1,6 @@
 import re
 
-from pyramid.security import IAuthorizationPolicy, Authenticated
+from pyramid.security import IAuthorizationPolicy
 from zope.interface import implementer
 
 from kinto.core import authorization as core_authorization
@@ -24,131 +24,150 @@
 
 # Dictionary which list all permissions a given permission enables.
 PERMISSIONS_INHERITANCE_TREE = {
-    'bucket:write': {
-        'bucket': ['write']
+    '': {  # Granted via settings only.
+        'bucket:create': {},
+        'write': {},
+        'read': {},
     },
-    'bucket:read': {
-        'bucket': ['write', 'read']
+    'bucket': {
+        'write': {
+            'bucket': ['write']
+        },
+        'read': {
+            'bucket': ['write', 'read'],
+        },
+        'read:attributes': {
+            'bucket': ['write', 'read', 'collection:create', 'group:create']
+        },
+        'group:create': {
+            'bucket': ['write', 'group:create']
+        },
+        'collection:create': {
+            'bucket': ['write', 'collection:create']
+        },
     },
-    'bucket:group:create': {
-        'bucket': ['write', 'group:create']
+    'group': {
+        'write': {
+            'bucket': ['write'],
+            'group': ['write']
+        },
+        'read': {
+            'bucket': ['write', 'read'],
+            'group': ['write', 'read']
+        },
     },
-    'bucket:collection:create': {
-        'bucket': ['write', 'collection:create']
+    'collection': {
+        'write': {
+            'bucket': ['write'],
+            'collection': ['write'],
+        },
+        'read': {
+            'bucket': ['write', 'read'],
+            'collection': ['write', 'read'],
+        },
+        'read:attributes': {
+            'bucket': ['write', 'read'],
+            'collection': ['write', 'read', 'record:create'],
+        },
+        'record:create': {
+            'bucket': ['write'],
+            'collection': ['write', 'record:create']
+        },
     },
-    'group:write': {
-        'bucket': ['write'],
-        'group': ['write']
-    },
-    'group:read': {
-        'bucket': ['write', 'read'],
-        'group': ['write', 'read']
-    },
-    'collection:write': {
-        'bucket': ['write'],
-        'collection': ['write'],
-    },
-    'collection:read': {
-        'bucket': ['write', 'read'],
-        'collection': ['write', 'read'],
-    },
-    'collection:record:create': {
-        'bucket': ['write'],
-        'collection': ['write', 'record:create']
-    },
-    'record:write': {
-        'bucket': ['write'],
-        'collection': ['write'],
-        'record': ['write']
-    },
-    'record:read': {
-        'bucket': ['write', 'read'],
-        'collection': ['write', 'read'],
-        'record': ['write', 'read']
+    'record': {
+        'write': {
+            'bucket': ['write'],
+            'collection': ['write'],
+            'record': ['write']
+        },
+        'read': {
+            'bucket': ['write', 'read'],
+            'collection': ['write', 'read'],
+            'record': ['write', 'read']
+        },
     }
 }
 
 
-def get_object_type(object_uri):
-    """Return the type of an object from its id."""
-    if re.match(r'/buckets/(.+)/collections/(.+)/records/(.+)?', object_uri):
-        return 'record'
-    if re.match(r'/buckets/(.+)/collections/(.+)?', object_uri):
-        return 'collection'
-    if re.match(r'/buckets/(.+)/groups/(.+)?', object_uri):
-        return 'group'
-    if re.match(r'/buckets/(.+)?', object_uri):
-        return 'bucket'
-    return None
-
-
-def build_permission_tuple(obj_type, unbound_permission, obj_parts):
-    """Returns a tuple of (object_uri, unbound_permission)"""
+def _resource_endpoint(object_uri):
+    """Determine the resource name and whether it is the plural endpoint from
+    the specified `object_uri`. Returns `(None, None)` for the root URL plural
+    endpoint.
+    """
+    url_patterns = [
+        ('record', r'/buckets/(.+)/collections/(.+)/records/(.+)?'),
+        ('collection', r'/buckets/(.+)/collections/(.+)?'),
+        ('group', r'/buckets/(.+)/groups/(.+)?'),
+        ('bucket', r'/buckets/(.+)?'),
+        ('', r'/(buckets)')  # Root buckets list.
+    ]
+    for resource_name, pattern in url_patterns:
+        m = re.match(pattern, object_uri)
+        if m:
+            plural = '/' in m.groups()[-1]
+            return resource_name, plural
+    raise ValueError("%r is not a resource." % object_uri)
+
+
+def _relative_object_uri(resource_name, object_uri):
+    """Returns object_uri
+    """
+    obj_parts = object_uri.split('/')
     PARTS_LENGTH = {
+        '': 1,
         'bucket': 3,
         'collection': 5,
         'group': 5,
         'record': 7
     }
-    if obj_type not in PARTS_LENGTH:
-        raise ValueError('Invalid object type: %s' % obj_type)
+    length = PARTS_LENGTH[resource_name]
+    parent_uri = '/'.join(obj_parts[:length])
 
-    if PARTS_LENGTH[obj_type] > len(obj_parts):
-        raise ValueError('You cannot build children keys from its parent key.'
-                         'Trying to build type "%s" from object key "%s".' % (
-                             obj_type, '/'.join(obj_parts)))
-    length = PARTS_LENGTH[obj_type]
-    return ('/'.join(obj_parts[:length]), unbound_permission)
+    if length > len(obj_parts):
+        error_msg = 'Cannot get URL of resource %r from parent %r.'
+        raise ValueError(error_msg % (resource_name, parent_uri))
 
+    return parent_uri
 
-def build_permissions_set(object_uri, unbound_permission,
-                          inheritance_tree=None):
-    """Build a set of all permissions that can grant access to the given
-    object URI and unbound permission.
 
-    >>> build_required_permissions('/buckets/blog', 'write')
-    set(('/buckets/blog', 'write'))
+def _inherited_permissions(object_uri, permission):
+    """Build the list of all permissions that can grant access to the given
+    object URI and permission.
 
-    """
+    >>> _inherited_permissions('/buckets/blog/collections/article', 'read')
+    [('/buckets/blog/collections/article', 'write'),
+     ('/buckets/blog/collections/article', 'read'),
+     ('/buckets/blog', 'write'),
+     ('/buckets/blog', 'read')]
 
-    if inheritance_tree is None:
-        inheritance_tree = PERMISSIONS_INHERITANCE_TREE
+    """
+    try:
+        resource_name, plural = _resource_endpoint(object_uri)
+    except ValueError:
+        return []  # URL that are not resources have no inherited perms.
 
-    obj_type = get_object_type(object_uri)
+    object_perms_tree = PERMISSIONS_INHERITANCE_TREE[resource_name]
 
-    # Unknown object type, does not map the INHERITANCE_TREE.
-    # In that case, the set of related permissions is empty.
-    if obj_type is None:
-        return set()
+    # When requesting permissions for a single object, we check if they are any
+    # specific inherited permissions for the attributes.
+    attributes_permission = '%s:attributes' % permission if not plural else permission
+    inherited_perms = object_perms_tree.get(attributes_permission, object_perms_tree[permission])
 
-    bound_permission = '%s:%s' % (obj_type, unbound_permission)
     granters = set()
+    for related_resource_name, implicit_permissions in inherited_perms.items():
+        for permission in implicit_permissions:
+            related_uri = _relative_object_uri(related_resource_name, object_uri)
+            granters.add((related_uri, permission))
 
-    obj_parts = object_uri.split('/')
-    for obj, permission_list in inheritance_tree[bound_permission].items():
-        for permission in permission_list:
-            granters.add(build_permission_tuple(obj, permission, obj_parts))
-
-    return granters
+    # Sort by ascending URLs.
+    return sorted(granters, key=lambda uri_perm: len(uri_perm[0]), reverse=True)
 
 
 @implementer(IAuthorizationPolicy)
 class AuthorizationPolicy(core_authorization.AuthorizationPolicy):
     def get_bound_permissions(self, *args, **kwargs):
-        return build_permissions_set(*args, **kwargs)
+        return _inherited_permissions(*args, **kwargs)
 
 
 class RouteFactory(core_authorization.RouteFactory):
     pass
-
-
-class BucketRouteFactory(RouteFactory):
-    def fetch_shared_records(self, perm, principals, get_bound_permissions):
-        """Buckets list is authorized even if no object is accessible for
-        the current principals.
-        """
-        shared = super(BucketRouteFactory, self).fetch_shared_records(
-            perm, principals, get_bound_permissions)
-        if shared is None and Authenticated in principals:
-            self.shared_ids = []
-        return self.shared_ids