Parent attributes with child creation (fixes #803, #101) #828
Conversation
leplatrem
force-pushed
the
803-parent-metadata-with-child-creation
branch
from
5939c63
to
9eb3249
Compare
|
I applied the same logics to bucket metadata ( Maybe we shouldn't and keep it for record+collection metadata only? What do you think @enguerran / @magopian ? |
|
I don't see any drawbacks in having the same behavior. Do you think it could be a security issue or something? |
|
|
||
| - Parent metadata is now readable if children creation is allowed | ||
| - Now returns a ``412`` instead of a ``403`` if the ``If-None-Match: *`` header is | ||
| provided and the ``create`` permission is allowed |
There was a problem hiding this comment.
Do you want to add a note about the fact that GETing the list of records will return an empty list (and not a 403) if the user doesn't have the read permission on the collection, and has not created any records yet? (as discussed in the issue #803)
There was a problem hiding this comment.
I believe test_list_can_be_obtained_if_allowed_to_create and test_list_is_denied_if_not_allowed_to_create cover this (?)
There was a problem hiding this comment.
Sure, the tests and the code are there, but how was wondering if you wanted to add a note to the changelog about that?
| def test_list_can_be_obtained_if_allowed_to_create(self): | ||
| resp = self.app.get('/buckets/beer/collections', headers=self.bob_headers) | ||
| self.assertEqual(len(resp.json['data']), 1) | ||
| self.assertEqual(resp.json['data'][0]['id'], 'barley') |
There was a problem hiding this comment.
I thought one could only see the list of his own created entries, or is that only for records? Is it expected that Bob can see this collection, while he only has the "create" permission on collections, and the 'barley' collection has been created by Alice?
There was a problem hiding this comment.
the barley collection was created by Bob (and Alice is allowed to create records). But you're right, the current version of the patch is not correct. I added a failing test that shows that users should only see their own records in this particular case.
I wouldn't say a security issue, but it makes the impact of the change bigger. |
leplatrem
changed the title
|
I cannot take a decision on this as I am not yet aware enough of kinto permissions system. I do discussed with @Natim. But I cannot understand how my needs are different from formbuilder's. Extract from https://github.com/Kinto/formbuilder/blob/master/formbuilder/actions/server.js:
The extra need is
In formbuilder, access are controlled by "encoded" URL. If you have the admin token, you'll have access to the collection's administration. If you have the user token, you'll have access to the form and can only create a record. As far as I could understand formbuilder's code. If I create a collection of "url with admin token" in a specific user's default bucket, I guess an admin could have access to several forms' administration. Again, I am just a beginner user of kinto and maybe I am wrong. |
suggested by @magopian
leplatrem
changed the title
leplatrem
changed the title
|
This cannot be reviewed without going through each commit. I'm very confident in the code and the test suite though. I changed and simplified a lot of code. Basically:
Don't hesitate to ping me for questions! @magopian r? |
| allowed = shared is not None | ||
| # If allowed to create this kind of object on parent, then allow to obtain the list. | ||
| if len(bound_perms) > 0: | ||
| parent_uri = bound_perms[0][0] # Bounds perms are ordered. |
There was a problem hiding this comment.
This takes the first object URI of the bound perms.
But the first is not always the parent! (Ex. record → collection → bucket)
So I guess this is wrong for records, because it will check that the user has the permission record:create on /buckets/test which will never be the case.
leplatrem
force-pushed
the
803-parent-metadata-with-child-creation
branch
from
f87e8d6
to
8e238d4
Compare
|
Final r+ my friends? |
|
\o/ |
leplatrem
changed the title
Fixes #803, Fixes #101