Kinto

Latest version: v18.1.0


5.1.0

Not secure
------------------

**Protocol**

- Add a ``basicauth`` capability when activated on the server. (937)
- Add ability to delete history entries using ``DELETE`` (958)

Protocol is now at version **1.13**. See `API changelog`_.

**Bug fixes**

- Permissions are now correctly removed from permission backend when a parent
object is deleted (fixes 898)
- Heartbeat of storage backend does not leave tombstones (fixes 985)
- Fix ``record_id`` attribute in history entries when several records are
modified via a batch request (fixes 942)
- Fix crash on redirection when path contains control characters (fixes 962)
- Fix crash on redirection when path contains unicode characters (982)
- Fix performance issue when fetching shared objects from plural endpoints (fixes 965)
- Fix JSON-Merge validation (fixes 979)
- Fix crash when ``If-Match`` or ``If-None-Match`` headers contain invalid
unicode data (fixes 983)
- Add missing ``ETag`` and ``Last-Modified`` headers on ``POST`` and ``DELETE``
responses (980)
- Return 404 on non-existing objects for users with read permissions (fixes 918)
- Fix pagination with DELETE on plural endpoints (fixes 987)

**New features**

- Activate ``basicauth`` in admin by default. (943)
- Add a setting to limit the maximum number of bytes cached in the memory backend. (610)
- Add a setting to exclude certain resources from being tracked by history (fixes 964)

**Backend changes**

- ``storage.delete_all()`` now accepts ``sorting``, ``pagination_rules`` and ``limit``
parameters (997)
- ``permissions.get_accessible_objects()`` does not support Regexp and now accepts
a ``with_children`` parameter (975)
- ``cache.set()`` now logs a warning if ``ttl`` is ``None`` (967)

**Internal changes**

- Remove usage of assert (fixes 954)
- The ``delete_object_permissions()`` of the permission backend now supports
URI patterns (e.g. ``/bucket/id*``)
- Refactor handling of prefixed user id among request principals
- Add a warning when a cache entry is set without TTL (ref 960)
- Replaced insecure use of ``random.random()`` and ``random.choice(...)`` with
more secure ``random.SystemRandom().random()`` and
``random.SystemRandom().choice(...)``. (955)
- Removed usage of pattern matching in PostgreSQL when not necessary (ref 907, fixes 974)
- Emphasize authentication in the concepts documentation (ref 976)
- Upgrade to Kinto-Admin 1.6.0

5.0.0

Not secure
------------------

**Breaking changes**

- Upgraded to Cornice 2.0 (790)

**Protocol**

- Add support for `JSON-Patch (RFC 6902) <https://tools.ietf.org/html/rfc6902>`_.
- Add support for `JSON-Merge (RFC 7396) <https://tools.ietf.org/html/rfc7396>`_.
- Added a principals list to ``hello`` view when authenticated.
- Added details attribute to 404 errors. (818)

Protocol is now at version **1.12**. See `API changelog`_.

**New features**

- Added a new built-in plugin ``kinto.plugins.admin`` to serve the kinto admin.
- Added a new ``parse_resource`` utility to ``kinto.core.utils``

**Bug fixes**

- Fixed showing of backend type twice in StatsD backend keys (fixes 857)
- Fix crash when querystring parameter contains null string (fixes 882)
- Fix crash when redirection path contains CRLF character (fixes 887)
- Fix response status for ``OPTIONS`` requests on version redirection (fixes 852)
- Fix crash in PostgreSQL backend when specified bound permissions is empty (fixes 906)
- Permissions endpoint now exposes the user permissions defined in settings (fixes 909)
- Fix bug when two subfields are selected in partial responses (fixes 920)
- Fix crash in permission endpoint when merging permissions from settings and from
permissions backend (fixes 926)
- Fix crash in authorization policy when object ids contain unicode (fixes 931)

**Internal changes**

- Resource ``mapping`` attribute is now deprecated, use ``schema`` instead (790)
- Clarify implicit permissions when allowed to create child objects (884)
- Upgrade built-in ``admin`` plugin to Kinto Admin 1.5.0
- Do not bump timestamps in PostgreSQL storage backend when non-data columns
are modified.
- Add some specifications for the permissions endpoint with regards to inherited
permissions
- Add deletion of multiple groups in API docs (928)


Thanks to all contributors, with a special big-up for gabisurita!

4.3.1

Not secure
------------------

**Bug fixes**

- Make sure we redirect endpoints with trailing slashes with the default bucket plugin. (848)
- Fix group association when members contains ``system.Authenticated`` (fixes 776)
- Raise an error when members contains ``system.Everyone`` or a group ID (850)
- Fix StatsD view counter with 404 responses (853)
- Fixes filtering on ids with numeric values. (fixes 851)

4.3.0

Not secure
------------------

**Protocol**

- Fix error response consistency with safe creations if the ``create`` permission
is granted (fixes 792). The server now returns a ``412`` instead of a ``403`` if
the ``If-None-Match: *`` header is provided and the ``create`` permission is granted.
- The ``permissions`` attribute is now empty in the response if the user does not have
permission to write on the object (fixes 123)
- Filtering records now works the same on the memory and postgresql backends:
if we're comparing to a number, the filter will now filter out records that
don't have this field. If we're comparing to anything else, the record
without such a field is treated as if it had '' as the value for this field.
(fixes 815)
- Parent **attributes are now readable** if children creation is allowed. That means for example
that collection attributes are now readable to users with ``record:create`` permission.
Same applies to bucket attributes and ``collection:create`` and ``group:create`` (fixes 803)
- Return an empty list on the plural endpoint instead of ``403`` if the ``create``
permission is allowed

Protocol is now at version **1.11**. See `API changelog`_.

**Bug fixes**

- Fix crash in history plugin when target had no explicit permission defined (fixes 805, 842)

**New features**

- The storage backend now allows ``parent_id`` pattern matching in ``kinto.core.storage.get_all``. (821)
- The history and quotas plugins execution time is now monitored on StatsD (``kinto.plugins.quotas``
and ``kinto.plugins.history``) (832)
``kinto.version_json_path`` settings (fixes 830)

**Internal changes**

- Fixed a failing pypy test by changing the way it was mocking
``transaction.manager.commit`` (fixes 755)
- Moved storage/cache/permissions base tests to ``kinto.core.*.testing`` (fixes 801)
- Now fails with an explicit error when StatsD is configured but not installed.
- Remove redundant fields from data column in PostgreSQL records table (fixes 762)

4.2.0

Not secure
------------------

**Protocol**

- Support for filtering records based on a text search (791)

Protocol is now at version **1.10**. See `API changelog`_.

**Bug fixes**

- Fix concurrent writes in the memory backend (fixes 759)
- Fix heartbeat transaction locks with PostgreSQL backends (fixes 804)
- Fix crash with PostgreSQL storage backend when filtering with integer on
a missing field (fixes 813)

**Internal changes**

- Fix links to comparison table in docs

4.1.1

Not secure
------------------

**Bug fixes**

- Fix kinto init input function (796)
