Kinto

Latest version: v18.1.0

3.3.0

Not secure
------------------

**Protocol**

- Add new *experimental* endpoint ``GET /v1/permissions`` to retrieve the list of permissions
granted on every kind of object (600).
Requires ``kinto.experimental_permissions_endpoint`` to be set to ``true``.

Protocol is now at version **1.8**. See `API changelog`_.

**Bug fixes**

- Fix crash in authorization policy when requesting ``GET /buckets/collections`` (fixes 695)
- Fix crash with PostgreSQL storage backend when provided id in POST is an integer (688).
Regression introduced in 3.2.0 with 655.
- Fix crash when PostgreSQL storage backend is configured as read-only and reaching
the records endpoint of an unknown collection (fixes 693, related 558)
- Fix events payloads for actions in the default bucket (fixes 704)
- Fix bug in object permissions with memory backend
- Make sure the tombstone is deleted when the record is created with PUT. (715)
- Allow filtering and sorting by any attribute on buckets, collections and groups list endpoints
- Fix crash in memory backend with Python3 when filtering on unknown field

**Internal changes**

- Resource events constructors signatures were changed. The event payload is now
built immediately when the event is fired instead of during transaction commit (704).
- Fix crash when a resource is registered without record path.
- Changed behaviour of accessible objects in permissions backend when list of
bound permissions is empty.
- Bump ``last_modified`` on record when provided value is equal to previous
in storage ``update()`` method (713)
- Add ability to delete records and purge tombstones with just the ``parent_id``
parameter (711)
- Bucket deletion is now a lot more efficient, since all sub-objects are
deleted with a single operation on storage backend (711)
- Added ``get_objects_permissions()`` method in ``permission`` backend (714)
- Changed ``get_accessible_objects()``, ``get_authorized_principals()`` methods
in ``permission`` backend (714)
- Simplified and improved the code quality of ``kinto.core.authorization``,
mainly by keeping usage of ``get_bound_permissions`` callback in one place only.

3.2.0

Not secure
------------------

**Protocol**

- Allow record IDs to be any string instead of just UUIDs (fixes 655).

Protocol is now at version **1.7**. See `API changelog`_.

**New features**

- ``kinto start`` now accepts a ``--port`` option to specify which port to listen to.
**Important**: Because of a limitation in `Pyramid tooling <http://stackoverflow.com/a/21228232/147077>`_,
it won't work if the port is hard-coded in your existing ``.ini`` file. Replace
it with ``%(http_port)s`` or generate a new configuration file with ``kinto init``.
- Add support for ``pool_timeout`` option in Redis backend (fixes 620)
- Add new setting ``kinto.heartbeat_timeout_seconds`` to control the maximum duration
of the heartbeat endpoint (fixes 601)
- Ability to define ID generators per object type via the settings

**Bug fixes**

- Fix loss of data attributes when permissions are replaced with ``PUT`` (fixes 601)
- Fix 400 response when posting data with ``id: "default"`` in default bucket.
- Fix 500 on heartbeat endpoint when a check does not follow the specs and raises instead of
returning false.

**Internal changes**

- Renamed some permission backend methods for consistency with other classes (fixes 608)
- Removed some deprecated code that had been in ``kinto.core`` for too long.

**Documentation**

- Mention in groups documentation that the principal of a group to be used in a permissions
definition is the full URI (e.g. ``"write": ["/buckets/blog/groups/authors"]``)
- Fix typo in GitHub tutorial (thanks SwhGo_oN, 673)
- New Kinto logo (thanks AymericFaivre, 676)
- Add a slack badge to the README (675)
- Add new questions on FAQ (thanks enguerran, 678)
- Fix links to examples (thanks maxdow, 680)

3.1.0

Not secure
------------------

**Protocol**

- Added the ``GET /contribute.json`` endpoint for open-source information (fixes 607)

Protocol is now at version **1.6**. See `API changelog`_.


**Bug fixes**

- Fix internal storage filtering when an empty list of values is provided.
- Authenticated users are now allowed to obtain an empty list of buckets on
``GET /buckets`` even if no bucket is readable (454)
- Fix enabling flush endpoint with ``KINTO_FLUSH_ENDPOINT_ENABLED`` environment variable (fixes 588)
- Fix reading settings for events listeners from environment variables (fixes 515)
- Fix principal added to ``write`` permission when a publicly writable object
is created/edited (fixes 645)
- Prevent clients from caching and validating authenticated requests (fixes 635)
- Fix bug that prevented startup if old Cliquet configuration values
were still around (633)

**Documentation**

- Improved documentation about running in production with uWSGI (543, 545)

3.0.1

Not secure
------------------

**Bug fixes**

- Fix crash when a cache expires setting is set for a specific bucket or collection. (597)
- Mark old cliquet backend settings as deprecated (but continue to support them). (596)

3.0.0

Not secure
------------------

- Major version update. Merged cliquet into kinto.core. This is
intended to simplify the experience of people who are new to Kinto.
Addresses 687.
- Removed ``initialize_cliquet()``, which has been deprecated for a while.
- Removed ``cliquet_protocol_version``. Kinto already defines
incompatible API variations as part of its URL format (e.g. ``/v0``,
``/v1``). Services based on kinto.core are free to use
``http_api_version`` to indicate any additional changes to their
APIs.
- Simplify settings code. Previously, ``public_settings`` could be
prefixed with a project name, which would be reflected in the output
of the ``hello`` view. However, this was never part of the API
specification, and was meant to be solely a backwards-compatibility
hack for first-generation Kinto clients. Kinto public settings
should always be exposed unprefixed. Applications developed against
kinto.core can continue using these names even after they transition
clients to the new implementation of their service.

**Bug fixes**

- Add an explicit message when the server is configured as read-only and the
collection timestamp fails to be saved (ref Kinto/kinto558)
- Prevent the browser from caching server responses between two sessions. (593)
- Redirects version prefix to hello page when trailing_slash_redirect is enabled. (700)
- Fix crash when setting empty permission list with PostgreSQL permission backend (fixes Kinto/kinto575)
- Fix crash when type of values in querystring for exclude/include is wrong (fixes Kinto/kinto587)
- Fix crash when providing duplicated principals in permissions with PostgreSQL permission backend (fixes 702)
- Add ``app.wsgi`` to the manifest file. This helps address 543.

2.1.1

Not secure
------------------

**Bug fixes**

- Fix crash in JSON schema validation when additional properties are provided (fixes 548)
- Strip internal fields before validating JSON schema (fixes 549)
- Fix migration of triggers in PostgreSQL storage backend when upgrading from Kinto<2.0.
Running the ``migrate`` command will basically re-create them (fixes 559)

**Documentation**

- Fix typo in RHEL installation instructions (552, thanks enkidulan!)
- Link to English version of Kinto presentation article (553, thanks glasserc!)
- Document basics about PostgreSQL privileges (547)
- Change links from readthedocs.org to readthedocs.io (557)
- Fix Parse server license in docs (571, thanks revolunet!)
