Do not allow to search if no read permission on collection or bucket (f…

…ixes #7)

CHANGELOG.rst

@@ -13,6 +13,7 @@ Changelog
 **Bug fixes**
 
 - Only index records if the storage transaction is committed (fixes #15)
+- Do not allow to search if no read permission on collection or bucket (fixes #7)
 
 
 0.0.1 (2017-05-22)

kinto_elasticsearch/views.py

@@ -3,6 +3,7 @@
 import elasticsearch
 from kinto.core import authorization
 from kinto.core import Service
+from kinto.core import utils
 
 
 logger = logging.getLogger(__name__)
@@ -11,7 +12,8 @@
 class RouteFactory(authorization.RouteFactory):
     def __init__(self, request):
         super().__init__(request)
-        self.permission_object_id = request.path.replace("/search", "/records")
+        records_plural = utils.strip_uri_prefix(request.path.replace("/search", "/records"))
+        self.permission_object_id = records_plural
         self.required_permission = "read"
 
 

tests/__init__.py

@@ -19,6 +19,7 @@ def __init__(self, *args, **kwargs):
         self.headers.update(get_user_headers('mat'))
 
     def tearDown(self):
+        super().tearDown()
         self.app.app.registry.indexer.flush()
 
     @classmethod

tests/test_elasticsearch.py

@@ -65,6 +65,8 @@ def test_response_is_served_if_indexer_fails(self):
 
 class SearchView(BaseWebTest, unittest.TestCase):
     def test_search_response_is_empty_if_indexer_fails(self):
+        self.app.put("/buckets/bid", headers=self.headers)
+        self.app.put("/buckets/bid/collections/cid", headers=self.headers)
         with mock.patch("kinto_elasticsearch.indexer.Indexer.search",
                         side_effect=elasticsearch.ElasticsearchException):
             resp = self.app.post("/buckets/bid/collections/cid/search",