Merge branch 'master' of github.com:Pylons/pyramid

7 files changed, 99 insertions, 36 deletions

diff --git a/CHANGES.txt b/CHANGES.txt
index e40312c34..9f5ce064f 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,12 +1,13 @@
-Next release
-============
+1.4a4 (2012-11-14)
+==================
 
 Features
 --------
 
 - ``pyramid.authentication.AuthTktAuthenticationPolicy`` has been updated to
   support newer hashing algorithms such as ``sha512``. Existing applications
-  should consider updating if possible.
+  should consider updating if possible for improved security over the default
+  md5 hashing.
 
 - Added an ``effective_principals`` route and view predicate.
 
@@ -21,18 +22,11 @@ Features
 - Slightly better debug logging from
   ``pyramid.authentication.RepozeWho1AuthenticationPolicy``.
 
-- ``pyramid.security.view_execution_permitted`` used to return `True` if no
+- ``pyramid.security.view_execution_permitted`` used to return ``True`` if no
   view could be found. It now raises a ``TypeError`` exception in that case, as
   it doesn't make sense to assert that a nonexistent view is
   execution-permitted. See https://github.com/Pylons/pyramid/issues/299.
 
-- Get rid of shady monkeypatching of ``pyramid.request.Request`` and
-  ``pyramid.response.Response`` done within the ``__init__.py`` of Pyramid.
-  Webob no longer relies on this being done.  Instead, the ResponseClass
-  attribute of the Pyramid Request class is assigned to the Pyramid response
-  class; that's enough to satisfy WebOb and behave as it did before with the
-  monkeypatching.
-
 - Allow a ``_depth`` argument to ``pyramid.view.view_config``, which will
   permit limited composition reuse of the decorator by other software that
   wants to provide custom decorators that are much like view_config.
@@ -61,14 +55,26 @@ Bug Fixes
   ``physical_path`` predicate implementations; instead of raising an exception,
   return False.
 
+- ``pyramid.view.render_view`` was not functioning properly under Python 3.x
+  due to a byte/unicode discrepancy. See
+  http://github.com/Pylons/pyramid/issues/721
+
 Deprecations
 ------------
 
-- ``pyramid.authentication.AuthTktAuthenticationPolicy`` will emit a warning
-  if an application is using the policy without explicitly setting the
-  ``hashalg``. This is because the default is "md5" which is considered
-  insecure. If you really want "md5" then you must specify it explicitly to
-  get rid of the warning.
+- ``pyramid.authentication.AuthTktAuthenticationPolicy`` will emit a warning if
+  an application is using the policy without explicitly passing a ``hashalg``
+  argument. This is because the default is "md5" which is considered
+  theoretically subject to collision attacks. If you really want "md5" then you
+  must specify it explicitly to get rid of the warning.
+
+Documentation
+-------------
+
+- All of the tutorials that use
+  ``pyramid.authentication.AuthTktAuthenticationPolicy`` now explicitly pass
+  ``sha512`` as a ``hashalg`` argument.
+
 
 Internals
 ---------
@@ -81,6 +87,13 @@ Internals
   because that package should never be imported from non-Pyramid code.
   TopologicalSorter is still not an API, but may become one.
 
+- Get rid of shady monkeypatching of ``pyramid.request.Request`` and
+  ``pyramid.response.Response`` done within the ``__init__.py`` of Pyramid.
+  Webob no longer relies on this being done.  Instead, the ResponseClass
+  attribute of the Pyramid Request class is assigned to the Pyramid response
+  class; that's enough to satisfy WebOb and behave as it did before with the
+  monkeypatching.
+
 1.4a3 (2012-10-26)
 ==================
 
diff --git a/docs/conf.py b/docs/conf.py
index 9bda4c798..5e17de18a 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -81,7 +81,7 @@ copyright = '%s, Agendaless Consulting' % datetime.datetime.now().year
 # other places throughout the built documents.
 #
 # The short X.Y version.
-version = '1.4a3'
+version = '1.4a4'
 
 # The full version, including alpha/beta/rc tags.
 release = version
diff --git a/docs/whatsnew-1.3.rst b/docs/whatsnew-1.3.rst
index 14db1fe15..f32053202 100644
--- a/docs/whatsnew-1.3.rst
+++ b/docs/whatsnew-1.3.rst
@@ -289,13 +289,6 @@ Minor Feature Additions
   not a new feature, it just provides an API for adding a resource url
   adapter without needing to use the ZCA API.
 
-- The :meth:`pyramid.config.Configurator.scan` method can now be passed an
-  ``ignore`` argument, which can be a string, a callable, or a list
-  consisting of strings and/or callables.  This feature allows submodules,
-  subpackages, and global objects from being scanned.  See
-  http://readthedocs.org/docs/venusian/en/latest/#ignore-scan-argument for
-  more information about how to use the ``ignore`` argument to ``scan``.
-
 - Better error messages when a view callable returns a value that cannot be
   converted to a response (for example, when a view callable returns a
   dictionary without a renderer defined, or doesn't return any value at all).
diff --git a/docs/whatsnew-1.4.rst b/docs/whatsnew-1.4.rst
index 59e1f7a96..5da28bb03 100644
--- a/docs/whatsnew-1.4.rst
+++ b/docs/whatsnew-1.4.rst
@@ -77,6 +77,11 @@ Subrequest Support
 Minor Feature Additions
 -----------------------
 
+- :class:`pyramid.authentication.AuthTktAuthenticationPolicy` has been updated
+  to support newer hashing algorithms such as ``sha512``. Existing applications
+  should consider updating if possible for improved security over the default
+  md5 hashing.
+
 - :meth:`pyramid.config.Configurator.add_directive` now accepts arbitrary
   callables like partials or objects implementing ``__call__`` which don't
   have ``__name__`` and ``__doc__`` attributes.  See
@@ -182,7 +187,6 @@ Minor Feature Additions
   :meth:`pyramid.config.testing_securitypolicy` now sets a ``forgotten`` value 
   on the policy (the value ``True``) when its ``forget`` method is called.
 
-
 - The DummySecurityPolicy created by
   :meth:`pyramid.config.testing_securitypolicy` now sets a
   ``remembered`` value on the policy, which is the value of the ``principal``
@@ -196,6 +200,31 @@ Minor Feature Additions
   view when some object is traversed to, but you can't be sure about what kind
   of object it will be, so you can't use the ``context`` predicate.  
 
+- Added an ``effective_principals`` route and view predicate.
+
+- Do not allow the userid returned from the
+  :func:`pyramid.security.authenticated_userid` or the userid that is one of the
+  list of principals returned by :func:`pyramid.security.effective_principals`
+  to be either of the strings ``system.Everyone`` or ``system.Authenticated``
+  when any of the built-in authorization policies that live in
+  :mod:`pyramid.authentication` are in use.  These two strings are reserved for
+  internal usage by Pyramid and they will no longer be accepted as valid
+  userids.
+
+- Allow a ``_depth`` argument to :class:`pyramid.view.view_config`, which will
+  permit limited composition reuse of the decorator by other software that
+  wants to provide custom decorators that are much like view_config.
+
+- Allow an iterable of decorators to be passed to
+  :meth:`pyramid.config.Configurator.add_view`. This allows views to be wrapped
+  by more than one decorator without requiring combining the decorators 
+  yourself.
+
+- :func:`pyramid.security.view_execution_permitted` used to return `True` if no
+  view could be found. It now raises a :exc:`TypeError` exception in that case,
+  as it doesn't make sense to assert that a nonexistent view is
+  execution-permitted. See https://github.com/Pylons/pyramid/issues/299.
+
 Backwards Incompatibilities
 ---------------------------
 
@@ -289,6 +318,12 @@ Deprecations
   used in its place (it has all of the same capabilities but can also extend
   the request object with methods).
 
+- :class:`pyramid.authentication.AuthTktAuthenticationPolicy` will emit a
+  deprecation warning if an application is using the policy without explicitly
+  passing a ``hashalg`` argument. This is because the default is "md5" which is
+  considered theoretically subject to collision attacks. If you really want
+  "md5" then you must specify it explicitly to get rid of the warning.
+
 Documentation Enhancements
 --------------------------
 
@@ -299,6 +334,10 @@ Documentation Enhancements
 
 - Added a :ref:`subrequest_chapter` chapter to the narrative documentation.
 
+- All of the tutorials that use
+  :class:`pyramid.authentication.AuthTktAuthenticationPolicy` now explicitly 
+  pass ``sha512`` as a ``hashalg`` argument.
+
 - Many cleanups and improvements to narrative and API docs.
 
 Dependency Changes
diff --git a/pyramid/tests/test_view.py b/pyramid/tests/test_view.py
index 0af941e0d..a78b0cbab 100644
--- a/pyramid/tests/test_view.py
+++ b/pyramid/tests/test_view.py
@@ -224,12 +224,29 @@ class RenderViewToIterableTests(BaseTest, unittest.TestCase):
         response = DummyResponse()
         view = make_view(response)
         def anotherview(context, request):
-            return DummyResponse('anotherview')
+            return DummyResponse(b'anotherview')
         view.__call_permissive__ = anotherview
         self._registerView(request.registry, view, 'registered')
         iterable = self._callFUT(context, request, name='registered',
                                  secure=False)
-        self.assertEqual(iterable, ['anotherview'])
+        self.assertEqual(iterable, [b'anotherview'])
+
+    def test_verify_output_bytestring(self):
+        from pyramid.request import Request
+        from pyramid.config import Configurator
+        from pyramid.view import render_view
+        from webob.compat import text_type
+        config = Configurator(settings={})
+        def view(request):
+            request.response.text = text_type('<body></body>')
+            return request.response
+
+        config.add_view(name='test', view=view)
+        config.commit()
+
+        r = Request({})
+        r.registry = config.registry
+        self.assertEqual(render_view(object(), r, 'test'), b'<body></body>')
 
     def test_call_request_has_no_registry(self):
         request = self._makeRequest()
@@ -261,7 +278,7 @@ class RenderViewTests(BaseTest, unittest.TestCase):
         view = make_view(response)
         self._registerView(request.registry, view, 'registered')
         s = self._callFUT(context, request, name='registered', secure=True)
-        self.assertEqual(s, '')
+        self.assertEqual(s, b'')
 
     def test_call_view_registered_insecure_no_call_permissive(self):
         context = self._makeContext()
@@ -270,7 +287,7 @@ class RenderViewTests(BaseTest, unittest.TestCase):
         view = make_view(response)
         self._registerView(request.registry, view, 'registered')
         s = self._callFUT(context, request, name='registered', secure=False)
-        self.assertEqual(s, '')
+        self.assertEqual(s, b'')
 
     def test_call_view_registered_insecure_with_call_permissive(self):
         context = self._makeContext()
@@ -278,11 +295,11 @@ class RenderViewTests(BaseTest, unittest.TestCase):
         response = DummyResponse()
         view = make_view(response)
         def anotherview(context, request):
-            return DummyResponse('anotherview')
+            return DummyResponse(b'anotherview')
         view.__call_permissive__ = anotherview
         self._registerView(request.registry, view, 'registered')
         s = self._callFUT(context, request, name='registered', secure=False)
-        self.assertEqual(s, 'anotherview')
+        self.assertEqual(s, b'anotherview')
 
 class TestIsResponse(unittest.TestCase):
     def setUp(self):
diff --git a/pyramid/view.py b/pyramid/view.py
index 835982e79..1a66c9e9c 100644
--- a/pyramid/view.py
+++ b/pyramid/view.py
@@ -3,6 +3,7 @@ import venusian
 from zope.interface import providedBy
 from zope.deprecation import deprecated
 
+
 from pyramid.interfaces import (
     IRoutesMapper,
     IView,
@@ -93,8 +94,8 @@ def render_view_to_iterable(context, request, name='', secure=True):
     :exc:`ValueError` if a view function is found and called but the
     view function's result does not have an ``app_iter`` attribute.
 
-    You can usually get the string representation of the return value
-    of this function by calling ``''.join(iterable)``, or just use
+    You can usually get the bytestring representation of the return value of
+    this function by calling ``b''.join(iterable)``, or just use
     :func:`pyramid.view.render_view` instead.
 
     If ``secure`` is ``True``, and the view is protected by a permission, the
@@ -116,7 +117,7 @@ def render_view(context, request, name='', secure=True):
     configuration` that matches the :term:`view name` ``name``
     registered against the specified ``context`` and ``request``
     and unwind the view response's ``app_iter`` (see
-    :ref:`the_response`) into a single string.  This function will
+    :ref:`the_response`) into a single bytestring.  This function will
     return ``None`` if a corresponding :term:`view callable` cannot be
     found (when no :term:`view configuration` matches the combination
     of ``name`` / ``context`` / and ``request``).  Additionally, this
@@ -136,7 +137,7 @@ def render_view(context, request, name='', secure=True):
     iterable = render_view_to_iterable(context, request, name, secure)
     if iterable is None:
         return None
-    return ''.join(iterable)
+    return b''.join(iterable)
 
 class view_config(object):
     """ A function, class or method :term:`decorator` which allows a
diff --git a/setup.py b/setup.py
index 4ea63a3ee..2356e76ac 100644
--- a/setup.py
+++ b/setup.py
@@ -68,7 +68,7 @@ testing_extras = tests_require + [
     ]
 
 setup(name='pyramid',
-      version='1.4a3',
+      version='1.4a4',
       description=('The Pyramid web application development framework, a '
                    'Pylons project'),
       long_description=README + '\n\n' +  CHANGES,