| author | Michael Merickel <michael@merickel.org> | 2016-04-15 00:33:20 -0500 |
|---|---|---|
| committer | Michael Merickel <michael@merickel.org> | 2016-04-15 00:33:20 -0500 |
| commit | 2945f739480a31b3e260b3efdbf17cda2e97142a (patch) | |
| tree | 29eedab34707ec9c21a389c273d15f20e40d59e1 /CHANGES.txt | |
| parent | ed4c2a03711277a665b89ed32d56a54bd3857de6 (diff) | |
curate the changelog
Diffstat (limited to 'CHANGES.txt')
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | CHANGES.txt | 350 |
1 files changed, 24 insertions, 326 deletions
diff --git a/CHANGES.txt b/CHANGES.txt index ead9eb4b9..bc4b1aa79 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -11,12 +11,28 @@ Backward Incompatibilities This change does mean that any existing auth tickets (and associated cookies) will no longer be valid, and users will no longer be logged in, and have to - login to their accounts again. No other backwards incompatible changes have - been made. + login to their accounts again. + + See https://github.com/Pylons/pyramid/pull/2496 Features -------- +- Added a new setting, ``pyramid.require_default_csrf`` which may be used + to turn on CSRF checks globally for every POST request in the application. + This should be considered a good default for websites built on Pyramid. + It is possible to opt-out of CSRF checks on a per-view basis by setting + ``require_csrf=False`` on those views. + See https://github.com/Pylons/pyramid/pull/2413 + +- Added a ``require_csrf`` view option which will enforce CSRF checks on POST + requests. If the CSRF check fails a ``BadCSRFToken`` exception will be + raised and may be caught by exception views (the default response is a + ``400 Bad Request``). This option should be used in place of the deprecated + ``check_csrf`` view predicate which would normally result in unexpected + ``404 Not Found`` response to the client instead of a catchable exception. + See https://github.com/Pylons/pyramid/pull/2413 + - Pyramid HTTPExceptions will now take into account the best match for the clients Accept header, and depending on what is requested will return text/html, application/json or text/plain. The default for */* is still @@ -36,7 +52,6 @@ Features stages of the pipeline such as the raw response from a view or prior to security checks. See https://github.com/Pylons/pyramid/pull/2021 - - Allow a leading ``=`` on the key of the request param predicate. For example, '=abc=1' is equivalent down to ``request.params['=abc'] == '1'``. 
@@ -87,7 +102,12 @@ Bug Fixes Deprecations ------------ -- (Deprecation) Support for Python 3.3 will be removed in Pyramid 1.8. +- The ``check_csrf`` view predicate has been deprecated. Use the + new ``require_csrf`` option or the ``pyramid.require_default_csrf`` setting + to ensure that the ``BadCSRFToken`` exception is raised. + See https://github.com/Pylons/pyramid/pull/2413 + +- Support for Python 3.3 will be removed in Pyramid 1.8. https://github.com/Pylons/pyramid/issues/2477 - Python 2.6 is no longer supported by Pyramid. See 
@@ -95,325 +115,3 @@ Deprecations - Dropped Python 3.2 support. See https://github.com/Pylons/pyramid/pull/2256 - - -1.6 (2015-04-14) -================ - -Backward Incompatibilities --------------------------- - -- IPython and BPython support have been removed from pshell in the core. - To continue using them on Pyramid 1.6+ you must install the binding - packages explicitly:: - - $ pip install pyramid_ipython - - or - - $ pip install pyramid_bpython - -Features --------- - -- pcreate will now ask for confirmation if invoked with - an argument for a project name that already exists or - is importable in the current environment. - See https://github.com/Pylons/pyramid/issues/1357 and - https://github.com/Pylons/pyramid/pull/1837 - -- Make it possible to subclass ``pyramid.request.Request`` and also use - ``pyramid.request.Request.add_request.method``. See - https://github.com/Pylons/pyramid/issues/1529 - -- The ``pyramid.config.Configurator`` has grown the ability to allow - actions to call other actions during a commit-cycle. This enables much more - logic to be placed into actions, such as the ability to invoke other actions - or group them for improved conflict detection. We have also exposed and - documented the config phases that Pyramid uses in order to further assist - in building conforming addons. - See https://github.com/Pylons/pyramid/pull/1513 - -- Add ``pyramid.request.apply_request_extensions`` function which can be - used in testing to apply any request extensions configured via - ``config.add_request_method``. Previously it was only possible to test - the extensions by going through Pyramid's router. - See https://github.com/Pylons/pyramid/pull/1581 - -- pcreate when run without a scaffold argument will now print information on - the missing flag, as well as a list of available scaffolds. - See https://github.com/Pylons/pyramid/pull/1566 and - https://github.com/Pylons/pyramid/issues/1297 - -- Added support / testing for 'pypy3' under Tox and Travis. 
- See https://github.com/Pylons/pyramid/pull/1469 - -- Automate code coverage metrics across py2 and py3 instead of just py2. - See https://github.com/Pylons/pyramid/pull/1471 - -- Cache busting for static resources has been added and is available via a new - ``pyramid.config.Configurator.add_cache_buster`` API. Core APIs are shipped - for both cache busting via query strings and via asset manifests for - integrating into custom asset pipelines. - See https://github.com/Pylons/pyramid/pull/1380 and - https://github.com/Pylons/pyramid/pull/1583 and - https://github.com/Pylons/pyramid/pull/2171 - -- Add ``pyramid.config.Configurator.root_package`` attribute and init - parameter to assist with includeable packages that wish to resolve - resources relative to the package in which the ``Configurator`` was created. - This is especially useful for addons that need to load asset specs from - settings, in which case it is may be natural for a developer to define - imports or assets relative to the top-level package. - See https://github.com/Pylons/pyramid/pull/1337 - -- Added line numbers to the log formatters in the scaffolds to assist with - debugging. See https://github.com/Pylons/pyramid/pull/1326 - -- Add new HTTP exception objects for status codes - ``428 Precondition Required``, ``429 Too Many Requests`` and - ``431 Request Header Fields Too Large`` in ``pyramid.httpexceptions``. - See https://github.com/Pylons/pyramid/pull/1372/files - -- The ``pshell`` script will now load a ``PYTHONSTARTUP`` file if one is - defined in the environment prior to launching the interpreter. - See https://github.com/Pylons/pyramid/pull/1448 - -- Make it simple to define notfound and forbidden views that wish to use - the default exception-response view but with altered predicates and other - configuration options. The ``view`` argument is now optional in - ``config.add_notfound_view`` and ``config.add_forbidden_view``.. 
- See https://github.com/Pylons/pyramid/issues/494 - -- Greatly improve the readability of the ``pcreate`` shell script output. - See https://github.com/Pylons/pyramid/pull/1453 - -- Improve robustness to timing attacks in the ``AuthTktCookieHelper`` and - the ``SignedCookieSessionFactory`` classes by using the stdlib's - ``hmac.compare_digest`` if it is available (such as Python 2.7.7+ and 3.3+). - See https://github.com/Pylons/pyramid/pull/1457 - -- Assets can now be overidden by an absolute path on the filesystem when using - the ``config.override_asset`` API. This makes it possible to fully support - serving up static content from a mutable directory while still being able - to use the ``request.static_url`` API and ``config.add_static_view``. - Previously it was not possible to use ``config.add_static_view`` with an - absolute path **and** generate urls to the content. This change replaces - the call, ``config.add_static_view('/abs/path', 'static')``, with - ``config.add_static_view('myapp:static', 'static')`` and - ``config.override_asset(to_override='myapp:static/', - override_with='/abs/path/')``. The ``myapp:static`` asset spec is completely - made up and does not need to exist - it is used for generating urls - via ``request.static_url('myapp:static/foo.png')``. - See https://github.com/Pylons/pyramid/issues/1252 - -- Added ``pyramid.config.Configurator.set_response_factory`` and the - ``response_factory`` keyword argument to the ``Configurator`` for defining - a factory that will return a custom ``Response`` class. - See https://github.com/Pylons/pyramid/pull/1499 - -- Allow an iterator to be returned from a renderer. Previously it was only - possible to return bytes or unicode. - See https://github.com/Pylons/pyramid/pull/1417 - -- ``pserve`` can now take a ``-b`` or ``--browser`` option to open the server - URL in a web browser. See https://github.com/Pylons/pyramid/pull/1533 - -- Overall improvments for the ``proutes`` command. 
Added ``--format`` and - ``--glob`` arguments to the command, introduced the ``method`` - column for displaying available request methods, and improved the ``view`` - output by showing the module instead of just ``__repr__``. - See https://github.com/Pylons/pyramid/pull/1488 - -- Support keyword-only arguments and function annotations in views in - Python 3. See https://github.com/Pylons/pyramid/pull/1556 - -- ``request.response`` will no longer be mutated when using the - ``pyramid.renderers.render_to_response()`` API. It is now necessary to - pass in a ``response=`` argument to ``render_to_response`` if you wish to - supply the renderer with a custom response object for it to use. If you - do not pass one then a response object will be created using the - application's ``IResponseFactory``. Almost all renderers - mutate the ``request.response`` response object (for example, the JSON - renderer sets ``request.response.content_type`` to ``application/json``). - However, when invoking ``render_to_response`` it is not expected that the - response object being returned would be the same one used later in the - request. The response object returned from ``render_to_response`` is now - explicitly different from ``request.response``. This does not change the - API of a renderer. See https://github.com/Pylons/pyramid/pull/1563 - -- The ``append_slash`` argument of ```Configurator().add_notfound_view()`` will - now accept anything that implements the ``IResponse`` interface and will use - that as the response class instead of the default ``HTTPFound``. See - https://github.com/Pylons/pyramid/pull/1610 - -- Additional shells for ``pshell`` can now be registered as entrypoints. See - https://github.com/Pylons/pyramid/pull/1891 and - https://github.com/Pylons/pyramid/pull/2012 - -- The variables injected into ``pshell`` are now displayed with their - docstrings instead of the default ``str(obj)`` when possible. 
- See https://github.com/Pylons/pyramid/pull/1929 - -- ``pserve --reload`` will no longer crash on syntax errors!!! - See https://github.com/Pylons/pyramid/pull/2044 - -Bug Fixes ---------- - -- Work around an issue where ``pserve --reload`` would leave terminal echo - disabled if it reloaded during a pdb session. - See https://github.com/Pylons/pyramid/pull/1577, - https://github.com/Pylons/pyramid/pull/1592 - -- ``pyramid.wsgi.wsgiapp`` and ``pyramid.wsgi.wsgiapp2`` now raise - ``ValueError`` when accidentally passed ``None``. - See https://github.com/Pylons/pyramid/pull/1320 - -- Fix an issue whereby predicates would be resolved as maybe_dotted in the - introspectable but not when passed for registration. This would mean that - ``add_route_predicate`` for example can not take a string and turn it into - the actual callable function. - See https://github.com/Pylons/pyramid/pull/1306 - -- Fix ``pyramid.testing.setUp`` to return a ``Configurator`` with a proper - package. Previously it was not possible to do package-relative includes - using the returned ``Configurator`` during testing. There is now a - ``package`` argument that can override this behavior as well. - See https://github.com/Pylons/pyramid/pull/1322 - -- Fix an issue where a ``pyramid.response.FileResponse`` may apply a charset - where it does not belong. See https://github.com/Pylons/pyramid/pull/1251 - -- Work around a bug introduced in Python 2.7.7 on Windows where - ``mimetypes.guess_type`` returns Unicode rather than str for the content - type, unlike any previous version of Python. See - https://github.com/Pylons/pyramid/issues/1360 for more information. - -- ``pcreate`` now normalizes the package name by converting hyphens to - underscores. See https://github.com/Pylons/pyramid/pull/1376 - -- Fix an issue with the final response/finished callback being unable to - add another callback to the list. 
See - https://github.com/Pylons/pyramid/pull/1373 - -- Fix a failing unittest caused by differing mimetypes across various OSs. - See https://github.com/Pylons/pyramid/issues/1405 - -- Fix route generation for static view asset specifications having no path. - See https://github.com/Pylons/pyramid/pull/1377 - -- Allow the ``pyramid.renderers.JSONP`` renderer to work even if there is no - valid request object. In this case it will not wrap the object in a - callback and thus behave just like the ``pyramid.renderers.JSON`` renderer. - See https://github.com/Pylons/pyramid/pull/1561 - -- Prevent "parameters to load are deprecated" ``DeprecationWarning`` - from setuptools>=11.3. See https://github.com/Pylons/pyramid/pull/1541 - -- Avoiding sharing the ``IRenderer`` objects across threads when attached to - a view using the `renderer=` argument. These renderers were instantiated - at time of first render and shared between requests, causing potentially - subtle effects like `pyramid.reload_templates = true` failing to work - in `pyramid_mako`. See https://github.com/Pylons/pyramid/pull/1575 - and https://github.com/Pylons/pyramid/issues/1268 - -- Avoiding timing attacks against CSRF tokens. - See https://github.com/Pylons/pyramid/pull/1574 - -- ``request.finished_callbacks`` and ``request.response_callbacks`` now - default to an iterable instead of ``None``. It may be checked for a length - of 0. This was the behavior in 1.5. - -- ``pyramid.httpexceptions.HTTPException`` now defaults to - ``520 Unknown Error`` instead of ``None None`` to conform with changes in - WebOb 1.5. - See https://github.com/Pylons/pyramid/pull/1865 - -- ``pshell`` will now preserve the capitalization of variables in the - ``[pshell]`` section of the INI file. This makes exposing classes to the - shell a little more straightfoward. 
- See https://github.com/Pylons/pyramid/pull/1883 - -- Fix an issue when user passes unparsed strings to ``pyramid.session.CookieSession`` - and ``pyramid.authentication.AuthTktCookieHelper`` for time related parameters - ``timeout``, ``reissue_time``, ``max_age`` that expect an integer value. - See https://github.com/Pylons/pyramid/pull/2050 - -- Fixed usage of ``pserve --monitor-restart --daemon`` which would fail in - horrible ways. See https://github.com/Pylons/pyramid/pull/2118 - -- Explicitly prevent ``pserve --reload --daemon`` from being used. It's never - been supported but would work and fail in weird ways. - See https://github.com/Pylons/pyramid/pull/2119 - -- Fix an issue on Windows when running ``pserve --reload`` in which the - process failed to fork because it could not find the pserve script to - run. See https://github.com/Pylons/pyramid/pull/2137 - -- Ensure that ``IAssetDescriptor.abspath`` always returns an absolute path. - There were cases depending on the process CWD that a relative path would - be returned. See https://github.com/Pylons/pyramid/issues/2187 - - -Deprecations ------------- - -- The ``pserve`` command's daemonization features have been deprecated as well - as ``--monitor-restart``. This includes the ``[start,stop,restart,status]`` - subcommands as well as the ``--daemon``, ``--stop-daemon``, ``--pid-file``, - ``--status``, ``--user`` and ``--group`` flags. - See https://github.com/Pylons/pyramid/pull/2120 - and https://github.com/Pylons/pyramid/pull/2189 - and https://github.com/Pylons/pyramid/pull/1641 - - Please use a real process manager in the future instead of relying on the - ``pserve`` to daemonize itself. Many options exist including your Operating - System's services such as Systemd or Upstart, as well as Python-based - solutions like Circus and Supervisor. 
- - See https://github.com/Pylons/pyramid/pull/1641 - and https://github.com/Pylons/pyramid/pull/2120 - -- Renamed the ``principal`` argument to ``pyramid.security.remember()`` to - ``userid`` in order to clarify its intended purpose. - See https://github.com/Pylons/pyramid/pull/1399 - -Docs ----- - -- Moved the documentation for ``accept`` on ``Configurator.add_view`` to no - longer be part of the predicate list. See - https://github.com/Pylons/pyramid/issues/1391 for a bug report stating - ``not_`` was failing on ``accept``. Discussion with @mcdonc led to the - conclusion that it should not be documented as a predicate. - See https://github.com/Pylons/pyramid/pull/1487 for this PR - -- Removed logging configuration from Quick Tutorial ini files except for - scaffolding- and logging-related chapters to avoid needing to explain it too - early. - -- Clarify a previously-implied detail of the ``ISession.invalidate`` API - documentation. - -- Improve and clarify the documentation on what Pyramid defines as a - ``principal`` and a ``userid`` in its security APIs. - See https://github.com/Pylons/pyramid/pull/1399 - -- Add documentation of command line programs (``p*`` scripts). See - https://github.com/Pylons/pyramid/pull/2191 - -Scaffolds ---------- - -- Update scaffold generating machinery to return the version of pyramid and - pyramid docs for use in scaffolds. Updated starter, alchemy and zodb - templates to have links to correctly versioned documentation and reflect - which pyramid was used to generate the scaffold. - -- Removed non-ascii copyright symbol from templates, as this was - causing the scaffolds to fail for project generation. - -- You can now run the scaffolding func tests via ``tox py2-scaffolds`` and - ``tox py3-scaffolds``. - |
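Review bot: in the first hunk (the two new Features entries for ``pyramid.require_default_csrf`` and ``require_csrf``), the scope of the check is described only as "every POST request" / "POST requests", with nothing said about the other state-changing methods (PUT, PATCH, DELETE) or about the safe ones (GET, HEAD); someone enabling the global setting on a JSON API will read that literally, so either list the methods the check covers and exempts or point at the documentation section that does. The ``require_csrf`` entry could also say at what point in request processing the check runs relative to the view's permission check, so that nobody treats it as a substitute for authorization.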
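Review bot: in the Deprecations hunk, the new ``check_csrf`` entry tells users what to migrate to but not how the deprecated predicate now behaves (whether it emits a ``DeprecationWarning``) or in which release it is scheduled for removal; the adjacent Python 3.3 entry does name its removal version (1.8), so give ``check_csrf`` the same treatment. Minor: while that Python 3.3 line is being rewritten, add the "See" before its URL that every other entry in the file uses ("See https://github.com/Pylons/pyramid/issues/2477").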
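Review bot: the third hunk deletes the entire 1.6 (2015-04-14) section, which includes security-relevant history such as the ``hmac.compare_digest`` timing-attack hardening for ``AuthTktCookieHelper`` and ``SignedCookieSessionFactory`` (https://github.com/Pylons/pyramid/pull/1457) and the CSRF token timing fix (https://github.com/Pylons/pyramid/pull/1574), and neither this diff nor the commit message "curate the changelog" says where those entries now live. Because this view is limited to CHANGES.txt, a move into a historical changelog file in the same commit would not be visible here; please state it in the commit message and leave a one-line pointer at the top of CHANGES.txt, and if the entries were simply dropped, restore them, since users auditing what a given Pyramid release fixed depend on this file.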
