| author | Michael Merickel <michael@merickel.org> | 2017-04-29 01:43:38 -0500 |
|---|---|---|
| committer | Michael Merickel <michael@merickel.org> | 2017-04-29 02:04:58 -0500 |
| commit | 682a9b9df6f42f8261daa077f04b47b65bf00c34 (patch) | |
| tree | 54232513a60d4c94b21221280e9138f7a2219485 /CHANGES.txt | |
| parent | 4b3603ad2f4850605c45e1b7bf4f077584303641 (diff) | |
final cleanup of csrf decoupling in #2854

- Renamed `SessionCSRFStoragePolicy` to `LegacySessionCSRFStoragePolicy` for
the version that uses the legacy `ISession.get_csrf_token` and
`ISession.new_csrf_token` apis and set that as the default.
- Added new `SessionCSRFStoragePolicy` that stores data in the session
similar to how the `SessionAuthenticationPolicy` works.
- `CookieCSRFStoragePolicy` did not properly return the newly generated
token from `get_csrf_token` after calling `new_csrf_token`. It needed
to cache the new value since the response callback does not affect
the current request.
- `CookieCSRFStoragePolicy` was not forwarding the `domain` value to the
`CookieProfile` causing that setting to be ignored.
- Removed `check_csrf_token` from the `ICSRFStoragePolicy` interface
to simplify implementations of storage policies.
- Added an introspectable item for the configured storage policy so that
it appears on the debugtoolbar.
- Added a change note on `ISession` that it no longer required the csrf methods.
- Leave deprecated shims in ``pyramid.session`` for
``check_csrf_origin`` and ``check_csrf_token``.

Diffstat (limited to 'CHANGES.txt')
| -rw-r--r-- | CHANGES.txt | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/CHANGES.txt b/CHANGES.txt index 762550053..7d70abbb8 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -24,12 +24,13 @@ Features can be alleviated by invoking ``config.begin()`` and ``config.end()`` appropriately. See https://github.com/Pylons/pyramid/pull/2989 -- A new CSRF implementation, :class:`pyramid.csrf.SessionCSRF` has been added, - which delegates all CSRF generation to the current session, following the - old API for this. A ``get_csrf_token()`` method is now available in template - global scope, to make it easy for template developers to get the current CSRF - token without adding it to Python code. - See https://github.com/Pylons/pyramid/pull/2854 +- A new CSRF implementation, ``pyramid.csrf.SessionCSRFStoragePolicy``, + has been added which delegates all CSRF generation to the current session, + following the old API for this. A ``pyramid.csrf.get_csrf_token()`` api is now + available in template global scope, to make it easy for template developers + to get the current CSRF token without adding it to Python code. + See https://github.com/Pylons/pyramid/pull/2854 and + https://github.com/Pylons/pyramid/pull/3019 Bug Fixes |
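Review bot: the rewritten Features entry attaches "delegates all CSRF generation to the current session, following the old API for this" to ``pyramid.csrf.SessionCSRFStoragePolicy``, but the commit message says that behaviour now lives in `LegacySessionCSRFStoragePolicy` (renamed and set as the default), while the new `SessionCSRFStoragePolicy` stores its data in the session in the style of `SessionAuthenticationPolicy`. As written, the changelog describes the legacy policy under the new class's name. I would name `LegacySessionCSRFStoragePolicy` in this sentence, state that it is the default, and add a separate sentence for the new `SessionCSRFStoragePolicy`, so readers choosing a CSRF storage policy know which one relies on `ISession.get_csrf_token` and `ISession.new_csrf_token`. The same entry could also mention the removal of `check_csrf_token` from `ICSRFStoragePolicy`, since the commit message lists it and third-party policy implementations are affected by an interface change.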
