Merge pull request #3019 from mmerickel/fixes/csrf-decoupling-2854

Decouple CSRF protection from the session machinery (replaced #2854)

1 files changed, 12 insertions, 0 deletions

diff --git a/CHANGES.txt b/CHANGES.txt
index 8868e6ff7..a2e2d6db1 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -24,6 +24,14 @@ Features
   can be alleviated by invoking ``config.begin()`` and ``config.end()``
   appropriately. See https://github.com/Pylons/pyramid/pull/2989
 
+- A new CSRF implementation, ``pyramid.csrf.SessionCSRFStoragePolicy``,
+  has been added which delegates all CSRF generation to the current session,
+  following the old API for this. A ``pyramid.csrf.get_csrf_token()`` api is now
+  available in template global scope, to make it easy for template developers
+  to get the current CSRF token without adding it to Python code.
+  See https://github.com/Pylons/pyramid/pull/2854 and
+  https://github.com/Pylons/pyramid/pull/3019
+
 - The ``pyramid.config.Configurator`` can now be used as a context manager
   which will automatically push/pop threadlocals (similar to
   ``config.begin()`` and ``config.end()``). It will also automatically perform
@@ -56,3 +64,7 @@ Backward Incompatibilities
 
 Documentation Changes
 ---------------------
+
+- Retrieving CSRF token from the session has been deprecated, in favor of
+  equivalent methods in :mod:`pyramid.csrf`.
+  See https://github.com/Pylons/pyramid/pull/2854