Merge branch 'master' of github.com:Pylons/pyramid

1 files changed, 99 insertions, 0 deletions

diff --git a/CHANGES.txt b/CHANGES.txt
index a228fbb3a..98784f3d7 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -4,12 +4,68 @@ Unreleased
 Features
 --------
 
+- An authorization API has been added as a method of the
+  request: ``request.has_permission``.
+
+  ``request.has_permission`` is a method-based alternative to the
+  ``pyramid.security.has_permission`` API and works exactly the same.  The
+  older API is now deprecated.
+
+- Property API attributes have been added to the request for easier access to
+  authentication data: ``request.authenticated_userid``,
+  ``request.unauthenticated_userid``, and ``request.effective_principals``.
+
+  These are analogues, respectively, of
+  ``pyramid.security.authenticated_userid``,
+  ``pyramid.security.unauthenticated_userid``, and
+  ``pyramid.security.effective_principals``.  They operate exactly the same,
+  except they are attributes of the request instead of functions accepting a
+  request.  They are properties, so they cannot be assigned to.  The older
+  function-based APIs are now deprecated.
+
 - Pyramid's console scripts (``pserve``, ``pviews``, etc) can now be run
   directly, allowing custom arguments to be sent to the python interpreter
   at runtime. For example::
 
       python -3 -m pyramid.scripts.pserve development.ini
 
+- Added a specific subclass of ``HTTPBadRequest`` named
+  ``pyramid.exceptions.BadCSRFToken`` which will now be raised in response
+  to failures in ``check_csrf_token``.
+  See https://github.com/Pylons/pyramid/pull/1149
+
+- Added a new ``SignedCookieSessionFactory`` which is very similar to the
+  ``UnencryptedCookieSessionFactoryConfig`` but with a clearer focus on
+  signing content. The custom serializer arguments to this function should
+  only focus on serializing, unlike its predecessor which required the
+  serializer to also perform signing.
+  See https://github.com/Pylons/pyramid/pull/1142
+
+- Added a new ``BaseCookieSessionFactory`` which acts as a generic cookie
+  factory that can be used by framework implementors to create their own
+  session implementations. It provides a reusable API which focuses strictly
+  on providing a dictionary-like object that properly handles renewals,
+  timeouts, and conformance with the ``ISession`` API.
+  See https://github.com/Pylons/pyramid/pull/1142
+
+- The anchor argument to ``pyramid.request.Request.route_url`` and
+  ``pyramid.request.Request.resource_url`` and their derivatives will now be
+  escaped via URL quoting to ensure minimal conformance.  See
+  https://github.com/Pylons/pyramid/pull/1183
+
+- Allow sending of ``_query`` and ``_anchor`` options to
+  ``pyramid.request.Request.static_url`` when an external URL is being
+  generated.
+  See https://github.com/Pylons/pyramid/pull/1183
+
+- You can now send a string as the ``_query`` argument to
+  ``pyramid.request.Request.route_url`` and
+  ``pyramid.request.Request.resource_url`` and their derivatives.  When a
+  string is sent instead of a list or dictionary. it is URL-quoted however it
+  does not need to be in ``k=v`` form.  This is useful if you want to be able
+  to use a different query string format than ``x-www-form-urlencoded``.  See
+  https://github.com/Pylons/pyramid/pull/1183
+
 Bug Fixes
 ---------
 
@@ -32,6 +88,16 @@ Bug Fixes
 
 - Remove unused ``renderer`` argument from ``Configurator.add_route``.
 
+- Allow the ``BasicAuthenticationPolicy`` to work with non-ascii usernames
+  and passwords. The charset is not passed as part of the header and different
+  browsers alternate between UTF-8 and Latin-1, so the policy now attempts
+  to decode with UTF-8 first, and will fallback to Latin-1.
+  See https://github.com/Pylons/pyramid/pull/1170
+
+- The ``@view_defaults`` now apply to notfound and forbidden views
+  that are defined as methods of a decorated class.
+  See https://github.com/Pylons/pyramid/issues/1173
+
 Documentation
 -------------
 
@@ -40,6 +106,9 @@ Documentation
 - Removed mention of ``pyramid_beaker`` from docs.  Beaker is no longer 
   maintained.  Point people at ``pyramid_redis_sessions`` instead.
 
+- Add documentation for ``pyramid.interfaces.IRendererFactory`` and
+  ``pyramid.interfaces.IRenderer``.
+
 Backwards Incompatibilities
 ---------------------------
 
@@ -50,6 +119,36 @@ Backwards Incompatibilities
   situation, leaving a query string of ``a=b&key=``.
   See https://github.com/Pylons/pyramid/issues/1119
 
+Deprecations
+------------
+
+- Deprecate the ``pyramid.interfaces.ITemplateRenderer`` interface. It was
+  ill-defined and became unused when Mako and Chameleon template bindings were
+  split into their own packages.
+
+- The ``pyramid.session.UnencryptedCookieSessionFactoryConfig`` API has been 
+  deprecated and is superseded by the 
+  ``pyramid.session.SignedCookieSessionFactory``.  Note that while the cookies
+  generated by the ``UnencryptedCookieSessionFactoryConfig``
+  are compatible with cookies generated by old releases, cookies generated by
+  the SignedCookieSessionFactory are not. See 
+  https://github.com/Pylons/pyramid/pull/1142
+
+- The ``pyramid.security.has_permission`` API is now deprecated.  Instead, use
+  the newly-added ``has_permission`` method of the request object.
+
+- The ``pyramid.security.effective_principals`` API is now deprecated.
+  Instead, use the newly-added ``effective_principals`` attribute of the
+  request object.
+
+- The ``pyramid.security.authenticated_userid`` API is now deprecated.
+  Instead, use the newly-added ``authenticated_userid`` attribute of the
+  request object.
+
+- The ``pyramid.security.unauthenticated_userid`` API is now deprecated.
+  Instead, use the newly-added ``unauthenticated_userid`` attribute of the
+  request object.
+
 1.5a2 (2013-09-22)
 ==================