author: Michael Merickel <michael@merickel.org> 2016-04-16 15:49:18 -0500
committer: Michael Merickel <michael@merickel.org> 2016-04-17 15:55:52 -0500
commit: d9c20d0a5002052df675b8a06b2e8711dc1cb586
tree: 1e7a275968f03d8433f8190128f7a0ed28bd20af /HISTORY.txt
parent: b5f065906f75efdcc9f80d4f0b8b4092e92b41c0
flip master to 1.8
Diffstat (limited to 'HISTORY.txt')
-rw-r--r-- HISTORY.txt 140
1 files changed, 140 insertions, 0 deletions
diff --git a/HISTORY.txt b/HISTORY.txt
index b7f30ff86..53a17a4d3 100644
--- a/HISTORY.txt
+++ b/HISTORY.txt
@@ -1,3 +1,143 @@
+1.7a1 (2016-04-16)
+==================
+
+Backward Incompatibilities
+--------------------------
+
+- Following the Pyramid deprecation period (1.4 -> 1.6),
+ AuthTktAuthenticationPolicy's default hashing algorithm is changing from md5
+ to sha512. If you are using the authentication policy and need to continue
+ using md5, please explicitly set hashalg to 'md5'.
+
+ This change does mean that any existing auth tickets (and associated cookies)
+ will no longer be valid, and users will no longer be logged in, and have to
+ login to their accounts again.
+
+ See https://github.com/Pylons/pyramid/pull/2496
+
+- The ``check_csrf_token`` function no longer validates a csrf token in the
+ query string of a request. Only headers and request bodies are supported.
+ See https://github.com/Pylons/pyramid/pull/2500
+
+Features
+--------
+
+- Added a new setting, ``pyramid.require_default_csrf`` which may be used
+ to turn on CSRF checks globally for every POST request in the application.
+ This should be considered a good default for websites built on Pyramid.
+ It is possible to opt-out of CSRF checks on a per-view basis by setting
+ ``require_csrf=False`` on those views.
+ See https://github.com/Pylons/pyramid/pull/2413
+
+- Added a ``require_csrf`` view option which will enforce CSRF checks on any
+ request with an unsafe method as defined by RFC2616. If the CSRF check fails
+ a ``BadCSRFToken`` exception will be raised and may be caught by exception
+ views (the default response is a ``400 Bad Request``). This option should be
+ used in place of the deprecated ``check_csrf`` view predicate which would
+ normally result in unexpected ``404 Not Found`` response to the client
+ instead of a catchable exception. See
+ https://github.com/Pylons/pyramid/pull/2413 and
+ https://github.com/Pylons/pyramid/pull/2500
+
+- Added an additional CSRF validation that checks the origin/referrer of a
+ request and makes sure it matches the current ``request.domain``. This
+ particular check is only active when accessing a site over HTTPS as otherwise
+ browsers don't always send the required information. If this additional CSRF
+ validation fails a ``BadCSRFOrigin`` exception will be raised and may be
+ caught by exception views (the default response is ``400 Bad Request``).
+ Additional allowed origins may be configured by setting
+ ``pyramid.csrf_trusted_origins`` to a list of domain names (with ports if on
+ a non standard port) to allow. Subdomains are not allowed unless the domain
+ name has been prefixed with a ``.``. See
+ https://github.com/Pylons/pyramid/pull/2501
+
+- Added a new ``pyramid.session.check_csrf_origin`` API for validating the
+ origin or referrer headers against the request's domain.
+ See https://github.com/Pylons/pyramid/pull/2501
+
+- Pyramid HTTPExceptions will now take into account the best match for the
+ clients Accept header, and depending on what is requested will return
+ text/html, application/json or text/plain. The default for */* is still
+ text/html, but if application/json is explicitly mentioned it will now
+ receive a valid JSON response. See
+ https://github.com/Pylons/pyramid/pull/2489
+
+- A new event and interface (BeforeTraversal) has been introduced that will
+ notify listeners before traversal starts in the router. See
+ https://github.com/Pylons/pyramid/pull/2469 and
+ https://github.com/Pylons/pyramid/pull/1876
+
+- Add a new "view deriver" concept to Pyramid to allow framework authors to
+ inject elements into the standard Pyramid view pipeline and affect all
+ views in an application. This is similar to a decorator except that it
+ has access to options passed to ``config.add_view`` and can affect other
+ stages of the pipeline such as the raw response from a view or prior to
+ security checks. See https://github.com/Pylons/pyramid/pull/2021
+
+- Allow a leading ``=`` on the key of the request param predicate.
+ For example, '=abc=1' is equivalent down to
+ ``request.params['=abc'] == '1'``.
+ See https://github.com/Pylons/pyramid/pull/1370
+
+- A new ``request.invoke_exception_view(...)`` method which can be used to
+ invoke an exception view and get back a response. This is useful for
+ rendering an exception view outside of the context of the excview tween
+ where you may need more control over the request.
+ See https://github.com/Pylons/pyramid/pull/2393
+
+- Allow using variable substitutions like ``%(LOGGING_LOGGER_ROOT_LEVEL)s``
+ for logging sections of the .ini file and populate these variables from
+ the ``pserve`` command line -- e.g.:
+ ``pserve development.ini LOGGING_LOGGER_ROOT_LEVEL=DEBUG``
+ See https://github.com/Pylons/pyramid/pull/2399
+
+Documentation Changes
+---------------------
+
+- A complete overhaul of the docs:
+
+ - Use pip instead of easy_install.
+ - Become opinionated by preferring Python 3.4 or greater to simplify
+ installation of Python and its required packaging tools.
+ - Use venv for the tool, and virtual environment for the thing created,
+ instead of virtualenv.
+ - Use py.test and pytest-cov instead of nose and coverage.
+ - Further updates to the scaffolds as well as tutorials and their src files.
+
+ See https://github.com/Pylons/pyramid/pull/2468
+
+- A complete overhaul of the ``alchemy`` scaffold as well as the
+ Wiki2 SQLAlchemy + URLDispatch tutorial to introduce more modern features
+ into the usage of SQLAlchemy with Pyramid and provide a better starting
+ point for new projects.
+ See https://github.com/Pylons/pyramid/pull/2024
+
+Bug Fixes
+---------
+
+- Fix ``pserve --browser`` to use the ``--server-name`` instead of the
+ app name when selecting a section to use. This was only working for people
+ who had server and app sections with the same name, for example
+ ``[app:main]`` and ``[server:main]``.
+ See https://github.com/Pylons/pyramid/pull/2292
+
+Deprecations
+------------
+
+- The ``check_csrf`` view predicate has been deprecated. Use the
+ new ``require_csrf`` option or the ``pyramid.require_default_csrf`` setting
+ to ensure that the ``BadCSRFToken`` exception is raised.
+ See https://github.com/Pylons/pyramid/pull/2413
+
+- Support for Python 3.3 will be removed in Pyramid 1.8.
+ https://github.com/Pylons/pyramid/issues/2477
+
+- Python 2.6 is no longer supported by Pyramid. See
+ https://github.com/Pylons/pyramid/issues/2368
+
+- Dropped Python 3.2 support.
+ See https://github.com/Pylons/pyramid/pull/2256
+
1.6 (2016-01-03)
================
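Review bot: The two CSRF entries under Features describe different scopes: the ``pyramid.require_default_csrf`` entry says it turns on checks "for every POST request", while the ``require_csrf`` entry says checks apply to "any request with an unsafe method as defined by RFC2616". A reader deciding whether PUT or DELETE handlers are covered by the global setting cannot tell from this text, so please make both entries use the same wording for whichever behaviour is correct. Separately, the Deprecations section lists "Python 2.6 is no longer supported" and "Dropped Python 3.2 support", which are removals rather than deprecations and would be easier to find under Backward Incompatibilities.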