Features

--------

- In support of making it easier to configure applications which are
  "secure by default", a default permission feature was added.  If
  supplied, the default permission is used as the permission string to
  all view registrations which don't otherwise name a permission.
  These APIs are in support of that:

  - A new constructor argument was added to the Configurator:
    ``default_permission``.

  - A new method was added to the Configurator:
    ``set_default_permission``.

  - A new ZCML directive was added: ``default_permission``.

Documentation
-------------

- Added documentation for the ``default_permission`` ZCML directive.

- Added documentation for the ``default_permission`` constructor value
  and the ``set_default_permission`` method in the Configurator API
  documentation.

- Added a new section to the "security" chapter named "Setting a
  Default Permission".

- Document ``renderer_globals_factory`` and ``request_factory``
  arguments to Configurator constructor.

1 files changed, 0 insertions, 7 deletions

diff --git a/TODO.txt b/TODO.txt
index 2a81a5741..ce29c9e46 100644
--- a/TODO.txt
+++ b/TODO.txt
@@ -62,10 +62,3 @@
 - Change "Cleaning up After a Request" in the urldispatch chapter to
   use ``request.add_response_callback``.
 
-- Add a default_view_permission setting:
-
-  From IRC: if I use something like http://bfg.repoze.org/pastebin/764
-  (does it even make any sense?), why do I still have to put
-  view_permission="something_random" inside every <route>, so that
-  those alc's kick in? or am I doing it completely wrong?
-