diff options
| -rw-r--r-- | CHANGES.txt | 350 |
1 files changed, 24 insertions, 326 deletions
diff --git a/CHANGES.txt b/CHANGES.txt index ead9eb4b9..bc4b1aa79 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -11,12 +11,28 @@ Backward Incompatibilities This change does mean that any existing auth tickets (and associated cookies) will no longer be valid, and users will no longer be logged in, and have to - login to their accounts again. No other backwards incompatible changes have - been made. + login to their accounts again. + + See https://github.com/Pylons/pyramid/pull/2496 Features -------- +- Added a new setting, ``pyramid.require_default_csrf`` which may be used + to turn on CSRF checks globally for every POST request in the application. + This should be considered a good default for websites built on Pyramid. + It is possible to opt-out of CSRF checks on a per-view basis by setting + ``require_csrf=False`` on those views. + See https://github.com/Pylons/pyramid/pull/2413 + +- Added a ``require_csrf`` view option which will enforce CSRF checks on POST + requests. If the CSRF check fails a ``BadCSRFToken`` exception will be + raised and may be caught by exception views (the default response is a + ``400 Bad Request``). This option should be used in place of the deprecated + ``check_csrf`` view predicate which would normally result in unexpected + ``404 Not Found`` response to the client instead of a catchable exception. + See https://github.com/Pylons/pyramid/pull/2413 + - Pyramid HTTPExceptions will now take into account the best match for the clients Accept header, and depending on what is requested will return text/html, application/json or text/plain. The default for */* is still @@ -36,7 +52,6 @@ Features stages of the pipeline such as the raw response from a view or prior to security checks. See https://github.com/Pylons/pyramid/pull/2021 - - Allow a leading ``=`` on the key of the request param predicate. For example, '=abc=1' is equivalent down to ``request.params['=abc'] == '1'``. @@ -87,7 +102,12 @@ Bug Fixes Deprecations ------------ -- (Deprecation) Support for Python 3.3 will be removed in Pyramid 1.8. +- The ``check_csrf`` view predicate has been deprecated. Use the + new ``require_csrf`` option or the ``pyramid.require_default_csrf`` setting + to ensure that the ``BadCSRFToken`` exception is raised. + See https://github.com/Pylons/pyramid/pull/2413 + +- Support for Python 3.3 will be removed in Pyramid 1.8. https://github.com/Pylons/pyramid/issues/2477 - Python 2.6 is no longer supported by Pyramid. See @@ -95,325 +115,3 @@ Deprecations - Dropped Python 3.2 support. See https://github.com/Pylons/pyramid/pull/2256 - - -1.6 (2015-04-14) -================ - -Backward Incompatibilities --------------------------- - -- IPython and BPython support have been removed from pshell in the core. - To continue using them on Pyramid 1.6+ you must install the binding - packages explicitly:: - - $ pip install pyramid_ipython - - or - - $ pip install pyramid_bpython - -Features --------- - -- pcreate will now ask for confirmation if invoked with - an argument for a project name that already exists or - is importable in the current environment. - See https://github.com/Pylons/pyramid/issues/1357 and - https://github.com/Pylons/pyramid/pull/1837 - -- Make it possible to subclass ``pyramid.request.Request`` and also use - ``pyramid.request.Request.add_request.method``. See - https://github.com/Pylons/pyramid/issues/1529 - -- The ``pyramid.config.Configurator`` has grown the ability to allow - actions to call other actions during a commit-cycle. This enables much more - logic to be placed into actions, such as the ability to invoke other actions - or group them for improved conflict detection. We have also exposed and - documented the config phases that Pyramid uses in order to further assist - in building conforming addons. - See https://github.com/Pylons/pyramid/pull/1513 - -- Add ``pyramid.request.apply_request_extensions`` function which can be - used in testing to apply any request extensions configured via - ``config.add_request_method``. Previously it was only possible to test - the extensions by going through Pyramid's router. - See https://github.com/Pylons/pyramid/pull/1581 - -- pcreate when run without a scaffold argument will now print information on - the missing flag, as well as a list of available scaffolds. - See https://github.com/Pylons/pyramid/pull/1566 and - https://github.com/Pylons/pyramid/issues/1297 - -- Added support / testing for 'pypy3' under Tox and Travis. - See https://github.com/Pylons/pyramid/pull/1469 - -- Automate code coverage metrics across py2 and py3 instead of just py2. - See https://github.com/Pylons/pyramid/pull/1471 - -- Cache busting for static resources has been added and is available via a new - ``pyramid.config.Configurator.add_cache_buster`` API. Core APIs are shipped - for both cache busting via query strings and via asset manifests for - integrating into custom asset pipelines. - See https://github.com/Pylons/pyramid/pull/1380 and - https://github.com/Pylons/pyramid/pull/1583 and - https://github.com/Pylons/pyramid/pull/2171 - -- Add ``pyramid.config.Configurator.root_package`` attribute and init - parameter to assist with includeable packages that wish to resolve - resources relative to the package in which the ``Configurator`` was created. - This is especially useful for addons that need to load asset specs from - settings, in which case it is may be natural for a developer to define - imports or assets relative to the top-level package. - See https://github.com/Pylons/pyramid/pull/1337 - -- Added line numbers to the log formatters in the scaffolds to assist with - debugging. See https://github.com/Pylons/pyramid/pull/1326 - -- Add new HTTP exception objects for status codes - ``428 Precondition Required``, ``429 Too Many Requests`` and - ``431 Request Header Fields Too Large`` in ``pyramid.httpexceptions``. - See https://github.com/Pylons/pyramid/pull/1372/files - -- The ``pshell`` script will now load a ``PYTHONSTARTUP`` file if one is - defined in the environment prior to launching the interpreter. - See https://github.com/Pylons/pyramid/pull/1448 - -- Make it simple to define notfound and forbidden views that wish to use - the default exception-response view but with altered predicates and other - configuration options. The ``view`` argument is now optional in - ``config.add_notfound_view`` and ``config.add_forbidden_view``.. - See https://github.com/Pylons/pyramid/issues/494 - -- Greatly improve the readability of the ``pcreate`` shell script output. - See https://github.com/Pylons/pyramid/pull/1453 - -- Improve robustness to timing attacks in the ``AuthTktCookieHelper`` and - the ``SignedCookieSessionFactory`` classes by using the stdlib's - ``hmac.compare_digest`` if it is available (such as Python 2.7.7+ and 3.3+). - See https://github.com/Pylons/pyramid/pull/1457 - -- Assets can now be overidden by an absolute path on the filesystem when using - the ``config.override_asset`` API. This makes it possible to fully support - serving up static content from a mutable directory while still being able - to use the ``request.static_url`` API and ``config.add_static_view``. - Previously it was not possible to use ``config.add_static_view`` with an - absolute path **and** generate urls to the content. This change replaces - the call, ``config.add_static_view('/abs/path', 'static')``, with - ``config.add_static_view('myapp:static', 'static')`` and - ``config.override_asset(to_override='myapp:static/', - override_with='/abs/path/')``. The ``myapp:static`` asset spec is completely - made up and does not need to exist - it is used for generating urls - via ``request.static_url('myapp:static/foo.png')``. - See https://github.com/Pylons/pyramid/issues/1252 - -- Added ``pyramid.config.Configurator.set_response_factory`` and the - ``response_factory`` keyword argument to the ``Configurator`` for defining - a factory that will return a custom ``Response`` class. - See https://github.com/Pylons/pyramid/pull/1499 - -- Allow an iterator to be returned from a renderer. Previously it was only - possible to return bytes or unicode. - See https://github.com/Pylons/pyramid/pull/1417 - -- ``pserve`` can now take a ``-b`` or ``--browser`` option to open the server - URL in a web browser. See https://github.com/Pylons/pyramid/pull/1533 - -- Overall improvments for the ``proutes`` command. Added ``--format`` and - ``--glob`` arguments to the command, introduced the ``method`` - column for displaying available request methods, and improved the ``view`` - output by showing the module instead of just ``__repr__``. - See https://github.com/Pylons/pyramid/pull/1488 - -- Support keyword-only arguments and function annotations in views in - Python 3. See https://github.com/Pylons/pyramid/pull/1556 - -- ``request.response`` will no longer be mutated when using the - ``pyramid.renderers.render_to_response()`` API. It is now necessary to - pass in a ``response=`` argument to ``render_to_response`` if you wish to - supply the renderer with a custom response object for it to use. If you - do not pass one then a response object will be created using the - application's ``IResponseFactory``. Almost all renderers - mutate the ``request.response`` response object (for example, the JSON - renderer sets ``request.response.content_type`` to ``application/json``). - However, when invoking ``render_to_response`` it is not expected that the - response object being returned would be the same one used later in the - request. The response object returned from ``render_to_response`` is now - explicitly different from ``request.response``. This does not change the - API of a renderer. See https://github.com/Pylons/pyramid/pull/1563 - -- The ``append_slash`` argument of ```Configurator().add_notfound_view()`` will - now accept anything that implements the ``IResponse`` interface and will use - that as the response class instead of the default ``HTTPFound``. See - https://github.com/Pylons/pyramid/pull/1610 - -- Additional shells for ``pshell`` can now be registered as entrypoints. See - https://github.com/Pylons/pyramid/pull/1891 and - https://github.com/Pylons/pyramid/pull/2012 - -- The variables injected into ``pshell`` are now displayed with their - docstrings instead of the default ``str(obj)`` when possible. - See https://github.com/Pylons/pyramid/pull/1929 - -- ``pserve --reload`` will no longer crash on syntax errors!!! - See https://github.com/Pylons/pyramid/pull/2044 - -Bug Fixes ---------- - -- Work around an issue where ``pserve --reload`` would leave terminal echo - disabled if it reloaded during a pdb session. - See https://github.com/Pylons/pyramid/pull/1577, - https://github.com/Pylons/pyramid/pull/1592 - -- ``pyramid.wsgi.wsgiapp`` and ``pyramid.wsgi.wsgiapp2`` now raise - ``ValueError`` when accidentally passed ``None``. - See https://github.com/Pylons/pyramid/pull/1320 - -- Fix an issue whereby predicates would be resolved as maybe_dotted in the - introspectable but not when passed for registration. This would mean that - ``add_route_predicate`` for example can not take a string and turn it into - the actual callable function. - See https://github.com/Pylons/pyramid/pull/1306 - -- Fix ``pyramid.testing.setUp`` to return a ``Configurator`` with a proper - package. Previously it was not possible to do package-relative includes - using the returned ``Configurator`` during testing. There is now a - ``package`` argument that can override this behavior as well. - See https://github.com/Pylons/pyramid/pull/1322 - -- Fix an issue where a ``pyramid.response.FileResponse`` may apply a charset - where it does not belong. See https://github.com/Pylons/pyramid/pull/1251 - -- Work around a bug introduced in Python 2.7.7 on Windows where - ``mimetypes.guess_type`` returns Unicode rather than str for the content - type, unlike any previous version of Python. See - https://github.com/Pylons/pyramid/issues/1360 for more information. - -- ``pcreate`` now normalizes the package name by converting hyphens to - underscores. See https://github.com/Pylons/pyramid/pull/1376 - -- Fix an issue with the final response/finished callback being unable to - add another callback to the list. See - https://github.com/Pylons/pyramid/pull/1373 - -- Fix a failing unittest caused by differing mimetypes across various OSs. - See https://github.com/Pylons/pyramid/issues/1405 - -- Fix route generation for static view asset specifications having no path. - See https://github.com/Pylons/pyramid/pull/1377 - -- Allow the ``pyramid.renderers.JSONP`` renderer to work even if there is no - valid request object. In this case it will not wrap the object in a - callback and thus behave just like the ``pyramid.renderers.JSON`` renderer. - See https://github.com/Pylons/pyramid/pull/1561 - -- Prevent "parameters to load are deprecated" ``DeprecationWarning`` - from setuptools>=11.3. See https://github.com/Pylons/pyramid/pull/1541 - -- Avoiding sharing the ``IRenderer`` objects across threads when attached to - a view using the `renderer=` argument. These renderers were instantiated - at time of first render and shared between requests, causing potentially - subtle effects like `pyramid.reload_templates = true` failing to work - in `pyramid_mako`. See https://github.com/Pylons/pyramid/pull/1575 - and https://github.com/Pylons/pyramid/issues/1268 - -- Avoiding timing attacks against CSRF tokens. - See https://github.com/Pylons/pyramid/pull/1574 - -- ``request.finished_callbacks`` and ``request.response_callbacks`` now - default to an iterable instead of ``None``. It may be checked for a length - of 0. This was the behavior in 1.5. - -- ``pyramid.httpexceptions.HTTPException`` now defaults to - ``520 Unknown Error`` instead of ``None None`` to conform with changes in - WebOb 1.5. - See https://github.com/Pylons/pyramid/pull/1865 - -- ``pshell`` will now preserve the capitalization of variables in the - ``[pshell]`` section of the INI file. This makes exposing classes to the - shell a little more straightfoward. - See https://github.com/Pylons/pyramid/pull/1883 - -- Fix an issue when user passes unparsed strings to ``pyramid.session.CookieSession`` - and ``pyramid.authentication.AuthTktCookieHelper`` for time related parameters - ``timeout``, ``reissue_time``, ``max_age`` that expect an integer value. - See https://github.com/Pylons/pyramid/pull/2050 - -- Fixed usage of ``pserve --monitor-restart --daemon`` which would fail in - horrible ways. See https://github.com/Pylons/pyramid/pull/2118 - -- Explicitly prevent ``pserve --reload --daemon`` from being used. It's never - been supported but would work and fail in weird ways. - See https://github.com/Pylons/pyramid/pull/2119 - -- Fix an issue on Windows when running ``pserve --reload`` in which the - process failed to fork because it could not find the pserve script to - run. See https://github.com/Pylons/pyramid/pull/2137 - -- Ensure that ``IAssetDescriptor.abspath`` always returns an absolute path. - There were cases depending on the process CWD that a relative path would - be returned. See https://github.com/Pylons/pyramid/issues/2187 - - -Deprecations ------------- - -- The ``pserve`` command's daemonization features have been deprecated as well - as ``--monitor-restart``. This includes the ``[start,stop,restart,status]`` - subcommands as well as the ``--daemon``, ``--stop-daemon``, ``--pid-file``, - ``--status``, ``--user`` and ``--group`` flags. - See https://github.com/Pylons/pyramid/pull/2120 - and https://github.com/Pylons/pyramid/pull/2189 - and https://github.com/Pylons/pyramid/pull/1641 - - Please use a real process manager in the future instead of relying on the - ``pserve`` to daemonize itself. Many options exist including your Operating - System's services such as Systemd or Upstart, as well as Python-based - solutions like Circus and Supervisor. - - See https://github.com/Pylons/pyramid/pull/1641 - and https://github.com/Pylons/pyramid/pull/2120 - -- Renamed the ``principal`` argument to ``pyramid.security.remember()`` to - ``userid`` in order to clarify its intended purpose. - See https://github.com/Pylons/pyramid/pull/1399 - -Docs ----- - -- Moved the documentation for ``accept`` on ``Configurator.add_view`` to no - longer be part of the predicate list. See - https://github.com/Pylons/pyramid/issues/1391 for a bug report stating - ``not_`` was failing on ``accept``. Discussion with @mcdonc led to the - conclusion that it should not be documented as a predicate. - See https://github.com/Pylons/pyramid/pull/1487 for this PR - -- Removed logging configuration from Quick Tutorial ini files except for - scaffolding- and logging-related chapters to avoid needing to explain it too - early. - -- Clarify a previously-implied detail of the ``ISession.invalidate`` API - documentation. - -- Improve and clarify the documentation on what Pyramid defines as a - ``principal`` and a ``userid`` in its security APIs. - See https://github.com/Pylons/pyramid/pull/1399 - -- Add documentation of command line programs (``p*`` scripts). See - https://github.com/Pylons/pyramid/pull/2191 - -Scaffolds ---------- - -- Update scaffold generating machinery to return the version of pyramid and - pyramid docs for use in scaffolds. Updated starter, alchemy and zodb - templates to have links to correctly versioned documentation and reflect - which pyramid was used to generate the scaffold. - -- Removed non-ascii copyright symbol from templates, as this was - causing the scaffolds to fail for project generation. - -- You can now run the scaffolding func tests via ``tox py2-scaffolds`` and - ``tox py3-scaffolds``. - |