50 files changed, 289 insertions, 192 deletions
diff --git a/BFG_HISTORY.rst b/BFG_HISTORY.rst index 8a2d40920..a62c39f42 100644 --- a/BFG_HISTORY.rst +++ b/BFG_HISTORY.rst @@ -390,7 +390,7 @@ Bug Fixes - The route pattern registered internally for a local "static view" (either via the ``static`` ZCML directive or via the ``add_static_view`` method of the configurator) was incorrect. It - was regsistered for e.g. ``static*traverse``, while it should have + was registered for e.g. ``static*traverse``, while it should have been registered for ``static/*traverse``. Symptom: two static views could not reliably be added to a system when they both shared the same path prefix (e.g. ``/static`` and ``/static2``). @@ -450,7 +450,7 @@ Features constructor argument set to the value passed to ``with_package``. This feature will make it easier for future BFG versions to allow dotted names as arguments in places where currently only object - references are allowed (the work to allow dotted names isntead of + references are allowed (the work to allow dotted names instead of object references everywhere has not yet been done, however). - The new ``repoze.bfg.configuration.Configurator.maybe_dotted`` @@ -479,7 +479,7 @@ Backwards Incompatibilities The ``request`` argument is still a keyword argument, however. - The functions in ``repoze.bfg.renderers`` named ``render`` and - ``render_to_response`` now accept an additonal keyword argument + ``render_to_response`` now accept an additional keyword argument named ``package``. - The ``get_renderer`` API in ``repoze.bfg.renderers`` now accepts a @@ -516,7 +516,7 @@ Internal - Use ``imp.get_suffixes`` indirection in ``repoze.bfg.path.package_name`` instead of hardcoded ``.py`` - ``.pyc`` and ``.pyo`` to use for comparison when attemtping to + ``.pyc`` and ``.pyo`` to use for comparison when attempting to decide if a directory is a package. - Make tests runnable again under Jython (although they do not all 
@@ -574,7 +574,7 @@ Features will be the exception object). Documentation --------------- +------------- - Expanded the "Cleaning Up After a Request" section of the URL Dispatch narrative chapter. @@ -642,7 +642,7 @@ Backwards Incompatibilities depended upon may no longer happen. Documentation --------------- +------------- - Added description of the ``repoze.bfg.events.subscriber`` decorator to the Events narrative chapter. @@ -917,7 +917,7 @@ Documentation the exceptions chapter of the API documentation. Backwards Incompatibilities ----------------------------- +--------------------------- - in previous releases, when a URL could not be decoded from UTF-8 during traversal, a ``TypeError`` was raised. Now the error which @@ -1004,8 +1004,8 @@ Documentation via a group rather than via a direct username. - Redirect requests for tutorial sources to - http://docs.repoze.org/bfgwiki-1.3 and - http://docs.repoze.org/bfgwiki2-1.3/ respectively. + https://docs.pylonsproject.org/projects/pyramid/en/latest/tutorials/wiki/index.html and + https://docs.pylonsproject.org/projects/pyramid/en/latest/tutorials/wiki2/index.html respectively. - A section named ``Custom Route Predicates`` was added to the URL Dispatch narrative chapter. @@ -1140,8 +1140,8 @@ Features This feature was kindly contributed by Andrey Popp. -- Use "Venusian" (`http://docs.repoze.org/venusian - <http://docs.repoze.org/venusian>`_) to perform ``bfg_view`` +- Use "Venusian" (`https://docs.pylonsproject.org/projects/venusian/en/latest/ + <https://docs.pylonsproject.org/projects/venusian/en/latest/>`_) to perform ``bfg_view`` decorator scanning rather than relying on a BFG-internal decorator scanner. (Truth be told, Venusian is really just a generalization of the BFG-internal decorator scanner). 
@@ -1207,7 +1207,7 @@ Internal -------- - View registrations and lookups are now done with three "requires" - arguments instead of two to accomodate orthogonality of exception + arguments instead of two to accommodate orthogonality of exception views. - The ``repoze.bfg.interfaces.IForbiddenView`` and @@ -1525,10 +1525,10 @@ Documentation Licensing - Loosen the documentation licensing to allow derivative works: it is now offered under the `Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License - <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>`_. This is + <https://creativecommons.org/licenses/by-nc-sa/3.0/us/>`_. This is only a documentation licensing change; the ``repoze.bfg`` software continues to be offered under the Repoze Public License at - http://repoze.org/license.html (BSD-like). + https://web.archive.org/web/20190401024809/http://repoze.org/license.html (BSD-like). 1.2a9 (2009-12-27) ================== @@ -1540,10 +1540,10 @@ Documentation Licensing within the ``docs`` directory) in this release is now offered under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License as described by - http://creativecommons.org/licenses/by-nc-nd/3.0/us/ . This is only + https://creativecommons.org/licenses/by-nc-nd/3.0/us/ . This is only a licensing change for the documentation; the ``repoze.bfg`` software continues to be offered under the Repoze Public License - at http://repoze.org/license.html (BSD-like). + at https://web.archive.org/web/20190401024809/http://repoze.org/license.html (BSD-like). Documentation ------------- @@ -1670,8 +1670,8 @@ Internal - Remove the ``repoze.bfg.testing.registerTraverser`` function. This function was never an API. -Documenation ------------- +Documentation +------------- - Doc-deprecated most helper functions in the ``repoze.bfg.testing`` module. These helper functions likely won't be removed any time 
@@ -1892,9 +1892,9 @@ Features of a package nor the use of non-imperative configuration is required to create a simple ``repoze.bfg`` application any longer. - Imperative configuration makes ``repoze.bfg`` competetive with - "microframeworks" such as `Bottle <http://bottle.paws.de/>`_ and - `Tornado <http://www.tornadoweb.org/>`_. ``repoze.bfg`` has a good + Imperative configuration makes ``repoze.bfg`` competitive with + "microframeworks" such as `Bottle <https://bottlepy.org/docs/dev/>`_ and + `Tornado <https://www.tornadoweb.org/en/stable/>`_. ``repoze.bfg`` has a good deal of functionality that most microframeworks lack, so this is hopefully a "best of both worlds" feature. @@ -2131,8 +2131,8 @@ Internals current ``repoze.bfg`` registry. They fall back to obtaining the registry from the threadlocal API. -Backwards Incompatibilites --------------------------- +Backwards Incompatibilities +--------------------------- - Unit tests which use ``zope.testing.cleanup.cleanUp`` for the purpose of isolating tests from one another may now begin to fail @@ -2323,7 +2323,7 @@ Deprecations the paster templates, code samples, and documentation now make reference to ``settings`` rather than ``options``. This change/deprecation was mainly made for purposes of clarity and - symmetry with the ``get_settings()`` API and dicussions of + symmetry with the ``get_settings()`` API and discussions of "settings" in various places in the docs: we want to use the same name to refer to the same thing everywhere. @@ -2866,7 +2866,7 @@ Features e.g. ``repoze.bfg.url.route_url`` in unit tests. - The ``notfound`` and ``forbidden`` ZCML directives now accept the - following addtional attributes: ``attr``, ``renderer``, and + following additional attributes: ``attr``, ``renderer``, and ``wrapper``. These have the same meaning as they do in the context of a ZCML ``view`` directive. 
@@ -2976,7 +2976,7 @@ Documentation ``repoze.bfg`` application. - Added a tutorial which explains how to run a ``repoze.bfg`` - application under `mod_wsgi <http://code.google.com/p/modwsgi/>`_. + application under `mod_wsgi <https://modwsgi.readthedocs.io/en/develop/>`_. See "Running a repoze.bfg Application under mod_wsgi" in the tutorials section of the documentation. @@ -3214,7 +3214,7 @@ Features ``view_permission``. Any attribute which starts with ``view_`` can now be spelled without the ``view_`` prefix, so ``view_for`` can be spelled as ``for`` now, etc. Both forms are documented in the - urldispatch narraitve documentation chapter. + urldispatch narrative documentation chapter. - The ``request_param`` ZCML view directive attribute (and its ``bfg_view`` decorator cousin) can now specify both a key and a @@ -3406,7 +3406,7 @@ Backwards Incompatibilities - Added a workaround for a bug in Python 2.6, 2.6.1, and 2.6.2 having to do with a recursion error in the mimetypes module when trying to serve static files from Paste's FileApp: - http://bugs.python.org/issue5853. Symptom: File + https://bugs.python.org/issue5853. Symptom: File "/usr/lib/python2.6/mimetypes.py", line 244, in guess_type return guess_type(url, strict) RuntimeError: maximum recursion depth exceeded. Thanks to Armin Ronacher for identifying the symptom and @@ -3498,7 +3498,7 @@ Deprecations ``remoteuserauthenticationpolicy`` and ``authtktauthenticationpolicy``) and the `aclauthorizationpolicy`` authorization policy directive as described in the changes to the - "Security" narrative documenation chapter and the wiki tutorials. + "Security" narrative documentation chapter and the wiki tutorials. Features -------- 
@@ -3800,7 +3800,7 @@ Backwards Incompatibilities authentication policies named ``RepozeWho1AuthenticationPolicy``, ``RemoteUserAuthenticationPolicy``, and ``AuthTktAuthenticationPolicy`` now must accept two positional - arguments: the orginal argument accepted by each (userid or + arguments: the original argument accepted by each (userid or identity) plus a second argument, which will be the current request. Apologies, this is required to service finding groups when there is no "global" database connection. @@ -3894,7 +3894,7 @@ Features defined ``route`` statement. When it is specified, the view will only be called when that route matches during a request. -- It is now possible to perfom traversal *after* a route has matched. +- It is now possible to perform traversal *after* a route has matched. Use the pattern ``*traverse`` in a ``<route>`` ``path`` attribute within ZCML, and the path remainder which it matches will be used as a traversal path. @@ -4610,8 +4610,7 @@ Bug Fixes To resolve this issue, the urldispatch module was fixed, and a fork of the Routes trunk was put into the "dev" index named ``Routes-1.11dev-chrism-home``. The source for the fork exists at - `http://bitbucket.org/chrism/routes-home/ - <http://bitbucket.org/chrism/routes-home/>`_ (broken link); + ``http://bitbucket.org/chrism/routes-home/`` (broken link); its contents have been merged into the Routes trunk (what will be Routes 1.11). 
@@ -4752,8 +4751,7 @@ Incompatibilities related to making ``repoze.bfg`` "C-free": opposed to pure Python) and the ``repoze.bfg`` core is "C-free" as of this release. You may get Genshi-style Chameleon support back by installing the ``repoze.bfg.chameleon_genshi`` package availalable - from http://svn.repoze.org/repoze.bfg.chameleon_genshi (also - available in the index at http://dist.repoze.org/bfg/0.8/simple). + from https://pypi.org/project/repoze.bfg.chameleon_genshi/. All existing code that depended on the ``chameleon_genshi`` module prior to this release of ``repoze.bfg`` should work without change after this addon is installed. @@ -4763,8 +4761,10 @@ Incompatibilities related to making ``repoze.bfg`` "C-free": which is implemented in C, and the ``repoze.bfg`` core is "C-free" as of this release. You bay get XSL templating back by installing the ``repoze.bfg.xslt`` package available from - http://svn.repoze.org/repoze.bfg.xslt/ (also available in the index - at http://dist.repoze.org/bfg/0.8/simple). All existing code that + ``http://svn.repoze.org/repoze.bfg.xslt/`` (broken link) + (also available in the index + at ``http://dist.repoze.org/bfg/0.8/simple)`` (broken link). + All existing code that depended upon the ``xslt`` module prior to this release of ``repoze.bfg`` should work without modification after this addon is installed. 
@@ -4796,10 +4796,10 @@ Index-Related ------------- - The canonical package index location for ``repoze.bfg`` has changed. - The "old" index (http://dist.repoze.org/lemonade/dev/simple) has - been superseded by a new index location - (`http://dist.repoze.org/bfg/current/simple - <http://dist.repoze.org/bfg/current/simple>`_). The installation + The "old" index (``http://dist.repoze.org/lemonade/dev/simple``) (broken link) + has been superseded by a new index location + ``http://dist.repoze.org/bfg/current/simple`` (broken link). + The installation documentation has been updated as well as the ``setup.cfg`` file in this package. The "lemonade" index still exists, but it is not guaranteed to have the latest BFG software in it, nor will it be @@ -4927,7 +4927,7 @@ Backwards Incompatibilities default ``ModelGraphTraverser``. To use this feature, you will need to install the ``repoze.bfg.traversalwrapper`` package (an add-on package, available at - http://svn.repoze.org/repoze.bfg.traversalwrapper) Then change your + https://pypi.org/project/repoze.bfg.traversalwrapper/) Then change your application's ``configure.zcml`` to include the following stanza: <adapter @@ -5077,7 +5077,7 @@ Backwards Incompatibilities e.g. ``/foo /bar``. Now it returns a string, where each segment is a UTF-8 encoded and URL-quoted element e.g. ``/foo%20/bar``. This change was (as discussed briefly on the repoze-dev maillist) - necessary to accomodate model objects which themselves have + necessary to accommodate model objects which themselves have ``__name__`` attributes that contain the ``/`` character. For people that have no models that have high-order Unicode 
@@ -5356,7 +5356,7 @@ Features - URL-dispatch has been overhauled: it is no longer necessary to manually create a RoutesMapper in your application's entry point callable in order to use URL-dispatch (aka `Routes - <http://routes.groovie.org>`_). A new ``route`` directive has been + <https://routes.readthedocs.io/en/latest/>`_). A new ``route`` directive has been added to the available list of ZCML directives. Each ``route`` directive inserted into your application's ``configure.zcml`` establishes a Routes mapper connection. If any ``route`` @@ -5498,7 +5498,7 @@ Features requests (and this is indeed the default). All requests implement ``IRequest``. The HTTP-verb-matching idea was pioneered by `repoze.bfg.restrequest - <http://pypi.python.org/pypi/repoze.bfg.restrequest/1.0.1>`_ . That + <https://pypi.org/project/repoze.bfg.restrequest/1.0.1/>`_ . That package is no longer required, but still functions fine. Bug Fixes @@ -5606,8 +5606,8 @@ Features keyword argument named ``query``. The value of this argument will be used to compose a query string, which will be attached to the generated URL before it is returned. See the API docs (in - the docs directory or `on the web - <http://static.repoze.org/bfgdocs>`_) for more information. + the docs directory or on the web + ``http://static.repoze.org/bfgdocs``) (broken URL) for more information. 0.6 (2008-12-26) ================ 
@@ -5618,7 +5618,7 @@ Backwards Incompatibilities - Rather than prepare the "stock" implementations of the ZCML directives from the ``zope.configuration`` package for use under ``repoze.bfg``, ``repoze.bfg`` now makes available the implementations of directives - from the ``repoze.zcml`` package (see http://static.repoze.org/zcmldocs). + from the ``repoze.zcml`` package (see https://pypi.org/project/repoze.zcml/). As a result, the ``repoze.bfg`` package now depends on the ``repoze.zcml`` package, and no longer depends directly on the ``zope.component``, ``zope.configuration``, ``zope.interface``, or @@ -5642,7 +5642,7 @@ Backwards Incompatibilities package="zope.component" file="meta.zcml">``) and include the ``zope.security`` package as an ``install_requires`` dependency or 2) change the ZCML in their applications to use the declarations from - `repoze.zcml <http://static.repoze.org/zcmldocs/>`_ instead of the stock + `repoze.zcml <https://pypi.org/project/repoze.zcml/>`_ instead of the stock declarations. ``repoze.zcml`` only makes available the ``adapter``, ``subscriber`` and ``utility`` directives. @@ -5720,7 +5720,7 @@ Backwards Incompatibilities will contain UTF-8 encoded path segments as necessary, so any URL generated by BFG itself will be decodeable by the traverser. If another application generates URLs to a BFG application, to be resolved - successully, it should generate the URL with UTF-8 encoded path segments + successfully, it should generate the URL with UTF-8 encoded path segments to be successfully resolved. The decoder is not at all magical: if a non-UTF-8-decodeable path segment (e.g. one encoded using UTF-16 or some other insanity) is passed in the URL, BFG will raise a ``TypeError`` with 
@@ -5774,7 +5774,7 @@ Features ``testing.registerDummyRenderer`` is used, it instead registers a dummy implementation using ``ITemplateRenderer`` interface, which is checked for when the built-in templating facilities do rendering. This change - also allows developers to make explcit named utility registrations in + also allows developers to make explicit named utility registrations in the ZCML registry against ``ITemplateRenderer``; these will be found before any on-disk template is looked up. diff --git a/CHANGES.rst b/CHANGES.rst index afac078b0..c52da1b76 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -35,6 +35,17 @@ Features provided by WebOb. This allows the attribute to now be settable. See https://github.com/Pylons/pyramid/pull/3447 +- Improve debugging info from ``pyramid.view.view_config`` decorator. + See https://github.com/Pylons/pyramid/pull/3483 + +- A new parameter, ``allow_no_origin``, was added to + ``pyramid.config.Configurator.set_default_csrf_options`` as well as + ``pyramid.csrf.check_csrf_origin``. This option controls whether a + request is rejected if it has no ``Origin`` or ``Referer`` header - + often the result of a user configuring their browser not to send a + ``Referer`` header for privacy reasons. + See https://github.com/Pylons/pyramid/pull/3512 + Deprecations ------------ @@ -88,6 +99,10 @@ Backward Incompatibilities documentation for more information about why this change was made. See https://github.com/Pylons/pyramid/pull/3413 +- ``pyramid.request.Request.invoke_exception_view`` will no longer be called + by the default execution policy. + See https://github.com/Pylons/pyramid/pull/3496 + Documentation Changes --------------------- diff --git a/CONTRIBUTORS.txt b/CONTRIBUTORS.txt index 33218cbbd..c01dd49b2 100644 --- a/CONTRIBUTORS.txt +++ b/CONTRIBUTORS.txt @@ -342,3 +342,5 @@ Contributors - Arijit Basu, 2019/02/19 - Theron Luhn, 2019/03/30 + +- Mandar Vaze, 2019/07/20 
diff --git a/HISTORY.rst b/HISTORY.rst index 36f1f52de..4fd13119d 100644 --- a/HISTORY.rst +++ b/HISTORY.rst @@ -123,7 +123,7 @@ Bug Fixes Deprecations ------------ -- The ``pyramid.intefaces.ISession`` interface will move to require +- The ``pyramid.interfaces.ISession`` interface will move to require JSON-serializable objects in Pyramid 2.0. See "Upcoming Changes to ISession in Pyramid 2.0" in the "Sessions" chapter of the documentation for more information about this change. @@ -550,10 +550,10 @@ Features other settings. See https://github.com/Pylons/pyramid/pull/2823 - ``pserve --reload`` now uses the - `hupper <http://docs.pylonsproject.org/projects/hupper/en/latest/>` + `hupper <https://docs.pylonsproject.org/projects/hupper/en/latest/>`_ library to monitor file changes. This comes with many improvements: - - If the `watchdog <http://pythonhosted.org/watchdog/>`_ package is + - If the `watchdog <https://pythonhosted.org/watchdog/>`_ package is installed then monitoring will be done using inotify instead of cpu and disk-intensive polling. @@ -686,7 +686,7 @@ Documentation Changes https://github.com/Pylons/pyramid/pull/2838 - Add `pyramid_nacl_session - <http://docs.pylonsproject.org/projects/pyramid-nacl-session/en/latest/>`_ + <https://docs.pylonsproject.org/projects/pyramid-nacl-session/en/latest/>`_ to session factories. See https://github.com/Pylons/pyramid/issues/2791 - Update ``HACKING.txt`` from stale branch that was never merged to master. @@ -1000,7 +1000,7 @@ Bug Fixes - Ensure that ``IAssetDescriptor.abspath`` always returns an absolute path. There were cases depending on the process CWD that a relative path would - be returned. See https://github.com/Pylons/pyramid/issues/2188 + be returned. See https://github.com/Pylons/pyramid/pull/2188 1.6b2 (2015-10-15) ================== 
@@ -1066,7 +1066,7 @@ Bug Fixes - ``pshell`` will now preserve the capitalization of variables in the ``[pshell]`` section of the INI file. This makes exposing classes to the - shell a little more straightfoward. + shell a little more straightforward. See https://github.com/Pylons/pyramid/pull/1883 - Fixed usage of ``pserve --monitor-restart --daemon`` which would fail in @@ -1204,7 +1204,7 @@ Features override_with='/abs/path/')``. The ``myapp:static`` asset spec is completely made up and does not need to exist - it is used for generating urls via ``request.static_url('myapp:static/foo.png')``. - See https://github.com/Pylons/pyramid/issues/1252 + See https://github.com/Pylons/pyramid/pull/1252 - Added ``pyramid.config.Configurator.set_response_factory`` and the ``response_factory`` keyword argument to the ``Configurator`` for defining @@ -1218,7 +1218,7 @@ Features - ``pserve`` can now take a ``-b`` or ``--browser`` option to open the server URL in a web browser. See https://github.com/Pylons/pyramid/pull/1533 -- Overall improvments for the ``proutes`` command. Added ``--format`` and +- Overall improvements for the ``proutes`` command. Added ``--format`` and ``--glob`` arguments to the command, introduced the ``method`` column for displaying available request methods, and improved the ``view`` output by showing the module instead of just ``__repr__``. @@ -1523,7 +1523,7 @@ Bug Fixes - Remove unused ``renderer`` argument from ``Configurator.add_route``. -- Allow the ``BasicAuthenticationPolicy`` to work with non-ascii usernames +- Allow the ``BasicAuthenticationPolicy`` to work with non-ASCII usernames and passwords. The charset is not passed as part of the header and different browsers alternate between UTF-8 and Latin-1, so the policy now attempts to decode with UTF-8 first, and will fallback to Latin-1. 
@@ -1774,7 +1774,7 @@ Backwards Incompatibilities since Pyramid 1.1. Use methods of ``request.environ`` (a real dictionary) instead. -- Removed ancient backwards compatibily hack in +- Removed ancient backwards compatibility hack in ``pyramid.traversal.DefaultRootFactory`` which populated the ``__dict__`` of the factory with the matchdict values for compatibility with BFG 0.9. @@ -2432,7 +2432,7 @@ Features whole-path match. It's useful when you want to always potentially show a view when some object is traversed to, but you can't be sure about what kind of object it will be, so you can't use the ``context`` predicate. The - individual path elements inbetween slash characters or in tuple elements + individual path elements in between slash characters or in tuple elements should be the Unicode representation of the name of the resource and should not be encoded in any way. @@ -2489,7 +2489,7 @@ Bug Fixes it back to an asset spec. Normally occurs with inherited templates or included components. https://github.com/Pylons/pyramid/issues/606 - https://github.com/Pylons/pyramid/issues/607 + https://github.com/Pylons/pyramid/pull/607 - In Mako Templates lookup, check for absolute uri (using mako directories) when mixing up inheritance with asset specs. @@ -2501,7 +2501,7 @@ Bug Fixes https://github.com/Pylons/pyramid/pull/620 - Forward-port from 1.3 branch: when registering multiple views with an - ``accept`` predicate in a Pyramid application runing under Python 3, you + ``accept`` predicate in a Pyramid application running under Python 3, you might have received a ``TypeError: unorderable types: function() < function()`` exception. 
@@ -2980,7 +2980,7 @@ Features argument, which can be a string, a callable, or a list consisting of strings and/or callables. This feature allows submodules, subpackages, and global objects from being scanned. See - http://readthedocs.org/docs/venusian/en/latest/#ignore-scan-argument for + https://venusian.readthedocs.io/en/latest/#ignore-scan-argument for more information about how to use the ``ignore`` argument to ``scan``. - Better error messages when a view callable returns a value that cannot be @@ -3138,7 +3138,7 @@ Features - Responses generated by Pyramid's ``static_view`` now use a ``wsgi.file_wrapper`` (see - http://www.python.org/dev/peps/pep-0333/#optional-platform-specific-file-handling) + https://www.python.org/dev/peps/pep-0333/#optional-platform-specific-file-handling) when one is provided by the web server. Bug Fixes @@ -3292,7 +3292,7 @@ Documentation - Removed the "Running Pyramid on Google App Engine" tutorial from the main docs. It survives on in the Cookbook - (http://docs.pylonsproject.org/projects/pyramid_cookbook/en/latest/deployment/gae.html). + (https://docs.pylonsproject.org/projects/pyramid_cookbook/en/latest/deployment/gae.html). Rationale: it provides the correct info for the Python 2.5 version of GAE only, and this version of Pyramid does not support Python 2.5. @@ -3873,7 +3873,7 @@ Backwards Incompatibilities config.add_view('my.pkg.someview', route_name='foo') This won't effect "normal" users, only people who have legacy BFG codebases - that used an autommitting configurator and possibly tests that use the + that used an autocommitting configurator and possibly tests that use the configurator API (the configurator returned by ``pyramid.testing.setUp`` is an autocommitting configurator). The right way to get around this is to use a non-autocommitting configurator (the default), which does not have 
@@ -3944,7 +3944,7 @@ Scaffolds package at all; configuration in the ``production.ini`` file which used to require its ``error_catcher`` middleware has been removed. Configuring error catching / email sending is now the domain of the ``pyramid_exclog`` - package (see http://docs.pylonsproject.org/projects/pyramid_exclog/en/latest/). + package (see https://docs.pylonsproject.org/projects/pyramid_exclog/en/latest/). Bug Fixes --------- @@ -4400,7 +4400,7 @@ Documentation - The term "template" used to refer to both "paster templates" and "rendered templates" (templates created by a rendering engine. i.e. Mako, Chameleon, - Jinja, etc.). "Paster templates" will now be refered to as "scaffolds", + Jinja, etc.). "Paster templates" will now be referred to as "scaffolds", whereas the name for "rendered templates" will remain as "templates." - The ``wiki`` (ZODB+Traversal) tutorial was updated slightly. @@ -4561,7 +4561,7 @@ Bug Fixes ``/{foo:\d{1,2}}`` would fail to match ``/1`` or ``/11``. One level of inner squiggly brackets is now recognized so that the prior two patterns given as examples now work. See also - https://github.com/Pylons/pyramid/issues/#issue/123. + https://github.com/Pylons/pyramid/issues/123. - Don't send port numbers along with domain information in cookies set by AuthTktCookieHelper (see https://github.com/Pylons/pyramid/issues/131). @@ -4576,11 +4576,11 @@ Bug Fixes - Don't quote ``:@&+$,`` symbols in ``*elements`` passed to ``pyramid.url.route_url`` or ``pyramid.url.resource_url`` (see - https://github.com/Pylons/pyramid/issues#issue/141). + https://github.com/Pylons/pyramid/pull/141). - Include SCRIPT_NAME in redirects issued by ``pyramid.view.append_slash_notfound_view`` (see - https://github.com/Pylons/pyramid/issues#issue/149). + https://github.com/Pylons/pyramid/issues/149). - Static views registered with ``config.add_static_view`` which also included a ``permission`` keyword argument would not work as expected, because 
@@ -4802,7 +4802,7 @@ Documentation - Moved "Using ZODB With ZEO" and "Using repoze.catalog Within Pyramid" tutorials out of core documentation and into the Pyramid Tutorials site - (http://docs.pylonsproject.org/projects/pyramid_tutorials/en/latest/). + (https://docs.pylonsproject.org/projects/pyramid_tutorials/en/latest/). - Changed "Cleaning up After a Request" section in the URL Dispatch chapter to use ``request.add_finished_callback`` instead of jamming an object with @@ -4878,19 +4878,19 @@ Bug Fixes ``{{project}}`` variable, causing applications created with uppercase letters e.g. ``paster create -t pyramid_routesalchemy Dibbus`` to fail to start when ``paster serve development.ini`` was used against the result. - See https://github.com/Pylons/pyramid/issues/#issue/107 + See https://github.com/Pylons/pyramid/issues/107 - The ``render_view`` method of ``pyramid.renderers.RendererHelper`` passed an incorrect value into the renderer for ``renderer_info``. It now passes an instance of ``RendererHelper`` instead of a dictionary, which is consistent with other usages. See - https://github.com/Pylons/pyramid/issues#issue/106 + https://github.com/Pylons/pyramid/issues/106 - A bug existed in the ``pyramid.authentication.AuthTktCookieHelper`` which would break any usage of an AuthTktAuthenticationPolicy when one was configured to reissue its tokens (``reissue_time`` < ``timeout`` / ``max_age``). Symptom: ``ValueError: ('Invalid token %r', '')``. See - https://github.com/Pylons/pyramid/issues#issue/108. + https://github.com/Pylons/pyramid/issues/108. 1.0b1 (2011-01-21) ================== @@ -4908,7 +4908,7 @@ Features sets a cookie with a wildcard domain will be turned off. - Add a ``MANIFEST.in`` file to each paster template. See - https://github.com/Pylons/pyramid/issues#issue/95 + https://github.com/Pylons/pyramid/issues/95 Bug Fixes --------- 
@@ -4973,7 +4973,7 @@ Backwards Incompatibilities react to ``403 Forbidden``. - The default value for the ``cookie_on_exception`` parameter to - ``pyramid.session.UnencyrptedCookieSessionFactory`` is now ``True``. This + ``pyramid.session.UnencryptedCookieSessionFactory`` is now ``True``. This means that when view code causes an exception to be raised, and the session has been mutated, a cookie will be sent back in the response. Previously its default value was ``False``. @@ -4986,7 +4986,7 @@ Paster Templates ``repoze.tm2`` transaction manager in ``development.ini``. This prevents a transaction from being committed when the response status code is within the 400 or 500 ranges. See also - http://docs.repoze.org/tm2/#using-a-commit-veto. + https://repozetm2.readthedocs.io/en/latest/index.html#using-a-commit-veto. 1.0a10 (2011-01-18) =================== @@ -5004,7 +5004,7 @@ Backwards Incompatibilities Pyramid core. Handlers are now a feature of the ``pyramid_handlers`` package, which can be downloaded from PyPI. Documentation for the package should be available via - http://docs.pylonsproject.org/projects/pyramid_handlers/en/latest/, + https://docs.pylonsproject.org/projects/pyramid_handlers/en/latest/, which describes how to add a configuration statement to your ``main`` block to reobtain this method. You will also need to add an ``install_requires`` dependency upon @@ -5014,7 +5014,7 @@ Backwards Incompatibilities Pyramid core. Loading ZCML is now a feature of the ``pyramid_zcml`` package, which can be downloaded from PyPI. Documentation for the package should be available via - http://docs.pylonsproject.org/projects/pyramid_zcml/en/latest/, + https://docs.pylonsproject.org/projects/pyramid_zcml/en/latest/, which describes how to add a configuration statement to your ``main`` block to reobtain this method. You will also need to add an ``install_requires`` dependency upon 
@@ -5212,7 +5212,7 @@ Documentation - The "Resource Location and View Lookup" chapter has been replaced with a variant of Rob Miller's "Much Ado About Traversal" (originally published at - http://blog.nonsequitarian.org/2010/much-ado-about-traversal/). + https://web.archive.org/web/20150321110754/http://blog.nonsequitarian.org/2010/much-ado-about-traversal/). - Many minor wording tweaks and refactorings (merged Casey Duncan's docs fork, in which he is working on general editing). @@ -5427,7 +5427,7 @@ Terminology Changes Bug Fixes --------- -- Make it possible to succesfully run all tests via ``nosetests`` command +- Make it possible to successfully run all tests via ``nosetests`` command directly (rather than indirectly via ``python setup.py nosetests``). - When a configuration conflict is encountered during scanning, the conflict @@ -5534,7 +5534,7 @@ Features - The ``pyramid.testing.setUp`` function now accepts an ``autocommit`` keyword argument, which defaults to ``True``. If it is passed ``False``, - the Config object returned by ``setUp`` will be a non-autocommiting Config + the Config object returned by ``setUp`` will be a non-autocommitting Config object. - Add logging configuration to all paster templates. @@ -5554,7 +5554,7 @@ Features - New boolean Mako settings variable ``mako.strict_undefined``. See `Mako Context Variables - <http://www.makotemplates.org/docs/runtime.html#context-variables>`_ for + <https://docs.makotemplates.org/en/latest/runtime.html#context-variables>`_ for its meaning. Dependencies diff --git a/docs/api/view.rst b/docs/api/view.rst index e41212012..fe4b80acb 100644 --- a/docs/api/view.rst +++ b/docs/api/view.rst @@ -14,8 +14,7 @@ .. autoclass:: view_config :members: - .. autoclass:: view_defaults - :members: + .. autofunction:: view_defaults .. autoclass:: notfound_view_config :members: diff --git a/docs/conf.py b/docs/conf.py index 8fdebf53d..9f2b56225 100644 --- a/docs/conf.py +++ b/docs/conf.py 
@@ -448,4 +448,5 @@ epub_tocdepth = 3 linkcheck_ignore = [ r'http://localhost:\d+', r'http://localhost', + r'https://webchat.freenode.net/#pyramid', # JavaScript "anchor" ] diff --git a/docs/copyright.rst b/docs/copyright.rst index 3631fe5a3..c021d5db5 100644 --- a/docs/copyright.rst +++ b/docs/copyright.rst @@ -30,7 +30,7 @@ similar license to this one. Creative Commons Attribution-Nonconmmercial-Share Alike 3.0 United States License, the :app:`Pyramid` *software* is offered under a `less restrictive (BSD-like) license - <http://repoze.org/license.html>`_ . + <https://web.archive.org/web/20190401024809/http://repoze.org/license.html>`_ . All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. However, use of a @@ -80,7 +80,7 @@ Print Production ---------------- The print version of this book was produced using the `Sphinx -<http://www.sphinx-doc.org/en/master/>`_ documentation generation system and +<https://www.sphinx-doc.org/en/master/>`_ documentation generation system and the `LaTeX <https://www.latex-project.org/>`_ typesetting system. Contacting The Publisher diff --git a/docs/designdefense.rst b/docs/designdefense.rst index 566ad1f5e..967a1aaed 100644 --- a/docs/designdefense.rst +++ b/docs/designdefense.rst @@ -988,7 +988,7 @@ the following: traverses by registering one or more adapters. As a result of being able to either replace the larger component entirely or turn knobs on the default implementation of the larger component, no one understands when (or - whether) they should ever override the larger component entrirely. This + whether) they should ever override the larger component entirely. This results, over time, in a rusting together of the larger "replaceable" component and the framework itself because people come to depend on the availability of the default component in order just to turn its knobs. The 
@@ -1006,12 +1006,12 @@ Microframeworks have smaller Hello World programs ------------------------------------------------- Self-described "microframeworks" exist. `Bottle -<http://bottlepy.org/docs/dev/index.html>`_ and `Flask -<http://flask.pocoo.org/>`_ are two that are becoming popular. `Bobo +<https://bottlepy.org/docs/dev/>`_ and `Flask +<https://palletsprojects.com/p/flask/>`_ are two that are becoming popular. `Bobo <https://bobo.readthedocs.io/en/latest/>`_ doesn't describe itself as a microframework, but its intended user base is much the same. Many others exist. We've even (only as a teaching tool, not as any sort of official project) -`created one using Pyramid <http://static.repoze.org/casts/videotags.html>`_. +`created one using Pyramid <https://web.archive.org/web/20190118040819/http://static.repoze.org/casts/videotags.html>`_. The videos use BFG, a precursor to Pyramid, but the resulting code is `available for Pyramid too <https://github.com/Pylons/groundhog>`_). Microframeworks are small frameworks with one common feature: each allows its @@ -1657,7 +1657,7 @@ Pyramid has over 1200 pages of documentation (printed), covering topics from the very basic to the most advanced. *Nothing* is left undocumented, quite literally. It also has an *awesome*, very helpful community. Visit the `#pyramid IRC channel on freenode.net -<https://webchat.freenode.net/?channels=pyramid>`_ and see. +<https://webchat.freenode.net/#pyramid>`_ and see. Hate Zope +++++++++ diff --git a/docs/glossary.rst b/docs/glossary.rst index 36272f08c..2d2595592 100644 --- a/docs/glossary.rst +++ b/docs/glossary.rst 
@@ -38,9 +38,9 @@ Glossary "Repoze" is essentially a "brand" of software developed by `Agendaless Consulting <https://agendaless.com>`_ and a set of contributors. The term has no special intrinsic meaning. The project's `website - <http://repoze.org>`_ has more information. The software developed + <https://web.archive.org/web/20190127155548/http://repoze.org/>`_ has more information. The software developed "under the brand" is available in a `Subversion repository - <http://svn.repoze.org>`_. Pyramid was originally known as + <https://web.archive.org/web/20190103024221/http://svn.repoze.org/>`_. Pyramid was originally known as :mod:`repoze.bfg`. Setuptools @@ -352,7 +352,7 @@ Glossary server, a WSGI application, with a set of :term:`middleware` in-between. Zope - `The Z Object Publishing Framework <http://www.zope.org/en/latest/>`_, a + `The Z Object Publishing Framework <https://www.zope.org/>`_, a full-featured Python web framework. Grok @@ -397,12 +397,12 @@ Glossary the box in ZPT and text flavors. ZPT - The `Zope Page Template <https://zope.readthedocs.io/en/latest/zope2book/ZPT.html>`_ + The `Zope Page Template <https://zope.readthedocs.io/en/latest/zopebook/ZPT.html>`_ templating language. METAL `Macro Expansion for TAL - <https://zope.readthedocs.io/en/latest/zope2book/AppendixC.html#metal-overview>`_, a + <https://zope.readthedocs.io/en/latest/zopebook/AppendixC.html#metal-overview>`_, a part of :term:`ZPT` which makes it possible to share common look and feel between templates. @@ -411,7 +411,7 @@ Glossary by Christopher Lenz. Jinja2 - A `text templating language <http://jinja.pocoo.org/>`_ by Armin Ronacher. + A `text templating language <https://palletsprojects.com/p/jinja/>`_ by Armin Ronacher. Routes A `system by Ben Bangert <https://routes.readthedocs.io/en/latest/>`_ 
@@ -503,13 +503,13 @@ Glossary repoze.lemonade Zope2 CMF-like `data structures and helper facilities - <http://docs.repoze.org/lemonade>`_ for CA-and-ZODB-based + <https://web.archive.org/web/20180903140246/http://docs.repoze.org/lemonade/>`_ for CA-and-ZODB-based applications useful within :app:`Pyramid` applications. repoze.catalog An indexing and search facility (fielded and full-text) based on `zope.index <https://pypi.org/project/zope.index/>`_. See `the - documentation <http://docs.repoze.org/catalog>`_ for more + documentation <https://web.archive.org/web/20181214215757/http://docs.repoze.org/catalog/>`_ for more information. repoze.who @@ -519,7 +519,7 @@ Glossary repoze.workflow `Barebones workflow for Python apps - <http://docs.repoze.org/workflow>`_ . It can be used by + <https://web.archive.org/web/20181117003329/http://docs.repoze.org/workflow/>`_ . It can be used by :app:`Pyramid` to form a workflow system. virtual root @@ -732,7 +732,7 @@ Glossary See also `Agendaless Consulting <https://agendaless.com>`_. Jython - A `Python implementation <http://www.jython.org/>`_ written for + A `Python implementation <https://www.jython.org/>`_ written for the Java Virtual Machine. Python diff --git a/docs/index.rst b/docs/index.rst index 13ece925a..c1f6db81a 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -6,7 +6,7 @@ The Pyramid Web Framework :app:`Pyramid` is a small, fast, down-to-earth Python web framework. It is developed as part of the `Pylons Project <https://pylonsproject.org>`_. -It is licensed under a `BSD-like license <http://repoze.org/license.html>`_. +It is licensed under a `BSD-like license <https://web.archive.org/web/20190401024809/http://repoze.org/license.html>`_. Here is one of the simplest :app:`Pyramid` applications you can make: 
@@ -77,7 +77,7 @@ If you've got questions that aren't answered by this documentation, contact the `Pylons-discuss maillist <https://groups.google.com/forum/#!forum/pylons-discuss>`_ or join the `#pyramid IRC channel -<https://webchat.freenode.net/?channels=pyramid>`_. +<https://webchat.freenode.net/#pyramid>`_. Browse and check out tagged and trunk versions of :app:`Pyramid` via the `Pyramid GitHub repository <https://github.com/Pylons/pyramid/>`_. To check out diff --git a/docs/narr/advanced-features.rst b/docs/narr/advanced-features.rst index 431b4f030..8d99f7291 100644 --- a/docs/narr/advanced-features.rst +++ b/docs/narr/advanced-features.rst @@ -84,7 +84,7 @@ Speaking of the :app:`Pyramid` structured :meth:`~pyramid.config.Configurator.in If you need, you can extend or override the configuration of an existing application by including its configuration in your own and then modifying it. -For example, if you want to reuse an existing application that already has a bunch of routes, you can just use the ``include`` statement with a ``route_prefix``. All the routes of that application will be availabe, prefixed as you requested: +For example, if you want to reuse an existing application that already has a bunch of routes, you can just use the ``include`` statement with a ``route_prefix``. All the routes of that application will be available, prefixed as you requested: .. code-block:: python :linenos: 
@@ -116,7 +116,7 @@ authorization patterns. Build Trees of Resources ------------------------ -:app:`Pyramid` supports :term:`traversal`, a way of mapping URLs to a concrete :term:`resource tree`. If your application naturally consists of an arbitrary heirarchy of different types of content (like a CMS or a Document Management System), traversal is for you. If you have a requirement for a highly granular security model ("Jane can edit documents in *this* folder, but not *that* one"), traversal can be a powerful approach. +:app:`Pyramid` supports :term:`traversal`, a way of mapping URLs to a concrete :term:`resource tree`. If your application naturally consists of an arbitrary hierarchy of different types of content (like a CMS or a Document Management System), traversal is for you. If you have a requirement for a highly granular security model ("Jane can edit documents in *this* folder, but not *that* one"), traversal can be a powerful approach. .. seealso:: diff --git a/docs/narr/commandline.rst b/docs/narr/commandline.rst index 21b2a0839..0c5189903 100644 --- a/docs/narr/commandline.rst +++ b/docs/narr/commandline.rst @@ -452,7 +452,7 @@ For example: route_and_view_attached / app1.standard_views.route_and_view_attached * method_conflicts /conflicts app1.standard_conflicts <route mismatch> multiview /multiview app1.standard_views.multiview GET,PATCH - not_post /not_post app1.standard_views.multview !POST,* + not_post /not_post app1.standard_views.multiview !POST,* ``proutes`` generates a table with four columns: *Name*, *Pattern*, *View*, and *Method*. The items listed in the Name column are route names, the items diff --git a/docs/narr/firstapp.rst b/docs/narr/firstapp.rst index 49d9b467f..9bc79ac1b 100644 --- a/docs/narr/firstapp.rst +++ b/docs/narr/firstapp.rst 
@@ -38,9 +38,9 @@ On Windows: %VENV%\Scripts\python helloworld.py This command will not return and nothing will be printed to the console. When -port 6543 is visited by a browser on the URL ``/hello/world``, the server will +port 6543 is visited by a browser on the URL ``/``, the server will simply serve up the text "Hello world!". If your application is running on -your local system, using `<http://localhost:6543/hello/world>`_ in a browser +your local system, using `<http://localhost:6543/>`_ in a browser will show this result. Each time you visit a URL served by the application in a browser, a logging diff --git a/docs/narr/hooks.rst b/docs/narr/hooks.rst index 3c02c2653..1ca5c3a6d 100644 --- a/docs/narr/hooks.rst +++ b/docs/narr/hooks.rst @@ -1335,7 +1335,7 @@ Specifying neither ``over`` nor ``under`` is equivalent to specifying If all options for ``under`` (or ``over``) cannot be found in the current configuration, it is an error. If some options are specified purely for -compatibilty with other tweens, just add a fallback of ``MAIN`` or ``INGRESS``. +compatibility with other tweens, just add a fallback of ``MAIN`` or ``INGRESS``. For example, ``under=('someothertween', 'someothertween2', INGRESS)``. This constraint will require the tween to be located under the ``someothertween`` tween, the ``someothertween2`` tween, and ``INGRESS``. If any of these is not @@ -1412,7 +1412,7 @@ time. Displaying Tween Ordering ~~~~~~~~~~~~~~~~~~~~~~~~~ -The ``ptweens`` command-line utility can be used to report the current implict +The ``ptweens`` command-line utility can be used to report the current implicit and explicit tween chains used by an application. See :ref:`displaying_tweens`. diff --git a/docs/narr/hybrid.rst b/docs/narr/hybrid.rst index 1238601ed..58c3e82e8 100644 --- a/docs/narr/hybrid.rst +++ b/docs/narr/hybrid.rst 
@@ -495,7 +495,7 @@ the above call to ``request.resource_path`` would generate ``/mysection/``. See :ref:`virtual_root_support` for more information. If the route you're trying to use needs simple dynamic part values to be filled -in to succesfully generate the URL, you can pass these as the ``route_kw`` +in to successfully generate the URL, you can pass these as the ``route_kw`` argument to ``resource_url`` and ``resource_path``. For example, assuming that the route definition is like so: diff --git a/docs/narr/introduction.rst b/docs/narr/introduction.rst index 41a5638e3..f62e28905 100644 --- a/docs/narr/introduction.rst +++ b/docs/narr/introduction.rst @@ -35,7 +35,7 @@ Reliability :app:`Pyramid` is developed conservatively and tested exhaustively. Our motto is: "If it ain't tested, it's broke". Openness - As with Python, the :app:`Pyramid` software is distributed under a `permissive open source license <http://repoze.org/license.html>`_. + As with Python, the :app:`Pyramid` software is distributed under a `permissive open source license <https://web.archive.org/web/20190401024809/http://repoze.org/license.html>`_. .. _why_pyramid: 
@@ -52,7 +52,7 @@ Modern Tested ~~~~~~ -Untested code is broken by design. The :app:`Pyramid` community has a strong testing culture and our framework reflects that. Every release of :app:`Pyramid` has 100% statement coverage (as measured by `coverage <https://coverage.readthedocs.io/en/latest/>`_) and 95% decision/condition coverage. (as measured by `instrumental <https://instrumental.readthedocs.io/en/latest/intro.html>`_) It is automatically tested using `Travis <https://travis-ci.org/Pylons/pyramid>`_ and `Jenkins <http://jenkins.pylonsproject.org/job/pyramid/>`_ on supported versions of Python after each commit to its GitHub repository. `Official Pyramid add-ons <https://trypyramid.com/extending-pyramid.html>`_ are held to a similar testing standard. +Untested code is broken by design. The :app:`Pyramid` community has a strong testing culture and our framework reflects that. Every release of :app:`Pyramid` has 100% statement coverage (as measured by `coverage <https://coverage.readthedocs.io/en/latest/>`_) and 95% decision/condition coverage. (as measured by `instrumental <https://instrumental.readthedocs.io/en/latest/intro.html>`_) It is automatically tested using `Travis <https://travis-ci.org/Pylons/pyramid>`_ and Jenkins on supported versions of Python after each commit to its GitHub repository. `Official Pyramid add-ons <https://trypyramid.com/extending-pyramid.html>`_ are held to a similar testing standard. We still find bugs in :app:`Pyramid`, but we've noticed we find a lot fewer of them while working on projects with a solid testing regime. 
@@ -70,7 +70,7 @@ You can get help quickly with :app:`Pyramid`. It's our goal that no :app:`Pyrami .. seealso:: - See also our `#pyramid IRC channel <https://webchat.freenode.net/?channels=pyramid>`_, our `pylons-discuss mailing list <https://groups.google.com/forum/#!forum/pylons-discuss>`_, and :ref:`support-and-development`. + See also our `#pyramid IRC channel <https://webchat.freenode.net/#pyramid>`_, our `pylons-discuss mailing list <https://groups.google.com/forum/#!forum/pylons-discuss>`_, and :ref:`support-and-development`. .. _what_makes_pyramid_unique: @@ -245,7 +245,7 @@ When you use a :term:`renderer` with your view callable, you are freed from need .. index:: pair: renderer; explicitly calling - pair: view renderer; explictly calling + pair: view renderer; explicitly calling .. _example_render_to_response_call: diff --git a/docs/narr/renderers.rst b/docs/narr/renderers.rst index 6b4982e4b..21cfa0497 100644 --- a/docs/narr/renderers.rst +++ b/docs/narr/renderers.rst @@ -357,9 +357,9 @@ When a view is called that uses a JSONP renderer: Javscript library AJAX functionality will help you make JSONP requests. For example, JQuery has a `getJSON function -<http://api.jquery.com/jQuery.getJSON/>`_, and has equivalent (but more +<https://api.jquery.com/jQuery.getJSON/>`_, and has equivalent (but more complicated) functionality in its `ajax function -<http://api.jquery.com/jQuery.ajax/>`_. +<https://api.jquery.com/jQuery.ajax/>`_. For example (JavaScript): diff --git a/docs/narr/security.rst b/docs/narr/security.rst index b49958b85..2a7034a19 100644 --- a/docs/narr/security.rst +++ b/docs/narr/security.rst 
@@ -715,7 +715,7 @@ Preventing Cross-Site Request Forgery Attacks `Cross-site request forgery <https://en.wikipedia.org/wiki/Cross-site_request_forgery>`_ attacks are a -phenomenon whereby a user who is logged in to your website might inadvertantly +phenomenon whereby a user who is logged in to your website might inadvertently load a URL because it is linked from, or embedded in, an attacker's website. If the URL is one that may modify or delete data, the consequences can be dire. @@ -887,7 +887,9 @@ that it matches one of the trusted origins. By default the only trusted origin is the current host, however additional origins may be configured by setting ``pyramid.csrf_trusted_origins`` to a list of domain names (and ports if they are non-standard). If a host in the list of domains starts with a ``.`` then -that will allow all subdomains as well as the domain without the ``.``. +that will allow all subdomains as well as the domain without the ``.``. If no +``Referer`` or ``Origin`` header is present in an HTTPS request, the CSRF check +will fail unless ``allow_no_origin`` is set. If CSRF checks fail then a :class:`pyramid.exceptions.BadCSRFToken` or :class:`pyramid.exceptions.BadCSRFOrigin` exception will be raised. This diff --git a/docs/narr/templates.rst b/docs/narr/templates.rst index e5244e1ad..34d9a115c 100644 --- a/docs/narr/templates.rst +++ b/docs/narr/templates.rst @@ -452,7 +452,7 @@ templating languages including the following: .. _pyramid_chameleon: https://docs.pylonsproject.org/projects/pyramid-chameleon/en/latest/ -.. _Jinja2: http://jinja.pocoo.org/docs/dev/ +.. _Jinja2: https://jinja.palletsprojects.com/en/2.10.x/ .. _pyramid_jinja2: https://docs.pylonsproject.org/projects/pyramid-jinja2/en/latest/ diff --git a/docs/narr/testing.rst b/docs/narr/testing.rst index 8048ca62c..883bb7c7b 100644 --- a/docs/narr/testing.rst +++ b/docs/narr/testing.rst 
@@ -50,7 +50,7 @@ The suggested mechanism for unit and integration testing of a :app:`Pyramid` application is the Python :mod:`unittest` module. Although this module is named :mod:`unittest`, it is actually capable of driving both unit and integration tests. A good :mod:`unittest` tutorial is available within `Dive -Into Python <http://www.diveintopython.net/unit_testing/index.html>`_ by Mark +Into Python 3 <https://diveinto.org/python3/unit-testing.html>`_ by Mark Pilgrim. :app:`Pyramid` provides a number of facilities that make unit, integration, and diff --git a/docs/narr/upgrading.rst b/docs/narr/upgrading.rst index 87e4647c3..af552741c 100644 --- a/docs/narr/upgrading.rst +++ b/docs/narr/upgrading.rst @@ -103,7 +103,7 @@ a newer Pyramid release is always to read the :ref:`changelog` to find the deprecations and removals for each release between the release you're currently running and the one to which you wish to upgrade. The change history notes every deprecation within a ``Deprecation`` section and every removal within a -``Backwards Incompatibilies`` section for each release. +``Backwards Incompatibilities`` section for each release. The change history often contains instructions for changing your code to avoid deprecation warnings and how to change docs-deprecated spellings to newer ones. diff --git a/docs/narr/viewconfig.rst b/docs/narr/viewconfig.rst index da2c41409..465477b4d 100644 --- a/docs/narr/viewconfig.rst +++ b/docs/narr/viewconfig.rst @@ -196,7 +196,7 @@ Non-Predicate Arguments ``require_csrf`` CSRF checks will affect any request method that is not defined as a "safe" - method by RFC2616. In pratice this means that GET, HEAD, OPTIONS, and TRACE + method by RFC2616. In practice this means that GET, HEAD, OPTIONS, and TRACE methods will pass untouched and all others methods will require CSRF. This option is used in combination with the ``pyramid.require_default_csrf`` setting to control which request parameters are checked for CSRF tokens. 
diff --git a/docs/quick_tour.rst b/docs/quick_tour.rst index 471820ef6..a428a77c3 100644 --- a/docs/quick_tour.rst +++ b/docs/quick_tour.rst @@ -95,7 +95,7 @@ explanation: As shown in this example, the :term:`configurator` plays a central role in Pyramid development. Building an application from loosely-coupled parts via :doc:`../narr/configuration` is a central idea in Pyramid, one that we will -revisit regurlarly in this *Quick Tour*. +revisit regularly in this *Quick Tour*. .. seealso:: See also: :ref:`Quick Tutorial Hello World <qtut_hello_world>`, @@ -337,7 +337,7 @@ passed the view response through the ``pyramid_jinja2`` renderer. .. seealso:: See also: :ref:`Quick Tutorial Jinja2 <qtut_jinja2>`, `Jinja2 homepage - <http://jinja.pocoo.org/>`_, and :ref:`pyramid_jinja2 Overview + <https://palletsprojects.com/p/jinja/>`_, and :ref:`pyramid_jinja2 Overview <jinja2:overview>`. @@ -823,7 +823,7 @@ Now make a "factory" and pass it to the :term:`configurator`'s :emphasize-lines: 2-3 Pyramid's :term:`request` object now has a ``session`` attribute that we can -use in our view code in ``views.py``: +use in our view code in ``views/default.py``: .. literalinclude:: quick_tour/sessions/hello_world/views/default.py :language: python diff --git a/docs/quick_tutorial/jinja2.rst b/docs/quick_tutorial/jinja2.rst index ed9acd955..a8b562fe7 100644 --- a/docs/quick_tutorial/jinja2.rst +++ b/docs/quick_tutorial/jinja2.rst @@ -97,5 +97,5 @@ Extra credit :term:`Configurator` to load ``pyramid_jinja2``'s configuration. What is another way we could include it into the config? -.. seealso:: `Jinja2 homepage <http://jinja.pocoo.org/>`_, and +.. seealso:: `Jinja2 homepage <https://palletsprojects.com/p/jinja/>`_, and :ref:`pyramid_jinja2 Overview <jinja2:overview>` diff --git a/docs/quick_tutorial/routing.rst b/docs/quick_tutorial/routing.rst index a6538a75f..71fb2a4d7 100644 --- a/docs/quick_tutorial/routing.rst +++ b/docs/quick_tutorial/routing.rst 
@@ -31,7 +31,7 @@ Previously we saw the basics of routing URLs to views in Pyramid. explicit in ordering. Pyramid also gives facilities to avoid the problem. It's relatively easy to build a system that uses implicit route ordering with Pyramid too. See `The Groundhog series of screencasts - <http://static.repoze.org/casts/videotags.html>`_ if you're interested in + <https://web.archive.org/web/20190118040819/http://static.repoze.org/casts/videotags.html>`_ if you're interested in doing so. diff --git a/docs/tutorials/wiki2/definingviews.rst b/docs/tutorials/wiki2/definingviews.rst index 8600a0cea..a434039ca 100644 --- a/docs/tutorials/wiki2/definingviews.rst +++ b/docs/tutorials/wiki2/definingviews.rst @@ -350,7 +350,7 @@ template inheritance via blocks. - We have defined two placeholders in the layout template where a child template can override the content. These blocks are named ``subtitle`` (line 11) and ``content`` (line 36). -- Please refer to the `Jinja2 documentation <http://jinja.pocoo.org/>`_ for more information about template +- Please refer to the `Jinja2 documentation <https://palletsprojects.com/p/jinja/>`_ for more information about template inheritance. diff --git a/docs/whatsnew-1.2.rst b/docs/whatsnew-1.2.rst index 8572f04f5..8b1943822 100644 --- a/docs/whatsnew-1.2.rst +++ b/docs/whatsnew-1.2.rst @@ -232,7 +232,7 @@ Backwards Incompatibilities config.add_view('my.pkg.someview', route_name='foo') This won't effect "normal" users, only people who have legacy BFG codebases - that used an autommitting configurator and possibly tests that use the + that used an autocommitting configurator and possibly tests that use the configurator API (the configurator returned by :func:`pyramid.testing.setUp` is an autocommitting configurator). The right way to get around this is to use a default non-autocommitting diff --git a/docs/whatsnew-1.5.rst b/docs/whatsnew-1.5.rst index a477ce5ec..753dfd355 100644 --- a/docs/whatsnew-1.5.rst +++ b/docs/whatsnew-1.5.rst 
@@ -276,7 +276,7 @@ The feature additions in Pyramid 1.5 follow. - You can now generate "hybrid" urldispatch/traversal URLs more easily by using the new ``route_name``, ``route_kw`` and ``route_remainder_name`` arguments to :meth:`~pyramid.request.Request.resource_url` and - :meth:`~pyuramid.request.Request.resource_path`. See + :meth:`~pyramid.request.Request.resource_path`. See :ref:`generating_hybrid_urls`. - A new http exception superclass named @@ -371,7 +371,7 @@ The feature additions in Pyramid 1.5 follow. Other Backwards Incompatibilities --------------------------------- -- Modified the :meth:`~pyramid.request.Reuqest.current_route_url` method. The +- Modified the :meth:`~pyramid.request.Request.current_route_url` method. The method previously returned the URL without the query string by default, it now does attach the query string unless it is overriden. @@ -441,7 +441,7 @@ Other Backwards Incompatibilities since Pyramid 1.1. Use methods of ``request.environ`` (a real dictionary) instead. -- Removed ancient backwards compatibily hack in +- Removed ancient backwards compatibility hack in ``pyramid.traversal.DefaultRootFactory`` which populated the ``__dict__`` of the factory with the matchdict values for compatibility with BFG 0.9. @@ -12,7 +12,6 @@ # ############################################################################## from setuptools import find_packages, setup -from pkg_resources import parse_version def readfile(name): @@ -54,11 +53,11 @@ docs_extras = [ testing_extras = tests_require + ['coverage', 'nose'] -base_version = parse_version(VERSION).base_version +branch_version = ".".join(VERSION.split(".")[:2]) # black is refusing to make anything under 80 chars so just splitting it up docs_fmt = 'https://docs.pylonsproject.org/projects/pyramid/en/{}-branch/' -docs_url = docs_fmt.format(base_version) +docs_url = docs_fmt.format(branch_version) setup( name='pyramid', 
@@ -87,7 +86,7 @@ setup( url="https://trypyramid.com", project_urls={ 'Documentation': docs_url, - 'Changelog': '{}whatsnew-{}.html'.format(docs_url, base_version), + 'Changelog': '{}whatsnew-{}.html'.format(docs_url, branch_version), 'Issue Tracker': 'https://github.com/Pylons/pyramid/issues', }, license="BSD-derived (http://www.repoze.org/LICENSE.txt)", diff --git a/src/pyramid/config/actions.py b/src/pyramid/config/actions.py index 4a526e242..29d06d716 100644 --- a/src/pyramid/config/actions.py +++ b/src/pyramid/config/actions.py @@ -168,7 +168,7 @@ class ActionState(object): Return True if processing is needed and False otherwise. If the callable needs to be processed, it will be marked as - processed, assuming that the caller will procces the callable if + processed, assuming that the caller will process the callable if it needs to be processed. """ if spec in self._seen_files: diff --git a/src/pyramid/config/security.py b/src/pyramid/config/security.py index 8f0a108c5..32b4db03c 100644 --- a/src/pyramid/config/security.py +++ b/src/pyramid/config/security.py @@ -254,6 +254,7 @@ class SecurityConfiguratorMixin(object): token='csrf_token', header='X-CSRF-Token', safe_methods=('GET', 'HEAD', 'OPTIONS', 'TRACE'), + allow_no_origin=False, callback=None, ): """ @@ -278,6 +279,9 @@ class SecurityConfiguratorMixin(object): never be automatically checked for CSRF tokens. Default: ``('GET', 'HEAD', 'OPTIONS', TRACE')``. + ``allow_no_origin`` is a boolean. If false, a request lacking both an + ``Origin`` and ``Referer`` header will fail the CSRF check. + If ``callback`` is set, it must be a callable accepting ``(request)`` and returning ``True`` if the request should be checked for a valid CSRF token. This callback allows an application to support 
@@ -293,9 +297,17 @@ class SecurityConfiguratorMixin(object): .. versionchanged:: 1.8 Added the ``callback`` option. + .. versionchanged:: 2.0 + Added the ``allow_no_origin`` option. + """ options = DefaultCSRFOptions( - require_csrf, token, header, safe_methods, callback + require_csrf=require_csrf, + token=token, + header=header, + safe_methods=safe_methods, + allow_no_origin=allow_no_origin, + callback=callback, ) def register(): @@ -344,9 +356,18 @@ class SecurityConfiguratorMixin(object): @implementer(IDefaultCSRFOptions) class DefaultCSRFOptions(object): - def __init__(self, require_csrf, token, header, safe_methods, callback): + def __init__( + self, + require_csrf, + token, + header, + safe_methods, + allow_no_origin, + callback, + ): self.require_csrf = require_csrf self.token = token self.header = header self.safe_methods = frozenset(safe_methods) + self.allow_no_origin = allow_no_origin self.callback = callback diff --git a/src/pyramid/config/tweens.py b/src/pyramid/config/tweens.py index c85639d14..feb4a3230 100644 --- a/src/pyramid/config/tweens.py +++ b/src/pyramid/config/tweens.py @@ -73,7 +73,7 @@ class TweensConfiguratorMixin(object): If all options for ``under`` (or ``over``) cannot be found in the current configuration, it is an error. If some options are specified - purely for compatibilty with other tweens, just add a fallback of + purely for compatibility with other tweens, just add a fallback of MAIN or INGRESS. For example, ``under=('mypkg.someothertween', 'mypkg.someothertween2', INGRESS)``. This constraint will require the tween to be located under both the 'mypkg.someothertween' tween, diff --git a/src/pyramid/config/views.py b/src/pyramid/config/views.py index ac531ecb2..1abff0579 100644 --- a/src/pyramid/config/views.py +++ b/src/pyramid/config/views.py 
@@ -751,7 +751,7 @@ class ViewsConfiguratorMixin(object): It's useful when you want to always potentially show a view when some object is traversed to, but you can't be sure about what kind of object it will be, so you can't use the ``context`` predicate. The - individual path elements inbetween slash characters or in tuple + individual path elements in between slash characters or in tuple elements should be the Unicode representation of the name of the resource and should not be encoded in any way. @@ -859,7 +859,7 @@ class ViewsConfiguratorMixin(object): else: raise ConfigurationError( - '"view" was not specified and ' 'no "renderer" specified' + '"view" was not specified and no "renderer" specified' ) if request_type is not None: diff --git a/src/pyramid/csrf.py b/src/pyramid/csrf.py index 26c628acc..b352ada71 100644 --- a/src/pyramid/csrf.py +++ b/src/pyramid/csrf.py @@ -97,9 +97,9 @@ class SessionCSRFStoragePolicy(object): class CookieCSRFStoragePolicy(object): """ An alternative CSRF implementation that stores its information in unauthenticated cookies, known as the 'Double Submit Cookie' method in the - `OWASP CSRF guidelines <https://www.owasp.org/index.php/ - Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet# - Double_Submit_Cookie>`_. This gives some additional flexibility with + `OWASP CSRF guidelines + <https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie>`_. + This gives some additional flexibility with regards to scaling as the tokens can be generated and verified by a front-end server. @@ -247,7 +247,9 @@ def check_csrf_token( return True -def check_csrf_origin(request, trusted_origins=None, raises=True): +def check_csrf_origin( + request, trusted_origins=None, allow_no_origin=False, raises=True +): """ Check the ``Origin`` of the request to see if it is a cross site request or not. 
@@ -302,9 +304,13 @@ def check_csrf_origin(request, trusted_origins=None, raises=True): if origin is None: origin = request.referrer - # Fail if we were not able to locate an origin at all + # If we can't find an origin, fail or pass immediately depending on + # ``allow_no_origin`` if not origin: - return _fail("Origin checking failed - no Origin or Referer.") + if allow_no_origin: + return True + else: + return _fail("Origin checking failed - no Origin or Referer.") # Parse our origin so we we can extract the required information from # it. diff --git a/src/pyramid/httpexceptions.py b/src/pyramid/httpexceptions.py index 56797dc88..c9fdfe04b 100644 --- a/src/pyramid/httpexceptions.py +++ b/src/pyramid/httpexceptions.py @@ -367,7 +367,7 @@ class HTTPRedirection(HTTPException): This is an abstract base class for 3xx redirection. It indicates that further action needs to be taken by the user agent in order - to fulfill the request. It does not necessarly signal an error + to fulfill the request. It does not necessarily signal an error condition. """ @@ -914,9 +914,7 @@ class HTTPConflict(HTTPClientError): code = 409 title = 'Conflict' - explanation = ( - 'There was a conflict when trying to complete ' 'your request.' - ) + explanation = 'There was a conflict when trying to complete your request.' class HTTPGone(HTTPClientError): @@ -1040,7 +1038,7 @@ class HTTPExpectationFailed(HTTPClientError): """ subclass of :class:`~HTTPClientError` - This indidcates that the expectation given in an Expect + This indicates that the expectation given in an Expect request-header field could not be met by this server. code: 417, title: Expectation Failed diff --git a/src/pyramid/interfaces.py b/src/pyramid/interfaces.py index d97c3811b..2d8b1ac40 100644 --- a/src/pyramid/interfaces.py +++ b/src/pyramid/interfaces.py 
@@ -426,7 +426,7 @@ class IRendererInfo(Interface): ) type = Attribute('The renderer type name') registry = Attribute( - 'The "current" application registry when the ' 'renderer was created' + 'The "current" application registry when the renderer was created' ) settings = Attribute( 'The deployment settings dictionary related ' @@ -1100,6 +1100,10 @@ class IDefaultCSRFOptions(Interface): header = Attribute('The header to be matched with the CSRF token.') safe_methods = Attribute('A set of safe methods that skip CSRF checks.') callback = Attribute('A callback to disable CSRF checks per-request.') + allow_no_origin = Attribute( + 'Boolean. If false, a request lacking both an ``Origin`` and ' + '``Referer`` header will fail the CSRF check.' + ) class ISessionFactory(Interface): @@ -1319,7 +1323,7 @@ class IIntrospectable(Interface): ) category_name = Attribute('introspection category name') discriminator = Attribute( - 'introspectable discriminator (within category) ' '(must be hashable)' + 'introspectable discriminator (within category) (must be hashable)' ) discriminator_hash = Attribute('an integer hash of the discriminator') action_info = Attribute( @@ -1460,7 +1464,7 @@ class IViewDeriverInfo(Interface): :term:`view deriver` during configuration.""" registry = Attribute( - 'The "current" application registry where the ' 'view was created' + 'The "current" application registry where the view was created' ) package = Attribute( 'The "current package" where the view ' diff --git a/src/pyramid/router.py b/src/pyramid/router.py index 19641aecd..fa1a9ebf7 100644 --- a/src/pyramid/router.py +++ b/src/pyramid/router.py @@ -273,7 +273,4 @@ class Router(object): def default_execution_policy(environ, router): with router.request_context(environ) as request: - try: - return router.invoke_request(request) - except Exception: - return request.invoke_exception_view(reraise=True) + return router.invoke_request(request) 
diff --git a/src/pyramid/scripts/prequest.py b/src/pyramid/scripts/prequest.py index eb2032419..759978936 100644 --- a/src/pyramid/scripts/prequest.py +++ b/src/pyramid/scripts/prequest.py @@ -18,7 +18,7 @@ class PRequestCommand(object): description = """\ Submit a HTTP request to a web application. - This command makes an artifical request to a web application that uses a + This command makes an artificial request to a web application that uses a PasteDeploy (.ini) configuration file for the server and application. Use "prequest config.ini /path" to request "/path". diff --git a/src/pyramid/scripts/proutes.py b/src/pyramid/scripts/proutes.py index 78c2295d5..09b550cef 100644 --- a/src/pyramid/scripts/proutes.py +++ b/src/pyramid/scripts/proutes.py @@ -268,9 +268,11 @@ class PRoutesCommand(object): 'config_vars', nargs='*', default=(), - help="Variables required by the config file. For example, " - "`http_port=%%(http_port)s` would expect `http_port=8080` to be " - "passed here.", + help=( + "Variables required by the config file. For example, " + "`http_port=%%(http_port)s` would expect `http_port=8080` to be " + "passed here." + ), ) def __init__(self, argv, quiet=False): @@ -285,7 +287,7 @@ class PRoutesCommand(object): if fmt not in self.available_formats: invalid_formats.append(fmt) - msg = 'You provided invalid formats %s, ' 'Available formats are %s' + msg = 'You provided invalid formats %s. Available formats are %s' if invalid_formats: msg = msg % (invalid_formats, self.available_formats) diff --git a/src/pyramid/testing.py b/src/pyramid/testing.py index 4bf6d281f..3bf3f1898 100644 --- a/src/pyramid/testing.py +++ b/src/pyramid/testing.py 
@@ -154,7 +154,7 @@ class DummyResource: should be an interface object or tuple of interface objects that will be attached to the resulting resource via :func:`zope.interface.alsoProvides`. Any extra keywords passed - in the ``kw`` argumnent will be set as direct attributes of + in the ``kw`` argument will be set as direct attributes of the resource object. .. note:: For backwards compatibility purposes, this class can also diff --git a/src/pyramid/view.py b/src/pyramid/view.py index 944ad93ea..7e54a40f6 100644 --- a/src/pyramid/view.py +++ b/src/pyramid/view.py @@ -1,5 +1,6 @@ import itertools import sys +import inspect import venusian @@ -216,6 +217,14 @@ class view_config(object): if settings.get('context') is None: settings['context'] = settings['for_'] self.__dict__.update(settings) + self._get_info() + + def _get_info(self): + depth = self.__dict__.get('_depth', 0) + frame = sys._getframe(depth + 2) + frameinfo = inspect.getframeinfo(frame) + sourceline = frameinfo[3][0].strip() + self._info = frameinfo[0], frameinfo[1], frameinfo[2], sourceline def __call__(self, wrapped): settings = self.__dict__.copy() @@ -237,14 +246,13 @@ class view_config(object): if settings.get('attr') is None: settings['attr'] = wrapped.__name__ - settings['_info'] = info.codeinfo # fbo "action_method" return wrapped bfg_view = view_config # bw compat (forever) -class view_defaults(view_config): +def view_defaults(**settings): """ A class :term:`decorator` which, when applied to a class, will provide defaults for all view configurations that use the class. This decorator accepts all the arguments accepted by @@ -253,10 +261,12 @@ class view_defaults(view_config): See :ref:`view_defaults` for more information. """ - def __call__(self, wrapped): - wrapped.__view_defaults__ = self.__dict__.copy() + def wrap(wrapped): + wrapped.__view_defaults__ = settings return wrapped + return wrap + class AppendSlashNotFoundViewFactory(object): """ There can only be one :term:`Not Found view` in any 
diff --git a/src/pyramid/viewderivers.py b/src/pyramid/viewderivers.py index 22659d2a3..95c223e61 100644 --- a/src/pyramid/viewderivers.py +++ b/src/pyramid/viewderivers.py @@ -484,12 +484,14 @@ def csrf_view(view, info): token = 'csrf_token' header = 'X-CSRF-Token' safe_methods = frozenset(["GET", "HEAD", "OPTIONS", "TRACE"]) + allow_no_origin = False callback = None else: default_val = defaults.require_csrf token = defaults.token header = defaults.header safe_methods = defaults.safe_methods + allow_no_origin = defaults.allow_no_origin callback = defaults.callback enabled = ( @@ -508,7 +510,9 @@ def csrf_view(view, info): if request.method not in safe_methods and ( callback is None or callback(request) ): - check_csrf_origin(request, raises=True) + check_csrf_origin( + request, raises=True, allow_no_origin=allow_no_origin + ) check_csrf_token(request, token, header, raises=True) return view(context, request) diff --git a/tests/test_config/test_security.py b/tests/test_config/test_security.py index f2b4ba8e5..0ae199239 100644 --- a/tests/test_config/test_security.py +++ b/tests/test_config/test_security.py @@ -158,6 +158,7 @@ class ConfiguratorSecurityMethodsTests(unittest.TestCase): list(sorted(result.safe_methods)), ['GET', 'HEAD', 'OPTIONS', 'TRACE'], ) + self.assertFalse(result.allow_no_origin) self.assertTrue(result.callback is None) def test_changing_set_default_csrf_options(self): @@ -173,6 +174,7 @@ class ConfiguratorSecurityMethodsTests(unittest.TestCase): token='DUMMY', header=None, safe_methods=('PUT',), + allow_no_origin=True, callback=callback, ) result = config.registry.getUtility(IDefaultCSRFOptions) @@ -180,4 +182,5 @@ class ConfiguratorSecurityMethodsTests(unittest.TestCase): self.assertEqual(result.token, 'DUMMY') self.assertEqual(result.header, None) self.assertEqual(list(sorted(result.safe_methods)), ['PUT']) + self.assertTrue(result.allow_no_origin) self.assertTrue(result.callback is callback) 
diff --git a/tests/test_csrf.py b/tests/test_csrf.py index d1b569c32..f93a1afde 100644 --- a/tests/test_csrf.py +++ b/tests/test_csrf.py @@ -363,6 +363,12 @@ class Test_check_csrf_origin(unittest.TestCase): request.registry.settings = {} self.assertTrue(self._callFUT(request)) + def test_success_with_allow_no_origin(self): + request = testing.DummyRequest() + request.scheme = "https" + request.referrer = None + self.assertTrue(self._callFUT(request, allow_no_origin=True)) + def test_fails_with_wrong_host(self): from pyramid.exceptions import BadCSRFOrigin diff --git a/tests/test_router.py b/tests/test_router.py index 3e66757f6..722f4286c 100644 --- a/tests/test_router.py +++ b/tests/test_router.py @@ -1561,7 +1561,7 @@ class TestRouter(unittest.TestCase): self.assertEqual(resp.status_code, 200) self.assertEqual(resp.body, b'foo') - def test_execution_policy_handles_exception(self): + def test_execution_policy_bubbles_exception(self): from pyramid.interfaces import IViewClassifier from pyramid.interfaces import IExceptionViewClassifier from pyramid.interfaces import IRequest @@ -1591,8 +1591,7 @@ class TestRouter(unittest.TestCase): environ = self._makeEnviron(PATH_INFO='/archives/action1/article1') start_response = DummyStartResponse() router = self._makeOne() - result = router(environ, start_response) - self.assertEqual(result, ["Hello, world"]) + self.assertRaises(Exception2, lambda: router(environ, start_response)) def test_request_context_with_statement(self): from pyramid.threadlocal import get_current_request diff --git a/tests/test_scripts/test_proutes.py b/tests/test_scripts/test_proutes.py index 5e3f359f6..b5a083272 100644 --- a/tests/test_scripts/test_proutes.py +++ b/tests/test_scripts/test_proutes.py 
@@ -687,7 +687,7 @@ class TestPRoutesCommand(unittest.TestCase): command.out = L.append command.bootstrap = dummy.DummyBootstrap(registry=config.registry) expected = ( - "You provided invalid formats ['predicates'], " + "You provided invalid formats ['predicates']. " "Available formats are ['name', 'pattern', 'view', 'method']" ) result = command.run() diff --git a/tests/test_testing.py b/tests/test_testing.py index 874d9f11b..ebeafe21d 100644 --- a/tests/test_testing.py +++ b/tests/test_testing.py @@ -192,7 +192,7 @@ class TestDummyRequest(unittest.TestCase): self.assertEqual(request.method, 'POST') self.assertEqual(request.POST, POST) # N.B.: Unlike a normal request, passing 'post' should *not* put - # explict POST data into params: doing so masks a possible + # explicit POST data into params: doing so masks a possible # XSS bug in the app. Tests for apps which don't care about # the distinction should just use 'params'. self.assertEqual(request.params, {}) diff --git a/tests/test_view.py b/tests/test_view.py index de40df1d5..5411e57c0 100644 --- a/tests/test_view.py +++ b/tests/test_view.py @@ -507,7 +507,25 @@ class TestViewConfigDecorator(unittest.TestCase): def test_create_defaults(self): decorator = self._makeOne() - self.assertEqual(decorator.__dict__, {}) + self.assertEqual(list(decorator.__dict__.keys()), ['_info']) + + def test_create_info(self): + target = self._getTargetClass() + decorator = target() + info = decorator._info + self.assertEqual(info[2], 'test_create_info') + self.assertEqual(info[3], 'decorator = target()') + + def test_create_info_depth(self): + target = self._getTargetClass() + + def make(): + return target(_depth=1) + + decorator = make() + info = decorator._info + self.assertEqual(info[2], 'test_create_info_depth') + self.assertEqual(info[3], 'decorator = make()') def test_create_context_trumps_for(self): decorator = self._makeOne(context='123', for_='456') 
@@ -560,7 +578,6 @@ class TestViewConfigDecorator(unittest.TestCase): self.assertEqual(len(settings[0]), 3) self.assertEqual(settings[0]['venusian'], venusian) self.assertEqual(settings[0]['view'], None) # comes from call_venusian - self.assertEqual(settings[0]['_info'], 'codeinfo') def test_call_class(self): decorator = self._makeOne() @@ -580,7 +597,6 @@ class TestViewConfigDecorator(unittest.TestCase): self.assertEqual(settings[0]['venusian'], venusian) self.assertEqual(settings[0]['view'], None) # comes from call_venusian self.assertEqual(settings[0]['attr'], 'foo') - self.assertEqual(settings[0]['_info'], 'codeinfo') def test_call_class_attr_already_set(self): decorator = self._makeOne(attr='abc') @@ -600,7 +616,6 @@ class TestViewConfigDecorator(unittest.TestCase): self.assertEqual(settings[0]['venusian'], venusian) self.assertEqual(settings[0]['view'], None) # comes from call_venusian self.assertEqual(settings[0]['attr'], 'abc') - self.assertEqual(settings[0]['_info'], 'codeinfo') def test_stacking(self): decorator1 = self._makeOne(name='1') diff --git a/tests/test_viewderivers.py b/tests/test_viewderivers.py index 9a61ea9f1..12a903eaa 100644 --- a/tests/test_viewderivers.py +++ b/tests/test_viewderivers.py 
@@ -1414,6 +1414,27 @@ class TestDeriveView(unittest.TestCase): result = view(None, request) self.assertTrue(result is response) + def test_csrf_view_allow_no_origin(self): + response = DummyResponse() + + def inner_view(request): + return response + + self.config.set_default_csrf_options( + require_csrf=True, allow_no_origin=True + ) + request = self._makeRequest() + request.scheme = "https" + request.domain = "example.com" + request.host_port = "443" + request.referrer = None + request.method = 'POST' + request.session = DummySession({'csrf_token': 'foo'}) + request.POST = {'csrf_token': 'foo'} + view = self.config._derive_view(inner_view, require_csrf=True) + result = view(None, request) + self.assertTrue(result is response) + def test_csrf_view_fails_on_bad_PUT_header(self): from pyramid.exceptions import BadCSRFToken @@ -17,7 +17,6 @@ setenv = [testenv:lint] skip_install = true -basepython = python3.6 commands = flake8 src/pyramid tests setup.py black --check --diff src/pyramid tests setup.py @@ -30,8 +29,6 @@ deps = check-manifest [testenv:docs] -# pin to 3.5 to match what RTD uses -basepython = python3.5 whitelist_externals = make commands = make -C docs doctest html epub BUILDDIR={envdir} "SPHINXOPTS=-W -E" @@ -39,7 +36,6 @@ extras = docs [testenv:pdf] -basepython = python3.5 whitelist_externals = make commands = make -C docs latexpdf BUILDDIR={envdir} "SPHINXOPTS=-W -E" @@ -48,7 +44,6 @@ extras = [testenv:coverage] skip_install = true -basepython = python3.6 commands = coverage combine coverage xml @@ -60,7 +55,6 @@ setenv = [testenv:black] skip_install = true -basepython = python3.6 commands = black src/pyramid tests setup.py deps = @@ -68,7 +62,6 @@ deps = [testenv:build] skip_install = true -basepython = python3.6 commands = # clean up build/ and dist/ folders python -c 'import shutil; shutil.rmtree("dist", ignore_errors=True)' |
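Review bot: in src/pyramid/csrf.py, the new `allow_no_origin=False` parameter of `check_csrf_origin` is inserted ahead of `raises=True`, so a third positional argument that used to mean `raises` now sets `allow_no_origin`. Append the new parameter after `raises`, or make both keyword-only, so existing positional callers keep their meaning. The docstring should also describe the new parameter and its default.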
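Review bot: in the `if not origin:` branch of `check_csrf_origin`, `allow_no_origin=True` returns `True` before any origin comparison, so for a request carrying neither `Origin` nor `Referer` the `check_csrf_token` call that follows in `csrf_view` is the only CSRF control left. The comment above the branch should say so, so the option is not read as a harmless compatibility switch. The `else:` after `return True` is redundant and can be dropped.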
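Review bot: removing the `try`/`except` from `default_execution_policy` in src/pyramid/router.py is a behaviour change that needs its own changelog entry under backwards incompatibilities. Exceptions from `router.invoke_request` now propagate to the caller instead of going through `request.invoke_exception_view(reraise=True)`, as the renamed `test_execution_policy_bubbles_exception` confirms. It is bundled here with spelling fixes, and the description should state where exception views are expected to be invoked after this change.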
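Review bot: `_get_info` in `view_config` (src/pyramid/view.py) indexes `frameinfo[3][0]` unconditionally, but `inspect.getframeinfo` returns `None` for the code context when the caller's source cannot be read, so constructing the decorator there raises `TypeError`. Guard the lookup and fall back to an empty source line. The `depth + 2` offset also assumes user code calls `__init__` directly. A subclass that overrides `__init__` and calls up will record its own frame unless it passes `_depth`, which is worth a line in the docstring.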
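Review bot: `wrap` in the new function form of `view_defaults` assigns the `settings` dict itself to `wrapped.__view_defaults__`, where the removed code stored `self.__dict__.copy()`. Reusing one decorator object on two classes now leaves both pointing at the same mutable dict, so store `dict(settings)` instead. Changing `view_defaults` from a `view_config` subclass to a function also breaks any `isinstance` or subclass use and bypasses the `for_` to `context` handling shown in `view_config`, so it needs a changelog line.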
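Review bot: `allow_no_origin = defaults.allow_no_origin` in `csrf_view` (src/pyramid/viewderivers.py) assumes every registered `IDefaultCSRFOptions` utility already has the attribute this patch adds to the interface. An options object written against the old interface would raise `AttributeError` on the first request with an unsafe method. Reading it with `getattr(defaults, 'allow_no_origin', False)` keeps the strict default for such objects.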
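Review bot: `test_success_with_allow_no_origin` in tests/test_csrf.py covers only the case where both headers are absent. Pair it with a test that passes `allow_no_origin=True` together with a present but untrusted `Origin` or `Referer` and expects the check to fail, so the suite pins that the flag never relaxes a mismatching origin.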
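Review bot: `test_csrf_view_allow_no_origin` in tests/test_viewderivers.py exercises only the passing path with a matching `csrf_token`. Add a companion case with `allow_no_origin=True`, `request.referrer = None` and a mismatched token that expects `BadCSRFToken`, so a later refactor cannot let the option skip the token check as well.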
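Review bot: the tox.ini hunks drop every `basepython` pin, including the docs one that carried the comment `# pin to 3.5 to match what RTD uses`, without saying what replaces that guarantee. The lint, docs, pdf, coverage, black and build environments will now run on whichever interpreter launches tox, and `flake8` and `black --check` results can differ between Python versions. Either state the supported interpreter for these environments in the file or explain in the commit message why the pins are no longer needed.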
