diff options
| -rw-r--r-- | CHANGES.rst | 307 | ||||
| -rw-r--r-- | HISTORY.rst | 314 | ||||
| -rw-r--r-- | setup.py | 2 |
3 files changed, 319 insertions, 304 deletions
diff --git a/CHANGES.rst b/CHANGES.rst index 16a724557..4bb847a25 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -1,313 +1,14 @@ -2.0 (2021-02-28) -================ - -- No changes from 2.0b1. - -2.0b1 (2021-02-20) -================== - -- Break potential reference cycle between ``request`` and ``context``. - See https://github.com/Pylons/pyramid/pull/3649 - -- Remove ``update_wrapper`` from ``pyramid.decorator.reify``. - See https://github.com/Pylons/pyramid/pull/3657 - -2.0b0 (2020-12-15) -================== - -- Overhaul tutorials and update cookiecutter to de-emphasize ``request.user`` - in favor of ``request.identity`` for common use cases. - See https://github.com/Pylons/pyramid/pull/3629 - -- Improve documentation and patterns with builtin fixtures shipped in the - cookiecutters. - See https://github.com/Pylons/pyramid/pull/3629 - -2.0a0 (2020-11-29) -================== +unreleased +========== Features -------- -- Add support for Python 3.9. - See https://github.com/Pylons/pyramid/issues/3622 - -- The ``aslist`` method now handles non-string objects when flattening. - See https://github.com/Pylons/pyramid/pull/3594 - -- It is now possible to pass multiple values to the ``header`` predicate - for route and view configuration. - See https://github.com/Pylons/pyramid/pull/3576 - -- Add support for Python 3.8. - See https://github.com/Pylons/pyramid/pull/3547 - -- New security APIs have been added to support a massive overhaul of the - authentication and authorization system. Read - "Upgrading Authentication/Authorization" in the "What's New in Pyramid 2.0" - chapter of the documentation for information about using this new system. - - - ``pyramid.config.Configurator.set_security_policy``. - - ``pyramid.interfaces.ISecurityPolicy`` - - ``pyramid.request.Request.identity``. - - ``pyramid.request.Request.is_authenticated`` - - ``pyramid.authentication.SessionAuthenticationHelper`` - - ``pyramid.authorization.ACLHelper`` - - ``is_authenticated=True/False`` predicate for route and view configs - - See https://github.com/Pylons/pyramid/pull/3465 and - https://github.com/Pylons/pyramid/pull/3598 - -- Changed the default ``serializer`` on - ``pyramid.session.SignedCookieSessionFactory`` to use - ``pyramid.session.JSONSerializer`` instead of - ``pyramid.session.PickleSerializer``. Read - "Upgrading Session Serialization" in the "What's New in Pyramid 2.0" chapter - of the documentation for more information about why this change was made. - See https://github.com/Pylons/pyramid/pull/3413 - -- It is now possible to control whether a route pattern contains a trailing - slash when it is composed with a route prefix using - ``config.include(..., route_prefix=...)`` or - ``with config.route_prefix_context(...)``. This can be done by specifying - an empty pattern and setting the new argument - ``inherit_slash=True``. For example: - - .. code-block:: python - - with config.route_prefix_context('/users'): - config.add_route('users', '', inherit_slash=True) - - In the example, the resulting pattern will be ``/users``. Similarly, if the - route prefix were ``/users/`` then the final pattern would be ``/users/``. - If the ``pattern`` was ``'/'``, then the final pattern would always be - ``/users/``. This new setting is only available if the pattern supplied - to ``add_route`` is the empty string (``''``). - See https://github.com/Pylons/pyramid/pull/3420 - -- No longer define ``pyramid.request.Request.json_body`` which is already - provided by WebOb. This allows the attribute to now be settable. - See https://github.com/Pylons/pyramid/pull/3447 - -- Improve debugging info from ``pyramid.view.view_config`` decorator. - See https://github.com/Pylons/pyramid/pull/3483 - -- A new parameter, ``allow_no_origin``, was added to - ``pyramid.config.Configurator.set_default_csrf_options`` as well as - ``pyramid.csrf.check_csrf_origin``. This option controls whether a - request is rejected if it has no ``Origin`` or ``Referer`` header - - often the result of a user configuring their browser not to send a - ``Referer`` header for privacy reasons even on same-domain requests. - The default is to reject requests without a known origin. It is also - possible to allow the special ``Origin: null`` header by adding it to the - ``pyramid.csrf_trusted_origins`` list in the settings. - See https://github.com/Pylons/pyramid/pull/3512 - and https://github.com/Pylons/pyramid/pull/3518 - -- A new parameter, ``check_origin``, was added to - ``pyramid.config.Configurator.set_default_csrf_options`` which disables - origin checking entirely. - See https://github.com/Pylons/pyramid/pull/3518 - -- Added ``pyramid.interfaces.IPredicateInfo`` which defines the object passed - to predicate factories as their second argument. - See https://github.com/Pylons/pyramid/pull/3514 - -- Added support for serving pre-compressed static assets by using the - ``content_encodings`` argument of - ``pyramid.config.Configurator.add_static_view`` and - ``pyramid.static.static_view``. - See https://github.com/Pylons/pyramid/pull/3537 - -- Fix ``DeprecationWarning`` emitted by using the ``imp`` module. - See https://github.com/Pylons/pyramid/pull/3553 - -- Properties created via ``config.add_request_method(..., property=True)`` or - ``request.set_property`` used to be readonly. They can now be overridden - via ``request.foo = ...`` and until the value is deleted it will return - the overridden value. This is most useful when mocking request properties - in testing. - See https://github.com/Pylons/pyramid/pull/3559 - -- Finished callbacks are now executed as part of the ``closer`` that is - invoked as part of ``pyramid.scripting.prepare`` and - ``pyramid.paster.bootstrap``. - See https://github.com/Pylons/pyramid/pull/3561 - -- Added ``pyramid.request.RequestLocalCache`` which can be used to create - simple objects that are shared across requests and can be used to store - per-request data. This is useful when the source of data is external to - the request itself. Often a reified property is used on a request via - ``pyramid.config.Configurator.add_request_method``, or - ``pyramid.decorator.reify``, and these work great when the data is - generated on-demand when accessing the request property. However, often - the case is that the data is generated when accessing some other system - and then we want to cache the data for the duration of the request. - See https://github.com/Pylons/pyramid/pull/3561 - -- Exposed ``pyramid.authorization.ALL_PERMISSIONS`` and - ``pyramid.authorization.DENY_ALL`` such that all of the ACL-related constants - are now importable from the ``pyramid.authorization`` namespace. - See https://github.com/Pylons/pyramid/pull/3563 - -- ``pserve`` now outputs verbose messaging to `stderr` instead of `stdout` - to circumvent buffering issues that exist by default on `stdout`. - See https://github.com/Pylons/pyramid/pull/3593 - -Deprecations ------------- - -- Deprecated the authentication and authorization interfaces and - principal-based support. See "Upgrading Authentication/Authorization" in - the "What's New in Pyramid 2.0" chapter of the documentation for information - on equivalent APIs and notes on upgrading. The following APIs are deprecated - as a result of this change: - - - ``pyramid.config.Configurator.set_authentication_policy`` - - ``pyramid.config.Configurator.set_authorization_policy`` - - ``pyramid.interfaces.IAuthenticationPolicy`` - - ``pyramid.interfaces.IAuthorizationPolicy`` - - ``pyramid.request.Request.effective_principals`` - - ``pyramid.request.Request.unauthenticated_userid`` - - ``pyramid.authentication.AuthTktAuthenticationPolicy`` - - ``pyramid.authentication.RemoteUserAuthenticationPolicy`` - - ``pyramid.authentication.RepozeWho1AuthenticationPolicy`` - - ``pyramid.authentication.SessionAuthenticationPolicy`` - - ``pyramid.authentication.BasicAuthAuthenticationPolicy`` - - ``pyramid.authorization.ACLAuthorizationPolicy`` - - The ``effective_principals`` view and route predicates. - - See https://github.com/Pylons/pyramid/pull/3465 - -- Deprecated ``pyramid.security.principals_allowed_by_permission``. This - method continues to work with the deprecated - ``pyramid.interfaces.IAuthorizationPolicy`` interface but will not work with - the new ``pyramid.interfaces.ISecurityPolicy``. - See https://github.com/Pylons/pyramid/pull/3465 - -- Deprecated several ACL-related aspects of ``pyramid.security``. Equivalent - objects should now be imported from the ``pyramid.authorization`` namespace. - This includes: - - - ``pyramid.security.Everyone`` - - ``pyramid.security.Authenticated`` - - ``pyramid.security.ALL_PERMISSIONS`` - - ``pyramid.security.DENY_ALL`` - - ``pyramid.security.ACLAllowed`` - - ``pyramid.security.ACLDenied`` - - See https://github.com/Pylons/pyramid/pull/3563 - -- Deprecated ``pyramid.session.PickleSerializer``. - See https://github.com/pylons/pyramid/issues/2709, - and https://github.com/pylons/pyramid/pull/3353, - and https://github.com/pylons/pyramid/pull/3413 +Bug Fixes +--------- Backward Incompatibilities -------------------------- -- Drop support for Python 2.7, 3.4, and 3.5. - See https://github.com/Pylons/pyramid/pull/3421, - and https://github.com/Pylons/pyramid/pull/3547, - and https://github.com/Pylons/pyramid/pull/3634 - -- Removed the ``pyramid.compat`` module. Integrators should use the ``six`` - module or vendor shims they are using into their own codebases going forward. - https://github.com/Pylons/pyramid/pull/3421 - -- ``pcreate`` and the builtin scaffolds have been removed in favor of - using the ``cookiecutter`` tool and the ``pyramid-cookiecutter-starter`` - cookiecutter. The script and scaffolds were deprecated in Pyramid 1.8. - See https://github.com/Pylons/pyramid/pull/3406 - -- Changed the default ``hashalg`` on - ``pyramid.authentication.AuthTktCookieHelper`` to ``sha512``. - See https://github.com/Pylons/pyramid/pull/3557 - -- Removed ``pyramid.interfaces.ITemplateRenderer``. This interface was - deprecated since Pyramid 1.5 and was an interface - used by libraries like ``pyramid_mako`` and ``pyramid_chameleon`` but - provided no functionality within Pyramid itself. - See https://github.com/Pylons/pyramid/pull/3409 - -- Removed ``pyramid.security.has_permission``, - ``pyramid.security.authenticated_userid``, - ``pyramid.security.unauthenticated_userid``, and - ``pyramid.security.effective_principals``. These methods were deprecated - in Pyramid 1.5 and all have equivalents available as properties on the - request. For example, ``request.authenticated_userid``. - See https://github.com/Pylons/pyramid/pull/3410 - -- Removed support for supplying a media range to the ``accept`` predicate of - both ``pyramid.config.Configurator.add_view`` and - ``pyramid.config.Configurator.add_route``. These options were deprecated - in Pyramid 1.10 and WebOb 1.8 because they resulted in uncontrollable - matching that was not compliant with the RFC. - See https://github.com/Pylons/pyramid/pull/3411 - -- Removed ``pyramid.session.UnencryptedCookieSessionFactoryConfig``. This - session factory was replaced with - ``pyramid.session.SignedCookieSessionFactory`` in Pyramid 1.5 and has been - deprecated since then. - See https://github.com/Pylons/pyramid/pull/3412 - -- Removed ``pyramid.session.signed_serialize``, and - ``pyramid.session.signed_deserialize``. These methods were only used by - the now-removed ``pyramid.session.UnencryptedCookieSessionFactoryConfig`` - and were coupled to the vulnerable pickle serialization format which could - lead to remove code execution if the secret key is compromised. - See https://github.com/Pylons/pyramid/pull/3412 - -- Changed the default ``serializer`` on - ``pyramid.session.SignedCookieSessionFactory`` to use - ``pyramid.session.JSONSerializer`` instead of - ``pyramid.session.PickleSerializer``. Read "Upgrading Session Serialization" - in the "What's New in Pyramid 2.0" chapter of the documentation for more - information about why this change was made. - See https://github.com/Pylons/pyramid/pull/3413 - -- ``pyramid.request.Request.invoke_exception_view`` will no longer be called - by the default execution policy. - See https://github.com/Pylons/pyramid/pull/3496 - -- ``pyramid.config.Configurator.scan`` will no longer, by default, execute - Venusian decorator callbacks registered for categories other than - ``'pyramid'``. To find any decorator regardless of category, specify - ``config.scan(..., categories=None)``. - See https://github.com/Pylons/pyramid/pull/3510 - -- The second argument to predicate factories has been changed from ``config`` - to ``info``, an instance of ``pyramid.interfaces.IPredicateInfo``. This - limits the data available to predicates but still provides the package, - registry, settings and dotted-name resolver which should cover most use - cases and is largely backward compatible. - See https://github.com/Pylons/pyramid/pull/3514 - -- Removed the ``check_csrf`` predicate. Instead, use - ``pyramid.config.Configurator.set_default_csrf_options`` and the - ``require_csrf`` view option to enable automatic CSRF checking. - See https://github.com/Pylons/pyramid/pull/3521 - -- Update the default behavior of - ``pyramid.authenticationAuthTktAuthenticationPolicy`` and - ``pyramid.authentication.AuthTktCookieHelper`` to only set a single cookie - without a domain parameter when no other domain constraints are specified. - Prior to this change, ``wild_domain=False`` (the default) was effectively - treated the same as ``wild_domain=True``, in which a cookie was defined - such that browsers would use it both for the request's domain, as well as - any subdomain. In the new behavior, cookies will only affect the current - domain, and not subdomains, by default. - See https://github.com/Pylons/pyramid/pull/3587 - Documentation Changes --------------------- - -- Restore build of PDF on Read The Docs. - See https://github.com/Pylons/pyramid/issues/3290 - -- Fix docs build for Sphinx 2.0. - See https://github.com/Pylons/pyramid/pull/3480 - -- Significant updates to the wiki, wiki2 tutorials to demonstrate the new - security policy usage as well as a much more production-ready test harness. - See https://github.com/Pylons/pyramid/pull/3557 diff --git a/HISTORY.rst b/HISTORY.rst index 8b0028065..7bda92fa4 100644 --- a/HISTORY.rst +++ b/HISTORY.rst @@ -1,3 +1,317 @@ +2.0 (2021-02-28) +================ + +- No changes from 2.0b1. + +2.0b1 (2021-02-20) +================== + +- Break potential reference cycle between ``request`` and ``context``. + See https://github.com/Pylons/pyramid/pull/3649 + +- Remove ``update_wrapper`` from ``pyramid.decorator.reify``. + See https://github.com/Pylons/pyramid/pull/3657 + +2.0b0 (2020-12-15) +================== + +- Overhaul tutorials and update cookiecutter to de-emphasize ``request.user`` + in favor of ``request.identity`` for common use cases. + See https://github.com/Pylons/pyramid/pull/3629 + +- Improve documentation and patterns with builtin fixtures shipped in the + cookiecutters. + See https://github.com/Pylons/pyramid/pull/3629 + +2.0a0 (2020-11-29) +================== + +Features +-------- + +- Add support for Python 3.9. + See https://github.com/Pylons/pyramid/issues/3622 + +- The ``aslist`` method now handles non-string objects when flattening. + See https://github.com/Pylons/pyramid/pull/3594 + +- It is now possible to pass multiple values to the ``header`` predicate + for route and view configuration. + See https://github.com/Pylons/pyramid/pull/3576 + +- Add support for Python 3.8. + See https://github.com/Pylons/pyramid/pull/3547 + +- New security APIs have been added to support a massive overhaul of the + authentication and authorization system. Read + "Upgrading Authentication/Authorization" in the "What's New in Pyramid 2.0" + chapter of the documentation for information about using this new system. + + - ``pyramid.config.Configurator.set_security_policy``. + - ``pyramid.interfaces.ISecurityPolicy`` + - ``pyramid.request.Request.identity``. + - ``pyramid.request.Request.is_authenticated`` + - ``pyramid.authentication.SessionAuthenticationHelper`` + - ``pyramid.authorization.ACLHelper`` + - ``is_authenticated=True/False`` predicate for route and view configs + + See https://github.com/Pylons/pyramid/pull/3465 and + https://github.com/Pylons/pyramid/pull/3598 + +- Changed the default ``serializer`` on + ``pyramid.session.SignedCookieSessionFactory`` to use + ``pyramid.session.JSONSerializer`` instead of + ``pyramid.session.PickleSerializer``. Read + "Upgrading Session Serialization" in the "What's New in Pyramid 2.0" chapter + of the documentation for more information about why this change was made. + See https://github.com/Pylons/pyramid/pull/3413 + +- It is now possible to control whether a route pattern contains a trailing + slash when it is composed with a route prefix using + ``config.include(..., route_prefix=...)`` or + ``with config.route_prefix_context(...)``. This can be done by specifying + an empty pattern and setting the new argument + ``inherit_slash=True``. For example: + + .. code-block:: python + + with config.route_prefix_context('/users'): + config.add_route('users', '', inherit_slash=True) + + In the example, the resulting pattern will be ``/users``. Similarly, if the + route prefix were ``/users/`` then the final pattern would be ``/users/``. + If the ``pattern`` was ``'/'``, then the final pattern would always be + ``/users/``. This new setting is only available if the pattern supplied + to ``add_route`` is the empty string (``''``). + See https://github.com/Pylons/pyramid/pull/3420 + +- No longer define ``pyramid.request.Request.json_body`` which is already + provided by WebOb. This allows the attribute to now be settable. + See https://github.com/Pylons/pyramid/pull/3447 + +- Improve debugging info from ``pyramid.view.view_config`` decorator. + See https://github.com/Pylons/pyramid/pull/3483 + +- A new parameter, ``allow_no_origin``, was added to + ``pyramid.config.Configurator.set_default_csrf_options`` as well as + ``pyramid.csrf.check_csrf_origin``. This option controls whether a + request is rejected if it has no ``Origin`` or ``Referer`` header - + often the result of a user configuring their browser not to send a + ``Referer`` header for privacy reasons even on same-domain requests. + The default is to reject requests without a known origin. It is also + possible to allow the special ``Origin: null`` header by adding it to the + ``pyramid.csrf_trusted_origins`` list in the settings. + See https://github.com/Pylons/pyramid/pull/3512 + and https://github.com/Pylons/pyramid/pull/3518 + +- A new parameter, ``check_origin``, was added to + ``pyramid.config.Configurator.set_default_csrf_options`` which disables + origin checking entirely. + See https://github.com/Pylons/pyramid/pull/3518 + +- Added ``pyramid.interfaces.IPredicateInfo`` which defines the object passed + to predicate factories as their second argument. + See https://github.com/Pylons/pyramid/pull/3514 + +- Added support for serving pre-compressed static assets by using the + ``content_encodings`` argument of + ``pyramid.config.Configurator.add_static_view`` and + ``pyramid.static.static_view``. + See https://github.com/Pylons/pyramid/pull/3537 + +- Fix ``DeprecationWarning`` emitted by using the ``imp`` module. + See https://github.com/Pylons/pyramid/pull/3553 + +- Properties created via ``config.add_request_method(..., property=True)`` or + ``request.set_property`` used to be readonly. They can now be overridden + via ``request.foo = ...`` and until the value is deleted it will return + the overridden value. This is most useful when mocking request properties + in testing. + See https://github.com/Pylons/pyramid/pull/3559 + +- Finished callbacks are now executed as part of the ``closer`` that is + invoked as part of ``pyramid.scripting.prepare`` and + ``pyramid.paster.bootstrap``. + See https://github.com/Pylons/pyramid/pull/3561 + +- Added ``pyramid.request.RequestLocalCache`` which can be used to create + simple objects that are shared across requests and can be used to store + per-request data. This is useful when the source of data is external to + the request itself. Often a reified property is used on a request via + ``pyramid.config.Configurator.add_request_method``, or + ``pyramid.decorator.reify``, and these work great when the data is + generated on-demand when accessing the request property. However, often + the case is that the data is generated when accessing some other system + and then we want to cache the data for the duration of the request. + See https://github.com/Pylons/pyramid/pull/3561 + +- Exposed ``pyramid.authorization.ALL_PERMISSIONS`` and + ``pyramid.authorization.DENY_ALL`` such that all of the ACL-related constants + are now importable from the ``pyramid.authorization`` namespace. + See https://github.com/Pylons/pyramid/pull/3563 + +- ``pserve`` now outputs verbose messaging to `stderr` instead of `stdout` + to circumvent buffering issues that exist by default on `stdout`. + See https://github.com/Pylons/pyramid/pull/3593 + +Deprecations +------------ + +- Deprecated the authentication and authorization interfaces and + principal-based support. See "Upgrading Authentication/Authorization" in + the "What's New in Pyramid 2.0" chapter of the documentation for information + on equivalent APIs and notes on upgrading. The following APIs are deprecated + as a result of this change: + + - ``pyramid.config.Configurator.set_authentication_policy`` + - ``pyramid.config.Configurator.set_authorization_policy`` + - ``pyramid.interfaces.IAuthenticationPolicy`` + - ``pyramid.interfaces.IAuthorizationPolicy`` + - ``pyramid.request.Request.effective_principals`` + - ``pyramid.request.Request.unauthenticated_userid`` + - ``pyramid.authentication.AuthTktAuthenticationPolicy`` + - ``pyramid.authentication.RemoteUserAuthenticationPolicy`` + - ``pyramid.authentication.RepozeWho1AuthenticationPolicy`` + - ``pyramid.authentication.SessionAuthenticationPolicy`` + - ``pyramid.authentication.BasicAuthAuthenticationPolicy`` + - ``pyramid.authorization.ACLAuthorizationPolicy`` + - The ``effective_principals`` view and route predicates. + + See https://github.com/Pylons/pyramid/pull/3465 + +- Deprecated ``pyramid.security.principals_allowed_by_permission``. This + method continues to work with the deprecated + ``pyramid.interfaces.IAuthorizationPolicy`` interface but will not work with + the new ``pyramid.interfaces.ISecurityPolicy``. + See https://github.com/Pylons/pyramid/pull/3465 + +- Deprecated several ACL-related aspects of ``pyramid.security``. Equivalent + objects should now be imported from the ``pyramid.authorization`` namespace. + This includes: + + - ``pyramid.security.Everyone`` + - ``pyramid.security.Authenticated`` + - ``pyramid.security.ALL_PERMISSIONS`` + - ``pyramid.security.DENY_ALL`` + - ``pyramid.security.ACLAllowed`` + - ``pyramid.security.ACLDenied`` + + See https://github.com/Pylons/pyramid/pull/3563 + +- Deprecated ``pyramid.session.PickleSerializer``. + See https://github.com/pylons/pyramid/issues/2709, + and https://github.com/pylons/pyramid/pull/3353, + and https://github.com/pylons/pyramid/pull/3413 + +Backward Incompatibilities +-------------------------- + +- Drop support for Python 2.7, 3.4, and 3.5. + See https://github.com/Pylons/pyramid/pull/3421, + and https://github.com/Pylons/pyramid/pull/3547, + and https://github.com/Pylons/pyramid/pull/3634 + +- Removed the ``pyramid.compat`` module. Integrators should use the ``six`` + module or vendor shims they are using into their own codebases going forward. + https://github.com/Pylons/pyramid/pull/3421 + +- ``pcreate`` and the builtin scaffolds have been removed in favor of + using the ``cookiecutter`` tool and the ``pyramid-cookiecutter-starter`` + cookiecutter. The script and scaffolds were deprecated in Pyramid 1.8. + See https://github.com/Pylons/pyramid/pull/3406 + +- Changed the default ``hashalg`` on + ``pyramid.authentication.AuthTktCookieHelper`` to ``sha512``. + See https://github.com/Pylons/pyramid/pull/3557 + +- Removed ``pyramid.interfaces.ITemplateRenderer``. This interface was + deprecated since Pyramid 1.5 and was an interface + used by libraries like ``pyramid_mako`` and ``pyramid_chameleon`` but + provided no functionality within Pyramid itself. + See https://github.com/Pylons/pyramid/pull/3409 + +- Removed ``pyramid.security.has_permission``, + ``pyramid.security.authenticated_userid``, + ``pyramid.security.unauthenticated_userid``, and + ``pyramid.security.effective_principals``. These methods were deprecated + in Pyramid 1.5 and all have equivalents available as properties on the + request. For example, ``request.authenticated_userid``. + See https://github.com/Pylons/pyramid/pull/3410 + +- Removed support for supplying a media range to the ``accept`` predicate of + both ``pyramid.config.Configurator.add_view`` and + ``pyramid.config.Configurator.add_route``. These options were deprecated + in Pyramid 1.10 and WebOb 1.8 because they resulted in uncontrollable + matching that was not compliant with the RFC. + See https://github.com/Pylons/pyramid/pull/3411 + +- Removed ``pyramid.session.UnencryptedCookieSessionFactoryConfig``. This + session factory was replaced with + ``pyramid.session.SignedCookieSessionFactory`` in Pyramid 1.5 and has been + deprecated since then. + See https://github.com/Pylons/pyramid/pull/3412 + +- Removed ``pyramid.session.signed_serialize``, and + ``pyramid.session.signed_deserialize``. These methods were only used by + the now-removed ``pyramid.session.UnencryptedCookieSessionFactoryConfig`` + and were coupled to the vulnerable pickle serialization format which could + lead to remove code execution if the secret key is compromised. + See https://github.com/Pylons/pyramid/pull/3412 + +- Changed the default ``serializer`` on + ``pyramid.session.SignedCookieSessionFactory`` to use + ``pyramid.session.JSONSerializer`` instead of + ``pyramid.session.PickleSerializer``. Read "Upgrading Session Serialization" + in the "What's New in Pyramid 2.0" chapter of the documentation for more + information about why this change was made. + See https://github.com/Pylons/pyramid/pull/3413 + +- ``pyramid.request.Request.invoke_exception_view`` will no longer be called + by the default execution policy. + See https://github.com/Pylons/pyramid/pull/3496 + +- ``pyramid.config.Configurator.scan`` will no longer, by default, execute + Venusian decorator callbacks registered for categories other than + ``'pyramid'``. To find any decorator regardless of category, specify + ``config.scan(..., categories=None)``. + See https://github.com/Pylons/pyramid/pull/3510 + +- The second argument to predicate factories has been changed from ``config`` + to ``info``, an instance of ``pyramid.interfaces.IPredicateInfo``. This + limits the data available to predicates but still provides the package, + registry, settings and dotted-name resolver which should cover most use + cases and is largely backward compatible. + See https://github.com/Pylons/pyramid/pull/3514 + +- Removed the ``check_csrf`` predicate. Instead, use + ``pyramid.config.Configurator.set_default_csrf_options`` and the + ``require_csrf`` view option to enable automatic CSRF checking. + See https://github.com/Pylons/pyramid/pull/3521 + +- Update the default behavior of + ``pyramid.authenticationAuthTktAuthenticationPolicy`` and + ``pyramid.authentication.AuthTktCookieHelper`` to only set a single cookie + without a domain parameter when no other domain constraints are specified. + Prior to this change, ``wild_domain=False`` (the default) was effectively + treated the same as ``wild_domain=True``, in which a cookie was defined + such that browsers would use it both for the request's domain, as well as + any subdomain. In the new behavior, cookies will only affect the current + domain, and not subdomains, by default. + See https://github.com/Pylons/pyramid/pull/3587 + +Documentation Changes +--------------------- + +- Restore build of PDF on Read The Docs. + See https://github.com/Pylons/pyramid/issues/3290 + +- Fix docs build for Sphinx 2.0. + See https://github.com/Pylons/pyramid/pull/3480 + +- Significant updates to the wiki, wiki2 tutorials to demonstrate the new + security policy usage as well as a much more production-ready test harness. + See https://github.com/Pylons/pyramid/pull/3557 + 1.10 (2018-10-31) ================= @@ -22,7 +22,7 @@ def readfile(name): README = readfile('README.rst') CHANGES = readfile('CHANGES.rst') -VERSION = '2.0' +VERSION = '2.1.dev0' install_requires = [ 'hupper >= 1.5', # ignore_files support |