-rw-r--r-- | CHANGES.txt | 126
-rw-r--r-- | HISTORY.txt | 140
2 files changed, 142 insertions, 124 deletions
diff --git a/CHANGES.txt b/CHANGES.txt index d316594bc..c0681053d 100644 --- a/CHANGES.txt +++ b/CHANGES.txt 
@@ -4,136 +4,14 @@ unreleased Backward Incompatibilities -------------------------- -- Following the Pyramid deprecation period (1.4 -> 1.6), - AuthTktAuthenticationPolicy's default hashing algorithm is changing from md5 - to sha512. If you are using the authentication policy and need to continue - using md5, please explicitly set hashalg to 'md5'. - - This change does mean that any existing auth tickets (and associated cookies) - will no longer be valid, and users will no longer be logged in, and have to - login to their accounts again. - - See https://github.com/Pylons/pyramid/pull/2496 - -- The ``check_csrf_token`` function no longer validates a csrf token in the - query string of a request. Only headers and request bodies are supported. - See https://github.com/Pylons/pyramid/pull/2500 - Features -------- -- Added a new setting, ``pyramid.require_default_csrf`` which may be used - to turn on CSRF checks globally for every POST request in the application. - This should be considered a good default for websites built on Pyramid. - It is possible to opt-out of CSRF checks on a per-view basis by setting - ``require_csrf=False`` on those views. - See https://github.com/Pylons/pyramid/pull/2413 - -- Added a ``require_csrf`` view option which will enforce CSRF checks on any - request with an unsafe method as defined by RFC2616. If the CSRF check fails - a ``BadCSRFToken`` exception will be raised and may be caught by exception - views (the default response is a ``400 Bad Request``). This option should be - used in place of the deprecated ``check_csrf`` view predicate which would - normally result in unexpected ``404 Not Found`` response to the client - instead of a catchable exception. See - https://github.com/Pylons/pyramid/pull/2413 and - https://github.com/Pylons/pyramid/pull/2500 - -- Added an additional CSRF validation that checks the origin/referrer of a - request and makes sure it matches the current ``request.domain``. 
This - particular check is only active when accessing a site over HTTPS as otherwise - browsers don't always send the required information. If this additional CSRF - validation fails a ``BadCSRFOrigin`` exception will be raised and may be - caught by exception views (the default response is ``400 Bad Request``). - Additional allowed origins may be configured by setting - ``pyramid.csrf_trusted_origins`` to a list of domain names (with ports if on - a non standard port) to allow. Subdomains are not allowed unless the domain - name has been prefixed with a ``.``. See - https://github.com/Pylons/pyramid/pull/2501 - -- Added a new ``pyramid.session.check_csrf_origin`` API for validating the - origin or referrer headers against the request's domain. - See https://github.com/Pylons/pyramid/pull/2501 - -- Pyramid HTTPExceptions will now take into account the best match for the - clients Accept header, and depending on what is requested will return - text/html, application/json or text/plain. The default for */* is still - text/html, but if application/json is explicitly mentioned it will now - receive a valid JSON response. See - https://github.com/Pylons/pyramid/pull/2489 - -- A new event and interface (BeforeTraversal) has been introduced that will - notify listeners before traversal starts in the router. See - https://github.com/Pylons/pyramid/pull/2469 and - https://github.com/Pylons/pyramid/pull/1876 - -- Add a new "view deriver" concept to Pyramid to allow framework authors to - inject elements into the standard Pyramid view pipeline and affect all - views in an application. This is similar to a decorator except that it - has access to options passed to ``config.add_view`` and can affect other - stages of the pipeline such as the raw response from a view or prior to - security checks. See https://github.com/Pylons/pyramid/pull/2021 - -- Allow a leading ``=`` on the key of the request param predicate. 
- For example, '=abc=1' is equivalent down to - ``request.params['=abc'] == '1'``. - See https://github.com/Pylons/pyramid/pull/1370 - -- A new ``request.invoke_exception_view(...)`` method which can be used to - invoke an exception view and get back a response. This is useful for - rendering an exception view outside of the context of the excview tween - where you may need more control over the request. - See https://github.com/Pylons/pyramid/pull/2393 - -- Allow using variable substitutions like ``%(LOGGING_LOGGER_ROOT_LEVEL)s`` - for logging sections of the .ini file and populate these variables from - the ``pserve`` command line -- e.g.: - ``pserve development.ini LOGGING_LOGGER_ROOT_LEVEL=DEBUG`` - See https://github.com/Pylons/pyramid/pull/2399 - -Documentation Changes ---------------------- - -- A complete overhaul of the docs: - - - Use pip instead of easy_install. - - Become opinionated by preferring Python 3.4 or greater to simplify - installation of Python and its required packaging tools. - - Use venv for the tool, and virtual environment for the thing created, - instead of virtualenv. - - Use py.test and pytest-cov instead of nose and coverage. - - Further updates to the scaffolds as well as tutorials and their src files. - - See https://github.com/Pylons/pyramid/pull/2468 - -- A complete overhaul of the ``alchemy`` scaffold as well as the - Wiki2 SQLAlchemy + URLDispatch tutorial to introduce more modern features - into the usage of SQLAlchemy with Pyramid and provide a better starting - point for new projects. - See https://github.com/Pylons/pyramid/pull/2024 - Bug Fixes --------- -- Fix ``pserve --browser`` to use the ``--server-name`` instead of the - app name when selecting a section to use. This was only working for people - who had server and app sections with the same name, for example - ``[app:main]`` and ``[server:main]``. 
- See https://github.com/Pylons/pyramid/pull/2292 - Deprecations ------------ -- The ``check_csrf`` view predicate has been deprecated. Use the - new ``require_csrf`` option or the ``pyramid.require_default_csrf`` setting - to ensure that the ``BadCSRFToken`` exception is raised. - See https://github.com/Pylons/pyramid/pull/2413 - -- Support for Python 3.3 will be removed in Pyramid 1.8. - https://github.com/Pylons/pyramid/issues/2477 - -- Python 2.6 is no longer supported by Pyramid. See - https://github.com/Pylons/pyramid/issues/2368 - -- Dropped Python 3.2 support. - See https://github.com/Pylons/pyramid/pull/2256 +Documentation Changes +--------------------- diff --git a/HISTORY.txt b/HISTORY.txt index b7f30ff86..53a17a4d3 100644 --- a/HISTORY.txt +++ b/HISTORY.txt 
@@ -1,3 +1,143 @@ +1.7a1 (2016-04-16) +================== + +Backward Incompatibilities +-------------------------- + +- Following the Pyramid deprecation period (1.4 -> 1.6), + AuthTktAuthenticationPolicy's default hashing algorithm is changing from md5 + to sha512. If you are using the authentication policy and need to continue + using md5, please explicitly set hashalg to 'md5'. + + This change does mean that any existing auth tickets (and associated cookies) + will no longer be valid, and users will no longer be logged in, and have to + login to their accounts again. + + See https://github.com/Pylons/pyramid/pull/2496 + +- The ``check_csrf_token`` function no longer validates a csrf token in the + query string of a request. Only headers and request bodies are supported. + See https://github.com/Pylons/pyramid/pull/2500 + +Features +-------- + +- Added a new setting, ``pyramid.require_default_csrf`` which may be used + to turn on CSRF checks globally for every POST request in the application. + This should be considered a good default for websites built on Pyramid. + It is possible to opt-out of CSRF checks on a per-view basis by setting + ``require_csrf=False`` on those views. + See https://github.com/Pylons/pyramid/pull/2413 + +- Added a ``require_csrf`` view option which will enforce CSRF checks on any + request with an unsafe method as defined by RFC2616. If the CSRF check fails + a ``BadCSRFToken`` exception will be raised and may be caught by exception + views (the default response is a ``400 Bad Request``). This option should be + used in place of the deprecated ``check_csrf`` view predicate which would + normally result in unexpected ``404 Not Found`` response to the client + instead of a catchable exception. See + https://github.com/Pylons/pyramid/pull/2413 and + https://github.com/Pylons/pyramid/pull/2500 + +- Added an additional CSRF validation that checks the origin/referrer of a + request and makes sure it matches the current ``request.domain``. 
This + particular check is only active when accessing a site over HTTPS as otherwise + browsers don't always send the required information. If this additional CSRF + validation fails a ``BadCSRFOrigin`` exception will be raised and may be + caught by exception views (the default response is ``400 Bad Request``). + Additional allowed origins may be configured by setting + ``pyramid.csrf_trusted_origins`` to a list of domain names (with ports if on + a non standard port) to allow. Subdomains are not allowed unless the domain + name has been prefixed with a ``.``. See + https://github.com/Pylons/pyramid/pull/2501 + +- Added a new ``pyramid.session.check_csrf_origin`` API for validating the + origin or referrer headers against the request's domain. + See https://github.com/Pylons/pyramid/pull/2501 + +- Pyramid HTTPExceptions will now take into account the best match for the + clients Accept header, and depending on what is requested will return + text/html, application/json or text/plain. The default for */* is still + text/html, but if application/json is explicitly mentioned it will now + receive a valid JSON response. See + https://github.com/Pylons/pyramid/pull/2489 + +- A new event and interface (BeforeTraversal) has been introduced that will + notify listeners before traversal starts in the router. See + https://github.com/Pylons/pyramid/pull/2469 and + https://github.com/Pylons/pyramid/pull/1876 + +- Add a new "view deriver" concept to Pyramid to allow framework authors to + inject elements into the standard Pyramid view pipeline and affect all + views in an application. This is similar to a decorator except that it + has access to options passed to ``config.add_view`` and can affect other + stages of the pipeline such as the raw response from a view or prior to + security checks. See https://github.com/Pylons/pyramid/pull/2021 + +- Allow a leading ``=`` on the key of the request param predicate. 
+ For example, '=abc=1' is equivalent down to + ``request.params['=abc'] == '1'``. + See https://github.com/Pylons/pyramid/pull/1370 + +- A new ``request.invoke_exception_view(...)`` method which can be used to + invoke an exception view and get back a response. This is useful for + rendering an exception view outside of the context of the excview tween + where you may need more control over the request. + See https://github.com/Pylons/pyramid/pull/2393 + +- Allow using variable substitutions like ``%(LOGGING_LOGGER_ROOT_LEVEL)s`` + for logging sections of the .ini file and populate these variables from + the ``pserve`` command line -- e.g.: + ``pserve development.ini LOGGING_LOGGER_ROOT_LEVEL=DEBUG`` + See https://github.com/Pylons/pyramid/pull/2399 + +Documentation Changes +--------------------- + +- A complete overhaul of the docs: + + - Use pip instead of easy_install. + - Become opinionated by preferring Python 3.4 or greater to simplify + installation of Python and its required packaging tools. + - Use venv for the tool, and virtual environment for the thing created, + instead of virtualenv. + - Use py.test and pytest-cov instead of nose and coverage. + - Further updates to the scaffolds as well as tutorials and their src files. + + See https://github.com/Pylons/pyramid/pull/2468 + +- A complete overhaul of the ``alchemy`` scaffold as well as the + Wiki2 SQLAlchemy + URLDispatch tutorial to introduce more modern features + into the usage of SQLAlchemy with Pyramid and provide a better starting + point for new projects. + See https://github.com/Pylons/pyramid/pull/2024 + +Bug Fixes +--------- + +- Fix ``pserve --browser`` to use the ``--server-name`` instead of the + app name when selecting a section to use. This was only working for people + who had server and app sections with the same name, for example + ``[app:main]`` and ``[server:main]``. 
+ See https://github.com/Pylons/pyramid/pull/2292 + +Deprecations +------------ + +- The ``check_csrf`` view predicate has been deprecated. Use the + new ``require_csrf`` option or the ``pyramid.require_default_csrf`` setting + to ensure that the ``BadCSRFToken`` exception is raised. + See https://github.com/Pylons/pyramid/pull/2413 + +- Support for Python 3.3 will be removed in Pyramid 1.8. + https://github.com/Pylons/pyramid/issues/2477 + +- Python 2.6 is no longer supported by Pyramid. See + https://github.com/Pylons/pyramid/issues/2368 + +- Dropped Python 3.2 support. + See https://github.com/Pylons/pyramid/pull/2256 + 1.6 (2016-01-03) ================ |
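Review bot: the CHANGES.txt hunk moves the ``Documentation Changes`` heading from its place between ``Features`` and ``Bug Fixes`` to the end of the unreleased skeleton, after ``Deprecations``, so the next release's notes will come out in a different section order from the 1.7a1 entry this same commit writes into HISTORY.txt (Backward Incompatibilities, Features, Documentation Changes, Bug Fixes, Deprecations). If the reorder is intentional, apply the same order to the 1.7a1 entry; otherwise re-add the heading where it was removed so the two files stay consistent.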
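Review bot: in the 1.7a1 entry the scope of the new CSRF enforcement is described two different ways: the ``pyramid.require_default_csrf`` item says it turns on checks "for every POST request", while the ``require_csrf`` item right below says checks apply to "any request with an unsafe method as defined by RFC2616" (so PUT, DELETE, PATCH as well). Since this text is now frozen as release history, state the actual scope in both items so readers do not assume PUT/DELETE are unprotected, or protected, when they are not. Two items under ``Deprecations`` are also misfiled: ``Python 2.6 is no longer supported by Pyramid`` and ``Dropped Python 3.2 support`` are completed removals, unlike the 3.3 note next to them which announces a future removal, and belong under ``Backward Incompatibilities`` alongside the AuthTkt hashalg and ``check_csrf_token`` changes. While touching the moved text, fix the wording slips carried over: ``clients Accept header`` should read ``client's``, ``result in unexpected ``404 Not Found`` response`` needs ``an``, ``is equivalent down to`` should be ``is equivalent to``, and ``have to login`` should be ``have to log in``.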
