| -rw-r--r-- | HISTORY.txt | 101 |
| -rw-r--r-- | docs/whatsnew-1.7.rst | 34 |
2 files changed, 127 insertions, 8 deletions
diff --git a/HISTORY.txt b/HISTORY.txt index 53a17a4d3..5de5b20bd 100644 --- a/HISTORY.txt +++ b/HISTORY.txt 
@@ -1,3 +1,104 @@ +1.7 (2016-05-19) +================ + +- Fix a bug in the wiki2 tutorial where bcrypt is always expecting byte + strings. See https://github.com/Pylons/pyramid/pull/2576 + +- Simplify windows detection code and remove some duplicated data. + See https://github.com/Pylons/pyramid/pull/2585 and + https://github.com/Pylons/pyramid/pull/2586 + +1.7b4 (2016-05-12) +================== + +- Fixed the exception view tween to re-raise the original exception if + no exception view could be found to handle the exception. This better + allows tweens further up the chain to handle exceptions that were + left unhandled. Previously they would be converted into a + ``PredicateMismatch`` exception if predicates failed to allow the view to + handle the exception. + See https://github.com/Pylons/pyramid/pull/2567 + +- Exposed the ``pyramid.interfaces.IRequestFactory`` interface to mirror + the public ``pyramid.interfaces.IResponseFactory`` interface. + +1.7b3 (2016-05-10) +================== + +- Fix ``request.invoke_exception_view`` to raise an ``HTTPNotFound`` + exception if no view is matched. Previously ``None`` would be returned + if no views were matched and a ``PredicateMismatch`` would be raised if + a view "almost" matched (a view was found matching the context). + See https://github.com/Pylons/pyramid/pull/2564 + +- Add defaults for py.test configuration and coverage to all three scaffolds, + and update documentation accordingly. + See https://github.com/Pylons/pyramid/pull/2550 + +- Add ``linkcheck`` to ``Makefile`` for Sphinx. To check the documentation for + broken links, use the command ``make linkcheck + SPHINXBUILD=$VENV/bin/sphinx-build``. Also removed and fixed dozens of broken + external links. + +- Fix the internal runner for scaffold tests to ensure they work with pip + and py.test. 
+ See https://github.com/Pylons/pyramid/pull/2565 + +1.7b2 (2016-05-01) +================== + +- Removed inclusion of pyramid_tm in development.ini for alchemy scaffold + See https://github.com/Pylons/pyramid/issues/2538 + +- A default permission set via ``config.set_default_permission`` will no + longer be enforced on an exception view. This has been the case for a while + with the default exception views (``config.add_notfound_view`` and + ``config.add_forbidden_view``), however for any other exception view a + developer had to remember to set ``permission=NO_PERMISSION_REQUIRED`` or + be surprised when things didn't work. It is still possible to force a + permission check on an exception view by setting the ``permission`` argument + manually to ``config.add_view``. This behavior is consistent with the new + CSRF features added in the 1.7 series. + See https://github.com/Pylons/pyramid/pull/2534 + +1.7b1 (2016-04-25) +================== + +- This release announces the beta period for 1.7. + +- Fix an issue where some files were being included in the alchemy scafffold + which had been removed from the 1.7 series. + See https://github.com/Pylons/pyramid/issues/2525 + +1.7a2 (2016-04-19) +================== + +Features +-------- + +- Automatic CSRF checks are now disabled by default on exception views. They + can be turned back on by setting the appropriate `require_csrf` option on + the view. + See https://github.com/Pylons/pyramid/pull/2517 + +- The automatic CSRF API was reworked to use a config directive for + setting the options. The ``pyramid.require_default_csrf`` setting is + no longer supported. Instead, a new ``config.set_default_csrf_options`` + directive has been introduced that allows the developer to specify + the default value for ``require_csrf`` as well as change the CSRF token, + header and safe request methods. The ``pyramid.csrf_trusted_origins`` + setting is still supported. 
+ See https://github.com/Pylons/pyramid/pull/2518 + +Bug fixes +--------- + +- CSRF origin checks had a bug causing the checks to always fail. + See https://github.com/Pylons/pyramid/pull/2512 + +- Fix the test suite to pass on windows. + See https://github.com/Pylons/pyramid/pull/2520 + 1.7a1 (2016-04-16) ================== diff --git a/docs/whatsnew-1.7.rst b/docs/whatsnew-1.7.rst index fd144a24a..398b12f01 100644 --- a/docs/whatsnew-1.7.rst +++ b/docs/whatsnew-1.7.rst @@ -32,6 +32,11 @@ Backwards Incompatibilities csrf token in the query string of a request. Only headers and request bodies are supported. See https://github.com/Pylons/pyramid/pull/2500 +- A global permission set via + :meth:`pyramid.config.Configurator.set_default_permission` will no longer + affect exception views. A permission must be set explicitly on the view for + it to be enforced. See https://github.com/Pylons/pyramid/pull/2534 + Feature Additions ----------------- @@ -42,14 +47,6 @@ Feature Additions other stages of the pipeline such as the raw response from a view or prior to security checks. See https://github.com/Pylons/pyramid/pull/2021 -- Added a new setting, ``pyramid.require_default_csrf`` which may be used - to turn on CSRF checks globally for every request in the application. - This should be considered a good default for websites built on Pyramid. - It is possible to opt-out of CSRF checks on a per-view basis by setting - ``require_csrf=False`` on those views. - See :ref:`auto_csrf_checking` and - https://github.com/Pylons/pyramid/pull/2413 - - Added a ``require_csrf`` view option which will enforce CSRF checks on requests with an unsafe method as defined by RFC2616. If the CSRF check fails a ``BadCSRFToken`` exception will be raised and may be caught by exception 
@@ -60,6 +57,17 @@ Feature Additions https://github.com/Pylons/pyramid/pull/2413 and https://github.com/Pylons/pyramid/pull/2500 +- Added a new method, + :meth:`pyramid.config.Configurator.set_csrf_default_options`, + for configuring CSRF checks used by the ``require_csrf=True`` view option. + This method can be used to turn on CSRF checks globally for every view + in the application. This should be considered a good default for websites + built on Pyramid. It is possible to opt-out of CSRF checks on a per-view + basis by setting ``require_csrf=False`` on those views. + See :ref:`auto_csrf_checking` and + https://github.com/Pylons/pyramid/pull/2413 and + https://github.com/Pylons/pyramid/pull/2518 + - Added an additional CSRF validation that checks the origin/referrer of a request and makes sure it matches the current ``request.domain``. This particular check is only active when accessing a site over HTTPS as otherwise @@ -96,6 +104,11 @@ Feature Additions ``EXCVIEW`` tween where you may need more control over the request. See https://github.com/Pylons/pyramid/pull/2393 +- A global permission set via + :meth:`pyramid.config.Configurator.set_default_permission` will no longer + affect exception views. A permission must be set explicitly on the view for + it to be enforced. See https://github.com/Pylons/pyramid/pull/2534 + - Allow a leading ``=`` on the key of the request param predicate. For example, ``'=abc=1'`` is equivalent down to ``request.params['=abc'] == '1'``. @@ -111,6 +124,11 @@ Feature Additions :func:`pyramid.paster.setup_logging`. See https://github.com/Pylons/pyramid/pull/2399 +- The :attr:`pyramid.tweens.EXCVIEW` tween will now re-raise the original + exception if no exception view could be found to handle it. This allows + the exception to be handled upstream by another tween or middelware. + See https://github.com/Pylons/pyramid/pull/2567 + Deprecations ------------ |
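Review bot: In the 1.7a2 "Features" entry of HISTORY.txt, the sentence "The ``pyramid.require_default_csrf`` setting is no longer supported" does not say what happens to an application that still carries that setting. If it is ignored silently, an application that turned it on during the alphas loses its global CSRF checks on upgrade with no error, so the entry should state the behaviour and name the ``require_csrf`` default of ``config.set_default_csrf_options`` as the replacement. Two smaller fixes in the same hunk: "scafffold" in the 1.7b1 entry should read "scaffold", and `require_csrf` in the first 1.7a2 entry uses single backticks where the rest of the file uses double.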
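Review bot: The method name in the docs/whatsnew-1.7.rst hunk at @@ -60,6 +57,17 @@ does not match HISTORY.txt: the new entry references :meth:`pyramid.config.Configurator.set_csrf_default_options`, while the 1.7a2 changelog entry in this same commit calls the directive ``config.set_default_csrf_options``. One of the two spellings is wrong, and a wrong :meth: target will not resolve in the Sphinx build, so readers looking for the way to enable CSRF checks globally get a dead reference. Please make both files use the same name.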
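Review bot: The ``set_default_permission`` item added under "Feature Additions" in docs/whatsnew-1.7.rst (hunk at @@ -96,6 +104,11 @@) is a verbatim duplicate of the one this commit adds under "Backwards Incompatibilities" at @@ -32,6 +32,11 @@. It describes a permission check that stops being applied to exception views, which is a behaviour change rather than a feature, so I would keep only the "Backwards Incompatibilities" copy. It would also help to mention there, as HISTORY.txt does, that the ``permission`` argument to ``config.add_view`` is how the check is restored.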
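Review bot: Typo in the docs/whatsnew-1.7.rst hunk at @@ -111,6 +124,11 @@: "middelware" should be "middleware" in the new :attr:`pyramid.tweens.EXCVIEW` entry. The entry also omits what HISTORY.txt records for 1.7b4, that the exception was previously converted into a ``PredicateMismatch``. Adding that half sentence tells anyone with an upstream tween or middleware that catches ``PredicateMismatch`` that it will now see the original exception type instead.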
