1 files changed, 59 insertions, 1 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index df4ada7e9..0ef1a0593 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,9 +1,45 @@
 Next release
 ============
 
+Features
+--------
+
+- Added an ``effective_principals`` route and view predicate.
+
+- Do not allow the userid returned from the ``authenticated_userid`` or the
+  userid that is one of the list of principals returned by
+  ``effective_principals`` to be either of the strings ``system.Everyone`` or
+  ``system.Authenticated`` when any of the built-in authorization policies that
+  live in ``pyramid.authentication`` are in use.  These two strings are
+  reserved for internal usage by Pyramid and they will not be accepted as valid
+  userids.
+
+- Slightly better debug logging from RepozeWho1AuthenticationPolicy.
+
+- ``pyramid.security.view_execution_permitted`` used to return `True` if no
+  view could be found. It now raises a ``TypeError`` exception in that case, as
+  it doesn't make sense to assert that a nonexistent view is
+  execution-permitted. See https://github.com/Pylons/pyramid/issues/299.
+
+Bug Fixes
+---------
+
+- In the past if a renderer returned ``None``, the body of the resulting
+  response would be set explicitly to the empty string.  Instead, now, the body
+  is left unchanged, which allows the renderer to set a body itself by using
+  e.g. ``request.response.body = b'foo'``.  The body set by the renderer will
+  be unmolested on the way out.  See
+  https://github.com/Pylons/pyramid/issues/709
+
+1.4a3 (2012-10-26)
+==================
+
 Bug Fixes
 ---------
 
+- The match_param predicate's text method was fixed to sort its values.
+  Part of https://github.com/Pylons/pyramid/pull/705
+
 - 1.4a ``pyramid.scripting.prepare`` behaved differently than 1.3 series
   function of same name.  In particular, if passed a request, it would not
   set the ``registry`` attribute of the request like 1.3 did.  A symptom
@@ -17,13 +53,23 @@ Bug Fixes
 - When registering a view configuration that named a Chameleon ZPT renderer
   with a macro name in it (e.g. ``renderer='some/template#somemacro.pt``) as
   well as a view configuration without a macro name it it that pointed to the
-  same template (e.g. ``renderer='some/template.pt'), internal caching could
+  same template (e.g. ``renderer='some/template.pt'``), internal caching could
   confuse the two, and your code might have rendered one instead of the
   other.
 
 Features
 --------
 
+- Allow multiple values to be specified to the ``request_param`` view/route
+  predicate as a sequence.  Previously only a single string value was allowed.
+  See https://github.com/Pylons/pyramid/pull/705
+
+- Comments with references to documentation sections placed in scaffold
+  ``.ini`` files.
+
+- Added an HTTP Basic authentication policy
+  at ``pyramid.authentication.BasicAuthAuthenticationPolicy``.
+
 - The Configurator ``testing_securitypolicy`` method now returns the policy
   object it creates.
 
@@ -40,6 +86,18 @@ Features
   ``remembered`` value on the policy, which is the value of the ``principal``
   argument it's called with when its ``remember`` method is called.
 
+- New ``physical_path`` view predicate.  If specified, this value should be a
+  string or a tuple representing the physical traversal path of the context
+  found via traversal for this predicate to match as true.  For example:
+  ``physical_path='/'`` or ``physical_path='/a/b/c'`` or ``physical_path=('',
+  'a', 'b', 'c')``.  This is not a path prefix match or a regex, it's a
+  whole-path match.  It's useful when you want to always potentially show a
+  view when some object is traversed to, but you can't be sure about what kind
+  of object it will be, so you can't use the ``context`` predicate.  The
+  individual path elements inbetween slash characters or in tuple elements
+  should be the Unicode representation of the name of the resource and should
+  not be encoded in any way.
+
 1.4a2 (2012-09-27)
 ==================