| Age | Commit message (Collapse) | Author |
|---|
|
setuptools 0.6c9.
- Turn ``view_execution_permitted`` from the :mod:`repoze.bfg.view`
module into a documented API.
- Doc cleanups.
|
|
|
|
- Rather than prepare the "stock" implementations of the ZCML
directives from the ``zope.configuration`` package for use under
:mod:`repoze.bfg`, :mod:`repoze.bfg` now makes available the
implementations of directives from the ``repoze.zcml`` package
(see http://static.repoze.org/zcmldocs). As a result, the
:mod:`repoze.bfg` package now depends on the ``repoze.zcml``
package, and no longer depends directly on the ``zope.component``,
``zope.configuration``, ``zope.interface``, or ``zope.proxy``
packages.
The primary reason for this change is to enable us to eventually
reduce the number of inappropriate :mod:`repoze.bfg` Zope package
dependencies, as well as to shed features of dependent package
directives that don't make sense for :mod:`repoze.bfg`.
Note that currently the set of requirements necessary to use bfg
has not changed. This is due to inappropriate Zope package
requirements in ``chameleon.zpt``, which will hopefully be
remedied soon.
- BFG applications written prior to this release which expect the
"stock" ``zope.component`` ZCML directive implementations
(e.g. ``adapter``, ``subscriber``, or ``utility``) to function now
must either 1) include the ``meta.zcml`` file from
``zope.component`` manually (e.g. ``<include
package="zope.component" file="meta.zcml">``) and include the
``zope.security`` package as an ``install_requires`` dependency or
2) change the ZCML in their applications to use the declarations
from `repoze.zcml <http://static.repoze.org/zcmldocs/>`_ instead
of the stock declarations. ``repoze.zcml`` only makes available
the ``adapter``, ``subscriber`` and ``utility`` directives.
- The ``http://namespaces.repoze.org/bfg`` XML namespace is now the
default XML namespace in ZCML for paster-generated applications.
- The copies of BFG's ``meta.zcml`` and ``configure.zcml`` were
removed from the root of the ``repoze.bfg`` package. In 0.3.6, a
new package named ``repoze.bfg.includes`` was added, which
contains the "correct" copies of these ZCML files; the ones that
were removed were for backwards compatibility purposes.
Other
- The minimum requirement for ``chameleon.core`` is now 1.0b13. The
minimum requirement for ``chameleon.zpt`` is now 1.0b7. The
minimum requirement for ``chameleon.genshi`` is now 1.0b2.
|
|
|
|
|
|
quoting function instead of Python's ``urllib.quote``, by caching
URL path segment quoting and encoding results, and by disusing
Python's ``urlparse.urljoin`` in favor of a simple string
concatenation.
|
|
|
|
default traverser) always passed each URL path segment to any
``__getitem__`` method of a model object as a byte string (a
``str`` object). Now, by default the ModelGraphTraverser attempts
to decode the path segment to Unicode (a ``unicode`` object) using
the UTF-8 encoding before passing it to the ``__getitem__`` method
of a model object. This makes it possible for model objects to be
dumber in ``__getitem__`` when trying to resolve a subobject, as
model objects themselves no longer need to try to divine whether
or not to try to decode the path segment passed by the
traverser.
Note that since 0.5.4, URLs generated by repoze.bfg's
``model_url`` API will contain UTF-8 encoded path segments as
necessary, so any URL generated by BFG itself will be decodeable
by the traverser. If another application generates URLs to a BFG
application, to be resolved successully, it should generate the
URL with UTF-8 encoded path segments to be successfully resolved.
The decoder is not at all magical: if a non-UTF-8-decodeable path
segment (e.g. one encoded using UTF-16 or some other insanity) is
passed in the URL, BFG will raise a ``TypeError`` with a message
indicating it could not decode the path segment.
To turn on the older behavior, where path segments were not
decoded to Unicode before being passed to model object
``__getitem__`` by the traverser, and were passed as a raw byte
string, set the ``unicode_path_segments`` configuration setting to
a false value in your BFG application's section of the paste .ini
file, for example::
unicode_path_segments = False
Or start the application using the ``BFG_UNICODE_PATH_SEGMENT``
envvar set to a false value::
BFG_UNICODE_PATH_SEGMENTS=0
|
|
|
|
- URL-quote "extra" element names passed in as ``**elements`` to the
``traversal.model_url`` API. If any of these names is a Unicode
string, encode it to UTF-8 before URL-quoting. This is a slight
backwards incompatibility that will impact you if you were already
UTF-8 encoding or URL-quoting the values you passed in as
``elements`` to this API.
Bugfixes
- UTF-8 encode each segment in the model path used to generate a URL
before url-quoting it within the ``traversal.model_url`` API.
This is a bugfix, as Unicode cannot always be successfully
URL-quoted.
|
|
|
|
|
|
|
|
``testing.registerDummyRenderer`` is used, it now registers a
dummy implementation using ``ITemplateRenderer`` interface, which
is checked for when the built-in templating facilities do
rendering. This change also allows developers to make explcit
named utility registrations in the ZCML registry against
``ITemplateRenderer``; these will be found before any on-disk
template.
|
|
|
|
scheme (see zope.component.adaptedBy); the change-log entry has detailed information.
|
|
within traversal machinery.
|
|
|
|
|
|
``testing.DummyModel``.
|
|
``__parent__`` of an object that claims it implements ILocation
during traversal even if the ``__name__`` or ``__parent__`` of the
object traversed does not match the name used in the traversal
step or the or the traversal parent . Rationale: it was insane to
do so. This bug was only found due to a misconfiguration in an
application that mistakenly had intermediate persistent
non-ILocation objects; traversal was causing a persistent write on
every request under this setup.
- ``repoze.bfg.location.locate`` now unconditionally sets
``__name__`` and ``__parent__`` on objects which provide ILocation
(it previously only set them conditionally if they didn't match
attributes already present on the object via equality).
Prep for 0.5.0.
|
|
where the template does not need to be wrapped in any containing
XML).
Prep for 0.4.9.
|
|
|
|
|
|
|
|
subscriber function in the events narrative documentation.
|
|
against a class rather than an interface.
|
|
``repoze.bfg.convention`` in context.
|
|
Retain old test as an integration test. Update documentation.
|
|
all generated URLs unless further elements are passed in as the
third and following arguments. Rationale: views often use
``model_url`` without the third-and-following arguments in order
to generate a URL for a model in order to point at the default
view of a model. The URL that points to the default view of the
*root* model is technically ``http://mysite/`` as opposed to
``http://mysite`` (browsers happen to ask for '/' implicitly in
the GET request). Because URLs are never automatically generated
for anything *except* models by ``model_url``, and because the
root model is not really special, we continue this pattern. The
impact of this change is minimal (at most you will have too many
slashes in your URL, which BFG deals with gracefully anyway).
Prep for 0.4.8.
|
|
style "object events" (subscribers accept more than a single event
argument). We extend the list with the arguments, rather than
append.
Prep for 0.4.7.
|
|
wrong value for the root object (e.g. ``model_path`` returned
``''`` for the root object, while it should have been returning
``'/'``).
Prep for 0.4.6.
|
|
- Added a ``clone`` method and a ``__contains__`` method to the
DummyModel testing object.
- Allow DummyModel objects to receive extra keyword arguments, which
will be attached as attributes.
- The DummyTemplateRenderer now returns ``self`` as its implementation.
|
|
|
|
|
|
- Added a ``repoze.bfg.testing`` module to attempt to make it
slightly easier to write unittest-based automated tests of BFG
applications. Information about this class is in the
documentation.
- The default template renderer now supports testing better by
looking for ``ITestingTemplateRenderer`` using a relative
pathname. This is exposed indirectly through the API named
``registerTemplate`` in ``repoze.bfg.testing``.
Deprecations
- The names ``repoze.bfg.interfaces.ITemplate`` ,
``repoze.bfg.interfaces.ITemplateFactory`` and
``repoze.bfg.interfaces.INodeTemplate`` have been deprecated.
These should now be imported as
``repoze.bfg.interfaces.ITemplateRenderer`` and
``repoze.bfg.interfaces.ITemplateRendererFactory``, and
``INodeTemplateRenderer`` respectively.
- The name ``repoze.bfg.chameleon_zpt.ZPTTemplateFactory`` is
deprecated. Use ``repoze.bfg.chameleon_zpt.ZPTTemplateRenderer``.
- The name ``repoze.bfg.chameleon_genshi.GenshiTemplateFactory`` is
deprecated. Use
``repoze.bfg.chameleon_genshi.GenshiTemplateRenderer``.
- The name ``repoze.bfg.xslt.XSLTemplateFactory`` is deprecated.
Use ``repoze.bfg.xslt.XSLTemplateRenderer``.
|
|
|
|
TypeError (use ``ACLDenied`` instead of ``Denied``).
|
|
|
|
make_app could cause attribute errors when attempting to look up
settings against the ISettings object (internal). Fixed by giving
the Settings objects defaults for ``debug_authorization`` and
``debug_notfound``.
|
|
|
|
- The ``BFG_DEBUG_AUTHORIZATION`` envvar and the
``debug_authorization`` config file value now only imply debugging
of view-invoked security checks. Previously, information was
printed for every call to ``has_permission`` as well, which made
output confusing. To debug ``has_permission`` checks and other
manual permission checks, use the debugger and print statements in
your own code.
- Authorization debugging info is now only present in the HTTP
response body oif ``debug_authorization`` is true.
- The format of authorization debug messages was improved.
- A new ``BFG_DEBUG_NOTFOUND`` envvar was added and a symmetric
``debug_notfound`` config file value was added. When either is
true, and a NotFound response is returned by the BFG router
(because a view could not be found), debugging information is
printed to stderr. When this value is set true, the body of
HTTPNotFound responses will also contain the same debugging
information.
- ``Allowed`` and ``Denied`` responses from the security machinery
are now specialized into two types: ACL types, and non-ACL types.
The ACL-related responses are instances of
``repoze.bfg.security.ACLAllowed`` and
``repoze.bfg.security.ACLDenied``. The non-ACL-related responses
are ``repoze.bfg.security.Allowed`` and
``repoze.bfg.security.Denied``. The allowed-type responses
continue to evaluate equal to things that themselves evaluate
equal to the ``True`` boolean, while the denied-type responses
continue to evaluate equal to things that themselves evaluate
equal to the ``False`` boolean. The only difference between the
two types is the information attached to them for debugging
purposes.
- Added a new ``BFG_DEBUG_ALL`` envvar and a symmetric ``debug_all``
config file value. When either is true, all other debug-related
flags are set true unconditionally (e.g. ``debug_notfound`` and
``debug_authorization``).
Documentation
- Added info about debug flag changes.
- Added a section to the security chapter named "Debugging
Imperative Authorization Failures" (for e.g. ``has_permssion``).
|
|
this logger is registered unconditionally and is used by the
authorization debug machinery. Applications may also make use of
it as necessary rather than inventing their own logger, for
convenience.
|
|
|
|
server rather than ``PasteScript#cherrpy`` server. The cherrypy
server has a security risk in it when ``REMOTE_USER`` is trusted
by the downstream application.
|
|
view was found and called, but it returned something that did not
implement IResponse, the error would pass by unflagged. This was
noticed when I created a view function that essentially returned
None, but received a NotFound error rather than a ValueError when
the view was rendered. This was fixed.
|
|
- An "Environment and Configuration" chapter was added to the narrative
portion of the documentation.
Features
- Ensure bfg doesn't generate warnings when running under Python
2.6.
- The environment variable ``BFG_RELOAD_TEMPLATES`` is now available
(serves the same purpose as ``reload_templates`` in the config file).
- A new configuration file option ``debug_authorization`` was added.
This turns on printing of security authorization debug statements
to ``sys.stderr``. The ``BFG_DEBUG_AUTHORIZATION`` environment
variable was also added; this performs the same duty.
Bug Fixes
- The environment variable ``BFG_SECURITY_DEBUG`` did not always work.
It has been renamed to ``BFG_DEBUG_AUTHORIZATION`` and fixed.
Deprecations
- A deprecation warning is now issued when old API names from the
``repoze.bfg.templates`` module are imported.
Backwards incompatibilities
- The ``BFG_SECURITY_DEBUG`` environment variable was renamed to
``BFG_DEBUG_AUTHORIZATION``.
|
|
|
|
``repoze.bfg.templates`` module are imported.
|
|
- A ``repoze.bfg.location`` API module was added.
Backwards incompatibilities
- Applications must now use the ``repoze.bfg.interfaces.ILocation``
interface rather than ``zope.location.interfaces.ILocation`` to
represent that a model object is "location-aware". We've removed
a dependency on ``zope.location`` for cleanliness purposes: as
new versions of zope libraries are released which have improved
dependency information, getting rid of our dependence on
``zope.location`` will prevent a newly installed repoze.bfg
application from requiring the ``zope.security``, egg, which not
truly used at all in a "stock" repoze.bfg setup. These
dependencies are still required by the stack at this time; this
is purely a futureproofing move.
The security and model documentation for previous versions of
``repoze.bfg`` recommended using the
``zope.location.interfaces.ILocation`` interface to represent
that a model object is "location-aware". This documentation has
been changed to reflect that this interface should now be
imported from ``repoze.bfg.interfaces.ILocation`` instead.
|
