| Age | Commit message (Collapse) | Author |
|---|
|
on the "current" route (if any) and its matchdict values.
|
|
This class can be used by third-party authentication policy developers to
help in the mechanics of authentication cookie-setting.
|
|
``unauthenticated_userid`` method. This method supports an important
optimization required by people who are using persistent storages which do
not support object caching and whom want to create a "user object" as a
request attribute.
- A new API has been added to the ``pyramid.security`` module named
``unauthenticated_userid``. This API function calls the
``unauthenticated_userid`` method of the effective security policy.
- An ``unauthenticated_userid`` method has been added to the dummy
authentication policy returned by
``pyramid.config.Configurator.testing_securitypolicy``. It returns the
same thing as that the dummy authentication policy's
``authenticated_userid`` method.
- Since the ``pyramid.interfaces.IAuthenticationPolicy`` interface now
specifies that a policy implementation must implement an
``unauthenticated_userid`` method, all third-party custom authentication
policies now must implement this method. It, however, will only be called
when the global function named ``pyramid.security.unauthenticated_userid``
is invoked, so if you're not invoking that, you will not notice any issues.
- The (non-API) method of all internal authentication policy implementations
previously named ``_get_userid`` is now named ``unauthenticated_userid``,
promoted to an API method. If you were overriding this method, you'll now
need to override it as ``unauthenticated_userid`` instead.
|
|
|
|
|
|
"Preventing Cross-Site Request Forgery Attacks".
|
|
|
|
documentation chapter.
|
|
|
|
|
|
|
|
|
|
|
|
chapter (has ``implementation()`` method, required to be used when getting
at Chameleon macros).
|
|
URLs. Calling ``route_path`` is the same as calling
``pyramid.url.route_url`` with the argument ``_app_url`` equal to the empty
string.
- Add a ``pyramid.request.Request.route_path`` API. This is a convenience
method of the request which calls ``pyramid.url.route_url``.
|
|
|
|
``route_url``. These are simple passthroughs for their respective
functions in ``pyramid.url``.
- Documented the ``matchdict`` and ``matched_route`` attributes of the
request object in the Request API documentation.
|
|
|
|
to :app:`Pyramid`. A custom role setting was added to ``docs/conf.py`` to
allow for this. (internal)
|
|
|
|
|
|
|
|
that it is imported from pyramid. API docs can mention its inheritance from
webob (aka "Provide a webob.Response class facade for forward compat").
|
|
is sent as an event before a renderer is invoked (but after the
application-level renderer globals factory added via
``pyramid.configurator.configuration.set_renderer_globals_factory``, if any,
has injected its own keys). Applications may now subscribe to the
``IBeforeRender`` event type in order to introspect the and modify the set of
renderer globals before they are passed to a renderer. The event object
iself has a dictionary-like interface that can be used for this purpose. For
example::
from repoze.events import subscriber
from pyramid.interfaces import IRendererGlobalsEvent
@subscriber(IRendererGlobalsEvent)
def add_global(event):
event['mykey'] = 'foo'
If a subscriber attempts to add a key that already exist in the renderer
globals dictionary, a ``KeyError`` is raised. This limitation is due to the
fact that subscribers cannot be ordered relative to each other. The set of
keys added to the renderer globals dictionary by all subscribers and
app-level globals factories must be unique.
|
|
|
|
``signed_deserialize``.
|
|
|
|
|
|
|
|
that uses cookies
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
--------
- Compatibility with WebOb 1.0.
Requirements
------------
- Now requires WebOb >= 1.0.
Backwards Incompatibilities
---------------------------
- Due to changes introduced WebOb 1.0, the
``repoze.bfg.request.make_request_ascii`` event subscriber no longer
works, so it has been removed. This subscriber was meant to be used
in a deployment so that code written before BFG 0.7.0 could run
unchanged. At this point, such code will need to be rewritten to
expect Unicode from ``request.GET``, ``request.POST`` and
``request.params`` or it will need to be changed to use
``request.str_POST``, ``request.str_GET`` and/or
``request.str_params`` instead of the non-``str`` versions of same,
as the non-``str`` versions of the same APIs always now perform
decoding to Unicode.
|
|
``pregenerator`` argument. The pregenerator for the resulting route
is called by ``route_url`` in order to adjust the set of arguments
passed to it by the user for special purposes, such as Pylons
'subdomain' support. It will influence the URL returned by
``route_url``. See the ``repoze.bfg.interfaces.IRoutePregenerator``
interface for more information.
|
|
--------
- A ``request.matched_route`` attribute is now added to the request
when a route has matched. Its value is the "route" object that
matched (see the ``IRoute`` interface within
``repoze.bfg.interfaces`` API documentation for the API of a route
object).
- The ``exception`` attribute of the request is now set slightly
earlier and in a slightly different set of scenarios, for benefit of
"finished callbacks" and "response callbacks". In previous
versions, the ``exception`` attribute of the request was not set at
all if an exception view was not found. In this version, the
``request.exception`` attribute is set immediately when an exception
is caught by the router, even if an exception view could not be
found.
Backwards Incompatibilities
---------------------------
- The router no longer sets the value ``wsgiorg.routing_args`` into
the environ when a route matches. The value used to be something
like ``((), matchdict)``. This functionality was only ever
obliquely referred to in change logs; it was never documented as an
API.
- The ``exception`` attribute of the request now defaults to ``None``.
In prior versions, the ``request.exception`` attribute did not exist
if an exception was not raised by user code during request
processing; it only began existence once an exception view was
found.
Deprecations
------------
- References to the WSGI environment values ``bfg.routes.matchdict``
and ``bfg.routes.route`` were removed from documentation. These
will stick around internally for several more releases, but it is
``request.matchdict`` and ``request.matched_route`` are now the
"official" way to obtain the matchdict and the route object which
resulted in the match.
Documentation
-------------
- Added two sections to the "Hooks" chapter of the documentation:
"Using Response Callbacks" and "Using Finished Callbacks".
- Added documentation of the ``request.exception`` attribute to the
``repoze.bfg.request.Request`` API documentation.
- Added glossary entries for "response callback" and "finished
callback".
- The "Request Processing" narrative chapter has been updated to note
finished and response callback steps.
|
|
|
|
end of request processing:
``repoze.bfg.interfaces.IFinishedRequest``. This event is meant to
be used when it is necessary to perform unconditional cleanup after
request processing. See the ``repoze.bfg.events.FinishedRequest``
class documentation for more information.
- The ``repoze.bfg.interfaces.IWSGIApplicationCreatedEvent`` event
interface was renamed to
``repoze.bfg.interfaces.IApplicationCreated``. Likewise, the
``repoze.bfg.events.WSGIApplicationCreatedEvent`` class was renamed
to ``repoze.bfg.events.ApplicationCreated``. The older aliases will
continue to work indefinitely.
- The ``repoze.bfg.interfaces.IAfterTraversal`` event interface was
renamed to ``repoze.bfg.interfaces.IContextFound``. Likewise, the
``repoze.bfg.events.AfterTraveral`` class was renamed to
``repoze.bfg.events.ContextFound``. The older aliases will continue
to work indefinitely.
|
|
--------
- In support of making it easier to configure applications which are
"secure by default", a default permission feature was added. If
supplied, the default permission is used as the permission string to
all view registrations which don't otherwise name a permission.
These APIs are in support of that:
- A new constructor argument was added to the Configurator:
``default_permission``.
- A new method was added to the Configurator:
``set_default_permission``.
- A new ZCML directive was added: ``default_permission``.
Documentation
-------------
- Added documentation for the ``default_permission`` ZCML directive.
- Added documentation for the ``default_permission`` constructor value
and the ``set_default_permission`` method in the Configurator API
documentation.
- Added a new section to the "security" chapter named "Setting a
Default Permission".
- Document ``renderer_globals_factory`` and ``request_factory``
arguments to Configurator constructor.
|
|
|
|
via ``repoze.sphinx.autointerface``.
- The URL Dispatch narrative chapter now refers to the ``interfaces``
chapter to explain the API of an ``IRoute`` object.
- ``tests_require`` now includes ``repoze.sphinx.autointerface`` as a
dependency.
|
|
-------------
- Add an API chapter for the ``repoze.bfg.request`` module, which
includes documentation for the ``repoze.bfg.request.Request`` class
(the "request object").
- Modify the "Request and Response" narrative chapter to reference the
new ``repoze.bfg.request`` API chapter. Some content was moved from
this chapter into the API documentation itself.
Features
--------
- A new ``repoze.bfg.request.Request.add_response_callback`` API has
been added. This method is documented in the new
``repoze.bfg.request`` API chapter. It can be used to influence
response values before a concrete response object has been created.
Internal
--------
- The (internal) feature which made it possible to attach a
``global_response_headers`` attribute to the request (which was
assumed to contain a sequence of header key/value pairs which would
later be added to the response by the router), has been removed.
The functionality of
``repoze.bfg.request.Request.add_response_callback`` takes its
place.
|
|
:meth"`repoze.bfg.configuration.Configurator.absolute_resource_spec`
method resolves a potentially relative :term:`resource
specification` string into an absolute version.
|
|
a ``package`` constructor argument. The ``package`` argument was
previously required to be a package *object* (not a dotted name
string).
- The ``repoze.bfg.configuration.Configurator.with_package`` method
was added. This method returns a new Configurator using the same
application registry as the configurator object it is called
upon. The new configurator is created afresh with its ``package``
constructor argument set to the value passed to ``with_package``.
This feature will make it easier for future BFG versions to allow
dotted names as arguments in places where currently only object
references are allowed (the work to allow dotted names isntead of
object references everywhere has not yet been done, however).
- The ``repoze.bfg.configuration.Configurator.maybe_dotted`` method
resolves a Python dotted name string supplied as its ``dotted``
argument to a global Python object. If the value cannot be
resolved, a ``repoze.bfg.configuration.ConfigurationError`` is
raised. If the value supplied as ``dotted`` is not a string, the
value is returned unconditionally without any resolution attempted.
|
|
This interface is provided by all internal exception classes (such
as ``repoze.bfg.exceptions.NotFound`` and
``repoze.bfg.exceptions.Forbidden``), instances of which are both
exception objects and can behave as WSGI response objects. This
interface is made public so that exception classes which are also
valid WSGI response factories can be configured to implement them
or exception instances which are also or response instances can be
configured to provide them.
- New API class: ``repoze.bfg.view.AppendSlashNotFoundViewFactory`` (undoes
previous custom_notfound_view on request passsed to
append_slash_notfound_view).
- Previously, two default view functions were registered at
Configurator setup (one for ``repoze.bfg.exceptions.NotFound`` named
``default_notfound_view`` and one for
``repoze.bfg.exceptions.Forbidden`` named
``default_forbidden_view``) to render internal exception responses.
Those default view functions have been removed, replaced with a
generic default view function which is registered at Configurator
setup for the ``repoze.bfg.interfaces.IExceptionResponse`` interface
that simply returns the exception instance; the ``NotFound` and
``Forbidden`` classes are now still exception factories but they are
also response factories which generate instances that implement the
new ``repoze.bfg.interfaces.IExceptionResponse`` interface.
|
|
decorator decorates module-scope functions, which are then treated
as event listeners after a scan() is performed. See the Events
narrative documentation chapter and the ``repoze.bfg.events`` module
documentation for more information.
|
