| Age | Commit message | Author | |
|---|---|---|---|
| 2019-10-17 | support Origin: null in csrf_trusted_origins and check_origin=False | Michael Merickel | |
| 2019-10-17 | Merge pull request #3521 from mmerickel/remove-check-csrf-predicate | Michael Merickel | |
| remove check_csrf view predicate | |||
| 2019-10-17 | move the interface docs to api/interfaces | Michael Merickel | |
| 2019-10-17 | remove check_csrf view predicate | Michael Merickel | |
| 2019-09-30 | Merge pull request #3465 from luhn/security-policy | Michael Merickel | |
| Security policy implementation | |||
| 2019-09-23 | Doc fixes from @Deimos | Theron Luhn | |
| 2019-09-19 | Document CSRF allow_no_origin option. | Theron Luhn | |
| 2019-08-26 | Doc fix via @mmerickel | Theron Luhn | |
| Co-Authored-By: Michael Merickel <github@m.merickel.org> | |||
| 2019-07-27 | Fix typos | Min ho Kim | |
| 2019-07-13 | Improve security docs. | Theron Luhn | |
| 2019-06-08 | First draft of upgrade docs. | Theron Luhn | |
| 2019-05-26 | First draft of narrative docs. | Theron Luhn | |
| 2019-05-12 | Narrative docs WIP | Theron Luhn | |
| 2018-10-14 | Update documentation for implementing custom authz policy | Bert JW Regeer | |
| 2018-08-18 | Clean up code-blocks in security | Steve Piercy | |
| 2017-10-18 | csrf documentation change | Ben Fagin | |
| 2017-04-30 | standardize "non-standard" | Steve Piercy | |
| 2017-04-29 | final cleanup of csrf decoupling in #2854 | Michael Merickel | |
| - Renamed `SessionCSRFStoragePolicy` to `LegacySessionCSRFStoragePolicy` for the version that uses the legacy `ISession.get_csrf_token` and `ISession.new_csrf_token` apis and set that as the default. - Added new `SessionCSRFStoragePolicy` that stores data in the session similar to how the `SessionAuthenticationPolicy` works. - `CookieCSRFStoragePolicy` did not properly return the newly generated token from `get_csrf_token` after calling `new_csrf_token`. It needed to cache the new value since the response callback does not affect the current request. - `CookieCSRFStoragePolicy` was not forwarding the `domain` value to the `CookieProfile` causing that setting to be ignored. - Removed `check_csrf_token` from the `ICSRFStoragePolicy` interface to simplify implementations of storage policies. - Added an introspectable item for the configured storage policy so that it appears on the debugtoolbar. - Added a change note on `ISession` that it no longer required the csrf methods. - Leave deprecated shims in ``pyramid.session`` for ``check_csrf_origin`` and ``check_csrf_token``. | |||
| 2017-04-26 | Apply drafting changes to documentation. | Matthew Wilkes | |
| 2017-04-12 | Use the webob CookieProfile in the Cookie implementation, rename some implementations based on feedback, split CSRF implementation and option configuration and make the csrf token function exposed as a system default rather than a renderer event. | Matthew Wilkes | |
| 2017-04-12 | Rename implementation to ICSRFStoragePolicy | Matthew Wilkes | |
| 2017-04-12 | Fix tests and documentation in various places, and feedback following review regarding naming of variables and code cleanup. | Jure Cerjak | |
| 2017-04-12 | Create a new ICSRF implementation for getting CSRF tokens, split out from the session machinery. Adds configuration of this to the csrf_options configurator commands. Make the default implementation a fallback to the old one. Documentation patches for new best practices given the updated CSRF implementation. | Matthew Wilkes | |
| 2016-06-09 | grammar, spelling, wrapping fix | Steve Piercy | |
| 2016-06-08 | Adding a warning discouraging use of __acl__ properties attributes | Julien MIOTTE | |
| 2015-10-31 | minor grammar, rewrap to 79 columns | Steve Piercy | |
| 2015-02-17 | enhance security docs with an example of subclassing a builtin policy | Michael Merickel | |
| 2015-02-17 | grammar | Michael Merickel | |
| 2014-08-13 | some tweaks to the usage of userid in the docs | Michael Merickel | |
| 2014-08-12 | Docs: Switched first 2 paragraphs of security overview. | Karl O. Pinc | |
| 2014-08-12 | Docs: Add resource tree into security overview. | Karl O. Pinc | |
| 2014-08-12 | Docs: Include the concept of credentials in the high level security overview. | Karl O. Pinc | |
| 2014-08-12 | Docs: Make "userid" link to the glossary term. | Karl O. Pinc | |
| 2014-08-12 | Security: Change "principal" argument in security.remember() to "userid". | Karl O. Pinc | |
| Make the change throughout the authentication policies, etc. as well. | |||
| 2014-08-12 | Docs: Make clear that a userid need not be a principal. | Karl O. Pinc | |
| 2014-02-10 | - Garden PR #1121 | Steve Piercy | |
| 2013-10-27 | Security APIs on pyramid.request.Request | Matt Russell | |
| The pyramid.security Authorization API function has_permission is made available on the request. The pyramid.security Authentication API functions are now available as properties (unauthenticated_userid, authenticated_userid, effective_principals) and methods (remember_userid, forget_userid) on pyramid.request.Request. Backwards compatibility: For each of the APIs moved to request method or property, the original API in the pyramid.security module proxies to the request. Reworked tests to check module level b/c wrappers call through to mixins for each API. Tests that check no reg on request now do the right thing. Use a response callback to set the request headers for forget_userid and remember_userid. Update docs. Attempt to improve a documentation section referencing the pyramid.security.has_permission function in docs/narr/resources.rst Ensures backwards compatibility for `pyramid.security.forget` and `pyramid.security.remember`. | |||
| 2013-10-19 | mon | Chris McDonough | |
| 2013-10-19 | add admonishment against secret sharing | Chris McDonough | |
| 2013-04-05 | fix some cross-references | Tshepang Lekhonkhobe | |
| 2013-03-22 | remove unused ignore-next-block directive | Tshepang Lekhonkhobe | |
| 2013-03-18 | reorder some imports to be alphabetical | Michael Merickel | |
| 2013-03-18 | support acl as a callable | Michael Merickel | |
| 2013-03-13 | consistency: use $VENV whenever virtualenv binaries are used | Tshepang Lekhonkhobe | |
| 2013-03-10 | Merge pull request #903 from tshepang/patch-4 | Tres Seaver | |
| capitalize | |||
| 2013-03-10 | Merge pull request #902 from tshepang/patch-3 | Tres Seaver | |
| change awkward sentence | |||
| 2013-03-10 | capitalize | Tshepang Lekhonkhobe | |
| 2013-03-10 | change awkward sentence | Tshepang Lekhonkhobe | |
| 2013-03-09 | grammar | Tshepang Lekhonkhobe | |
| 2012-11-04 | merged SHA512AuthTktAuthenticationPolicy into AuthTktAuthenticationPolicy | Michael Merickel | |
| AuthTktAuthenticationPolicy now accepts a hashalg parameter and is no longer deprecated. Docs recommend overriding hashalg and using 'sha512'. | |||
