| Age | Commit message (Collapse) | Author |
|---|
|
--------
- It is now possible to register a custom
``repoze.bfg.interfaces.INotFoundView`` for a given application.
This feature replaces the
``repoze.bfg.interfaces.INotFoundAppFactory`` feature previously
described in the Hooks chapter. The INotFoundView will be called
when the framework detects that a view lookup done as a result of a
reqest fails; it should accept a context object and a request
object; it should return an IResponse object (a webob response,
basically). See the Hooks narrative chapter of the BFG docs for
more info.
Deprecations
------------
- The ``repoze.bfg.interfaces.IUnauthorizedAppFactory`` interface has
been deprecated in favor of using the new
``repoze.bfg.interfaces.IForbiddenResponseFactory`` mechanism.
|
|
``repoze.bfg.interfaces.IForbiddenView``.
|
|
|
|
I'll do this work on the authchanges branch first.
|
|
``forbidden``) works properly.
|
|
|
|
|
|
--------
- It is now possible to write a custom security policy that returns a
customized ``Forbidden`` WSGI application when BFG cannot authorize
an invocation of a view. To this end, ISecurityPolicy objects must
now have a ``forbidden`` method. This method should return a WSGI
application. The returned WSGI application should generate a
response which is appropriate when access to a view resource was
forbidden by the security policy (e.g. perhaps a login page).
``repoze.bfg`` is willing to operate with a custom security policy
that does not have a ``forbidden`` method, but it will issue a
warning; eventually security policies without a ``forbidden`` method
will cease to work under ``repoze.bfg``.
Note that the ``forbidden`` WSGI application returned by the
security policy is not used if a developer has registered an
IForbiddenAppFactory (see the "Hooks" narrative chapter); the
explicitly registered IForbiddenAppFactory will be preferred over
the (more general) security policy forbidden app factory.
- All default security policies now have a ``forbidden`` callable
attached to them. This particular callable returns a WSGI
application which generates a ``401 Unauthorized`` response for
backwards compatibility (had backwards compatibility not been an
issue, this callable would have returned a WSGI app that generated a
``403 Forbidden`` response).
Backwards Incompatibilities
---------------------------
- Custom NotFound and Forbidden (nee' Unauthorized) WSGI applications
(registered a a utility for INotFoundAppFactory and
IUnauthorizedAppFactory) could rely on an environment key named
``message`` describing the circumstance of the response. This key
has been renamed to ``repoze.bfg.message`` (as per the WSGI spec,
which requires environment extensions to contain dots).
Deprecations
------------
- The ``repoze.bfg.interfaces.IUnauthorizedAppFactory`` interface has
been renamed to ``repoze.bfg.interfaces.IForbiddenAppFactory``.
|
|
--------
- Added a ``traverse`` function to the ``repoze.bfg.traversal``
module. This function may be used to retrieve certain values
computed during path resolution. See the Traversal API chapter of
the documentation for more information about this function.
Deprecations
------------
- Internal: ``ITraverser`` callables should now return a dictionary
rather than a tuple. Up until 0.7.0, all ITraversers were assumed
to return a 3-tuple. In 0.7.1, ITraversers were assumed to return a
6-tuple. As (by evidence) it's likely we'll need to add further
information to the return value of an ITraverser callable, 0.8
assumes that an ITraverser return a dictionary with certain elements
in it. See the ``repoze.bfg.interfaces.ITraverser`` interface for
the list of keys that should be present in the dictionary.
``ITraversers`` which return tuples will still work, although a
deprecation warning will be issued.
Backwards Incompatibilities
---------------------------
- If your code used the ITraverser interface directly (not via an API
function such as ``find_model``) via an adapter lookup, you'll need
to change your code to expect a dictionary rather than a 3- or
6-tuple if your code ever gets return values from the default
ModelGraphTraverser or RoutesModelTraverser adapters.
|
|
and cleanUp functions in repoze.bfg.testing. Our dependencies still rely on zope.testing, however.
|
|
built-in implementations that implement the interface
(``repoze.bfg.traversal.ModelGraphTraverser``, and
``repoze.bfg.urldispatch.RoutesModelTraverser``) now expect the
``__call__`` method of an ITraverser to return 3 additional
arguments: ``traversed``, ``virtual_root``, and
``virtual_root_path`` (the old contract was that the ``__call__``
method of an ITraverser returned; three arguments, the contract new
is that it returns six). ``traversed`` will be a sequence of
Unicode names that were traversed (including the virtual root path,
if any) or ``None`` if no traversal was performed, ``virtual_root``
will be a model object representing the virtual root (or the
physical root if traversal was not performed), and
``virtual_root_path`` will be a sequence representing the virtual
root path (a sequence of Unicode names) or ``None`` if traversal was
not performed.
Six arguments are now returned from BFG ITraversers. They are
returned in this order: ``context``, ``view_name``, ``subpath``,
``traversed``, ``virtual_root``, and ``virtual_root_path``.
Places in the BFG code which called an ITraverser continue to accept
a 3-argument return value, although BFG will generate and log a
warning when one is encountered.
- The request object now has the following attributes: ``traversed``
(the sequence of names traversed or ``None`` if traversal was not
performed), ``virtual_root`` (the model object representing the
virtual root, including the virtual root path if any), and
``virtual_root_path`` (the seuquence of names representing the
virtual root path or ``None`` if traversal was not performed).
- A new decorator named ``wsgiapp2`` was added to the
``repoze.bfg.wsgi`` module. This decorator performs the same
function as ``repoze.bfg.wsgi.wsgiapp`` except it fixes up the
``SCRIPT_NAME``, and ``PATH_INFO`` environment values before
invoking the WSGI subapplication.
- The ``repoze.bfg.testing.DummyRequest`` object now has default
attributes for ``traversed``, ``virtual_root``, and
``virtual_root_path``.
- The RoutesModelTraverser now behaves more like the Routes
"RoutesMiddleware" object when an element in the match dict is named
``path_info`` (usually when there's a pattern like
``http://foo/*path_info``). When this is the case, the
``PATH_INFO`` environment variable is set to the value in the match
dict, and the ``SCRIPT_NAME`` is appended to with the prefix of the
original ``PATH_INFO`` not including the value of the new variable.
- The notfound debug now shows the traversed path, the virtual root,
and the virtual root path too.
|
|
|
|
|
|
----------------
- The ``repoze.bfg.view.render_view_to_response`` API will no longer
raise a ValueError if an object returned by a view function it calls
does not possess certain attributes (``headerlist``, ``app_iter``,
``status``). This API used to attempt to perform a check using the
``is_response`` function in ``repoze.bfg.view``, and raised a
``ValueError`` if the ``is_response`` check failed. The
responsibility is now the caller's to ensure that the return value
from a view function is a "real" response.
- WSGI environ dicts passed to ``repoze.bfg`` 's Router must now
contain a REQUEST_METHOD key/value; if they do not, a KeyError will
be raised (speed).
Implementation Changes
----------------------
- Various speed micro-tweaks.
|
|
instead of using imported ZCA APIs, use the same APIs directly
against the registry that is an attribute of the Router. As a
result, the registry used by BFG is now a subclass of
``zope.component.registry.Components`` (defined as
``repoze.bfg.registry.Registry``); it has a ``notify`` method.
|
|
|
|
|
|
|
|
factory" (e.g. in the ``Router`` class) and ``webob.Response`` and
the "response factory" (e.g. in ``render_template_to_response``),
allow both to be overridden via a ZCML utility hook. See the "Using
ZCML Hooks" chapter of the documentation for more information.
|
|
attached to each request object on ingress. The HTTP-verb-related
interfaces are defined in ``repoze.bfg.interfaces`` and are
``IGETRequest``, ``IPOSTRequest``, ``IPUTRequest``,
``IDELETERequest`` and ``IHEADRequest``. These interfaces can be
specified as the ``request_type`` attribute of a bfg view
declaration. A view naming a specific HTTP-verb-matching interface
will be found only if the view is defined with a request_type that
matches the HTTP verb in the incoming request. The more general
``IRequest`` interface can be used as the request_type to catch all
requests (and this is indeed the default). All requests implement
``IRequest``. The HTTP-verb-matching idea was pioneered by
`repoze.bfg.restrequest
<http://pypi.python.org/pypi/repoze.bfg.restrequest/1.0.1>`_ . That
package is no longer required, but still functions fine.
|
|
of registries in order to make it possible to call one BFG
application from inside another.
|
|
Bug Fixes
---------
- Fix a bug where the Paste configuration's ``unicode_path_segments``
(and os.environ's ``BFG_UNICODE_PATH_SEGMENTS``) may have been
defaulting to false in some circumstances. It now always defaults
to true, matching the documentation and intent.
- The ``repoze.bfg.traversal.find_model`` API did not work properly
when passed a ``path`` argument which was unicode and contained
high-order bytes when the ``unicode_path_segments`` or
``BFG_UNICODE_PATH_SEGMENTS`` configuration variables were "true".
- A new module was added: ``repoze.bfg.settings``. This contains
deployment-settings-related code.
Behavior Changes
----------------
- The ``make_app`` callable within ``repoze.bfg.router`` now registers
the ``root_policy`` argument as a utility (unnamed, using the new
``repoze.bfg.interfaces.IRootFactory`` as a provides interface)
rather than passing it as the first argument to the
``repoze.bfg.router.Router`` class. As a result the
``repoze.bfg.router.Router`` router class only accepts a single
argument: ``registry``. The ``repoze.bfg.router.Router`` class
retrieves the root policy via a utility lookup now. The
``repoze.bfg.router.make_app`` API also now performs some important
application registrations that were previously handled inside
``repoze.bfg.registry.makeRegistry``.
- The ``repoze.bfg.settings.Settings`` class (an instance of which is
registered as a utility providing
``repoze.bfg.interfaces.ISettings`` when any application is started)
now automatically calls ``repoze.bfg.settings.get_options`` on the
options passed to its constructor. This means that usage of
``get_options`` within an application's ``make_app`` function is no
longer required (the "raw" ``options`` dict or None may be passed).
Deprecations
------------
- Moved the ``repoze.bfg.registry.Settings`` class. This has been
moved to ``repoze.bfg.settings.Settings``. A deprecation warning is
issued when it is imported from the older location.
- Moved the ``repoze.bfg.registry.get_options`` function This has been
moved to ``repoze.bfg.settings.get_options``. A deprecation warning
is issued when it is imported from the older location.
- The ``repoze.bfg.interfaces.IRootPolicy`` interface was renamed
within the interfaces package. It has been renamed to
``IRootFactory``. A deprecation warning is issued when it is
imported from the older location.
|
|
|
|
- The ``BFG_DEBUG_AUTHORIZATION`` envvar and the
``debug_authorization`` config file value now only imply debugging
of view-invoked security checks. Previously, information was
printed for every call to ``has_permission`` as well, which made
output confusing. To debug ``has_permission`` checks and other
manual permission checks, use the debugger and print statements in
your own code.
- Authorization debugging info is now only present in the HTTP
response body oif ``debug_authorization`` is true.
- The format of authorization debug messages was improved.
- A new ``BFG_DEBUG_NOTFOUND`` envvar was added and a symmetric
``debug_notfound`` config file value was added. When either is
true, and a NotFound response is returned by the BFG router
(because a view could not be found), debugging information is
printed to stderr. When this value is set true, the body of
HTTPNotFound responses will also contain the same debugging
information.
- ``Allowed`` and ``Denied`` responses from the security machinery
are now specialized into two types: ACL types, and non-ACL types.
The ACL-related responses are instances of
``repoze.bfg.security.ACLAllowed`` and
``repoze.bfg.security.ACLDenied``. The non-ACL-related responses
are ``repoze.bfg.security.Allowed`` and
``repoze.bfg.security.Denied``. The allowed-type responses
continue to evaluate equal to things that themselves evaluate
equal to the ``True`` boolean, while the denied-type responses
continue to evaluate equal to things that themselves evaluate
equal to the ``False`` boolean. The only difference between the
two types is the information attached to them for debugging
purposes.
- Added a new ``BFG_DEBUG_ALL`` envvar and a symmetric ``debug_all``
config file value. When either is true, all other debug-related
flags are set true unconditionally (e.g. ``debug_notfound`` and
``debug_authorization``).
Documentation
- Added info about debug flag changes.
- Added a section to the security chapter named "Debugging
Imperative Authorization Failures" (for e.g. ``has_permssion``).
|
|
named ``render_view_to_response``, ``render_view_to_iterable`` and
``is_response``, which are documented in the API docs. These features
aid programmatic (non-request-driven) view execution.
|
|
|
|
|
|
- Remove dependency on FormEncode (only needed by sampleapp).
- Fix paster template generation so that case-sensitivity is
preserved for project vs. package name.
- Depend on ``z3c.pt`` version 1.0a1 (which requires the ``[lxml]``
extra currently).
|
|
|
|
events.rst chapter in the documentation's ``api`` directory.
|
|
calling a view, which is a callable that returns a response
directly (as opposed to returning a view). As a result, the
``factory`` attribute in the bfg:view ZCML statement has been
renamed to ``view``. Various interface names were changed also.
- ``render_template`` and ``render_transform`` no longer return a
Response object. Instead, these return strings. The old behavior
can be obtained by using ``render_template_to_response`` and
``render_transform_to_response``.
|
|
|
|
|
|
|
|
|
|
context), so we can later enable an app-local component registry.
|
|
|
|
|
|
Rejigger sample app, adding more templates.
|
|
|
|
|
|
Return a NotFound when we can't adapt.
|
|
The router is not middleware.
|
