From 6ec5a699bbd24e2d493418c3ada39390f943d517 Mon Sep 17 00:00:00 2001 From: Alex Volkov Date: Tue, 13 Nov 2012 18:20:20 -0500 Subject: My fix for Issue #721. Made view.py - render_view to convert iterable input into bytestring and joing it with bytestring. --- pyramid/tests/test_view.py | 22 +++++++++++++++++++--- pyramid/view.py | 4 +++- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/pyramid/tests/test_view.py b/pyramid/tests/test_view.py index 0af941e0d..42cfea37b 100644 --- a/pyramid/tests/test_view.py +++ b/pyramid/tests/test_view.py @@ -230,6 +230,22 @@ class RenderViewToIterableTests(BaseTest, unittest.TestCase): iterable = self._callFUT(context, request, name='registered', secure=False) self.assertEqual(iterable, ['anotherview']) + def test_verify_output_bytestring(self): + from pyramid.request import Request + from pyramid.config import Configurator + from pyramid.view import render_view + from webob.compat import text_type + config = Configurator(settings={}) + def view(request): + request.response.text = text_type('') + return request.response + + config.add_view(name='test', view=view) + config.commit() + + r = Request({}) + r.registry = config.registry + self.assertEqual(render_view(object(), r, 'test'), b'') def test_call_request_has_no_registry(self): request = self._makeRequest() @@ -261,7 +277,7 @@ class RenderViewTests(BaseTest, unittest.TestCase): view = make_view(response) self._registerView(request.registry, view, 'registered') s = self._callFUT(context, request, name='registered', secure=True) - self.assertEqual(s, '') + self.assertEqual(s, b'') def test_call_view_registered_insecure_no_call_permissive(self): context = self._makeContext() 
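Review bot: `test_verify_output_bytestring` only exercises an empty body (`request.response.text = text_type('')`), so it passes whether or not the text-to-bytes conversion this commit adds to `render_view` actually works — an `app_iter` holding a single empty chunk joins to `b''` either way. Pin a non-empty value so the assertion depends on the join producing bytes, e.g. `request.response.text = text_type('abc')` with `self.assertEqual(render_view(object(), r, 'test'), b'abc')` (constructed sample); a non-ASCII value would additionally check the encoding path. The test also stands up a full `Configurator` and `Request({})` while every sibling test in `RenderViewToIterableTests` uses `self._makeRequest()` and `self._registerView(...)`; using the same helpers would keep the class consistent and avoid relying on an empty WSGI environ.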
@@ -270,7 +286,7 @@ class RenderViewTests(BaseTest, unittest.TestCase): view = make_view(response) self._registerView(request.registry, view, 'registered') s = self._callFUT(context, request, name='registered', secure=False) - self.assertEqual(s, '') + self.assertEqual(s, b'') def test_call_view_registered_insecure_with_call_permissive(self): context = self._makeContext() @@ -282,7 +298,7 @@ class RenderViewTests(BaseTest, unittest.TestCase): view.__call_permissive__ = anotherview self._registerView(request.registry, view, 'registered') s = self._callFUT(context, request, name='registered', secure=False) - self.assertEqual(s, 'anotherview') + self.assertEqual(s, b'anotherview') class TestIsResponse(unittest.TestCase): def setUp(self): diff --git a/pyramid/view.py b/pyramid/view.py index 835982e79..972877fea 100644 --- a/pyramid/view.py +++ b/pyramid/view.py @@ -2,6 +2,8 @@ import venusian from zope.interface import providedBy from zope.deprecation import deprecated +from webob.compat import text_type + from pyramid.interfaces import ( IRoutesMapper, @@ -136,7 +138,7 @@ def render_view(context, request, name='', secure=True): iterable = render_view_to_iterable(context, request, name, secure) if iterable is None: return None - return ''.join(iterable) + return b''.join((x.encode('utf-8') if isinstance(x, text_type) else x for x in iterable)) class view_config(object): """ A function, class or method :term:`decorator` which allows a -- cgit v1.2.3 From 0a8ea94e81e3edc68d8175eb3666a7bfc9904913 Mon Sep 17 00:00:00 2001 From: Michael Merickel Date: Tue, 13 Nov 2012 21:44:26 -0600 Subject: simplfied change as response.app_iter must contain bytes per pep 3333 --- pyramid/tests/test_view.py | 7 ++++--- pyramid/view.py | 3 +-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/pyramid/tests/test_view.py b/pyramid/tests/test_view.py index 42cfea37b..a78b0cbab 100644 --- a/pyramid/tests/test_view.py +++ b/pyramid/tests/test_view.py 
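Review bot: The new return line in `render_view` hard-codes `'utf-8'` whenever it meets a text chunk, ignoring whatever `charset` the response itself declares, so a view emitting text under a different charset would have its body re-encoded inconsistently with its own `Content-Type`. Under PEP 3333 an `app_iter` must already yield bytes, so the `isinstance(x, text_type)` branch also silently papers over views that violate that contract instead of surfacing them; the plain `return b''.join(iterable)` that the following commit in this series adopts makes the contract explicit. If the conversion were kept, it should at least derive the encoding from the response rather than a literal. The body of `render_view` begins outside the hunk.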
@@ -224,12 +224,13 @@ class RenderViewToIterableTests(BaseTest, unittest.TestCase): response = DummyResponse() view = make_view(response) def anotherview(context, request): - return DummyResponse('anotherview') + return DummyResponse(b'anotherview') view.__call_permissive__ = anotherview self._registerView(request.registry, view, 'registered') iterable = self._callFUT(context, request, name='registered', secure=False) - self.assertEqual(iterable, ['anotherview']) + self.assertEqual(iterable, [b'anotherview']) + def test_verify_output_bytestring(self): from pyramid.request import Request from pyramid.config import Configurator @@ -294,7 +295,7 @@ class RenderViewTests(BaseTest, unittest.TestCase): response = DummyResponse() view = make_view(response) def anotherview(context, request): - return DummyResponse('anotherview') + return DummyResponse(b'anotherview') view.__call_permissive__ = anotherview self._registerView(request.registry, view, 'registered') s = self._callFUT(context, request, name='registered', secure=False) diff --git a/pyramid/view.py b/pyramid/view.py index 972877fea..dd01d9d20 100644 --- a/pyramid/view.py +++ b/pyramid/view.py @@ -2,7 +2,6 @@ import venusian from zope.interface import providedBy from zope.deprecation import deprecated -from webob.compat import text_type from pyramid.interfaces import ( @@ -138,7 +137,7 @@ def render_view(context, request, name='', secure=True): iterable = render_view_to_iterable(context, request, name, secure) if iterable is None: return None - return b''.join((x.encode('utf-8') if isinstance(x, text_type) else x for x in iterable)) + return b''.join(iterable) class view_config(object): """ A function, class or method :term:`decorator` which allows a -- cgit v1.2.3 From f89cfcdd50a8beba17a6d02854f4153961ff478c Mon Sep 17 00:00:00 2001 From: Michael Merickel Date: Tue, 13 Nov 2012 21:50:05 -0600 Subject: updated changelog --- CHANGES.txt | 4 ++++ 1 file changed, 4 insertions(+) 
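Review bot: `b''.join(iterable)` consumes the `app_iter` but never calls its `close()` method, which PEP 3333 requires of whoever finishes iterating a response iterable; for a file-backed or generator-based `app_iter` that holds a resource, `render_view` would leak it (inferred from the hunk — whether such iterables reach this path in practice is not visible here). Wrapping the join in `try`/`finally` and calling `close` when it exists keeps that contract without changing the return value. `render_view`'s signature and docstring are outside the hunk.
```python
    iterable = render_view_to_iterable(context, request, name, secure)
    if iterable is None:
        return None
    try:
        return b''.join(iterable)
    finally:
        # PEP 3333: the consumer of an app_iter must call close() if present.
        close = getattr(iterable, 'close', None)
        if close is not None:
            close()
```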
diff --git a/CHANGES.txt b/CHANGES.txt index e40312c34..16e3d8586 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -61,6 +61,10 @@ Bug Fixes ``physical_path`` predicate implementations; instead of raising an exception, return False. +- :func:`pyramid.view.render_view` was not functioning properly under + Python 3.x due to a byte/unicode discrepancy. See + http://github.com/Pylons/pyramid/issues/721 + Deprecations ------------ -- cgit v1.2.3 From 23de5bafdc074a01541a2a3dd3fa9e20e5801d57 Mon Sep 17 00:00:00 2001 From: Michael Merickel Date: Tue, 13 Nov 2012 23:38:50 -0600 Subject: indicate render_view returns a bytestring (see #725) --- pyramid/view.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyramid/view.py b/pyramid/view.py index dd01d9d20..021d6ff79 100644 --- a/pyramid/view.py +++ b/pyramid/view.py @@ -117,7 +117,7 @@ def render_view(context, request, name='', secure=True): configuration` that matches the :term:`view name` ``name`` registered against the specified ``context`` and ``request`` and unwind the view response's ``app_iter`` (see - :ref:`the_response`) into a single string. This function will + :ref:`the_response`) into a single bytestring. This function will return ``None`` if a corresponding :term:`view callable` cannot be found (when no :term:`view configuration` matches the combination of ``name`` / ``context`` / and ``request``). Additionally, this -- cgit v1.2.3 From 3d2dd3e0ee13ccad97b48775d135d765b3d22195 Mon Sep 17 00:00:00 2001 From: Chris McDonough Date: Wed, 14 Nov 2012 00:56:59 -0500 Subject: ref #725; indicate how to join the result of render_view_to_iterable --- pyramid/view.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pyramid/view.py b/pyramid/view.py index 021d6ff79..1a66c9e9c 100644 --- a/pyramid/view.py +++ b/pyramid/view.py 
@@ -94,8 +94,8 @@ def render_view_to_iterable(context, request, name='', secure=True): :exc:`ValueError` if a view function is found and called but the view function's result does not have an ``app_iter`` attribute. - You can usually get the string representation of the return value - of this function by calling ``''.join(iterable)``, or just use + You can usually get the bytestring representation of the return value of + this function by calling ``b''.join(iterable)``, or just use :func:`pyramid.view.render_view` instead. If ``secure`` is ``True``, and the view is protected by a permission, the -- cgit v1.2.3 From a5b23b06b9dcd6157b9e97bfd65ff9ced0299afd Mon Sep 17 00:00:00 2001 From: Chris McDonough Date: Wed, 14 Nov 2012 01:09:40 -0500 Subject: remove duplicate whatsnew entry (forward port from 1.3 branch --- docs/whatsnew-1.3.rst | 7 ------- 1 file changed, 7 deletions(-) diff --git a/docs/whatsnew-1.3.rst b/docs/whatsnew-1.3.rst index 14db1fe15..f32053202 100644 --- a/docs/whatsnew-1.3.rst +++ b/docs/whatsnew-1.3.rst @@ -289,13 +289,6 @@ Minor Feature Additions not a new feature, it just provides an API for adding a resource url adapter without needing to use the ZCA API. -- The :meth:`pyramid.config.Configurator.scan` method can now be passed an - ``ignore`` argument, which can be a string, a callable, or a list - consisting of strings and/or callables. This feature allows submodules, - subpackages, and global objects from being scanned. See - http://readthedocs.org/docs/venusian/en/latest/#ignore-scan-argument for - more information about how to use the ``ignore`` argument to ``scan``. - - Better error messages when a view callable returns a value that cannot be converted to a response (for example, when a view callable returns a dictionary without a renderer defined, or doesn't return any value at all). -- cgit v1.2.3 From 39ef68dbc196824f66796fa91ea1eeeaa96d7471 Mon Sep 17 00:00:00 2001 
From: Chris McDonough Date: Wed, 14 Nov 2012 02:39:08 -0500 Subject: rearrange deck chairs --- CHANGES.txt | 41 +++++++++++++++++++++++++---------------- 1 file changed, 25 insertions(+), 16 deletions(-) diff --git a/CHANGES.txt b/CHANGES.txt index 16e3d8586..16dad95f1 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -6,7 +6,8 @@ Features - ``pyramid.authentication.AuthTktAuthenticationPolicy`` has been updated to support newer hashing algorithms such as ``sha512``. Existing applications - should consider updating if possible. + should consider updating if possible for improved security over the default + md5 hashing. - Added an ``effective_principals`` route and view predicate. @@ -21,18 +22,11 @@ Features - Slightly better debug logging from ``pyramid.authentication.RepozeWho1AuthenticationPolicy``. -- ``pyramid.security.view_execution_permitted`` used to return `True` if no +- ``pyramid.security.view_execution_permitted`` used to return ``True`` if no view could be found. It now raises a ``TypeError`` exception in that case, as it doesn't make sense to assert that a nonexistent view is execution-permitted. See https://github.com/Pylons/pyramid/issues/299. -- Get rid of shady monkeypatching of ``pyramid.request.Request`` and - ``pyramid.response.Response`` done within the ``__init__.py`` of Pyramid. - Webob no longer relies on this being done. Instead, the ResponseClass - attribute of the Pyramid Request class is assigned to the Pyramid response - class; that's enough to satisfy WebOb and behave as it did before with the - monkeypatching. - - Allow a ``_depth`` argument to ``pyramid.view.view_config``, which will permit limited composition reuse of the decorator by other software that wants to provide custom decorators that are much like view_config. 
@@ -61,18 +55,26 @@ Bug Fixes ``physical_path`` predicate implementations; instead of raising an exception, return False. -- :func:`pyramid.view.render_view` was not functioning properly under - Python 3.x due to a byte/unicode discrepancy. See +- ``pyramid.view.render_view`` was not functioning properly under Python 3.x + due to a byte/unicode discrepancy. See http://github.com/Pylons/pyramid/issues/721 Deprecations ------------ -- ``pyramid.authentication.AuthTktAuthenticationPolicy`` will emit a warning - if an application is using the policy without explicitly setting the - ``hashalg``. This is because the default is "md5" which is considered - insecure. If you really want "md5" then you must specify it explicitly to - get rid of the warning. +- ``pyramid.authentication.AuthTktAuthenticationPolicy`` will emit a warning if + an application is using the policy without explicitly passing a ``hashalg`` + argument. This is because the default is "md5" which is considered + theoretically subject to collision attacks. If you really want "md5" then you + must specify it explicitly to get rid of the warning. + +Documentation +------------- + +- All of the tutorials that use + ``pyramid.authentication.AuthTktAuthenticationPolicy`` now explicitly pass + ``sha512`` as a ``hashalg`` argument. + Internals --------- @@ -85,6 +87,13 @@ Internals because that package should never be imported from non-Pyramid code. TopologicalSorter is still not an API, but may become one. +- Get rid of shady monkeypatching of ``pyramid.request.Request`` and + ``pyramid.response.Response`` done within the ``__init__.py`` of Pyramid. + Webob no longer relies on this being done. Instead, the ResponseClass + attribute of the Pyramid Request class is assigned to the Pyramid response + class; that's enough to satisfy WebOb and behave as it did before with the + monkeypatching. + 1.4a3 (2012-10-26) ================== -- cgit v1.2.3 From 2063ed6d4882ad69257ce90bdc44c2e883b09c61 Mon Sep 17 00:00:00 2001 
From: Chris McDonough Date: Wed, 14 Nov 2012 02:47:54 -0500 Subject: update for release --- docs/whatsnew-1.4.rst | 41 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/docs/whatsnew-1.4.rst b/docs/whatsnew-1.4.rst index 59e1f7a96..5da28bb03 100644 --- a/docs/whatsnew-1.4.rst +++ b/docs/whatsnew-1.4.rst @@ -77,6 +77,11 @@ Subrequest Support Minor Feature Additions ----------------------- +- :class:`pyramid.authentication.AuthTktAuthenticationPolicy` has been updated + to support newer hashing algorithms such as ``sha512``. Existing applications + should consider updating if possible for improved security over the default + md5 hashing. + - :meth:`pyramid.config.Configurator.add_directive` now accepts arbitrary callables like partials or objects implementing ``__call__`` which don't have ``__name__`` and ``__doc__`` attributes. See @@ -182,7 +187,6 @@ Minor Feature Additions :meth:`pyramid.config.testing_securitypolicy` now sets a ``forgotten`` value on the policy (the value ``True``) when its ``forget`` method is called. - - The DummySecurityPolicy created by :meth:`pyramid.config.testing_securitypolicy` now sets a ``remembered`` value on the policy, which is the value of the ``principal`` 
@@ -196,6 +200,31 @@ Minor Feature Additions view when some object is traversed to, but you can't be sure about what kind of object it will be, so you can't use the ``context`` predicate. +- Added an ``effective_principals`` route and view predicate. + +- Do not allow the userid returned from the + :func:`pyramid.security.authenticated_userid` or the userid that is one of the + list of principals returned by :func:`pyramid.security.effective_principals` + to be either of the strings ``system.Everyone`` or ``system.Authenticated`` + when any of the built-in authorization policies that live in + :mod:`pyramid.authentication` are in use. These two strings are reserved for + internal usage by Pyramid and they will no longer be accepted as valid + userids. + +- Allow a ``_depth`` argument to :class:`pyramid.view.view_config`, which will + permit limited composition reuse of the decorator by other software that + wants to provide custom decorators that are much like view_config. + +- Allow an iterable of decorators to be passed to + :meth:`pyramid.config.Configurator.add_view`. This allows views to be wrapped + by more than one decorator without requiring combining the decorators + yourself. + +- :func:`pyramid.security.view_execution_permitted` used to return `True` if no + view could be found. It now raises a :exc:`TypeError` exception in that case, + as it doesn't make sense to assert that a nonexistent view is + execution-permitted. See https://github.com/Pylons/pyramid/issues/299. + Backwards Incompatibilities --------------------------- 
@@ -289,6 +318,12 @@ Deprecations used in its place (it has all of the same capabilities but can also extend the request object with methods). +- :class:`pyramid.authentication.AuthTktAuthenticationPolicy` will emit a + deprecation warning if an application is using the policy without explicitly + passing a ``hashalg`` argument. This is because the default is "md5" which is + considered theoretically subject to collision attacks. If you really want + "md5" then you must specify it explicitly to get rid of the warning. + Documentation Enhancements -------------------------- @@ -299,6 +334,10 @@ Documentation Enhancements - Added a :ref:`subrequest_chapter` chapter to the narrative documentation. +- All of the tutorials that use + :class:`pyramid.authentication.AuthTktAuthenticationPolicy` now explicitly + pass ``sha512`` as a ``hashalg`` argument. + - Many cleanups and improvements to narrative and API docs. Dependency Changes -- cgit v1.2.3 From 948068688561806a321a17bfc15c87446a577b5b Mon Sep 17 00:00:00 2001 From: Chris McDonough Date: Wed, 14 Nov 2012 02:49:16 -0500 Subject: prep for release --- CHANGES.txt | 4 ++-- docs/conf.py | 2 +- setup.py | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGES.txt b/CHANGES.txt index 16dad95f1..9f5ce064f 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1,5 +1,5 @@ -Next release -============ +1.4a4 (2012-11-14) +================== Features -------- diff --git a/docs/conf.py b/docs/conf.py index 9bda4c798..5e17de18a 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -81,7 +81,7 @@ copyright = '%s, Agendaless Consulting' % datetime.datetime.now().year # other places throughout the built documents. # # The short X.Y version. -version = '1.4a3' +version = '1.4a4' # The full version, including alpha/beta/rc tags. release = version diff --git a/setup.py b/setup.py index 4ea63a3ee..2356e76ac 100644 --- a/setup.py +++ b/setup.py 
@@ -68,7 +68,7 @@ testing_extras = tests_require + [ ] setup(name='pyramid', - version='1.4a3', + version='1.4a4', description=('The Pyramid web application development framework, a ' 'Pylons project'), long_description=README + '\n\n' + CHANGES, -- cgit v1.2.3