From 682a9b9df6f42f8261daa077f04b47b65bf00c34 Mon Sep 17 00:00:00 2001
From: Michael Merickel <michael@merickel.org>
Date: Sat, 29 Apr 2017 01:43:38 -0500
Subject: final cleanup of csrf decoupling in #2854

- Renamed `SessionCSRFStoragePolicy` to `LegacySessionCSRFStoragePolicy` for
  the version that uses the legacy `ISession.get_csrf_token` and
  `ISession.new_csrf_token` apis and set that as the default.

- Added new `SessionCSRFStoragePolicy` that stores data in the session
  similar to how the `SessionAuthenticationPolicy` works.

- `CookieCSRFStoragePolicy` did not properly return the newly generated
  token from `get_csrf_token` after calling `new_csrf_token`. It needed
  to cache the new value since the response callback does not affect
  the current request.

- `CookieCSRFStoragePolicy` was not forwarding the `domain` value to the
  `CookieProfile` causing that setting to be ignored.

- Removed `check_csrf_token` from the `ICSRFStoragePolicy` interface
  to simplify implementations of storage policies.

- Added an introspectable item for the configured storage policy so that
  it appears on the debugtoolbar.

- Added a change note on `ISession` that it no longer required the csrf methods.

- Leave deprecated shims in ``pyramid.session`` for
``check_csrf_origin`` and ``check_csrf_token``.
---
 CHANGES.txt | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

(limited to 'CHANGES.txt')

diff --git a/CHANGES.txt b/CHANGES.txt
index 762550053..7d70abbb8 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -24,12 +24,13 @@ Features
   can be alleviated by invoking ``config.begin()`` and ``config.end()``
   appropriately. See https://github.com/Pylons/pyramid/pull/2989
 
-- A new CSRF implementation, :class:`pyramid.csrf.SessionCSRF` has been added,
-  which delegates all CSRF generation to the current session, following the
-  old API for this. A ``get_csrf_token()`` method is now available in template
-  global scope, to make it easy for template developers to get the current CSRF
-  token without adding it to Python code.
-  See https://github.com/Pylons/pyramid/pull/2854
+- A new CSRF implementation, ``pyramid.csrf.SessionCSRFStoragePolicy``,
+  has been added which delegates all CSRF generation to the current session,
+  following the old API for this. A ``pyramid.csrf.get_csrf_token()`` api is now
+  available in template global scope, to make it easy for template developers
+  to get the current CSRF token without adding it to Python code.
+  See https://github.com/Pylons/pyramid/pull/2854 and
+  https://github.com/Pylons/pyramid/pull/3019
 
 
 Bug Fixes
-- 
cgit v1.2.3