From cb98a90c3dcc40dc42813143a601ef631249f5f4 Mon Sep 17 00:00:00 2001 From: Michael Merickel Date: Sun, 28 Feb 2016 15:06:30 -0600 Subject: add changelog for #1370 --- CHANGES.txt | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index ffa5f51e0..84a62837c 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -10,6 +10,11 @@ unreleased ``[app:main]`` and ``[server:main]``. See https://github.com/Pylons/pyramid/pull/2292 +- Allow a leading ``=`` on the key of the request param predicate. + For example, '=abc=1' is equivalent down to + ``request.params['=abc'] == '1'``. + See https://github.com/Pylons/pyramid/pull/1370 + 1.6 (2015-04-14) ================ -- cgit v1.2.3 From d5c361d8bccb57e3b6969a91209511cc4a45134a Mon Sep 17 00:00:00 2001 From: Michael Merickel Date: Mon, 29 Feb 2016 13:05:04 -0600 Subject: update changelog for #2024 --- CHANGES.txt | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 84a62837c..3a1305c95 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1,6 +1,12 @@ unreleased ========== +- A complete overhaul of the ``alchemy`` scaffold as well as the + Wiki2 SQLAlchemy + URLDispatch tutorial to introduce more modern features + into the usage of SQLAlchemy with Pyramid and provide a better starting + point for new projects. + See https://github.com/Pylons/pyramid/pull/2024 + - Dropped Python 3.2 support. See https://github.com/Pylons/pyramid/pull/2256 -- cgit v1.2.3 From 4d4688b7053ddfcfd91b36bf9504c1db76a92763 Mon Sep 17 00:00:00 2001 From: Michael Merickel Date: Mon, 14 Mar 2016 13:27:14 -0500 Subject: add changelog for #2393 --- CHANGES.txt | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 3a1305c95..a17f4aab5 100644 --- a/CHANGES.txt +++ b/CHANGES.txt 
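Review bot: "is equivalent down to" in the #1370 entry reads oddly; write "For example, ``=abc=1`` is equivalent to ``request.params['=abc'] == '1'``." That also fixes the markup: the example key is wrapped in single quotes while every other literal in this file uses double backticks.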
@@ -21,6 +21,12 @@ unreleased ``request.params['=abc'] == '1'``. See https://github.com/Pylons/pyramid/pull/1370 +- A new ``request.invoke_exception_view(...)`` method which can be used to + invoke an exception view and get back a response. This is useful for + rendering an exception view outside of the context of the excview tween + where you may need more control over the request. + See https://github.com/Pylons/pyramid/pull/2393 + 1.6 (2015-04-14) ================ -- cgit v1.2.3 From 1514ea003dfe39fa79a0ec07bbbc14f239cb4eb2 Mon Sep 17 00:00:00 2001 From: Marc Abramowitz Date: Mon, 7 Mar 2016 08:20:39 -0800 Subject: Pass vars to logging.config.fileConfig This allows one to set up a logging configuration that is parameterized based on variables specified on the command-line. e.g.: the application .ini file could have: ```ini [logger_root] level = %(LOGGING_LOGGER_ROOT_LEVEL)s handlers = console [handler_console] class = StreamHandler args = (sys.stderr,) level = %(LOGGING_HANDLER_CONSOLE_LEVEL)s formatter = generic ``` This app could be launched with: ``` pserve development.ini LOGGING_LOGGER_ROOT_LEVEL=DEBUG LOGGING_HANDLER_CONSOLE_LEVEL=DEBUG ``` --- CHANGES.txt | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index a17f4aab5..4a61dbffa 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -27,6 +27,12 @@ unreleased where you may need more control over the request. See https://github.com/Pylons/pyramid/pull/2393 +- Allow using variable substitutions like ``%(LOGGING_LOGGER_ROOT_LEVEL)s`` + for logging sections of the .ini file and populate these variables from + the ``pserve`` command line -- e.g.: + ``pserve development.ini LOGGING_LOGGER_ROOT_LEVEL=DEBUG`` + See https://github.com/Pylons/pyramid/pull/2399 + 1.6 (2015-04-14) ================ -- cgit v1.2.3 From fa43952e617ad68c52447da28fc7f5be23ff4b10 Mon Sep 17 00:00:00 2001 
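Review bot: the #2393 entry describes the success path of ``request.invoke_exception_view(...)`` but not what the caller gets when no exception view matches the exception (a raised error, ``None``, or a default response); callers rendering errors outside the excview tween need that to handle the fallback, so add a sentence.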
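Review bot: the #2399 entry should say what happens when a logging section references a ``%(NAME)s`` variable that is not supplied on the ``pserve`` command line; ConfigParser interpolation with a missing key normally fails the whole logging setup at startup, and a sentence on that failure mode (and that the values are passed through as defaults to ``logging.config.fileConfig``, per the commit subject) would save users a confusing traceback.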
From: Michael Merickel Date: Sun, 10 Apr 2016 22:09:29 -0500 Subject: add changelog for #2021 --- CHANGES.txt | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 4a61dbffa..2b3db8644 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -33,6 +33,13 @@ unreleased ``pserve development.ini LOGGING_LOGGER_ROOT_LEVEL=DEBUG`` See https://github.com/Pylons/pyramid/pull/2399 +- Add a new "view deriver" concept to Pyramid to allow framework authors to + inject elements into the standard Pyramid view pipeline and affect all + views in an application. This is similar to a decorator except that it + has access to options passed to ``config.add_view`` and can affect other + stages of the pipeline such as the raw response from a view or prior to + security checks. See https://github.com/Pylons/pyramid/pull/2021 + 1.6 (2015-04-14) ================ -- cgit v1.2.3 From 47ebf00dab1f448dc927182b22fbb35d231ca5b3 Mon Sep 17 00:00:00 2001 From: Steve Piercy Date: Tue, 12 Apr 2016 15:43:56 -0700 Subject: - add changelog entry to CHANGES.txt --- CHANGES.txt | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 2b3db8644..ceb3207df 100644 --- a/CHANGES.txt +++ b/CHANGES.txt 
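Review bot: the #2021 entry says a view deriver can act "prior to security checks" but not where it sits relative to the permission check itself; since a deriver that wraps the wrong stage can run a view body before the check, state the ordering (or the deriver ordering options) explicitly so addon authors do not bypass authorization by accident. Style: the "See" link is on the same line as the sentence here, while every other entry puts it on its own line.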
@@ -1,6 +1,18 @@ unreleased ========== +- A complete overhaul of the docs: + + - Use pip instead of easy_install. + - Become opinionated by preferring Python 3.4 or greater to simplify + installation of Python and its required packaging tools. + - Use venv for the tool, and virtual environment for the thing created, + instead of virtualenv. + - Use py.test and pytest-cov instead of nose and coverage. + - Further updates to the scaffolds as well as tutorials and their src files. + + See https://github.com/Pylons/pyramid/pull/2468 + - A complete overhaul of the ``alchemy`` scaffold as well as the Wiki2 SQLAlchemy + URLDispatch tutorial to introduce more modern features into the usage of SQLAlchemy with Pyramid and provide a better starting -- cgit v1.2.3 From 16bdbb86955cdf1b372f257bd70b1dbc530205d5 Mon Sep 17 00:00:00 2001 From: Bert JW Regeer Date: Sun, 10 Apr 2016 20:53:57 -0600 Subject: Update CHANGES.txt --- CHANGES.txt | 3 +++ 1 file changed, 3 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index ceb3207df..fd8c636a0 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1,6 +1,9 @@ unreleased ========== +- Python 2.6 is no longer supported by Pyramid. See + https://github.com/Pylons/pyramid/issues/2368 + - A complete overhaul of the docs: - Use pip instead of easy_install. -- cgit v1.2.3 From 17905a39040b8a2f4b57341909eef9d0fac218f5 Mon Sep 17 00:00:00 2001 From: Bert JW Regeer Date: Tue, 12 Apr 2016 18:05:30 -0600 Subject: Add CHANGES for BeforeTraversal --- CHANGES.txt | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index fd8c636a0..488c38c7b 100644 --- a/CHANGES.txt +++ b/CHANGES.txt 
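Review bot: the Python 2.6 entry is a support removal, not a feature, and it is separated from the existing "Dropped Python 3.2 support" entry further down in the same section; group the two together, ideally under a backward-incompatibility heading, so that anyone scanning for breaking changes finds both in one place.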
@@ -1,6 +1,11 @@ unreleased ========== +- A new event and interface (BeforeTraversal) has been introduced that will + notify listeners before traversal starts in the router. See + https://github.com/Pylons/pyramid/pull/2469 and + https://github.com/Pylons/pyramid/pull/1876 + - Python 2.6 is no longer supported by Pyramid. See https://github.com/Pylons/pyramid/issues/2368 -- cgit v1.2.3 From ce91e9303b61523789dea2d075c951ad30f8d82a Mon Sep 17 00:00:00 2001 From: Steve Piercy Date: Wed, 13 Apr 2016 00:41:13 -0700 Subject: - Deprecated support for Python 3.3. See #2477 --- CHANGES.txt | 3 +++ 1 file changed, 3 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 488c38c7b..00232abc3 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1,6 +1,9 @@ unreleased ========== +- Deprecated support for Python 3.3. + https://github.com/Pylons/pyramid/issues/2477 + - A new event and interface (BeforeTraversal) has been introduced that will notify listeners before traversal starts in the router. See https://github.com/Pylons/pyramid/pull/2469 and -- cgit v1.2.3 From a51ca284503910e4090973a4d8991fee92f3381b Mon Sep 17 00:00:00 2001 From: Steve Piercy Date: Wed, 13 Apr 2016 16:01:45 -0700 Subject: update deprecation log entry --- CHANGES.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 00232abc3..da59c3e6f 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1,7 +1,7 @@ unreleased ========== -- Deprecated support for Python 3.3. +- (Deprecation) Support for Python 3.3 will be removed in Pyramid 1.8. https://github.com/Pylons/pyramid/issues/2477 - A new event and interface (BeforeTraversal) has been introduced that will -- cgit v1.2.3 From 4c6592734ffb5eace320d8e92e33c5866f111749 Mon Sep 17 00:00:00 2001 From: Bert JW Regeer Date: Thu, 14 Apr 2016 10:43:10 -0600 Subject: Update CHANGES --- CHANGES.txt | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'CHANGES.txt') 
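Review bot: ``BeforeTraversal`` should be in double backticks like the other identifiers in this file. The entry also cites two PRs (#2469 and #1876) without saying which is the implementation and which is the earlier discussion; a word on each helps readers chasing the design history.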
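Review bot: the new "Deprecated support for Python 3.3" entry gives no removal timeline and drops the "See" before the URL that every other entry uses; a deprecation note is only actionable if it says which release removes the support.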
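Review bot: the "(Deprecation)" prefix in the updated entry is a workaround for the missing section heading; rather than tagging individual entries, put deprecations under their own "Deprecations" heading, as the 1.6 section of this same file already does.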
diff --git a/CHANGES.txt b/CHANGES.txt index fd8c636a0..d5640ee0b 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1,6 +1,13 @@ unreleased ========== +- Pyramid HTTPExceptions will now take into account the best match for the + clients Accept header, and depending on what is requested will return + text/html, application/json or text/plain. The default for */* is still + text/html, but if application/json is explicitly mentioned it will now + receive a valid JSON response. See: + https://github.com/Pylons/pyramid/pull/2489 + - Python 2.6 is no longer supported by Pyramid. See https://github.com/Pylons/pyramid/issues/2368 -- cgit v1.2.3 From 1cf1323a25c32099c2c371c5a5fce536a5b3c2b4 Mon Sep 17 00:00:00 2001 From: Bert JW Regeer Date: Thu, 14 Apr 2016 21:12:47 -0600 Subject: Add CHANGES.txt entry, and re-organise --- CHANGES.txt | 81 ++++++++++++++++++++++++++++++++++++++++--------------------- 1 file changed, 54 insertions(+), 27 deletions(-) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 96d8d8236..ead9eb4b9 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1,6 +1,22 @@ unreleased ========== +Backward Incompatibilities +-------------------------- + +- Following the Pyramid deprecation period (1.4 -> 1.6), + AuthTktAuthenticationPolicy's default hashing algorithm is changing from md5 + to sha512. If you are using the authentication policy and need to continue + using md5, please explicitly set hashalg to 'md5'. + + This change does mean that any existing auth tickets (and associated cookies) + will no longer be valid, and users will no longer be logged in, and have to + login to their accounts again. No other backwards incompatible changes have + been made. + +Features +-------- + - Pyramid HTTPExceptions will now take into account the best match for the clients Accept header, and depending on what is requested will return text/html, application/json or text/plain. The default for */* is still 
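Review bot: "clients Accept header" needs an apostrophe (client's). More importantly, the #2489 entry promises "a valid JSON response" when application/json is requested but does not say what the body contains; API clients will parse it, so document the fields or point to where they are documented. "See:" with a colon is also inconsistent with the other entries.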
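Review bot: the AuthTkt hashalg entry in the first hunk of the re-organise commit is the one operators most need and it is the only entry without a PR link; add one. "No other backwards incompatible changes have been made" is a release-wide statement that will go stale as more entries land under "unreleased"; drop it from this entry. Markup: ``AuthTktAuthenticationPolicy``, ``hashalg``, ``md5`` and ``sha512`` should use double backticks. The stated consequence (every existing ticket and cookie becomes invalid, all users are logged out on upgrade) is worth repeating in the deployment notes.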
@@ -8,16 +24,38 @@ unreleased receive a valid JSON response. See: https://github.com/Pylons/pyramid/pull/2489 -- (Deprecation) Support for Python 3.3 will be removed in Pyramid 1.8. - https://github.com/Pylons/pyramid/issues/2477 - - A new event and interface (BeforeTraversal) has been introduced that will notify listeners before traversal starts in the router. See https://github.com/Pylons/pyramid/pull/2469 and https://github.com/Pylons/pyramid/pull/1876 -- Python 2.6 is no longer supported by Pyramid. See - https://github.com/Pylons/pyramid/issues/2368 +- Add a new "view deriver" concept to Pyramid to allow framework authors to + inject elements into the standard Pyramid view pipeline and affect all + views in an application. This is similar to a decorator except that it + has access to options passed to ``config.add_view`` and can affect other + stages of the pipeline such as the raw response from a view or prior to + security checks. See https://github.com/Pylons/pyramid/pull/2021 + + +- Allow a leading ``=`` on the key of the request param predicate. + For example, '=abc=1' is equivalent down to + ``request.params['=abc'] == '1'``. + See https://github.com/Pylons/pyramid/pull/1370 + +- A new ``request.invoke_exception_view(...)`` method which can be used to + invoke an exception view and get back a response. This is useful for + rendering an exception view outside of the context of the excview tween + where you may need more control over the request. + See https://github.com/Pylons/pyramid/pull/2393 + +- Allow using variable substitutions like ``%(LOGGING_LOGGER_ROOT_LEVEL)s`` + for logging sections of the .ini file and populate these variables from + the ``pserve`` command line -- e.g.: + ``pserve development.ini LOGGING_LOGGER_ROOT_LEVEL=DEBUG`` + See https://github.com/Pylons/pyramid/pull/2399 + +Documentation Changes +--------------------- - A complete overhaul of the docs: 
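Review bot: this hunk leaves two consecutive blank lines (two "+" lines with nothing on them) between the view deriver entry and the "Allow a leading ``=``" entry; keep one. The new heading reads "Documentation Changes" while the 1.6 section further down uses "Docs"; pick one name for both sections.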
@@ -37,8 +75,8 @@ unreleased point for new projects. See https://github.com/Pylons/pyramid/pull/2024 -- Dropped Python 3.2 support. - See https://github.com/Pylons/pyramid/pull/2256 +Bug Fixes +--------- - Fix ``pserve --browser`` to use the ``--server-name`` instead of the app name when selecting a section to use. This was only working for people 
@@ -46,29 +84,18 @@ unreleased ``[app:main]`` and ``[server:main]``. See https://github.com/Pylons/pyramid/pull/2292 -- Allow a leading ``=`` on the key of the request param predicate. - For example, '=abc=1' is equivalent down to - ``request.params['=abc'] == '1'``. - See https://github.com/Pylons/pyramid/pull/1370 +Deprecations +------------ -- A new ``request.invoke_exception_view(...)`` method which can be used to - invoke an exception view and get back a response. This is useful for - rendering an exception view outside of the context of the excview tween - where you may need more control over the request. - See https://github.com/Pylons/pyramid/pull/2393 +- (Deprecation) Support for Python 3.3 will be removed in Pyramid 1.8. + https://github.com/Pylons/pyramid/issues/2477 -- Allow using variable substitutions like ``%(LOGGING_LOGGER_ROOT_LEVEL)s`` - for logging sections of the .ini file and populate these variables from - the ``pserve`` command line -- e.g.: - ``pserve development.ini LOGGING_LOGGER_ROOT_LEVEL=DEBUG`` - See https://github.com/Pylons/pyramid/pull/2399 +- Python 2.6 is no longer supported by Pyramid. See + https://github.com/Pylons/pyramid/issues/2368 + +- Dropped Python 3.2 support. + See https://github.com/Pylons/pyramid/pull/2256 -- Add a new "view deriver" concept to Pyramid to allow framework authors to - inject elements into the standard Pyramid view pipeline and affect all - views in an application. This is similar to a decorator except that it - has access to options passed to ``config.add_view`` and can affect other - stages of the pipeline such as the raw response from a view or prior to - security checks. See https://github.com/Pylons/pyramid/pull/2021 1.6 (2015-04-14) ================ -- cgit v1.2.3 From 2945f739480a31b3e260b3efdbf17cda2e97142a Mon Sep 17 00:00:00 2001 
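Review bot: "Python 2.6 is no longer supported" and "Dropped Python 3.2 support" are removals, not deprecations, and this same commit created a "Backward Incompatibilities" heading that is the right home for them; only the Python 3.3 entry (removal planned for 1.8) belongs under "Deprecations". With that heading in place, the "(Deprecation)" prefix on the 3.3 entry is redundant.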
From: Michael Merickel Date: Fri, 15 Apr 2016 00:33:20 -0500 Subject: curate the changelog --- CHANGES.txt | 350 +++++------------------------------------------------------- 1 file changed, 24 insertions(+), 326 deletions(-) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index ead9eb4b9..bc4b1aa79 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -11,12 +11,28 @@ Backward Incompatibilities This change does mean that any existing auth tickets (and associated cookies) will no longer be valid, and users will no longer be logged in, and have to - login to their accounts again. No other backwards incompatible changes have - been made. + login to their accounts again. + + See https://github.com/Pylons/pyramid/pull/2496 Features -------- +- Added a new setting, ``pyramid.require_default_csrf`` which may be used + to turn on CSRF checks globally for every POST request in the application. + This should be considered a good default for websites built on Pyramid. + It is possible to opt-out of CSRF checks on a per-view basis by setting + ``require_csrf=False`` on those views. + See https://github.com/Pylons/pyramid/pull/2413 + +- Added a ``require_csrf`` view option which will enforce CSRF checks on POST + requests. If the CSRF check fails a ``BadCSRFToken`` exception will be + raised and may be caught by exception views (the default response is a + ``400 Bad Request``). This option should be used in place of the deprecated + ``check_csrf`` view predicate which would normally result in unexpected + ``404 Not Found`` response to the client instead of a catchable exception. + See https://github.com/Pylons/pyramid/pull/2413 + - Pyramid HTTPExceptions will now take into account the best match for the clients Accept header, and depending on what is requested will return text/html, application/json or text/plain. The default for */* is still 
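Review bot: the ``pyramid.require_default_csrf`` entry says the check applies to "every POST request"; if PUT, PATCH and DELETE views are not covered, say so explicitly, because those are state-changing too and readers will otherwise assume a global setting protects them. The ``require_csrf`` entry is missing an article: "result in an unexpected ``404 Not Found`` response".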
@@ -36,7 +52,6 @@ Features stages of the pipeline such as the raw response from a view or prior to security checks. See https://github.com/Pylons/pyramid/pull/2021 - - Allow a leading ``=`` on the key of the request param predicate. For example, '=abc=1' is equivalent down to ``request.params['=abc'] == '1'``. @@ -87,7 +102,12 @@ Bug Fixes Deprecations ------------ -- (Deprecation) Support for Python 3.3 will be removed in Pyramid 1.8. +- The ``check_csrf`` view predicate has been deprecated. Use the + new ``require_csrf`` option or the ``pyramid.require_default_csrf`` setting + to ensure that the ``BadCSRFToken`` exception is raised. + See https://github.com/Pylons/pyramid/pull/2413 + +- Support for Python 3.3 will be removed in Pyramid 1.8. https://github.com/Pylons/pyramid/issues/2477 - Python 2.6 is no longer supported by Pyramid. See 
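Review bot: in the Deprecations hunk the Python 3.3 entry still lacks "See" before its URL, unlike the entries around it. The ``check_csrf`` deprecation says to use the new option "to ensure that the ``BadCSRFToken`` exception is raised" but not why that matters; one clause (a catchable 400 instead of the predicate's 404) makes the migration motivation self-contained.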
@@ -95,325 +115,3 @@ Deprecations - Dropped Python 3.2 support. See https://github.com/Pylons/pyramid/pull/2256 - - -1.6 (2015-04-14) -================ - -Backward Incompatibilities --------------------------- - -- IPython and BPython support have been removed from pshell in the core. - To continue using them on Pyramid 1.6+ you must install the binding - packages explicitly:: - - $ pip install pyramid_ipython - - or - - $ pip install pyramid_bpython - -Features --------- - -- pcreate will now ask for confirmation if invoked with - an argument for a project name that already exists or - is importable in the current environment. - See https://github.com/Pylons/pyramid/issues/1357 and - https://github.com/Pylons/pyramid/pull/1837 - -- Make it possible to subclass ``pyramid.request.Request`` and also use - ``pyramid.request.Request.add_request.method``. See - https://github.com/Pylons/pyramid/issues/1529 - -- The ``pyramid.config.Configurator`` has grown the ability to allow - actions to call other actions during a commit-cycle. This enables much more - logic to be placed into actions, such as the ability to invoke other actions - or group them for improved conflict detection. We have also exposed and - documented the config phases that Pyramid uses in order to further assist - in building conforming addons. - See https://github.com/Pylons/pyramid/pull/1513 - -- Add ``pyramid.request.apply_request_extensions`` function which can be - used in testing to apply any request extensions configured via - ``config.add_request_method``. Previously it was only possible to test - the extensions by going through Pyramid's router. - See https://github.com/Pylons/pyramid/pull/1581 - -- pcreate when run without a scaffold argument will now print information on - the missing flag, as well as a list of available scaffolds. - See https://github.com/Pylons/pyramid/pull/1566 and - https://github.com/Pylons/pyramid/issues/1297 - -- Added support / testing for 'pypy3' under Tox and Travis. 
- See https://github.com/Pylons/pyramid/pull/1469 - -- Automate code coverage metrics across py2 and py3 instead of just py2. - See https://github.com/Pylons/pyramid/pull/1471 - -- Cache busting for static resources has been added and is available via a new - ``pyramid.config.Configurator.add_cache_buster`` API. Core APIs are shipped - for both cache busting via query strings and via asset manifests for - integrating into custom asset pipelines. - See https://github.com/Pylons/pyramid/pull/1380 and - https://github.com/Pylons/pyramid/pull/1583 and - https://github.com/Pylons/pyramid/pull/2171 - -- Add ``pyramid.config.Configurator.root_package`` attribute and init - parameter to assist with includeable packages that wish to resolve - resources relative to the package in which the ``Configurator`` was created. - This is especially useful for addons that need to load asset specs from - settings, in which case it is may be natural for a developer to define - imports or assets relative to the top-level package. - See https://github.com/Pylons/pyramid/pull/1337 - -- Added line numbers to the log formatters in the scaffolds to assist with - debugging. See https://github.com/Pylons/pyramid/pull/1326 - -- Add new HTTP exception objects for status codes - ``428 Precondition Required``, ``429 Too Many Requests`` and - ``431 Request Header Fields Too Large`` in ``pyramid.httpexceptions``. - See https://github.com/Pylons/pyramid/pull/1372/files - -- The ``pshell`` script will now load a ``PYTHONSTARTUP`` file if one is - defined in the environment prior to launching the interpreter. - See https://github.com/Pylons/pyramid/pull/1448 - -- Make it simple to define notfound and forbidden views that wish to use - the default exception-response view but with altered predicates and other - configuration options. The ``view`` argument is now optional in - ``config.add_notfound_view`` and ``config.add_forbidden_view``.. 
- See https://github.com/Pylons/pyramid/issues/494 - -- Greatly improve the readability of the ``pcreate`` shell script output. - See https://github.com/Pylons/pyramid/pull/1453 - -- Improve robustness to timing attacks in the ``AuthTktCookieHelper`` and - the ``SignedCookieSessionFactory`` classes by using the stdlib's - ``hmac.compare_digest`` if it is available (such as Python 2.7.7+ and 3.3+). - See https://github.com/Pylons/pyramid/pull/1457 - -- Assets can now be overidden by an absolute path on the filesystem when using - the ``config.override_asset`` API. This makes it possible to fully support - serving up static content from a mutable directory while still being able - to use the ``request.static_url`` API and ``config.add_static_view``. - Previously it was not possible to use ``config.add_static_view`` with an - absolute path **and** generate urls to the content. This change replaces - the call, ``config.add_static_view('/abs/path', 'static')``, with - ``config.add_static_view('myapp:static', 'static')`` and - ``config.override_asset(to_override='myapp:static/', - override_with='/abs/path/')``. The ``myapp:static`` asset spec is completely - made up and does not need to exist - it is used for generating urls - via ``request.static_url('myapp:static/foo.png')``. - See https://github.com/Pylons/pyramid/issues/1252 - -- Added ``pyramid.config.Configurator.set_response_factory`` and the - ``response_factory`` keyword argument to the ``Configurator`` for defining - a factory that will return a custom ``Response`` class. - See https://github.com/Pylons/pyramid/pull/1499 - -- Allow an iterator to be returned from a renderer. Previously it was only - possible to return bytes or unicode. - See https://github.com/Pylons/pyramid/pull/1417 - -- ``pserve`` can now take a ``-b`` or ``--browser`` option to open the server - URL in a web browser. See https://github.com/Pylons/pyramid/pull/1533 - -- Overall improvments for the ``proutes`` command. 
Added ``--format`` and - ``--glob`` arguments to the command, introduced the ``method`` - column for displaying available request methods, and improved the ``view`` - output by showing the module instead of just ``__repr__``. - See https://github.com/Pylons/pyramid/pull/1488 - -- Support keyword-only arguments and function annotations in views in - Python 3. See https://github.com/Pylons/pyramid/pull/1556 - -- ``request.response`` will no longer be mutated when using the - ``pyramid.renderers.render_to_response()`` API. It is now necessary to - pass in a ``response=`` argument to ``render_to_response`` if you wish to - supply the renderer with a custom response object for it to use. If you - do not pass one then a response object will be created using the - application's ``IResponseFactory``. Almost all renderers - mutate the ``request.response`` response object (for example, the JSON - renderer sets ``request.response.content_type`` to ``application/json``). - However, when invoking ``render_to_response`` it is not expected that the - response object being returned would be the same one used later in the - request. The response object returned from ``render_to_response`` is now - explicitly different from ``request.response``. This does not change the - API of a renderer. See https://github.com/Pylons/pyramid/pull/1563 - -- The ``append_slash`` argument of ```Configurator().add_notfound_view()`` will - now accept anything that implements the ``IResponse`` interface and will use - that as the response class instead of the default ``HTTPFound``. See - https://github.com/Pylons/pyramid/pull/1610 - -- Additional shells for ``pshell`` can now be registered as entrypoints. See - https://github.com/Pylons/pyramid/pull/1891 and - https://github.com/Pylons/pyramid/pull/2012 - -- The variables injected into ``pshell`` are now displayed with their - docstrings instead of the default ``str(obj)`` when possible. 
- See https://github.com/Pylons/pyramid/pull/1929 - -- ``pserve --reload`` will no longer crash on syntax errors!!! - See https://github.com/Pylons/pyramid/pull/2044 - -Bug Fixes ---------- - -- Work around an issue where ``pserve --reload`` would leave terminal echo - disabled if it reloaded during a pdb session. - See https://github.com/Pylons/pyramid/pull/1577, - https://github.com/Pylons/pyramid/pull/1592 - -- ``pyramid.wsgi.wsgiapp`` and ``pyramid.wsgi.wsgiapp2`` now raise - ``ValueError`` when accidentally passed ``None``. - See https://github.com/Pylons/pyramid/pull/1320 - -- Fix an issue whereby predicates would be resolved as maybe_dotted in the - introspectable but not when passed for registration. This would mean that - ``add_route_predicate`` for example can not take a string and turn it into - the actual callable function. - See https://github.com/Pylons/pyramid/pull/1306 - -- Fix ``pyramid.testing.setUp`` to return a ``Configurator`` with a proper - package. Previously it was not possible to do package-relative includes - using the returned ``Configurator`` during testing. There is now a - ``package`` argument that can override this behavior as well. - See https://github.com/Pylons/pyramid/pull/1322 - -- Fix an issue where a ``pyramid.response.FileResponse`` may apply a charset - where it does not belong. See https://github.com/Pylons/pyramid/pull/1251 - -- Work around a bug introduced in Python 2.7.7 on Windows where - ``mimetypes.guess_type`` returns Unicode rather than str for the content - type, unlike any previous version of Python. See - https://github.com/Pylons/pyramid/issues/1360 for more information. - -- ``pcreate`` now normalizes the package name by converting hyphens to - underscores. See https://github.com/Pylons/pyramid/pull/1376 - -- Fix an issue with the final response/finished callback being unable to - add another callback to the list. 
See - https://github.com/Pylons/pyramid/pull/1373 - -- Fix a failing unittest caused by differing mimetypes across various OSs. - See https://github.com/Pylons/pyramid/issues/1405 - -- Fix route generation for static view asset specifications having no path. - See https://github.com/Pylons/pyramid/pull/1377 - -- Allow the ``pyramid.renderers.JSONP`` renderer to work even if there is no - valid request object. In this case it will not wrap the object in a - callback and thus behave just like the ``pyramid.renderers.JSON`` renderer. - See https://github.com/Pylons/pyramid/pull/1561 - -- Prevent "parameters to load are deprecated" ``DeprecationWarning`` - from setuptools>=11.3. See https://github.com/Pylons/pyramid/pull/1541 - -- Avoiding sharing the ``IRenderer`` objects across threads when attached to - a view using the `renderer=` argument. These renderers were instantiated - at time of first render and shared between requests, causing potentially - subtle effects like `pyramid.reload_templates = true` failing to work - in `pyramid_mako`. See https://github.com/Pylons/pyramid/pull/1575 - and https://github.com/Pylons/pyramid/issues/1268 - -- Avoiding timing attacks against CSRF tokens. - See https://github.com/Pylons/pyramid/pull/1574 - -- ``request.finished_callbacks`` and ``request.response_callbacks`` now - default to an iterable instead of ``None``. It may be checked for a length - of 0. This was the behavior in 1.5. - -- ``pyramid.httpexceptions.HTTPException`` now defaults to - ``520 Unknown Error`` instead of ``None None`` to conform with changes in - WebOb 1.5. - See https://github.com/Pylons/pyramid/pull/1865 - -- ``pshell`` will now preserve the capitalization of variables in the - ``[pshell]`` section of the INI file. This makes exposing classes to the - shell a little more straightfoward. 
- See https://github.com/Pylons/pyramid/pull/1883 - -- Fix an issue when user passes unparsed strings to ``pyramid.session.CookieSession`` - and ``pyramid.authentication.AuthTktCookieHelper`` for time related parameters - ``timeout``, ``reissue_time``, ``max_age`` that expect an integer value. - See https://github.com/Pylons/pyramid/pull/2050 - -- Fixed usage of ``pserve --monitor-restart --daemon`` which would fail in - horrible ways. See https://github.com/Pylons/pyramid/pull/2118 - -- Explicitly prevent ``pserve --reload --daemon`` from being used. It's never - been supported but would work and fail in weird ways. - See https://github.com/Pylons/pyramid/pull/2119 - -- Fix an issue on Windows when running ``pserve --reload`` in which the - process failed to fork because it could not find the pserve script to - run. See https://github.com/Pylons/pyramid/pull/2137 - -- Ensure that ``IAssetDescriptor.abspath`` always returns an absolute path. - There were cases depending on the process CWD that a relative path would - be returned. See https://github.com/Pylons/pyramid/issues/2187 - - -Deprecations ------------- - -- The ``pserve`` command's daemonization features have been deprecated as well - as ``--monitor-restart``. This includes the ``[start,stop,restart,status]`` - subcommands as well as the ``--daemon``, ``--stop-daemon``, ``--pid-file``, - ``--status``, ``--user`` and ``--group`` flags. - See https://github.com/Pylons/pyramid/pull/2120 - and https://github.com/Pylons/pyramid/pull/2189 - and https://github.com/Pylons/pyramid/pull/1641 - - Please use a real process manager in the future instead of relying on the - ``pserve`` to daemonize itself. Many options exist including your Operating - System's services such as Systemd or Upstart, as well as Python-based - solutions like Circus and Supervisor. 
- - See https://github.com/Pylons/pyramid/pull/1641 - and https://github.com/Pylons/pyramid/pull/2120 - -- Renamed the ``principal`` argument to ``pyramid.security.remember()`` to - ``userid`` in order to clarify its intended purpose. - See https://github.com/Pylons/pyramid/pull/1399 - -Docs ----- - -- Moved the documentation for ``accept`` on ``Configurator.add_view`` to no - longer be part of the predicate list. See - https://github.com/Pylons/pyramid/issues/1391 for a bug report stating - ``not_`` was failing on ``accept``. Discussion with @mcdonc led to the - conclusion that it should not be documented as a predicate. - See https://github.com/Pylons/pyramid/pull/1487 for this PR - -- Removed logging configuration from Quick Tutorial ini files except for - scaffolding- and logging-related chapters to avoid needing to explain it too - early. - -- Clarify a previously-implied detail of the ``ISession.invalidate`` API - documentation. - -- Improve and clarify the documentation on what Pyramid defines as a - ``principal`` and a ``userid`` in its security APIs. - See https://github.com/Pylons/pyramid/pull/1399 - -- Add documentation of command line programs (``p*`` scripts). See - https://github.com/Pylons/pyramid/pull/2191 - -Scaffolds ---------- - -- Update scaffold generating machinery to return the version of pyramid and - pyramid docs for use in scaffolds. Updated starter, alchemy and zodb - templates to have links to correctly versioned documentation and reflect - which pyramid was used to generate the scaffold. - -- Removed non-ascii copyright symbol from templates, as this was - causing the scaffolds to fail for project generation. - -- You can now run the scaffolding func tests via ``tox py2-scaffolds`` and - ``tox py3-scaffolds``. - -- cgit v1.2.3 From 1799be9dd8666d10d6b4a04a9b75fc57f8626c6f Mon Sep 17 00:00:00 2001 
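Review bot: this hunk deletes the entire "1.6 (2015-04-14)" section (roughly 320 lines) from CHANGES.txt with nothing added in its place; before merging, confirm those entries were moved into a history file, since the diff only shows removal and the 1.6 notes include security-relevant items users upgrading across versions still need (the ``hmac.compare_digest`` timing-attack hardening in ``AuthTktCookieHelper`` and ``SignedCookieSessionFactory``, the CSRF token timing fix, and the ``principal`` to ``userid`` rename on ``pyramid.security.remember()``).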
From: Bert JW Regeer Date: Fri, 15 Apr 2016 16:44:55 -0600 Subject: Update CHANGES/whatsnew-1.7 for updated require_csrf --- CHANGES.txt | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index bc4b1aa79..0a7bdef1a 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -25,13 +25,15 @@ Features ``require_csrf=False`` on those views. See https://github.com/Pylons/pyramid/pull/2413 -- Added a ``require_csrf`` view option which will enforce CSRF checks on POST - requests. If the CSRF check fails a ``BadCSRFToken`` exception will be - raised and may be caught by exception views (the default response is a - ``400 Bad Request``). This option should be used in place of the deprecated - ``check_csrf`` view predicate which would normally result in unexpected - ``404 Not Found`` response to the client instead of a catchable exception. - See https://github.com/Pylons/pyramid/pull/2413 +- Added a ``require_csrf`` view option which will enforce CSRF checks on any + request with an unsafe method as defined by RFC2616. If the CSRF check fails + a ``BadCSRFToken`` exception will be raised and may be caught by exception + views (the default response is a ``400 Bad Request``). This option should be + used in place of the deprecated ``check_csrf`` view predicate which would + normally result in unexpected ``404 Not Found`` response to the client + instead of a catchable exception. See + https://github.com/Pylons/pyramid/pull/2413 and + https://github.com/Pylons/pyramid/pull/2500 - Pyramid HTTPExceptions will now take into account the best match for the clients Accept header, and depending on what is requested will return -- cgit v1.2.3 From 65dee6e4ca0c0c607e97db0c9e55768f10591a58 Mon Sep 17 00:00:00 2001 
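Review bot: "any request with an unsafe method as defined by RFC2616" leaves the reader to work out which methods the ``require_csrf`` check skips; list the safe methods explicitly. RFC 2616 only calls GET and HEAD "safe" (OPTIONS and TRACE are discussed under idempotence), whereas RFC 7231, which obsoletes it, lists GET, HEAD, OPTIONS and TRACE as safe, so the choice of reference changes which routes are protected; cite the RFC the implementation actually follows and spell out the list.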
From: Donald Stufft Date: Fri, 15 Apr 2016 20:42:20 -0400 Subject: In addition to CSRF token, verify the origin too Add an additional layer of protection against CSRF by verifying the actual origin of the request in addition to the CSRF token. We only do this check on sites hosted behind HTTPS because only HTTPS sites have evidence to show that the Referrer header is not being spuriously removed by random middleware boxes. --- CHANGES.txt | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 0a7bdef1a..0cd2c0c9a 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -35,6 +35,18 @@ Features https://github.com/Pylons/pyramid/pull/2413 and https://github.com/Pylons/pyramid/pull/2500 +- Added an additional CSRF validation that checks the origin/referrer of a + request and makes sure it matches the current ``request.domain``. This + particular check is only active when accessing a site over HTTPS as otherwise + browsers don't always send the required information. If this additional CSRF + validation fails a ``BadCSRFOrigin`` exception will be raised and may be + caught by exception views (the default response is ``400 Bad Request``). + Additional allowed origins may be configured by setting + ``pyramid.csrf_trusted_origins`` to a list of domain names (with ports if on + a non standard port) to allow. Subdomains are not allowed unless the domain + name has been prefixed with a ``.``. See: + https://github.com/Pylons/pyramid/pull/2501 + - Pyramid HTTPExceptions will now take into account the best match for the clients Accept header, and depending on what is requested will return text/html, application/json or text/plain. The default for */* is still -- cgit v1.2.3 From 8ceb14f9fe014fd18a12ec3f3da7099cbed15c28 Mon Sep 17 00:00:00 2001 
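Review bot: the new entry does not say what the check does when an HTTPS request carries neither an ``Origin`` nor a ``Referer`` header (reject, or fall back to the token-only check); since the commit message motivates the HTTPS-only rule by header stripping, that is exactly the case readers will ask about, so state it. The entry's reason ("browsers don't always send the required information") also differs from the commit message's (middleboxes removing the Referrer); align the two. It would help to say how ``request.domain`` is derived (the Host as seen by the application), since behind a reverse proxy that is what the comparison runs against and ``pyramid.csrf_trusted_origins`` is the escape hatch. Style: "See:" with a colon differs from the "See https://" form used by the surrounding entries.

As an added illustration of the origin check this commit describes (example code written for this page, not Pyramid's ``check_csrf_origin`` implementation): the check is applied only over HTTPS, reads ``Origin`` and falls back to ``Referer``, requires the origin to match the request's host (with port when non-standard), and consults a trusted-origins list where a leading ``.`` also admits subdomains. Assumptions of mine that the commit does not state: a missing or unparsable header is rejected (fail closed), a non-HTTPS origin is rejected, and a leading-dot entry also matches the bare domain. The helper names and the sample requests are constructed.

```python
from urllib.parse import urlsplit

# Example code added for this page; not Pyramid's own check_csrf_origin.
DEFAULT_PORTS = {"https": 443, "http": 80}


def parse_origin(value):
    """Parse an Origin/Referer value (or 'https://host[:port]') into
    (scheme, host, port); port is None when it is the scheme's default.
    Returns None when the value is not a usable absolute URL ('null',
    a bare path, a non-numeric port, ...)."""
    try:
        parts = urlsplit(value.strip())
        host, port = parts.hostname, parts.port   # .port raises on junk
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not host:
        return None
    if port == DEFAULT_PORTS[scheme]:
        port = None
    return scheme, host.lower(), port


def _header(headers, name):
    """Case-insensitive lookup in a plain dict of request headers."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return None


def _host_matches(origin, pattern, allow_subdomains):
    """Exact host:port match, or a subdomain match when the pattern came
    from a leading-dot trusted entry."""
    _, ohost, oport = origin
    _, phost, pport = pattern
    if oport != pport:
        return False
    if ohost == phost:
        return True
    return allow_subdomains and ohost.endswith("." + phost)


def check_csrf_origin(scheme, request_host, headers, trusted_origins=()):
    """Return (allowed, reason) for one request.

    scheme/request_host are the request's own scheme and 'host[:port]';
    trusted_origins is a list such as ['partner.test:8443', '.example.com']."""
    if scheme.lower() != "https":
        # As in the commit: over plain HTTP the headers may have been
        # stripped in transit, so their absence proves nothing.
        return True, "plain http: origin check not applied"
    value = _header(headers, "Origin") or _header(headers, "Referer")
    if not value:
        # Assumption (not stated in the commit): fail closed.
        return False, "no Origin or Referer header"
    origin = parse_origin(value)
    if origin is None or origin[0] != "https":
        # Assumption: an unparsable or non-HTTPS origin is rejected.
        return False, "unparsable or non-https origin: %r" % value
    expected = parse_origin("https://" + request_host)
    if expected is None:
        return False, "request host %r is not usable" % request_host
    if _host_matches(origin, expected, allow_subdomains=False):
        return True, "origin matches request domain"
    for entry in trusted_origins:
        wildcard = entry.startswith(".")          # '.example.com' -> subdomains too
        pattern = parse_origin("https://" + entry.lstrip("."))
        if pattern and _host_matches(origin, pattern, wildcard):
            return True, "origin allowed by trusted entry %r" % entry
    return False, "origin %r does not match %r" % (value, request_host)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("https", "shop.example.com", {"Origin": "https://shop.example.com"}, ()),
        ("https", "shop.example.com", {"Referer": "https://evil.test/form"}, ()),
        ("https", "shop.example.com", {"Origin": "https://api.shop.example.com"}, ()),
        ("https", "shop.example.com", {"Origin": "https://api.shop.example.com"},
         (".shop.example.com",)),
        ("https", "shop.example.com", {}, ()),
        ("http", "shop.example.com", {}, ()),
    ]
    for s, h, hdrs, trusted in samples:
        print(h, hdrs, trusted, "->", check_csrf_origin(s, h, hdrs, trusted))
```

The function deliberately returns a reason string next to the boolean so that a caller can log why a request was refused; in a deployment that is what lets you tell a genuine cross-site request from a misconfigured proxy that rewrites ``Host`` or a client that strips ``Referer``.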
From: Michael Merickel Date: Sat, 16 Apr 2016 15:32:11 -0500 Subject: add docs and backward incompatibility notices for #2501 --- CHANGES.txt | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 0cd2c0c9a..d316594bc 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -15,6 +15,10 @@ Backward Incompatibilities See https://github.com/Pylons/pyramid/pull/2496 +- The ``check_csrf_token`` function no longer validates a csrf token in the + query string of a request. Only headers and request bodies are supported. + See https://github.com/Pylons/pyramid/pull/2500 + Features -------- @@ -44,14 +48,18 @@ Features Additional allowed origins may be configured by setting ``pyramid.csrf_trusted_origins`` to a list of domain names (with ports if on a non standard port) to allow. Subdomains are not allowed unless the domain - name has been prefixed with a ``.``. See: + name has been prefixed with a ``.``. See https://github.com/Pylons/pyramid/pull/2501 +- Added a new ``pyramid.session.check_csrf_origin`` API for validating the + origin or referrer headers against the request's domain. + See https://github.com/Pylons/pyramid/pull/2501 + - Pyramid HTTPExceptions will now take into account the best match for the clients Accept header, and depending on what is requested will return text/html, application/json or text/plain. The default for */* is still text/html, but if application/json is explicitly mentioned it will now - receive a valid JSON response. See: + receive a valid JSON response. See https://github.com/Pylons/pyramid/pull/2489 - A new event and interface (BeforeTraversal) has been introduced that will -- cgit v1.2.3
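Review bot: the Backward Incompatibilities entry states that ``check_csrf_token`` no longer reads the token from the query string but gives neither the reason nor the migration path; add a clause on why (a token in the query string ends up in server logs, browser history and outgoing ``Referer`` headers) and name the header and body parameter names that are still accepted, so readers move forms and AJAX calls to those rather than re-enabling the query-string path in their own code.

Review bot: the new ``pyramid.session.check_csrf_origin`` entry should say how failure is reported (the entry above it says the automatic check raises ``BadCSRFOrigin``; does the function raise the same exception or return a boolean like a predicate?) and whether it applies ``pyramid.csrf_trusted_origins`` and the HTTPS-only rule, so that callers invoking it from their own views get the same policy as the built-in check. The "See:" to "See" cleanups in this hunk are fine.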