forked from Pylons/pyramid
-
Notifications
You must be signed in to change notification settings - Fork 0
/
HISTORY.txt
5269 lines (3970 loc) · 217 KB
/
HISTORY.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1.7 (2016-05-19)
================
- Fix a bug in the wiki2 tutorial where bcrypt is always expecting byte
strings. See https://github.com/Pylons/pyramid/pull/2576
- Simplify windows detection code and remove some duplicated data.
See https://github.com/Pylons/pyramid/pull/2585 and
https://github.com/Pylons/pyramid/pull/2586
1.7b4 (2016-05-12)
==================
- Fixed the exception view tween to re-raise the original exception if
no exception view could be found to handle the exception. This better
allows tweens further up the chain to handle exceptions that were
left unhandled. Previously they would be converted into a
``PredicateMismatch`` exception if predicates failed to allow the view to
handle the exception.
See https://github.com/Pylons/pyramid/pull/2567
- Exposed the ``pyramid.interfaces.IRequestFactory`` interface to mirror
the public ``pyramid.interfaces.IResponseFactory`` interface.
1.7b3 (2016-05-10)
==================
- Fix ``request.invoke_exception_view`` to raise an ``HTTPNotFound``
exception if no view is matched. Previously ``None`` would be returned
if no views were matched and a ``PredicateMismatch`` would be raised if
a view "almost" matched (a view was found matching the context).
See https://github.com/Pylons/pyramid/pull/2564
- Add defaults for py.test configuration and coverage to all three scaffolds,
and update documentation accordingly.
See https://github.com/Pylons/pyramid/pull/2550
- Add ``linkcheck`` to ``Makefile`` for Sphinx. To check the documentation for
broken links, use the command ``make linkcheck
SPHINXBUILD=$VENV/bin/sphinx-build``. Also removed and fixed dozens of broken
external links.
- Fix the internal runner for scaffold tests to ensure they work with pip
and py.test.
See https://github.com/Pylons/pyramid/pull/2565
1.7b2 (2016-05-01)
==================
- Removed inclusion of pyramid_tm in development.ini for alchemy scaffold
See https://github.com/Pylons/pyramid/issues/2538
- A default permission set via ``config.set_default_permission`` will no
longer be enforced on an exception view. This has been the case for a while
with the default exception views (``config.add_notfound_view`` and
``config.add_forbidden_view``), however for any other exception view a
developer had to remember to set ``permission=NO_PERMISSION_REQUIRED`` or
be surprised when things didn't work. It is still possible to force a
permission check on an exception view by setting the ``permission`` argument
manually to ``config.add_view``. This behavior is consistent with the new
CSRF features added in the 1.7 series.
See https://github.com/Pylons/pyramid/pull/2534
1.7b1 (2016-04-25)
==================
- This release announces the beta period for 1.7.
- Fix an issue where some files were being included in the alchemy scafffold
which had been removed from the 1.7 series.
See https://github.com/Pylons/pyramid/issues/2525
1.7a2 (2016-04-19)
==================
Features
--------
- Automatic CSRF checks are now disabled by default on exception views. They
can be turned back on by setting the appropriate `require_csrf` option on
the view.
See https://github.com/Pylons/pyramid/pull/2517
- The automatic CSRF API was reworked to use a config directive for
setting the options. The ``pyramid.require_default_csrf`` setting is
no longer supported. Instead, a new ``config.set_default_csrf_options``
directive has been introduced that allows the developer to specify
the default value for ``require_csrf`` as well as change the CSRF token,
header and safe request methods. The ``pyramid.csrf_trusted_origins``
setting is still supported.
See https://github.com/Pylons/pyramid/pull/2518
Bug fixes
---------
- CSRF origin checks had a bug causing the checks to always fail.
See https://github.com/Pylons/pyramid/pull/2512
- Fix the test suite to pass on windows.
See https://github.com/Pylons/pyramid/pull/2520
1.7a1 (2016-04-16)
==================
Backward Incompatibilities
--------------------------
- Following the Pyramid deprecation period (1.4 -> 1.6),
AuthTktAuthenticationPolicy's default hashing algorithm is changing from md5
to sha512. If you are using the authentication policy and need to continue
using md5, please explicitly set hashalg to 'md5'.
This change does mean that any existing auth tickets (and associated cookies)
will no longer be valid, and users will no longer be logged in, and have to
login to their accounts again.
See https://github.com/Pylons/pyramid/pull/2496
- The ``check_csrf_token`` function no longer validates a csrf token in the
query string of a request. Only headers and request bodies are supported.
See https://github.com/Pylons/pyramid/pull/2500
Features
--------
- Added a new setting, ``pyramid.require_default_csrf`` which may be used
to turn on CSRF checks globally for every POST request in the application.
This should be considered a good default for websites built on Pyramid.
It is possible to opt-out of CSRF checks on a per-view basis by setting
``require_csrf=False`` on those views.
See https://github.com/Pylons/pyramid/pull/2413
- Added a ``require_csrf`` view option which will enforce CSRF checks on any
request with an unsafe method as defined by RFC2616. If the CSRF check fails
a ``BadCSRFToken`` exception will be raised and may be caught by exception
views (the default response is a ``400 Bad Request``). This option should be
used in place of the deprecated ``check_csrf`` view predicate which would
normally result in unexpected ``404 Not Found`` response to the client
instead of a catchable exception. See
https://github.com/Pylons/pyramid/pull/2413 and
https://github.com/Pylons/pyramid/pull/2500
- Added an additional CSRF validation that checks the origin/referrer of a
request and makes sure it matches the current ``request.domain``. This
particular check is only active when accessing a site over HTTPS as otherwise
browsers don't always send the required information. If this additional CSRF
validation fails a ``BadCSRFOrigin`` exception will be raised and may be
caught by exception views (the default response is ``400 Bad Request``).
Additional allowed origins may be configured by setting
``pyramid.csrf_trusted_origins`` to a list of domain names (with ports if on
a non standard port) to allow. Subdomains are not allowed unless the domain
name has been prefixed with a ``.``. See
https://github.com/Pylons/pyramid/pull/2501
- Added a new ``pyramid.session.check_csrf_origin`` API for validating the
origin or referrer headers against the request's domain.
See https://github.com/Pylons/pyramid/pull/2501
- Pyramid HTTPExceptions will now take into account the best match for the
clients Accept header, and depending on what is requested will return
text/html, application/json or text/plain. The default for */* is still
text/html, but if application/json is explicitly mentioned it will now
receive a valid JSON response. See
https://github.com/Pylons/pyramid/pull/2489
- A new event and interface (BeforeTraversal) has been introduced that will
notify listeners before traversal starts in the router. See
https://github.com/Pylons/pyramid/pull/2469 and
https://github.com/Pylons/pyramid/pull/1876
- Add a new "view deriver" concept to Pyramid to allow framework authors to
inject elements into the standard Pyramid view pipeline and affect all
views in an application. This is similar to a decorator except that it
has access to options passed to ``config.add_view`` and can affect other
stages of the pipeline such as the raw response from a view or prior to
security checks. See https://github.com/Pylons/pyramid/pull/2021
- Allow a leading ``=`` on the key of the request param predicate.
For example, '=abc=1' is equivalent down to
``request.params['=abc'] == '1'``.
See https://github.com/Pylons/pyramid/pull/1370
- A new ``request.invoke_exception_view(...)`` method which can be used to
invoke an exception view and get back a response. This is useful for
rendering an exception view outside of the context of the excview tween
where you may need more control over the request.
See https://github.com/Pylons/pyramid/pull/2393
- Allow using variable substitutions like ``%(LOGGING_LOGGER_ROOT_LEVEL)s``
for logging sections of the .ini file and populate these variables from
the ``pserve`` command line -- e.g.:
``pserve development.ini LOGGING_LOGGER_ROOT_LEVEL=DEBUG``
See https://github.com/Pylons/pyramid/pull/2399
Documentation Changes
---------------------
- A complete overhaul of the docs:
- Use pip instead of easy_install.
- Become opinionated by preferring Python 3.4 or greater to simplify
installation of Python and its required packaging tools.
- Use venv for the tool, and virtual environment for the thing created,
instead of virtualenv.
- Use py.test and pytest-cov instead of nose and coverage.
- Further updates to the scaffolds as well as tutorials and their src files.
See https://github.com/Pylons/pyramid/pull/2468
- A complete overhaul of the ``alchemy`` scaffold as well as the
Wiki2 SQLAlchemy + URLDispatch tutorial to introduce more modern features
into the usage of SQLAlchemy with Pyramid and provide a better starting
point for new projects.
See https://github.com/Pylons/pyramid/pull/2024
Bug Fixes
---------
- Fix ``pserve --browser`` to use the ``--server-name`` instead of the
app name when selecting a section to use. This was only working for people
who had server and app sections with the same name, for example
``[app:main]`` and ``[server:main]``.
See https://github.com/Pylons/pyramid/pull/2292
Deprecations
------------
- The ``check_csrf`` view predicate has been deprecated. Use the
new ``require_csrf`` option or the ``pyramid.require_default_csrf`` setting
to ensure that the ``BadCSRFToken`` exception is raised.
See https://github.com/Pylons/pyramid/pull/2413
- Support for Python 3.3 will be removed in Pyramid 1.8.
https://github.com/Pylons/pyramid/issues/2477
- Python 2.6 is no longer supported by Pyramid. See
https://github.com/Pylons/pyramid/issues/2368
- Dropped Python 3.2 support.
See https://github.com/Pylons/pyramid/pull/2256
1.6 (2016-01-03)
================
Deprecations
------------
- Continue removal of ``pserve`` daemon/process management features
by deprecating ``--user`` and ``--group`` options.
See https://github.com/Pylons/pyramid/pull/2190
1.6b3 (2015-12-17)
==================
Backward Incompatibilities
--------------------------
- Remove the ``cachebust`` option from ``config.add_static_view``. See
``config.add_cache_buster`` for the new way to attach cache busters to
static assets.
See https://github.com/Pylons/pyramid/pull/2186
- Modify the ``pyramid.interfaces.ICacheBuster`` API to be a simple callable
instead of an object with ``match`` and ``pregenerate`` methods. Cache
busters are now focused solely on generation. Matching has been dropped.
Note this affects usage of ``pyramid.static.QueryStringCacheBuster`` and
``pyramid.static.ManifestCacheBuster``.
See https://github.com/Pylons/pyramid/pull/2186
Features
--------
- Add a new ``config.add_cache_buster`` API for attaching cache busters to
static assets. See https://github.com/Pylons/pyramid/pull/2186
Bug Fixes
---------
- Ensure that ``IAssetDescriptor.abspath`` always returns an absolute path.
There were cases depending on the process CWD that a relative path would
be returned. See https://github.com/Pylons/pyramid/issues/2188
1.6b2 (2015-10-15)
==================
Features
--------
- Allow asset specifications to be supplied to
``pyramid.static.ManifestCacheBuster`` instead of requiring a
filesystem path.
1.6b1 (2015-10-15)
==================
Backward Incompatibilities
--------------------------
- IPython and BPython support have been removed from pshell in the core.
To continue using them on Pyramid 1.6+ you must install the binding
packages explicitly::
$ pip install pyramid_ipython
or
$ pip install pyramid_bpython
- Remove default cache busters introduced in 1.6a1 including
``PathSegmentCacheBuster``, ``PathSegmentMd5CacheBuster``, and
``QueryStringMd5CacheBuster``.
See https://github.com/Pylons/pyramid/pull/2116
Features
--------
- Additional shells for ``pshell`` can now be registered as entrypoints. See
https://github.com/Pylons/pyramid/pull/1891 and
https://github.com/Pylons/pyramid/pull/2012
- The variables injected into ``pshell`` are now displayed with their
docstrings instead of the default ``str(obj)`` when possible.
See https://github.com/Pylons/pyramid/pull/1929
- Add new ``pyramid.static.ManifestCacheBuster`` for use with external
asset pipelines as well as examples of common usages in the narrative.
See https://github.com/Pylons/pyramid/pull/2116
- Fix ``pserve --reload`` to not crash on syntax errors!!!
See https://github.com/Pylons/pyramid/pull/2125
- Fix an issue when user passes unparsed strings to ``pyramid.session.CookieSession``
and ``pyramid.authentication.AuthTktCookieHelper`` for time related parameters
``timeout``, ``reissue_time``, ``max_age`` that expect an integer value.
See https://github.com/Pylons/pyramid/pull/2050
Bug Fixes
---------
- ``pyramid.httpexceptions.HTTPException`` now defaults to
``520 Unknown Error`` instead of ``None None`` to conform with changes in
WebOb 1.5.
See https://github.com/Pylons/pyramid/pull/1865
- ``pshell`` will now preserve the capitalization of variables in the
``[pshell]`` section of the INI file. This makes exposing classes to the
shell a little more straightfoward.
See https://github.com/Pylons/pyramid/pull/1883
- Fixed usage of ``pserve --monitor-restart --daemon`` which would fail in
horrible ways. See https://github.com/Pylons/pyramid/pull/2118
- Explicitly prevent ``pserve --reload --daemon`` from being used. It's never
been supported but would work and fail in weird ways.
See https://github.com/Pylons/pyramid/pull/2119
- Fix an issue on Windows when running ``pserve --reload`` in which the
process failed to fork because it could not find the pserve script to
run. See https://github.com/Pylons/pyramid/pull/2138
Deprecations
------------
- Deprecate ``pserve --monitor-restart`` in favor of user's using a real
process manager such as Systemd or Upstart as well as Python-based
solutions like Circus and Supervisor.
See https://github.com/Pylons/pyramid/pull/2120
1.6a2 (2015-06-30)
==================
Bug Fixes
---------
- Ensure that ``pyramid.httpexceptions.exception_response`` returns the
appropriate "concrete" class for ``400`` and ``500`` status codes.
See https://github.com/Pylons/pyramid/issues/1832
- Fix an infinite recursion bug introduced in 1.6a1 when
``pyramid.view.render_view_to_response`` was called directly or indirectly.
See https://github.com/Pylons/pyramid/issues/1643
- Further fix the JSONP renderer by prefixing the returned content with
a comment. This should mitigate attacks from Flash (See CVE-2014-4671).
See https://github.com/Pylons/pyramid/pull/1649
- Allow periods and brackets (``[]``) in the JSONP callback. The original
fix was overly-restrictive and broke Angular.
See https://github.com/Pylons/pyramid/pull/1649
1.6a1 (2015-04-15)
==================
Features
--------
- pcreate will now ask for confirmation if invoked with
an argument for a project name that already exists or
is importable in the current environment.
See https://github.com/Pylons/pyramid/issues/1357 and
https://github.com/Pylons/pyramid/pull/1837
- Make it possible to subclass ``pyramid.request.Request`` and also use
``pyramid.request.Request.add_request.method``. See
https://github.com/Pylons/pyramid/issues/1529
- The ``pyramid.config.Configurator`` has grown the ability to allow
actions to call other actions during a commit-cycle. This enables much more
logic to be placed into actions, such as the ability to invoke other actions
or group them for improved conflict detection. We have also exposed and
documented the config phases that Pyramid uses in order to further assist
in building conforming addons.
See https://github.com/Pylons/pyramid/pull/1513
- Add ``pyramid.request.apply_request_extensions`` function which can be
used in testing to apply any request extensions configured via
``config.add_request_method``. Previously it was only possible to test
the extensions by going through Pyramid's router.
See https://github.com/Pylons/pyramid/pull/1581
- pcreate when run without a scaffold argument will now print information on
the missing flag, as well as a list of available scaffolds.
See https://github.com/Pylons/pyramid/pull/1566 and
https://github.com/Pylons/pyramid/issues/1297
- Added support / testing for 'pypy3' under Tox and Travis.
See https://github.com/Pylons/pyramid/pull/1469
- Automate code coverage metrics across py2 and py3 instead of just py2.
See https://github.com/Pylons/pyramid/pull/1471
- Cache busting for static resources has been added and is available via a new
argument to ``pyramid.config.Configurator.add_static_view``: ``cachebust``.
Core APIs are shipped for both cache busting via query strings and
path segments and may be extended to fit into custom asset pipelines.
See https://github.com/Pylons/pyramid/pull/1380 and
https://github.com/Pylons/pyramid/pull/1583
- Add ``pyramid.config.Configurator.root_package`` attribute and init
parameter to assist with includeable packages that wish to resolve
resources relative to the package in which the ``Configurator`` was created.
This is especially useful for addons that need to load asset specs from
settings, in which case it is may be natural for a developer to define
imports or assets relative to the top-level package.
See https://github.com/Pylons/pyramid/pull/1337
- Added line numbers to the log formatters in the scaffolds to assist with
debugging. See https://github.com/Pylons/pyramid/pull/1326
- Add new HTTP exception objects for status codes
``428 Precondition Required``, ``429 Too Many Requests`` and
``431 Request Header Fields Too Large`` in ``pyramid.httpexceptions``.
See https://github.com/Pylons/pyramid/pull/1372/files
- The ``pshell`` script will now load a ``PYTHONSTARTUP`` file if one is
defined in the environment prior to launching the interpreter.
See https://github.com/Pylons/pyramid/pull/1448
- Make it simple to define notfound and forbidden views that wish to use
the default exception-response view but with altered predicates and other
configuration options. The ``view`` argument is now optional in
``config.add_notfound_view`` and ``config.add_forbidden_view``..
See https://github.com/Pylons/pyramid/issues/494
- Greatly improve the readability of the ``pcreate`` shell script output.
See https://github.com/Pylons/pyramid/pull/1453
- Improve robustness to timing attacks in the ``AuthTktCookieHelper`` and
the ``SignedCookieSessionFactory`` classes by using the stdlib's
``hmac.compare_digest`` if it is available (such as Python 2.7.7+ and 3.3+).
See https://github.com/Pylons/pyramid/pull/1457
- Assets can now be overidden by an absolute path on the filesystem when using
the ``config.override_asset`` API. This makes it possible to fully support
serving up static content from a mutable directory while still being able
to use the ``request.static_url`` API and ``config.add_static_view``.
Previously it was not possible to use ``config.add_static_view`` with an
absolute path **and** generate urls to the content. This change replaces
the call, ``config.add_static_view('/abs/path', 'static')``, with
``config.add_static_view('myapp:static', 'static')`` and
``config.override_asset(to_override='myapp:static/',
override_with='/abs/path/')``. The ``myapp:static`` asset spec is completely
made up and does not need to exist - it is used for generating urls
via ``request.static_url('myapp:static/foo.png')``.
See https://github.com/Pylons/pyramid/issues/1252
- Added ``pyramid.config.Configurator.set_response_factory`` and the
``response_factory`` keyword argument to the ``Configurator`` for defining
a factory that will return a custom ``Response`` class.
See https://github.com/Pylons/pyramid/pull/1499
- Allow an iterator to be returned from a renderer. Previously it was only
possible to return bytes or unicode.
See https://github.com/Pylons/pyramid/pull/1417
- ``pserve`` can now take a ``-b`` or ``--browser`` option to open the server
URL in a web browser. See https://github.com/Pylons/pyramid/pull/1533
- Overall improvments for the ``proutes`` command. Added ``--format`` and
``--glob`` arguments to the command, introduced the ``method``
column for displaying available request methods, and improved the ``view``
output by showing the module instead of just ``__repr__``.
See https://github.com/Pylons/pyramid/pull/1488
- Support keyword-only arguments and function annotations in views in
Python 3. See https://github.com/Pylons/pyramid/pull/1556
- ``request.response`` will no longer be mutated when using the
``pyramid.renderers.render_to_response()`` API. It is now necessary to
pass in a ``response=`` argument to ``render_to_response`` if you wish to
supply the renderer with a custom response object for it to use. If you
do not pass one then a response object will be created using the
application's ``IResponseFactory``. Almost all renderers
mutate the ``request.response`` response object (for example, the JSON
renderer sets ``request.response.content_type`` to ``application/json``).
However, when invoking ``render_to_response`` it is not expected that the
response object being returned would be the same one used later in the
request. The response object returned from ``render_to_response`` is now
explicitly different from ``request.response``. This does not change the
API of a renderer. See https://github.com/Pylons/pyramid/pull/1563
- The ``append_slash`` argument of ```Configurator().add_notfound_view()`` will
now accept anything that implements the ``IResponse`` interface and will use
that as the response class instead of the default ``HTTPFound``. See
https://github.com/Pylons/pyramid/pull/1610
Bug Fixes
---------
- The JSONP renderer created JavaScript code in such a way that a callback
variable could be used to arbitrarily inject javascript into the response
object. https://github.com/Pylons/pyramid/pull/1627
- Work around an issue where ``pserve --reload`` would leave terminal echo
disabled if it reloaded during a pdb session.
See https://github.com/Pylons/pyramid/pull/1577,
https://github.com/Pylons/pyramid/pull/1592
- ``pyramid.wsgi.wsgiapp`` and ``pyramid.wsgi.wsgiapp2`` now raise
``ValueError`` when accidentally passed ``None``.
See https://github.com/Pylons/pyramid/pull/1320
- Fix an issue whereby predicates would be resolved as maybe_dotted in the
introspectable but not when passed for registration. This would mean that
``add_route_predicate`` for example can not take a string and turn it into
the actual callable function.
See https://github.com/Pylons/pyramid/pull/1306
- Fix ``pyramid.testing.setUp`` to return a ``Configurator`` with a proper
package. Previously it was not possible to do package-relative includes
using the returned ``Configurator`` during testing. There is now a
``package`` argument that can override this behavior as well.
See https://github.com/Pylons/pyramid/pull/1322
- Fix an issue where a ``pyramid.response.FileResponse`` may apply a charset
where it does not belong. See https://github.com/Pylons/pyramid/pull/1251
- Work around a bug introduced in Python 2.7.7 on Windows where
``mimetypes.guess_type`` returns Unicode rather than str for the content
type, unlike any previous version of Python. See
https://github.com/Pylons/pyramid/issues/1360 for more information.
- ``pcreate`` now normalizes the package name by converting hyphens to
underscores. See https://github.com/Pylons/pyramid/pull/1376
- Fix an issue with the final response/finished callback being unable to
add another callback to the list. See
https://github.com/Pylons/pyramid/pull/1373
- Fix a failing unittest caused by differing mimetypes across various OSs.
See https://github.com/Pylons/pyramid/issues/1405
- Fix route generation for static view asset specifications having no path.
See https://github.com/Pylons/pyramid/pull/1377
- Allow the ``pyramid.renderers.JSONP`` renderer to work even if there is no
valid request object. In this case it will not wrap the object in a
callback and thus behave just like the ``pyramid.renderers.JSON`` renderer.
See https://github.com/Pylons/pyramid/pull/1561
- Prevent "parameters to load are deprecated" ``DeprecationWarning``
from setuptools>=11.3. See https://github.com/Pylons/pyramid/pull/1541
- Avoiding sharing the ``IRenderer`` objects across threads when attached to
a view using the `renderer=` argument. These renderers were instantiated
at time of first render and shared between requests, causing potentially
subtle effects like `pyramid.reload_templates = true` failing to work
in `pyramid_mako`. See https://github.com/Pylons/pyramid/pull/1575
and https://github.com/Pylons/pyramid/issues/1268
- Avoiding timing attacks against CSRF tokens.
See https://github.com/Pylons/pyramid/pull/1574
- ``request.finished_callbacks`` and ``request.response_callbacks`` now
default to an iterable instead of ``None``. It may be checked for a length
of 0. This was the behavior in 1.5.
Deprecations
------------
- The ``pserve`` command's daemonization features have been deprecated. This
includes the ``[start,stop,restart,status]`` subcommands as well as the
``--daemon``, ``--stop-server``, ``--pid-file``, and ``--status`` flags.
Please use a real process manager in the future instead of relying on the
``pserve`` to daemonize itself. Many options exist including your Operating
System's services such as Systemd or Upstart, as well as Python-based
solutions like Circus and Supervisor.
See https://github.com/Pylons/pyramid/pull/1641
- Renamed the ``principal`` argument to ``pyramid.security.remember()`` to
``userid`` in order to clarify its intended purpose.
See https://github.com/Pylons/pyramid/pull/1399
Docs
----
- Moved the documentation for ``accept`` on ``Configurator.add_view`` to no
longer be part of the predicate list. See
https://github.com/Pylons/pyramid/issues/1391 for a bug report stating
``not_`` was failing on ``accept``. Discussion with @mcdonc led to the
conclusion that it should not be documented as a predicate.
See https://github.com/Pylons/pyramid/pull/1487 for this PR
- Removed logging configuration from Quick Tutorial ini files except for
scaffolding- and logging-related chapters to avoid needing to explain it too
early.
- Clarify a previously-implied detail of the ``ISession.invalidate`` API
documentation.
- Improve and clarify the documentation on what Pyramid defines as a
``principal`` and a ``userid`` in its security APIs.
See https://github.com/Pylons/pyramid/pull/1399
- Add documentation of command line programs (``p*`` scripts). See
https://github.com/Pylons/pyramid/pull/2191
Scaffolds
---------
- Update scaffold generating machinery to return the version of pyramid and
pyramid docs for use in scaffolds. Updated starter, alchemy and zodb
templates to have links to correctly versioned documentation and reflect
which pyramid was used to generate the scaffold.
- Removed non-ascii copyright symbol from templates, as this was
causing the scaffolds to fail for project generation.
- You can now run the scaffolding func tests via ``tox py2-scaffolds`` and
``tox py3-scaffolds``.
1.5 (2014-04-08)
================
- Python 3.4 compatibility.
- Avoid crash in ``pserve --reload`` under Py3k, when iterating over possibly
mutated ``sys.modules``.
- ``UnencryptedCookieSessionFactoryConfig`` failed if the secret contained
higher order characters. See https://github.com/Pylons/pyramid/issues/1246
- Fixed a bug in ``UnencryptedCookieSessionFactoryConfig`` and
``SignedCookieSessionFactory`` where ``timeout=None`` would cause a new
session to always be created. Also in ``SignedCookieSessionFactory`` a
``reissue_time=None`` would cause an exception when modifying the session.
See https://github.com/Pylons/pyramid/issues/1247
- Updated docs and scaffolds to keep in step with new 2.0 release of
``Lingua``. This included removing all ``setup.cfg`` files from scaffolds
and documentation environments.
1.5b1 (2014-02-08)
==================
Features
--------
- We no longer eagerly clear ``request.exception`` and ``request.exc_info`` in
the exception view tween. This makes it possible to inspect exception
information within a finished callback. See
https://github.com/Pylons/pyramid/issues/1223.
1.5a4 (2014-01-28)
==================
Features
--------
- Updated scaffolds with new theme, fixed documentation and sample project.
Bug Fixes
---------
- Depend on a newer version of WebOb so that we pull in some crucial bug-fixes
that were showstoppers for functionality in Pyramid.
- Add a trailing semicolon to the JSONP response. This fixes JavaScript syntax
errors for old IE versions. See https://github.com/Pylons/pyramid/pull/1205
- Fix a memory leak when the configurator's ``set_request_property`` method was
used or when the configurator's ``add_request_method`` method was used with
the ``property=True`` attribute. See
https://github.com/Pylons/pyramid/issues/1212 .
1.5a3 (2013-12-10)
==================
Features
--------
- An authorization API has been added as a method of the
request: ``request.has_permission``.
``request.has_permission`` is a method-based alternative to the
``pyramid.security.has_permission`` API and works exactly the same. The
older API is now deprecated.
- Property API attributes have been added to the request for easier access to
authentication data: ``request.authenticated_userid``,
``request.unauthenticated_userid``, and ``request.effective_principals``.
These are analogues, respectively, of
``pyramid.security.authenticated_userid``,
``pyramid.security.unauthenticated_userid``, and
``pyramid.security.effective_principals``. They operate exactly the same,
except they are attributes of the request instead of functions accepting a
request. They are properties, so they cannot be assigned to. The older
function-based APIs are now deprecated.
- Pyramid's console scripts (``pserve``, ``pviews``, etc) can now be run
directly, allowing custom arguments to be sent to the python interpreter
at runtime. For example::
python -3 -m pyramid.scripts.pserve development.ini
- Added a specific subclass of ``HTTPBadRequest`` named
``pyramid.exceptions.BadCSRFToken`` which will now be raised in response
to failures in ``check_csrf_token``.
See https://github.com/Pylons/pyramid/pull/1149
- Added a new ``SignedCookieSessionFactory`` which is very similar to the
``UnencryptedCookieSessionFactoryConfig`` but with a clearer focus on signing
content. The custom serializer arguments to this function should only focus
on serializing, unlike its predecessor which required the serializer to also
perform signing. See https://github.com/Pylons/pyramid/pull/1142 . Note
that cookies generated using ``SignedCookieSessionFactory`` are not
compatible with cookies generated using ``UnencryptedCookieSessionFactory``,
so existing user session data will be destroyed if you switch to it.
- Added a new ``BaseCookieSessionFactory`` which acts as a generic cookie
factory that can be used by framework implementors to create their own
session implementations. It provides a reusable API which focuses strictly
on providing a dictionary-like object that properly handles renewals,
timeouts, and conformance with the ``ISession`` API.
See https://github.com/Pylons/pyramid/pull/1142
- The anchor argument to ``pyramid.request.Request.route_url`` and
``pyramid.request.Request.resource_url`` and their derivatives will now be
escaped via URL quoting to ensure minimal conformance. See
https://github.com/Pylons/pyramid/pull/1183
- Allow sending of ``_query`` and ``_anchor`` options to
``pyramid.request.Request.static_url`` when an external URL is being
generated.
See https://github.com/Pylons/pyramid/pull/1183
- You can now send a string as the ``_query`` argument to
``pyramid.request.Request.route_url`` and
``pyramid.request.Request.resource_url`` and their derivatives. When a
string is sent instead of a list or dictionary. it is URL-quoted however it
does not need to be in ``k=v`` form. This is useful if you want to be able
to use a different query string format than ``x-www-form-urlencoded``. See
https://github.com/Pylons/pyramid/pull/1183
- ``pyramid.testing.DummyRequest`` now has a ``domain`` attribute to match the
new WebOb 1.3 API. Its value is ``example.com``.
Bug Fixes
---------
- Fix the ``pcreate`` script so that when the target directory name ends with a
slash it does not produce a non-working project directory structure.
Previously saying ``pcreate -s starter /foo/bar/`` produced different output
than saying ``pcreate -s starter /foo/bar``. The former did not work
properly.
- Fix the ``principals_allowed_by_permission`` method of
``ACLAuthorizationPolicy`` so it anticipates a callable ``__acl__``
on resources. Previously it did not try to call the ``__acl__``
if it was callable.
- The ``pviews`` script did not work when a url required custom request
methods in order to perform traversal. Custom methods and descriptors added
via ``pyramid.config.Configurator.add_request_method`` will now be present,
allowing traversal to continue.
See https://github.com/Pylons/pyramid/issues/1104
- Remove unused ``renderer`` argument from ``Configurator.add_route``.
- Allow the ``BasicAuthenticationPolicy`` to work with non-ascii usernames
and passwords. The charset is not passed as part of the header and different
browsers alternate between UTF-8 and Latin-1, so the policy now attempts
to decode with UTF-8 first, and will fallback to Latin-1.
See https://github.com/Pylons/pyramid/pull/1170
- The ``@view_defaults`` now apply to notfound and forbidden views
that are defined as methods of a decorated class.
See https://github.com/Pylons/pyramid/issues/1173
Documentation
-------------
- Added a "Quick Tutorial" to go with the Quick Tour
- Removed mention of ``pyramid_beaker`` from docs. Beaker is no longer
maintained. Point people at ``pyramid_redis_sessions`` instead.
- Add documentation for ``pyramid.interfaces.IRendererFactory`` and
``pyramid.interfaces.IRenderer``.
Backwards Incompatibilities
---------------------------
- The key/values in the ``_query`` parameter of ``request.route_url`` and the
``query`` parameter of ``request.resource_url`` (and their variants), used
to encode a value of ``None`` as the string ``'None'``, leaving the resulting
query string to be ``a=b&key=None``. The value is now dropped in this
situation, leaving a query string of ``a=b&key=``.
See https://github.com/Pylons/pyramid/issues/1119
Deprecations
------------
- Deprecate the ``pyramid.interfaces.ITemplateRenderer`` interface. It was
ill-defined and became unused when Mako and Chameleon template bindings were
split into their own packages.
- The ``pyramid.session.UnencryptedCookieSessionFactoryConfig`` API has been
deprecated and is superseded by the
``pyramid.session.SignedCookieSessionFactory``. Note that while the cookies
generated by the ``UnencryptedCookieSessionFactoryConfig``
are compatible with cookies generated by old releases, cookies generated by
the SignedCookieSessionFactory are not. See
https://github.com/Pylons/pyramid/pull/1142
- The ``pyramid.security.has_permission`` API is now deprecated. Instead, use
the newly-added ``has_permission`` method of the request object.
- The ``pyramid.security.effective_principals`` API is now deprecated.
Instead, use the newly-added ``effective_principals`` attribute of the
request object.
- The ``pyramid.security.authenticated_userid`` API is now deprecated.
Instead, use the newly-added ``authenticated_userid`` attribute of the
request object.
- The ``pyramid.security.unauthenticated_userid`` API is now deprecated.
Instead, use the newly-added ``unauthenticated_userid`` attribute of the
request object.
Dependencies
------------
- Pyramid now depends on WebOb>=1.3 (it uses ``webob.cookies.CookieProfile``
from 1.3+).
1.5a2 (2013-09-22)
==================
Features
--------
- Users can now provide dotted Python names to as the ``factory`` argument
the Configurator methods named ``add_{view,route,subscriber}_predicate``
(instead of passing the predicate factory directly, you can pass a
dotted name which refers to the factory).
Bug Fixes
---------
- Fix an exception in ``pyramid.path.package_name`` when resolving the package
name for namespace packages that had no ``__file__`` attribute.
Backwards Incompatibilities
---------------------------
- Pyramid no longer depends on or configures the Mako and Chameleon templating
system renderers by default. Disincluding these templating systems by
default means that the Pyramid core has fewer dependencies and can run on
future platforms without immediate concern for the compatibility of its
templating add-ons. It also makes maintenance slightly more effective, as
different people can maintain the templating system add-ons that they
understand and care about without needing commit access to the Pyramid core,
and it allows users who just don't want to see any packages they don't use
come along for the ride when they install Pyramid.
This means that upon upgrading to Pyramid 1.5a2+, projects that use either
of these templating systems will see a traceback that ends something like
this when their application attempts to render a Chameleon or Mako template::
ValueError: No such renderer factory .pt
Or::
ValueError: No such renderer factory .mako
Or::
ValueError: No such renderer factory .mak
Support for Mako templating has been moved into an add-on package named
``pyramid_mako``, and support for Chameleon templating has been moved into
an add-on package named ``pyramid_chameleon``. These packages are drop-in
replacements for the old built-in support for these templating langauges.
All you have to do is install them and make them active in your configuration
to register renderer factories for ``.pt`` and/or ``.mako`` (or ``.mak``) to
make your application work again.
To re-add support for Chameleon and/or Mako template renderers into your
existing projects, follow the below steps.
If you depend on Mako templates:
* Make sure the ``pyramid_mako`` package is installed. One way to do this
is by adding ``pyramid_mako`` to the ``install_requires`` section of your
package's ``setup.py`` file and afterwards rerunning ``setup.py develop``::
setup(
#...
install_requires=[
'pyramid_mako', # new dependency
'pyramid',
#...
],
)
* Within the portion of your application which instantiates a Pyramid
``pyramid.config.Configurator`` (often the ``main()`` function in
your project's ``__init__.py`` file), tell Pyramid to include the
``pyramid_mako`` includeme::
config = Configurator(.....)
config.include('pyramid_mako')
If you depend on Chameleon templates:
* Make sure the ``pyramid_chameleon`` package is installed. One way to do
this is by adding ``pyramid_chameleon`` to the ``install_requires`` section
of your package's ``setup.py`` file and afterwards rerunning
``setup.py develop``::
setup(
#...
install_requires=[
'pyramid_chameleon', # new dependency
'pyramid',
#...
],
)
* Within the portion of your application which instantiates a Pyramid
``~pyramid.config.Configurator`` (often the ``main()`` function in
your project's ``__init__.py`` file), tell Pyramid to include the
``pyramid_chameleon`` includeme::
config = Configurator(.....)
config.include('pyramid_chameleon')
Note that it's also fine to install these packages into *older* Pyramids for
forward compatibility purposes. Even if you don't upgrade to Pyramid 1.5
immediately, performing the above steps in a Pyramid 1.4 installation is
perfectly fine, won't cause any difference, and will give you forward
compatibility when you eventually do upgrade to Pyramid 1.5.
With the removal of Mako and Chameleon support from the core, some
unit tests that use the ``pyramid.renderers.render*`` methods may begin to
fail. If any of your unit tests are invoking either
``pyramid.renderers.render()`` or ``pyramid.renderers.render_to_response()``
with either Mako or Chameleon templates then the
``pyramid.config.Configurator`` instance in effect during
the unit test should be also be updated to include the addons, as shown
above. For example::
class ATest(unittest.TestCase):
def setUp(self):
self.config = pyramid.testing.setUp()
self.config.include('pyramid_mako')
def test_it(self):
result = pyramid.renderers.render('mypkg:templates/home.mako', {})
Or::
class ATest(unittest.TestCase):