| commit | author | age | ||
| 7141c7 | 1 | repoze.who Changelog |
| TS | 2 | ==================== |
| aa8755 | 3 | |
| d39627 | 4 | 2.3.1 (unreleased) |
| TS | 5 | ------------------ |
| 6 | ||
| 7 | - TBD | |
| 8 | ||
| 404eba | 9 | 2.3 (2016-05-31) |
| c46a74 | 10 | ---------------- |
| TS | 11 | |
| 90fd1c | 12 | - Add support for Python 3.4, Python 3.5, and PyPy3. |
| c46a74 | 13 | |
| TS | 14 | - Drop support for Python 2.6 and 3.2. |
| 4f3525 | 15 | |
| 455778 | 16 | - ``middleware``: avoid passing extracted ``identity`` to ``remember`` |
| TS | 17 | during egress (the app may have called ``api.forget()``). See #21. |
| 18 | ||
| 41468f | 19 | - ``_auth_tkt`` / ``plugins.auth_tkt``: add support for any hash algorithm |
| TS | 20 | supported by the ``hashlib`` module in Python's standard library. |
| 21 | Fixes #22 via #23. | |
| 22 | ||
| 0a07fc | 23 | - ``plugins.auth_tkt``: Fix storage of "userdata" to save dict. Fixes |
| 41468f | 24 | #14 via #18. |
| 7b0a91 | 25 | |
| 19d219 | 26 | - middleware: avoid UnboundLocalError when wrapped generater yields no |
| TS | 27 | items. See: http://bugs.repoze.org/issue184 |
| 28 | ||
| 4f3525 | 29 | - Make cookie expiration date RFC-2616 compliant (independent of locale, |
| 41468f | 30 | including 'GMT' zone). See #11. |
| 4f3525 | 31 | |
| 9cd0f8 | 32 | 2.2 (2013-05-17) |
| a4b584 | 33 | ---------------- |
| TS | 34 | |
| 1d7c19 | 35 | - Parse INI-file configuration using ``SafeConfigParser``: allows |
| TS | 36 | escaping the ``'%'`` so that e.g. a query template using for a DB-API |
| 37 | connection using ``pyformat`` preserves the template. | |
| 38 | ||
| a4b584 | 39 | - Added support for Python 3.3, PyPy. |
| TS | 40 | |
| d96616 | 41 | |
| 717490 | 42 | 2.1 (2013-03-20) |
| c72bfe | 43 | ---------------- |
| TS | 44 | |
| 5ecc71 | 45 | - ``_compat`` module: tolerate missing ``CONTENT_TYPE`` key in the WSGI |
| TS | 46 | environment. Thanks to Dag Hoidal for the patch. |
| 47 | ||
| d96616 | 48 | - ``htpasswd`` plugin: add a ``sha1_check`` checker function (the ``crypt`` |
| TS | 49 | module is not available on Windows). Thanks to Chandrashekar Jayaraman |
| 50 | for the patch. | |
| 51 | ||
| c72bfe | 52 | - Documentation typo fixes from Carlos de la Guardia and Atsushi Odagiri. |
| TS | 53 | |
| 0cfb1a | 54 | |
| TS | 55 | 2.1b1 (2012-11-05) |
| 56 | ------------------ | |
| d9f6f4 | 57 | |
| TS | 58 | - Ported to Py3k using the "compatible subset" mode. |
| 59 | - Dropped support for Python < 2.6.x. | |
| 60 | - Dropped dependency on Paste (forking some code from it). | |
| 61 | - Added dependency on WebOb instead. | |
| 62 | Thanks to Atsushi Odagiri (aodag) for the initial effort. | |
| 63 | ||
| 64 | ||
| d03c94 | 65 | 2.0 (2011-09-28) |
| 493726 | 66 | ---------------- |
| TS | 67 | |
| 7f9907 | 68 | - ``auth_tkt`` plugin: strip any port number from the 'Domain' of generated |
| TS | 69 | cookies. http://bugs.repoze.org/issue66 |
| 70 | ||
| 493726 | 71 | - Further harden middleware, calling ``close()`` on the iterable even if |
| TS | 72 | raising an exception for a missing challenger. |
| 73 | http://bugs.repoze.org/issue174 | |
| 74 | ||
| 75 | ||
| 1b2443 | 76 | 2.0b1 (2011-05-24) |
| TS | 77 | ------------------ |
| f8ef81 | 78 | |
| d6b53f | 79 | - Enabled standard use of logging module's configuration mechanism. |
| TS | 80 | See http://docs.python.org/dev/howto/logging.html#configuring-logging-for-a-library |
| 81 | Thanks to jgoldsmith for the patch: http://bugs.repoze.org/issue178 | |
| 82 | ||
| 83 | ||
| f8ef81 | 84 | - ``repoze.who.plugins.htpasswd``: defend against timing-based attacks. |
| TS | 85 | |
| 86 | ||
| 2b9b1f | 87 | 2.0a4 (2011-02-02) |
| TS | 88 | ------------------ |
| 9a8e60 | 89 | |
| b01f44 | 90 | - Ensure that the middleware calls ``close()`` (if it exists) on the |
| TS | 91 | iterable returned from thw wrapped application, as required by PEP 333. |
| 92 | http://bugs.repoze.org/issue174 | |
| 93 | ||
| 03fba8 | 94 | - Make ``make_api_factory_with_config`` tolerant of invalid filenames / |
| TS | 95 | content for the config file: in such cases, the API factory will have |
| 96 | *no* configured plugins or policies: it will only be useful for retrieving | |
| 97 | the API from an environment populated by middleware. | |
| 98 | ||
| c61031 | 99 | - Fix bug in ``repoze.who.api`` where the ``remember()`` or ``forget()`` |
| TS | 100 | methods could return a None if the identifier plugin returned a None. |
| cfe26c | 101 | |
| c61031 | 102 | - Fix ``auth_tkt`` plugin to not hand over tokens as strings to paste. See |
| fc9a88 | 103 | http://lists.repoze.org/pipermail/repoze-dev/2010-November/003680.html |
| BS | 104 | |
| c61031 | 105 | - Fix ``auth_tkt`` plugin to add "secure" and "HttpOnly" to cookies when |
| TS | 106 | configured with ``secure=True``: these attributes prevent the browser from |
| 107 | sending cookies over insecure channels, which could be vulnerable to some | |
| 3b5782 | 108 | XSS attacks. |
| d7e647 | 109 | |
| 15e365 | 110 | - Avoid propagating unicode 'max_age' value into cookie headers. See |
| TS | 111 | https://bugs.launchpad.net/bugs/674123 . |
| 112 | ||
| e8080a | 113 | - Added a single-file example BFG application demonstrating the use of |
| TS | 114 | the new 'login' and 'logout' methods of the API object. |
| 115 | ||
| 924f24 | 116 | - Add ``login`` and ``logout`` methods to the ``repoze.who.api.API`` object, |
| TS | 117 | as a convenience for application-driven login / logout code, which would |
| 95f147 | 118 | otherwise need to use private methods of the API, and reach down into |
| TS | 119 | its plugins. |
| f8ef81 | 120 | |
| 9a8e60 | 121 | |
| 2c742e | 122 | 2.0a3 (2010-09-30) |
| eb7071 | 123 | ------------------ |
| f80021 | 124 | |
| a446d6 | 125 | - Deprecated the following plugins, moving their modules, tests, and docs |
| ff604c | 126 | to a new project, ``repoze.who.deprecatedplugins``: |
| a446d6 | 127 | |
| TS | 128 | - ``repoze.who.plugins.cookie.InsecureCookiePlugin`` |
| 129 | ||
| 630a05 | 130 | - ``repoze.who.plugins.form.FormPlugin`` |
| a446d6 | 131 | |
| 630a05 | 132 | - ``repoze.who.plugins.form.RedirectingFormPlugin`` |
| a446d6 | 133 | |
| TS | 134 | - Made the ``repoze.who.plugins.cookie.InsecureCookiePlugin`` take a |
| 76e951 | 135 | ``charset`` argument, and use to to encode / decode login and password. |
| TS | 136 | See http://bugs.repoze.org/issue155 |
| 137 | ||
| a446d6 | 138 | - Updated ``repoze.who.restrict`` to return headers as a list, to keep |
| TS | 139 | ``wsgiref`` from complaining. |
| 5b6365 | 140 | |
| a446d6 | 141 | - Helped default request classifier cope with xml submissions with an |
| 6b7b34 | 142 | explicit charset defined: http://bugs.repoze.org/issue145 (Lorenzo |
| CM | 143 | M. Catucci) |
| 144 | ||
| a446d6 | 145 | - Corrected the handling of type and subtype when matching an XML post |
| 6b7b34 | 146 | to ``xmlpost`` in the default classifier, which, according to RFC |
| CM | 147 | 2045, must be matched case-insensitively: |
| 148 | http://bugs.repoze.org/issue145 (Lorenzo M. Catucci) | |
| 149 | ||
| a349a2 | 150 | - Added ``repoze.who.config:make_api_factory_with_config``, a convenience |
| TS | 151 | method for applications which want to set up their own API Factory from |
| 152 | a configuration file. | |
| 153 | ||
| f80021 | 154 | - Fixed example call to ``repoze.who.config:make_middleware_with_config`` |
| TS | 155 | (added missing ``global_config`` argument). See |
| 156 | http://bugs.repoze.org/issue114 | |
| 157 | ||
| f8ef81 | 158 | |
| c186ae | 159 | 2.0a2 (2010-03-25) |
| TS | 160 | ------------------ |
| 52bc23 | 161 | |
| TS | 162 | Bugs Fixed |
| 163 | ~~~~~~~~~~ | |
| 164 | ||
| 165 | - Fixed failure to pass substution values in log message string formatting | |
| 166 | for ``repoze.who.api:API.challenge``. Fix included adding tests for all | |
| 167 | logging done by the API object. See http://bugs.repoze.org/issue122 | |
| 168 | ||
| 169 | Backward Incompatibilities | |
| 170 | ~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| 171 | ||
| 172 | - Adjusted logging level for some lower-level details from ``info`` | |
| 173 | to ``debug``. | |
| f8ef81 | 174 | |
| 52bc23 | 175 | |
| TS | 176 | |
| e25b84 | 177 | 2.0a1 (2010-02-24) |
| 993216 | 178 | ------------------ |
| TS | 179 | |
| b4b8ee | 180 | Features |
| TS | 181 | ~~~~~~~~ |
| 62cd25 | 182 | |
| c9c1c6 | 183 | - Restored the ability to create the middleware using the old ``classifier`` |
| TS | 184 | argument. That argument is now a deprecated-but-will-work-forever alias for |
| 185 | ``request_classifier``. | |
| cbc983 | 186 | |
| b0f81f | 187 | - The ``auth_tkt`` plugin now implements the ``IAuthenticator`` interface, |
| TS | 188 | and should normally be used both as an ``IIdentifier`` and an |
| 189 | ``IAuthenticator``. | |
| 190 | ||
| 993216 | 191 | - Factored out the API of the middleware object to make it useful from |
| TS | 192 | within the application. Applications using ``repoze.who``` now fall into |
| 193 | one of three catgeories: | |
| 194 | ||
| 195 | - "middleware-only" applications are configured with middleware, and | |
| 196 | use either ``REMOTE_USER`` or ``repoze.who.identity`` from the environment | |
| 197 | to determing the authenticated user. | |
| 198 | ||
| 199 | - "bare metal" applications use no ``repoze.who`` middleware at all: | |
| 200 | instead, they configure and an ``APIFactory`` object at startup, and | |
| 201 | use it to create an ``API`` object when needed on a per-request basis. | |
| 202 | ||
| 203 | - "hybrid" applications are configured with ``repoze.who`` middleware, | |
| 204 | but use a new library function to fetch the ``API`` object from the | |
| c9c1c6 | 205 | environ, e.g. to permit calling ``remember`` after a signup or successful |
| TS | 206 | login. |
| 993216 | 207 | |
| b4b8ee | 208 | Bugs Fixed |
| TS | 209 | ~~~~~~~~~~ |
| 210 | ||
| 211 | - Fix http://bugs.repoze.org/issue102: when no challengers existed, | |
| 212 | logging would cause an exception. | |
| 213 | ||
| 214 | - Remove ``ez_setup.py`` and dependency on it in setup.py (support | |
| 215 | distribute). | |
| 216 | ||
| 217 | Backward Incompatibilities | |
| 218 | ~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| 219 | ||
| b213af | 220 | - The middleware used to allow identifier plugins to "pre-authenticate" |
| TS | 221 | an identity. This feature is no longer supported: the ``auth_tkt`` |
| 222 | plugin, which used to use the feature, is now configured to work as | |
| c9c1c6 | 223 | an authenticator plugin (as well as an identifier). |
| b213af | 224 | |
| b4b8ee | 225 | - The ``repoze.who.middleware:PluggableAuthenticationMiddleware`` class |
| TS | 226 | no longer has the following (non-API) methods (now made API methods |
| 227 | of the ``repoze.who.api:API`` class): | |
| 228 | ||
| 229 | - ``add_metadata`` | |
| 230 | - ``authenticate`` | |
| 231 | - ``challenge`` | |
| 232 | - ``identify`` | |
| 233 | ||
| 234 | - The following (non-API) functions moved from ``repoze.who.middleware`` to | |
| 235 | ``repoze.who.api``: | |
| 236 | ||
| 237 | - ``make_registries`` | |
| 238 | - ``match_classification`` | |
| 239 | - ``verify`` | |
| 240 | ||
| 241 | ||
| f8ef81 | 242 | |
| 060054 | 243 | 1.0.18 (2009-11-05) |
| TS | 244 | ------------------- |
| 798feb | 245 | |
| TS | 246 | - Issue #104: AuthTkt plugin was passing an invalid cookie value in |
| 247 | headers from ``forget``, and was not setting the ``Max-Age`` and | |
| 248 | ``Expires`` attributes of those cookies. | |
| 249 | ||
| b4b8ee | 250 | |
| f8ef81 | 251 | |
| 6e136f | 252 | 1.0.17 (2009-11-05) |
| TS | 253 | ------------------- |
| e0d138 | 254 | |
| TS | 255 | - Fixed the ``repoze.who.plugins.form.make_plugin`` factory's ``formcallable`` |
| 256 | argument handling, to allow passing in a dotted name (e.g., from a config | |
| 257 | file). | |
| 258 | ||
| b4b8ee | 259 | |
| f8ef81 | 260 | |
| 6b15ee | 261 | 1.0.16 (2009-11-04) |
| 028e4d | 262 | ------------------- |
| 1ec83d | 263 | |
| 8dd881 | 264 | - Exposed ``formcallable`` argument for ``repoze.who.plugins.form.FormPlugin`` |
| TS | 265 | to the callers of the ``repoze.who.plugins.form.make_plugin`` factory. |
| 266 | Thanks to Roland Hedburg for the report. | |
| 21a9c5 | 267 | |
| 8dd881 | 268 | - Fixed an issue that caused the following symptom when using the |
| TS | 269 | ini configuration parser:: |
| 270 | ||
| 271 | TypeError: _makePlugin() got multiple values for keyword argument 'name' | |
| 21a9c5 | 272 | |
| CM | 273 | See http://bugs.repoze.org/issue92 for more details. Thanks to vaab |
| 274 | for the bug report and initial fix. | |
| 275 | ||
| 1ec83d | 276 | |
| 7141c7 | 277 | 1.0.15 (2009-06-25) |
| TS | 278 | ------------------- |
| 299b4c | 279 | |
| a14163 | 280 | - If the form post value ``max_age`` exists while in the ``identify`` |
| CM | 281 | method is handling the ``login_handler_path``, pass the max_age |
| 282 | value in the returned identity dictionary as ``max_age``. See the | |
| 283 | below bullet point for why. | |
| 284 | ||
| 299b4c | 285 | - If the ``identity`` dict passed to the ``auth_tkt`` ``remember`` |
| CM | 286 | method contains a ``max_age`` key with a string (or integer) value, |
| 287 | treat it as a cue to set the ``Max-Age`` and ``Expires`` headers in | |
| 288 | the returned cookies. The cookie ``Max-Age`` is set to the value | |
| 289 | and the ``Expires`` is computed from the current time. | |
| 290 | ||
| 7141c7 | 291 | |
| TS | 292 | 1.0.14 (2009-06-17) |
| 293 | ------------------- | |
| 9318dd | 294 | |
| 1810b2 | 295 | - Fix test breakage on Windows. See http://bugs.repoze.org/issue79 . |
| TS | 296 | |
| 00a6d9 | 297 | - Documented issue with using ``include_ip`` setting in the ``auth_tkt`` |
| TS | 298 | plugin. See http://bugs.repoze.org/issue81 . |
| 299 | ||
| 0dd808 | 300 | - Added 'passthrough_challenge_decider', which avoids re-challenging 401 |
| TS | 301 | responses which have been "pre-challenged" by the application. |
| 302 | ||
| 9318dd | 303 | - One-hundred percent unit test coverage. |
| TS | 304 | |
| a6f6dc | 305 | - Add ``timeout`` and ``reissue_time`` arguments to the auth_tkt |
| CM | 306 | identifier plugin, courtesty of Paul Johnston. |
| 307 | ||
| 308 | - Add a ``userid_checker`` argument to the auth_tkt identifier plugin, | |
| 309 | courtesty of Gustavo Narea. | |
| 310 | ||
| 311 | If ``userid_checker`` is provided, it must be a dotted Python name | |
| 312 | that resolves to a function which accepts a userid and returns a | |
| 313 | boolean True or False, indicating whether that user exists in a | |
| 314 | database. This is a workaround. Due to a design bug in repoze.who, | |
| 315 | the only way who can check for user existence is to use one or more | |
| 316 | IAuthenticator plugin ``authenticate`` methods. If an | |
| 317 | IAuthenticator's ``authenticate`` method returns true, it means that | |
| 318 | the user exists. However most IAuthenticator plugins expect *both* | |
| 319 | a username and a password, and will return False unconditionally if | |
| 320 | both aren't supplied. This means that an authenticator can't be | |
| 321 | used to check if the user "only" exists. The identity provided by | |
| 322 | an auth_tkt does not contain a password to check against. The | |
| 323 | actual design bug in repoze.who is this: when a user presents | |
| 324 | credentials from an auth_tkt, he is considered "preauthenticated". | |
| 325 | IAuthenticator.authenticate is just never called for a | |
| 326 | "preauthenticated" identity, which works fine, but it means that the | |
| 327 | user will be considered authenticated even if you deleted the user's | |
| 328 | record from whatever database you happen to be using. However, if | |
| 329 | you use a userid_checker, you can ensure that a user exists for the | |
| 330 | auth_tkt supplied userid. If the userid_checker returns False, the | |
| 331 | auth_tkt credentials are considered "no good". | |
| 332 | ||
| 7141c7 | 333 | |
| TS | 334 | 1.0.13 (2009-04-24) |
| 335 | ------------------- | |
| 64ba13 | 336 | |
| TS | 337 | - Added a paragraph to ``IAuthenticator`` docstring, documenting that plugins |
| 338 | are allowed to add keys to the ``identity`` dictionary (e.g., to save a | |
| ced7bd | 339 | second database query in an ``IMetadataProvider`` plugin). |
| 64ba13 | 340 | |
| 08b2ae | 341 | - Patch supplied for issue #71 (http://bugs.repoze.org/issue71) |
| CM | 342 | whereby a downstream app can return a generator, relying on an |
| 343 | upstream component to call start_response. We do this because the | |
| 344 | challenge decider needs the status and headers to decide what to do. | |
| 345 | ||
| 56d0c5 | 346 | |
| 7141c7 | 347 | 1.0.12 (2009-04-19) |
| TS | 348 | ------------------- |
| 56d0c5 | 349 | - auth_tkt plugin tried to append REMOTE_USER_TOKENS data to |
| CM | 350 | existing tokens data returned by auth_tkt.parse_tkt; this was |
| 351 | incorrect; just overwrite. | |
| 0ee58d | 352 | |
| TS | 353 | - Extended auth_tkt plugin factory to allow passing secret in a separate |
| 354 | file from the main config file. See http://bugs.repoze.org/issue40 . | |
| 355 | ||
| 7141c7 | 356 | |
| TS | 357 | 1.0.11 (2009-04-10) |
| 358 | ------------------- | |
| afbbcd | 359 | |
| 8c20ba | 360 | - Fix auth_tkt plugin; cookie values are now quoted, making it possible |
| CM | 361 | to put spaces and other whitespace, etc in usernames. (thanks to Michael |
| 95736b | 362 | Pedersen). |
| 8c20ba | 363 | |
| afbbcd | 364 | - Fix corner case issue of an exception raised when attempting to log |
| CM | 365 | when there are no identifiers or authenticators. |
| 366 | ||
| 7141c7 | 367 | |
| TS | 368 | 1.0.10 (2009-01-23) |
| 369 | ------------------- | |
| 7b931d | 370 | |
| CM | 371 | - The RedirectingFormPlugin now passes along SetCookie headers set |
| 372 | into the response by the application within the NotFound response | |
| 373 | (fixes TG2 "flash" issue). | |
| 374 | ||
| 7141c7 | 375 | |
| TS | 376 | 1.0.9 (2008-12-18) |
| 377 | ------------------ | |
| 30ab69 | 378 | |
| 9238cd | 379 | - The RedirectingFormPlugin now attempts to find a header named |
| CM | 380 | ``X-Authentication-Failure-Reason`` among the response headers set |
| 381 | by the application when a challenge is issued. If a value for this | |
| 382 | header exists (and is non-blank), the value is attached to the | |
| 383 | redirect URL's query string as the ``reason`` parameter (or a | |
| 384 | user-settable key). This makes it possible for downstream | |
| 385 | applications to issue a response that initiates a challenge with | |
| 386 | this header and subsequently display the reason in the login form | |
| 387 | rendered as a result of the challenge. | |
| 30ab69 | 388 | |
| 7141c7 | 389 | |
| TS | 390 | 1.0.8 (2008-12-13) |
| 391 | ------------------ | |
| 186ff6 | 392 | |
| 9238cd | 393 | - The ``PluggableAuthenticationMiddleware`` constructor accepts a |
| CM | 394 | ``log_stream`` argument, which is typically a file. After this |
| 395 | release, it can also be a PEP 333 ``Logger`` instance; if it is a | |
| 396 | PEP 333 ``Logger`` instance, this logger will be used as the | |
| 397 | repoze.who logger (instead of one being constructed by the | |
| 398 | middleware, as was previously always the case). When the | |
| 399 | ``log_stream`` argument is a PEP 333 Logger object, the | |
| 400 | ``log_level`` argument is ignored. | |
| 186ff6 | 401 | |
| 7141c7 | 402 | |
| TS | 403 | 1.0.7 (2008-08-28) |
| 404 | ------------------ | |
| 37de44 | 405 | |
| 9238cd | 406 | - ``repoze.who`` and ``repoze.who.plugins`` were not added to the |
| CM | 407 | ``namespace_packages`` list in setup.py, potentially making 1.0.6 a |
| 408 | brownbag release, given that making these packages namespace | |
| 409 | packages was the only reason for its release. | |
| 37de44 | 410 | |
| 7141c7 | 411 | |
| TS | 412 | 1.0.6 (2008-08-28) |
| 413 | ------------------ | |
| facdf8 | 414 | |
| 9238cd | 415 | - Make repoze.who and repoze.who.plugins into namespace packages |
| CM | 416 | mainly so we can allow plugin authors to distribute packages in the |
| 417 | repoze.who.plugins namespace. | |
| facdf8 | 418 | |
| 7141c7 | 419 | |
| TS | 420 | 1.0.5 (2008-08-23) |
| 421 | ------------------ | |
| 519300 | 422 | |
| 9238cd | 423 | - Fix auth_tkt plugin to set the same cookies in its ``remember`` |
| CM | 424 | method that it does in its ``forget`` method. Previously, logging |
| 425 | out and relogging back in to a site that used auth_tkt identifier | |
| 426 | plugin was slightly dicey and would only work sometimes. | |
| facdf8 | 427 | |
| 9238cd | 428 | - The FormPlugin plugin has grown a redirect-on-unauthorized feature. |
| CM | 429 | Any response from a downstream application that causes a challenge |
| 430 | and includes a Location header will cause a redirect to the value of | |
| 431 | the Location header. | |
| dee08c | 432 | |
| 7141c7 | 433 | |
| TS | 434 | 1.0.4 (2008-08-22) |
| 435 | ------------------ | |
| b95a59 | 436 | |
| 9238cd | 437 | - Added a key to the '[general]' config section: ``remote_user_key``. |
| CM | 438 | If you use this key in the config file, it tells who to 1) not |
| 439 | perform any authentication if it exists in the environment during | |
| 440 | ingress and 2) to set the key in the environment for the downstream | |
| 441 | app to use as the REMOTE_USER variable. The default is | |
| 442 | ``REMOTE_USER``. | |
| b95a59 | 443 | |
| 9238cd | 444 | - Using unicode user ids in combination with the auth_tkt plugin would |
| CM | 445 | cause problems under mod_wsgi. |
| 55dc7a | 446 | |
| 9238cd | 447 | - Allowed 'cookie_path' argument to InsecureCookiePlugin (and config |
| CM | 448 | constructor). Thanks to Gustavo Narea. |
| 55dc7a | 449 | |
| 7141c7 | 450 | |
| TS | 451 | 1.0.3 (2008-08-16) |
| 452 | ------------------ | |
| f693fe | 453 | |
| 9238cd | 454 | - A bug in the middleware's ``authenticate`` method made it impossible |
| CM | 455 | to authenticate a user with a userid that was null (e.g. 0, False), |
| 456 | which are valid identifiers. The only invalid userid is now None. | |
| c7e12d | 457 | |
| 9238cd | 458 | - Applied patch from Olaf Conradi which logs an error when an invalid |
| CM | 459 | filename is passed to the HTPasswdPlugin. |
| c7e12d | 460 | |
| 7141c7 | 461 | |
| TS | 462 | 1.0.2 (2008-06-16) |
| 463 | ------------------ | |
| cad90d | 464 | |
| 9238cd | 465 | - Fix bug found by Chris Perkins: the auth_tkt plugin's "remember" |
| CM | 466 | method didn't handle userids which are Python "long" instances |
| 467 | properly. Symptom: TypeError: cannot concatenate 'str' and 'long' | |
| 468 | objects in "paste.auth.auth_tkt". | |
| a2c030 | 469 | |
| 9238cd | 470 | - Added predicate-based "restriction" middleware support |
| CM | 471 | (repoze.who.restrict), allowing configuratio-driven authorization as |
| 472 | a WSGI filter. One example predicate, 'authenticated_predicate', is | |
| 473 | supplied, which requires that the user be authenticated either via | |
| 474 | 'REMOTE_USER' or via 'repoze.who.identity'. To use the filter to | |
| 475 | restrict access:: | |
| cad90d | 476 | |
| TS | 477 | [filter:authenticated_only] |
| 478 | use = egg:repoze.who#authenticated | |
| 479 | ||
| 480 | or:: | |
| 481 | ||
| 482 | [filter:some_predicate] | |
| 483 | use = egg:repoze.who#predicate | |
| 484 | predicate = my.module:some_predicate | |
| 485 | some_option = a value | |
| 486 | ||
| 7141c7 | 487 | |
| TS | 488 | 1.0.1 (2008-05-24) |
| 489 | ------------------ | |
| 8199a1 | 490 | |
| 9238cd | 491 | - Remove dependency-link to dist.repoze.org to prevent easy_install |
| CM | 492 | from inserting that path into its search paths (the dependencies are |
| 493 | available from PyPI). | |
| 8199a1 | 494 | |
| 7141c7 | 495 | |
| TS | 496 | 1.0 (2008-05-04) |
| 497 | ----------------- | |
| 419946 | 498 | |
| 9238cd | 499 | - The plugin at plugins.form.FormPlugin didn't redirect properly after |
| CM | 500 | collecting identification information. Symptom: a downstream app |
| 501 | would receive a POST request with a blank body, which would | |
| 502 | sometimes result in a Bad Request error. | |
| f39349 | 503 | |
| 9238cd | 504 | - Fixed interface declarations of |
| CM | 505 | 'classifiers.default_request_classifier' and |
| 506 | 'classifiers.default_password_compare'. | |
| 515c69 | 507 | |
| 9238cd | 508 | - Added actual config-driven middleware factory, |
| CM | 509 | 'config.make_middleware_with_config' |
| 515c69 | 510 | |
| 9238cd | 511 | - Removed fossilized 'who_conf' argument from plugin factory functions. |
| 515c69 | 512 | |
| 7141c7 | 513 | - Added ConfigParser-based WhoConfig, implementing the spec outlined at |
| 9238cd | 514 | http://www.plope.com/static/misc/sphinxtest/intro.html#middleware-configuration-via-config-file, |
| CM | 515 | with the following changes: |
| 419946 | 516 | |
| 7141c7 | 517 | - "Bare" plugins (requiring no configuration options) may be specified |
| 419946 | 518 | as either egg entry points (e.g., 'egg:distname#entry_point_name') or |
| TS | 519 | as dotted-path-with-colon (e.g., 'dotted.name:object_id'). |
| 520 | ||
| 7141c7 | 521 | - Therefore, the separator between a plugin and its classifier is now |
| TS | 522 | a semicolon, rather than a colon. E.g.:: |
| 419946 | 523 | |
| TS | 524 | [plugins:id_plugin] |
| 525 | use = egg:another.package#identify_with_frobnatz | |
| 526 | frobnatz = baz | |
| 527 | ||
| 528 | [identifiers] | |
| 529 | plugins = | |
| 530 | egg:my.egg#identify;browser | |
| 531 | dotted.name:identifier | |
| 532 | id_plugin | |
| 533 | ||
| 7141c7 | 534 | |
| 779caf | 535 | 0.9.1 (2008-04-27) |
| 7141c7 | 536 | ------------------ |
| 779caf | 537 | |
| 9238cd | 538 | - Fix auth_tkt plugin to be able to encode and decode integer user |
| CM | 539 | ids. |
| 779caf | 540 | |
| 7141c7 | 541 | |
| 88e646 | 542 | 0.9 (2008-04-01) |
| 7141c7 | 543 | ---------------- |
| 88e646 | 544 | |
| 9238cd | 545 | - Fix bug introduced in FormPlugin in 0.8 release (rememberer headers |
| CM | 546 | not set). |
| 88e646 | 547 | |
| 9238cd | 548 | - Add PATH_INFO to started and ended log info. |
| d9f046 | 549 | |
| 9238cd | 550 | - Add a SQLMetadataProviderPlugin (in plugins/sql). |
| d9f046 | 551 | |
| 9238cd | 552 | - Change constructor of SQLAuthenticatorPlugin: it now accepts only |
| CM | 553 | "query", "conn_factory", and "compare_fn". The old constructor |
| 554 | accepted a DSN, but some database systems don't use DBAPI DSNs. The | |
| 555 | new constructor accepts no DSN; the conn_factory is assumed to do | |
| 556 | all the work to make a connection, including knowing the DSN if one | |
| 557 | is required. The "conn_factory" should return something that, when | |
| 558 | called with no arguments, returns a database connection. | |
| d9f046 | 559 | |
| 9238cd | 560 | - The "make_plugin" helper in plugins/sql has been renamed |
| CM | 561 | "make_authenticator_plugin". When called, this helper will return a |
| 562 | SQLAuthenticatorPlugin. A bit of helper logic in the | |
| 563 | "make_authenticator_plugin" allows a connection factory to be | |
| 564 | computed. The top-level callable referred to by conn_factory in | |
| 565 | this helper should return a function that, when called with no | |
| 566 | arguments, returns a datbase connection. The top-level callable | |
| 567 | itself is called with "who_conf" (global who configuration) and any | |
| 568 | number of non-top-level keyword arguments as they are passed into | |
| 569 | the helper, to allow for a DSN or URL or whatever to be passed in. | |
| d9f046 | 570 | |
| 9238cd | 571 | - A "make_metatata_plugin" helper has been added to plugins/sql. When |
| CM | 572 | called, this will make a SQLMetadataProviderPlugin. See the |
| 573 | implementation for details. It is similar to the | |
| 574 | "make_authenticator_plugin" helper. | |
| d9f046 | 575 | |
| 7141c7 | 576 | |
| cbe4e3 | 577 | 0.8 (2008-03-27) |
| 7141c7 | 578 | ---------------- |
| b5a331 | 579 | |
| 9238cd | 580 | - Add a RedirectingFormIdentifier plugin. This plugin is willing to |
| CM | 581 | redirect to an external (or downstream application) login form to |
| 582 | perform identification. The external login form must post to the | |
| 583 | "login_handler_path" of the plugin (optimally with a "came_from" | |
| 584 | value to tell the plugin where to redirect the response to if the | |
| 585 | authentication works properly). The "logout_handler_path" of this | |
| 586 | plugin can be visited to perform a logout. The "came_from" value | |
| 587 | also works there. | |
| a400b0 | 588 | |
| 9238cd | 589 | - Identifier plugins are now permitted to set a key in the environment |
| CM | 590 | named 'repoze.who.application' on ingress (in 'identify'). If an |
| 591 | identifier plugin does so, this application is used instead of the | |
| 592 | "normal" downstream application. This feature was added to more | |
| 593 | simply support the redirecting form identifier plugin. | |
| a400b0 | 594 | |
| 7141c7 | 595 | |
| a400b0 | 596 | 0.7 (2008-03-26) |
| 7141c7 | 597 | ---------------- |
| a400b0 | 598 | |
| 9238cd | 599 | - Change the IMetadataProvider interface: this interface used to have |
| CM | 600 | a "metadata" method which returned a dictionary. This method is not |
| 601 | part of that API anymore. It's been replaced with an "add_metadata" | |
| 602 | method which has the signature:: | |
| b5a331 | 603 | |
| CM | 604 | def add_metadata(environ, identity): |
| 605 | """ | |
| 606 | Add metadata to the identity (which is a dictionary) | |
| 607 | """ | |
| 608 | ||
| 609 | The return value is ignored. IMetadataProvider plugins are now | |
| 610 | assumed to be responsible for 'scribbling' directly on the identity | |
| 611 | that is passed in (it's a dictionary). The user id can always be | |
| 612 | retrieved from the identity via identity['repoze.who.userid'] for | |
| 613 | metadata plugins that rely on that value. | |
| 614 | ||
| 7141c7 | 615 | |
| a400b0 | 616 | 0.6 (2008-03-20) |
| 7141c7 | 617 | ---------------- |
| e35c64 | 618 | |
| 9238cd | 619 | - Renaming: repoze.pam is now repoze.who |
| cb5426 | 620 | |
| 9238cd | 621 | - Bump ez_setup.py version. |
| e35c64 | 622 | |
| 9238cd | 623 | - Add IMetadataProvider plugin type. Chris says 'Whit rules'. |
| fa9581 | 624 | |
| 7141c7 | 625 | |
| 3b67e9 | 626 | 0.5 (2008-03-09) |
| 7141c7 | 627 | ---------------- |
| db4cf5 | 628 | |
| 9238cd | 629 | - Allow "remote user key" (default: REMOTE_USER) to be overridden |
| CM | 630 | (pass in remote_user_key to middleware constructor). |
| db4cf5 | 631 | |
| 9238cd | 632 | - Allow form plugin to override the default form. |
| db4cf5 | 633 | |
| 9238cd | 634 | - API change: IIdentifiers are no longer required to put both 'login' |
| CM | 635 | and 'password' in a returned identity dictionary. Instead, an |
| 636 | IIdentifier can place arbitrary key/value pairs in the identity | |
| 637 | dictionary (or return an empty dictionary). | |
| 40a968 | 638 | |
| 9238cd | 639 | - API return value change: the "failure" identity which IIdentifiers |
| CM | 640 | return is now None rather than an empty dictionary. |
| 40a968 | 641 | |
| 9238cd | 642 | - The IAuthenticator interface now specifies that IAuthenticators must |
| CM | 643 | not raise an exception when evaluating an identity that does not |
| 644 | have "expected" key/value pairs (e.g. when an IAuthenticator that | |
| 645 | expects login and password inspects an identity returned by an | |
| 646 | IP-based auth system which only puts the IP address in the | |
| 647 | identity); instead they fail gracefully by returning None. | |
| 40a968 | 648 | |
| 9238cd | 649 | - Add (cookie) "auth_tkt" identification plugin. |
| a5b033 | 650 | |
| 9238cd | 651 | - Stamp identity dictionaries with a userid by placing a key named |
| CM | 652 | 'repoze.pam.userid' into the identity for each authenticated |
| 653 | identity. | |
| a5b033 | 654 | |
| 9238cd | 655 | - If an IIdentifier plugin inserts a 'repoze.pam.userid' key into the |
| CM | 656 | identity dictionary, consider this identity "preauthenticated". No |
| 657 | authenticator plugins will be asked to authenticate this identity. | |
| 658 | This is designed for things like the recently added auth_tkt plugin, | |
| 659 | which embeds the user id into the ticket. This effectively alllows | |
| 660 | an IIdentifier plugin to become an IAuthenticator plugin when | |
| 661 | breaking apart the responsibility into two separate plugins is | |
| 662 | "make-work". Preauthenticated identities will be selected first | |
| 663 | when deciding which identity to use for any given request. | |
| a5b033 | 664 | |
| 9238cd | 665 | - Insert a 'repoze.pam.identity' key into the WSGI environment on |
| CM | 666 | ingress if an identity is found. Its value will be the identity |
| 667 | dictionary related to the identity selected by repoze.pam on | |
| 668 | ingress. Downstream consumers are allowed to mutate this | |
| 669 | dictionary; this value is passed to "remember" and "forget", so its | |
| 670 | main use is to do a "credentials reset"; e.g. a user has changed his | |
| 671 | username or password within the application, but we don't want to | |
| 672 | force him to log in again after he does so. | |
| a5b033 | 673 | |
| 7141c7 | 674 | |
| 247f34 | 675 | 0.4 (03-07-2008) |
| 7141c7 | 676 | ---------------- |
| 247f34 | 677 | |
| 9238cd | 678 | - Allow plugins to specify a classifiers list per interface (instead |
| CM | 679 | of a single classifiers list per plugin). |
| 247f34 | 680 | |
| 7141c7 | 681 | |
| fb510d | 682 | 0.3 (03-05-2008) |
| 7141c7 | 683 | ---------------- |
| fb510d | 684 | |
| 9238cd | 685 | - Make SQLAuthenticatorPlugin's default_password_compare use hexdigest |
| CM | 686 | sha instead of base64'ed binary sha for simpler conversion. |
| fb510d | 687 | |
| 7141c7 | 688 | |
| 196bc2 | 689 | 0.2 (03-04-2008) |
| 7141c7 | 690 | ---------------- |
| 196bc2 | 691 | |
| 9238cd | 692 | - Added SQLAuthenticatorPlugin (see plugins/sql.py). |
| 196bc2 | 693 | |
| 7141c7 | 694 | |
| 318832 | 695 | 0.1 (02-27-2008) |
| 7141c7 | 696 | ---------------- |
| 318832 | 697 | |
| 9238cd | 698 | - Initial release (no configuration file support yet). |
