What's New in Pyramid 1.7
|
=========================
|
|
This article explains the new features in :app:`Pyramid` version 1.7 as
|
compared to its predecessor, :app:`Pyramid` 1.6. It also documents backwards
|
incompatibilities between the two versions and deprecations added to
|
:app:`Pyramid` 1.7, as well as software dependency changes and notable
|
documentation additions.
|
|
Backwards Incompatibilities
|
---------------------------
|
|
- The default hash algorithm for
|
:class:`pyramid.authentication.AuthTktAuthenticationPolicy` has changed from
|
``md5`` to ``sha512``. If you are using the authentication policy and need to
|
continue using ``md5``, please explicitly set ``hashalg='md5'``.
|
|
If you are not currently specifying the ``hashalg`` option in your apps, then
|
this change means any existing auth tickets (and associated cookies) will no
|
longer be valid, users will be logged out, and have to login to their
|
accounts again.
|
|
This change has been issuing a DeprecationWarning since :app:`Pyramid` 1.4.
|
|
See https://github.com/Pylons/pyramid/pull/2496
|
|
- Python 2.6 and 3.2 are no longer supported by Pyramid. See
|
https://github.com/Pylons/pyramid/issues/2368 and
|
https://github.com/Pylons/pyramid/pull/2256
|
|
- The :func:`pyramid.session.check_csrf_token` function no longer validates a
|
csrf token in the query string of a request. Only headers and request bodies
|
are supported. See https://github.com/Pylons/pyramid/pull/2500
|
|
- A global permission set via
|
:meth:`pyramid.config.Configurator.set_default_permission` will no longer
|
affect exception views. A permission must be set explicitly on the view for
|
it to be enforced. See https://github.com/Pylons/pyramid/pull/2534
|
|
Feature Additions
|
-----------------
|
|
- A new :ref:`view_derivers` concept has been added to Pyramid to allow
|
framework authors to inject elements into the standard Pyramid view pipeline
|
and affect all views in an application. This is similar to a decorator except
|
that it has access to options passed to ``config.add_view`` and can affect
|
other stages of the pipeline such as the raw response from a view or prior
|
to security checks. See https://github.com/Pylons/pyramid/pull/2021
|
|
- Added a ``require_csrf`` view option which will enforce CSRF checks on
|
requests with an unsafe method as defined by RFC2616. If the CSRF check fails
|
a ``BadCSRFToken`` exception will be raised and may be caught by exception
|
views (the default response is a ``400 Bad Request``). This option should be
|
used in place of the deprecated ``check_csrf`` view predicate which would
|
normally result in unexpected ``404 Not Found`` response to the client
|
instead of a catchable exception. See :ref:`auto_csrf_checking`,
|
https://github.com/Pylons/pyramid/pull/2413 and
|
https://github.com/Pylons/pyramid/pull/2500
|
|
- Added a new method,
|
:meth:`pyramid.config.Configurator.set_csrf_default_options`,
|
for configuring CSRF checks used by the ``require_csrf=True`` view option.
|
This method can be used to turn on CSRF checks globally for every view
|
in the application. This should be considered a good default for websites
|
built on Pyramid. It is possible to opt-out of CSRF checks on a per-view
|
basis by setting ``require_csrf=False`` on those views.
|
See :ref:`auto_csrf_checking` and
|
https://github.com/Pylons/pyramid/pull/2413 and
|
https://github.com/Pylons/pyramid/pull/2518
|
|
- Added an additional CSRF validation that checks the origin/referrer of a
|
request and makes sure it matches the current ``request.domain``. This
|
particular check is only active when accessing a site over HTTPS as otherwise
|
browsers don't always send the required information. If this additional CSRF
|
validation fails a ``BadCSRFOrigin`` exception will be raised and may be
|
caught by exception views (the default response is ``400 Bad Request``).
|
Additional allowed origins may be configured by setting
|
``pyramid.csrf_trusted_origins`` to a list of domain names (with ports if on
|
a non standard port) to allow. Subdomains are not allowed unless the domain
|
name has been prefixed with a ``.``. See
|
https://github.com/Pylons/pyramid/pull/2501
|
|
- Added a new :func:`pyramid.session.check_csrf_origin` API for validating the
|
origin or referrer headers against the request's domain.
|
See https://github.com/Pylons/pyramid/pull/2501
|
|
- Subclasses of :class:`pyramid.httpexceptions.HTTPException` will now take
|
into account the best match for the clients ``Accept`` header, and depending
|
on what is requested will return ``text/html``, ``application/json`` or
|
``text/plain``. The default for ``*/*`` is still ``text/html``, but if
|
``application/json`` is explicitly mentioned it will now receive a valid
|
JSON response. See https://github.com/Pylons/pyramid/pull/2489
|
|
- A new event, :class:`pyramid.events.BeforeTraversal`, and interface
|
:class:`pyramid.interfaces.IBeforeTraversal` have been introduced that will
|
notify listeners before traversal starts in the router.
|
See :ref:`router_chapter` as well as
|
https://github.com/Pylons/pyramid/pull/2469 and
|
https://github.com/Pylons/pyramid/pull/1876
|
|
- A new method, :meth:`pyramid.request.Request.invoke_exception_view`, which
|
can be used to invoke an exception view and get back a response. This is
|
useful for rendering an exception view outside of the context of the
|
``EXCVIEW`` tween where you may need more control over the request.
|
See https://github.com/Pylons/pyramid/pull/2393
|
|
- A global permission set via
|
:meth:`pyramid.config.Configurator.set_default_permission` will no longer
|
affect exception views. A permission must be set explicitly on the view for
|
it to be enforced. See https://github.com/Pylons/pyramid/pull/2534
|
|
- Allow a leading ``=`` on the key of the request param predicate.
|
For example, ``'=abc=1'`` is equivalent down to
|
``request.params['=abc'] == '1'``.
|
See https://github.com/Pylons/pyramid/pull/1370
|
|
- Allow using variable substitutions like ``%(LOGGING_LOGGER_ROOT_LEVEL)s``
|
for logging sections of the .ini file and populate these variables from
|
the ``pserve`` command line -- e.g.:
|
|
``pserve development.ini LOGGING_LOGGER_ROOT_LEVEL=DEBUG``
|
|
This support is thanks to the new ``global_conf`` option on
|
:func:`pyramid.paster.setup_logging`.
|
See https://github.com/Pylons/pyramid/pull/2399
|
|
- The :attr:`pyramid.tweens.EXCVIEW` tween will now re-raise the original
|
exception if no exception view could be found to handle it. This allows
|
the exception to be handled upstream by another tween or middleware.
|
See https://github.com/Pylons/pyramid/pull/2567
|
|
Deprecations
|
------------
|
|
- The ``check_csrf`` view predicate has been deprecated. Use the
|
new ``require_csrf`` option or the ``pyramid.require_default_csrf`` setting
|
to ensure that the :class:`pyramid.exceptions.BadCSRFToken` exception is
|
raised. See https://github.com/Pylons/pyramid/pull/2413
|
|
- Support for Python 3.3 will be removed in Pyramid 1.8.
|
https://github.com/Pylons/pyramid/issues/2477
|
|
Scaffolding Enhancements
|
------------------------
|
|
- A complete overhaul of the ``alchemy`` scaffold to show more modern best
|
practices with regards to SQLAlchemy session management, as well as a more
|
modular approach to configuration, separating routes into a separate module
|
to illustrate uses of :meth:`pyramid.config.Configurator.include`.
|
See https://github.com/Pylons/pyramid/pull/2024
|
|
Documentation Enhancements
|
--------------------------
|
|
A massive overhaul of the packaging and tools used in the documentation
|
was completed in https://github.com/Pylons/pyramid/pull/2468. A summary
|
follows:
|
|
- All docs now recommend using ``pip`` instead of ``easy_install``.
|
|
- The installation docs now expect the user to be using Python 3.4 or
|
greater with access to the ``python3 -m venv`` tool to create virtual
|
environments.
|
|
- Tutorials now use ``py.test`` and ``pytest-cov`` instead of ``nose`` and
|
``coverage``.
|
|
- Further updates to the scaffolds as well as tutorials and their src files.
|
|
Along with the overhaul of the ``alchemy`` scaffold came a total overhaul
|
of the :ref:`bfg_sql_wiki_tutorial` tutorial to introduce more modern
|
features into the usage of SQLAlchemy with Pyramid and provide a better
|
starting point for new projects. See
|
https://github.com/Pylons/pyramid/pull/2024 for more. Highlights were:
|
|
- New SQLAlchemy session management without any global ``DBSession``. Replaced
|
by a per-request ``request.dbsession`` property.
|
|
- A new authentication chapter demonstrating how to get simple authentication
|
bootstrapped quickly in an application.
|
|
- Authorization was overhauled to show the use of per-route context factories
|
which demonstrate object-level authorization on top of simple group-level
|
authorization. Did you want to restrict page edits to only the owner but
|
couldn't figure it out before? Here you go!
|
|
- The users and groups are stored in the database now instead of within
|
tutorial-specific global variables.
|
|
- User passwords are stored using ``bcrypt``.
|