1.6a2 (2015-06-30) ================== Bug Fixes --------- - Ensure that ``pyramid.httpexceptions.exception_response`` returns the appropriate "concrete" class for ``400`` and ``500`` status codes. See https://github.com/Pylons/pyramid/issues/1832 - Fix an infinite recursion bug introduced in 1.6a1 when ``pyramid.view.render_view_to_response`` was called directly or indirectly. See https://github.com/Pylons/pyramid/issues/1643 - Further fix the JSONP renderer by prefixing the returned content with a comment. This should mitigate attacks from Flash (See CVE-2014-4671). See https://github.com/Pylons/pyramid/pull/1649 - Allow periods and brackets (``[]``) in the JSONP callback. The original fix was overly-restrictive and broke Angular. See https://github.com/Pylons/pyramid/pull/1649 1.6a1 (2015-04-15) ================== Features -------- - pcreate will now ask for confirmation if invoked with an argument for a project name that already exists or is importable in the current environment. See https://github.com/Pylons/pyramid/issues/1357 and https://github.com/Pylons/pyramid/pull/1837 - Make it possible to subclass ``pyramid.request.Request`` and also use ``pyramid.request.Request.add_request.method``. See https://github.com/Pylons/pyramid/issues/1529 - The ``pyramid.config.Configurator`` has grown the ability to allow actions to call other actions during a commit-cycle. This enables much more logic to be placed into actions, such as the ability to invoke other actions or group them for improved conflict detection. We have also exposed and documented the config phases that Pyramid uses in order to further assist in building conforming addons. See https://github.com/Pylons/pyramid/pull/1513 - Add ``pyramid.request.apply_request_extensions`` function which can be used in testing to apply any request extensions configured via ``config.add_request_method``. Previously it was only possible to test the extensions by going through Pyramid's router. See https://github.com/Pylons/pyramid/pull/1581 - pcreate when run without a scaffold argument will now print information on the missing flag, as well as a list of available scaffolds. See https://github.com/Pylons/pyramid/pull/1566 and https://github.com/Pylons/pyramid/issues/1297 - Added support / testing for 'pypy3' under Tox and Travis. See https://github.com/Pylons/pyramid/pull/1469 - Automate code coverage metrics across py2 and py3 instead of just py2. See https://github.com/Pylons/pyramid/pull/1471 - Cache busting for static resources has been added and is available via a new argument to ``pyramid.config.Configurator.add_static_view``: ``cachebust``. Core APIs are shipped for both cache busting via query strings and path segments and may be extended to fit into custom asset pipelines. See https://github.com/Pylons/pyramid/pull/1380 and https://github.com/Pylons/pyramid/pull/1583 - Add ``pyramid.config.Configurator.root_package`` attribute and init parameter to assist with includeable packages that wish to resolve resources relative to the package in which the ``Configurator`` was created. This is especially useful for addons that need to load asset specs from settings, in which case it is may be natural for a developer to define imports or assets relative to the top-level package. See https://github.com/Pylons/pyramid/pull/1337 - Added line numbers to the log formatters in the scaffolds to assist with debugging. See https://github.com/Pylons/pyramid/pull/1326 - Add new HTTP exception objects for status codes ``428 Precondition Required``, ``429 Too Many Requests`` and ``431 Request Header Fields Too Large`` in ``pyramid.httpexceptions``. See https://github.com/Pylons/pyramid/pull/1372/files - The ``pshell`` script will now load a ``PYTHONSTARTUP`` file if one is defined in the environment prior to launching the interpreter. See https://github.com/Pylons/pyramid/pull/1448 - Make it simple to define notfound and forbidden views that wish to use the default exception-response view but with altered predicates and other configuration options. The ``view`` argument is now optional in ``config.add_notfound_view`` and ``config.add_forbidden_view``.. See https://github.com/Pylons/pyramid/issues/494 - Greatly improve the readability of the ``pcreate`` shell script output. See https://github.com/Pylons/pyramid/pull/1453 - Improve robustness to timing attacks in the ``AuthTktCookieHelper`` and the ``SignedCookieSessionFactory`` classes by using the stdlib's ``hmac.compare_digest`` if it is available (such as Python 2.7.7+ and 3.3+). See https://github.com/Pylons/pyramid/pull/1457 - Assets can now be overidden by an absolute path on the filesystem when using the ``config.override_asset`` API. This makes it possible to fully support serving up static content from a mutable directory while still being able to use the ``request.static_url`` API and ``config.add_static_view``. Previously it was not possible to use ``config.add_static_view`` with an absolute path **and** generate urls to the content. This change replaces the call, ``config.add_static_view('/abs/path', 'static')``, with ``config.add_static_view('myapp:static', 'static')`` and ``config.override_asset(to_override='myapp:static/', override_with='/abs/path/')``. The ``myapp:static`` asset spec is completely made up and does not need to exist - it is used for generating urls via ``request.static_url('myapp:static/foo.png')``. See https://github.com/Pylons/pyramid/issues/1252 - Added ``pyramid.config.Configurator.set_response_factory`` and the ``response_factory`` keyword argument to the ``Configurator`` for defining a factory that will return a custom ``Response`` class. See https://github.com/Pylons/pyramid/pull/1499 - Allow an iterator to be returned from a renderer. Previously it was only possible to return bytes or unicode. See https://github.com/Pylons/pyramid/pull/1417 - ``pserve`` can now take a ``-b`` or ``--browser`` option to open the server URL in a web browser. See https://github.com/Pylons/pyramid/pull/1533 - Overall improvments for the ``proutes`` command. Added ``--format`` and ``--glob`` arguments to the command, introduced the ``method`` column for displaying available request methods, and improved the ``view`` output by showing the module instead of just ``__repr__``. See https://github.com/Pylons/pyramid/pull/1488 - Support keyword-only arguments and function annotations in views in Python 3. See https://github.com/Pylons/pyramid/pull/1556 - ``request.response`` will no longer be mutated when using the ``pyramid.renderers.render_to_response()`` API. It is now necessary to pass in a ``response=`` argument to ``render_to_response`` if you wish to supply the renderer with a custom response object for it to use. If you do not pass one then a response object will be created using the application's ``IResponseFactory``. Almost all renderers mutate the ``request.response`` response object (for example, the JSON renderer sets ``request.response.content_type`` to ``application/json``). However, when invoking ``render_to_response`` it is not expected that the response object being returned would be the same one used later in the request. The response object returned from ``render_to_response`` is now explicitly different from ``request.response``. This does not change the API of a renderer. See https://github.com/Pylons/pyramid/pull/1563 - The ``append_slash`` argument of ```Configurator().add_notfound_view()`` will now accept anything that implements the ``IResponse`` interface and will use that as the response class instead of the default ``HTTPFound``. See https://github.com/Pylons/pyramid/pull/1610 Bug Fixes --------- - The JSONP renderer created JavaScript code in such a way that a callback variable could be used to arbitrarily inject javascript into the response object. https://github.com/Pylons/pyramid/pull/1627 - Work around an issue where ``pserve --reload`` would leave terminal echo disabled if it reloaded during a pdb session. See https://github.com/Pylons/pyramid/pull/1577, https://github.com/Pylons/pyramid/pull/1592 - ``pyramid.wsgi.wsgiapp`` and ``pyramid.wsgi.wsgiapp2`` now raise ``ValueError`` when accidentally passed ``None``. See https://github.com/Pylons/pyramid/pull/1320 - Fix an issue whereby predicates would be resolved as maybe_dotted in the introspectable but not when passed for registration. This would mean that ``add_route_predicate`` for example can not take a string and turn it into the actual callable function. See https://github.com/Pylons/pyramid/pull/1306 - Fix ``pyramid.testing.setUp`` to return a ``Configurator`` with a proper package. Previously it was not possible to do package-relative includes using the returned ``Configurator`` during testing. There is now a ``package`` argument that can override this behavior as well. See https://github.com/Pylons/pyramid/pull/1322 - Fix an issue where a ``pyramid.response.FileResponse`` may apply a charset where it does not belong. See https://github.com/Pylons/pyramid/pull/1251 - Work around a bug introduced in Python 2.7.7 on Windows where ``mimetypes.guess_type`` returns Unicode rather than str for the content type, unlike any previous version of Python. See https://github.com/Pylons/pyramid/issues/1360 for more information. - ``pcreate`` now normalizes the package name by converting hyphens to underscores. See https://github.com/Pylons/pyramid/pull/1376 - Fix an issue with the final response/finished callback being unable to add another callback to the list. See https://github.com/Pylons/pyramid/pull/1373 - Fix a failing unittest caused by differing mimetypes across various OSs. See https://github.com/Pylons/pyramid/issues/1405 - Fix route generation for static view asset specifications having no path. See https://github.com/Pylons/pyramid/pull/1377 - Allow the ``pyramid.renderers.JSONP`` renderer to work even if there is no valid request object. In this case it will not wrap the object in a callback and thus behave just like the ``pyramid.renderers.JSON`` renderer. See https://github.com/Pylons/pyramid/pull/1561 - Prevent "parameters to load are deprecated" ``DeprecationWarning`` from setuptools>=11.3. See https://github.com/Pylons/pyramid/pull/1541 - Avoiding sharing the ``IRenderer`` objects across threads when attached to a view using the `renderer=` argument. These renderers were instantiated at time of first render and shared between requests, causing potentially subtle effects like `pyramid.reload_templates = true` failing to work in `pyramid_mako`. See https://github.com/Pylons/pyramid/pull/1575 and https://github.com/Pylons/pyramid/issues/1268 - Avoiding timing attacks against CSRF tokens. See https://github.com/Pylons/pyramid/pull/1574 - ``request.finished_callbacks`` and ``request.response_callbacks`` now default to an iterable instead of ``None``. It may be checked for a length of 0. This was the behavior in 1.5. Deprecations ------------ - Renamed the ``principal`` argument to ``pyramid.security.remember()`` to ``userid`` in order to clarify its intended purpose. See https://github.com/Pylons/pyramid/pull/1399 Docs ---- - Moved the documentation for ``accept`` on ``Configurator.add_view`` to no longer be part of the predicate list. See https://github.com/Pylons/pyramid/issues/1391 for a bug report stating ``not_`` was failing on ``accept``. Discussion with @mcdonc led to the conclusion that it should not be documented as a predicate. See https://github.com/Pylons/pyramid/pull/1487 for this PR - Removed logging configuration from Quick Tutorial ini files except for scaffolding- and logging-related chapters to avoid needing to explain it too early. - Clarify a previously-implied detail of the ``ISession.invalidate`` API documentation. - Improve and clarify the documentation on what Pyramid defines as a ``principal`` and a ``userid`` in its security APIs. See https://github.com/Pylons/pyramid/pull/1399 Scaffolds --------- - Update scaffold generating machinery to return the version of pyramid and pyramid docs for use in scaffolds. Updated starter, alchemy and zodb templates to have links to correctly versioned documentation and reflect which pyramid was used to generate the scaffold. - Removed non-ascii copyright symbol from templates, as this was causing the scaffolds to fail for project generation. - You can now run the scaffolding func tests via ``tox py2-scaffolds`` and ``tox py3-scaffolds``.