Pyramid 1.4a4 released
84 views
Skip to first unread message
Chris McDonough
Nov 14, 2012, 2:55:11 AM11/14/12
to pylons-discuss
Pyramid 1.4a4 has been released. Here's what happened since the last
release in the 1.4 series (1.4a3):
1.4a4 (2012-11-14)
==================
Features
--------
- ``pyramid.authentication.AuthTktAuthenticationPolicy`` has been
updated to support newer hashing algorithms such as
``sha512``. Existing applications should consider updating if
possible for improved security over the default md5 hashing.
- Added an ``effective_principals`` route and view predicate.
- Do not allow the userid returned from the ``authenticated_userid``
or the userid that is one of the list of principals returned by
``effective_principals`` to be either of the strings
``system.Everyone`` or ``system.Authenticated`` when any of the
built-in authorization policies that live in
``pyramid.authentication`` are in use. These two strings are
reserved for internal usage by Pyramid and they will not be
accepted as valid userids.
- Slightly better debug logging from
``pyramid.authentication.RepozeWho1AuthenticationPolicy``.
- ``pyramid.security.view_execution_permitted`` used to return
``True`` if no view could be found. It now raises a ``TypeError``
exception in that case, as it doesn't make sense to assert that a
nonexistent view is execution-permitted. See
https://github.com/Pylons/pyramid/issues/299.
- Allow a ``_depth`` argument to ``pyramid.view.view_config``, which
will permit limited composition reuse of the decorator by other
software that wants to provide custom decorators that are much
like view_config.
- Allow an iterable of decorators to be passed to
``pyramid.config.Configurator.add_view``. This allows views to be
wrapped by more than one decorator without requiring combining the
decorators yourself.
Bug Fixes
---------
- In the past if a renderer returned ``None``, the body of the
resulting response would be set explicitly to the empty string.
Instead, now, the body is left unchanged, which allows the
renderer to set a body itself by using
e.g. ``request.response.body = b'foo'``. The body set by the
renderer will be unmolested on the way out. See
https://github.com/Pylons/pyramid/issues/709
- In uncommon cases, the ``pyramid_excview_tween_factory`` might
have inadvertently raised a ``KeyError`` looking for
``request_iface`` as an attribute of the request. It no longer
fails in this case. See
https://github.com/Pylons/pyramid/issues/700
- Be more tolerant of potential error conditions in ``match_param``
and ``physical_path`` predicate implementations; instead of
raising an exception, return False.
- ``pyramid.view.render_view`` was not functioning properly under
Python 3.x due to a byte/unicode discrepancy. See
http://github.com/Pylons/pyramid/issues/721
Deprecations
------------
- ``pyramid.authentication.AuthTktAuthenticationPolicy`` will emit a
warning if an application is using the policy without explicitly
passing a ``hashalg`` argument. This is because the default is
"md5" which is considered theoretically subject to collision
attacks. If you really want "md5" then you must specify it
explicitly to get rid of the warning.
Documentation
-------------
- All of the tutorials that use
``pyramid.authentication.AuthTktAuthenticationPolicy`` now
explicitly pass ``sha512`` as a ``hashalg`` argument.
Internals
---------
- Move ``TopologicalSorter`` from ``pyramid.config.util`` to
``pyramid.util``, move ``CyclicDependencyError`` from
``pyramid.config.util`` to ``pyramid.exceptions``, rename
``Singleton`` to ``Sentinel`` and move from
``pyramid.config.util`` to ``pyramid.util``; this is in an effort
to move that stuff that may be an API one day out of
``pyramid.config.util``, because that package should never be
imported from non-Pyramid code. TopologicalSorter is still not an
API, but may become one.
- Get rid of shady monkeypatching of ``pyramid.request.Request`` and
``pyramid.response.Response`` done within the ``__init__.py`` of
Pyramid. Webob no longer relies on this being done. Instead, the
ResponseClass attribute of the Pyramid Request class is assigned
to the Pyramid response class; that's enough to satisfy WebOb and
behave as it did before with the monkeypatching.
A detailed "What's New in Pyramid 1.4" document is available at
<http://docs.pylonsproject.org/projects/pyramid/en/master/whatsnew-1.4.html>
Pyramid 1.4a4 requires Python 2.6, 2.7, 3.2 or 3.3.
The documentation for the release is available at
http://docs.pylonsproject.org/projects/pyramid/en/1.4-branch/ .
You can install it via PyPI:
easy_install Pyramid==1.4a4
Enjoy, and please report any issues you find to the issue tracker at
https://github.com/Pylons/pyramid/issues
Thanks!
- C
release in the 1.4 series (1.4a3):
1.4a4 (2012-11-14)
==================
Features
--------
- ``pyramid.authentication.AuthTktAuthenticationPolicy`` has been
updated to support newer hashing algorithms such as
``sha512``. Existing applications should consider updating if
possible for improved security over the default md5 hashing.
- Added an ``effective_principals`` route and view predicate.
- Do not allow the userid returned from the ``authenticated_userid``
or the userid that is one of the list of principals returned by
``effective_principals`` to be either of the strings
``system.Everyone`` or ``system.Authenticated`` when any of the
built-in authorization policies that live in
``pyramid.authentication`` are in use. These two strings are
reserved for internal usage by Pyramid and they will not be
accepted as valid userids.
- Slightly better debug logging from
``pyramid.authentication.RepozeWho1AuthenticationPolicy``.
- ``pyramid.security.view_execution_permitted`` used to return
``True`` if no view could be found. It now raises a ``TypeError``
exception in that case, as it doesn't make sense to assert that a
nonexistent view is execution-permitted. See
https://github.com/Pylons/pyramid/issues/299.
- Allow a ``_depth`` argument to ``pyramid.view.view_config``, which
will permit limited composition reuse of the decorator by other
software that wants to provide custom decorators that are much
like view_config.
- Allow an iterable of decorators to be passed to
``pyramid.config.Configurator.add_view``. This allows views to be
wrapped by more than one decorator without requiring combining the
decorators yourself.
Bug Fixes
---------
- In the past if a renderer returned ``None``, the body of the
resulting response would be set explicitly to the empty string.
Instead, now, the body is left unchanged, which allows the
renderer to set a body itself by using
e.g. ``request.response.body = b'foo'``. The body set by the
renderer will be unmolested on the way out. See
https://github.com/Pylons/pyramid/issues/709
- In uncommon cases, the ``pyramid_excview_tween_factory`` might
have inadvertently raised a ``KeyError`` looking for
``request_iface`` as an attribute of the request. It no longer
fails in this case. See
https://github.com/Pylons/pyramid/issues/700
- Be more tolerant of potential error conditions in ``match_param``
and ``physical_path`` predicate implementations; instead of
raising an exception, return False.
- ``pyramid.view.render_view`` was not functioning properly under
Python 3.x due to a byte/unicode discrepancy. See
http://github.com/Pylons/pyramid/issues/721
Deprecations
------------
- ``pyramid.authentication.AuthTktAuthenticationPolicy`` will emit a
warning if an application is using the policy without explicitly
passing a ``hashalg`` argument. This is because the default is
"md5" which is considered theoretically subject to collision
attacks. If you really want "md5" then you must specify it
explicitly to get rid of the warning.
Documentation
-------------
- All of the tutorials that use
``pyramid.authentication.AuthTktAuthenticationPolicy`` now
explicitly pass ``sha512`` as a ``hashalg`` argument.
Internals
---------
- Move ``TopologicalSorter`` from ``pyramid.config.util`` to
``pyramid.util``, move ``CyclicDependencyError`` from
``pyramid.config.util`` to ``pyramid.exceptions``, rename
``Singleton`` to ``Sentinel`` and move from
``pyramid.config.util`` to ``pyramid.util``; this is in an effort
to move that stuff that may be an API one day out of
``pyramid.config.util``, because that package should never be
imported from non-Pyramid code. TopologicalSorter is still not an
API, but may become one.
- Get rid of shady monkeypatching of ``pyramid.request.Request`` and
``pyramid.response.Response`` done within the ``__init__.py`` of
Pyramid. Webob no longer relies on this being done. Instead, the
ResponseClass attribute of the Pyramid Request class is assigned
to the Pyramid response class; that's enough to satisfy WebOb and
behave as it did before with the monkeypatching.
A detailed "What's New in Pyramid 1.4" document is available at
<http://docs.pylonsproject.org/projects/pyramid/en/master/whatsnew-1.4.html>
Pyramid 1.4a4 requires Python 2.6, 2.7, 3.2 or 3.3.
The documentation for the release is available at
http://docs.pylonsproject.org/projects/pyramid/en/1.4-branch/ .
You can install it via PyPI:
easy_install Pyramid==1.4a4
Enjoy, and please report any issues you find to the issue tracker at
https://github.com/Pylons/pyramid/issues
Thanks!
- C
Reply all
Reply to author
Forward
0 new messages