Eve

Latest version: v2.2.0


0.7

Not secure
~~~~~~~~~~~

Released on 6 February, 2017

- New: Add Python 3.6 as a supported interpreter.

- New: ``OPTIMIZE_PAGINATION_FOR_SPEED``. Set this to ``True`` to improve
pagination performance. When optimization is active no count operation, which
can be slow on large collections, is performed on the database. This does
have a few consequences. Firstly, no document count is returned. Secondly,
``HATEOAS`` is less accurate: no last page link is available, and next page
link is always included, even on last page. On big collections, switching
this feature on can greatly improve performance. Defaults to ``False``
(slower performance; document count included; accurate ``HATEOAS``). Closes
944 and 853.


- New: ``Location`` header is returned on ``201 Created`` POST responses. It
will contain the URI to the created document. If bulk inserts are enabled,
only the first document URI is returned. Closes 795.

- New: Pretty printing. You can pretty print the response by specifying a query
parameter named ``?pretty`` (Hasan Pekdemir).

- New: ``AUTO_COLLAPSE_MULTI_KEYS``. If set to ``True``, multiple values sent
with the same key, submitted using the ``application/x-www-form-urlencoded``
or ``multipart/form-data`` content types, will automatically be converted to
a list of values. When using this together with ``AUTO_CREATE_LISTS`` it
becomes possible to use lists of media fields. Defaults to ``False``. Closes
932 (Conrad Burchert).

- New: ``AUTO_CREATE_LISTS``. When submitting a non ``list`` type value for
a field with type ``list``, automatically create a one element list before
running the validators. Defaults to ``False`` (Conrad Burchert).

- New: Flask-PyMongo compatibility for the ``MONGO_CONNECT`` config setting
(Massimo Scamarcia).

- New: Add Python 3.5 as a supported interpreter (Mattias Lundberg).

- New: ``MONGO_OPTIONS`` allows MongoDB arguments to be passed to the
MongoClient object. Defaults to ``{}`` (Massimo Scamarcia).

- New: Regexes are allowed by setting ``X_DOMAINS_RE`` values. This allows CORS
to support websites with dynamic ranges of subdomains. Closes 660 and 974.

- New: If the ``ENFORCE_IF_MATCH`` option is active, then all requests are
expected to include the ``If-Match`` header or they will be rejected (same as
old behavior). However, if ``ENFORCE_IF_MATCH`` is disabled, then the client
determines whether the request is conditional. When ``If-Match`` is included,
the request is conditional; otherwise the request is processed with no
conditional checks. Closes 657 (Arthur Burkart).

- New: Allow old document versions to be cache validated using ETags (Nick
Park).

- New: Support weak ETags, commonly applied by servers transmitting gzipped
content (Nick Park).

- New: ``on_oplog_push`` event is fired when OPLOG is about to be updated.
Callbacks receive two arguments: ``resource`` (resource name) and ``entries``
(list of oplog entries which are about to be written).

- New: optional ``extra`` field is available for OPLOG entries. Can be updated
by callbacks hooked to the new ``on_oplog_push`` event.

- New: OPLOG audit now includes the username or token when available. Closes
846.

- New: ``get_internal`` and ``getitem_internal`` functions can be used for
internal GET calls. These methods are not rate limited, authentication is not
checked and pre-request events are not raised.

- New: Add support for MongoDB ``DBRef`` fields (Roman Gavrilov).

- New: ``MULTIPART_FORM_FIELDS_AS_JSON``. In case you are submitting your
resource as ``multipart/form-data`` all form data fields will be submitted as
strings, breaking any validation rules you might have on the resource fields.
If you want to treat all submitted form data as JSON strings you will have to
activate this setting. Closes 806 (Stratos Gerakakis).

- New: Support for MongoDB Aggregation Framework. Endpoints can respond with
aggregation results. Clients can optionally influence aggregation
results by using the new ``aggregate`` option: ``aggregate={"$year": 2015}``.

- New: Flask views (``app.route``) can now set ``mongo_prefix`` via Flask's
``g`` object: ``g.mongo_prefix = 'MONGO2'`` (Gustavo Vargas).

- New: Query parameters not recognised by Eve are now returned in HATEOAS URLs
(Mugur Rus).

- New: ``OPLOG_CHANGE_METHODS`` is a list of HTTP methods whose operations will
have their changes included in the OpLog (mmizotin).

- Change: Return ``428 Precondition Required`` instead of a generic ``403
Forbidden`` when the ``If-Match`` request header is missing (Arnau Orriols).

- Change: ETag response header now conforms to RFC 7232/2.3 and is surrounded
by double quotes. Closes 794.

- Fix: Better locating of ``settings.py``. On startup, if settings flag is
omitted in constructor, Eve will try to locate file named settings.py, first
in the application folder and then in one of the application's subfolders.
You can choose an alternative filename/path, just pass it as an argument when
you instantiate the application. If the file path is relative, Eve will try
to locate it recursively in one of the folders in your sys.path, therefore
you have to be sure that your application root is appended to it. This is
useful, for example, in testing environments, when settings file is not
necessarily located in the root of your application. Closes 820 (Mario
Kralj).

- Fix: Versioning does not work with User Restricted Resource Access. Closes
967 (Kris Lambrechts)

- Fix: ``test_create_indexes()`` typo. Closes 960.

- Fix: fix crash when attempting to modify a document ``_id`` on MongoDB 3.4
(Giorgos Margaritis)

- Fix: improve serialization of boolean values. Closes 947 (NotSpecial).

- Fix: fix intermittently failing test. Closes 934 (Conrad Burchert).

- Fix: Multiple, fast (within a 1 second window) and neutral (no actual
changes) PATCH requests should not raise ``412 Precondition Failed``.
Closes 920.

- Fix: Resource titles are not properly escaped during the XML rendering of the
root document (Kris Lambrechts).

- Fix: ETag request headers which conform to RFC 7232/2.3 (double quoted value)
are now properly processed. Addresses 794.

- Fix: Deprecation warning from Flask. Closes 898 (George Lestaris).

- Fix: add support for serialization on lists using anyof, oneof, allof, noneof.
Closes 876 (Carles Bruguera).

- Fix: update security example snippets to match with current API (Stanislav
Filin).

- Fix: ``notifications.py`` example snippet crashes due to lack of ``DOMAIN``
setting (Stanislav Filin).

- Docs: clarify documentation for custom validators: Cerberus dependency is
still pinned to version 0.9.2. Upgrade to Cerberus 1.0+ is planned with v0.8.
Closes 796.
- Docs: remove the deprecated ``--distribute`` virtualenv option (Eugene
Prikazchikov).
- Docs: add date and subdocument fields filtering examples. Closes 924.
- Docs: add Eve-Neo4j to the extensions page (Rodrigo Rodriguez).
- Docs: stress that alternate backends are supported via community extensions.
- Docs: clarify that Redis is an optional dependency (Mateusz Łoskot).

- Update license to 2017. Closes 955.
- Update: Flask 0.12. Closes 945, 904 and 963.
- Update: PyMongo 3.4 is now required. Closes 964.
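
The ``X_DOMAINS_RE`` entry in the 0.7 notes above lets CORS origins be matched by regular expression. As an added example (not code from Eve), the sketch below assumes each pattern is applied to the ``Origin`` header with ``re.match``, which anchors only at the start of the string; ``origin_allowed``, ``audit_pattern`` and all sample patterns and origins are hypothetical, constructed values.

```python
import re

# Constructed sample patterns; example.com is a placeholder domain.
WEAK = [r"https://.*.example.com"]                  # unescaped dots, no end anchor
STRICT = [r"https://[a-z0-9-]+\.example\.com\Z"]    # explicit label class, anchored


def origin_allowed(origin, patterns):
    """Return True if the Origin value matches any pattern.

    Assumption: patterns are applied with re.match, which anchors only at
    the start, so a pattern without an end anchor also accepts any origin
    that merely begins with a valid-looking host.
    """
    return any(re.match(p, origin) for p in patterns)


def audit_pattern(pattern):
    """Return a list of findings for one X_DOMAINS_RE-style value."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return ["does not compile: %s" % exc]

    findings = []
    anchored = pattern.endswith(r"\Z") or (
        pattern.endswith("$") and not pattern.endswith(r"\$")
    )
    if not anchored:
        findings.append("no end anchor: text after the host is accepted")

    # Drop escaped characters and [...] classes; any '.' left is a wildcard.
    remainder = re.sub(r"\\.|\[[^\]]*\]", "", pattern)
    if "." in remainder:
        findings.append(
            "unescaped '.': matches any character; escape literal dots "
            "and prefer an explicit label class"
        )
    return findings


if __name__ == "__main__":
    # Constructed Origin header values.
    origins = [
        "https://api.example.com",
        "https://api.example.com.other.test",
        "https://apiXexampleYcom",
    ]
    for name, patterns in (("WEAK", WEAK), ("STRICT", STRICT)):
        for origin in origins:
            print(name, origin, origin_allowed(origin, patterns))
        for p in patterns:
            print(name, "audit:", audit_pattern(p) or "ok")
```

Running ``audit_pattern`` over every configured value at startup or in CI catches patterns that would reflect an unintended origin in ``Access-Control-Allow-Origin``.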

0.6.4

Not secure
~~~~~~~~~~~~~

Released on 8 June, 2016

- Fix: Cannot serialize data when a field that has a ``valueschema`` that is of
``dict`` type. Closes 874.
- Fix: Authorization header bearer tokens not parsed correctly. Closes 866
(James Stewart).
- Fix: TokenAuth prevents base64 decoding of Tokens. Closes 840.
- Fix: If datasource source is specified no fields are included by default.
Closes 842.

- Docs: streamline Quickstart guide. Closes 868.
- Docs: fix broken link in Installation page. Closes 861.
- Docs: Resource configuration doesn't mention ``versioning`` override. Closes
845.

0.6.3

Not secure
~~~~~~~~~~~~~

Released on 16 March, 2016

- Fix: Since 0.6.2, static projections are not honoured. Closes 837.

0.6.2

Not secure
~~~~~~~~~~~~~

Released on 14 March, 2016

- Fix: ``Access-Control-Allow-Max-Age`` should actually be
``Access-Control-Max-Age``. Closes 829.
- Fix: ``unique`` validation rule is checked against soft deleted documents.
Closes 831.
- Fix: Mongo does not allow ``$`` and ``.`` in field names. Apply this
validation in schemas and dict fields. Closes 780.
- Fix: Remove "ensure uniqueness of (custom) id fields" feature. Addresses
788.
- Fix: ``409 Conflict`` not reported since upgrading to PyMongo 3. Closes 680.
- Fix: when a document is soft deleted, the OPLOG ``_updated`` field is not the
time of the deletion but the time of the previous last update (Cyril
Bonnard).
- Fix: TokenAuth. When the tokens are passed as "Authorization: " or
"Authorization: Token " headers, werkzeug does not recognize them as valid
authorization header, therefore the ``request.authorization`` field is empty
(Luca Di Gaspero).
- Fix: ``SCHEMA_ENDPOINT`` does not work when schema has lambda function as
``coerce`` rule. Closes 790.
- Fix: CORS pre-flight requests malfunction on ``SCHEMA_ENDPOINT`` endpoint
(Valerie Coffman).
- Fix: do not attempt to parse ``number`` values as strings when they are
numerical (Nick Park).
- Fix: the ``__init__.py`` ``ITEM_URL`` does not match default_settings.py.
Closes 786 (Ralph Smith).
- Fix: startup crash when both ``SOFT_DELETE`` and ``ALLOW_UNKNOWN`` are
enabled. Closes 800.
- Fix: Serialize inside ``of`` and ``of_type`` rules new in Cerberus 0.9.
Closes 692 (Arnau Orriols).
- Fix: In ``put_internal`` Validator is not set when ``skip_validation`` is
``true`` (Wei Guan).
- Fix: In ``patch_internal`` Validator is not set when ``skip_validation`` is
``true`` (Stratos Gerakakis).
- Fix: Add missing serializer for fields of type ``number`` (Arnau Orriols).
- Fix: Skip any null value from serialization (Arnau Orriols).
- Fix: When ``SOFT_DELETE`` is active an exclusive ``datasource.projection``
causes a ``500`` error. Closes 752.

- Update: PyMongo 3.2 is now required.
- Update: Flask-PyMongo 0.4+ is now required.
- Update: Werkzeug up to 0.11.4 is now required
- Change: simplejson v3.8.2 is now required.

- Docs: fix some typos (Manquer, Patrick Decat).
- Docs: add missing imports to authentication docs (Hamdy)
- Update license to 2016 (Prayag Verma)

0.6.1

Not secure
~~~~~~~~~~~~~

Released on 29 October, 2015

- New: ``BULK_ENABLED`` enables/disables bulk insert. Defaults to ``True``
(Julian Hille).
- New: ``VALIDATE_FILTERS`` enables/disables validating of query filters
against resource schema. Closes 728 (Stratos Gerakakis).
- New: ``TRANSPARENT_SCHEMA_RULES`` enables/disables schema validation globally
and ``transparent_schema_rules`` per resource (Florian Rathgeber).
- New: ``ALLOW_OVERRIDE_HTTP_METHOD`` enables/disables support for overriding
request methods with ``X-HTTP-Method-Override`` headers (Julian Hille).

- Fix: flake8 fails on Python 3. Closes 747 (Simon Schönfeld).
- Fix: recursion for dotted field normalization (Matt Tucker).
- Fix: dependencies on sub-document fields always return 422. Closes 706.
- Fix: invoking ``post_internal`` with ``skip_validation = True`` causes
a ``422`` response. Closes 726.
- Fix: explicit inclusive datasource projection is ignored. Closes 722.

- Dev: fix rate limiting tests so they don't occasionally fail.
- Dev: make sure connections opened by test suite are properly closed on
teardown.
- Dev: use middleware to parse overrides and eventually update request method
(Julian Hille).
- Dev: optimize versioning by building specific versions without deepcopying
the root document (Nick Park).
- Dev: ``_client_projection`` method has been moved up from the mongo layer to
the base DataLayer class. It is now available for other data layers
implementations, such as Eve-SQLAlchemy (Gonéri Le Bouder).

- Docs: add instructions for installing dependencies and building docs (Florian
Rathgeber).
- Docs: fix link to contributing guidelines (Florian Rathgeber).
- Docs: fix some typos (Stratos Gerakakis, Julian Hille).
- Docs: add Eve-Swagger to Extensions page.
- Docs: fix broken link to Mongo's capped collections (Nathan Reynolds).

0.6

Not secure
~~~~~~~~~~~

Released on 28 September, 2015

- New: support for embedding simple ObjectId fields: you can now use the
``data_relation`` rule on them (Gonéri Le Bouder).
- New: support for multiple layers of embedding (Gonéri Le Bouder).
- New: ``SCHEMA_ENDPOINT`` allows resource schema to be returned from an API
endpoint (Nick Park).
- New: HATEOAS links can be customized from within callback functions (Magdas
Adrian).
- New: ``_INFO``: string value to include an info section, with the given INFO
name, at the Eve homepage (suggested value ``_info``). The info section will
include Eve server version and API version (API_VERSION, if set). ``None``
otherwise, if you do not want to expose any server info. Defaults to ``None``
(Stratos Gerakakis).
- New: ``id_field`` sets a field used to uniquely identify resource items
within the database. Locally overrides ``ID_FIELD`` (Dominik Kellner).
- New: ``UPSERT_ON_PUT`` allows document creation on PUT if the document does
not exist. Defaults to ``True``. See below for details.
- New: PUT attempts to create a document if it does not exist. The URL endpoint
will be used as ``ID_FIELD`` value (if ``ID_FIELD`` is included with the
payload, it will be ignored). Normal validation rules apply. The response
will be a ``201 Created`` on successful creation. Response payload will be
identical to the one you would get by performing a single document POST to the
resource endpoint. Set ``UPSERT_ON_PUT`` to ``False`` to disable this
behaviour, and get a ``404`` instead. Closes 634.
- New: POST accepts documents which include ``ID_FIELD`` (``_id``) values. This
is in addition to the old behaviour of auto-generating ``ID_FIELD`` values
when the submitted document does not contain it. Please note that, while you
can add ``ID_FIELD`` to the schema (previously not allowed), you don't really
have to, unless its type is different from the ``ObjectId`` default. This
means that in most cases you can start storing ``ID_FIELD``-included
documents right away, without making any changes.
- New: Log MongoDB and HTTP methods exceptions (Sebastien Estienne).
- New: Enhanced Logging.
- New: ``VALIDATION_ERROR_AS_LIST``. If ``True`` even single field errors will
be returned in a list. By default single field errors are returned as strings
while multiple field errors are bundled in a list. If you want to standardize
the field errors output, set this setting to ``True`` and you will always get
a list of field issues. Defaults to ``False``. Closes 536.
- New: ``STANDARD_ERRORS`` is a list of HTTP codes that will be served with the
canonical API response format, which includes a JSON body providing both
error code and description. Addresses 586.
- New: ``anyof`` validation rule allows you to list multiple sets of rules to
validate against.
- New: ``allof`` validation rule, same as ``anyof`` except that all rule
collections in the list must validate.
- New: ``noneof`` validation rule. Same as ``anyof`` except that it requires no
rule collections in the list to validate.
- New: ``oneof`` validation rule. Same as ``anyof`` except that only one rule
collection in the list can validate.
- New: ``valueschema`` validation rule replaces the now deprecated
``keyschema`` rule.
- New: ``propertyschema`` is the counterpart to ``valueschema`` that validates
the keys of a dict.
- New: ``coerce`` validation rule. Type coercion allows you to apply a callable
to a value before any other validators run.
- New: ``MONGO_AUTHDBNAME`` allows you to specify a MongoDB authorization
database. Defaults to ``None`` (David Wood).
- New: ``remove`` method in Mongo data layer now returns the deletion status or
``None`` if write acknowledgement is disabled (Mayur Dhamanwala).
- New: ``unique_to_user`` validation rule allows you to validate that a field
value is unique to the user. Different users can share the same value for the
field. This is useful when User Restricted Resource Access is enabled on an
endpoint. If URRA is not active on the endpoint, this rule behaves like
``unique``. Closes 646.
- New: ``MEDIA_BASE_URL`` allows you to set a custom base URL to be used when
``RETURN_MEDIA_AS_URL`` is active (Henrique Barroso).
- New: ``SOFT_DELETE`` enables soft deletes when set to ``True`` (Nick Park.)
- New: ``mongo_indexes`` allows for creation of MongoDB indexes at application
launch (Pau Freixes.)
- New: clients can opt out of default embedded fields:
``?embedded={"author":0}`` would cause the embedded author not to be included
with response payload. (Tobias Betz.)
- New: CORS: Support for ``X-ALLOW-CREDENTIALS`` (Cyprien Pannier.)
- New: Support for dot notation in POST, PATCH and PUT methods. Be aware that,
for PATCH and PUT, if dot notation is used even on just one field, the whole
sub-document will be replaced. So if this document is stored:

``{"name": "john", "location": {"city": "New York", "address": "address"}}``

A PATCH like this:

``{"location.city": "Boston"}``

(which is exactly equivalent to:)

``{"location": {"city": "Boston"}}``

Will update the document to:

``{"name": "john", "location": {"city": "Boston"}}``

- New: JSONP Support (Tim Jacobi.)
- New: Support for multiple MongoDB databases and/or servers.

- ``mongo_prefix`` resource setting allows overriding of the default
``MONGO`` prefix used when retrieving MongoDB settings from configuration.
For example, set a resource ``mongo_prefix`` to ``MONGO2`` to read/write
from the database configured with that prefix in your settings file
(``MONGO2_HOST``, ``MONGO2_DBNAME``, etc.)
- ``set_mongo_prefix()`` and ``get_mongo_prefix()`` have been added to
``BasicAuth`` class and derivatives. These can be used to arbitrarily set
the target database depending on the token/client performing the request.

Database connections are cached in order not to lose performance. Also,
this change only affects the MongoDB engine, so extensions currently
targeting other databases should not need updates (they will not inherit
this feature however.)
- New: Enable ``on_pre_GET`` hook for HEAD requests (Daniel Lytkin.).
- New: Add ``X-Total-Count`` header for collection GET/HEAD requests (Daniel
Lytkin.).
- New: ``RETURN_MEDIA_AS_URL``, ``MEDIA_ENDPOINT`` and ``MEDIA_URL`` allow for
serving files at a dedicated media endpoint while urls are returned in
document media fields (Daniel Lytkin.)
- New: ``etag_ignore_fields``. Resource setting with a list of fields belonging
to the schema that won't be used to compute the ETag value. Defaults to
``None`` (Olivier Carrère.)

- Change: when HATEOAS is off the home endpoint will respond with ``200 OK``
instead of ``404 Not Found`` (Stratos Gerakakis).
- Change: PUT does not return ``404`` if a document URL does not exist. It will
attempt to create the document instead. Set ``UPSERT_ON_PUT`` to ``False`` to
disable this behaviour and get a ``404`` instead.
- Change: A PATCH including an ``ID_FIELD`` field whose value is different from
the original will get a ``400 Bad Request``, along with an explanation in the
message body that the field is immutable. Previously, it would get an
``unknown field`` validation error.

- Dev: Improve GET performance on large versioned documents (Nick Park.)
- Dev: The ``MediaStorage`` base class now accepts the active resource as an
argument for its methods. This allows data-layers to avoid resorting to the
Flask request object to determine the active resource. To preserve backward
compatibility the new ``resource`` argument defaults to ``None`` (Magdas
Adrian).
- Dev: The Mongo data-layer is not dependent on the Flask request object
anymore. It will still fall back to it if the ``resource`` argument is
``None``. Closes 632. (Magdas Adrian).

- Fix: store versions in the same mongo collection when ``datasource`` is used
(Magdas Adrian).
- Fix: Update ``serialize`` to gracefully handle non-dictionary values in dict
type fields (Nick Park).
- Fix: changes to the ``updates`` argument, applied by callbacks hooked to the
``on_updated`` event, were not persisted to the database (Magdas Adrian).
Closes 682.
- Fix: Changes applied to the ``updates`` argument``on_updated`` returns the
whole updated document. Previously, it was only returning the updates sent
with the request. Closes 682.
- Fix: Replace the Cerberus rule ``keyschema``, now deprecated, with the new
``propertyschema`` (Julian Hille).
- Fix: some error messages are not filtered out of debug mode anymore, as they
are useful for users and do not leak information. Closes 671 (Sebastien
Estienne).
- Fix: reinforce Content-Type Header handling to avoid possible crash when it
is missing (Sebastien Estienne).
- Fix: some schema errors were not being reported as SchemaError exceptions.
A more generic 'DOMAIN missing or wrong' message was returned instead.
- Fix: When versioning is enabled on a resource with a custom ID_FIELD,
versioning documents will inherit their ID from the versioned document,
making any update of the document result in a DuplicateKeyError (Matthieu
Prat).
- Fix: Filter validation fails to validate query selectors that contain a value
of the list data-type, which is not a list of sub-queries. See 674 (Matthieu
Prat).
- Fix: ``_validate_dependencies`` always returns ``None``.
- Fix: ``412 Precondition Failed`` does not return a JSON body. Closes 661.
- Fix: ``embedded_fields`` may point to a field that comes from another embedded
document. For example, ``['a.b.c', 'a.b', 'a']`` (Gonéri Le Bouder).
- Fix: add handling of sub-resource resolving for PUT method (Olivier Poitrey).
- Fix: ``dependencies`` rule would mistakenly validate documents when target
fields happened to also have a ``default`` value.
- Fix: According to RFC2617 the separator should be (=) instead of (:). This
caused at least Chrome not to prompt user for the credentials, and not to
send the Authorization header even when credentials were in the url (Samuli
Tuomola).
- Fix: make sure ``unique`` validation rule is consistent between HTTP methods.
A field value must be unique within the datasource, regardless of the user
who created it. Closes 646.
- Fix: OpLog domain entry is not created if ``OPLOG_ENDPOINT`` is ``None``.
Closes 628.
- Fix: Do not overwrite ``ID_FIELD`` as it is not a sub resource. See 641 for
details (Olivier Poitrey).
- Fix: ETag computation crash when non-standard json serializers are used
(Kevin Roy.)
- Fix: Remove duplicate item in Mongo operators list. Closes 619.
- Fix: Versioning: invalidate cache when ``_latest_version`` changes in
versioned doc (Nick Park.)
- Fix: snippet in account management tutorial (xgddsg.)
- Fix: ``MONGO_REPLICA_SET`` and other significant Flask-PyMongo settings have
been added to the documentation. Closes 615.
- Fix: Serialization of lists of lists (Nick Park.)
- Fix: Make sure ``original`` is not modified during ``PATCH``. Closes 611
(Petr Jašek.)
- Fix: Route parameters are applied to new documents before they are validated.
This ensures that documents with required fields will be populated before
they are validated. Addresses 354. (Matthew Ellison.)
- Fix: ``GridFSMediaStorage`` does not save filename. Closes 605 (Sam Luu).
- Fix: Reinforce GeoJSON validation (Joakim Uddholm.)
- Fix: Geopoint coordinates do not accept integers. Closes 591 (Joakim
Uddholm.)
- Fix: OpLog enabled makes PUT return wrong Etag. Closes 590.

- Update: Cerberus 0.9.2 is now required.
- Update: PyMongo 2.8 is now required (which in turn supports MongoDB 3.0)
