Eve

~~~~~~~~~~~

Released on 30 November, 2013.

- [new] Sub-Resources. It is now possible to configure endpoints such as:
``/companies/<company_id>/invoices``. Also, the corresponding item endpoints,
such as ``/companies/<company_id>/invoices/<invoice_id>``, are available. All
CRUD operations on these endpoints are allowed. Closes 156.
- [new] ``resource_title`` allows to customize the endpoint title (HATEOAS).
- [new][dev] ``extra`` cursor property, when present, will be added to ``GET``
responses (with same key). This feature can be used by Eve extensions to
inject proprietary data into the response stream (Petr Jašek).
- [new] ``IF_MATCH`` allows to disable checks for ETag matches on edit, replace
and delete requests. If disabled, requests without an If-Match header will be
honored without returning a 403 error. Defaults to True (enabled by default).
- [new] ``LINKS`` allows to customize the links field. Default to '_links'.
- [new] ``ITEMS`` allows to customize the items field. Default to '_items'.
- [new] ``STATUS`` allows to customize the status field. Default to 'status'.
- [new] ``ISSUES`` allows to customize the issues field. Default to 'issues'.
- [new] Handling custom ID fields tutorial.
- [new] A new ``json_encoder`` initialization argument is available. It allows
to pass custom JSONEncoder or eve.io.BaseJSONEncoder to the Eve instance.
- [new] A new ``url_converters`` initialization argument is available. It
allows to pass custom Flask url converters to the Eve constructor.
- [new] ID_FIELD fields can now be of arbitrary types, not only ObjectIds.
Thanks to Kelvin Hammond for contributing to this one. Closes 136.
- [new] ``pre_<method>`` and ``pre_<method>_<resource>`` event hooks are now
available. They are raised when a request is received and before processing
it. The resource involved and the Flask request object are returned to the
callback function (dccrazyboy).
- [new] ``embedded_fields`` activates default Embedded Resource Serialization
on a list of selected document fields. Eventual embedding requests by clients
will be processed along with default embedding. In order for default
embedding to work, the field must be defined as embeddable, and embedding
must be active for the resource (with help from Christoph Witzany).
- [new] ``default_sort`` option added to the ``datasource`` resource setting.
It allows to set default sorting for the endpoint. Default sorting will be
overriden by a client request that happens to include a ``?sort`` argument
within the query string (with help from Christoph Witzany).
- [new] You can now choose to provide custom settings as a Python dictionary.
- [new] New method ``Eve.register_resource()`` for registering new resource
after initialization of Eve object. This is needed for simpler initialization
API of all ORM/ODM extensions (Stanislav Heller).
- [change] Rely on Flask endpoints to map urls to resources.
- [change] For better consistency with new ``pre_<method>`` hooks,
``on_<method>`` event hooks have been renamed to ``on_post_<method>``.
- [change] Custom authentication classes can now be set at endpoint level. When
set, an endpoint-level auth class will override the eventual global level
auth class. Authentication docs have been updated (and greatly revised)
accordingly. Closes 89.
- [change] JSON encoding is now handled at the DataLayer level allowing for
specialized, granular, data-aware encoding. Also, since the JSON encoder is
now a class attribute, extensions can replace the pre-defined data layer
encoder with their own implementation. Closes 102.
- [fix] HMAC example and docs updated to align with new hmac in Python 2.7.3,
which is only accepting bytes string. Closes 199.
- [fix] Properly escape leaf values in XML responses (Florian Rathgeber).
- [fix] A read-only field with a default value would trigger a validation error
on POST and PUT methods.

~~~~~~~~~~~~~

Released on October 31th, 2013.

- DELETE now uses the original document ID_FIELD when issuing the delete
command to the underlying data layer (Xavi Cubillas).
- Embedded Resource Serialization also available at item endpoints
(``/invoices/<id>/?embedded={'person':1}``),
- ``collection`` (used when setting up a data relation, see Embedded Resource
Serialization) has been renamed to ``resource`` in order to avoid confusion
between the Eve schema and underlying MongoDB collections.
- Nested endpoints. Endpoints with deep paths like ``/contacts/overseas`` can
now function in conjuction with top-level endpoints (``/contacts``).
Endpoints are completely independent: each can allow item lookups
(``/contacts/<id>`` and ``contacts/overseas/<id>``) and different access
methods. Previously, while you could have complex urls, you could not get
nested endpoints to work properly.
- PyMongo 2.6.3 is now supported.
- item-id wrappers have been removed from POST/PATCH/PUT requests and
responses. Requests for single document insertion/edition are now performed
by just submitting the relevant document. Bulk insert requests are performed
by submitting a list of documents. The response to bulk requests is a list
itself in which every list item contains the state of the corresponding
request document. Please note that this is a breaking change. Also be aware
that when the request content-type is ``x-www-form-urlencoded``, single
document insert is performed. Closes 139.
- ObjectId are properly serialized on POST/PATCH/PUT methods.
- Queries on ObjectId and datetime values in nested documents.
- ``auth.user_id`` renamed to ``auth.request_auth_value`` for better
consistency with the ``auth_field`` setting. Closes 132 (Ryan Shea).
- Same behavior as Flask, SERVER_NAME now defaults to None. It allows much
easier development on distant machine that may changes IP (Ronan Delacroix).

- CORS support was not available for ``additional_lookup`` urls (Petr Jašek.)
- 'default' field values that could be assimilated to ``None`` (0, None, "")
would be ignored.
- POST and PUT would fail with 400 if there was no auth class while
``auth_field`` was set for a resource.
- Fix order of string arguments in exception message in
flaskapp.validate_schema() (Roy Smith).

~~~~~~~~~~~

Released on September 30th, 2013.

- ``PUT`` method for completely replace a document while keeping the same
unique identifier. Closes 96.
- Embedded Resource Serialization. If a document field is referencing
a document in another resource, clients can request the referenced document
to be embedded within the requested document (Bryan Cattle). Closes 68.
- "No trailing slash" URLs are now supported. Closes 118.
- HATEOAS is now optional and can be disabled both at global and resource
level.
- ``X-HTTP-Method-Override`` supported for all HTTP Methods. Closes 95.
- HTTP method is now passed into ``authenticate()`` and ``check_auth()`` (Ken
Carpenter). Closes 90 .
- Cleanup and hardening of User-Restricted Resource Access Edit (Bryan Cattle).
- Account Management tutorial updated to reflect the event hooks naming update
introduced in v0.0.9.
- Some more Python 3 refactoring (Dong Wei Ming).
- Events 0.2.0 is now supported.
- PyMongo 2.6.2 is now supported.
- Cerberus 0.4.0 is now supported.

- Item ``GET`` on documents with non-existent 'created' field (because
stored outside of API context) were not returning a default value for the
field.
- Edits on documents with non-existent 'created' or 'updated' fields
(because stored outside of the API context) were returning ``412 Precondition
Failed``. Closes 123.
- ``on_insert`` is raised when a ``PUT`` (replace action) is about to be
performed. Closes 120.
- Installation on Windows with Python 3 was returning encoding errors.
- Fixed 99: malformed XML render when href includes forbidden URI/URL chars.
- Fixed a bug introduced with 0.0.9 and Python 3 support. Filters (``?where``)
on datetime values were not working when running on Python 2.x.
- Fixed some typos and minor grammatical errors all across the documentation
(Ken Carpenter, Jean Boussier, Kracekumar, Francisco Corrales Morales).

~~~~~~~~~~~~~

Released on August 29, 2013

- PyMongo 2.6 is now supported.
- ``FILTERS`` boolean replaced by ``ALLOWED_FILTERS`` list which allows for
explicit whitelisting of filter-enabled fields (Bryan Cattle). Closes 78.
- Custom user ids for User-Restricted Resource Access, allowing for more
flexibility and token revocation with token-based authentication. Closes 73.
- ``AUTH_USERNAME_FIELD`` renamed to ``AUTH_FIELD``.
- ``auth_username_field`` renamed to ``auth_field``.
- BasicAuth and subclasses now support ``user_id`` property.
- Updated the event hooks naming system to be more robuts and consistent.
Closes 80.
- To emphasize the fact that they are tied to a method, all ``on_<method>``
hooks now have ``<method>`` in uppercase.
- ``on_getting`` hook renamed to ``on_fetch_resource``.
- ``on_getting_<resource>`` hook renamed to ``on_fetch_resource_<resource>``
- ``on_getting_item`` hook renamed to ``on_fetch_item``.
- ``on_getting_item_<item_title>`` hook renamed to
``on_fetch_item_<item_title>``.
- ``on_posting`` hook renamed to ``on_insert``.
- Datasource projections always include automatic fields (``ID_FIELD``,
``LAST_UPDATED``, ``DATE_CREATED``). Closes 85.
- Public HTTP methods now override `auth_username_field` Edit. Closes 70
(Bryan Cattle).
- Response date fields are now using GMT instead of UTC. Closes 83.
- Handle the case of 'additional_lookup' field being an integer. If this is the
case you can omit the 'url' key, as it will be ignored, and the integer value
correctly parsed.
- More informative HTTP error messages. Some more informative error messages
have been added for HTTP 400/3/12 and 500 errors. The error messages only
show if DEBUG==True (Bryan Cattle).
- ``on_getting(resource, documents)`` is now ``on_getting_resource(resource,
documents)``; ``on_getting_<resource>(documents) is now known as
``on_getting_resource_<resource>(documents)`` (Ryan Shea).
- Added a new event hook: ``on_getting_item_<title>(_id, document)`` (Ryan
Shea).
- Allow ``auth_username_field`` to be set to ``ID_FIELD`` (Bryan Cattle).
- Python 3.3 is now supported.
- Flask 0.10.1 is now supported.
- Werkzeug 0.9.4 is now supported.
- Copyright finally updated to 2013.

~~~~~~~~~~~~~

Released on July 25th 2013.

- Only run RateLimiting tests if redis-py is installed and redis-server is
running.
- CORS ``Access-Control-Allow-Headers`` header support (Garrin Kimmell).
- CORS ``OPTIONS`` support for resource and items endpoints (Garrin Kimmell).
- ``float`` is now available as a data-type in the schema definition ruleset.
- ``nullable`` field schema rule is now available. If ``True`` the field value
can be set to null. Defaults to ``False``.
- v0.3.0 of Cerberus is now a requirement.
- ``on_getting``, ``on_getting_<resource>`` and ``on_getting_item`` event
hooks. These events are raised when documents have just been read from the
database and are about to be sent to the client. Registered callback
functions can eventually manipulate the documents as needed. Please be aware
that ``last_modified`` and ``etag`` headers will always be consistent with
the state of the documents on the database (they won't be updated to reflect
changes eventually applied by the callback functions). Closes 65.
- Documentation fix: ``AUTH_USERFIELD_NAME`` renamed to ``AUTH_USERNAME_FIELD``
(Julien Barbot).
- Responses to GET requests for resource endpoints now include a ``last`` item
in the `_links` dictionary. The value is a link to the last page available.
The item itself is only provided if pagination is enabled and the page being
requested isn't the last one. Closes 62.
- It is now possible to set the MongoDB write concern level at both global
(``MONGO_WRITE_CONCERN``) and endpoint (``mongo_write_concern``) levels. The
value is a dictionary with all valid MongoDB write_concern settings (w,
wtimeout, j and fsync) as keys. ``{'w': 1}`` is the default, which is also
MongoDB's default setting.
- ``TestMininal`` class added to the test suite. This will allow to start the
building of the tests for an application based on Eve, by subclassing the
TestMinimal class (Daniele Pizzolli).

~~~~~~~~~~~~~

Released on June 18th 2013.

- Pinned Werkzeug requirement to v0.8.3 to avoid issues with the latest release
which breaks backward compatibility (actually a Flask 0.9 requirements issue,
which backtracked to Eve).
- Support for Rate Limiting on all HTTP methods. Closes 58. Please note: to
successfully execute the tests in 'eve.tests.methods.ratelimit.py`, a running
redis server is needed.
- ``utils.request_method`` internal helper function added, which allowed for
some nice code cleanup (DRY).
- Setting the default 'field' value would not happen if a 'data_relation' was
nested deeper than the first schema level. Fixes 60.
- Support for ``EXTRA_RESPONSE_FIELDS``. It is now possible to configure a list
of additonal document fields that should be provided with POST responses.
Normally only automatically handled fields (``ID_FIELD``, ``LAST_UPDATED``,
``DATE_CREATED``, ``etag``) are included in POST payloads.
``EXTRA_RESPONSE_FIELDS`` is a global setting that will apply to all resource
endpoint . Defaults to ``[]``, effectively disabling the feature.
``extra_response_fields`` is a local resource setting and will override
``EXTRA_RESPONSE_FIELDS`` when present.
- ``on_posting`` and ``on_posting_<resource>`` event hooks. ``on_posting`` and
``on_posting_<resource>`` events are raised when documents are about to be
stored. Among other things this allows callback functions to arbitrarily
update the documents being inserted. ``on_posting(resource, documents)`` is
raised on every successful POST while ``on_posting_<resource>(documents)`` is
only raised when <resource> is being updated. In both circumstances events
will be raised only if at least one document passed validation and is going
to be inserted.
- Flask native ``request.json`` is now used when decoding request payloads.
- *resource* argument added to Authorization classes. The ``check_auth()``
method of all classes in the ``eve.auth`` package (``BasicAuth``,
``HMACAuth``, ``TokenAuth``) now supports the *resource* argument. This
allows subclasses to eventually build their custom authorization logic around
the resource being accessed.
- ``MONGO_QUERY_BLACKLIST`` option added. Allows to blacklist mongo query
operators that should not be allowed in resource queries (``?where=``).
Defaults to ['$where', '$regex']. Mongo Javascript operators are disabled by
default as they might be used as vectors for injection attacks. Javascript
queries also tend to be slow and generally can be easily replaced with the
(very rich) Mongo query dialect.
- ``MONGO_HOST`` defaults to 'localhost'.
- ``MONGO_PORT`` defaults to 27017.
- Support alternative hosts/ports for the test suite (Paul Doucet).