Flask-security

Latest version: v5.6.1


5.2.0
-------------

Released May 6, 2023

Note: Due to rapid deprecation and removal of APIs from the Pallets team,
maintaining the testing of back versions of various packages is taking too
much time and effort. In this release only current versions of the various
dependent packages are being tested.

Fixes
+++++

- (:issue:`764`) Remove old Werkzeug compatibility check.
- (:issue:`777`) Compatibility with Quart.
- (:pr:`780`) Remove dependence on pkg_resources / setuptools (use importlib_resources package)
- (:pr:`792`) Fix tests to work with latest Werkzeug/Flask. Update requirements_low to match current releases.
- (:pr:`792`) Drop support for Python 3.7

Known Issues
++++++++++++

- Flask-mongoengine hasn't released in a while and currently will not work with latest Flask and Flask-Security-Too/Flask-Security
  (this is due to the JSONEncoder being deprecated and removed).

Backwards Compatibility Concerns
+++++++++++++++++++++++++++++++++
- The removal of pkg_resources required changing the config variable :py:data:`SECURITY_I18N_DIRNAME`.
  If your application modified or extended this configuration variable, a small change will be required.

5.1.2
-------------

Released March 12, 2023

Fixes
+++++

- (:issue:`771`) Hungarian translations not working.
- (:pr:`769`) Fix documentation for send_mail. (gg)
- (:pr:`768`) Fix for latest mongoengine and mongomock.
- (:pr:`766`) Fix inappropriate use of &thinsp& in French translations. (maxdup)
- (:pr:`773`) Improve documentation around subclassing forms.

5.1.1
-------------

Released March 1, 2023

Fixes
+++++

- (:issue:`740`) Fix 2 Flask apps in same thread with USERNAME_ENABLE set.
  There was a too aggressive config check.
- (:pr:`739`) Update Russian translations. (ademaro)
- (:pr:`743`) Run all templates through a linter. (ademaro)
- (:pr:`757`) Fix json/flask backwards compatibility hack.
- (:issue:`759`) Fix quickstarts - make sure they run using ``flask run``
- (:pr:`755`) Fix unified signup when two-factor not enabled. (sebdroid)
- (:pr:`763`) Add dependency on setuptools (pkg_resources). (hroncok)

5.1.0
-------------

Released January 23, 2023

Features
++++++++

- (:issue:`667`) Expose form instantiation. See :ref:`form_instantiation`.
- (:issue:`693`) Option to encrypt recovery codes.
- (:pr:`716`) Support for authentication via 'social' oauth.
- (:pr:`721`) Support for Python 3.11

Fixes
+++++

- (:pr:`678`) Fixes for Flask-SQLAlchemy 3.0.0. (jrast)
- (:pr:`680`) Fixes for sqlalchemy 2.0.0 (jrast)
- (:issue:`697`) Webauthn and Unified signin features now properly take into
  account blueprint prefixes.
- (:issue:`699`) Properly propagate ``?next=/xx`` - the verify, webauthn, and unified
  signin endpoints, that had multiple redirects, needed fixes.
- (:pr:`696`) Add Hungarian translations. (xQwexx)
- (:issue:`701`) Two factor redirects ignored url_prefix. Added a :py:data:`SECURITY_TWO_FACTOR_ERROR_VIEW`
  configuration option.
- (:issue:`704`) Add configurations for static folder/URL and make sure templates reference
  blueprint relative static folder.
- (:issue:`709`) Make (some) templates look better by using single quotes instead of
  double quotes.
- (:issue:`690`) Send entire context to MailUtil::send_mail (patrickyan)
- (:pr:`728`) Support for Flask-Babel 3.0.0
- (:issue:`692`) Add configuration option :py:data:`SECURITY_TWO_FACTOR_POST_SETUP_VIEW` which
  is redirected to upon successful change of a two factor method.
- (:pr:`733`) The ability to pass in a LoginManager instance which was deprecated in
  5.0 has been removed.
- (:issue:`732`) If :py:data:`SECURITY_USERNAME_REQUIRED` was ``True`` then users couldn't log in
  with just an email.
- (:issue:`734`) If :py:data:`SECURITY_USERNAME_ENABLE` is set, bleach is a requirement.
- (:pr:`736`) The unauthz_handler now takes a function name, not the function!

Backwards Compatibility Concerns
+++++++++++++++++++++++++++++++++

- Each form class used to be set as an attribute on the Security object. With
  the new form instantiation model, they no longer are.
- After a successful update/change of a two-factor method, the user was redirected to
  :py:data:`SECURITY_POST_LOGIN_VIEW`. Now it redirects to :py:data:`SECURITY_TWO_FACTOR_POST_SETUP_VIEW`
  which defaults to ``".two_factor_setup"``.
- The :meth:`.Security.unauthz_handler` now takes a function name - not the function -
  which never made sense.

5.0.2
-------------

Released September 23, 2022

Fixes
+++++
- (:issue:`673`) Role permissions backwards compatibility bug. For SQL based datastores
  that use Flask-Security's models.fsqla_vx - there should be NO issues. If you declare
  your own models - please see the 5.0.0 release notes for required change.

5.0.1
-------------

Released September 6, 2022

Fixes
+++++
- (:pr:`662`) Fix Change Password regression. (tysonholub)
