Morepath

===================

* Adjust ``setup.py`` to require Reg 0.10 and Dectate 0.12, otherwise
Morepath won't work properly.

=================

Release highlights
------------------

* A new, cleaner and faster implementation of Reg underlies this
version of Morepath. It turns generic functions into methods on the
``App`` class, and removes implicit behavior entirely.

This has some impact if you used the low-level ``function``
directive or if you defined your own predicates with the
``predicate`` and ``predicate_fallback`` directives, see details
below.

* A new build environment based around virtualenv and pip. We've
removed the old buildout-based build environment. ``doc/developing.rst``
has much more.

* Performance work boosts performance of Morepath significantly.

Removals & Deprecations
-----------------------

- **Removed**: ``morepath.remember_identity`` is removed from the
Morepath API.

Use ::

request.app.remember_identity(response, request, identity)

Instead of ::

remember_identity(response, request, identity, lookup=request.lookup)

- **Removed**: ``morepath.forget_identity`` is removed from the
Morepath API.

Use ::

request.app.forget_identity(response, request)

Instead of ::

morepath.forget_identity(response, request, lookup=request.lookup)

- **Removed** ``morepath.settings`` is removed from the Morepath API.

Use the ``morepath.App.settings`` property instead. You can access
this through ``app.settings``. You can access this through
``request.app.settings`` if you have the request. The following
directives now get an additional optional first argument called
``app``: ``permission_rule``, ``verify_identity``, ``dump_json``,
``load_json``, ``link_prefix`` and the ``variables`` function passed
to the path directive.

- **Removed** ``morepath.enable_implicit`` and
``morepath.disable_implicit`` are both removed from the Morepath API.

Morepath now uses generic *methods* on the application class. The
application class determines the context used.

- **Removed** We previously used buildout to install a development
environment for Morepath. We now use pip. See ``doc/developing.rst``
for details, and also below.

Features
--------

- **Breaking change** Dectate used to support the ``directive``
pseudo-directive to let you define directives. But this could lead
to import problems if you forgot to import the module where the
pseudo-directives are defined before using them. In this release we
define the directives directly on the ``App`` class using the new
``dectate.directive`` mechanism, avoiding this problem.

If you have code that defines new directives, you have to adjust
your code accordingly; see the `Dectate changelog`_ for more
details.

.. _`Dectate changelog`: http://dectate.readthedocs.io/en/latest/changes.html

- **Breaking change** Previously Morepath used Reg's dispatch
functions directly, with a mechanism to pass in a ``lookup``
argument to a dispatch function to control the application
context. The lookup was maintained on ``App.lookup``. Tests were to
pass the lookup explicitly. Reg also maintained this lookup in a
thread-local variable, and any dispatch call that did not have a
explicit lookup argument passed in used this implicit lookup
directly.

Reg has undergone a major refactoring which affects Morepath. As a
result, Morepath is faster and dispatch code becomes more
Pythonic. The concept of lookup is gone: no more lookup argument,
``app.lookup`` or implicit lookup. Instead, Morepath now makes use
of dispatch *methods* on the application. The application itself
provides the explicit dispatch context. See `448`_ for the
discussion leading up to this change.

.. _`448`: https://github.com/morepath/morepath/issues/448

Most Morepath application and library projects should continue to
work unchanged, but some changes are necessary if you used
some advanced features:

* If in your code you call a generic function from
``morepath.generic`` directly it won't work anymore. Call the
equivalent method on the app instance instead.

* If you pass through the ``lookup`` argument explicitly, remove
this. Calling the dispatch method on the app instance is enough to
indicate context.

* If you defined a generic function in your code, you should move it
to a ``morepath.App`` subclass instead and use
``morepath.dispatch_method`` instead of ``reg.dispatch``. Using
``reg.dispatch_method`` directly is possible but not recommended:
``morepath.dispatch_method`` includes caching behavior that speeds
up applications. For example::

class MyApp(morepath.App):
morepath.dispatch_method('obj')
def my_dispatch(self, obj):
pass

* The ``function`` directive has been replaced by the ``method`` directive,
where you indicate the dispatch method on the first argument. For
example::

App.method(MyApp.my_dispatch, obj=Foo)
def my_dispatch_impl(app, obj):
return "Implementation for Foo"

* The ``predicate`` directive can be used to install new predicates for
dispatch methods. The first argument should be a reference to the
dispatch method, for instance::

App.predicate(App.get_view, name='model', default=None,
index=ClassIndex)
def model_predicate(obj):
return obj.__class__

There is a new public method called ``App.get_view`` that you can
install view predicates on.

* The ``predicate_fallback`` directive gets a reference to the
method too. The decorated function needs to take the same
arguments as the dispatch method; previously it could be a subset.
So for example::

App.predicate_fallback(App.get_view, model_predicate)
def model_not_found(self, obj, request):
raise HTTPNotFound()

Where ``self`` refers to the app instance.

Bug fixes
---------

- Fix code_examples path for doctests with tox.

Build environment
-----------------

- We now use virtualenv and pip instead of buildout to set up the
development environment. The development documentation has been
updated accordingly. Also see issues `473`_ and `484`_.

- Have the manifest file for source distribution include all files
under VCS.

- As we reached 100% code coverage for pytest, coveralls integration
was replaced by the ``--fail-under=100`` argument of ``coverage
report`` in the tox coverage test.

.. _473: https://github.com/morepath/morepath/issues/473
.. _484: https://github.com/morepath/morepath/pull/484

Other
-----

- Refactored traject routing code with an eye on performance.

- Use abstract base classes from the standard library for
``morepath.IdentityPolicy``.

- Reorganize the table of contents of the documentation into a
hierarchy (`468`_).

- Expand the test suite to cover ``morepath.Request.reset``, loop
detection for deferred class links, dispatching of
``App.verify_identity``-decorated functions on the ``identity``
argument (`464`_). Coverage ratio is now 100%.

.. _464: https://github.com/morepath/morepath/issues/464
.. _468: https://github.com/morepath/morepath/pull/468

=================

Removals & Deprecations
-----------------------

- **Removed**: ``morepath.autosetup`` and ``morepath.autocommit`` are
both removed from the Morepath API.

Use ``autoscan``. Also use new explicit ``App.commit`` method, or
rely on Morepath automatically committing during the first
request. So instead of::

morepath.autosetup()
morepath.run(App())

you do::

morepath.autoscan()
App.commit() optional
morepath.run(App())

- **Removed**: the ``morepath.security`` module is removed, and you cannot
import from it anymore. Change imports from it to the public API, so go
from::

from morepath.security import NO_IDENTITY

to::

from morepath import NO_IDENTITY

- **Deprecated** ``morepath.remember_identity`` and
``morepath.forget_identity`` are both deprecated.

Use the ``morepath.App.remember_identity`` and
``morepath.App.forget_identity`` methods, respectively.

Instead of ::

remember_identity(response, request, identity, lookup=request.lookup)
...
morepath.forget_identity(response, request, lookup=request.lookup)

you do::

request.app.remember_identity(response, request, identity)
...
request.app.forget_identity(response, request)

- **Deprecated** ``morepath.settings`` is deprecated.

Use the ``morepath.App.settings`` property instead.

- **Deprecated** ``morepath.enable_implicit`` and
``morepath.disable_implicit`` are both deprecated.

You no longer need to choose between implicit or explicit lookup for
generic functions, as the generic functions that are part of the API
have all been deprecated.

Features
--------

- Factored out new ``App.mounted_app_classes()`` class method which
can be used to determine the mounted app classes after a
commit. This can used to get the argument to ``dectate.query_tool``
if the commit is known to have already been done earlier.

- The ``morepath.run`` function now takes command-line arguments to
set the host and port, and is friendlier in general.

- Add ``App.init_settings`` for pre-filling the settings registry with
a python dictionary. This can be used to load the settings from a
config file.

- Add a ``reset`` method to the ``Request`` class that resets it to
the state it had when request processing started. This is used by
``more.transaction`` to reset request processing when it retries a
transaction.

Bug fixes
---------

- Fix a bug where a double slash at the start of a path was not
normalized.

Cleanups
--------

- Cleanups and testing of ``reify`` functionality.

- More doctests in the narrative documentation.

- A few small performance tweaks.

- Remove unused imports and fix pep8 in core.py.

Other
-----

- Add support for Python 3.5 and make it the default Python
environment.

=================

- **New** We have a new chat channel available. You can join us by clicking
this link:

https://discord.gg/0xRQrJnOPiRsEANa

Please join and hang out! We are retiring the (empty) Freenode
morepath channel.

- **Breaking change**: Move the basic auth policy to
``more.basicauth`` extension extension. Basic auth is just one of
the authentication choices you have and not the default. To update
code, make your project depend on ``more.basicauth`` and import
``BasicAuthIdentityPolicy`` from ``more.basicauth``.

- **Breaking change**: Remove some exception classes that weren't
used: ``morepath.error.ViewError``, ``morepath.error.ResolveError``.
If you try to catch them in your code, just remove the whole
``except`` statement as they were never raised.

- **Deprecated** Importing from ``morepath.security`` directly. We
moved a few things from it into the public API: ``enable_implicit``,
``disable_implicit``, ``remember_identity``, ``forget_identity``,
``Identity``, ``IdentityPolicy``, ``NO_IDENTITY``. Some of these
were already documented as importable from ``morepath.security``.
Although importing from ``morepath.security`` won't break yet, you
should stop importing from it and import directly from ``morepath``
instead.

- **Deprecated** ``morepath.autosetup`` and ``morepath.autocommit``
are both deprecated.

Use ``autoscan``. Also use new explicit ``App.commit`` method, or
rely on Morepath automatically committing during the first
request. So instead of::

morepath.autosetup()
morepath.run(App())

you do::

morepath.autoscan()
App.commit() optional
morepath.run(App())

- **Breaking change** Extensions that imported ``RegRegistry`` directly
from ``morepath.app`` are going to be broken. This kind of import::

from morepath.app import RegRegistry

needs to become::

from morepath.directive import RegRegistry

This change was made to avoid circular imports in Morepath, and
because ``App`` did not directly depend on ``RegRegistry`` anymore.

- **Breaking change**: the ``variables`` function for the ``path``
directive *has* to be defined taking a first ``obj`` argument. In
the past it was possible to define a ``variables`` function that
took no arguments. This is now an error.

- Introduce a new ``commit`` method on ``App`` that commits the App
and also recursively commits all mounted apps. This is more explicit
than ``autocommit`` and less verbose than using the lower-level
``dectate.commit``.

- Automatic commit of the app is done during the first request if the
app wasn't committed previously. See issue 392.

- Introduce a deprecation warnings (for ``morepath.security``,
``morepath.autosetup``) and document how a user can deal with such
warnings.

- Adds host header validation to protect against header poisoning attacks.

See https://github.com/morepath/morepath/issues/271

You can use ``morepath.HOST_HEADER_PROTECTION`` in your own tween
factory to wrap before or under it.

- Refactor internals of publishing/view engine. Reg is used more
effectively for view lookup, order of some parameters is reversed
for consistency with public APIs.

- Document the internals of Morepath, see implementation document.
This includes docstrings for all the internal APIs.

- The framehack module was merged into ``autosetup``. Increased
the coverage to this module to 100%.

- New cookiecutter template for Morepath, and added references in the
documentation for it.

See https://github.com/morepath/morepath-cookiecutter

- Test cleanup; scan in many tests turns out to be superfluous. Issue
379

- Add a test that verifies we can instantiate an app before configuration
is done. See issue 378 for discussion.

- Started doctesting some of the docs.

- Renamed ``RegRegistry.lookup`` to ``RegRegistry.caching_lookup`` as
the ``lookup`` property was shadowing a lookup property on
``reg.Registry``. This wasn't causing bugs but made debugging
harder.

- Refactored link generation. Introduce a new ``defer_class_links``
directive that lets you defer link generation using
``Request.class_link()`` in addition to ``Request.link()``. This is
an alternative to ``defer_links``, which cannot support
``Request.class_link``.

- Morepath now has extension API docs that are useful when you want to
create your own directive and build on one of Morepath's registries
or directives.

- A friendlier ``morepath.run`` that tells you how to quit it with
``ctrl-C``.

- A new document describing how to write a test for Morepath-based
applications.

- Document how to create a Dectate-based command-line query tool that
lets you query Morepath directives.

- Uses the topological sort implementation in Dectate. Sort out a mess
where there were too many ``TopologicalSortError`` classes.

===================

- Undid change in 0.13.1 where ``App`` could not be instantiated if
not committed, as ran into real-world code where this assumption
was broken.

===================

- Enable queries by the Dectate query tool.

- Document ``scan`` function in API docs.

- Work around an issue in Python where ``~`` (tilde) is quoted by
``urllib.quote`` & ``urllib.encode``, even though it should not be
according to the RFC, as ``~`` is considered unreserved.

https://www.ietf.org/rfc/rfc3986.txt

- Document some tricks you can do with directives in a new "Directive
tricks" document.

- Refactor creation of tweens into function on TweenRegistry.

- Update the REST document; it was rather old and made no mention of
``body_model``.

- Bail out with an error if an App is instantiated without being
committed.