Pyramid

Latest version: v2.0.2

Safety actively analyzes 638646 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 4 of 30

1.7b1

==================

- This release announces the beta period for 1.7.

- Fix an issue where some files were being included in the alchemy scafffold
which had been removed from the 1.7 series.
See https://github.com/Pylons/pyramid/issues/2525

1.7a2

==================

Features
--------

- Automatic CSRF checks are now disabled by default on exception views. They
can be turned back on by setting the appropriate `require_csrf` option on
the view.
See https://github.com/Pylons/pyramid/pull/2517

- The automatic CSRF API was reworked to use a config directive for
setting the options. The ``pyramid.require_default_csrf`` setting is
no longer supported. Instead, a new ``config.set_default_csrf_options``
directive has been introduced that allows the developer to specify
the default value for ``require_csrf`` as well as change the CSRF token,
header and safe request methods. The ``pyramid.csrf_trusted_origins``
setting is still supported.
See https://github.com/Pylons/pyramid/pull/2518

Bug fixes
---------

- CSRF origin checks had a bug causing the checks to always fail.
See https://github.com/Pylons/pyramid/pull/2512

- Fix the test suite to pass on windows.
See https://github.com/Pylons/pyramid/pull/2520

1.7a1

==================

Backward Incompatibilities
--------------------------

- Following the Pyramid deprecation period (1.4 -> 1.6),
AuthTktAuthenticationPolicy's default hashing algorithm is changing from md5
to sha512. If you are using the authentication policy and need to continue
using md5, please explicitly set hashalg to 'md5'.

This change does mean that any existing auth tickets (and associated cookies)
will no longer be valid, and users will no longer be logged in, and have to
login to their accounts again.

See https://github.com/Pylons/pyramid/pull/2496

- The ``check_csrf_token`` function no longer validates a csrf token in the
query string of a request. Only headers and request bodies are supported.
See https://github.com/Pylons/pyramid/pull/2500

Features
--------

- Added a new setting, ``pyramid.require_default_csrf`` which may be used
to turn on CSRF checks globally for every POST request in the application.
This should be considered a good default for websites built on Pyramid.
It is possible to opt-out of CSRF checks on a per-view basis by setting
``require_csrf=False`` on those views.
See https://github.com/Pylons/pyramid/pull/2413

- Added a ``require_csrf`` view option which will enforce CSRF checks on any
request with an unsafe method as defined by RFC2616. If the CSRF check fails
a ``BadCSRFToken`` exception will be raised and may be caught by exception
views (the default response is a ``400 Bad Request``). This option should be
used in place of the deprecated ``check_csrf`` view predicate which would
normally result in unexpected ``404 Not Found`` response to the client
instead of a catchable exception. See
https://github.com/Pylons/pyramid/pull/2413 and
https://github.com/Pylons/pyramid/pull/2500

- Added an additional CSRF validation that checks the origin/referrer of a
request and makes sure it matches the current ``request.domain``. This
particular check is only active when accessing a site over HTTPS as otherwise
browsers don't always send the required information. If this additional CSRF
validation fails a ``BadCSRFOrigin`` exception will be raised and may be
caught by exception views (the default response is ``400 Bad Request``).
Additional allowed origins may be configured by setting
``pyramid.csrf_trusted_origins`` to a list of domain names (with ports if on
a non standard port) to allow. Subdomains are not allowed unless the domain
name has been prefixed with a ``.``. See
https://github.com/Pylons/pyramid/pull/2501

- Added a new ``pyramid.session.check_csrf_origin`` API for validating the
origin or referrer headers against the request's domain.
See https://github.com/Pylons/pyramid/pull/2501

- Pyramid HTTPExceptions will now take into account the best match for the
clients Accept header, and depending on what is requested will return
text/html, application/json or text/plain. The default for */* is still
text/html, but if application/json is explicitly mentioned it will now
receive a valid JSON response. See
https://github.com/Pylons/pyramid/pull/2489

- A new event and interface (BeforeTraversal) has been introduced that will
notify listeners before traversal starts in the router. See
https://github.com/Pylons/pyramid/pull/2469 and
https://github.com/Pylons/pyramid/pull/1876

- Add a new "view deriver" concept to Pyramid to allow framework authors to
inject elements into the standard Pyramid view pipeline and affect all
views in an application. This is similar to a decorator except that it
has access to options passed to ``config.add_view`` and can affect other
stages of the pipeline such as the raw response from a view or prior to
security checks. See https://github.com/Pylons/pyramid/pull/2021

- Allow a leading ``=`` on the key of the request param predicate.
For example, '=abc=1' is equivalent down to
``request.params['=abc'] == '1'``.
See https://github.com/Pylons/pyramid/pull/1370

- A new ``request.invoke_exception_view(...)`` method which can be used to
invoke an exception view and get back a response. This is useful for
rendering an exception view outside of the context of the excview tween
where you may need more control over the request.
See https://github.com/Pylons/pyramid/pull/2393

- Allow using variable substitutions like ``%(LOGGING_LOGGER_ROOT_LEVEL)s``
for logging sections of the .ini file and populate these variables from
the ``pserve`` command line -- e.g.:
``pserve development.ini LOGGING_LOGGER_ROOT_LEVEL=DEBUG``
See https://github.com/Pylons/pyramid/pull/2399

Documentation Changes
---------------------

- A complete overhaul of the docs:

- Use pip instead of easy_install.
- Become opinionated by preferring Python 3.4 or greater to simplify
installation of Python and its required packaging tools.
- Use venv for the tool, and virtual environment for the thing created,
instead of virtualenv.
- Use py.test and pytest-cov instead of nose and coverage.
- Further updates to the scaffolds as well as tutorials and their src files.

See https://github.com/Pylons/pyramid/pull/2468

- A complete overhaul of the ``alchemy`` scaffold as well as the
Wiki2 SQLAlchemy + URLDispatch tutorial to introduce more modern features
into the usage of SQLAlchemy with Pyramid and provide a better starting
point for new projects.
See https://github.com/Pylons/pyramid/pull/2024

Bug Fixes
---------

- Fix ``pserve --browser`` to use the ``--server-name`` instead of the
app name when selecting a section to use. This was only working for people
who had server and app sections with the same name, for example
``[app:main]`` and ``[server:main]``.
See https://github.com/Pylons/pyramid/pull/2292

Deprecations
------------

- The ``check_csrf`` view predicate has been deprecated. Use the
new ``require_csrf`` option or the ``pyramid.require_default_csrf`` setting
to ensure that the ``BadCSRFToken`` exception is raised.
See https://github.com/Pylons/pyramid/pull/2413

- Support for Python 3.3 will be removed in Pyramid 1.8.
https://github.com/Pylons/pyramid/issues/2477

- Python 2.6 is no longer supported by Pyramid. See
https://github.com/Pylons/pyramid/issues/2368

- Dropped Python 3.2 support.
See https://github.com/Pylons/pyramid/pull/2256

1.6

================

Deprecations
------------

- Continue removal of ``pserve`` daemon/process management features
by deprecating ``--user`` and ``--group`` options.
See https://github.com/Pylons/pyramid/pull/2190

1.6b3

==================

Backward Incompatibilities
--------------------------

- Remove the ``cachebust`` option from ``config.add_static_view``. See
``config.add_cache_buster`` for the new way to attach cache busters to
static assets.
See https://github.com/Pylons/pyramid/pull/2186

- Modify the ``pyramid.interfaces.ICacheBuster`` API to be a simple callable
instead of an object with ``match`` and ``pregenerate`` methods. Cache
busters are now focused solely on generation. Matching has been dropped.

Note this affects usage of ``pyramid.static.QueryStringCacheBuster`` and
``pyramid.static.ManifestCacheBuster``.

See https://github.com/Pylons/pyramid/pull/2186

Features
--------

- Add a new ``config.add_cache_buster`` API for attaching cache busters to
static assets. See https://github.com/Pylons/pyramid/pull/2186

Bug Fixes
---------

- Ensure that ``IAssetDescriptor.abspath`` always returns an absolute path.
There were cases depending on the process CWD that a relative path would
be returned. See https://github.com/Pylons/pyramid/pull/2188

1.6b2

==================

Features
--------

- Allow asset specifications to be supplied to
``pyramid.static.ManifestCacheBuster`` instead of requiring a
filesystem path.

Page 4 of 30

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.