Repoze.who

------------------

- ``repoze.who`` and ``repoze.who.plugins`` were not added to the
``namespace_packages`` list in setup.py, potentially making 1.0.6 a
brownbag release, given that making these packages namespace
packages was the only reason for its release.

------------------

- Make repoze.who and repoze.who.plugins into namespace packages
mainly so we can allow plugin authors to distribute packages in the
repoze.who.plugins namespace.

------------------

- Fix auth_tkt plugin to set the same cookies in its ``remember``
method that it does in its ``forget`` method. Previously, logging
out and relogging back in to a site that used auth_tkt identifier
plugin was slightly dicey and would only work sometimes.

- The FormPlugin plugin has grown a redirect-on-unauthorized feature.
Any response from a downstream application that causes a challenge
and includes a Location header will cause a redirect to the value of
the Location header.

------------------

- Added a key to the '[general]' config section: ``remote_user_key``.
If you use this key in the config file, it tells who to 1) not
perform any authentication if it exists in the environment during
ingress and 2) to set the key in the environment for the downstream
app to use as the REMOTE_USER variable. The default is
``REMOTE_USER``.

- Using unicode user ids in combination with the auth_tkt plugin would
cause problems under mod_wsgi.

- Allowed 'cookie_path' argument to InsecureCookiePlugin (and config
constructor). Thanks to Gustavo Narea.

------------------

- A bug in the middleware's ``authenticate`` method made it impossible
to authenticate a user with a userid that was null (e.g. 0, False),
which are valid identifiers. The only invalid userid is now None.

- Applied patch from Olaf Conradi which logs an error when an invalid
filename is passed to the HTPasswdPlugin.

------------------

- Fix bug found by Chris Perkins: the auth_tkt plugin's "remember"
method didn't handle userids which are Python "long" instances
properly. Symptom: TypeError: cannot concatenate 'str' and 'long'
objects in "paste.auth.auth_tkt".

- Added predicate-based "restriction" middleware support
(repoze.who.restrict), allowing configuratio-driven authorization as
a WSGI filter. One example predicate, 'authenticated_predicate', is
supplied, which requires that the user be authenticated either via
'REMOTE_USER' or via 'repoze.who.identity'. To use the filter to
restrict access::

[filter:authenticated_only]
use = egg:repoze.whoauthenticated

or::

[filter:some_predicate]
use = egg:repoze.whopredicate
predicate = my.module:some_predicate
some_option = a value