1.9a1 (2017-05-01)
==================

Major Features
--------------

- The file format used by all ``p*`` command line scripts such as ``pserve``
  and ``pshell``, as well as the ``pyramid.paster.bootstrap`` function
  is now replaceable thanks to a new dependency on
  ``plaster``.
  For now, Pyramid is still shipping with integrated support for the
  PasteDeploy INI format by depending on
  ``plaster_pastedeploy``.
  See https://github.com/Pylons/pyramid/pull/2964
- CSRF support has been refactored out of sessions and into its own
  independent API in the ``pyramid.csrf`` module. It supports a pluggable
  ``pyramid.interfaces.ICSRFStoragePolicy`` which can be used to define your
  own mechanism for generating and validating CSRF tokens. By default,
  Pyramid continues to use the ``pyramid.csrf.LegacySessionCSRFStoragePolicy``
  that uses the ``request.session.get_csrf_token`` and
  ``request.session.new_csrf_token`` APIs under the hood to preserve
  compatibility. Two new policies are shipped as well,
  ``pyramid.csrf.SessionCSRFStoragePolicy`` and
  ``pyramid.csrf.CookieCSRFStoragePolicy`` which will store the CSRF tokens
  in the session and in a standalone cookie, respectively. The storage policy
  can be changed by using the new
  ``pyramid.config.Configurator.set_csrf_storage_policy`` config directive.
  CSRF tokens should be used via the new ``pyramid.csrf.get_csrf_token``,
  ``pyramid.csrf.new_csrf_token`` and ``pyramid.csrf.check_csrf_token`` APIs
  in order to continue working if the storage policy is changed. Also, the
  ``pyramid.csrf.get_csrf_token`` function is injected into templates to be
  used conveniently in UI code.
  See https://github.com/Pylons/pyramid/pull/2854 and
  https://github.com/Pylons/pyramid/pull/3019
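
To illustrate the pluggable storage policy described above, here is an added example (not Pyramid's own code) of a custom policy that issues stateless, HMAC-signed tokens bound to the authenticated user. It assumes the method names of ``ICSRFStoragePolicy`` as documented for Pyramid 1.9; the class name, the ``_csrf_token`` cache attribute and the stand-in request objects are hypothetical, and the policy would be registered with ``config.set_csrf_storage_policy``.

```python
import hashlib
import hmac
import secrets
from types import SimpleNamespace


class HMACCSRFStoragePolicy:
    """Stateless CSRF tokens bound to the user id (hypothetical example policy)."""
    # Assumption: method names follow ICSRFStoragePolicy as documented for 1.9.

    def __init__(self, secret: bytes):
        if len(secret) < 32:
            raise ValueError("secret must be at least 32 bytes")
        self._secret = secret

    def _sign(self, request, nonce: str) -> str:
        # Bind the MAC to the current identity so a token minted for one
        # user is rejected when submitted under another user's identity.
        userid = str(request.authenticated_userid or "")
        msg = f"{len(userid)}:{userid}:{nonce}".encode("utf-8", "replace")
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def new_csrf_token(self, request) -> str:
        nonce = secrets.token_hex(16)
        request._csrf_token = f"{nonce}.{self._sign(request, nonce)}"
        return request._csrf_token  # cached for the rest of this request

    def get_csrf_token(self, request) -> str:
        return getattr(request, "_csrf_token", None) or self.new_csrf_token(request)

    def check_csrf_token(self, request, supplied_token) -> bool:
        if not isinstance(supplied_token, str) or supplied_token.count(".") != 1:
            return False
        nonce, mac = supplied_token.split(".")
        expected = self._sign(request, nonce).encode()
        # Constant-time comparison: no early exit on the first wrong byte.
        return hmac.compare_digest(expected, mac.encode("utf-8", "replace"))


def demo():
    """Constructed requests: only ``authenticated_userid`` is modelled."""
    policy = HMACCSRFStoragePolicy(secrets.token_bytes(32))
    alice = SimpleNamespace(authenticated_userid="alice")
    mallory = SimpleNamespace(authenticated_userid="mallory")
    token = policy.get_csrf_token(alice)
    return {"same_user": policy.check_csrf_token(alice, token),
            "other_user": policy.check_csrf_token(mallory, token),
            "malformed": policy.check_csrf_token(alice, "no-dot")}
```

Because this policy keeps no server-side state, ``new_csrf_token`` changes the token that is issued but cannot revoke tokens issued earlier; revocation requires rotating the secret or adding storage.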

Minor Features
--------------

- Support an ``open_url`` config setting in the ``pserve`` section of the
  config file. This URL is used to open a web browser when ``pserve --browser``
  is invoked. When this setting is unavailable the ``pserve`` script will
  attempt to guess the port the server is using from the
  ``server:`` section of the config file but there is no
  requirement that the server is being run in this format so it may fail.
  See https://github.com/Pylons/pyramid/pull/2984
- The ``pyramid.config.Configurator`` can now be used as a context manager
  which will automatically push/pop threadlocals (similar to
  ``config.begin()`` and ``config.end()``). It will also automatically perform
  a ``config.commit()`` and thus it is only recommended to be used at the
  top-level of your app. See https://github.com/Pylons/pyramid/pull/2874
- The threadlocals are now available inside any function invoked via
  ``config.include``. This means the only config-time code that cannot rely
  on threadlocals is code executed from non-actions inside the main. This
  can be alleviated by invoking ``config.begin()`` and ``config.end()``
  appropriately or using the new context manager feature of the configurator.
  See https://github.com/Pylons/pyramid/pull/2989

Bug Fixes
---------

- ``HTTPException`` accepts a ``detail`` kwarg that may be used to pass
  additional details to the exception. You may now pass objects so long as
  they have a valid ``__str__`` method.
  See https://github.com/Pylons/pyramid/pull/2951
- Fix a reference cycle causing memory leaks in which the registry
  would keep a ``Configurator`` instance alive even after the configurator
  was discarded. Another fix was also added for the ``global_registries``
  object in which the registry was stored in a closure preventing it from
  being deallocated. See https://github.com/Pylons/pyramid/pull/2967
- Fix a bug in which directly invoking ``pyramid.scripts.pserve.main`` with
  the ``--reload`` option always used ``sys.argv`` in the subprocess
  instead of the supplied ``argv``.
  See https://github.com/Pylons/pyramid/pull/2962

Deprecations
------------

- Pyramid currently depends on ``plaster_pastedeploy`` to simplify the
  transition to ``plaster`` by maintaining integrated support for INI files.
  This dependency on ``plaster_pastedeploy`` should be considered subject to
  Pyramid's deprecation policy and may be removed in the future.
  Applications should depend on the appropriate plaster binding to satisfy
  their needs.
- Retrieving CSRF tokens from the session has been deprecated in favor of
  equivalent methods in the ``pyramid.csrf`` module. The CSRF methods
  (``ISession.get_csrf_token`` and ``ISession.new_csrf_token``) are no longer
  required on the ``ISession`` interface except when using the default
  ``pyramid.csrf.LegacySessionCSRFStoragePolicy``.
  Also, ``pyramid.session.check_csrf_token`` is now located at
  ``pyramid.csrf.check_csrf_token``.
  See https://github.com/Pylons/pyramid/pull/2854 and
  https://github.com/Pylons/pyramid/pull/3019

Documentation Changes
---------------------

- Added the execution policy to the routing diagram in the Request Processing
  chapter. See https://github.com/Pylons/pyramid/pull/2993