1.7 (2016-05-19)
================

- Fix a bug in the wiki2 tutorial where bcrypt is always expecting byte
  strings. See https://github.com/Pylons/pyramid/pull/2576

- Simplify windows detection code and remove some duplicated data.
  See https://github.com/Pylons/pyramid/pull/2585 and
  https://github.com/Pylons/pyramid/pull/2586

1.7b4 (2016-05-12)
==================

- Fixed the exception view tween to re-raise the original exception if
  no exception view could be found to handle the exception. This better
  allows tweens further up the chain to handle exceptions that were
  left unhandled. Previously they would be converted into a
  ``PredicateMismatch`` exception if predicates failed to allow the view to
  handle the exception.
  See https://github.com/Pylons/pyramid/pull/2567

- Exposed the ``pyramid.interfaces.IRequestFactory`` interface to mirror
  the public ``pyramid.interfaces.IResponseFactory`` interface.

1.7b3 (2016-05-10)
==================

- Fix ``request.invoke_exception_view`` to raise an ``HTTPNotFound``
  exception if no view is matched. Previously ``None`` would be returned
  if no views were matched and a ``PredicateMismatch`` would be raised if
  a view "almost" matched (a view was found matching the context).
  See https://github.com/Pylons/pyramid/pull/2564

- Add defaults for py.test configuration and coverage to all three scaffolds,
  and update documentation accordingly.
  See https://github.com/Pylons/pyramid/pull/2550

- Add ``linkcheck`` to ``Makefile`` for Sphinx. To check the documentation for
  broken links, use the command ``make linkcheck
  SPHINXBUILD=$VENV/bin/sphinx-build``. Also removed and fixed dozens of broken
  external links.

- Fix the internal runner for scaffold tests to ensure they work with pip
  and py.test.
  See https://github.com/Pylons/pyramid/pull/2565

1.7b2 (2016-05-01)
==================

- Removed inclusion of pyramid_tm in development.ini for alchemy scaffold
  See https://github.com/Pylons/pyramid/issues/2538

- A default permission set via ``config.set_default_permission`` will no
  longer be enforced on an exception view. This has been the case for a while
  with the default exception views (``config.add_notfound_view`` and
  ``config.add_forbidden_view``), however for any other exception view a
  developer had to remember to set ``permission=NO_PERMISSION_REQUIRED`` or
  be surprised when things didn't work. It is still possible to force a
  permission check on an exception view by setting the ``permission`` argument
  manually to ``config.add_view``. This behavior is consistent with the new
  CSRF features added in the 1.7 series.
  See https://github.com/Pylons/pyramid/pull/2534

1.7b1 (2016-04-25)
==================

- This release announces the beta period for 1.7.

- Fix an issue where some files were being included in the alchemy scafffold
  which had been removed from the 1.7 series.
  See https://github.com/Pylons/pyramid/issues/2525

1.7a2 (2016-04-19)
==================

Features
--------

- Automatic CSRF checks are now disabled by default on exception views. They
  can be turned back on by setting the appropriate `require_csrf` option on
  the view.
  See https://github.com/Pylons/pyramid/pull/2517

- The automatic CSRF API was reworked to use a config directive for
  setting the options. The ``pyramid.require_default_csrf`` setting is
  no longer supported. Instead, a new ``config.set_default_csrf_options``
  directive has been introduced that allows the developer to specify
  the default value for ``require_csrf`` as well as change the CSRF token,
  header and safe request methods. The ``pyramid.csrf_trusted_origins``
  setting is still supported.
  See https://github.com/Pylons/pyramid/pull/2518

Bug fixes
---------

- CSRF origin checks had a bug causing the checks to always fail.
  See https://github.com/Pylons/pyramid/pull/2512

- Fix the test suite to pass on windows.
  See https://github.com/Pylons/pyramid/pull/2520

1.7a1 (2016-04-16)
==================

Backward Incompatibilities
--------------------------

- Following the Pyramid deprecation period (1.4 -> 1.6),
  AuthTktAuthenticationPolicy's default hashing algorithm is changing from md5
  to sha512. If you are using the authentication policy and need to continue
  using md5, please explicitly set hashalg to 'md5'.

  This change does mean that any existing auth tickets (and associated cookies)
  will no longer be valid, and users will no longer be logged in, and have to
  login to their accounts again.

  See https://github.com/Pylons/pyramid/pull/2496

- The ``check_csrf_token`` function no longer validates a csrf token in the
  query string of a request. Only headers and request bodies are supported.
  See https://github.com/Pylons/pyramid/pull/2500

Features
--------

- Added a new setting, ``pyramid.require_default_csrf`` which may be used
  to turn on CSRF checks globally for every POST request in the application.
  This should be considered a good default for websites built on Pyramid.
  It is possible to opt-out of CSRF checks on a per-view basis by setting
  ``require_csrf=False`` on those views.
  See https://github.com/Pylons/pyramid/pull/2413

- Added a ``require_csrf`` view option which will enforce CSRF checks on any
  request with an unsafe method as defined by RFC2616. If the CSRF check fails
  a ``BadCSRFToken`` exception will be raised and may be caught by exception
  views (the default response is a ``400 Bad Request``). This option should be
  used in place of the deprecated ``check_csrf`` view predicate which would
  normally result in unexpected ``404 Not Found`` response to the client
  instead of a catchable exception.  See
  https://github.com/Pylons/pyramid/pull/2413 and
  https://github.com/Pylons/pyramid/pull/2500

- Added an additional CSRF validation that checks the origin/referrer of a
  request and makes sure it matches the current ``request.domain``. This
  particular check is only active when accessing a site over HTTPS as otherwise
  browsers don't always send the required information. If this additional CSRF
  validation fails a ``BadCSRFOrigin`` exception will be raised and may be
  caught by exception views (the default response is ``400 Bad Request``).
  Additional allowed origins may be configured by setting
  ``pyramid.csrf_trusted_origins`` to a list of domain names (with ports if on
  a non standard port) to allow. Subdomains are not allowed unless the domain
  name has been prefixed with a ``.``. See
  https://github.com/Pylons/pyramid/pull/2501

- Added a new ``pyramid.session.check_csrf_origin`` API for validating the
  origin or referrer headers against the request's domain.
  See https://github.com/Pylons/pyramid/pull/2501

- Pyramid HTTPExceptions will now take into account the best match for the
  clients Accept header, and depending on what is requested will return
  text/html, application/json or text/plain. The default for */* is still
  text/html, but if application/json is explicitly mentioned it will now
  receive a valid JSON response. See
  https://github.com/Pylons/pyramid/pull/2489

- A new event and interface (BeforeTraversal) has been introduced that will
  notify listeners before traversal starts in the router. See
  https://github.com/Pylons/pyramid/pull/2469 and
  https://github.com/Pylons/pyramid/pull/1876

- Add a new "view deriver" concept to Pyramid to allow framework authors to
  inject elements into the standard Pyramid view pipeline and affect all
  views in an application. This is similar to a decorator except that it
  has access to options passed to ``config.add_view`` and can affect other
  stages of the pipeline such as the raw response from a view or prior to
  security checks. See https://github.com/Pylons/pyramid/pull/2021

- Allow a leading ``=`` on the key of the request param predicate.
  For example, '=abc=1' is equivalent down to
  ``request.params['=abc'] == '1'``.
  See https://github.com/Pylons/pyramid/pull/1370

- A new ``request.invoke_exception_view(...)`` method which can be used to
  invoke an exception view and get back a response. This is useful for
  rendering an exception view outside of the context of the excview tween
  where you may need more control over the request.
  See https://github.com/Pylons/pyramid/pull/2393

- Allow using variable substitutions like ``%(LOGGING_LOGGER_ROOT_LEVEL)s``
  for logging sections of the .ini file and populate these variables from
  the ``pserve`` command line -- e.g.:
  ``pserve development.ini LOGGING_LOGGER_ROOT_LEVEL=DEBUG``
  See https://github.com/Pylons/pyramid/pull/2399

Documentation Changes
---------------------

- A complete overhaul of the docs:

  - Use pip instead of easy_install.
  - Become opinionated by preferring Python 3.4 or greater to simplify
    installation of Python and its required packaging tools.
  - Use venv for the tool, and virtual environment for the thing created,
    instead of virtualenv.
  - Use py.test and pytest-cov instead of nose and coverage.
  - Further updates to the scaffolds as well as tutorials and their src files.

  See https://github.com/Pylons/pyramid/pull/2468

- A complete overhaul of the ``alchemy`` scaffold as well as the
  Wiki2 SQLAlchemy + URLDispatch tutorial to introduce more modern features
  into the usage of SQLAlchemy with Pyramid and provide a better starting
  point for new projects.
  See https://github.com/Pylons/pyramid/pull/2024

Bug Fixes
---------

- Fix ``pserve --browser`` to use the ``--server-name`` instead of the
  app name when selecting a section to use. This was only working for people
  who had server and app sections with the same name, for example
  ``[app:main]`` and ``[server:main]``.
  See https://github.com/Pylons/pyramid/pull/2292

Deprecations
------------

- The ``check_csrf`` view predicate has been deprecated. Use the
  new ``require_csrf`` option or the ``pyramid.require_default_csrf`` setting
  to ensure that the ``BadCSRFToken`` exception is raised.
  See https://github.com/Pylons/pyramid/pull/2413

- Support for Python 3.3 will be removed in Pyramid 1.8.
  https://github.com/Pylons/pyramid/issues/2477

- Python 2.6 is no longer supported by Pyramid. See
  https://github.com/Pylons/pyramid/issues/2368

- Dropped Python 3.2 support.
  See https://github.com/Pylons/pyramid/pull/2256
