Pin pyramid to latest version 1.10.4

[pyup-bot]

This PR pins pyramid to the latest release 1.10.4.

Changelog

1.10

=================

- No major changes from 1.10b1.

1.10b1

===================

Bug Fixes
---------

- Fix the ``pyramid.testing.DummyRequest`` to support the new
``request.accept`` API so that ``acceptable_offers`` is available even
when code sets the value to a string.
See https://github.com/Pylons/pyramid/pull/3396

- Fix deprecated escape sequences in preparation for Python 3.8.
See https://github.com/Pylons/pyramid/pull/3400

1.10a1

===================

Features
--------

- Add a ``_depth`` and ``_category`` arguments to all of the venusian
decorators. The ``_category`` argument can be used to affect which actions
are registered when performing a ``config.scan(..., category=...)`` with a
specific category. The ``_depth`` argument should be used when wrapping
the decorator in your own. This change affects ``pyramid.view.view_config``,
``pyramid.view.exception_view_config``,
``pyramid.view.forbidden_view_config``, ``pyramid.view.notfound_view_config``,
``pyramid.events.subscriber`` and ``pyramid.response.response_adapter``
decorators. See https://github.com/Pylons/pyramid/pull/3105 and
https://github.com/Pylons/pyramid/pull/3122

- Fix the ``pyramid.request.Request`` class name after using
``set_property`` or ``config.add_request_method`` such that the
``str(request.__class__)`` would appear as ``pyramid.request.Request``
instead of ``pyramid.util.Request``.
See https://github.com/Pylons/pyramid/pull/3129

- In ``cherrypy_server_runner``, prefer imports from the ``cheroot`` package
over the legacy imports from `cherrypy.wsgiserver`.
See https://github.com/Pylons/pyramid/pull/3235

- Add a context manager ``route_prefix_context`` to the
``pyramid.config.Configurator`` to allow for convenient setting of the
route_prefix for ``include`` and ``add_route`` calls inside the context.
See https://github.com/Pylons/pyramid/pull/3279

- Modify the builtin session implementations to support ``SameSite`` options
on cookies and set the default to ``'Lax'``. This affects
``pyramid.session.BaseCookieSessionFactory``,
``pyramid.session.SignedCookieSessionFactory``, and
``pyramid.session.UnencryptedCookieSessionFactoryConfig``.
See https://github.com/Pylons/pyramid/pull/3300

- Modify ``pyramid.authentication.AuthTktAuthenticationPolicy`` and
``pyramid.csrf.CookieCSRFStoragePolicy`` to support the ``SameSite`` option
on cookies and set the default to ``'Lax'``.
See https://github.com/Pylons/pyramid/pull/3319

- Added new ``pyramid.httpexceptions.HTTPPermanentRedirect``
exception/response object for a HTTP 308 redirect.
See https://github.com/Pylons/pyramid/pull/3302

- Within ``pshell``, allow the user-defined ``setup`` function to be a
generator, in which case it may wrap the command's lifecycle.
See https://github.com/Pylons/pyramid/pull/3318

- Within ``pshell``, variables defined by the ``[pshell]`` settings are
available within the user-defined ``setup`` function.
See https://github.com/Pylons/pyramid/pull/3318

- Add support for Python 3.7. Add testing on Python 3.8 with allowed failures.
See https://github.com/Pylons/pyramid/pull/3333

- Added the ``pyramid.config.Configurator.add_accept_view_order`` directive,
allowing users to specify media type preferences in ambiguous situations
such as when several views match. A default ordering is defined for media
types that prefers human-readable html/text responses over JSON.
See https://github.com/Pylons/pyramid/pull/3326

- Support a list of media types in the ``accept`` predicate used in
``pyramid.config.Configurator.add_route``.
See https://github.com/Pylons/pyramid/pull/3326

- Added ``pyramid.session.JSONSerializer``. See "Upcoming Changes to ISession
in Pyramid 2.0" in the "Sessions" chapter of the documentation for more
information about this feature.
See https://github.com/Pylons/pyramid/pull/3353

- Add a ``registry`` argument to ``pyramid.renderers.get_renderer``
to allow users to avoid threadlocals during renderer lookup.
See https://github.com/Pylons/pyramid/pull/3358

- Pyramid's test suite is no longer distributed with the universal wheel.
See https://github.com/Pylons/pyramid/pull/3387

- All Python code is now formatted automatically using ``black``.
See https://github.com/Pylons/pyramid/pull/3388

Bug Fixes
---------

- Set appropriate ``code`` and ``title`` attributes on the ``HTTPClientError``
and ``HTTPServerError`` exception classes. This prevents inadvertently
returning a 520 error code.
See https://github.com/Pylons/pyramid/pull/3280

- Replace ``webob.acceptparse.MIMEAccept`` from WebOb with
``webob.acceptparse.create_accept_header`` in the HTTP exception handling
code. The old ``MIMEAccept`` has been deprecated. The new methods follow the
RFC's more closely. See https://github.com/Pylons/pyramid/pull/3251

- Catch extra errors like ``AttributeError`` when unpickling "trusted"
session cookies with bad pickle data in them. This would occur when sharing
a secret between projects that shouldn't actually share session cookies,
like when reusing secrets between projects in development.
See https://github.com/Pylons/pyramid/pull/3325

Deprecations
------------

- The ``pyramid.intefaces.ISession`` interface will move to require
JSON-serializable objects in Pyramid 2.0. See
"Upcoming Changes to ISession in Pyramid 2.0" in the "Sessions" chapter
of the documentation for more information about this change.
See https://github.com/Pylons/pyramid/pull/3353

- The ``pyramid.session.signed_serialize`` and
``pyramid.session.signed_deserialize`` functions will be removed in Pyramid
2.0, along with the removal of
``pyramid.session.UnencryptedCookieSessionFactoryConfig`` which was
deprecated in Pyramid 1.5. Please switch to using the
``SignedCookieSessionFactory``, copying the code, or another session
implementation if you're still using these features.
See https://github.com/Pylons/pyramid/pull/3353

- Media ranges are deprecated in the ``accept`` argument of
``pyramid.config.Configurator.add_route``. Use a list of explicit
media types to ``add_route`` to support multiple types.

- Media ranges are deprecated in the ``accept`` argument of
``pyramid.config.Configurator.add_view``.  There is no replacement for
ranges to ``add_view``, but after much discussion the workflow is
fundamentally ambiguous in the face of various client-supplied values for
the ``Accept`` header.
See https://github.com/Pylons/pyramid/pull/3326

Backward Incompatibilities
--------------------------

- On Python 3.4+ the ``repoze.lru`` dependency is dropped. If you were using
this package directly in your apps you should make sure that you are
depending on it directly within your project.
See https://github.com/Pylons/pyramid/pull/3140

- Remove the ``permission`` argument from
``pyramid.config.Configurator.add_route``. This was an argument left over
from a feature removed in Pyramid 1.5 and has had no effect since then.
See https://github.com/Pylons/pyramid/pull/3299

- Modify the builtin session implementations to set ``SameSite='Lax'`` on
cookies. This affects ``pyramid.session.BaseCookieSessionFactory``,
``pyramid.session.SignedCookieSessionFactory``, and
``pyramid.session.UnencryptedCookieSessionFactoryConfig``.
See https://github.com/Pylons/pyramid/pull/3300

- Variables defined in the ``[pshell]`` section of the settings will no
longer override those set by the ``setup`` function.
See https://github.com/Pylons/pyramid/pull/3318

- ``pyramid.config.Configurator.add_notfound_view`` uses default redirect
class exception ``pyramid.httpexceptions.HTTPTemporaryRedirect`` instead
of previous ``pyramid.httpexceptions.HTTPFound``.
See https://github.com/Pylons/pyramid/pull/3328

- Removed ``pyramid.config.Configurator.set_request_property`` which had been
deprecated since Pyramid 1.5. Instead use
``pyramid.config.Configurator.add_request_method`` with ``reify=True`` or
``property=True``.
See https://github.com/Pylons/pyramid/pull/3368

- Removed the ``principal`` keyword argument from
``pyramid.security.remember`` which had been deprecated since Pyramid 1.6
and replaced by the ``userid`` argument.
See https://github.com/Pylons/pyramid/pull/3369

- Removed the ``pyramid.tests`` subpackage that used to contain the Pyramid
test suite. These changes also changed the format of the repository to move
the code into a ``src`` folder.
See https://github.com/Pylons/pyramid/pull/3387

Documentation Changes
---------------------

- Ad support for Read The Docs Ethical Ads.
See https://github.com/Pylons/pyramid/pull/3360 and
https://docs.readthedocs.io/en/latest/advertising/ethical-advertising.html

- Add support for alembic to the pyramid-cookiecutter-alchemy cookiecutter
and update the wiki2 tutorial to explain how it works.
See https://github.com/Pylons/pyramid/pull/3307 and
https://github.com/Pylons/pyramid-cookiecutter-alchemy/pull/7

- Bump Sphinx to >= 1.7.4 in setup.py to support ``emphasize-lines`` in PDFs
and to pave the way for xelatex support.  See
https://github.com/Pylons/pyramid/pull/3271,
https://github.com/Pylons/pyramid/issues/667, and
https://github.com/Pylons/pyramid/issues/2572

- Added extra tests to the quick tutorial.
See https://github.com/Pylons/pyramid/pull/3375

1.9

================

- No major changes from 1.9b1.

- Updated documentation links for ``docs.pylonsproject.org`` to use HTTPS.

1.9b1

==================

- Add an informative error message when unknown predicates are supplied. The
new message suggests alternatives based on the list of known predicates.
See https://github.com/Pylons/pyramid/pull/3054

- Added integrity attributes for JavaScripts in cookiecutters, scaffolds, and
resulting source files in tutorials.
See https://github.com/Pylons/pyramid/issues/2548

- Update RELEASING.txt for updating cookiecutters. Change cookiecutter URLs to
use shortcut.
See https://github.com/Pylons/pyramid/issues/3042

- Ensure the correct threadlocals are pushed during view execution when
invoked from ``request.invoke_exception_view``.
See https://github.com/Pylons/pyramid/pull/3060

- Fix a bug in which ``pyramid.security.ALL_PERMISSIONS`` failed to return
a valid iterator in its ``__iter__`` implementation.
See https://github.com/Pylons/pyramid/pull/3074

- Normalize the permission results to a proper class hierarchy.
``pyramid.security.ACLAllowed`` is now a subclass of
``pyramid.security.Allowed`` and ``pyramid.security.ACLDenied`` is now a
subclass of ``pyramid.security.Denied``.
See https://github.com/Pylons/pyramid/pull/3084

- Add a ``quote_via`` argument to ``pyramid.encode.urlencode`` to follow
the stdlib's version and enable custom quoting functions.
See https://github.com/Pylons/pyramid/pull/3088

- Support `_query=None` and `_anchor=None` in ``request.route_url`` as well
as ``query=None`` and ``anchor=None`` in ``request.resource_url``.
Previously this would cause an `?` and a ``, respectively, in the url
with nothing after it. Now the unnecessary parts are dropped from the
generated URL. See https://github.com/Pylons/pyramid/pull/3034

- Revamp the ``IRouter`` API used by ``IExecutionPolicy`` to force
pushing/popping the request threadlocals. The
``IRouter.make_request(environ)`` API has been replaced by
``IRouter.request_context(environ)`` which should be used as a context
manager. See https://github.com/Pylons/pyramid/pull/3086

1.9a2

==================

Backward Incompatibilities
--------------------------

- ``request.exception`` and ``request.exc_info`` will only be set if the
response was generated by the EXCVIEW tween. This is to avoid any confusion
where a response was generated elsewhere in the pipeline and not in
direct relation to the original exception. If anyone upstream wants to
catch and render responses for exceptions they should set
``request.exception`` and ``request.exc_info`` themselves to indicate
the exception that was squashed when generating the response.

Similar behavior occurs with ``request.invoke_exception_view`` in which
the exception properties are set to reflect the exception if a response
is successfully generated by the method.

This is a very minor incompatibility. Most tweens right now would give
priority to the raised exception and ignore ``request.exception``. This
change just improves and clarifies that bookkeeping by trying to be
more clear about the relationship between the response and its squashed
exception. See https://github.com/Pylons/pyramid/pull/3029 and
https://github.com/Pylons/pyramid/pull/3031

1.9a1

==================

Major Features
--------------

- The file format used by all ``p*`` command line scripts such as ``pserve``
and ``pshell``, as well as the ``pyramid.paster.bootstrap`` function
is now replaceable thanks to a new dependency on
`plaster <https://docs.pylonsproject.org/projects/plaster/en/latest/>`_.

For now, Pyramid is still shipping with integrated support for the
PasteDeploy INI format by depending on the
`plaster_pastedeploy <https://github.com/Pylons/plaster_pastedeploy>`_
binding library. This may change in the future.

See https://github.com/Pylons/pyramid/pull/2985

- Added an execution policy hook to the request pipeline. An execution
policy has the ability to control creation and execution of the request
objects before they enter the rest of the pipeline. This means for a single
request environ the policy may create more than one request object.

The first library to use this feature is
`pyramid_retry
<https://docs.pylonsproject.org/projects/pyramid-retry/en/latest/>`_.

See https://github.com/Pylons/pyramid/pull/2964

- CSRF support has been refactored out of sessions and into its own
independent API in the ``pyramid.csrf`` module. It supports a pluggable
``pyramid.interfaces.ICSRFStoragePolicy`` which can be used to define your
own mechanism for generating and validating CSRF tokens. By default,
Pyramid continues to use the ``pyramid.csrf.LegacySessionCSRFStoragePolicy``
that uses the ``request.session.get_csrf_token`` and
``request.session.new_csrf_token`` APIs under the hood to preserve
compatibility. Two new policies are shipped as well,
``pyramid.csrf.SessionCSRFStoragePolicy`` and
``pyramid.csrf.CookieCSRFStoragePolicy`` which will store the CSRF tokens
in the session and in a standalone cookie, respectively. The storage policy
can be changed by using the new
``pyramid.config.Configurator.set_csrf_storage_policy`` config directive.

CSRF tokens should be used via the new ``pyramid.csrf.get_csrf_token``,
``pyramid.csrf.new_csrf_token`` and ``pyramid.csrf.check_csrf_token`` APIs
in order to continue working if the storage policy is changed. Also, the
``pyramid.csrf.get_csrf_token`` function is injected into templates to be
used conveniently in UI code.

See https://github.com/Pylons/pyramid/pull/2854 and
https://github.com/Pylons/pyramid/pull/3019

Minor Features
--------------

- Support an ``open_url`` config setting in the ``pserve`` section of the
config file. This url is used to open a web browser when ``pserve --browser``
is invoked. When this setting is unavailable the ``pserve`` script will
attempt to guess the port the server is using from the
``server:<server_name>`` section of the config file but there is no
requirement that the server is being run in this format so it may fail.
See https://github.com/Pylons/pyramid/pull/2984

- The ``pyramid.config.Configurator`` can now be used as a context manager
which will automatically push/pop threadlocals (similar to
``config.begin()`` and ``config.end()``). It will also automatically perform
a ``config.commit()`` and thus it is only recommended to be used at the
top-level of your app. See https://github.com/Pylons/pyramid/pull/2874

- The threadlocals are now available inside any function invoked via
``config.include``. This means the only config-time code that cannot rely
on threadlocals is code executed from non-actions inside the main. This
can be alleviated by invoking ``config.begin()`` and ``config.end()``
appropriately or using the new context manager feature of the configurator.
See https://github.com/Pylons/pyramid/pull/2989

Bug Fixes
---------

- HTTPException's accepts a detail kwarg that may be used to pass additional
details to the exception. You may now pass objects so long as they have a
valid __str__ method. See https://github.com/Pylons/pyramid/pull/2951

- Fix a reference cycle causing memory leaks in which the registry
would keep a ``Configurator`` instance alive even after the configurator
was discarded. Another fix was also added for the ``global_registries``
object in which the registry was stored in a closure preventing it from
being deallocated. See https://github.com/Pylons/pyramid/pull/2967

- Fix a bug directly invoking ``pyramid.scripts.pserve.main`` with the
``--reload`` option in which ``sys.argv`` is always used in the subprocess
instead of the supplied ``argv``.
See https://github.com/Pylons/pyramid/pull/2962

Deprecations
------------

- Pyramid currently depends on ``plaster_pastedeploy`` to simplify the
transition to ``plaster`` by maintaining integrated support for INI files.
This dependency on ``plaster_pastedeploy`` should be considered subject to
Pyramid's deprecation policy and may be removed in the future.
Applications should depend on the appropriate plaster binding to satisfy
their needs.

- Retrieving CSRF token from the session has been deprecated in favor of
equivalent methods in the ``pyramid.csrf`` module. The CSRF methods
(``ISession.get_csrf_token`` and ``ISession.new_csrf_token``) are no longer
required on the ``ISession`` interface except when using the default
``pyramid.csrf.LegacySessionCSRFStoragePolicy``.

Also, ``pyramid.session.check_csrf_token`` is now located at
``pyramid.csrf.check_csrf_token``.

See https://github.com/Pylons/pyramid/pull/2854 and
https://github.com/Pylons/pyramid/pull/3019

Documentation Changes
---------------------

- Added the execution policy to the routing diagram in the Request Processing
chapter. See https://github.com/Pylons/pyramid/pull/2993

1.8

================

- No major changes from 1.8b1.

1.8b1

==================

Features
--------

- Added an ``override`` option to ``config.add_translation_dirs`` to allow
later calls to place translation directories at a higher priority than
earlier calls. See https://github.com/Pylons/pyramid/pull/2902

Documentation Changes
---------------------

- Improve registry documentation to discuss uses as a component registry
and as a dictionary. See https://github.com/Pylons/pyramid/pull/2893

- Quick Tour, Quick Tutorial, and most other remaining documentation updated to
use cookiecutters instead of pcreate and scaffolds.
See https://github.com/Pylons/pyramid/pull/2888 and
https://github.com/Pylons/pyramid/pull/2889

- Fix unittests in wiki2 to work without different dependencies between
py2 and py3. See https://github.com/Pylons/pyramid/pull/2899

- Update Windows documentation to track newer Python 3 improvements to the
installer. See https://github.com/Pylons/pyramid/pull/2900

- Updated the ``mod_wsgi`` tutorial to use cookiecutters and Apache 2.4+.
See https://github.com/Pylons/pyramid/pull/2901

1.8a1

==================

Backward Incompatibilities
--------------------------

- Support for the ``IContextURL`` interface that was deprecated in Pyramid 1.3
has been removed.  See https://github.com/Pylons/pyramid/pull/2822

- Following the Pyramid deprecation period (1.6 -> 1.8),
daemon support for pserve has been removed. This includes removing the
daemon commands (start, stop, restart, status) as well as the following
arguments: ``--daemon``, ``--pid-file``, ``--log-file``,
``--monitor-restart``, ``--status``, ``--user``, ``--group``,
``--stop-daemon``

To run your server as a daemon you should use a process manager instead of
pserve.

See https://github.com/Pylons/pyramid/pull/2615

- ``pcreate`` is now interactive by default. You will be prompted if a file
already exists with different content. Previously if there were similar
files it would silently skip them unless you specified ``--interactive``
or ``--overwrite``.
See https://github.com/Pylons/pyramid/pull/2775

- Removed undocumented argument ``cachebust_match`` from
``pyramid.static.static_view``. This argument was shipped accidentally
in Pyramid 1.6. See https://github.com/Pylons/pyramid/pull/2681

- Change static view to avoid setting the ``Content-Encoding`` response header
to an encoding guessed using Python's ``mimetypes`` module. This was causing
clients to decode the content of gzipped files when downloading them. The
client would end up with a ``foo.txt.gz`` file on disk that was already
decoded, thus should really be ``foo.txt``. Also, the ``Content-Encoding``
should only have been used if the client itself broadcast support for the
encoding via ``Accept-Encoding`` request headers.
See https://github.com/Pylons/pyramid/pull/2810

- Settings are no longer accessible as attributes on the settings object
(e.g. ``request.registry.settings.foo``). This was deprecated in Pyramid 1.2.
See https://github.com/Pylons/pyramid/pull/2823

Features
--------

- Python 3.6 compatibility.
https://github.com/Pylons/pyramid/issues/2835

- ``pcreate`` learned about ``--package-name`` to allow you to create a new
project in an existing folder with a different package name than the project
name. See https://github.com/Pylons/pyramid/pull/2783

- The ``_get_credentials`` private method of ``BasicAuthAuthenticationPolicy``
has been extracted into standalone function ``extract_http_basic_credentials``
in ``pyramid.authentication`` module, this function extracts HTTP Basic
credentials from a ``request`` object, and returns them as a named tuple.
See https://github.com/Pylons/pyramid/pull/2662

- Pyramid 1.4 silently dropped a feature of the configurator that has been
restored. It's again possible for action discriminators to conflict across
different action orders.
See https://github.com/Pylons/pyramid/pull/2757

- ``pyramid.paster.bootstrap`` and its sibling ``pyramid.scripting.prepare``
can now be used as context managers to automatically invoke the ``closer``
and pop threadlocals off of the stack to prevent memory leaks.
See https://github.com/Pylons/pyramid/pull/2760

- Added ``pyramid.config.Configurator.add_exception_view`` and the
``pyramid.view.exception_view_config`` decorator. It is now possible using
these methods or via the new ``exception_only=True`` option to ``add_view``
to add a view which will only be matched when handling an exception.
Previously any exception views were also registered for a traversal
context that inherited from the exception class which prevented any
exception-only optimizations.
See https://github.com/Pylons/pyramid/pull/2660

- Added the ``exception_only`` boolean to
``pyramid.interfaces.IViewDeriverInfo`` which can be used by view derivers
to determine if they are wrapping a view which only handles exceptions.
This means that it is no longer necessary to perform request-time checks
for ``request.exception`` to determine if the view is handling an exception
- the pipeline can be optimized at config-time.
See https://github.com/Pylons/pyramid/pull/2660

- ``pserve`` should now work with ``gevent`` and other workers that need
to monkeypatch the process, assuming the server and / or the app do so
as soon as possible before importing the rest of pyramid.
See https://github.com/Pylons/pyramid/pull/2797

- Pyramid no longer copies the settings object passed to the
``pyramid.config.Configurator(settings=)``. The original ``dict`` is kept.
See https://github.com/Pylons/pyramid/pull/2823

- The csrf trusted origins setting may now be a whitespace-separated list of
domains. Previously only a python list was allowed. Also, it can now be set
using the ``PYRAMID_CSRF_TRUSTED_ORIGINS`` environment variable similar to
other settings. See https://github.com/Pylons/pyramid/pull/2823

- ``pserve --reload`` now uses the
`hupper <http://docs.pylonsproject.org/projects/hupper/en/latest/>`
library to monitor file changes. This comes with many improvements:

- If the `watchdog <http://pythonhosted.org/watchdog/>`_ package is
 installed then monitoring will be done using inotify instead of
 cpu and disk-intensive polling.

- The monitor is now a separate process that will not crash and starts up
 before any of your code.

- The monitor will not restart the process after a crash until a file is
 saved.

- The monitor works on windows.

- You can now trigger a reload manually from a pyramid view or any other
 code via ``hupper.get_reloader().trigger_reload()``. Kind of neat.

- You can trigger a reload by issuing a ``SIGHUP`` to the monitor process.

See https://github.com/Pylons/pyramid/pull/2805

- A new ``[pserve]`` section is supported in your config files with a
``watch_files`` key that can configure ``pserve --reload`` to monitor custom
file paths. See https://github.com/Pylons/pyramid/pull/2827

- Allow streaming responses to be made from subclasses of
``pyramid.httpexceptions.HTTPException``. Previously the response would
be unrolled while testing for a body, making it impossible to stream
a response.
See https://github.com/Pylons/pyramid/pull/2863

- Update starter, alchemy and zodb scaffolds to support IPv6 by using the
new ``listen`` directives in waitress.
See https://github.com/Pylons/pyramid/pull/2853

- All p* scripts now use argparse instead of optparse. This improves their
``--help`` output as well as enabling nicer documentation of their options.
See https://github.com/Pylons/pyramid/pull/2864

- Any deferred configuration action registered via ``config.action`` may now
depend on threadlocal state, such as asset overrides, being active when
the action is executed.
See https://github.com/Pylons/pyramid/pull/2873

- Asset specifications for directories passed to
``config.add_translation_dirs`` now support overriding the entire asset
specification, including the folder name. Previously only the package name
was supported and the folder would always need to have the same name.
See https://github.com/Pylons/pyramid/pull/2873

- ``config.begin()`` will propagate the current threadlocal request through
as long as the registry is the same. For example:

.. code-block:: python

  request = Request.blank(...)
  config.begin(request)   pushes a request
  config.begin()          propagates the previous request through unchanged
  assert get_current_request() is request

See https://github.com/Pylons/pyramid/pull/2873

- Added a new ``callback`` option to ``config.set_default_csrf_options`` which
can be used to determine per-request whether CSRF checking should be enabled
to allow for a mix authentication methods. Only cookie-based methods
generally require CSRF checking.
See https://github.com/Pylons/pyramid/pull/2778

Bug Fixes
---------

- Fixed bug in ``proutes`` such that it now shows the correct view when a
class and ``attr`` is involved.
See: https://github.com/Pylons/pyramid/pull/2687

- Fix a ``FutureWarning`` in Python 3.5 when using ``re.split`` on the
``format`` setting to the ``proutes`` script.
See https://github.com/Pylons/pyramid/pull/2714

- Fix a ``RuntimeWarning`` emitted by WebOb when using arbitrary objects
as the ``userid`` in the ``AuthTktAuthenticationPolicy``. This is now caught
by the policy and the object is serialized as a base64 string to avoid
the cryptic warning. Since the userid will be read back as a string on
subsequent requests a more useful warning is emitted encouraging you to
use a primitive type instead.
See https://github.com/Pylons/pyramid/pull/2715

- Pyramid 1.6 introduced the ability for an action to invoke another action.
There was a bug in the way that ``config.add_view`` would interact with
custom view derivers introduced in Pyramid 1.7 because the view's
discriminator cannot be computed until view derivers and view predicates
have been created in earlier orders. Invoking an action from another action
would trigger an unrolling of the pipeline and would compute discriminators
before they were ready. The new behavior respects the ``order`` of the action
and ensures the discriminators are not computed until dependent actions
from previous orders have executed.
See https://github.com/Pylons/pyramid/pull/2757

- Fix bug in i18n where the default domain would always use the Germanic plural
style, even if a different plural function is defined in the relevant
messages file. See https://github.com/Pylons/pyramid/pull/2859

- The ``config.override_asset`` method now occurs during
``pyramid.config.PHASE1_CONFIG`` such that it is ordered to execute before
any calls to ``config.add_translation_dirs``.
See https://github.com/Pylons/pyramid/pull/2873

Deprecations
------------

- The ``pcreate`` script and related scaffolds have been deprecated in favor
of the popular
`cookiecutter <https://cookiecutter.readthedocs.io/en/latest/>`_ project.

All of Pyramid's official scaffolds as well as the tutorials have been
ported to cookiecutters:

- `pyramid-cookiecutter-starter
 <https://github.com/Pylons/pyramid-cookiecutter-starter>`_

- `pyramid-cookiecutter-alchemy
 <https://github.com/Pylons/pyramid-cookiecutter-alchemy>`_

- `pyramid-cookiecutter-zodb
 <https://github.com/Pylons/pyramid-cookiecutter-zodb>`_

See https://github.com/Pylons/pyramid/pull/2780

Documentation Changes
---------------------

- Update Typographical Conventions.
https://github.com/Pylons/pyramid/pull/2838

- Add `pyramid_nacl_session
<http://docs.pylonsproject.org/projects/pyramid-nacl-session/en/latest/>`_
to session factories. See https://github.com/Pylons/pyramid/issues/2791

- Update ``HACKING.txt`` from stale branch that was never merged to master.
See https://github.com/Pylons/pyramid/pull/2782

- Updated Windows installation instructions and related bits.
See https://github.com/Pylons/pyramid/issues/2661

- Fix an inconsistency in the documentation between view predicates and
route predicates and highlight the differences in their APIs.
See https://github.com/Pylons/pyramid/pull/2764

- Clarify a possible misuse of the ``headers`` kwarg to subclasses of
``pyramid.httpexceptions.HTTPException`` in which more appropriate
kwargs from the parent class ``pyramid.response.Response`` should be
used instead. See https://github.com/Pylons/pyramid/pull/2750

- The SQLAlchemy + URL Dispatch + Jinja2 (``wiki2``) and
ZODB + Traversal + Chameleon (``wiki``) tutorials have been updated to
utilize the new cookiecutters and drop support for the ``pcreate``
scaffolds.

See https://github.com/Pylons/pyramid/pull/2881 and
https://github.com/Pylons/pyramid/pull/2883.

- Improve output of p* script descriptions for help.
See https://github.com/Pylons/pyramid/pull/2886

- Quick Tour updated to use cookiecutters instead of pcreate and scaffolds.
See https://github.com/Pylons/pyramid/pull/2888

1.7

================

- Fix a bug in the wiki2 tutorial where bcrypt is always expecting byte
strings. See https://github.com/Pylons/pyramid/pull/2576

- Simplify windows detection code and remove some duplicated data.
See https://github.com/Pylons/pyramid/pull/2585 and
https://github.com/Pylons/pyramid/pull/2586

1.7b4

==================

- Fixed the exception view tween to re-raise the original exception if
no exception view could be found to handle the exception. This better
allows tweens further up the chain to handle exceptions that were
left unhandled. Previously they would be converted into a
``PredicateMismatch`` exception if predicates failed to allow the view to
handle the exception.
See https://github.com/Pylons/pyramid/pull/2567

- Exposed the ``pyramid.interfaces.IRequestFactory`` interface to mirror
the public ``pyramid.interfaces.IResponseFactory`` interface.

1.7b3

==================

- Fix ``request.invoke_exception_view`` to raise an ``HTTPNotFound``
exception if no view is matched. Previously ``None`` would be returned
if no views were matched and a ``PredicateMismatch`` would be raised if
a view "almost" matched (a view was found matching the context).
See https://github.com/Pylons/pyramid/pull/2564

- Add defaults for py.test configuration and coverage to all three scaffolds,
and update documentation accordingly.
See https://github.com/Pylons/pyramid/pull/2550

- Add ``linkcheck`` to ``Makefile`` for Sphinx. To check the documentation for
broken links, use the command ``make linkcheck
SPHINXBUILD=$VENV/bin/sphinx-build``. Also removed and fixed dozens of broken
external links.

- Fix the internal runner for scaffold tests to ensure they work with pip
and py.test.
See https://github.com/Pylons/pyramid/pull/2565

1.7b2

==================

- Removed inclusion of pyramid_tm in development.ini for alchemy scaffold
See https://github.com/Pylons/pyramid/issues/2538

- A default permission set via ``config.set_default_permission`` will no
longer be enforced on an exception view. This has been the case for a while
with the default exception views (``config.add_notfound_view`` and
``config.add_forbidden_view``), however for any other exception view a
developer had to remember to set ``permission=NO_PERMISSION_REQUIRED`` or
be surprised when things didn't work. It is still possible to force a
permission check on an exception view by setting the ``permission`` argument
manually to ``config.add_view``. This behavior is consistent with the new
CSRF features added in the 1.7 series.
See https://github.com/Pylons/pyramid/pull/2534

1.7b1

==================

- This release announces the beta period for 1.7.

- Fix an issue where some files were being included in the alchemy scafffold
which had been removed from the 1.7 series.
See https://github.com/Pylons/pyramid/issues/2525

1.7a2

==================

Features
--------

- Automatic CSRF checks are now disabled by default on exception views. They
can be turned back on by setting the appropriate `require_csrf` option on
the view.
See https://github.com/Pylons/pyramid/pull/2517

- The automatic CSRF API was reworked to use a config directive for
setting the options. The ``pyramid.require_default_csrf`` setting is
no longer supported. Instead, a new ``config.set_default_csrf_options``
directive has been introduced that allows the developer to specify
the default value for ``require_csrf`` as well as change the CSRF token,
header and safe request methods. The ``pyramid.csrf_trusted_origins``
setting is still supported.
See https://github.com/Pylons/pyramid/pull/2518

Bug fixes
---------

- CSRF origin checks had a bug causing the checks to always fail.
See https://github.com/Pylons/pyramid/pull/2512

- Fix the test suite to pass on windows.
See https://github.com/Pylons/pyramid/pull/2520

1.7a1

==================

Backward Incompatibilities
--------------------------

- Following the Pyramid deprecation period (1.4 -> 1.6),
AuthTktAuthenticationPolicy's default hashing algorithm is changing from md5
to sha512. If you are using the authentication policy and need to continue
using md5, please explicitly set hashalg to 'md5'.

This change does mean that any existing auth tickets (and associated cookies)
will no longer be valid, and users will no longer be logged in, and have to
login to their accounts again.

See https://github.com/Pylons/pyramid/pull/2496

- The ``check_csrf_token`` function no longer validates a csrf token in the
query string of a request. Only headers and request bodies are supported.
See https://github.com/Pylons/pyramid/pull/2500

Features
--------

- Added a new setting, ``pyramid.require_default_csrf`` which may be used
to turn on CSRF checks globally for every POST request in the application.
This should be considered a good default for websites built on Pyramid.
It is possible to opt-out of CSRF checks on a per-view basis by setting
``require_csrf=False`` on those views.
See https://github.com/Pylons/pyramid/pull/2413

- Added a ``require_csrf`` view option which will enforce CSRF checks on any
request with an unsafe method as defined by RFC2616. If the CSRF check fails
a ``BadCSRFToken`` exception will be raised and may be caught by exception
views (the default response is a ``400 Bad Request``). This option should be
used in place of the deprecated ``check_csrf`` view predicate which would
normally result in unexpected ``404 Not Found`` response to the client
instead of a catchable exception.  See
https://github.com/Pylons/pyramid/pull/2413 and
https://github.com/Pylons/pyramid/pull/2500

- Added an additional CSRF validation that checks the origin/referrer of a
request and makes sure it matches the current ``request.domain``. This
particular check is only active when accessing a site over HTTPS as otherwise
browsers don't always send the required information. If this additional CSRF
validation fails a ``BadCSRFOrigin`` exception will be raised and may be
caught by exception views (the default response is ``400 Bad Request``).
Additional allowed origins may be configured by setting
``pyramid.csrf_trusted_origins`` to a list of domain names (with ports if on
a non standard port) to allow. Subdomains are not allowed unless the domain
name has been prefixed with a ``.``. See
https://github.com/Pylons/pyramid/pull/2501

- Added a new ``pyramid.session.check_csrf_origin`` API for validating the
origin or referrer headers against the request's domain.
See https://github.com/Pylons/pyramid/pull/2501

- Pyramid HTTPExceptions will now take into account the best match for the
clients Accept header, and depending on what is requested will return
text/html, application/json or text/plain. The default for */* is still
text/html, but if application/json is explicitly mentioned it will now
receive a valid JSON response. See
https://github.com/Pylons/pyramid/pull/2489

- A new event and interface (BeforeTraversal) has been introduced that will
notify listeners before traversal starts in the router. See
https://github.com/Pylons/pyramid/pull/2469 and
https://github.com/Pylons/pyramid/pull/1876

- Add a new "view deriver" concept to Pyramid to allow framework authors to
inject elements into the standard Pyramid view pipeline and affect all
views in an application. This is similar to a decorator except that it
has access to options passed to ``config.add_view`` and can affect other
stages of the pipeline such as the raw response from a view or prior to
security checks. See https://github.com/Pylons/pyramid/pull/2021

- Allow a leading ``=`` on the key of the request param predicate.
For example, '=abc=1' is equivalent down to
``request.params['=abc'] == '1'``.
See https://github.com/Pylons/pyramid/pull/1370

- A new ``request.invoke_exception_view(...)`` method which can be used to
invoke an exception view and get back a response. This is useful for
rendering an exception view outside of the context of the excview tween
where you may need more control over the request.
See https://github.com/Pylons/pyramid/pull/2393

- Allow using variable substitutions like ``%(LOGGING_LOGGER_ROOT_LEVEL)s``
for logging sections of the .ini file and populate these variables from
the ``pserve`` command line -- e.g.:
``pserve development.ini LOGGING_LOGGER_ROOT_LEVEL=DEBUG``
See https://github.com/Pylons/pyramid/pull/2399

Documentation Changes
---------------------

- A complete overhaul of the docs:

- Use pip instead of easy_install.
- Become opinionated by preferring Python 3.4 or greater to simplify
 installation of Python and its required packaging tools.
- Use venv for the tool, and virtual environment for the thing created,
 instead of virtualenv.
- Use py.test and pytest-cov instead of nose and coverage.
- Further updates to the scaffolds as well as tutorials and their src files.

See https://github.com/Pylons/pyramid/pull/2468

- A complete overhaul of the ``alchemy`` scaffold as well as the
Wiki2 SQLAlchemy + URLDispatch tutorial to introduce more modern features
into the usage of SQLAlchemy with Pyramid and provide a better starting
point for new projects.
See https://github.com/Pylons/pyramid/pull/2024

Bug Fixes
---------

- Fix ``pserve --browser`` to use the ``--server-name`` instead of the
app name when selecting a section to use. This was only working for people
who had server and app sections with the same name, for example
``[app:main]`` and ``[server:main]``.
See https://github.com/Pylons/pyramid/pull/2292

Deprecations
------------

- The ``check_csrf`` view predicate has been deprecated. Use the
new ``require_csrf`` option or the ``pyramid.require_default_csrf`` setting
to ensure that the ``BadCSRFToken`` exception is raised.
See https://github.com/Pylons/pyramid/pull/2413

- Support for Python 3.3 will be removed in Pyramid 1.8.
https://github.com/Pylons/pyramid/issues/2477

- Python 2.6 is no longer supported by Pyramid. See
https://github.com/Pylons/pyramid/issues/2368

- Dropped Python 3.2 support.
See https://github.com/Pylons/pyramid/pull/2256

1.6

================

Deprecations
------------

- Continue removal of ``pserve`` daemon/process management features
by deprecating ``--user`` and ``--group`` options.
See https://github.com/Pylons/pyramid/pull/2190

1.6b3

==================

Backward Incompatibilities
--------------------------

- Remove the ``cachebust`` option from ``config.add_static_view``. See
``config.add_cache_buster`` for the new way to attach cache busters to
static assets.
See https://github.com/Pylons/pyramid/pull/2186

- Modify the ``pyramid.interfaces.ICacheBuster`` API to be a simple callable
instead of an object with ``match`` and ``pregenerate`` methods. Cache
busters are now focused solely on generation. Matching has been dropped.

Note this affects usage of ``pyramid.static.QueryStringCacheBuster`` and
``pyramid.static.ManifestCacheBuster``.

See https://github.com/Pylons/pyramid/pull/2186

Features
--------

- Add a new ``config.add_cache_buster`` API for attaching cache busters to
static assets. See https://github.com/Pylons/pyramid/pull/2186

Bug Fixes
---------

- Ensure that ``IAssetDescriptor.abspath`` always returns an absolute path.
There were cases depending on the process CWD that a relative path would
be returned. See https://github.com/Pylons/pyramid/issues/2188

1.6b2

==================

Features
--------

- Allow asset specifications to be supplied to
``pyramid.static.ManifestCacheBuster`` instead of requiring a
filesystem path.

1.6b1

==================

Backward Incompatibilities
--------------------------

- IPython and BPython support have been removed from pshell in the core.
To continue using them on Pyramid 1.6+ you must install the binding
packages explicitly::

 $ pip install pyramid_ipython

 or

 $ pip install pyramid_bpython

- Remove default cache busters introduced in 1.6a1 including
``PathSegmentCacheBuster``, ``PathSegmentMd5CacheBuster``, and
``QueryStringMd5CacheBuster``.
See https://github.com/Pylons/pyramid/pull/2116

Features
--------

- Additional shells for ``pshell`` can now be registered as entrypoints. See
https://github.com/Pylons/pyramid/pull/1891 and
https://github.com/Pylons/pyramid/pull/2012

- The variables injected into ``pshell`` are now displayed with their
docstrings instead of the default ``str(obj)`` when possible.
See https://github.com/Pylons/pyramid/pull/1929

- Add new ``pyramid.static.ManifestCacheBuster`` for use with external
asset pipelines as well as examples of common usages in the narrative.
See https://github.com/Pylons/pyramid/pull/2116

- Fix ``pserve --reload`` to not crash on syntax errors!!!
See https://github.com/Pylons/pyramid/pull/2125

- Fix an issue when user passes unparsed strings to ``pyramid.session.CookieSession``
and ``pyramid.authentication.AuthTktCookieHelper`` for time related parameters
``timeout``, ``reissue_time``, ``max_age`` that expect an integer value.
See https://github.com/Pylons/pyramid/pull/2050

Bug Fixes
---------

- ``pyramid.httpexceptions.HTTPException`` now defaults to
``520 Unknown Error`` instead of ``None None`` to conform with changes in
WebOb 1.5.
See https://github.com/Pylons/pyramid/pull/1865

- ``pshell`` will now preserve the capitalization of variables in the
``[pshell]`` section of the INI file. This makes exposing classes to the
shell a little more straightfoward.
See https://github.com/Pylons/pyramid/pull/1883

- Fixed usage of ``pserve --monitor-restart --daemon`` which would fail in
horrible ways. See https://github.com/Pylons/pyramid/pull/2118

- Explicitly prevent ``pserve --reload --daemon`` from being used. It's never
been supported but would work and fail in weird ways.
See https://github.com/Pylons/pyramid/pull/2119

- Fix an issue on Windows when running ``pserve --reload`` in which the
process failed to fork because it could not find the pserve script to
run. See https://github.com/Pylons/pyramid/pull/2138

Deprecations
------------

- Deprecate ``pserve --monitor-restart`` in favor of user's using a real
process manager such as Systemd or Upstart as well as Python-based
solutions like Circus and Supervisor.
See https://github.com/Pylons/pyramid/pull/2120

1.6a2

==================

Bug Fixes
---------

- Ensure that ``pyramid.httpexceptions.exception_response`` returns the
appropriate "concrete" class for ``400`` and ``500`` status codes.
See https://github.com/Pylons/pyramid/issues/1832

- Fix an infinite recursion bug introduced in 1.6a1 when
``pyramid.view.render_view_to_response`` was called directly or indirectly.
See https://github.com/Pylons/pyramid/issues/1643

- Further fix the JSONP renderer by prefixing the returned content with
a comment. This should mitigate attacks from Flash (See CVE-2014-4671).
See https://github.com/Pylons/pyramid/pull/1649

- Allow periods and brackets (``[]``) in the JSONP callback. The original
fix was overly-restrictive and broke Angular.
See https://github.com/Pylons/pyramid/pull/1649

1.6a1

==================

Features
--------

- pcreate will now ask for confirmation if invoked with
an argument for a project name that already exists or
is importable in the current environment.
See https://github.com/Pylons/pyramid/issues/1357 and
https://github.com/Pylons/pyramid/pull/1837

- Make it possible to subclass ``pyramid.request.Request`` and also use
``pyramid.request.Request.add_request.method``.  See
https://github.com/Pylons/pyramid/issues/1529

- The ``pyramid.config.Configurator`` has grown the ability to allow
actions to call other actions during a commit-cycle. This enables much more
logic to be placed into actions, such as the ability to invoke other actions
or group them for improved conflict detection. We have also exposed and
documented the config phases that Pyramid uses in order to further assist
in building conforming addons.
See https://github.com/Pylons/pyramid/pull/1513

- Add ``pyramid.request.apply_request_extensions`` function which can be
used in testing to apply any request extensions configured via
``config.add_request_method``. Previously it was only possible to test
the extensions by going through Pyramid's router.
See https://github.com/Pylons/pyramid/pull/1581

- pcreate when run without a scaffold argument will now print information on
the missing flag, as well as a list of available scaffolds.
See https://github.com/Pylons/pyramid/pull/1566 and
https://github.com/Pylons/pyramid/issues/1297

- Added support / testing for 'pypy3' under Tox and Travis.
See https://github.com/Pylons/pyramid/pull/1469

- Automate code coverage metrics across py2 and py3 instead of just py2.
See https://github.com/Pylons/pyramid/pull/1471

- Cache busting for static resources has been added and is available via a new
argument to ``pyramid.config.Configurator.add_static_view``: ``cachebust``.
Core APIs are shipped for both cache busting via query strings and
path segments and may be extended to fit into custom asset pipelines.
See https://github.com/Pylons/pyramid/pull/1380 and
https://github.com/Pylons/pyramid/pull/1583

- Add ``pyramid.config.Configurator.root_package`` attribute and init
parameter to assist with includeable packages that wish to resolve
resources relative to the package in which the ``Configurator`` was created.
This is especially useful for addons that need to load asset specs from
settings, in which case it is may be natural for a developer to define
imports or assets relative to the top-level package.
See https://github.com/Pylons/pyramid/pull/1337

- Added line numbers to the log formatters in the scaffolds to assist with
debugging. See https://github.com/Pylons/pyramid/pull/1326

- Add new HTTP exception objects for status codes
``428 Precondition Required``, ``429 Too Many Requests`` and
``431 Request Header Fields Too Large`` in ``pyramid.httpexceptions``.
See https://github.com/Pylons/pyramid/pull/1372/files

- The ``pshell`` script will now load a ``PYTHONSTARTUP`` file if one is
defined in the environment prior to launching the interpreter.
See https://github.com/Pylons/pyramid/pull/1448

- Make it simple to define notfound and forbidden views that wish to use
the default exception-response view but with altered predicates and other
configuration options. The ``view`` argument is now optional in
``config.add_notfound_view`` and ``config.add_forbidden_view``..
See https://github.com/Pylons/pyramid/issues/494

- Greatly improve the readability of the ``pcreate`` shell script output.
See https://github.com/Pylons/pyramid/pull/1453

- Improve robustness to timing attacks in the ``AuthTktCookieHelper`` and
the ``SignedCookieSessionFactory`` classes by using the stdlib's
``hmac.compare_digest`` if it is available (such as Python 2.7.7+ and 3.3+).
See https://github.com/Pylons/pyramid/pull/1457

- Assets can now be overidden by an absolute path on the filesystem when using
the ``config.override_asset`` API. This makes it possible to fully support
serving up static content from a mutable directory while still being able
to use the ``request.static_url`` API and ``config.add_static_view``.
Previously it was not possible to use ``config.add_static_view`` with an
absolute path **and** generate urls to the content. This change replaces
the call, ``config.add_static_view('/abs/path', 'static')``, with
``config.add_static_view('myapp:static', 'static')`` and
``config.override_asset(to_override='myapp:static/',
override_with='/abs/path/')``. The ``myapp:static`` asset spec is completely
made up and does not need to exist - it is used for generating urls
via ``request.static_url('myapp:static/foo.png')``.
See https://github.com/Pylons/pyramid/issues/1252

- Added ``pyramid.config.Configurator.set_response_factory`` and the
``response_factory`` keyword argument to the ``Configurator`` for defining
a factory that will return a custom ``Response`` class.
See https://github.com/Pylons/pyramid/pull/1499

- Allow an iterator to be returned from a renderer. Previously it was only
possible to return bytes or unicode.
See https://github.com/Pylons/pyramid/pull/1417

- ``pserve`` can now take a ``-b`` or ``--browser`` option to open the server
URL in a web browser. See https://github.com/Pylons/pyramid/pull/1533

- Overall improvments for the ``proutes`` command. Added ``--format`` and
``--glob`` arguments to the command, introduced the ``method``
column for displaying available request methods, and improved the ``view``
output by showing the module instead of just ``__repr__``.
See https://github.com/Pylons/pyramid/pull/1488

- Support keyword-only arguments and function annotations in views in
Python 3. See https://github.com/Pylons/pyramid/pull/1556

- ``request.response`` will no longer be mutated when using the
``pyramid.renderers.render_to_response()`` API.  It is now necessary to
pass in a ``response=`` argument to ``render_to_response`` if you wish to
supply the renderer with a custom response object for it to use. If you
do not pass one then a response object will be created using the
application's ``IResponseFactory``. Almost all renderers
mutate the ``request.response`` response object (for example, the JSON
renderer sets ``request.response.content_type`` to ``application/json``).
However, when invoking ``render_to_response`` it is not expected that the
response object being returned would be the same one used later in the
request. The response object returned from ``render_to_response`` is now
explicitly different from ``request.response``. This does not change the
API of a renderer. See https://github.com/Pylons/pyramid/pull/1563

- The ``append_slash`` argument of Configurator().add_notfound_view()`` will
now accept anything that implements the ``IResponse`` interface and will use
that as the response class instead of the default ``HTTPFound``.  See
https://github.com/Pylons/pyramid/pull/1610

Bug Fixes
---------

- The JSONP renderer created JavaScript code in such a way that a callback
variable could be used to arbitrarily inject javascript into the response
object. https://github.com/Pylons/pyramid/pull/1627

- Work around an issue where ``pserve --reload`` would leave terminal echo
disabled if it reloaded during a pdb session.
See https://github.com/Pylons/pyramid/pull/1577,
https://github.com/Pylons/pyramid/pull/1592

- ``pyramid.wsgi.wsgiapp`` and ``pyramid.wsgi.wsgiapp2`` now raise
``ValueError`` when accidentally passed ``None``.
See https://github.com/Pylons/pyramid/pull/1320

- Fix an issue whereby predicates would be resolved as maybe_dotted in the
introspectable but not when passed for registration. This would mean that
``add_route_predicate`` for example can not take a string and turn it into
the actual callable function.
See https://github.com/Pylons/pyramid/pull/1306

- Fix ``pyramid.testing.setUp`` to return a ``Configurator`` with a proper
package. Previously it was not possible to do package-relative includes
using the returned ``Configurator`` during testing. There is now a
``package`` argument that can override this behavior as well.
See https://github.com/Pylons/pyramid/pull/1322

- Fix an issue where a ``pyramid.response.FileResponse`` may apply a charset
where it does not belong. See https://github.com/Pylons/pyramid/pull/1251

- Work around a bug introduced in Python 2.7.7 on Windows where
``mimetypes.guess_type`` returns Unicode rather than str for the content
type, unlike any previous version of Python.  See
https://github.com/Pylons/pyramid/issues/1360 for more information.

- ``pcreate`` now normalizes the package name by converting hyphens to
underscores. See https://github.com/Pylons/pyramid/pull/1376

- Fix an issue with the final response/finished callback being unable to
add another callback to the list. See
https://github.com/Pylons/pyramid/pull/1373

- Fix a failing unittest caused by differing mimetypes across various OSs.
See https://github.com/Pylons/pyramid/issues/1405

- Fix route generation for static view asset specifications having no path.
See https://github.com/Pylons/pyramid/pull/1377

- Allow the ``pyramid.renderers.JSONP`` renderer to work even if there is no
valid request object. In this case it will not wrap the object in a
callback and thus behave just like the ``pyramid.renderers.JSON`` renderer.
See https://github.com/Pylons/pyramid/pull/1561

- Prevent "parameters to load are deprecated" ``DeprecationWarning``
from setuptools>=11.3. See https://github.com/Pylons/pyramid/pull/1541

- Avoiding sharing the ``IRenderer`` objects across threads when attached to
a view using the `renderer=` argument. These renderers were instantiated
at time of first render and shared between requests, causing potentially
subtle effects like `pyramid.reload_templates = true` failing to work
in `pyramid_mako`. See https://github.com/Pylons/pyramid/pull/1575
and https://github.com/Pylons/pyramid/issues/1268

- Avoiding timing attacks against CSRF tokens.
See https://github.com/Pylons/pyramid/pull/1574

- ``request.finished_callbacks`` and ``request.response_callbacks`` now
default to an iterable instead of ``None``. It may be checked for a length
of 0. This was the behavior in 1.5.

Deprecations
------------

- The ``pserve`` command's daemonization features have been deprecated. This
includes the ``[start,stop,restart,status]`` subcommands as well as the
``--daemon``, ``--stop-server``, ``--pid-file``, and ``--status`` flags.

Please use a real process manager in the future instead of relying on the
``pserve`` to daemonize itself. Many options exist including your Operating
System's services such as Systemd or Upstart, as well as Python-based
solutions like Circus and Supervisor.

See https://github.com/Pylons/pyramid/pull/1641

- Renamed the ``principal`` argument to ``pyramid.security.remember()`` to
``userid`` in order to clarify its intended purpose.
See https://github.com/Pylons/pyramid/pull/1399

Docs
----

- Moved the documentation for ``accept`` on ``Configurator.add_view`` to no
longer be part of the predicate list. See
https://github.com/Pylons/pyramid/issues/1391 for a bug report stating
``not_`` was failing on ``accept``. Discussion with mcdonc led to the
conclusion that it should not be documented as a predicate.
See https://github.com/Pylons/pyramid/pull/1487 for this PR

- Removed logging configuration from Quick Tutorial ini files except for
scaffolding- and logging-related chapters to avoid needing to explain it too
early.

- Clarify a previously-implied detail of the ``ISession.invalidate`` API
documentation.

- Improve and clarify the documentation on what Pyramid defines as a
``principal`` and a ``userid`` in its security APIs.
See https://github.com/Pylons/pyramid/pull/1399

- Add documentation of command line programs (``p*`` scripts). See
https://github.com/Pylons/pyramid/pull/2191

Scaffolds
---------

- Update scaffold generating machinery to return the version of pyramid and
pyramid docs for use in scaffolds. Updated starter, alchemy and zodb
templates to have links to correctly versioned documentation and reflect
which pyramid was used to generate the scaffold.

- Removed non-ascii copyright symbol from templates, as this was
causing the scaffolds to fail for project generation.

- You can now run the scaffolding func tests via ``tox py2-scaffolds`` and
``tox py3-scaffolds``.

1.5

================

- Python 3.4 compatibility.

- Avoid crash in ``pserve --reload`` under Py3k, when iterating over possibly
mutated ``sys.modules``.

- ``UnencryptedCookieSessionFactoryConfig`` failed if the secret contained
higher order characters. See https://github.com/Pylons/pyramid/issues/1246

- Fixed a bug in ``UnencryptedCookieSessionFactoryConfig`` and
``SignedCookieSessionFactory`` where ``timeout=None`` would cause a new
session to always be created. Also in ``SignedCookieSessionFactory`` a
``reissue_time=None`` would cause an exception when modifying the session.
See https://github.com/Pylons/pyramid/issues/1247

- Updated docs and scaffolds to keep in step with new 2.0 release of
``Lingua``.  This included removing all ``setup.cfg`` files from scaffolds
and documentation environments.

1.5b1

==================

Features
--------

- We no longer eagerly clear ``request.exception`` and ``request.exc_info`` in
the exception view tween.  This makes it possible to inspect exception
information within a finished callback.  See
https://github.com/Pylons/pyramid/issues/1223.

1.5a4

==================

Features
--------

- Updated scaffolds with new theme, fixed documentation and sample project.

Bug Fixes
---------

- Depend on a newer version of WebOb so that we pull in some crucial bug-fixes
that were showstoppers for functionality in Pyramid.

- Add a trailing semicolon to the JSONP response. This fixes JavaScript syntax
errors for old IE versions. See https://github.com/Pylons/pyramid/pull/1205

- Fix a memory leak when the configurator's ``set_request_property`` method was
used or when the configurator's ``add_request_method`` method was used with
the ``property=True`` attribute.  See
https://github.com/Pylons/pyramid/issues/1212 .

1.5a3

==================

Features
--------

- An authorization API has been added as a method of the
request: ``request.has_permission``.

``request.has_permission`` is a method-based alternative to the
``pyramid.security.has_permission`` API and works exactly the same.  The
older API is now deprecated.

- Property API attributes have been added to the request for easier access to
authentication data: ``request.authenticated_userid``,
``request.unauthenticated_userid``, and ``request.effective_principals``.

These are analogues, respectively, of
``pyramid.security.authenticated_userid``,
``pyramid.security.unauthenticated_userid``, and
``pyramid.security.effective_principals``.  They operate exactly the same,
except they are attributes of the request instead of functions accepting a
request.  They are properties, so they cannot be assigned to.  The older
function-based APIs are now deprecated.

- Pyramid's console scripts (``pserve``, ``pviews``, etc) can now be run
directly, allowing custom arguments to be sent to the python interpreter
at runtime. For example::

   python -3 -m pyramid.scripts.pserve development.ini

- Added a specific subclass of ``HTTPBadRequest`` named
``pyramid.exceptions.BadCSRFToken`` which will now be raised in response
to failures in ``check_csrf_token``.
See https://github.com/Pylons/pyramid/pull/1149

- Added a new ``SignedCookieSessionFactory`` which is very similar to the
``UnencryptedCookieSessionFactoryConfig`` but with a clearer focus on signing
content. The custom serializer arguments to this function should only focus
on serializing, unlike its predecessor which required the serializer to also
perform signing.  See https://github.com/Pylons/pyramid/pull/1142 .  Note
that cookies generated using ``SignedCookieSessionFactory`` are not
compatible with cookies generated using ``UnencryptedCookieSessionFactory``,
so existing user session data will be destroyed if you switch to it.

- Added a new ``BaseCookieSessionFactory`` which acts as a generic cookie
factory that can be used by framework implementors to create their own
session implementations. It provides a reusable API which focuses strictly
on providing a dictionary-like object that properly handles renewals,
timeouts, and conformance with the ``ISession`` API.
See https://github.com/Pylons/pyramid/pull/1142

- The anchor argument to ``pyramid.request.Request.route_url`` and
``pyramid.request.Request.resource_url`` and their derivatives will now be
escaped via URL quoting to ensure minimal conformance.  See
https://github.com/Pylons/pyramid/pull/1183

- Allow sending of ``_query`` and ``_anchor`` options to
``pyramid.request.Request.static_url`` when an external URL is being
generated.
See https://github.com/Pylons/pyramid/pull/1183

- You can now send a string as the ``_query`` argument to
``p