forked from pyeve/eve
-
Notifications
You must be signed in to change notification settings - Fork 0
/
CHANGES
313 lines (281 loc) · 16 KB
/
CHANGES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
Eve Changelog
=============
Here you can see the full list of changes between each Eve release.
Version 0.1.0
-------------
Not released yet.
- PUT method for completely replace a document with another valid one while
keeping the same unique identifier. Closes #96.
- Some more Python 3 refactoring (Dong Wei Ming).
- Fixed #99: malformed XML render when href includes forbidden URI/URL chars.
- Fixed a bug introduced with 0.0.9 and Python 3 support. Filters (``?where``)
on datetime values were not working when running on Python 2.x.
- Fixed some typos and minor grammatical errors all across the documentation
(Ken Carpenter, Jean Boussier, Kracekumar).
- HTTP method is now passed into ``authenticate()`` and ``check_auth()``.
Closes #90 (Ken Carpenter).
- HATEOAS is now optional and can be disabled both at global and resource
level.
- PyMongo 2.6.2 is now supported.
Version 0.0.9
-------------
Released on August 29, 2013
- PyMongo 2.6 is now supported.
- ``FILTERS`` boolean replaced by ``ALLOWED_FILTERS`` list which allows for
explicit whitelisting of filter-enabled fields (Bryan Cattle). Closes #78.
- Custom user ids for User-Restricted Resource Access, allowing for more
flexibility and token revocation with token-based authentication. Closes #73.
- ``AUTH_USERNAME_FIELD`` renamed to ``AUTH_FIELD``.
- ``auth_username_field`` renamed to ``auth_field``.
- BasicAuth and subclasses now support ``user_id`` property.
- Updated the event hooks naming system to be more robuts and consistent.
Closes #80.
- To emphasize the fact that they are tied to a method, all ``on_<method>``
hooks now have ``<method>`` in uppercase.
- ``on_getting`` hook renamed to ``on_fetch_resource``.
- ``on_getting_<resource>`` hook renamed to ``on_fetch_resource_<resource>``
- ``on_getting_item`` hook renamed to ``on_fetch_item``.
- ``on_getting_item_<item_title>`` hook renamed to
``on_fetch_item_<item_title>``.
- ``on_posting`` hook renamed to ``on_insert``.
- Datasource projections always include automatic fields (``ID_FIELD``,
``LAST_UPDATED``, ``DATE_CREATED``). Closes #85.
- Public HTTP methods now override `auth_username_field` Edit. Closes #70
(Bryan Cattle).
- Response date fields are now using GMT instead of UTC. Closes #83.
- Handle the case of 'additional_lookup' field being an integer. If this is the
case you can omit the 'url' key, as it will be ignored, and the integer value
correctly parsed.
- More informative HTTP error messages. Some more informative error messages
have been added for HTTP 400/3/12 and 500 errors. The error messages only
show if DEBUG==True (Bryan Cattle).
- ``on_getting(resource, documents)`` is now ``on_getting_resource(resource,
documents)``; ``on_getting_<resource>(documents) is now known as
``on_getting_resource_<resource>(documents)`` (Ryan Shea).
- Added a new event hook: ``on_getting_item_<title>(_id, document)`` (Ryan
Shea).
- Allow ``auth_username_field`` to be set to ``ID_FIELD`` (Bryan Cattle).
- Python 3.3 is now supported.
- Flask 0.10.1 is now supported.
- Werkzeug 0.9.4 is now supported.
- Copyright finally updated to 2013.
Version 0.0.8
-------------
Released on July 25th 2013.
- Only run RateLimiting tests if redis-py is installed and redis-server is
running.
- CORS ``Access-Control-Allow-Headers`` header support (Garrin Kimmell).
- CORS ``OPTIONS`` support for resource and items endpoints (Garrin Kimmell).
- ``float`` is now available as a data-type in the schema definition ruleset.
- ``nullable`` field schema rule is now available. If ``True`` the field value
can be set to null. Defaults to ``False``.
- v0.3.0 of Cerberus is now a requirement.
- ``on_getting``, ``on_getting_<resource>`` and ``on_getting_item`` event
hooks. These events are raised when documents have just been read from the
database and are about to be sent to the client. Registered callback
functions can eventually manipulate the documents as needed. Please be aware
that ``last_modified`` and ``etag`` headers will always be consistent with
the state of the documents on the database (they won't be updated to reflect
changes eventually applied by the callback functions). Closes #65.
- Documentation fix: ``AUTH_USERFIELD_NAME`` renamed to ``AUTH_USERNAME_FIELD``
(Julien Barbot).
- Responses to GET requests for resource endpoints now include a ``last`` item
in the `_links` dictionary. The value is a link to the last page available.
The item itself is only provided if pagination is enabled and the page being
requested isn't the last one. Closes #62.
- It is now possible to set the MongoDB write concern level at both global
(``MONGO_WRITE_CONCERN``) and endpoint (``mongo_write_concern``) levels. The
value is a dictionary with all valid MongoDB write_concern settings (w,
wtimeout, j and fsync) as keys. ``{'w': 1}`` is the default, which is also
MongoDB's default setting.
- ``TestMininal`` class added to the test suite. This will allow to start the
building of the tests for an application based on Eve, by subclassing the
TestMinimal class (Daniele Pizzolli).
Version 0.0.7
-------------
Released on June 18th 2013.
- Pinned Werkzeug requirement to v0.8.3 to avoid issues with the latest
release which breaks backward compatibility (actually a Flask 0.9
requirements issue, which backtracked to Eve).
- Support for Rate Limiting on all HTTP methods. Closes #58. Please note: to
successfully execute the tests in 'eve.tests.methods.ratelimit.py`, a running
redis server is needed.
- ``utils.request_method`` internal helper function added, which allowed for
some nice code cleanup (DRY).
- Setting the default 'field' value would not happen if a 'data_relation' was
nested deeper than the first schema level. Fixes #60.
- Support for ``EXTRA_RESPONSE_FIELDS``. It is now possible to configure a list
of additonal document fields that should be provided with POST responses.
Normally only automatically handled fields (``ID_FIELD``, ``LAST_UPDATED``,
``DATE_CREATED``, ``etag``) are included in POST payloads.
``EXTRA_RESPONSE_FIELDS`` is a global setting that will apply to all resource
endpoint . Defaults to ``[]``, effectively disabling the feature.
``extra_response_fields`` is a local resource setting and will override
``EXTRA_RESPONSE_FIELDS`` when present.
- ``on_posting`` and ``on_posting_<resource>`` event hooks. ``on_posting`` and
``on_posting_<resource>`` events are raised when documents are about to be
stored. Among other things this allows callback functions to arbitrarily
update the documents being inserted. ``on_posting(resource, documents)`` is
raised on every successful POST while ``on_posting_<resource>(documents)`` is
only raised when <resource> is being updated. In both circumstances events
will be raised only if at least one document passed validation and is going
to be inserted.
- Flask native ``request.json`` is now used when decoding request payloads.
- *resource* argument added to Authorization classes. The ``check_auth()``
method of all classes in the ``eve.auth`` package (``BasicAuth``,
``HMACAuth``, ``TokenAuth``) now supports the *resource* argument. This
allows subclasses to eventually build their custom authorization logic around
the resource being accessed.
- ``MONGO_QUERY_BLACKLIST`` option added. Allows to blacklist mongo query
operators that should not be allowed in resource queries (``?where=``).
Defaults to ['$where', '$regex']. Mongo Javascript operators are disabled by
default as they might be used as vectors for injection attacks. Javascript
queries also tend to be slow and generally can be easily replaced with the
(very rich) Mongo query dialect.
- ``MONGO_HOST`` defaults to 'localhost'.
- ``MONGO_PORT`` defaults to 27017.
- Support alternative hosts/ports for the test suite (Paul Doucet).
Version 0.0.6
-------------
Released on May 13th 2013.
- Content-Type header now properly parsed when additional arguments are
included (Ondrej Slinták).
- Only fields defined in the resource schema are now returned from the
database. Closes #52.
- Default ``SERVER_NAME`` is now set to ``127.0.0.1:5000``.
- ``auth_username_field`` is honored even when there is no query in the request
(Thomas Sileo).
- Pagination links in XML payloads are now properly escaped. Fixes #49.
- HEAD requests supported. Closes #48.
- Event Hooks. Each time a GET, POST, PATCH, DELETE method has been executed,
both global ``on_<method>`` and resource-level ``on_<method>_<resource>``
events will be raised. You can subscribe to these events with multiple
callback functions. Callbacks will receive the original flask.request object
and the response payload as arguments.
- Proper ``max_results`` handling in ``eve.utils.parse_request``, refactored
tests (Tomasz Jezierski).
- Projections. Projections are conditional queries where the client dictates
which fields should be returned by the API (Nicolas Bazire).
- ``ALLOW_UNKNOWN`` option, and the corresponding ``allow_options`` local
setting, allow for a less strict schema validation. Closes #34.
- ETags are now provided with POST responses. Closes #36.
- PATCH performance improvement: ETag is now computed in memory; performing an
extra database lookup is not needed anymore.
- Bulk Inserts on the database. POST method heavily refactored to take
advantage of MongoDB native support for Bulk Inserts. Please note: validation
constraints are checked against the database, and not between the payload
documents themselves. This causes an interesting corner case: in the event of
a multiple documents payload where two or more documents carry the same value
for a field where the ``unique`` constraint is set, the payload will validate
successfully, as there are no duplicates in the database (yet). If this is an
issue, the client can always send the documents once at a time for insertion,
or validate locally before submitting the payload to the API.
- Responses to document GET requests now include the ETag in both the header
and the payload. Closes #29.
- ``methods`` settings keyword renamed to ``resource_methods`` for coherence
with the global ``RESOURCE_METHODS`` (Nicolas Carlier).
Version 0.0.5
-------------
Released on April 11th 2013.
- Fixed an issue that apparently caused the test suite to only run successfully
on the dev box. Thanks Chronidev for reporting this.
- Referential integrity validation via the new ``data_relation`` schema
keyword. Closes #25.
- Support for ``Content-Type: application/json`` for POST and PATCH methods.
Closes #28.
- User-restricted resource access. Works in conjunction with Authentication.
When enabled, users can only read/update/delete resource items created by
themselves. Can be switched on and off at global level via the
``AUTH_USERFIELD_NAME`` keywork, or at single resource endpoints with the
user_userfield_name keyword (the latter will override the former). The
keyword contains the actual name of the field used to store the username of
the user who created the resource item. Defaults to '', which disables the
feature (Thomas Sileo).
- ``PAGING_LIMIT`` keyword setting renamed to ``PAGINATION_LIMIT`` for better
coherency with the new ``PAGINATION`` keyword. This could break backward
compatibility in some cases.
- ``PAGING_DEFAULT`` keyword settings renamed to ``PAGINATION_DEFAULT`` for
better coherence with the new ``PAGINATION`` keyword. This could break
backward compatibility in some cases.
- ``ITEM_CACHE_CONTROL`` removed as it seems unnecessary at the moment.
- Added an example on how to handle events to perform custom actions. Closes
#23 and #22.
- ``eve.validation_schema()`` now collects offending items and returns all of
them into the exception message. Closes #24.
- Filters (``?where=``), sorting (``?sort=``) and pagination (``?page=10``) can
now be be disabled at both global and endpoint level. Closes #7.
- CORS (Cross-Origin Resource Sharing) support. The new ``X-DOMAINS`` keywords
allows API maintainers to specify which domains are allowed to perform CORS
requests. Allowed values are: None, a list of domains, or '*' for a wide-open
API. Closes #1.
- HMAC (Hash Message Authentication Code) based Autentication.
- Token Based Authentication, a variation of Basic Authentication. Closes #20.
- Orphan function removed (``eve.methods.get.standard_links`` ).
- ``DATE_CREATED`` and ``LAST_UPDATED`` fields now show default values for
documents created outside the API context. Fixes #18.
Version 0.0.4
-------------
Released on February 25th 2013.
- Consistent ETag computation between runs/instances. Closes #16.
- Support for Basic Authentication (RFC2617).
- Support for fine-tuning authentication with ``PUBLIC_METHODS`` and
``PUBLIC_ITEM_METHODS``. By default, access is restricted to *all* endpoints,
for *all* HTTP verbs (methods), effectively locking down the whole API.
- Supporto for role-based access control with ``ALLOWED_ROLES`` and
``allowed_roles``.
- Support for all standard Flask initialization parameters.
- Support for default values in resource fields. The new ``default`` keyword
can now be used when defining a field rule set. Please note: currently
default values are supported only for main document fields. Default values
for fields in embedded documents will be ignored.
- Multiple API endpoints can now target the same database collection. For
example now you can set both ``/admins/`` and ``/users/`` to read and write
from the same collection on the db, *people*. The new ``datasource`` setting
allows to explicitly link API resources to database collections. It is
a dictionary with two allowed keys: *source* and *filter*. *source* dictates
the database collection consumed by the resource. *filter* is the underlying
query, applied by the API when retrieving and validating data for the
resource. Previously, the resource name would dictate the linked datasource
(and of course you could not have two resources with the same name). This
remains the default behaviour: if you omit the ``datasource`` setting for
a resource, its name will be used to determine the database collection.
- It is now possibile to set predefined db filters for each resource.
Predefined filters run on top of user queries (GET requests with ``where``
clauses) and standard conditional requests (``If-Modified-Since``, etc.)
Please note that datasource filters are applied on GET, PATCH and DELETE
requests. If your resource allows for POST requests (document insertions),
then you will probably want to set the validation rules accordingly (in our
example, 'username' should probably be a required field).
- JSON-Datetime dependency removed.
- Support for Cerberus v0.0.3 and later.
- Support for Flask-PyMongo v0.2.0 and later.
- Repeated XML requests to the same endpoint could occasionally return an
Internal Server Error (Fixes #8).
Version 0.0.3
-------------
Released on January 22th 2013.
- XML rendering love. Lots of love.
- JSON links are always wrapped in a ``_links`` dictionary. Key values match
the relation between the item being represented and the linked resource.
- Streamlined JSON responses. Superflous ``response`` root key has been removed
from JSON payloads. GET requests to resource endpoints: items are now wrapped
with an ``_items`` list. GET requests to item endpoints: item is now at root
level, with no wrappers around it.
- Support for API versioning through the new API_VERSION configuration setting.
- Boolean values in request forms are now correctly parsed.
- Tests now run under Python 2.6.
Version 0.0.2
-------------
Released on November 27th 2012.
- Homepage/api entry point resource links fixed. They had bad 'href'
tags which also caused XML validation issues when processing responses
(especially when accessing the API via browser).
- Version number in 'Server' response headers.
- Added support for DELETE at resource endpoints. Expected behavior:
will delete all items in the collection. Disabled by default.
- :class:`eve.io.mongo.Validator` now supports :class:`~cerberus.Validator`
signature, allowing for further subclassing.
Version 0.0.1
-------------
Released on November 20th 2012.
- First public preview release.