What's New in Pyramid 1.9
This article explains the new features in Pyramid version 1.9 as compared to its predecessor, Pyramid 1.8. It also documents backwards incompatibilities between the two versions and deprecations added to Pyramid 1.9, as well as software dependency changes and notable documentation additions.
Major Feature Additions
The file format used by all p* command line scripts such as pserve and pshell, as well as the pyramid.paster.bootstrap() function, is now replaceable thanks to a new dependency on plaster.
For now, Pyramid is still shipping with integrated support for the PasteDeploy INI format by depending on the plaster_pastedeploy binding library. This may change in the future so it is recommended for applications to start depending on the appropriate plaster binding for their needs.
Added an execution policy hook to the request pipeline. An execution policy has the ability to control creation and execution of the request objects before they enter the rest of the pipeline. This means for a single request environ the policy may create more than one request object.
The execution policy can be replaced using the new pyramid.config.Configurator.set_execution_policy() config directive.
The first library to use this feature is pyramid_retry.
Pyramid's default execution policy will attempt to handle and render uncaught exceptions. This is a subtle, but fundamental, change indicating that an exception view may expect to be called outside of the default EXCVIEW tween. There are various predicates available to assist in defining valid exception views for various parts of the pipeline. For example, pyramid_tm defines the tm_active=True predicate which can be applied to exception views that require access to the default transaction. In general this means that exception views may be expected to cover more possible error conditions, including when exceptions occur from tweens that are placed OVER the EXCVIEW tween. If necessary, when provided a response object, you may inspect request.exception or request.exc_info to determine if the response was generated as the result of an exception. See https://github.com/Pylons/pyramid/pull/2964
CSRF support has been refactored out of sessions and into its own independent API in the pyramid.csrf module. It supports a pluggable pyramid.interfaces.ICSRFStoragePolicy which can be used to define your own mechanism for generating and validating CSRF tokens. By default, Pyramid continues to use the pyramid.csrf.LegacySessionCSRFStoragePolicy that uses the request.session.get_csrf_token and request.session.new_csrf_token APIs under the hood to preserve compatibility with older Pyramid applications. Two new policies are shipped as well, pyramid.csrf.SessionCSRFStoragePolicy and pyramid.csrf.CookieCSRFStoragePolicy, which will store the CSRF tokens in the session and in a standalone cookie, respectively. The storage policy can be changed by using the new pyramid.config.Configurator.set_csrf_storage_policy() config directive.
CSRF tokens should be used via the new pyramid.csrf.get_csrf_token(), pyramid.csrf.new_csrf_token() and pyramid.csrf.check_csrf_token() APIs in order to continue working if the storage policy is changed. Also, the pyramid.csrf.get_csrf_token() function is now injected into templates to be used conveniently in UI code.
See https://github.com/Pylons/pyramid/pull/2854 and https://github.com/Pylons/pyramid/pull/3019
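
As an added illustration of the pluggable storage policy described above (not code from Pyramid or from this page): a stateless policy that duck-types the three pyramid.interfaces.ICSRFStoragePolicy methods and binds each token to request.authenticated_userid with an HMAC. The class name, the signed_csrf_token attribute and the SimpleNamespace stand-ins for requests are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from types import SimpleNamespace


class SignedCSRFStoragePolicy:
    """Stateless policy: token = nonce "." HMAC-SHA256(secret, userid, nonce).

    Duck-types the three ICSRFStoragePolicy methods; no server-side storage.
    """

    def __init__(self, secret: bytes):
        if len(secret) < 32:
            raise ValueError("secret must be at least 32 bytes")
        self._secret = secret

    def _mac(self, request, nonce: str) -> str:
        # Length-prefix the user id so (userid, nonce) pairs cannot collide.
        userid = str(request.authenticated_userid)
        msg = f"{len(userid)}:{userid}:{nonce}".encode("utf-8")
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def new_csrf_token(self, request) -> str:
        nonce = secrets.token_hex(16)
        token = f"{nonce}.{self._mac(request, nonce)}"
        request.signed_csrf_token = token  # hypothetical per-request cache
        return token

    def get_csrf_token(self, request) -> str:
        cached = getattr(request, "signed_csrf_token", None)
        return cached or self.new_csrf_token(request)

    def check_csrf_token(self, request, supplied_token) -> bool:
        token = str(supplied_token)
        nonce, sep, mac = token.partition(".")
        if not (sep and nonce and mac and token.isascii()):
            return False
        # Constant-time comparison of the recomputed and supplied MACs.
        return hmac.compare_digest(self._mac(request, nonce), mac)


def demo():
    """Constructed stand-ins for requests; a real app would register the policy
    with config.set_csrf_storage_policy(SignedCSRFStoragePolicy(secret))."""
    policy = SignedCSRFStoragePolicy(secrets.token_bytes(32))
    alice = SimpleNamespace(authenticated_userid="alice")
    mallory = SimpleNamespace(authenticated_userid="mallory")
    token = policy.get_csrf_token(alice)
    return policy.check_csrf_token(alice, token), policy.check_csrf_token(mallory, token)
```

Tokens issued this way never expire and every anonymous request binds to the same value, so a deployment would add a timestamp or bind to a session identifier instead.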
Minor Feature Additions
Support an open_url config setting in the pserve section of the config file. This url is used to open a web browser when pserve --browser is invoked. When this setting is unavailable the pserve script will attempt to guess the port the server is using from the server:<server_name> section of the config file, but there is no requirement that the server is being run in this format so it may fail. See https://github.com/Pylons/pyramid/pull/2984
The pyramid.config.Configurator can now be used as a context manager which will automatically push/pop threadlocals (similar to pyramid.config.Configurator.begin() and pyramid.config.Configurator.end()). It will also automatically perform a pyramid.config.Configurator.commit() at the end and thus it is only recommended to be used at the top-level of your app. See https://github.com/Pylons/pyramid/pull/2874
The threadlocals are now available inside any function invoked via pyramid.config.Configurator.include(). This means the only config-time code that cannot rely on threadlocals is code executed from non-actions inside the main. This can be alleviated by invoking pyramid.config.Configurator.begin() and pyramid.config.Configurator.end() appropriately or using the new context manager feature of the configurator. See https://github.com/Pylons/pyramid/pull/2989
The threadlocals are now available inside exception views invoked via pyramid.request.Request.invoke_exception_view() even when the request argument is overridden. See https://github.com/Pylons/pyramid/pull/3060
When unsupported predicates are supplied to pyramid.config.Configurator.add_view(), pyramid.config.Configurator.add_route() and pyramid.config.Configurator.add_subscriber(), a much more helpful error message is output with a guess as to which predicate was intended. See https://github.com/Pylons/pyramid/pull/3054
Normalize the permission results to a proper class hierarchy. pyramid.security.ACLAllowed is now a subclass of pyramid.security.Allowed and pyramid.security.ACLDenied is now a subclass of pyramid.security.Denied. See https://github.com/Pylons/pyramid/pull/3084
Add a quote_via argument to pyramid.encode.urlencode() to follow the stdlib's version and enable custom quoting functions. See https://github.com/Pylons/pyramid/pull/3088
Support _query=None and _anchor=None in pyramid.request.Request.route_url() as well as query=None and anchor=None in pyramid.request.Request.resource_url(). Previously this would cause a ? and a #, respectively, in the url with nothing after it. Now the unnecessary parts are dropped from the generated URL. See https://github.com/Pylons/pyramid/pull/3034
Deprecations
Pyramid currently depends on plaster_pastedeploy to simplify the transition to plaster by maintaining integrated support for INI files. This dependency on plaster_pastedeploy should be considered subject to Pyramid's deprecation policy and may be removed in the future. Applications should depend on the appropriate plaster binding to satisfy their needs.
Retrieving CSRF token from the session has been deprecated in favor of equivalent methods in the pyramid.csrf module. The CSRF methods (ISession.get_csrf_token and ISession.new_csrf_token) are no longer required on the pyramid.interfaces.ISession interface except when using the default pyramid.csrf.LegacySessionCSRFStoragePolicy.
Also, pyramid.session.check_csrf_token is now located at pyramid.csrf.check_csrf_token() and pyramid.session.check_csrf_origin is moved to pyramid.csrf.check_csrf_origin().
See https://github.com/Pylons/pyramid/pull/2854 and https://github.com/Pylons/pyramid/pull/3019
Backward Incompatibilities
request.exception and request.exc_info will only be set if the response was generated by the EXCVIEW tween. This is to avoid any confusion where a response was generated elsewhere in the pipeline and not in direct relation to the original exception. If anyone upstream wants to catch and render responses for exceptions they should set request.exception and request.exc_info themselves to indicate the exception that was squashed when generating the response.
Similar behavior occurs with pyramid.request.Request.invoke_exception_view() in which the exception properties are set to reflect the exception if a response is successfully generated by the method.
This is a very minor incompatibility. Most tweens right now would give priority to the raised exception and ignore request.exception. This change just improves and clarifies that bookkeeping by trying to be more clear about the relationship between the response and its squashed exception. See https://github.com/Pylons/pyramid/pull/3029 and https://github.com/Pylons/pyramid/pull/3031
Documentation Enhancements
Added the execution policy to the routing diagram in Request Processing. See https://github.com/Pylons/pyramid/pull/2993